chore(userpsace/engine): update fields checksum

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.circleci/config.yml

@@ -394,12 +394,6 @@ jobs:
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
-      - run:
-          name: Publish bin-static-dev
-          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
-            /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin-dev -a x86_64
   "publish/packages-deb-dev":
     docker:
       - image: docker.io/debian:stable
@@ -514,12 +508,6 @@ jobs:
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
-      - run:
-          name: Publish bin-static
-          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
-            /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin -a x86_64
   "publish/packages-deb":
     docker:
       - image: docker.io/debian:stable

CMakeLists.txt

@@ -67,7 +67,6 @@ endif()
 
 if(MUSL_OPTIMIZED_BUILD)
   set(MUSL_FLAGS "-static -Os -fPIE -pie")
-  add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
 # explicitly set hardening flags
@@ -207,9 +206,7 @@ add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)
 
-if(NOT MUSL_OPTIMIZED_BUILD)
-  include(plugins)
-endif()
+include(plugins)
 
 # Packages configuration
 include(CPackConfig)

cmake/modules/falcosecurity-libs.cmake

@@ -24,8 +24,8 @@ else()
   # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
   # -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "319368f1ad778691164d33d59945e00c5752cd27")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=2cf44f06a282e8cee7aa1f775a08ea94c06e275faaf0636b21eb06af28cf4b3f")
+    set(FALCOSECURITY_LIBS_VERSION "4de7ad2857fb55439eb10455aacd1d262b70551b")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=3769e410fc0e31d5c7c37f33a7a73dfe52418a850d8f166fbafc67a723c619b6")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/plugins.cmake

@@ -13,12 +13,10 @@
 
 include(ExternalProject)
 
-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
-
 ExternalProject_Add(
   cloudtrail-plugin
-  URL "https://download.falco.org/plugins/stable/cloudtrail-0.2.2-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=1628717e48b2ba1b9c78c9081e2ec23e4d88bb1a7b68b12cf8dff7f247b5b9b1"
+  URL "https://download.falco.org/plugins/stable/cloudtrail-0.2.0-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=917ebc5c3b1ad78d959372baa73ac2e9b18b38f51e1e42bd0974166dc04a964c"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -27,8 +25,8 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 
 ExternalProject_Add(
   json-plugin
-  URL "https://download.falco.org/plugins/stable/json-0.2.1-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=14d1cf4c3c651af0daec7a45162ef91172d6f0baba787f0eff0227b3cf2ca39c"
+  URL "https://download.falco.org/plugins/stable/json-0.2.0-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=250f0b04db7ab08f3bfa5ecd90cc9b39a6992fc2e96b887ed6f319a6ba156fd7"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")

falco.yaml

@@ -92,7 +92,7 @@ log_level: info
 # Minimum rule priority level to load and run. All rules having a
 # priority more severe than this level will be loaded/run.  Can be one
 # of "emergency", "alert", "critical", "error", "warning", "notice",
-# "informational", "debug".
+# "info", "debug".
 priority: debug
 
 # Whether or not output to any of the output channels below is
@@ -246,7 +246,6 @@ program_output:
 http_output:
   enabled: false
   url: http://some.url
-  user_agent: "falcosecurity/falco"
 
 # Falco supports running a gRPC server with two main binding types
 # 1. Over the network with mandatory mutual TLS authentication (mTLS)

rules/aws_cloudtrail_rules.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,9 +22,7 @@
 # anything semver-compatible.
 - required_plugin_versions:
   - name: cloudtrail
-    version: 0.2.2
-  - name: json
-    version: 0.2.1
+    version: 0.1.0
 
 # Note that this rule is disabled by default. It's useful only to
 # verify that the cloudtrail plugin is sending events properly.  The
@@ -335,7 +333,7 @@
   desc: Detect deleting blocking public access to bucket.
   condition:
     ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
-    json.value[/requestParameters/publicAccessBlock]='""' and
+    json.value[/requestParameters/publicAccessBlock]="" and
       (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
       json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
       json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or

rules/falco_rules.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -63,14 +63,11 @@
   condition: rename or remove
 
 - macro: spawned_process
-  condition: evt.type in (execve, execveat) and evt.dir=<
+  condition: evt.type = execve and evt.dir=<
 
 - macro: create_symlink
   condition: evt.type in (symlink, symlinkat) and evt.dir=<
 
-- macro: create_hardlink
-  condition: evt.type in (link, linkat) and evt.dir=<
-
 - macro: chmod
   condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
 
@@ -219,7 +216,7 @@
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
     frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, apt.systemd.dai
+    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache, apt.systemd.dai
     ]
 
 # The truncated dpkg-preconfigu is intentional, process names are
@@ -1874,6 +1871,19 @@
               container.image.repository in (falco_sensitive_mount_images) or
               container.image.repository startswith quay.io/sysdig/)
 
+# These container images are allowed to run with hostnetwork=true
+- list: falco_hostnetwork_images
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/typha,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/ip-masq-agent-amd64
+    k8s.gcr.io/prometheus-to-sd,
+    ]
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
 # allowed to perform sensitive mounts.
@@ -2699,17 +2709,7 @@
     (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
   output: >
     Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
-  priority: WARNING
-  tags: [file, mitre_exfiltration]
-
-- rule: Create Hardlink Over Sensitive Files
-  desc: Detect hardlink created over sensitive files
-  condition: >
-    create_hardlink and
-    (evt.arg.oldpath in (sensitive_file_names))
-  output: >
-    Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname)
-  priority: WARNING
+  priority: NOTICE
   tags: [file, mitre_exfiltration]
 
 - list: miner_ports
@@ -2820,7 +2820,7 @@
 
 - rule: Detect crypto miners using the Stratum protocol
   desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
-  condition: spawned_process and (proc.cmdline contains "stratum+tcp" or proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum2+ssl")
+  condition: spawned_process and proc.cmdline contains "stratum+tcp"
   output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository)
   priority: CRITICAL
   tags: [process, mitre_execution]
@@ -3039,7 +3039,7 @@
 # A privilege escalation to root through heap-based buffer overflow
 - rule: Sudo Potential Privilege Escalation
   desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
-  condition: spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \)
+  condition: spawned_process and user.uid != 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
   output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
   priority: CRITICAL
   tags: [filesystem, mitre_privilege_escalation]

rules/k8s_audit_rules.yaml

@@ -152,19 +152,6 @@
   source: k8s_audit
   tags: [k8s]
 
-# These container images are allowed to run with hostnetwork=true
-- list: falco_hostnetwork_images
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/typha,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64
-    k8s.gcr.io/prometheus-to-sd,
-    ]
-
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.

scripts/falco-driver-loader

@@ -160,26 +160,15 @@ load_kernel_module_compile() {
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
 		chmod +x /tmp/falco-dkms-make
 		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms"
-			KO_FILE="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}"
-			if [ -f "$KO_FILE.ko" ]; then
-				KO_FILE="$KO_FILE.ko"
-			elif [ -f "$KO_FILE.ko.gz" ]; then
-				KO_FILE="$KO_FILE.ko.gz"
-			elif [ -f "$KO_FILE.ko.xz" ]; then
-				KO_FILE="$KO_FILE.ko.xz"
-			elif [ -f "$KO_FILE.ko.zst" ]; then
-				KO_FILE="$KO_FILE.ko.zst"
-			else
-				>&2 echo "${DRIVER_NAME} module file not found"
-				return
-			fi
-			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying insmod"
-			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if insmod "$KO_FILE" > /dev/null 2>&1; then
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
+			chcon -t modules_object_t "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1 || true
+			chcon -t modules_object_t "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1 || true
+			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
+			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+				exit 0
 			else
 				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
@@ -207,12 +196,8 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		if insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"; then
-			echo "* Success: ${DRIVER_NAME} module found and inserted"
-			exit 0
-		else
-			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
-		fi	
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
+		exit $?
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
 		return
@@ -256,6 +241,11 @@ load_kernel_module() {
 		exit 0
 	fi
 
+	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
+	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
+		exit 0
+	fi
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
@@ -278,13 +268,6 @@ load_kernel_module() {
 		load_kernel_module_compile
 	fi
 
-	# Last try (might load a previous driver version)
-	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
-	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
-		exit 0
-	fi
-
 	# Not able to download a prebuilt module nor to compile one on-the-fly
 	>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
 	exit 1

test/falco_k8s_audit_tests.yaml

@@ -49,7 +49,6 @@ trace_files: !mux
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
@@ -75,7 +74,6 @@ trace_files: !mux
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

userspace/engine/CMakeLists.txt

@@ -56,3 +56,6 @@ else()
 endif()
 
 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}" luafiles)
+
+configure_file(config_falco_engine.h.in config_falco_engine.h)
+

userspace/engine/config_falco_engine.h.in

@@ -0,0 +1,20 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#define FALCO_ENGINE_LUA_DIR "${FALCO_ABSOLUTE_SHARE_DIR}/lua/"
+#define FALCO_ENGINE_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/engine/lua/"

userspace/engine/falco_common.cpp

@@ -16,6 +16,7 @@ limitations under the License.
 
 #include <fstream>
 
+#include "config_falco_engine.h"
 #include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 #include "falco_engine_lua_files.hh"

userspace/engine/falco_engine.cpp

@@ -25,6 +25,7 @@ limitations under the License.
 #include "falco_engine.h"
 #include "falco_utils.h"
 #include "falco_engine_version.h"
+#include "config_falco_engine.h"
 
 #include "formats.h"
 
@@ -43,7 +44,7 @@ const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";
 
 using namespace std;
 
-falco_engine::falco_engine(bool seed_rng)
+falco_engine::falco_engine(bool seed_rng, const std::string& alternate_lua_dir)
 	: m_next_ruleset_id(0),
 	  m_min_priority(falco_common::PRIORITY_DEBUG),
 	  m_sampling_ratio(1), m_sampling_multiplier(0),

userspace/engine/falco_engine.h

@@ -32,6 +32,7 @@ limitations under the License.
 #include "rules.h"
 #include "ruleset.h"
 
+#include "config_falco_engine.h"
 #include "falco_common.h"
 
 //
@@ -43,7 +44,7 @@ limitations under the License.
 class falco_engine : public falco_common
 {
 public:
-	falco_engine(bool seed_rng=true);
+	falco_engine(bool seed_rng=true, const std::string& alternate_lua_dir=FALCO_ENGINE_SOURCE_LUA_DIR);
 	virtual ~falco_engine();
 
 	// A given engine has a version which identifies the fields

userspace/engine/lua/CMakeLists.txt

@@ -10,7 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 
-file(GLOB_RECURSE lua_files ${CMAKE_CURRENT_SOURCE_DIR} *.lua)
+file(GLOB_RECURSE lua_module_files ${CMAKE_CURRENT_SOURCE_DIR} *.lua)
 
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/falco_engine_lua_files.cpp
 	COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/lua-to-cpp.sh ${CMAKE_CURRENT_SOURCE_DIR} ${LYAML_LUA_DIR} ${CMAKE_CURRENT_BINARY_DIR}

userspace/engine/lua/rule_loader.lua

@@ -1059,9 +1059,9 @@ function load_rules(rules_content,
 
 	 else
 	    num_evttypes = falco_rules.add_filter(rules_mgr, lua_parser, v['rule'], v['source'], v['tags'])
-	    if v['source'] == "syscall" and (num_evttypes == 0 or num_evttypes > 100) then
+	    if num_evttypes == 0 or num_evttypes > 100 then
 	       if warn_evttypes == true then
-		  msg = "Rule "..v['rule']..": warning (no-evttype):\n".."         matches too many evt.type values.\n".."         This has a significant performance penalty."
+		  msg = "Rule "..v['rule']..": warning (no-evttype):"
 		  warnings[#warnings + 1] = msg
 	       end
 	    end

userspace/engine/ruleset.cpp

@@ -68,9 +68,6 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper>
 {
 	std::set<uint16_t> fevttypes = wrap->filter->evttypes();
 
-	// TODO: who fills this one for rules without evt.type specified?
-	// Can this be actually empty?
-	// Is m_filter_all_event_types useful?
 	if(fevttypes.empty())
 	{
 		// Should run for all event types

userspace/falco/configuration.cpp

@@ -148,10 +148,6 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		}
 		http_output.options["url"] = url;
 
-		string user_agent;
-		user_agent = m_config->get_scalar<string>("http_output.user_agent","falcosecurity/falco");
-		http_output.options["user_agent"] = user_agent;
-
 		m_outputs.push_back(http_output);
 	}
 

userspace/falco/falco.cpp

@@ -94,6 +94,7 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -136,12 +137,8 @@ static void usage()
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
 	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
 	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
-	   " --list-fields-markdown [<source>]\n"
-	   "                               List fields in md\n"
-#ifndef MUSL_OPTIMIZED
+#ifndef MUSL_OPTIMIZED_BUILD
 	   " --list-plugins                Print info on all loaded plugins and exit.\n"
-#endif
-#ifndef MINIMAL_BUILD
 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
 	   "                               Enable Mesos support by connecting to the API server\n"
 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
@@ -459,29 +456,11 @@ static void check_for_ignored_events(sinsp &inspector, falco_engine &engine)
 			std::string name = etable[evtnum].name;
 			if(warn_event_names.find(name) == warn_event_names.end())
 			{
+				printf("Loaded rules use event %s, but this event is not returned unless running falco with -A\n", name.c_str());
 				warn_event_names.insert(name);
 			}
 		}
 	}
-
-	// Print a single warning with the list of ignored events
-	if (!warn_event_names.empty())
-	{
-		std::string skipped_events;
-		bool first = true;
-		for (const auto& evtname : warn_event_names)
-		{
-			if (first)
-			{
-				skipped_events += evtname;
-				first = false;
-			} else
-			{
-				skipped_events += "," + evtname;
-			}
-		}
-		fprintf(stderr,"Rules match ignored syscall: warning (ignored-evttype):\n         loaded rules match the following events: %s;\n         but these events are not returned unless running falco with -A\n", skipped_events.c_str());
-	}
 }
 
 static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
@@ -566,6 +545,7 @@ int falco_init(int argc, char **argv)
 
 	static struct option long_options[] =
 		{
+			{"alternate-lua-dir", required_argument, 0},
 			{"cri", required_argument, 0},
 			{"daemon", no_argument, 0, 'd'},
 			{"disable-cri-async", no_argument, 0, 0},
@@ -576,7 +556,9 @@ int falco_init(int argc, char **argv)
 			{"k8s-api", required_argument, 0, 'k'},
 			{"k8s-node", required_argument, 0},
 			{"list", optional_argument, 0},
+#ifndef MUSL_OPTIMIZED_BUILD
 			{"list-plugins", no_argument, 0},
+#endif
 			{"mesos-api", required_argument, 0, 'm'},
 			{"option", required_argument, 0, 'o'},
 			{"pidfile", required_argument, 0, 'P'},
@@ -596,7 +578,8 @@ int falco_init(int argc, char **argv)
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
-		string all_rules;
+		string all_rules = "";
+		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
@@ -768,7 +751,7 @@ int falco_init(int argc, char **argv)
 						list_flds_source = optarg;
 					}
 				}
-#ifndef MUSL_OPTIMIZED
+#ifndef MUSL_OPTIMIZED_BUILD
 				else if (string(long_options[long_index].name) == "list-plugins")
 				{
 					list_plugins = true;
@@ -789,6 +772,16 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
+				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+				{
+					if(optarg != NULL)
+					{
+						alternate_lua_dir = optarg;
+						if (alternate_lua_dir.back() != '/') {
+							alternate_lua_dir += '/';
+						}
+					}
+				}
 				break;
 
 			default:
@@ -824,7 +817,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}
 
-		engine = new falco_engine(true);
+		engine = new falco_engine(true, alternate_lua_dir);
 		engine->set_extra(output_format, replace_container_info);
 
 		// Create "factories" that can create filters/formatters for
@@ -954,7 +947,7 @@ int falco_init(int argc, char **argv)
 		for(auto &p : config.m_plugins)
 		{
 			std::shared_ptr<sinsp_plugin> plugin;
-#ifdef MUSL_OPTIMIZED
+#ifdef MUSL_OPTIMIZED_BUILD
 			throw std::invalid_argument(string("Can not load/use plugins with musl optimized build"));
 #else
 			falco_logger::log(LOG_INFO, "Loading plugin (" + p.m_name + ") from file " + p.m_library_path + "\n");
@@ -1048,7 +1041,6 @@ int falco_init(int argc, char **argv)
 				{
 					os << "Type: extractor plugin" << std::endl;
 				}
-				os << std::endl;
 			}
 
 			printf("%lu Plugins Loaded:\n\n%s\n", infos.size(), os.str().c_str());
@@ -1146,6 +1138,11 @@ int falco_init(int argc, char **argv)
 			engine->enable_rule_by_tag(enabled_rule_tags, true);
 		}
 
+		// For syscalls, see if any event types used by the
+		// loaded rules are ones with the EF_DROP_SIMPLE_CONS
+		// label.
+		check_for_ignored_events(*inspector, *engine);
+
 		if(print_support)
 		{
 			nlohmann::json support;
@@ -1209,10 +1206,6 @@ int falco_init(int argc, char **argv)
 
 		if(!all_events)
 		{
-			// For syscalls, see if any event types used by the
-			// loaded rules are ones with the EF_DROP_SIMPLE_CONS
-			// label.
-			check_for_ignored_events(*inspector, *engine);
 			// Drop EF_DROP_SIMPLE_CONS kernel side
 			inspector->set_simple_consumer();
 			// Eventually, drop any EF_DROP_SIMPLE_CONS event

userspace/falco/outputs_http.cpp

@@ -34,14 +34,11 @@ void falco::outputs::output_http::output(const message *msg)
 		} else {
 			slist1 = curl_slist_append(slist1, "Content-Type: text/plain");
 		}
-
 		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
 		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
 		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
-		curl_easy_setopt(curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str());
 		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
 
-
 		res = curl_easy_perform(curl);
 
 		if(res != CURLE_OK)
@@ -53,4 +50,4 @@ void falco::outputs::output_http::output(const message *msg)
 		curl_slist_free_all(slist1);
 		slist1 = NULL;
 	}
-}
+}