update(scripts): update Falco description

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.circleci/config.yml

@@ -64,8 +64,72 @@ jobs:
             pushd build
             make tests
             popd
+  # Build using Ubuntu Bionic Beaver (18.04)
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/ubuntu-bionic":
+    docker:
+      - image: ubuntu:bionic
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using CentOS 8
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/centos8":
+    docker:
+      - image: centos:8
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: dnf update -y
+      - run:
+          name: Install dependencies
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
   # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
   "build/centos7":
     docker:
       - image: falcosecurity/falco-builder:latest
@@ -102,7 +166,7 @@ jobs:
           path: /tmp/packages
           destination: /packages
   # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
   "build/centos7-debug":
     docker:
       - image: falcosecurity/falco-builder:latest
@@ -310,6 +374,8 @@ workflows:
     jobs:
       - "build/ubuntu-focal"
       - "build/ubuntu-focal-debug"
+      - "build/ubuntu-bionic"
+      - "build/centos8"
       - "build/centos7"
       - "build/centos7-debug"
       - "tests/integration":

CHANGELOG.md

@@ -2,9 +2,114 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.24.0
+
+Released on 2020-07-16
+
+### Major Changes
+
+* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
+* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
+
+
+### Minor Changes
+
+* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
+* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
+* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
+* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
+* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
+* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
+
+
+### Bug Fixes
+
+* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
+* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
+* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
+* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
+
+
+### Rule Changes
+
+* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
+* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
+* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
+* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
+* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
+* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
+* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
+* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
+* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
+
 ## v0.23.0
 
-Released on 2020-18-05
+Released on 2020-05-18
 
 ### Major Changes
 
@@ -46,7 +151,7 @@ Released on 2020-18-05
 
 ## v0.22.1
 
-Released on 2020-17-04
+Released on 2020-04-17
 
 ### Major Changes
 
@@ -66,7 +171,7 @@ Released on 2020-17-04
 
 ## v0.22.0
 
-Released on 2020-16-04
+Released on 2020-04-16
 
 ### Major Changes
 

CMakeLists.txt

@@ -160,27 +160,20 @@ ExternalProject_Add(
   INSTALL_COMMAND "")
 
 # libyaml
-find_library(LIBYAML_LIB NAMES libyaml.so)
-if(LIBYAML_LIB)
-  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-else()
-  message(FATAL_ERROR "Couldn't find system libyaml")
-endif()
+include(libyaml)
 
 # lyaml
 set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
 message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-set(LYAML_DEPENDENCIES "")
-list(APPEND LYAML_DEPENDENCIES "luajit")
 ExternalProject_Add(
   lyaml
-  DEPENDS ${LYAML_DEPENDENCIES}
+  DEPENDS luajit libyaml
   URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
   URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
   INSTALL_COMMAND sh -c
                   "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 

CODE_OF_CONDUCT.md

@@ -1,38 +0,0 @@
-# CNCF Community Code of Conduct v1.0
-
-## Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
-http://contributor-covenant.org/version/1/2/0/

CONTRIBUTING.md

@@ -1,150 +0,0 @@
-# Contributing to Falco
-
-- [Contributing to Falco](#contributing-to-falco)
-  - [Code of Conduct](#code-of-conduct)
-  - [Issues](#issues)
-    - [Triage issues](#triage-issues)
-      - [More about labels](#more-about-labels)
-    - [Slack](#slack)
-  - [Pull Requests](#pull-requests)
-    - [Commit convention](#commit-convention)
-      - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
-    - [Unit testing](/tests/README.md)
-  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
-
-## Code of Conduct
-
-Falco has a
-[Code of Conduct](CODE_OF_CONDUCT.md)
-to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
-
-## Issues
-
-Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
-
-- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
-creating an issue with the **bug report template** is the best way to do so.
-- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
-- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
-
-The best way to get **involved** in the project is through issues, you can help in many ways:
-
-- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
-sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
-- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
-
-### Triage issues
-
-We need help in categorizing issues. Thus any help is welcome!
-
-When you triage an issue, you:
-
-* assess whether it has merit or not
-
-* quickly close it by correctly answering a question
-
-* point the reporter to a resource or documentation answering the issue
-
-* tag it via labels, projects, or milestones
-
-* take ownership submitting a PR for it, in case you want 😇
-
-#### More about labels
-
-These guidelines are not set in stone and are subject to change.
-
-Anyway a `kind/*` label for any issue is mandatory.
-
-This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
-
-You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
-
-The commands available are the following ones:
-
-```
-/[remove-](area|kind|priority|triage|label)
-```
-
-Some examples:
-
-* `/area rules`
-* `/remove-area rules`
-* `/kind kernel-module`
-* `/label good-first-issue`
-* `/triage duplicate`
-* `/triage unresolved`
-* `/triage not-reproducible`
-* `/triage support`
-* ...
-
-### Slack
-
-Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
-
-## Pull Requests
-
-Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
-
-In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
-need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
-
-The list of labels is [here](https://github.com/falcosecurity/falco/labels).
-
-Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
-
-Once your reviewer is happy, they will say `/lgtm` which will apply the
-`lgtm` label, and will apply the `approved` label if they are an
-[owner](/OWNERS).
-
-Your PR will be automatically merged once it has the `lgtm` and `approved`
-labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
-
-### Commit convention
-
-As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
-of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
-
-#### Rule type
-
-Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
-Example:
-
-```
-rule(Write below monitored dir): make sure monitored dirs are monitored.
-```
-
-Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
-
-If you are changing only a macro, the commit will look like this:
-
-```
-rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
-```
-
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
-
-## Developer Certificate Of Origin
-
-The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
-
-Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
-
-```
-This is my commit message
-
-Signed-off-by: John Poiana <jpoiana@falco.org>
-```
-
-Git even has a `-s` command line option to append this automatically to your commit message:
-
-```
-$ git commit -s -m 'This is my commit message'
-```

README.md

@@ -3,8 +3,6 @@
 
 <hr>
 
-# The Falco Project
-
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
 #### Latest releases
@@ -19,63 +17,78 @@ Read the [change log](CHANGELOG.md).
 
 ---
 
-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
+Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
 
-Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
+### Installing Falco
 
-#### What kind of behaviors can Falco detect?
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
 
-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
+##### Kubernetes
 
-- A shell is running inside a container.
+| Tool     | Link                                                                                       | Note                                                               |
+|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
+| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+
+### Developing
+
+Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+The Falco Project supports various SDKs for this endpoint.
+
+##### SDKs
+
+| Language | Repository                                              |
+|----------|---------------------------------------------------------|
+| Go       | [client-go](https://github.com/falcosecurity/client-go) |
+| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
+| Python   | [client-py](https://github.com/falcosecurity/client-py) |
+
+
+### What can Falco detect?
+
+Falco can detect and alert on any behavior that involves making Linux system calls.
+Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
+For example, Falco can easily detect incidents including but not limited to:
+
+- A shell is running inside a container or pod in Kubernetes.
 - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
 - A server process is spawning a child process of an unexpected type.
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
 
+### Documentation
 
-### Installing Falco
+The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
 
-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
-
-#### How do you compare Falco with other security tools?
-
-One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
-
-
-Documentation
----
-
-See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
-
-Join the Community
----
+### Join the Community
 
 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
 
-License Terms
----
-
-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
-
-Contributing
----
+### Contributing
 
 See the [CONTRIBUTING.md](./CONTRIBUTING.md).
 
-Security
----
-
 ### Security Audit
 
 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
 
 ### Reporting security vulnerabilities
+
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
 
+### License Terms
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+
 [1]: https://dl.bintray.com/falcosecurity/rpm-dev
 [2]: https://dl.bintray.com/falcosecurity/rpm
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable

RELEASE.md

@@ -2,7 +2,7 @@
 
 Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
 
 Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
 
@@ -19,18 +19,19 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 - Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
 
 ### 2. Milestones
+
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
-- Close the completed milestone
-    
+
 ### 3. Release PR
 
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
 - Add the lastest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
+- Close the completed milestone as soon PR is merged
 
 ## Release
 
@@ -52,6 +53,7 @@ Let `x.y.z` the new version.
 - Wait for the CI to complete
 
 ### 2. Update the GitHub release
+
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:

cmake/modules/CPackConfig.cmake

@@ -30,14 +30,14 @@ set(CPACK_GENERATOR DEB RPM TGZ)
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
     "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

cmake/modules/OpenSSL.cmake

@@ -35,7 +35,7 @@ else()
     URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
     URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
     # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
     BUILD_COMMAND ${CMD_MAKE}
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND ${CMD_MAKE} install)

cmake/modules/cURL.cmake

@@ -19,13 +19,9 @@ else()
   set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
   set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
 
-  if(NOT USE_BUNDLED_OPENSSL)
-    set(CURL_SSL_OPTION "--with-ssl")
-  else()
-    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-  endif()
+  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
 
   externalproject_add(
     curl

cmake/modules/gRPC.cmake

@@ -110,8 +110,8 @@ else()
     grpc
     DEPENDS openssl
     GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.25.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    GIT_TAG v1.31.1
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
     BUILD_IN_SOURCE 1
     BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
     INSTALL_COMMAND ""
@@ -121,6 +121,8 @@ else()
       HAS_SYSTEM_ZLIB=false
       HAS_SYSTEM_PROTOBUF=false
       HAS_SYSTEM_CARES=false
+      HAS_EMBEDDED_OPENSSL_ALPN=false
+      HAS_SYSTEM_OPENSSL_ALPN=true
       PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
       PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
       PATH=${PROTOC_DIR}:$ENV{PATH}

cmake/modules/jq.cmake

@@ -10,26 +10,44 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-if(NOT USE_BUNDLED_DEPS)
-  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-  find_library(JQ_LIB NAMES jq)
-  if(JQ_INCLUDE AND JQ_LIB)
-    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system jq")
-  endif()
-else()
-  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-  message(STATUS "Using bundled jq in '${JQ_SRC}'")
-  set(JQ_INCLUDE "${JQ_SRC}")
-  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-  ExternalProject_Add(
-    jq
-    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
-    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-    BUILD_IN_SOURCE 1
-    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-    INSTALL_COMMAND "")
-endif()
+if (NOT USE_BUNDLED_DEPS)
+    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+    find_library(JQ_LIB NAMES jq)
+    if (JQ_INCLUDE AND JQ_LIB)
+        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+    else ()
+        message(FATAL_ERROR "Couldn't find system jq")
+    endif ()
+else ()
+    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+    message(STATUS "Using bundled jq in '${JQ_SRC}'")
+    set(JQ_INCLUDE "${JQ_SRC}/target/include")
+    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
+    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
+    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
+    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+
+    # Why we mirror jq here?
+    #
+    # In their readme, jq claims that you don't have
+    # to do autoreconf -fi when downloading a released tarball.
+    #
+    # However, they forgot to push the released makefiles
+    # into their release tarbal.
+    #
+    # For this reason, we have to mirror their release after
+    # doing the configuration ourselves.
+    #
+    # This is needed because many distros do not ship the right
+    # version of autoreconf, making virtually impossible to build Falco on them.
+    # Read more about it here:
+    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
+    ExternalProject_Add(
+            jq
+            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
+            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
+            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+            BUILD_IN_SOURCE 1
+            INSTALL_COMMAND ${CMD_MAKE} install)
+endif ()

cmake/modules/libyaml.cmake

@@ -0,0 +1,26 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
+message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+ExternalProject_Add(
+libyaml
+URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+BUILD_COMMAND ${CMD_MAKE} 
+BUILD_IN_SOURCE 1
+INSTALL_COMMAND ${CMD_MAKE} install)
+

cmake/modules/sysdig.cmake

@@ -18,22 +18,23 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 if(USE_BUNDLED_DEPS)
   # explicitly force this dependency to use the bundled OpenSSL
   set(USE_BUNDLED_OPENSSL ON)
+  set(USE_BUNDLED_JQ ON)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
+# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
+# -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "85c88952b018fdbce2464222c3303229f5bfcfad")
-  set(SYSDIG_CHECKSUM "SHA256=6c3f5f2d699c9540e281f50cbc5cb6b580f0fc689798bc65d4a77f57f932a71c")
+  set(SYSDIG_VERSION "ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7")
+  set(SYSDIG_CHECKSUM "SHA256=43d274e4ce16b0d0e4dd00aab78006c902f36070d1cbb22d12a2685134a2ae51")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
+                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 

docker/no-driver/Dockerfile

@@ -13,7 +13,7 @@ WORKDIR /
 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
 RUN apt-get update -y && \
-    apt-get install -y libyaml-0-2 binutils && \
+    apt-get install -y binutils && \
     tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
@@ -43,9 +43,6 @@ COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
 COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
     /usr/lib/x86_64-linux-gnu/libstdc++.so.6
 
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
-    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
-
 COPY --from=ubuntu /etc/ld.so.cache \
     /etc/nsswitch.conf \
     /etc/ld.so.cache \

docker/tester/root/runners/deb.Dockerfile

@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}
 
 RUN apt update -y
-RUN apt install dkms libyaml-0-2 -y
+RUN apt install dkms -y
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb

docker/tester/root/runners/tar.gz.Dockerfile

@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}
 
 RUN apt update -y
-RUN apt install dkms libyaml-0-2 curl -y
+RUN apt install dkms curl -y
 
 ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
 RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /

docker/tester/root/usr/bin/entrypoint

@@ -69,7 +69,7 @@ case "$CMD" in
     # run tests
     echo "Running regression tests ..."
     cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
+    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
 
     # clean docker images
     clean_image "deb"

rules/falco_rules.yaml

@@ -55,11 +55,12 @@
 - macro: proc_name_exists
   condition: (proc.name!="<NA>")
 
-# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
 - macro: rename
-  condition: evt.type in (rename, renameat)
+  condition: evt.type in (rename, renameat, renameat2)
+
 - macro: mkdir
   condition: evt.type in (mkdir, mkdirat)
+
 - macro: remove
   condition: evt.type in (rmdir, unlink, unlinkat)
 
@@ -867,7 +868,7 @@
     proc.name = "exe"
     and (proc.cmdline contains "/var/lib/docker"
     or proc.cmdline contains "/var/run/docker")
-    and proc.pname in (dockerd, docker)
+    and proc.pname in (dockerd, docker, dockerd-current, docker-current)
 
 # Ideally we'd have a length check here as well but sysdig
 # filterchecks don't have operators like len()
@@ -1458,6 +1459,12 @@
 - macro: user_read_sensitive_file_conditions
   condition: cmp_cp_by_passwd
 
+- list: read_sensitive_file_images
+  items: []
+
+- macro: user_read_sensitive_file_containers
+  condition: (container and container.image.repository in (read_sensitive_file_images))
+
 - rule: Read sensitive file untrusted
   desc: >
     an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1482,6 +1489,7 @@
     and not perl_running_centrifydc
     and not runuser_reading_pam
     and not user_known_read_sensitive_files_activities
+    and not user_read_sensitive_file_containers
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
@@ -1824,7 +1832,7 @@
 # In this file, it just takes one of the images in trusted_containers
 # and repeats it.
 - macro: user_trusted_containers
-  condition: (container.image.repository endswith sysdig/agent)
+  condition: (never_true)
 
 - list: sematext_images
   items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
@@ -1835,10 +1843,11 @@
 # These container images are allowed to run with --privileged
 - list: falco_privileged_images
   items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig,
     gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
-    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
+    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
+    docker.io/falcosecurity/falco, sysdig/falco, sysdig/sysdig, falcosecurity/falco
     ]
 
 - macro: falco_privileged_containers
@@ -1847,7 +1856,7 @@
               container.image.repository in (trusted_images) or
               container.image.repository in (falco_privileged_images) or
               container.image.repository startswith istio/proxy_ or
-              container.image.repository startswith quay.io/sysdig)
+              container.image.repository startswith quay.io/sysdig/)
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1856,7 +1865,7 @@
 # In this file, it just takes one of the images in falco_privileged_images
 # and repeats it.
 - macro: user_privileged_containers
-  condition: (container.image.repository endswith sysdig/agent)
+  condition: (never_true)
 
 - list: rancher_images
   items: [
@@ -1868,7 +1877,7 @@
 # host filesystem.
 - list: falco_sensitive_mount_images
   items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig,
     gcr.io/google_containers/hyperkube,
     gcr.io/google_containers/kube-proxy, docker.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -1894,7 +1903,7 @@
 # In this file, it just takes one of the images in falco_sensitive_mount_images
 # and repeats it.
 - macro: user_sensitive_mount_containers
-  condition: (container.image.repository = docker.io/sysdig/agent)
+  condition: (never_true)
 
 - rule: Launch Privileged Container
   desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
@@ -2353,8 +2362,9 @@
 - macro: k8s_containers
   condition: >
     (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
-     gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco,
-     sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
+     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
 
 - macro: k8s_api_server
   condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -2760,7 +2770,7 @@
   condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
 - macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
+  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco))
   append: false
 
 # The rule is disabled by default.
@@ -2915,9 +2925,10 @@
 # Two things to pay attention to:
 #   1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged
 #   2) Drift rules will be noisy in environments in which containers are built (e.g. docker build)
+# These two rules are not enabled by default. Use `never_true` in macro condition to enable them.
 
 - macro: user_known_container_drift_activities
-  condition: (never_true)
+  condition: (always_true)
 
 - rule: Container Drift Detected (chmod)
   desc: New executable created in a container due to chmod

rules/k8s_audit_rules.yaml

@@ -46,6 +46,7 @@
 - list: allowed_k8s_users
   items: [
     "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
+    "kubernetes-admin",
     vertical_pod_autoscaler_users,
     ]
 
@@ -216,6 +217,19 @@
   source: k8s_audit
   tags: [k8s]
 
+- macro: user_known_pod_debug_activities
+  condition: (k8s_audit_never_true)
+
+# Only works when feature gate EphemeralContainers is enabled
+- rule: EphemeralContainers Created
+  desc: >
+    Detect any ephemeral container created
+  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
   items: [kube-system, kube-public, default]
@@ -231,8 +245,12 @@
 - list: user_trusted_image_list
   items: []
 
+- list: k8s_image_list
+  items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
+
 - macro: trusted_pod
-  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list))
+  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
+              ka.req.pod.containers.image.repository in (k8s_image_list))
 
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace

scripts/debian/falco

@@ -21,7 +21,7 @@
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: Falco syscall activity monitoring agent
+# Short-Description: Falco Cloud Native runtime security
 # Description:       Falco is a system activity monitoring agent
 #                    driven by system calls with support for containers.
 ### END INIT INFO
@@ -62,11 +62,11 @@ do_start()
 	#   0 if daemon has been started
 	#   1 if daemon was already running
 	#   2 if daemon could not be started
+	if [ ! -d /sys/module/falco ]; then
+		/sbin/modprobe falco || exit 2
+	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
 		|| return 1
-	if [ ! -d /sys/module/falco ]; then
-		/sbin/modprobe falco || exit 1
-	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
 		$DAEMON_ARGS \
 		|| return 2

scripts/falco-driver-loader

@@ -473,9 +473,8 @@ else
 	FALCO_DRIVER_CURL_OPTIONS=-fsS
 fi
 
-MAX_RMMOD_WAIT=60
-if [[ $# -ge 1 ]]; then
-	MAX_RMMOD_WAIT=$1
+if [[ -z "$MAX_RMMOD_WAIT" ]]; then
+	MAX_RMMOD_WAIT=60
 fi
 
 DRIVER_VERSION="@PROBE_VERSION@"

scripts/rpm/falco

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,10 +18,10 @@
 #
 
 #
-# falco syscall monitoring agent
+# Falco Cloud Native runtime security
 #
 # chkconfig:   2345 55 45
-# description: Falco syscall monitoring agent
+# description: Falco Cloud Native runtime security
 #
 
 ### BEGIN INIT INFO
@@ -52,10 +52,10 @@ start() {
     [ -x $exec ] || exit 5
     # [ -f $config ] || exit 6
     echo -n $"Starting $prog: "
-    daemon $exec --daemon --pidfile=$pidfile
     if [ ! -d /sys/module/falco ]; then
         /sbin/modprobe falco || return $?
     fi
+    daemon $exec --daemon --pidfile=$pidfile
     retval=$?
     echo
     [ $retval -eq 0 ] && touch $lockfile

test/CMakeLists.txt

@@ -1 +1,4 @@
 add_subdirectory(trace_files)
+
+add_custom_target(test-trace-files ALL)
+add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)

test/README.md

@@ -7,13 +7,25 @@ You can find instructions on how to run this test suite on the Falco website [he
 ## Test suites
 
 - [falco_tests](./falco_tests.yaml)
-- [falco_traces](./falco_traces.yaml)
+- [falco_traces](./falco_traces.yaml.in)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
 - [falco_tests_psp](./falco_tests_psp.yaml)
 
 ## Running locally
 
+This step assumes you already built Falco.
+
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+
+Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
+
+```console
+make test-trace-files
+```
+
+It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
+
 Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
 
 ```console
@@ -32,8 +44,72 @@ In case you want to only execute a specific test case, use the `--mux-filter-onl
 BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
 ```
 
-To obtain the path of all the available variants, execute:
+To obtain the path of all the available variants for a given test suite, execute:
 
 ```console
-avocado variants --mux-yaml falco_test.yaml
-```
+avocado variants --mux-yaml falco_tests.yaml
+```
+
+### falco_traces
+
+The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
+
+1. Ensure you have `unzip` and `xargs` utilities
+2. Prepare the test suite with the following command:
+
+    ```console
+    bash run_regression_tests.sh -p -v
+    ```
+
+### falco_tests_package
+
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+
+In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
+
+1. Ensure you have `docker` up and running
+2. Ensure you build Falco (with bundled deps)
+
+    The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
+    ```
+
+3. Ensure you build the Falco packages from the Falco above:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
+    ```
+
+4. Ensure you build the runners:
+
+    ```console
+    FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version  | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+    mkdir -p /tmp/runners-rootfs
+    cp -R ./test/rules /tmp/runners-rootfs
+    cp -R ./test/trace_files /tmp/runners-rootfs
+    cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
+    ```
+
+5. Run the `falco_tests_package.yaml` test suite from the `test` directory
+
+    ```console
+    cd test
+    BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
+    ```
+
+### Execute all the test suites
+
+In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
+
+```console
+cd test
+./run_regression_tests.sh -v
+```
+
+Just make sure you followed all the previous setup steps.

test/driver-loader/run_test.sh

@@ -20,17 +20,17 @@ set -euo pipefail
 BUILD_DIR=$1
 
 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
+SCRIPTDIR=$(dirname "$SCRIPT")
 RUNNERDIR="${SCRIPTDIR}/runner"
 FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"
 
 cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
-pushd ${RUNNERDIR}
+pushd "${RUNNERDIR}"
 docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
     -t falcosecurity/falco:test-driver-loader \
-    -f "${RUNNERDIR}/Dockerfile" ${RUNNERDIR}
+    -f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
 popd
 rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"
 

test/driver-loader/runner/Dockerfile

@@ -10,7 +10,6 @@ ENV HOST_ROOT=/host
 RUN apt-get update -y
 RUN apt-get install -y --no-install-recommends \
 	ca-certificates \
-	libyaml-0-2 \
 	dkms \
 	curl \
 	gcc \

test/falco_traces.yaml.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

test/run_regression_tests.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,45 +18,46 @@
 set -euo pipefail
 
 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
-BUILD_DIR=$1
-BRANCH=${2:-none}
-
-TRACE_DIR=$BUILD_DIR/test
-
-mkdir -p $TRACE_DIR
+SCRIPTDIR=$(dirname "$SCRIPT")
 
 function download_trace_files() {
-    echo "branch=$BRANCH"
     for TRACE in traces-positive traces-negative traces-info ; do
-	if [ ! -e $TRACE_DIR/$TRACE ]; then
-	    if [ $BRANCH != "none" ]; then
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$BRANCH.zip
-	    else
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
-	    fi
-	    unzip -d $TRACE_DIR $TRACE_DIR/$TRACE.zip
-	    rm -rf $TRACE_DIR/$TRACE.zip
-	fi
+    if [ ! -e "$TRACE_DIR/$TRACE" ]; then
+        if [ "$OPT_BRANCH" != "none" ]; then
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
+        else
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
+        fi
+        unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
+        rm -rf "$TRACE_DIR/$TRACE.zip"
+    else
+        if ${OPT_VERBOSE}; then
+            echo "Trace directory $TRACE_DIR/$TRACE already exist: skipping"
+        fi
+    fi
     done
 }
 
 function prepare_multiplex_fileset() {
-
     dir=$1
     detect=$2
 
-    for trace in $TRACE_DIR/$dir/*.scap ; do
-	[ -e "$trace" ] || continue
-	NAME=`basename $trace .scap`
+    for trace in "$TRACE_DIR/$dir"/*.scap ; do
+        [ -e "$trace" ] || continue
+        NAME=$(basename "$trace" .scap)
 
-	# falco_traces.yaml might already have an entry for this trace
-	# file, with specific detection levels and counts. If so, skip
-	# it. Otherwise, add a generic entry showing whether or not to
-	# detect anything.
-	grep -q "$NAME:" $SCRIPTDIR/falco_traces.yaml && continue
+        # falco_traces.yaml might already have an entry for this trace file, with specific detection levels and counts.
+        # If so, skip it.
+        # Otherwise, add a generic entry showing whether or not to detect anything.
+        if grep -q "$NAME:" "$SCRIPTDIR/falco_traces.yaml"; then
+            if ${OPT_VERBOSE}; then
+                echo "Entry $NAME already exist: skipping"
+            fi
+            continue
+        fi
+
+        cat << EOF >> "$SCRIPTDIR/falco_traces.yaml"
 
-	cat << EOF >> $SCRIPTDIR/falco_traces.yaml
   $NAME:
     detect: $detect
     detect_level: WARNING
@@ -66,41 +67,96 @@ EOF
 }
 
 function prepare_multiplex_file() {
-    cp $SCRIPTDIR/falco_traces.yaml.in $SCRIPTDIR/falco_traces.yaml
+    /bin/cp -f "$SCRIPTDIR/falco_traces.yaml.in" "$SCRIPTDIR/falco_traces.yaml"
 
     prepare_multiplex_fileset traces-positive True
     prepare_multiplex_fileset traces-negative False
     prepare_multiplex_fileset traces-info True
 
-    echo "Contents of $SCRIPTDIR/falco_traces.yaml:"
-    cat $SCRIPTDIR/falco_traces.yaml
+    if ${OPT_VERBOSE}; then
+        echo "Contents of $SCRIPTDIR/falco_traces.yaml"
+        cat "$SCRIPTDIR/falco_traces.yaml"
+    fi
 }
 
 function print_test_failure_details() {
     echo "Showing full job logs for any tests that failed:"
-    jq '.tests[] | select(.status != "PASS") | .logfile' $SCRIPTDIR/job-results/latest/results.json  | xargs cat
+    jq '.tests[] | select(.status != "PASS") | .logfile' "$SCRIPTDIR/job-results/latest/results.json" | xargs cat
 }
 
 function run_tests() {
     rm -rf /tmp/falco_outputs
     mkdir /tmp/falco_outputs
-    # If we got this far, we can undo set -e, as we're watching the
-    # return status when running avocado.
+    # If we got this far, we can undo set -e,
+    # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
     for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
-	CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
-	echo "Running: $CMD"
-	BUILD_DIR=${BUILD_DIR} $CMD
-	RC=$?
-	TEST_RC=$((TEST_RC+$RC))
-	if [ $RC -ne 0 ]; then
-	    print_test_failure_details
-	fi
+        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        echo "Running $CMD"
+        BUILD_DIR=${OPT_BUILD_DIR} $CMD
+        RC=$?
+        TEST_RC=$((TEST_RC+RC))
+        if [ $RC -ne 0 ]; then
+            print_test_failure_details
+        fi
     done
 }
 
+OPT_ONLY_PREPARE="false"
+OPT_VERBOSE="false"
+OPT_BUILD_DIR="$(dirname "$SCRIPTDIR")/build"
+OPT_BRANCH="none"
+while getopts ':p :h :v :b: :d:' 'OPTKEY'; do
+    case ${OPTKEY} in
+        'p')
+            OPT_ONLY_PREPARE="true"
+            ;;
+        'h')
+            /bin/bash usage
+            exit 0
+            ;;
+        'v')
+            OPT_VERBOSE="true"
+            ;;
+        'd')
+            OPT_BUILD_DIR=${OPTARG}
+            ;;
+        'b')
+            OPT_BRANCH=${OPTARG}
+            ;;
+        '?')
+            echo "Invalid option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        ':')
+            echo "Missing argument for option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        *)
+            echo "Unimplemented option: ${OPTKEY}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        esac
+done
+
+TRACE_DIR=$OPT_BUILD_DIR/test
+
+if ${OPT_VERBOSE}; then
+    echo "Build directory = $OPT_BUILD_DIR"
+    echo "Trace directory = $TRACE_DIR"
+    echo "Custom branch   = $OPT_BRANCH"
+fi
+
+mkdir -p "$TRACE_DIR"
+
 download_trace_files
 prepare_multiplex_file
-run_tests
-exit $TEST_RC
+
+if ! ${OPT_ONLY_PREPARE}; then
+    run_tests
+    exit $TEST_RC
+fi

test/trace_files/CMakeLists.txt

@@ -1,5 +1,6 @@
 add_subdirectory(k8s_audit)
 add_subdirectory(psp)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
@@ -11,4 +12,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-base-scap ALL)
+add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})

test/trace_files/k8s_audit/CMakeLists.txt

@@ -9,4 +9,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-k8s-audit ALL)
+add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})

test/trace_files/psp/CMakeLists.txt

@@ -10,4 +10,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-psp ALL)
+add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})

test/usage

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+cat <<EOF
+Hello, this is Falco integration tests runner.
+
+SYNOPSIS
+
+    bash run_regression_tests.sh [-h] [-v] [-p] [-d=<build directory>] [-b=<custom branch>]
+
+DESCRIPTION
+
+    -h                      Display usage instructions
+    -v                      Verbose output
+    -p                      Prepare the falco_traces integration test suite
+    -b=CUSTOM_BRANCH        Specify a custom branch for downloading falco_traces fixtures (defaults to "none")
+    -d=BUILD_DIRECTORY      Specify the build directory where Falco has been built (defaults to $SCRIPTDIR/../build)
+EOF

userspace/engine/CMakeLists.txt

@@ -23,6 +23,10 @@ set(FALCO_ENGINE_SOURCE_FILES
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
 add_dependencies(falco_engine njson lyaml lpeg string-view-lite)
 
+if(USE_BUNDLED_DEPS)
+  add_dependencies(falco_engine libyaml)
+endif()
+
 target_include_directories(
   falco_engine
   PUBLIC

userspace/falco/CMakeLists.txt

@@ -75,6 +75,7 @@ target_include_directories(
     "${STRING_VIEW_LITE_INCLUDE}"
     "${YAMLCPP_INCLUDE_DIR}"
     "${CIVETWEB_INCLUDE_DIR}"
+    "${OPENSSL_INCLUDE_DIR}"
     "${GRPC_INCLUDE}"
     "${GRPCPP_INCLUDE}"
     "${PROTOBUF_INCLUDE}"
@@ -89,6 +90,8 @@ target_link_libraries(
   "${GRPC_LIB}"
   "${GRPCPP_LIB}"
   "${PROTOBUF_LIB}"
+  "${OPENSSL_LIBRARY_SSL}"
+  "${OPENSSL_LIBRARY_CRYPTO}"
   "${LIBYAML_LIB}"
   "${YAMLCPP_LIB}"
   "${CIVETWEB_LIB}")

userspace/falco/falco.cpp

@@ -158,6 +158,8 @@ static void usage()
 	   "                               This causes every single line emitted by falco to be flushed,\n"
 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
 	   "                               into another process or into a script.\n"
+	   " -u, --userspace               Parse events from userspace.\n"
+	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
 	   "                               Can be specified multiple times to validate multiple files.\n"
 	   " -v                            Verbose output.\n"
@@ -443,6 +445,7 @@ int falco_init(int argc, char **argv)
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
+	bool userspace = false;
 
 	// Used for writing trace files
 	int duration_seconds = 0;
@@ -482,6 +485,7 @@ int falco_init(int argc, char **argv)
         {"stats-interval", required_argument, 0},
         {"support", no_argument, 0},
         {"unbuffered", no_argument, 0, 'U'},
+        {"userspace", no_argument, 0, 'u'},
         {"validate", required_argument, 0, 'V'},
         {"version", no_argument, 0, 0},
         {"writefile", required_argument, 0, 'w'},
@@ -500,7 +504,7 @@ int falco_init(int argc, char **argv)
 		// Parse the args
 		//
 		while((op = getopt_long(argc, argv,
-                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UvV:w:",
+                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
                                         long_options, &long_index)) != -1)
 		{
 			switch(op)
@@ -607,6 +611,9 @@ int falco_init(int argc, char **argv)
 				buffered_outputs = false;
 				buffered_cmdline = true;
 				break;
+			case 'u':
+				userspace = true;
+				break;
 			case 'v':
 				verbose = true;
 				break;
@@ -795,12 +802,16 @@ int falco_init(int argc, char **argv)
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
 
 			// log after config init because config determines where logs go
+			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 		}
 		else
 		{
 			config.init(cmdline_options);
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
+
+			// log after config init because config determines where logs go
+			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}
 
@@ -1091,7 +1102,17 @@ int falco_init(int argc, char **argv)
 		}
 		else
 		{
-			open_t open_cb = [](sinsp* inspector) {
+			open_t open_cb = [&userspace](sinsp* inspector)
+			{
+				if(userspace)
+				{
+					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+					//
+					// Falco uses a ptrace(2) based userspace implementation.
+					// Regardless of the implementation, the underlying method remains the same.
+					inspector->open_udig();
+					return;
+				}
 				inspector->open();
 			};
 			open_t open_nodriver_cb = [](sinsp* inspector) {
@@ -1116,11 +1137,17 @@ int falco_init(int argc, char **argv)
 			}
 			catch(sinsp_exception &e)
 			{
-				if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+				// If syscall input source is enabled and not through userspace instrumentation
+				if (!disable_syscall && !userspace)
 				{
-					falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+					// Try to insert the Falco kernel module
+					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+					{
+						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+					}
+					open_f(inspector);
 				}
-				open_f(inspector);
+				rethrow_exception(current_exception());
 			}
 		}
 
@@ -1139,7 +1166,7 @@ int falco_init(int argc, char **argv)
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 
 		//
-		// run k8s, if required
+		// Run k8s, if required
 		//
 		if(k8s_api)
 		{
@@ -1178,7 +1205,7 @@ int falco_init(int argc, char **argv)
 		}
 
 		//
-		// run mesos, if required
+		// Run mesos, if required
 		//
 		if(mesos_api)
 		{