Falco test changes (small output matches) for actions

With the advent of actions, there is a more concrete line between
runtime errors (e.g. things that throw exceptions) and errors returned
by actions.

Some of the plugins tests were expecting errors to be returned by
exceptions (e.g. with a leading "Runtime error: and a trailing "
Exiting.").

With actions changes, the errors are just returned directly in
application::run(), so drop the leading and trailing bits in expected
test outputs.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

test/falco_tests_plugins.yaml

@@ -54,21 +54,21 @@ trace_files: !mux
 
   multiple_source_plugins:
     exit_status: 1
-    stderr_contains: "Runtime error: Can not load multiple source plugins. cloudtrail already loaded. Exiting."
+    stderr_contains: "Can not load multiple source plugins. cloudtrail already loaded."
     conf_file: BUILD_DIR/test/confs/plugins/multiple_source_plugins.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompatible_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugin not compatible with event source aws_cloudtrail. Exiting."
+    stderr_contains: "Extractor plugin not compatible with event source aws_cloudtrail."
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   overlap_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugins have overlapping compatible event source test_source. Exiting."
+    stderr_contains: "Extractor plugins have overlapping compatible event source test_source."
     conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
@@ -82,7 +82,7 @@ trace_files: !mux
 
   incompat_plugin_rules_version:
     exit_status: 1
-    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
+    stderr_contains: "Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0."
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     rules_file:
       - rules/plugins/cloudtrail_incompat_plugin_version.yaml

tests/CMakeLists.txt

@@ -17,17 +17,25 @@
 if(MINIMAL_BUILD)
   set(
     FALCO_TESTS_SOURCES
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_runnable_action.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_action_manager.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/logger.cpp
     test_base.cpp
     engine/test_rulesets.cpp
     engine/test_falco_utils.cpp
+    falco/test_actions.cpp
     falco/test_configuration.cpp
   )
 else()
   set(
     FALCO_TESTS_SOURCES
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_runnable_action.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_action_manager.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/logger.cpp
     test_base.cpp
     engine/test_rulesets.cpp
     engine/test_falco_utils.cpp
+    falco/test_actions.cpp
     falco/test_configuration.cpp
     falco/test_webserver.cpp
   )

tests/falco/test_actions.cpp

@@ -0,0 +1,387 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_action_manager.h"
+
+#include <algorithm>
+#include <list>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <catch.hpp>
+
+// Test actions just record the order they were run (or skipped)
+class test_action : public falco::app::runnable_action {
+public:
+
+	static std::vector<std::string> s_actions_run;
+
+	test_action(const std::string &name,
+		    const std::string &group,
+		    const std::list<std::string> &prerequsites,
+		    run_result res)
+		: m_name(name),
+		  m_group(group),
+		  m_prerequsites(prerequsites),
+		  m_res(res)
+		{
+		}
+
+	~test_action()
+		{
+		}
+
+	const std::string &name()
+	{
+		return m_name;
+	}
+
+	const std::string &group()
+	{
+		return m_group;
+	}
+
+	const std::list<std::string> &prerequsites()
+	{
+		return m_prerequsites;
+	}
+
+	run_result run()
+	{
+		s_actions_run.push_back(m_name);
+		return m_res;
+	}
+
+private:
+	std::string m_name;
+	std::string m_group;
+	std::list<std::string> m_prerequsites;
+	run_result m_res;
+};
+
+std::vector<std::string> test_action::s_actions_run;
+
+static std::list<std::string> empty;
+static std::list<std::string> prereq_a = {"a"};
+static std::list<std::string> prereq_aa = {"aa"};
+static std::list<std::string> prereq_ab = {"ab"};
+static std::list<std::string> prereq_m = {"m"};
+static std::list<std::string> prereq_n = {"n"};
+
+// The action names denote the dependency order e.g. "a", "b", "c" are
+// all independent, "aa" and "ab" depend on a but are independent of
+// each other, "aaa" "aab" depend on "aa" but are independent, etc.
+
+static falco::app::runnable_action::run_result success_proceed{true, "", true};
+
+static falco::app::runnable_action::run_result success_noproceed{true, "", false};
+
+
+static std::shared_ptr<test_action> a = std::make_shared<test_action>(std::string("a"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> a_noproceed = std::make_shared<test_action>(std::string("a"),
+										std::string("init"),
+										empty,
+										success_noproceed);
+
+static std::shared_ptr<test_action> b = std::make_shared<test_action>(std::string("b"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> c = std::make_shared<test_action>(std::string("c"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> d = std::make_shared<test_action>(std::string("d"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+std::shared_ptr<test_action> aa = std::make_shared<test_action>(std::string("aa"),
+								std::string("init"),
+								prereq_a,
+								success_proceed);
+
+std::shared_ptr<test_action> ab = std::make_shared<test_action>(std::string("ab"),
+								std::string("init"),
+								prereq_a,
+								success_proceed);
+
+std::shared_ptr<test_action> aa_noproceed = std::make_shared<test_action>(std::string("aa"),
+									  std::string("init"),
+									  prereq_a,
+									  success_noproceed);
+
+std::shared_ptr<test_action> aaa = std::make_shared<test_action>(std::string("aaa"),
+								 std::string("init"),
+								 prereq_aa,
+								 success_proceed);
+
+std::shared_ptr<test_action> aab = std::make_shared<test_action>(std::string("aab"),
+								 std::string("init"),
+								 prereq_aa,
+								 success_proceed);
+
+std::shared_ptr<test_action> aba = std::make_shared<test_action>(std::string("aba"),
+								 std::string("init"),
+								 prereq_ab,
+								 success_proceed);
+
+static std::shared_ptr<test_action> m = std::make_shared<test_action>(std::string("m"),
+								      std::string("run"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> ma = std::make_shared<test_action>(std::string("ma"),
+								       std::string("run"),
+								       prereq_m,
+								       success_proceed);
+
+static std::shared_ptr<test_action> n = std::make_shared<test_action>(std::string("n"),
+								      std::string("run"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> na = std::make_shared<test_action>(std::string("na"),
+								       std::string("run"),
+								       prereq_n,
+								       success_proceed);
+
+static std::vector<std::string>::iterator find_action(const std::string &name,
+						      std::vector<std::string>::iterator begin = test_action::s_actions_run.begin())
+{
+	return std::find(begin,
+			 test_action::s_actions_run.end(),
+			 name);
+}
+
+static bool action_is_found(const std::string &name,
+			    std::vector<std::string>::iterator begin = test_action::s_actions_run.begin())
+{
+	auto it = find_action(name, begin);
+
+	return (it != test_action::s_actions_run.end());
+}
+
+TEST_CASE("action manager can add and run actions", "[actions]")
+{
+	std::list<std::string> groups = {"init", "run"};
+
+	SECTION("Two independent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(b);
+
+		amgr.run();
+
+		// Can't compare to any direct vector as order is not guaranteed
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+	}
+
+	SECTION("Two dependent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("One independent, two dependent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa);
+		amgr.add(b);
+
+		amgr.run();
+
+		// Can't compare to any direct vector as order is not guaranteed
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(aa->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+
+		// Ensure that aa appears after a
+		auto it = find_action(a->name());
+		REQUIRE(action_is_found(aa->name(), it) == true);
+	}
+
+	SECTION("Two dependent, first does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a_noproceed);
+		amgr.add(aa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Two dependent, second does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa_noproceed);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Three dependent, first does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a_noproceed);
+		amgr.add(aa);
+		amgr.add(aaa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Three dependent, second does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa_noproceed);
+		amgr.add(aaa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Groups")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(ma);
+		amgr.add(m);
+		amgr.add(aa);
+		amgr.add(a);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa", "m", "ma"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Complex")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(b);
+		amgr.add(c);
+		amgr.add(d);
+		amgr.add(aa);
+		amgr.add(ab);
+		amgr.add(aaa);
+		amgr.add(aab);
+		amgr.add(aba);
+		amgr.add(m);
+		amgr.add(ma);
+		amgr.add(n);
+		amgr.add(na);
+
+		amgr.run();
+
+		// a, b, c, d must be found. Order not specified.
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+		REQUIRE(action_is_found(c->name()) == true);
+		REQUIRE(action_is_found(d->name()) == true);
+
+		// aa, ab must be after a.
+		auto it = find_action(a->name());
+		REQUIRE(action_is_found(aa->name(), it) == true);
+		REQUIRE(action_is_found(ab->name(), it) == true);
+
+		// aaa, aab must be after aa
+		it = find_action(aa->name());
+		REQUIRE(action_is_found(aaa->name(), it) == true);
+		REQUIRE(action_is_found(aab->name(), it) == true);
+
+		// aba must be after ab
+		it = find_action(ab->name());
+		REQUIRE(action_is_found(aba->name(), it) == true);
+
+		// The run actions must be the last four
+		std::vector<std::string>::iterator last_four = test_action::s_actions_run.end() - 4;
+		REQUIRE(action_is_found(m->name(), last_four) == true);
+		REQUIRE(action_is_found(ma->name(), last_four) == true);
+		REQUIRE(action_is_found(n->name(), last_four) == true);
+		REQUIRE(action_is_found(na->name(), last_four) == true);
+
+		// ma must be after m
+		it = find_action(m->name());
+		REQUIRE(action_is_found(ma->name(), it) == true);
+
+		// na must be after n
+		it = find_action(n->name());
+		REQUIRE(action_is_found(na->name(), it) == true);
+	}
+}

userspace/engine/formats.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-falco_formats::falco_formats(falco_engine *engine,
+falco_formats::falco_formats(std::shared_ptr<falco_engine> engine,
 			     bool json_include_output_property,
 			     bool json_include_tags_property)
 	: m_falco_engine(engine),

userspace/engine/formats.h

@@ -33,7 +33,7 @@ extern "C"
 class falco_formats
 {
 public:
-	falco_formats(falco_engine *engine,
+	falco_formats(std::shared_ptr<falco_engine> engine,
 		      bool json_include_output_property,
 		      bool json_include_tags_property);
 	virtual ~falco_formats();
@@ -45,7 +45,7 @@ public:
 					     const std::string &format);
 
 protected:
-	falco_engine *m_falco_engine;
+	std::shared_ptr<falco_engine> m_falco_engine;
 	bool m_json_include_output_property;
 	bool m_json_include_tags_property;
 };

userspace/falco/CMakeLists.txt

@@ -17,6 +17,31 @@ set(
   FALCO_SOURCES
   application.cpp
   app_cmdline_options.cpp
+  app_action.cpp
+  app_runnable_action.cpp
+  app_actions/create_signal_handlers.cpp
+  app_actions/easyopts_action.cpp
+  app_actions/init_action.cpp
+  app_actions/run_action.cpp
+  app_actions/init_falco_engine.cpp
+  app_actions/init_inspector.cpp
+  app_actions/init_outputs.cpp
+  app_actions/list_fields.cpp
+  app_actions/list_plugins.cpp
+  app_actions/load_config.cpp
+  app_actions/load_plugins.cpp
+  app_actions/load_rules_files.cpp
+  app_actions/print_help.cpp
+  app_actions/print_ignored_events.cpp
+  app_actions/print_support.cpp
+  app_actions/print_version.cpp
+  app_actions/start_grpc_server.cpp
+  app_actions/start_webserver.cpp
+  app_actions/validate_rules_files.cpp
+  app_actions/daemonize.cpp
+  app_actions/open_inspector.cpp
+  app_actions/process_events.cpp
+  app_action_manager.cpp
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
@@ -131,6 +156,7 @@ target_include_directories(
   falco
   PUBLIC
   ${FALCO_INCLUDE_DIRECTORIES}
+  ${CMAKE_CURRENT_SOURCE_DIR}
 )
 
 if(NOT MINIMAL_BUILD)

userspace/falco/app_action.cpp

@@ -0,0 +1,48 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+action::action(application &app)
+	: m_app(app)
+{
+}
+
+action::~action()
+{
+}
+
+application &action::app()
+{
+	return m_app;
+}
+
+cmdline_options &action::options()
+{
+	return m_app.options();
+}
+
+application::action_state &action::state()
+{
+	return m_app.state();
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_action.h

@@ -0,0 +1,59 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "application.h"
+#include "app_cmdline_options.h"
+#include "app_runnable_action.h"
+
+namespace falco {
+namespace app {
+
+// This class represents an "action" e.g. a chunk of code to execute
+// as a part of running the falco application. Examples of actions are:
+//   - initializing/configuring the inspector
+//   - loading/configuring plugins
+//   - reading events from a trace file or live event source
+//
+// Actions also include "one off" actions for things like --help
+// output, --list fields, etc.
+//
+// There's no attempt to distribute state (e.g. inspectors, lists of
+// plugins, etc) across actions or have ways to advertise what state
+// an action manages. The expectation is that all state that needs to
+// be used across actions is held in the provided application object
+// and actions know which state they should create and destroy.
+
+// The reason for a sublcass is to allow for building/running unit
+// tests for the action manager without bringing in all of the falco
+// application code (engine, outputs, grpc, etc).
+class action : public runnable_action {
+public:
+	action(application &app);
+	virtual ~action();
+
+	application &app();
+
+	cmdline_options &options();
+	application::action_state &state();
+
+private:
+	application &m_app;
+};
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_action_manager.cpp

@@ -0,0 +1,163 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_action_manager.h"
+#include "logger.h"
+#include "falco_common.h"
+
+#include <algorithm>
+#include <list>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+namespace falco {
+namespace app {
+
+action_manager::action_manager()
+{
+}
+
+action_manager::~action_manager()
+{
+}
+
+void action_manager::set_groups(std::list<std::string> &groups)
+{
+	m_groups = groups;
+}
+
+void action_manager::add(std::shared_ptr<runnable_action> act)
+{
+	m_actions[act->name()] = act;
+}
+
+runnable_action::run_result action_manager::run()
+{
+	runnable_action::run_result res;
+
+	sort_groups();
+	res = run_groups();
+	deinit_groups();
+
+	return res;
+}
+
+void action_manager::sort_groups()
+{
+	for(auto &group : m_groups)
+	{
+		std::vector<std::shared_ptr<runnable_action>> actions_ordered;
+
+		for(auto &pair : m_actions)
+		{
+			if(pair.second->group() == group)
+			{
+				actions_ordered.push_back(pair.second);
+			}
+		}
+
+		auto compare = [this](const std::shared_ptr<runnable_action> &a,
+				      const std::shared_ptr<runnable_action> &b) {
+			return this->compare_actions(a, b);
+		};
+
+		// Order the actions according to precedence
+		std::sort(actions_ordered.begin(), actions_ordered.end(), compare);
+
+		m_actions_ordered[group] = std::move(actions_ordered);
+	}
+}
+
+runnable_action::run_result action_manager::run_groups()
+{
+	runnable_action::run_result res;
+
+	for(auto &group : m_groups)
+	{
+		falco_logger::log(LOG_DEBUG, string("Running group ") + group);
+
+		for(auto &act : m_actions_ordered[group])
+		{
+			falco_logger::log(LOG_DEBUG, string("Running action ") + act->name());
+
+			res = act->run();
+
+			if(!res.success)
+			{
+				falco_logger::log(LOG_DEBUG, string("Could not complete ") + act->name() + " : " + res.errstr);
+			}
+
+			if(!res.proceed)
+			{
+				break;
+			}
+		}
+
+		if(!res.proceed)
+		{
+			break;
+		}
+	}
+
+	return res;
+}
+
+void action_manager::deinit_groups()
+{
+	for(auto &group : m_groups)
+	{
+		for(auto &act : m_actions_ordered[group])
+		{
+			falco_logger::log(LOG_DEBUG, string("Deinitializing action ") + act->name());
+
+			act->deinit();
+		}
+	}
+}
+
+bool action_manager::compare_actions(const std::shared_ptr<runnable_action> &a, const std::shared_ptr<runnable_action> &b)
+{
+	// Check b's prerequsites. If a is found return true.
+	for(auto &prereq_name : b->prerequsites())
+	{
+		if(prereq_name == a->name())
+		{
+			return true;
+		}
+	}
+
+	// Not a direct dependency. Check b's prerequsites recursively
+	for(auto &prereq_name : b->prerequsites())
+	{
+		auto it = m_actions.find(prereq_name);
+		if(it == m_actions.end())
+		{
+			throw falco_exception("No action with name " + prereq_name + " exists?");
+		}
+
+		if(compare_actions(a, it->second))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_action_manager.h

@@ -0,0 +1,67 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "app_runnable_action.h"
+
+#include <list>
+#include <memory>
+#include <map>
+#include <string>
+#include <vector>
+
+namespace falco {
+namespace app {
+
+// This class manages a set of actions, ensuring that they run in an
+// order that honors their dependencies, groups and their run results.
+
+class action_manager {
+public:
+	action_manager();
+	virtual ~action_manager();
+
+	// Actions are organized into groups. All actions from a
+	// given group are run before actions from another group.
+	//
+	// Example groups are "init", "run", etc.
+	//
+	// This specifies the order of groups.
+	void set_groups(std::list<std::string> &groups);
+
+	void add(std::shared_ptr<runnable_action> act);
+
+	runnable_action::run_result run();
+
+private:
+
+	typedef std::vector<std::shared_ptr<runnable_action>> ordered_actions_t;
+
+	void sort_groups();
+	runnable_action::run_result run_groups();
+	void deinit_groups();
+
+	// Return true if a is less (e.g. a should run before b)
+	bool compare_actions(const std::shared_ptr<runnable_action> &a, const std::shared_ptr<runnable_action> &b);
+
+	std::list<std::string> m_groups;
+	std::map<std::string, std::shared_ptr<runnable_action>> m_actions;
+	std::map<std::string, ordered_actions_t> m_actions_ordered;
+};
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_actions/create_signal_handlers.cpp

@@ -0,0 +1,99 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string.h>
+#include <signal.h>
+
+#include "create_signal_handlers.h"
+
+static void signal_callback(int signal)
+{
+	falco::app::application::get().state().terminate = true;
+}
+
+static void reopen_outputs(int signal)
+{
+	falco::app::application::get().state().reopen_outputs = true;
+}
+
+static void restart_falco(int signal)
+{
+	falco::app::application::get().state().restart = true;
+}
+
+namespace falco {
+namespace app {
+
+act_create_signal_handlers::act_create_signal_handlers(application &app)
+	: init_action(app), m_name("create signal handlers")
+{
+}
+
+act_create_signal_handlers::~act_create_signal_handlers()
+{
+}
+
+const std::string &act_create_signal_handlers::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_create_signal_handlers::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_create_signal_handlers::run()
+{
+	run_result ret = {true, "", true};
+
+	if(! create_handler(SIGINT, signal_callback, ret) ||
+	   ! create_handler(SIGTERM, signal_callback, ret) ||
+	   ! create_handler(SIGUSR1, reopen_outputs, ret) ||
+	   ! create_handler(SIGHUP, restart_falco, ret))
+	{
+		return ret;
+	}
+
+	return ret;
+}
+
+bool act_create_signal_handlers::create_handler(int sig, void (*func)(int), run_result &ret)
+{
+	if(signal(sig, func) == SIG_ERR)
+	{
+		char errbuf[1024];
+
+		if (strerror_r(errno, errbuf, sizeof(errbuf)) != 0)
+		{
+			snprintf(errbuf, sizeof(errbuf)-1, "Errno %d", errno);
+		}
+
+		ret.success = false;
+		ret.errstr = std::string("Could not create signal handler for ") +
+			   strsignal(sig) +
+			   ": " +
+			   errbuf;
+
+		ret.proceed = false;
+	}
+
+	return ret.success;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/create_signal_handlers.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_create_signal_handlers : public init_action {
+public:
+	act_create_signal_handlers(application &app);
+	virtual ~act_create_signal_handlers();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+
+	bool create_handler(int sig, void (*func)(int), run_result &ret);
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/daemonize.cpp

@@ -0,0 +1,115 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "daemonize.h"
+
+namespace falco {
+namespace app {
+
+act_daemonize::act_daemonize(application &app)
+	: run_action(app), m_name("daemonize"), m_daemonized(false)
+{
+}
+
+act_daemonize::~act_daemonize()
+{
+}
+
+const std::string &act_daemonize::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_daemonize::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_daemonize::run()
+{
+	run_result ret = {true, "", true};
+
+	// If daemonizing, do it here so any init errors will
+	// be returned in the foreground process.
+	if (options().daemon && !m_daemonized) {
+		pid_t pid, sid;
+
+		pid = fork();
+		if (pid < 0) {
+			// error
+			ret.success = false;
+			ret.errstr = "Could not fork.";
+			ret.proceed = false;
+			return ret;
+		} else if (pid > 0) {
+			// parent. Write child pid to pidfile and exit
+			std::ofstream pidfile;
+			pidfile.open(options().pidfilename);
+
+			if (!pidfile.good())
+			{
+				ret.success = false;
+				ret.errstr = string("Could not write pid to pid file ") + options().pidfilename + ".";
+				ret.proceed = false;
+				return ret;
+			}
+			pidfile << pid;
+			pidfile.close();
+			return ret;
+		}
+		// if here, child.
+
+		// Become own process group.
+		sid = setsid();
+		if (sid < 0) {
+			ret.success = false;
+			ret.errstr = string("Could not set session id.");
+			ret.proceed = false;
+			return ret;
+		}
+
+		// Set umask so no files are world anything or group writable.
+		umask(027);
+
+		// Change working directory to '/'
+		if ((chdir("/")) < 0) {
+			ret.success = false;
+			ret.errstr = string("Could not change working directory to '/'.");
+			ret.proceed = false;
+			return ret;
+		}
+
+		// Close stdin, stdout, stderr and reopen to /dev/null
+		close(0);
+		close(1);
+		close(2);
+		open("/dev/null", O_RDONLY);
+		open("/dev/null", O_RDWR);
+		open("/dev/null", O_RDWR);
+
+		m_daemonized = true;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/daemonize.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_daemonize : public run_action {
+public:
+	act_daemonize(application &app);
+	virtual ~act_daemonize();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+	bool m_daemonized;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/easyopts_action.cpp

@@ -0,0 +1,40 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "easyopts_action.h"
+
+namespace falco {
+namespace app {
+
+static std::string easyopts_group = "easyopts";
+
+easyopts_action::easyopts_action(application &app)
+	: action(app)
+{
+}
+
+easyopts_action::~easyopts_action()
+{
+}
+
+const std::string &easyopts_action::group()
+{
+	return easyopts_group;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/easyopts_action.h

@@ -0,0 +1,37 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+// All actions in the "easyopts" group derive from this class
+
+class easyopts_action : public action {
+public:
+	easyopts_action(application &app);
+	virtual ~easyopts_action();
+
+	const std::string &group() override;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_action.cpp

@@ -0,0 +1,40 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+static std::string init_group = "init";
+
+init_action::init_action(application &app)
+	: action(app)
+{
+}
+
+init_action::~init_action()
+{
+}
+
+const std::string &init_action::group()
+{
+	return init_group;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_action.h

@@ -0,0 +1,37 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+// All actions in the "init" group derive from this class
+
+class init_action : public action {
+public:
+	init_action(application &app);
+	virtual ~init_action();
+
+	const std::string &group() override;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_falco_engine.cpp

@@ -0,0 +1,118 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "init_falco_engine.h"
+
+namespace falco {
+namespace app {
+
+act_init_falco_engine::act_init_falco_engine(application &app)
+	: init_action(app), m_name("init falco engine"),
+	  m_prerequsites({"init inspector", "load config"})
+{
+}
+
+act_init_falco_engine::~act_init_falco_engine()
+{
+}
+
+const std::string &act_init_falco_engine::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_falco_engine::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_falco_engine::run()
+{
+	run_result ret = {true, "", true};
+
+	configure_output_format();
+
+	// Create "factories" that can create filters/formatters for
+	// syscalls and k8s audit events.
+
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(state().inspector.get()));
+	std::shared_ptr<gen_event_filter_factory> k8s_audit_filter_factory(new json_event_filter_factory());
+
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get()));
+	std::shared_ptr<gen_event_formatter_factory> k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory));
+
+	state().engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
+	state().engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
+
+	if(state().config->m_json_output)
+	{
+		syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+		k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+	}
+
+	for(const auto &src : options().disable_sources)
+	{
+		state().enabled_sources.erase(src);
+	}
+
+	// XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin.
+	if(state().enabled_sources.empty())
+	{
+		throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
+	}
+
+	state().engine->set_min_priority(state().config->m_min_priority);
+
+	return ret;
+}
+
+void act_init_falco_engine::configure_output_format()
+{
+	std::string output_format;
+	bool replace_container_info = false;
+
+	if(options().print_additional == "c" || options().print_additional == "container")
+	{
+		output_format = "container=%container.name (id=%container.id)";
+		replace_container_info = true;
+	}
+	else if(options().print_additional == "k" || options().print_additional == "kubernetes")
+	{
+		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
+		replace_container_info = true;
+	}
+	else if(options().print_additional == "m" || options().print_additional == "mesos")
+	{
+		output_format = "task=%mesos.task.name container=%container.id";
+		replace_container_info = true;
+	}
+	else if(!options().print_additional.empty())
+	{
+		output_format = options().print_additional;
+		replace_container_info = false;
+	}
+
+	if(!output_format.empty())
+	{
+		state().engine->set_extra(output_format, replace_container_info);
+	}
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_falco_engine.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_falco_engine : public init_action {
+public:
+	act_init_falco_engine(application &app);
+	virtual ~act_init_falco_engine();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void configure_output_format();
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_inspector.cpp

@@ -0,0 +1,138 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "init_inspector.h"
+
+namespace falco {
+namespace app {
+
+act_init_inspector::act_init_inspector(application &app)
+	: init_action(app), m_name("init inspector"),
+	  m_prerequsites({"load config"})
+{
+}
+
+act_init_inspector::~act_init_inspector()
+{
+}
+
+const std::string &act_init_inspector::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_inspector::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_inspector::run()
+{
+	run_result ret = {true, "", true};
+
+	state().inspector->set_buffer_format(options().event_buffer_format);
+
+	// If required, set the CRI paths
+	for (auto &p : options().cri_socket_paths)
+	{
+		if (!p.empty())
+		{
+			state().inspector->add_cri_socket_path(p);
+		}
+	}
+
+	// Decide whether to do sync or async for CRI metadata fetch
+	state().inspector->set_cri_async(!options().disable_cri_async);
+
+	//
+	// If required, set the snaplen
+	//
+	if(options().snaplen != 0)
+	{
+		state().inspector->set_snaplen(options().snaplen);
+	}
+
+	if(!options().all_events)
+	{
+		// Drop EF_DROP_SIMPLE_CONS kernel side
+		state().inspector->set_simple_consumer();
+		// Eventually, drop any EF_DROP_SIMPLE_CONS event
+		// that reached userspace (there are some events that are not syscall-based
+		// like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag)
+		state().inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
+	}
+
+	state().inspector->set_hostname_and_port_resolution_mode(false);
+
+#ifndef MINIMAL_BUILD
+
+		falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(state().config->m_metadata_download_max_mb) + " MB\n");
+		falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(state().config->m_metadata_download_chunk_wait_us) + " μs\n");
+		falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(state().config->m_metadata_download_watch_freq_sec) + " seconds\n");
+		state().inspector->set_metadata_download_params(state().config->m_metadata_download_max_mb * 1024 * 1024, state().config->m_metadata_download_chunk_wait_us, state().config->m_metadata_download_watch_freq_sec);
+
+#endif
+
+#ifndef MINIMAL_BUILD
+	// Initializing k8s/mesos might have to move to open inspector
+	//
+	// Run k8s, if required
+	//
+	char *k8s_api_env = NULL;
+	if(!options().k8s_api.empty() ||
+	   (k8s_api_env = getenv("FALCO_K8S_API")))
+	{
+		// Create string pointers for some config vars
+		// and pass to inspector. The inspector then
+		// owns the pointers.
+		std::string *k8s_api_ptr = new string((!options().k8s_api.empty() ? options().k8s_api : k8s_api_env));
+		std::string *k8s_api_cert_ptr = new string(options().k8s_api_cert);
+		std::string *k8s_node_name_ptr = new string(options().k8s_node_name);
+
+		if(k8s_api_cert_ptr->empty())
+		{
+			if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
+			{
+				*k8s_api_cert_ptr = k8s_cert_env;
+			}
+		}
+		state().inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, options().verbose);
+	}
+
+	//
+	// Run mesos, if required
+	//
+	if(!options().mesos_api.empty())
+	{
+		// Differs from init_k8s_client in that it
+		// passes a pointer but the inspector does
+		// *not* own it and does not use it after
+		// init_mesos_client() returns.
+		state().inspector->init_mesos_client(&(options().mesos_api), options().verbose);
+	}
+	else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
+	{
+		std::string mesos_api_copy = mesos_api_env;
+		state().inspector->init_mesos_client(&mesos_api_copy, options().verbose);
+	}
+
+#endif
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_inspector.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_inspector : public init_action {
+public:
+	act_init_inspector(application &app);
+	virtual ~act_init_inspector();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_outputs.cpp

@@ -0,0 +1,88 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "init_outputs.h"
+
+namespace falco {
+namespace app {
+
+act_init_outputs::act_init_outputs(application &app)
+	: init_action(app), m_name("init outputs"),
+	  m_prerequsites({"load config", "init falco engine"})
+{
+}
+
+act_init_outputs::~act_init_outputs()
+{
+}
+
+const std::string &act_init_outputs::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_outputs::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_outputs::run()
+{
+	run_result ret = {true, "", true};
+
+	// read hostname
+	std::string hostname;
+	if(char* env_hostname = getenv("FALCO_GRPC_HOSTNAME"))
+	{
+		hostname = env_hostname;
+	}
+	else
+	{
+		char c_hostname[256];
+		int err = gethostname(c_hostname, 256);
+		if(err != 0)
+		{
+			ret.success = false;
+			ret.errstr = "Failed to get hostname";
+			ret.proceed = false;
+		}
+		hostname = c_hostname;
+	}
+
+	state().outputs->init(state().engine,
+				    state().config->m_json_output,
+				    state().config->m_json_include_output_property,
+				    state().config->m_json_include_tags_property,
+				    state().config->m_output_timeout,
+				    state().config->m_notifications_rate, state().config->m_notifications_max_burst,
+				    state().config->m_buffered_outputs,
+				    state().config->m_time_format_iso_8601,
+				    hostname);
+
+	for(auto output : state().config->m_outputs)
+	{
+		state().outputs->add_output(output);
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_outputs.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_outputs : public init_action {
+public:
+	act_init_outputs(application &app);
+	virtual ~act_init_outputs();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_fields.cpp

@@ -0,0 +1,74 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <fields_info.h>
+
+#include "list_fields.h"
+
+namespace falco {
+namespace app {
+
+act_list_fields::act_list_fields(application &app)
+	: init_action(app), m_name("list fields"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_list_fields::~act_list_fields()
+{
+}
+
+const std::string &act_list_fields::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_list_fields::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_list_fields::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().list_fields)
+	{
+		if(options().list_source_fields != "" &&
+		   !state().engine->is_source_valid(options().list_source_fields))
+		{
+			ret.success = false;
+			ret.errstr = "Value for --list must be a valid source type";
+			ret.proceed = false;
+			return ret;
+		}
+		state().engine->list_fields(options().list_source_fields, options().verbose, options().names_only, options().markdown);
+
+		ret.proceed = false;
+	}
+	else if(app().options().list_syscall_events)
+	{
+		list_events(app().state().inspector.get(), app().options().markdown);
+
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_fields.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_list_fields : public init_action {
+public:
+	act_list_fields(application &app);
+	virtual ~act_list_fields();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_plugins.cpp

@@ -0,0 +1,78 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "list_plugins.h"
+
+namespace falco {
+namespace app {
+
+act_list_plugins::act_list_plugins(application &app)
+	: init_action(app), m_name("list plugins"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_list_plugins::~act_list_plugins()
+{
+}
+
+const std::string &act_list_plugins::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_list_plugins::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_list_plugins::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().list_plugins)
+	{
+		std::ostringstream os;
+
+		for(auto &info : state().plugin_infos)
+		{
+			os << "Name: " << info.name << std::endl;
+			os << "Description: " << info.description << std::endl;
+			os << "Contact: " << info.contact << std::endl;
+			os << "Version: " << info.plugin_version.as_string() << std::endl;
+
+			if(info.type == TYPE_SOURCE_PLUGIN)
+			{
+				os << "Type: source plugin" << std::endl;
+				os << "ID: " << info.id << std::endl;
+			}
+			else
+			{
+				os << "Type: extractor plugin" << std::endl;
+			}
+			os << std::endl;
+		}
+
+		printf("%lu Plugins Loaded:\n\n%s\n", state().plugin_infos.size(), os.str().c_str());
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_plugins.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_list_plugins : public init_action {
+public:
+	act_list_plugins(application &app);
+	virtual ~act_list_plugins();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_config.cpp

@@ -0,0 +1,73 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_config.h"
+
+namespace falco {
+namespace app {
+
+act_load_config::act_load_config(application &app)
+	: init_action(app), m_name("load config")
+{
+}
+
+act_load_config::~act_load_config()
+{
+}
+
+const std::string &act_load_config::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_config::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_config::run()
+{
+	run_result ret = {true, "", true};
+
+	if (options().conf_filename.size())
+	{
+		state().config->init(options().conf_filename, options().cmdline_config_options);
+		falco_logger::set_time_format_iso_8601(state().config->m_time_format_iso_8601);
+
+		// log after config init because config determines where logs go
+		falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
+		falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + options().conf_filename + "\n");
+	}
+	else
+	{
+		ret.success = false;
+		ret.proceed = false;
+
+#ifndef BUILD_TYPE_RELEASE
+		ret.errstr = std::string("You must create a config file at ")  + FALCO_SOURCE_CONF_FILE + ", " + FALCO_INSTALL_CONF_FILE + " or by passing -c";
+#else
+		ret.errstr = std::string("You must create a config file at ")  + FALCO_INSTALL_CONF_FILE + " or by passing -c";
+#endif
+	}
+
+	state().config->m_buffered_outputs = !options().unbuffered_outputs;
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_config.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_config : public init_action {
+public:
+	act_load_config(application &app);
+	virtual ~act_load_config();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_plugins.cpp

@@ -0,0 +1,144 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_plugins.h"
+
+namespace falco {
+namespace app {
+
+act_load_plugins::act_load_plugins(application &app)
+	: init_action(app), m_name("load plugins"),
+	  m_prerequsites({"init falco engine", "load config"})
+{
+}
+
+act_load_plugins::~act_load_plugins()
+{
+}
+
+const std::string &act_load_plugins::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_plugins::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_plugins::run()
+{
+	run_result ret = {true, "", true};
+
+	// Factories that can create filters/formatters for
+	// the (single) source supported by the (single) input plugin.
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_filter_factory> plugin_filter_factory(new sinsp_filter_factory(state().inspector.get(), m_plugin_filter_checks));
+	std::shared_ptr<gen_event_formatter_factory> plugin_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get(), m_plugin_filter_checks));
+
+	if(state().config->m_json_output)
+	{
+		plugin_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+	}
+
+	std::shared_ptr<sinsp_plugin> input_plugin;
+	std::list<std::shared_ptr<sinsp_plugin>> extractor_plugins;
+	for(auto &p : state().config->m_plugins)
+	{
+		std::shared_ptr<sinsp_plugin> plugin;
+#ifdef MUSL_OPTIMIZED
+		ret.success = ret.proceed = false;
+		ret.errstr = "Can not load/use plugins with musl optimized build";
+		return ret;
+#else
+		falco_logger::log(LOG_INFO, "Loading plugin (" + p.m_name + ") from file " + p.m_library_path + "\n");
+
+		// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+		plugin = sinsp_plugin::register_plugin(state().inspector.get(),
+						       p.m_library_path,
+						       (p.m_init_config.empty() ? NULL : (char *)p.m_init_config.c_str()),
+						       m_plugin_filter_checks);
+#endif
+
+		if(plugin->type() == TYPE_SOURCE_PLUGIN)
+		{
+			sinsp_source_plugin *splugin = static_cast<sinsp_source_plugin *>(plugin.get());
+
+			if(input_plugin)
+			{
+				ret.success = false;
+				ret.errstr = string("Can not load multiple source plugins. ") + input_plugin->name() + " already loaded";
+				ret.proceed = false;
+				return ret;
+			}
+
+			input_plugin = plugin;
+			state().event_source = splugin->event_source();
+
+			state().inspector->set_input_plugin(p.m_name);
+			if(!p.m_open_params.empty())
+			{
+				state().inspector->set_input_plugin_open_params(p.m_open_params.c_str());
+			}
+
+			state().engine->add_source(state().event_source, plugin_filter_factory, plugin_formatter_factory);
+
+		} else {
+			extractor_plugins.push_back(plugin);
+		}
+	}
+
+	// Ensure that extractor plugins are compatible with the event source.
+	// Also, ensure that extractor plugins don't have overlapping compatible event sources.
+	std::set<std::string> compat_sources_seen;
+	for(auto plugin : extractor_plugins)
+	{
+		// If the extractor plugin names compatible sources,
+		// ensure that the input plugin's source is in the list
+		// of compatible sources.
+		sinsp_extractor_plugin *eplugin = static_cast<sinsp_extractor_plugin *>(plugin.get());
+		const std::set<std::string> &compat_sources = eplugin->extract_event_sources();
+		if(input_plugin &&
+		   !compat_sources.empty())
+		{
+			if (compat_sources.find(state().event_source) == compat_sources.end())
+			{
+				ret.success = ret.proceed = false;
+				ret.errstr = string("Extractor plugin not compatible with event source ") + state().event_source;
+				return ret;
+			}
+
+			for(const auto &compat_source : compat_sources)
+			{
+				if(compat_sources_seen.find(compat_source) != compat_sources_seen.end())
+				{
+					ret.success = ret.proceed = false;
+					ret.errstr = string("Extractor plugins have overlapping compatible event source ") + compat_source;
+					return ret;
+				}
+				compat_sources_seen.insert(compat_source);
+			}
+		}
+	}
+
+	state().plugin_infos = sinsp_plugin::plugin_infos(state().inspector.get());
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_plugins.h

@@ -0,0 +1,52 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_plugins : public init_action {
+public:
+	act_load_plugins(application &app);
+	virtual ~act_load_plugins();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	// All filterchecks created by plugins go in this
+	// list. If we ever support multiple event sources at
+	// the same time, this (and the below factories) will
+	// have to be a map from event source to filtercheck
+	// list.
+	filter_check_list m_plugin_filter_checks;
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_rules_files.cpp

@@ -0,0 +1,200 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_rules_files.h"
+
+namespace falco {
+namespace app {
+
+act_load_rules_files::act_load_rules_files(application &app)
+	: init_action(app), m_name("load rules files"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_load_rules_files::~act_load_rules_files()
+{
+}
+
+const std::string &act_load_rules_files::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_rules_files::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_rules_files::run()
+{
+	run_result ret = {true, "", true};
+
+	string all_rules;
+
+	if (options().rules_filenames.size())
+	{
+		state().config->m_rules_filenames = options().rules_filenames;
+	}
+
+	if(state().config->m_rules_filenames.size() == 0)
+	{
+		ret.success = false;
+		ret.errstr = "You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml";
+		ret.proceed = false;
+		return ret;
+	}
+
+	falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
+	for (auto filename : state().config->m_rules_filenames)
+	{
+		falco_logger::log(LOG_DEBUG, string("   ") + filename + "\n");
+	}
+
+	for (auto filename : state().config->m_rules_filenames)
+	{
+		falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
+		uint64_t required_engine_version;
+
+		try {
+			state().engine->load_rules_file(filename, options().verbose, options().all_events, required_engine_version);
+		}
+		catch(falco_exception &e)
+		{
+			ret.success = false;
+			ret.errstr = string("Could not load rules file ") + filename + ": " + e.what();
+			ret.proceed = false;
+			return ret;
+		}
+		state().required_engine_versions[filename] = required_engine_version;
+	}
+
+	// Ensure that all plugins are compatible with the loaded set of rules
+	for(auto &info : state().plugin_infos)
+	{
+		std::string required_version;
+
+		if(!state().engine->is_plugin_compatible(info.name, info.plugin_version.as_string(), required_version))
+		{
+			ret.success = false;
+			ret.errstr = std::string("Plugin ") + info.name + " version " + info.plugin_version.as_string() + " not compatible with required plugin version " + required_version;
+			ret.proceed = false;
+		}
+	}
+
+	for (auto substring : options().disabled_rule_substrings)
+	{
+		falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
+		state().engine->enable_rule(substring, false);
+	}
+
+	if(options().disabled_rule_tags.size() > 0)
+	{
+		for(auto &tag : options().disabled_rule_tags)
+		{
+			falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
+		}
+		state().engine->enable_rule_by_tag(options().disabled_rule_tags, false);
+	}
+
+	if(options().enabled_rule_tags.size() > 0)
+	{
+		// Since we only want to enable specific
+		// rules, first disable all rules.
+		state().engine->enable_rule(all_rules, false);
+		for(auto &tag : options().enabled_rule_tags)
+		{
+			falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
+		}
+		state().engine->enable_rule_by_tag(options().enabled_rule_tags, true);
+	}
+
+	if(!options().all_events)
+	{
+		// For syscalls, see if any event types used by the
+		// loaded rules are ones with the EF_DROP_SIMPLE_CONS
+		// label.
+		check_for_ignored_events();
+	}
+
+	if (options().describe_all_rules)
+	{
+		state().engine->describe_rule(NULL);
+		ret.proceed = false;
+		return ret;
+	}
+
+	if (!options().describe_rule.empty())
+	{
+		state().engine->describe_rule(&(options().describe_rule));
+		ret.proceed = false;
+		return ret;
+	}
+
+	return ret;
+}
+
+void act_load_rules_files::check_for_ignored_events()
+{
+	std::set<uint16_t> evttypes;
+	sinsp_evttables* einfo = state().inspector->get_event_info_tables();
+	const struct ppm_event_info* etable = einfo->m_event_info;
+
+	state().engine->evttypes_for_ruleset(application::s_syscall_source, evttypes);
+
+	// Save event names so we don't warn for both the enter and exit event.
+	std::set<std::string> warn_event_names;
+
+	for(auto evtnum : evttypes)
+	{
+		if(evtnum == PPME_GENERIC_E || evtnum == PPME_GENERIC_X)
+		{
+			continue;
+		}
+
+		if(!sinsp::simple_consumer_consider_evtnum(evtnum))
+		{
+			std::string name = etable[evtnum].name;
+			if(warn_event_names.find(name) == warn_event_names.end())
+			{
+				warn_event_names.insert(name);
+			}
+		}
+	}
+
+	// Print a single warning with the list of ignored events
+	if (!warn_event_names.empty())
+	{
+		std::string skipped_events;
+		bool first = true;
+		for (const auto& evtname : warn_event_names)
+		{
+			if (first)
+			{
+				skipped_events += evtname;
+				first = false;
+			} else
+			{
+				skipped_events += "," + evtname;
+			}
+		}
+		fprintf(stderr,"Rules match ignored syscall: warning (ignored-evttype):\n         loaded rules match the following events: %s;\n         but these events are not returned unless running falco with -A\n", skipped_events.c_str());
+	}
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_rules_files.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_rules_files : public init_action {
+public:
+	act_load_rules_files(application &app);
+	virtual ~act_load_rules_files();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void check_for_ignored_events();
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/open_inspector.cpp

@@ -0,0 +1,174 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "open_inspector.h"
+
+namespace falco {
+namespace app {
+
+act_open_inspector::act_open_inspector(application &app)
+	: run_action(app), m_name("open_inspector"),
+	  m_prerequsites({"daemonize"})
+{
+}
+
+act_open_inspector::~act_open_inspector()
+{
+}
+
+const std::string &act_open_inspector::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_open_inspector::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_open_inspector::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().trace_filename.size())
+	{
+		// Try to open the trace file as a
+		// capture file first.
+		try {
+			state().inspector->open(options().trace_filename);
+			falco_logger::log(LOG_INFO, "Reading system call events from file: " + options().trace_filename + "\n");
+		}
+		catch(sinsp_exception &e)
+		{
+			falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + options().trace_filename + "\": " + string(e.what()));
+			state().trace_is_scap=false;
+		}
+
+		if(!state().trace_is_scap)
+		{
+#ifdef MINIMAL_BUILD
+			ret.success = false;
+			ret.errstr = "Cannot use k8s audit events trace file with a minimal Falco build";
+			ret.proceed = false;
+			return ret;
+#else
+			try {
+				string line;
+				nlohmann::json j;
+
+				// Note we only temporarily open the file here.
+				// The read file read loop will be later.
+				ifstream ifs(options().trace_filename);
+				getline(ifs, line);
+				j = nlohmann::json::parse(line);
+
+				falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + options().trace_filename + "\n");
+			}
+			catch (nlohmann::json::parse_error& e)
+			{
+				ret.success = false;
+				ret.errstr = std::string("Trace filename ") + options().trace_filename + " not recognized as system call events or k8s audit events";
+				ret.proceed = false;
+				return ret;
+
+			}
+			catch (exception &e)
+			{
+				ret.success = false;
+				ret.errstr = std::string("Could not open trace filename ") + options().trace_filename + " for reading: " + e.what();
+				ret.proceed = false;
+				return ret;
+			}
+#endif
+		}
+	}
+	else
+	{
+		open_t open_cb = [this](std::shared_ptr<sinsp> inspector)
+			{
+				if(options().userspace)
+				{
+					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+					//
+					// Falco uses a ptrace(2) based userspace implementation.
+					// Regardless of the implementation, the underlying method remains the same.
+					inspector->open_udig();
+					return;
+				}
+				inspector->open();
+			};
+		open_t open_nodriver_cb = [](std::shared_ptr<sinsp> inspector) {
+			inspector->open_nodriver();
+		};
+		open_t open_f;
+
+		// Default mode: both event sources enabled
+		if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() &&
+		    state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
+		{
+			open_f = open_cb;
+		}
+		if (state().enabled_sources.find(application::s_syscall_source) == state().enabled_sources.end())
+		{
+			open_f = open_nodriver_cb;
+		}
+		if (state().enabled_sources.find(application::s_k8s_audit_source) == state().enabled_sources.end())
+		{
+			open_f = open_cb;
+		}
+
+		try
+		{
+			open_f(state().inspector);
+		}
+		catch(sinsp_exception &e)
+		{
+			// If syscall input source is enabled and not through userspace instrumentation
+			if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() && !options().userspace)
+			{
+				// Try to insert the Falco kernel module
+				if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
+				{
+					falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
+				}
+				open_f(state().inspector);
+			}
+			else
+			{
+				ret.success = false;
+				ret.errstr = e.what();
+				ret.proceed = false;
+				return ret;
+			}
+		}
+	}
+
+	// This must be done after the open
+	if(!options().all_events)
+	{
+		state().inspector->start_dropping_mode(1);
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/open_inspector.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_open_inspector : public run_action {
+public:
+	typedef function<void(std::shared_ptr<sinsp> inspector)> open_t;
+
+	act_open_inspector(application &app);
+	virtual ~act_open_inspector();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_help.cpp

@@ -0,0 +1,56 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "print_help.h"
+
+namespace falco {
+namespace app {
+
+act_print_help::act_print_help(application &app)
+	: easyopts_action(app), m_name("print help")
+{
+}
+
+act_print_help::~act_print_help()
+{
+}
+
+const std::string &act_print_help::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_help::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_help::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().help)
+	{
+		printf("%s", options().usage().c_str());
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_help.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "easyopts_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_help : public easyopts_action {
+public:
+	act_print_help(application &app);
+	virtual ~act_print_help();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_ignored_events.cpp

@@ -0,0 +1,98 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "print_ignored_events.h"
+
+namespace falco {
+namespace app {
+
+act_print_ignored_events::act_print_ignored_events(application &app)
+	: init_action(app), m_name("print ignored events"),
+	  m_prerequsites({"init inspector"})
+{
+}
+
+act_print_ignored_events::~act_print_ignored_events()
+{
+}
+
+const std::string &act_print_ignored_events::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_ignored_events::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_ignored_events::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_ignored_events)
+	{
+		print_all_ignored_events();
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+void act_print_ignored_events::print_all_ignored_events()
+{
+	sinsp_evttables* einfo = state().inspector->get_event_info_tables();
+	const struct ppm_event_info* etable = einfo->m_event_info;
+	const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table;
+
+	std::set<string> ignored_event_names;
+	for(uint32_t j = 0; j < PPM_EVENT_MAX; j++)
+	{
+		if(!sinsp::simple_consumer_consider_evtnum(j))
+		{
+			std::string name = etable[j].name;
+			// Ignore event names NA*
+			if(name.find("NA") != 0)
+			{
+				ignored_event_names.insert(name);
+			}
+		}
+	}
+
+	for(uint32_t j = 0; j < PPM_SC_MAX; j++)
+	{
+		if(!sinsp::simple_consumer_consider_syscallid(j))
+		{
+			std::string name = stable[j].name;
+			// Ignore event names NA*
+			if(name.find("NA") != 0)
+			{
+				ignored_event_names.insert(name);
+			}
+		}
+	}
+
+	printf("Ignored Event(s):");
+	for(auto it : ignored_event_names)
+	{
+		printf(" %s", it.c_str());
+	}
+	printf("\n");
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_ignored_events.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_ignored_events : public init_action {
+public:
+	act_print_ignored_events(application &app);
+	virtual ~act_print_ignored_events();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void print_all_ignored_events();
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_support.cpp

@@ -0,0 +1,100 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/utsname.h>
+
+#include "falco_engine_version.h"
+#include "print_support.h"
+
+namespace falco {
+namespace app {
+
+act_print_support::act_print_support(application &app)
+	: init_action(app), m_name("print support"),
+	  m_prerequsites({"load rules files"})
+{
+}
+
+act_print_support::~act_print_support()
+{
+}
+
+const std::string &act_print_support::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_support::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_support::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_support)
+	{
+		nlohmann::json support;
+		struct utsname sysinfo;
+		std::string cmdline;
+
+		if(uname(&sysinfo) != 0)
+		{
+			ret.success = false;
+			ret.errstr = string("Could not uname() to find system info: ") + strerror(errno);
+			ret.proceed = false;
+			return ret;
+		}
+
+		support["version"] = FALCO_VERSION;
+		support["system_info"]["sysname"] = sysinfo.sysname;
+		support["system_info"]["nodename"] = sysinfo.nodename;
+		support["system_info"]["release"] = sysinfo.release;
+		support["system_info"]["version"] = sysinfo.version;
+		support["system_info"]["machine"] = sysinfo.machine;
+		support["cmdline"] = state().cmdline;
+		support["engine_info"]["engine_version"] = FALCO_ENGINE_VERSION;
+		support["config"] = read_file(options().conf_filename);
+		support["rules_files"] = nlohmann::json::array();
+		for(auto filename : state().config->m_rules_filenames)
+		{
+			nlohmann::json finfo;
+			finfo["name"] = filename;
+			nlohmann::json variant;
+			variant["required_engine_version"] = state().required_engine_versions[filename];
+			variant["content"] = read_file(filename);
+			finfo["variants"].push_back(variant);
+			support["rules_files"].push_back(finfo);
+		}
+		printf("%s\n", support.dump().c_str());
+	}
+
+	return ret;
+}
+
+std::string act_print_support::read_file(std::string &filename)
+{
+	std::ifstream t(filename);
+	std::string str((std::istreambuf_iterator<char>(t)),
+			std::istreambuf_iterator<char>());
+
+	return str;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_support.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_support : public init_action {
+public:
+	act_print_support(application &app);
+	virtual ~act_print_support();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string read_file(std::string &filename);
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_version.cpp

@@ -0,0 +1,58 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "config_falco.h"
+#include "print_version.h"
+
+namespace falco {
+namespace app {
+
+act_print_version::act_print_version(application &app)
+	: easyopts_action(app), m_name("print version")
+{
+}
+
+act_print_version::~act_print_version()
+{
+}
+
+const std::string &act_print_version::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_version::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_version::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_version_info)
+	{
+		printf("Falco version: %s\n", FALCO_VERSION);
+		printf("Driver version: %s\n", DRIVER_VERSION);
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_version.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "easyopts_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_version : public easyopts_action {
+public:
+	act_print_version(application &app);
+	virtual ~act_print_version();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/process_events.cpp

@@ -0,0 +1,302 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#define __STDC_FORMAT_MACROS
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "falco_utils.h"
+#ifndef MINIMAL_BUILD
+#include "webserver.h"
+#endif
+#include "statsfilewriter.h"
+#include "process_events.h"
+
+namespace falco {
+namespace app {
+
+act_process_events::act_process_events(application &app)
+	: run_action(app), m_name("process_events"),
+	  m_prerequsites({"open inspector"})
+{
+}
+
+act_process_events::~act_process_events()
+{
+}
+
+const std::string &act_process_events::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_process_events::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_process_events::run()
+{
+	syscall_evt_drop_mgr sdropmgr;
+	// Used for stats
+	double duration;
+	scap_stats cstats;
+
+	run_result ret = {true, "", true};
+
+	duration = ((double)clock()) / CLOCKS_PER_SEC;
+
+	if(!options().trace_filename.empty() && !state().trace_is_scap)
+	{
+#ifndef MINIMAL_BUILD
+		read_k8s_audit_trace_file(options().trace_filename);
+#endif
+	}
+	else
+	{
+		uint64_t num_evts;
+
+		num_evts = do_inspect(state().engine,
+				      state().outputs,
+				      state().inspector,
+				      state().event_source,
+				      state().config,
+				      sdropmgr,
+				      uint64_t(options().duration_to_tot*ONE_SECOND_IN_NS),
+				      options().stats_filename,
+				      options().stats_interval,
+				      options().all_events,
+				      ret);
+
+		duration = ((double)clock()) / CLOCKS_PER_SEC - duration;
+
+		state().inspector->get_capture_stats(&cstats);
+
+		if(options().verbose)
+		{
+			fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n",
+				cstats.n_evts,
+				cstats.n_drops);
+
+			fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n",
+				duration,
+				num_evts,
+				num_evts / duration);
+		}
+
+	}
+
+	// Honor -M also when using a trace file.
+	// Since inspection stops as soon as all events have been consumed
+	// just await the given duration is reached, if needed.
+	if(!options().trace_filename.empty() && options().duration_to_tot>0)
+	{
+		std::this_thread::sleep_for(std::chrono::seconds(options().duration_to_tot));
+	}
+
+	state().inspector->close();
+	state().engine->print_stats();
+	sdropmgr.print_stats();
+
+	return ret;
+}
+
+#ifndef MINIMAL_BUILD
+// Read a jsonl file containing k8s audit events and pass each to the engine.
+void act_process_events::read_k8s_audit_trace_file(string &trace_filename)
+{
+	ifstream ifs(trace_filename);
+
+	uint64_t line_num = 0;
+
+	while(ifs)
+	{
+		string line, errstr;
+
+		getline(ifs, line);
+		line_num++;
+
+		if(line == "")
+		{
+			continue;
+		}
+
+		if(!k8s_audit_handler::accept_data(state().engine, state().outputs, line, errstr))
+		{
+			falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping");
+			return;
+		}
+	}
+}
+#endif
+
+//
+// Event processing loop
+//
+uint64_t act_process_events::do_inspect(std::shared_ptr<falco_engine> engine,
+					std::shared_ptr<falco_outputs> outputs,
+					std::shared_ptr<sinsp> inspector,
+					std::string &event_source,
+					std::shared_ptr<falco_configuration> config,
+					syscall_evt_drop_mgr &sdropmgr,
+					uint64_t duration_to_tot_ns,
+					string &stats_filename,
+					uint64_t stats_interval,
+					bool all_events,
+					run_result &result)
+{
+	uint64_t num_evts = 0;
+	int32_t rc;
+	sinsp_evt* ev;
+	StatsFileWriter writer;
+	uint64_t duration_start = 0;
+	uint32_t timeouts_since_last_success_or_msg = 0;
+
+	sdropmgr.init(inspector,
+		      outputs,
+		      config->m_syscall_evt_drop_actions,
+		      config->m_syscall_evt_drop_threshold,
+		      config->m_syscall_evt_drop_rate,
+		      config->m_syscall_evt_drop_max_burst,
+		      config->m_syscall_evt_simulate_drops);
+
+	if (stats_filename != "")
+	{
+		string errstr;
+
+		if (!writer.init(inspector, stats_filename, stats_interval, errstr))
+		{
+			throw falco_exception(errstr);
+		}
+	}
+
+	//
+	// Loop through the events
+	//
+	while(1)
+	{
+
+		rc = inspector->next(&ev);
+
+		writer.handle();
+
+		if(state().reopen_outputs)
+		{
+			falco_logger::log(LOG_INFO, "SIGUSR1 received, reopening outputs...\n");
+			outputs->reopen_outputs();
+			app().state().reopen_outputs = false;
+		}
+
+		if(state().terminate)
+		{
+			falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
+			break;
+		}
+		else if (state().restart)
+		{
+			falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
+			break;
+		}
+		else if(rc == SCAP_TIMEOUT)
+		{
+			if(unlikely(ev == nullptr))
+			{
+				timeouts_since_last_success_or_msg++;
+				if(event_source == application::s_syscall_source &&
+				   (timeouts_since_last_success_or_msg > config->m_syscall_evt_timeout_max_consecutives))
+				{
+					std::string rule = "Falco internal: timeouts notification";
+					std::string msg = rule + ". " + std::to_string(config->m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
+					std::string last_event_time_str = "none";
+					if(duration_start > 0)
+					{
+						sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
+					}
+					std::map<std::string, std::string> o = {
+						{"last_event_time", last_event_time_str},
+					};
+					auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
+					outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
+					// Reset the timeouts counter, Falco alerted
+					timeouts_since_last_success_or_msg = 0;
+				}
+			}
+
+			continue;
+		}
+		else if(rc == SCAP_EOF)
+		{
+			break;
+		}
+		else if(rc != SCAP_SUCCESS)
+		{
+			//
+			// Event read error.
+			//
+			cerr << "rc = " << rc << endl;
+			throw sinsp_exception(inspector->getlasterr().c_str());
+		}
+
+		// Reset the timeouts counter, Falco successfully got an event to process
+		timeouts_since_last_success_or_msg = 0;
+		if(duration_start == 0)
+		{
+			duration_start = ev->get_ts();
+		}
+		else if(duration_to_tot_ns > 0)
+		{
+			if(ev->get_ts() - duration_start >= duration_to_tot_ns)
+			{
+				break;
+			}
+		}
+
+		if(!sdropmgr.process_event(inspector, ev))
+		{
+			result.success = false;
+			result.errstr = "";
+			result.proceed = false;
+			break;
+		}
+
+		if(!ev->simple_consumer_consider() && !all_events)
+		{
+			continue;
+		}
+
+		// As the inspector has no filter at its level, all
+		// events are returned here. Pass them to the falco
+		// engine, which will match the event against the set
+		// of rules. If a match is found, pass the event to
+		// the outputs.
+		unique_ptr<falco_engine::rule_result> res = engine->process_event(event_source, ev);
+		if(res)
+		{
+			outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format, res->tags);
+		}
+
+		num_evts++;
+	}
+
+	return num_evts;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/process_events.h

@@ -0,0 +1,62 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_process_events : public run_action {
+public:
+	act_process_events(application &app);
+	virtual ~act_process_events();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+
+#ifndef MINIMAL_BUILD
+	void read_k8s_audit_trace_file(std::string &trace_filename);
+#endif
+
+	uint64_t do_inspect(std::shared_ptr<falco_engine> engine,
+			    std::shared_ptr<falco_outputs> outputs,
+			    std::shared_ptr<sinsp> inspector,
+			    std::string &event_source,
+			    std::shared_ptr<falco_configuration> config,
+			    syscall_evt_drop_mgr &sdropmgr,
+			    uint64_t duration_to_tot_ns,
+			    string &stats_filename,
+			    uint64_t stats_interval,
+			    bool all_events,
+			    run_result &result);
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/run_action.cpp

@@ -0,0 +1,40 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+static std::string run_group = "run";
+
+run_action::run_action(application &app)
+	: action(app)
+{
+}
+
+run_action::~run_action()
+{
+}
+
+const std::string &run_action::group()
+{
+	return run_group;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/run_action.h

@@ -0,0 +1,37 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+// All actions in the "run" group derive from this class
+
+class run_action : public action {
+public:
+	run_action(application &app);
+	virtual ~run_action();
+
+	const std::string &group() override;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/start_grpc_server.cpp

@@ -0,0 +1,81 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "start_grpc_server.h"
+
+#ifndef MINIMAL_BUILD
+
+namespace falco {
+namespace app {
+
+act_start_grpc_server::act_start_grpc_server(application &app)
+	: init_action(app), m_name("start grpc server"),
+	  m_prerequsites({"init outputs"})
+{
+}
+
+act_start_grpc_server::~act_start_grpc_server()
+{
+}
+
+const std::string &act_start_grpc_server::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_start_grpc_server::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_start_grpc_server::run()
+{
+	run_result ret = {true, "", true};
+
+	// gRPC server
+	if(state().config->m_grpc_enabled)
+	{
+		falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(state().config->m_grpc_threadiness) + "\n");
+		// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
+		// different queuing mechanisms, round robin, fanout? What we want to achieve?
+		m_grpc_server.init(
+			state().config->m_grpc_bind_address,
+			state().config->m_grpc_threadiness,
+			state().config->m_grpc_private_key,
+			state().config->m_grpc_cert_chain,
+			state().config->m_grpc_root_certs,
+			state().config->m_log_level
+			);
+		m_grpc_server_thread = std::thread([this] {
+			m_grpc_server.run();
+		});
+	}
+	return ret;
+}
+
+void act_start_grpc_server::deinit()
+{
+	if(m_grpc_server_thread.joinable())
+	{
+		m_grpc_server.shutdown();
+		m_grpc_server_thread.join();
+	}
+}
+
+}; // namespace application
+}; // namespace falco
+
+#endif

userspace/falco/app_actions/start_grpc_server.h

@@ -0,0 +1,55 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+#ifndef MINIMAL_BUILD
+
+#include "grpc_server.h"
+
+namespace falco {
+namespace app {
+
+class act_start_grpc_server : public init_action {
+public:
+	act_start_grpc_server(application &app);
+	virtual ~act_start_grpc_server();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+	void deinit() override;
+
+private:
+	falco::grpc::server m_grpc_server;
+	std::thread m_grpc_server_thread;
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+
+#endif

userspace/falco/app_actions/start_webserver.cpp

@@ -0,0 +1,67 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "start_webserver.h"
+
+#ifndef MINIMAL_BUILD
+
+namespace falco {
+namespace app {
+
+act_start_webserver::act_start_webserver(application &app)
+	: init_action(app), m_name("start webserver"),
+	  m_prerequsites({"init outputs"})
+{
+}
+
+act_start_webserver::~act_start_webserver()
+{
+}
+
+const std::string &act_start_webserver::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_start_webserver::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_start_webserver::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().trace_filename.empty() && state().config->m_webserver_enabled && state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
+	{
+		std::string ssl_option = (state().config->m_webserver_ssl_enabled ? " (SSL)" : "");
+		falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(state().config->m_webserver_listen_port) + ssl_option + "\n");
+		m_webserver.init(state().config, state().engine, state().outputs);
+		m_webserver.start();
+	}
+
+	return ret;
+}
+
+void act_start_webserver::deinit()
+{
+	m_webserver.stop();
+}
+
+}; // namespace application
+}; // namespace falco
+
+#endif

userspace/falco/app_actions/start_webserver.h

@@ -0,0 +1,52 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+#ifndef MINIMAL_BUILD
+#include "webserver.h"
+
+namespace falco {
+namespace app {
+
+class act_start_webserver : public init_action {
+public:
+	act_start_webserver(application &app);
+	virtual ~act_start_webserver();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+	void deinit() override;
+
+private:
+	falco_webserver m_webserver;
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+
+#endif

userspace/falco/app_actions/validate_rules_files.cpp

@@ -0,0 +1,78 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "validate_rules_files.h"
+
+namespace falco {
+namespace app {
+
+act_validate_rules_files::act_validate_rules_files(application &app)
+	: init_action(app), m_name("validate rules files"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_validate_rules_files::~act_validate_rules_files()
+{
+}
+
+const std::string &act_validate_rules_files::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_validate_rules_files::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_validate_rules_files::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().validate_rules_filenames.size() > 0)
+	{
+		falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
+		for(auto file : options().validate_rules_filenames)
+		{
+			falco_logger::log(LOG_INFO, "   " + file + "\n");
+		}
+		for(auto file : options().validate_rules_filenames)
+		{
+			// Only include the prefix if there is more than one file
+			std::string prefix = (options().validate_rules_filenames.size() > 1 ? file + ": " : "");
+			try {
+				state().engine->load_rules_file(file, options().verbose, options().all_events);
+			}
+			catch(falco_exception &e)
+			{
+				printf("%s%s", prefix.c_str(), e.what());
+				ret.success = false;
+				ret.errstr = prefix +  e.what();
+				ret.proceed = false;
+				return ret;
+			}
+			printf("%sOk\n", prefix.c_str());
+		}
+		falco_logger::log(LOG_INFO, "Ok\n");
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/validate_rules_files.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_validate_rules_files : public init_action {
+public:
+	act_validate_rules_files(application &app);
+	virtual ~act_validate_rules_files();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_runnable_action.cpp

@@ -0,0 +1,35 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_runnable_action.h"
+
+namespace falco {
+namespace app {
+
+runnable_action::runnable_action()
+{
+}
+
+runnable_action::~runnable_action()
+{
+}
+
+void runnable_action::deinit()
+{
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_runnable_action.h

@@ -0,0 +1,75 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <string>
+#include <list>
+
+namespace falco {
+namespace app {
+
+// Along with app_action.h, defines the interface for an application
+// action. The split implementation allows for building tests for the
+// action manager without bringing in all of the application related
+// code (falco engine, outputs, webserver, etc.).
+class runnable_action {
+public:
+
+	struct run_result {
+		// If true, the action completed successfully.
+		bool success;
+
+		// If success==false, details on the error.
+		std::string errstr;
+
+		// If true, subsequent actions should be performed. If
+		// false, subsequent actions should *not* be performed
+		// and falco should tear down/exit.
+		bool proceed;
+	};
+
+	runnable_action();
+	virtual ~runnable_action();
+
+	// Return the name of the action. Only used for logging
+	// purposes and to use in prerequsites().
+	virtual const std::string &name() = 0;
+
+	// Actions are organized into groups. All actions from a
+	// given group are run before actions from another group.
+	//
+	// The order of groups is passed to the action manager via
+	// set_groups().
+	virtual const std::string &group() = 0;
+
+	// Return a list of action names that *must* run before this
+	// action is run.
+	virtual const std::list<std::string> &prerequsites() = 0;
+
+	// Perform the action. The returned run_result holds the
+	// result of the action and whether later actions should
+	// procceed.
+	virtual run_result run() = 0;
+
+	// Destroy any state created while running the action. This is
+	// called after all actions are run (or stopped due to a
+	// proceed=false run_result).
+	virtual void deinit();
+};
+
+}; // namespace application
+}; // namespace falco

userspace/falco/application.cpp

@@ -22,11 +22,33 @@ limitations under the License.
 // inspector, falco engine, etc.
 
 #include "application.h"
+#include "defined_app_actions.h"
 #include "falco_common.h"
 
 namespace falco {
 namespace app {
 
+std::string application::s_syscall_source = "syscall";
+std::string application::s_k8s_audit_source = "k8s_audit";
+
+application::action_state::action_state()
+	: restart(false),
+	  terminate(false),
+	  reopen_outputs(false),
+	  enabled_sources({application::s_syscall_source, application::s_k8s_audit_source}),
+	  event_source(application::s_syscall_source),
+	  trace_is_scap(true)
+{
+	config = std::make_shared<falco_configuration>();
+	outputs = std::make_shared<falco_outputs>();
+        engine = std::make_shared<falco_engine>();
+	inspector = std::make_shared<sinsp>();
+}
+
+application::action_state::~action_state()
+{
+}
+
 application::application()
 	: m_initialized(false)
 {
@@ -36,6 +58,12 @@ application::~application()
 {
 }
 
+application &application::get()
+{
+	static application instance;
+	return instance;
+}
+
 cmdline_options &application::options()
 {
 	if(!m_initialized)
@@ -46,16 +74,69 @@ cmdline_options &application::options()
 	return m_cmdline_options;
 }
 
+application::action_state &application::state()
+{
+	if(!m_initialized)
+	{
+		throw falco_exception("App init() not called yet");
+	}
+
+	return (*(m_state.get()));
+}
+
 bool application::init(int argc, char **argv, std::string &errstr)
 {
+	m_action_manager = std::make_shared<action_manager>();
+	m_state = std::make_shared<action_state>();
+	m_initialized = false;
+
 	if(!m_cmdline_options.parse(argc, argv, errstr))
 	{
 		return false;
 	}
 
+	for(char **arg = argv; *arg; arg++)
+	{
+		if(m_state->cmdline.size() > 0)
+		{
+			m_state->cmdline += " ";
+		}
+		m_state->cmdline += *arg;
+	}
+
+	std::list<std::string> groups = {"easyopts", "init", "run"};
+	m_action_manager->set_groups(groups);
+
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_create_signal_handlers(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_init_falco_engine(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_init_inspector(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_init_outputs(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_list_fields(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_list_plugins(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_load_config(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_load_plugins(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_load_rules_files(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_print_help(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_print_ignored_events(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_print_support(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_print_version(*this)));
+#ifndef MINIMAL_BUILD
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_start_grpc_server(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_start_webserver(*this)));
+#endif
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_validate_rules_files(*this)));
+
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_daemonize(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_open_inspector(*this)));
+	m_action_manager->add(std::shared_ptr<runnable_action>(new act_process_events(*this)));
 	m_initialized = true;
 	return true;
 }
 
+runnable_action::run_result application::run()
+{
+	return m_action_manager->run();
+}
+
 }; // namespace app
 }; // namespace falco

userspace/falco/application.h

@@ -27,7 +27,10 @@ limitations under the License.
 // For now, it is only responsible for command line options.
 #pragma once
 
+#include "configuration.h"
+
 #include "app_cmdline_options.h"
+#include "app_action_manager.h"
 
 #include <string>
 
@@ -36,15 +39,54 @@ namespace app {
 
 class application {
 public:
+	class action_state {
+	public:
+		action_state();
+		virtual ~action_state();
+
+		bool restart;
+		bool terminate;
+		bool reopen_outputs;
+
+		std::shared_ptr<falco_configuration> config;
+		std::shared_ptr<falco_outputs> outputs;
+		std::shared_ptr<falco_engine> engine;
+		std::shared_ptr<sinsp> inspector;
+		std::set<std::string> enabled_sources;
+
+		// The event source is syscall by default. If an input
+		// plugin was found, the source is the source of that
+		// plugin.
+		std::string event_source;
+
+		std::list<sinsp_plugin::info> plugin_infos;
+
+		std::map<string,uint64_t> required_engine_versions;
+
+		std::string cmdline;
+
+		bool trace_is_scap;
+	};
+
+	static std::string s_syscall_source;
+	static std::string s_k8s_audit_source;
 
 	application();
 	virtual ~application();
 
+	// Singleton for application
+	static application &get();
+
 	cmdline_options &options();
+	action_state &state();
+
 	bool init(int argc, char **argv, std::string &errstr);
 
-private:
+	runnable_action::run_result run();
 
+private:
+	std::shared_ptr<action_state> m_state;
+	std::shared_ptr<action_manager> m_action_manager;
 	cmdline_options m_cmdline_options;
 	bool m_initialized;
 };

userspace/falco/defined_app_actions.h

@@ -0,0 +1,38 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_actions/create_signal_handlers.h"
+#include "app_actions/init_falco_engine.h"
+#include "app_actions/init_inspector.h"
+#include "app_actions/init_outputs.h"
+#include "app_actions/list_plugins.h"
+#include "app_actions/list_fields.h"
+#include "app_actions/load_config.h"
+#include "app_actions/load_plugins.h"
+#include "app_actions/load_rules_files.h"
+#include "app_actions/print_help.h"
+#include "app_actions/print_ignored_events.h"
+#include "app_actions/print_support.h"
+#include "app_actions/print_version.h"
+#include "app_actions/start_grpc_server.h"
+#include "app_actions/start_webserver.h"
+#include "app_actions/validate_rules_files.h"
+
+#include "app_actions/daemonize.h"
+#include "app_actions/open_inspector.h"
+#include "app_actions/process_events.h"
+
+

userspace/falco/event_drops.cpp

@@ -32,8 +32,8 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
 {
 }
 
-void syscall_evt_drop_mgr::init(sinsp *inspector,
-				falco_outputs *outputs,
+void syscall_evt_drop_mgr::init(std::shared_ptr<sinsp> inspector,
+				std::shared_ptr<falco_outputs> outputs,
 				syscall_evt_drop_actions &actions,
 				double threshold,
 				double rate,
@@ -55,7 +55,7 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
 	}
 }
 
-bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
+bool syscall_evt_drop_mgr::process_event(std::shared_ptr<sinsp> inspector, sinsp_evt *evt)
 {
 	if(m_next_check_ts == 0)
 	{

userspace/falco/event_drops.h

@@ -15,6 +15,7 @@ limitations under the License.
 */
 #pragma once
 
+#include <memory>
 #include <set>
 
 #include <sinsp.h>
@@ -41,8 +42,8 @@ public:
 	syscall_evt_drop_mgr();
 	virtual ~syscall_evt_drop_mgr();
 
-	void init(sinsp *inspector,
-		  falco_outputs *outputs,
+	void init(std::shared_ptr<sinsp> inspector,
+		  std::shared_ptr<falco_outputs> outputs,
 		  syscall_evt_drop_actions &actions,
 		  double threshold,
 		  double rate,
@@ -54,7 +55,7 @@ public:
 	// event drops, and performing any actions.
 	//
 	// Returns whether event processing should continue or stop (with an error).
-	bool process_event(sinsp *inspector, sinsp_evt *evt);
+	bool process_event(std::shared_ptr<sinsp> inspector, sinsp_evt *evt);
 
 	void print_stats();
 
@@ -64,8 +65,8 @@ protected:
 
 	uint64_t m_num_syscall_evt_drops;
 	uint64_t m_num_actions;
-	sinsp *m_inspector;
-	falco_outputs *m_outputs;
+	std::shared_ptr<sinsp> m_inspector;
+	std::shared_ptr<falco_outputs> m_outputs;
 	syscall_evt_drop_actions m_actions;
 	token_bucket m_bucket;
 	uint64_t m_next_check_ts;

userspace/falco/falco_outputs.cpp

@@ -60,7 +60,7 @@ falco_outputs::~falco_outputs()
 	}
 }
 
-void falco_outputs::init(falco_engine *engine,
+void falco_outputs::init(std::shared_ptr<falco_engine> engine,
 			 bool json_output,
 			 bool json_include_output_property,
 			 bool json_include_tags_property,

userspace/falco/falco_outputs.h

@@ -39,7 +39,7 @@ public:
 	falco_outputs();
 	virtual ~falco_outputs();
 
-	void init(falco_engine *engine,
+	void init(std::shared_ptr<falco_engine> engine,
 		  bool json_output,
 		  bool json_include_output_property,
 		  bool json_include_tags_property,

userspace/falco/statsfilewriter.cpp

@@ -31,7 +31,7 @@ static void timer_handler (int signum)
 extern char **environ;
 
 StatsFileWriter::StatsFileWriter()
-	: m_num_stats(0), m_inspector(NULL)
+	: m_num_stats(0)
 {
 }
 
@@ -40,7 +40,7 @@ StatsFileWriter::~StatsFileWriter()
 	m_output.close();
 }
 
-bool StatsFileWriter::init(sinsp *inspector, string &filename, uint32_t interval_msec, string &errstr)
+bool StatsFileWriter::init(std::shared_ptr<sinsp> inspector, string &filename, uint32_t interval_msec, string &errstr)
 {
 	struct itimerval timer;
 	struct sigaction handler;

userspace/falco/statsfilewriter.h

@@ -31,7 +31,7 @@ public:
 	virtual ~StatsFileWriter();
 
 	// Returns success as bool. On false fills in errstr.
-	bool init(sinsp *inspector, std::string &filename,
+	bool init(std::shared_ptr<sinsp> inspector, std::string &filename,
 		  uint32_t interval_msec,
 		  string &errstr);
 
@@ -41,7 +41,7 @@ public:
 
 protected:
 	uint32_t m_num_stats;
-	sinsp *m_inspector;
+	std::shared_ptr<sinsp> m_inspector;
 	std::ofstream m_output;
 	std::string m_extra;
 	scap_stats m_last_stats;

userspace/falco/webserver.cpp

@@ -27,7 +27,7 @@ using namespace std;
 
 string k8s_audit_handler::m_k8s_audit_event_source = "k8s_audit";
 
-k8s_audit_handler::k8s_audit_handler(falco_engine *engine, falco_outputs *outputs):
+k8s_audit_handler::k8s_audit_handler(std::shared_ptr<falco_engine> engine, std::shared_ptr<falco_outputs> outputs):
 	m_engine(engine), m_outputs(outputs)
 {
 }
@@ -45,8 +45,8 @@ bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *c
 	return true;
 }
 
-bool k8s_audit_handler::accept_data(falco_engine *engine,
-				    falco_outputs *outputs,
+bool k8s_audit_handler::accept_data(std::shared_ptr<falco_engine> engine,
+				    std::shared_ptr<falco_outputs> outputs,
 				    std::string &data,
 				    std::string &errstr)
 {
@@ -187,9 +187,9 @@ falco_webserver::~falco_webserver()
 	stop();
 }
 
-void falco_webserver::init(falco_configuration *config,
-			   falco_engine *engine,
-			   falco_outputs *outputs)
+void falco_webserver::init(std::shared_ptr<falco_configuration> config,
+			   std::shared_ptr<falco_engine> engine,
+			   std::shared_ptr<falco_outputs> outputs)
 {
 	m_config = config;
 	m_engine = engine;

userspace/falco/webserver.h

@@ -25,21 +25,21 @@ limitations under the License.
 class k8s_audit_handler : public CivetHandler
 {
 public:
-	k8s_audit_handler(falco_engine *engine, falco_outputs *outputs);
+	k8s_audit_handler(std::shared_ptr<falco_engine> engine, std::shared_ptr<falco_outputs> outputs);
 	virtual ~k8s_audit_handler();
 
 	bool handleGet(CivetServer *server, struct mg_connection *conn);
 	bool handlePost(CivetServer *server, struct mg_connection *conn);
 
-	static bool accept_data(falco_engine *engine,
-				falco_outputs *outputs,
+	static bool accept_data(std::shared_ptr<falco_engine> engine,
+				std::shared_ptr<falco_outputs> outputs,
 				std::string &post_data, std::string &errstr);
 
 	static std::string m_k8s_audit_event_source;
 
 private:
-	falco_engine *m_engine;
-	falco_outputs *m_outputs;
+	std::shared_ptr<falco_engine> m_engine;
+	std::shared_ptr<falco_outputs> m_outputs;
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };
 
@@ -63,17 +63,17 @@ public:
 	falco_webserver();
 	virtual ~falco_webserver();
 
-	void init(falco_configuration *config,
-		  falco_engine *engine,
-		  falco_outputs *outputs);
+	void init(std::shared_ptr<falco_configuration> config,
+		  std::shared_ptr<falco_engine> engine,
+		  std::shared_ptr<falco_outputs> outputs);
 
 	void start();
 	void stop();
 
 private:
-	falco_engine *m_engine;
-	falco_configuration *m_config;
-	falco_outputs *m_outputs;
+	std::shared_ptr<falco_engine> m_engine;
+	std::shared_ptr<falco_configuration> m_config;
+	std::shared_ptr<falco_outputs> m_outputs;
 	unique_ptr<CivetServer> m_server;
 	unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
 	unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;