update(cmake): bumped libs to 0.10.4

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>

CHANGELOG.md

@@ -1,5 +1,111 @@
 # Change Log
 
+## v0.34.0
+
+Released on 2023-02-07
+
+### Major Changes
+
+* BREAKING CHANGE: if you relied upon `application_rules.yaml` you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+
+* new(rules): New rule to detect attempts to inject code into a process using PTRACE [[#2226](https://github.com/falcosecurity/falco/pull/2226)] - [@Brucedh](https://github.com/Brucedh)
+* new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [[#2216](https://github.com/falcosecurity/falco/pull/2216)] - [@mstemm](https://github.com/mstemm)
+* new(scripts): Support older RHEL distros in falco-driver-loader script [[#2312](https://github.com/falcosecurity/falco/pull/2312)] - [@gentooise](https://github.com/gentooise)
+* new(scripts): add `falcoctl` config into Falco package [[#2390](https://github.com/falcosecurity/falco/pull/2390)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [[#2363](https://github.com/falcosecurity/falco/pull/2363)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): add webserver endpoint for retrieving internal version numbers [[#2356](https://github.com/falcosecurity/falco/pull/2356)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(falco): add --version-json to print version information in json format [[#2331](https://github.com/falcosecurity/falco/pull/2331)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(scripts): support multiple drivers in systemd units [[#2242](https://github.com/falcosecurity/falco/pull/2242)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): add bottlerocket support in falco-driver-loader [[#2318](https://github.com/falcosecurity/falco/pull/2318)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): add more version fields to --support and --version [[#2325](https://github.com/falcosecurity/falco/pull/2325)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(config): explicitly add the `simulate_drops` config [[#2260](https://github.com/falcosecurity/falco/pull/2260)] - [@Andreagit97](https://github.com/Andreagit97)
+
+
+### Minor Changes
+
+* build: upgrade to `falcoctl` v0.4.0 [[#2406](https://github.com/falcosecurity/falco/pull/2406)] - [@loresuso](https://github.com/loresuso)
+* update(userspace): change `modern_bpf.cpus_for_each_syscall_buffer` default value [[#2404](https://github.com/falcosecurity/falco/pull/2404)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(build): update falcoctl to 0.3.0 [[#2401](https://github.com/falcosecurity/falco/pull/2401)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(build): update falcoctl to 0.3.0-rc7 [[#2396](https://github.com/falcosecurity/falco/pull/2396)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bump libs to 0.10.3 [[#2392](https://github.com/falcosecurity/falco/pull/2392)] - [@FedeDP](https://github.com/FedeDP)
+* build: `/etc/falco/rules.available` has been deprecated [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+* build: `application_rules.yaml` is not shipped anymore with Falco [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+* build: upgrade k8saudit plugin to v0.5.0 [[#2381](https://github.com/falcosecurity/falco/pull/2381)] - [@leogr](https://github.com/leogr)
+* build: upgrade cloudtrail plugin to v0.6.0 [[#2381](https://github.com/falcosecurity/falco/pull/2381)] - [@leogr](https://github.com/leogr)
+* new!: ship falcoctl inside Falco [[#2345](https://github.com/falcosecurity/falco/pull/2345)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: remove rules and add submodule to falcosecurity/rules [[#2359](https://github.com/falcosecurity/falco/pull/2359)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(scripts): add option for regenerating signatures of all dev and release packages [[#2364](https://github.com/falcosecurity/falco/pull/2364)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: print JSON version output when json_output is enabled [[#2351](https://github.com/falcosecurity/falco/pull/2351)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(cmake): updated libs to 0.10.1 tag. [[#2362](https://github.com/falcosecurity/falco/pull/2362)] - [@FedeDP](https://github.com/FedeDP)
+* Install the certificates of authorities in falco:no-driver docker image [[#2355](https://github.com/falcosecurity/falco/pull/2355)] - [@Issif](https://github.com/Issif)
+* update: Mesos support is now deprecated and will be removed in the next version. [[#2328](https://github.com/falcosecurity/falco/pull/2328)] - [@leogr](https://github.com/leogr)
+* update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [[#2336](https://github.com/falcosecurity/falco/pull/2336)] - [@Dentrax](https://github.com/Dentrax)
+* doc(userspace): provide users with a correct message when some syscalls are not defined [[#2329](https://github.com/falcosecurity/falco/pull/2329)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(ci): update ci jobs to generate Falco images with the modern BPF probe [[#2320](https://github.com/falcosecurity/falco/pull/2320)] - [@Andreagit97](https://github.com/Andreagit97)
+* rules: add Falco container lists [[#2290](https://github.com/falcosecurity/falco/pull/2290)] - [@oscr](https://github.com/oscr)
+* rules(macro: private_key_or_password): now also check for OpenSSH private keys [[#2284](https://github.com/falcosecurity/falco/pull/2284)] - [@oscr](https://github.com/oscr)
+* update(cmake): bump libs and driver to latest RC. [[#2302](https://github.com/falcosecurity/falco/pull/2302)] - [@FedeDP](https://github.com/FedeDP)
+* Ensure that a ruleset object is copied properly in falco_engine::add_source(). [[#2271](https://github.com/falcosecurity/falco/pull/2271)] - [@mstemm](https://github.com/mstemm)
+* update(userspace/falco): enable using zlib with webserver [[#2125](https://github.com/falcosecurity/falco/pull/2125)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco): add container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [[#2277](https://github.com/falcosecurity/falco/pull/2277)] - [@FedeDP](https://github.com/FedeDP)
+* update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [[#2277](https://github.com/falcosecurity/falco/pull/2277)] - [@FedeDP](https://github.com/FedeDP)
+* update(falco.yaml): `open_params` under plugins configuration is now trimmed from surrounding whitespace [[#2267](https://github.com/falcosecurity/falco/pull/2267)] - [@yardenshoham](https://github.com/yardenshoham)
+
+
+### Bug Fixes
+
+* fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [[#2272](https://github.com/falcosecurity/falco/pull/2272)] - [@mstemm](https://github.com/mstemm)
+* fix(scripts): use falco-driver-loader only into install scripts [[#2391](https://github.com/falcosecurity/falco/pull/2391)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): fix grpc server shutdown [[#2350](https://github.com/falcosecurity/falco/pull/2350)] - [@FedeDP](https://github.com/FedeDP)
+* fix(docker/falco): trust latest GPG key [[#2365](https://github.com/falcosecurity/falco/pull/2365)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): improve rule loading validation results [[#2344](https://github.com/falcosecurity/falco/pull/2344)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix: graceful error handling for macros/lists reference loops [[#2311](https://github.com/falcosecurity/falco/pull/2311)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rules(tagging): enhanced rules tagging for inventory / threat modeling [[#2167](https://github.com/falcosecurity/falco/pull/2167)] - [@incertum](https://github.com/incertum)
+* rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [[#2241](https://github.com/falcosecurity/falco/pull/2241)] - [@Nicolas-Peiffer](https://github.com/Nicolas-Peiffer)
+* rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [[#2225](https://github.com/falcosecurity/falco/pull/2225)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+* rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [[#2224](https://github.com/falcosecurity/falco/pull/2224)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+* rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [[#2305](https://github.com/falcosecurity/falco/pull/2305)] - [@loresuso](https://github.com/loresuso)
+* rule(Read sensitive file untrusted): let salt-call read sensitive files [[#2291](https://github.com/falcosecurity/falco/pull/2291)] - [@vin01](https://github.com/vin01)
+* rule(macro: rpm_procs): let salt-call write to rpm database [[#2291](https://github.com/falcosecurity/falco/pull/2291)] - [@vin01](https://github.com/vin01)
+
+
+### Non user-facing changes
+
+* fix(ci): fix rpm sign job dependencies [[#2324](https://github.com/falcosecurity/falco/pull/2324)] - [@cappellinsamuele](https://github.com/cappellinsamuele)
+* chore(userspace): add `njson` lib as a dependency for `falco_engine` [[#2316](https://github.com/falcosecurity/falco/pull/2316)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [[#2405](https://github.com/falcosecurity/falco/pull/2405)] - [@FedeDP](https://github.com/FedeDP)
+* fix(scripts): fixed falcoctl config install dir. [[#2399](https://github.com/falcosecurity/falco/pull/2399)] - [@FedeDP](https://github.com/FedeDP)
+* fix(scripts): make /usr writable [[#2398](https://github.com/falcosecurity/falco/pull/2398)] - [@therealbobo](https://github.com/therealbobo)
+* fix(scripts): driver loader insmod [[#2388](https://github.com/falcosecurity/falco/pull/2388)] - [@FedeDP](https://github.com/FedeDP)
+* update(systemd): solve some issues with systemd unit [[#2385](https://github.com/falcosecurity/falco/pull/2385)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(cmake): upgrade falcoctl to v0.3.0-rc6 [[#2383](https://github.com/falcosecurity/falco/pull/2383)] - [@leogr](https://github.com/leogr)
+* docs(.github): rules are no longer in this repo [[#2382](https://github.com/falcosecurity/falco/pull/2382)] - [@leogr](https://github.com/leogr)
+* update(CI): mitigate frequent failure in CircleCI jobs [[#2375](https://github.com/falcosecurity/falco/pull/2375)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace): use the right path for the `cpus_for_each_syscall_buffer` config [[#2378](https://github.com/falcosecurity/falco/pull/2378)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(scripts): fixed incorrect bash var expansion [[#2367](https://github.com/falcosecurity/falco/pull/2367)] - [@therealbobo](https://github.com/therealbobo)
+* update(CI): upgrade toolchain in modern falco builder dockerfile [[#2337](https://github.com/falcosecurity/falco/pull/2337)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(ci): move static analysis job from circle CI to GHA [[#2332](https://github.com/falcosecurity/falco/pull/2332)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(falco): update cpp-httplib to 0.11.3 [[#2327](https://github.com/falcosecurity/falco/pull/2327)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(script): makes user able to pass custom option to driver-loade… [[#1901](https://github.com/falcosecurity/falco/pull/1901)] - [@andreabonanno](https://github.com/andreabonanno)
+* cleanup(ci): remove some unused jobs and remove some `falco-builder` reference where possible [[#2322](https://github.com/falcosecurity/falco/pull/2322)] - [@Andreagit97](https://github.com/Andreagit97)
+* docs(proposal): new artifacts distribution proposal [[#2304](https://github.com/falcosecurity/falco/pull/2304)] - [@leogr](https://github.com/leogr)
+* fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [[#2292](https://github.com/falcosecurity/falco/pull/2292)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [[#2313](https://github.com/falcosecurity/falco/pull/2313)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: remove string view lite [[#2307](https://github.com/falcosecurity/falco/pull/2307)] - [@leogr](https://github.com/leogr)
+* new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [[#2303](https://github.com/falcosecurity/falco/pull/2303)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(docs): add overview and versioning sections to falco release.md [[#2205](https://github.com/falcosecurity/falco/pull/2205)] - [@incertum](https://github.com/incertum)
+* Add Xenit AB to adopters [[#2285](https://github.com/falcosecurity/falco/pull/2285)] - [@NissesSenap](https://github.com/NissesSenap)
+* fix(userspace/falco): verify engine fields only for syscalls [[#2281](https://github.com/falcosecurity/falco/pull/2281)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(output): do not print syscall_buffer_size when gvisor is enabled [[#2283](https://github.com/falcosecurity/falco/pull/2283)] - [@alacuku](https://github.com/alacuku)
+* fix(engine): fix warning about redundant std::move [[#2286](https://github.com/falcosecurity/falco/pull/2286)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [[#2219](https://github.com/falcosecurity/falco/pull/2219)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fixed version bucket for release jobs. [[#2266](https://github.com/falcosecurity/falco/pull/2266)] - [@FedeDP](https://github.com/FedeDP)
+
 ## v0.33.1
 
 Released on 2022-11-24

cmake/cpack/debian/conffiles

@@ -1,3 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/rules.available/application_rules.yaml
+/etc/falco/falcoctl.yaml
 /etc/falco/falco_rules.local.yaml

cmake/modules/GetFalcoVersion.cmake

@@ -19,29 +19,36 @@ if(NOT FALCO_VERSION)
   # Try to obtain the exact git tag
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
-      # Fetch current hash
-      get_git_head_revision(refspec FALCO_HASH)
-      if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
-        set(FALCO_VERSION "0.0.0")
-      else()
-        # Obtain the closest tag
-        git_get_latest_tag(FALCO_LATEST_TAG)
-        if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
+      # Obtain the closest tag
+      git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
+      string(REGEX MATCH "^[0-9]+.[0-9]+.[0-9]+$" FALCO_TAG ${FALCO_VERSION})
+      if(FALCO_VERSION MATCHES "NOTFOUND$" OR FALCO_TAG STREQUAL "")
+        # Fetch current hash
+        get_git_head_revision(refspec FALCO_HASH)
+        if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
           set(FALCO_VERSION "0.0.0")
         else()
-          # Compute commit delta since tag
-          git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
-          if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+          # Obtain the closest tag
+          git_get_latest_tag(FALCO_LATEST_TAG)
+          if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
             set(FALCO_VERSION "0.0.0")
           else()
-            # Cut hash to 7 bytes
-            string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
-            # Format FALCO_VERSION to be semver with prerelease and build part
-            set(FALCO_VERSION
-                  "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
-           endif()
+            # Compute commit delta since tag
+            git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
+            if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+              set(FALCO_VERSION "0.0.0")
+            else()
+              # Cut hash to 7 bytes
+              string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
+              # Format FALCO_VERSION to be semver with prerelease and build part
+              set(FALCO_VERSION
+                    "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
+            endif()
+          endif()
         endif()
       endif()
+      # Format FALCO_VERSION to be semver with prerelease and build part
+      string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")

cmake/modules/falcoctl.cmake

@@ -15,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.3.0-rc6")
+set(FALCOCTL_VERSION "0.4.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "e2c0f488992b0034269cca7dd99adce0a6405421092d3d59def9505e1ff3c328")
+    set(FALCOCTL_HASH "13c88e612efe955bc014918a7af30bae28dc5ba99b2962af57e36b1b87f527f9")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "a90de711c178d1beb1148ee2a9099a430a95fb6997fe0728e666a43bf3ca3441")
+    set(FALCOCTL_HASH "0f8898853e99a2cd1b4dd6b161e8545cf20ce0e3ce79cddc539f6002257d5de5")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.10.2")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=6191114dc315c4f49c7e49613aa50c4e30140312997ffaec99e0041f5539f738")
+    set(FALCOSECURITY_LIBS_VERSION "0.10.4")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=30c5c846b6336d51473bb73bc0e6c18f91dd931e346ae34f18ad7ad4a5b904a2")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/rules.cmake

@@ -28,20 +28,6 @@ ExternalProject_Add(
   TEST_COMMAND ""
 )
 
-# application_rules.yaml
-set(FALCOSECURITY_RULES_APPLICATION_VERSION "application-rules-0.1.0")
-set(FALCOSECURITY_RULES_APPLICATION_CHECKSUM "SHA256=cf45c1a6997799610a7724ba7a2ceaa64a3bdc73d26cdfe06adb3f43e2321278")
-set(FALCOSECURITY_RULES_APPLICATION_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-application-prefix/src/falcosecurity-rules-application/application_rules.yaml")
-ExternalProject_Add(
-  falcosecurity-rules-application
-  URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_APPLICATION_VERSION}.tar.gz"
-  URL_HASH "${FALCOSECURITY_RULES_APPLICATION_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-)
-
 # falco_rules.local.yaml
 set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml")
 file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
@@ -53,7 +39,6 @@ endif()
 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
   set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
   set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
-  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
 endif()
 
 if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
@@ -81,11 +66,5 @@ else() # Default Falco installation
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
     COMPONENT "${FALCO_COMPONENT_NAME}")
 
-  install(
-    FILES "${FALCOSECURITY_RULES_APPLICATION_PATH}"
-    DESTINATION "${FALCO_ETC_DIR}/rules.available"
-    RENAME "${FALCO_APP_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
-
   install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

docker/builder/modern-falco-builder.Dockerfile

@@ -47,7 +47,6 @@ COPY --from=build-stage /build/release/falco-*.rpm /packages/
 # This is just a workaround to fix the CI build until we replace our actual testing framework.
 COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
 COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-application-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-application-prefix
 COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
 COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
 COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix

docker/no-driver/Dockerfile

@@ -27,6 +27,8 @@ LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
+RUN apt-get -y update && apt-get -y install ca-certificates
+
 ENV HOST_ROOT /host
 ENV HOME /root
 

falco.yaml

@@ -232,16 +232,16 @@ syscall_buf_size_preset: 4
 # `cpus_for_each_syscall_buffer`
 #
 # --- [Description]
-# 
+#
 # This is an index that controls how many CPUs you want to assign to a single
-# syscall buffer (ring buffer). By default every CPU has its syscall buffer, 
-# so the mapping is 1:1. The modern BPF probe allows you to choose a different 
-# mapping, for example, 2:1 would mean a syscall buffer every 2 CPUs
+# syscall buffer (ring buffer). By default, every syscall buffer is associated to
+# 2 CPUs, so the mapping is 1:2. The modern BPF probe allows you to choose different
+# mappings, for example, 1:1 would mean a syscall buffer for each CPU.
 #
 # --- [Usage]
 #
 # You can choose between different indexes: from `0` to `MAX_NUMBER_ONLINE_CPUs`.
-# `0` is a special value and it means a single syscall buffer shared between all 
+# `0` is a special value and it means a single syscall buffer shared between all
 # your online CPUs. `0` has the same effect as `MAX_NUMBER_ONLINE_CPUs`, the rationale
 # is that `0` allows you to create a single buffer without knowing the number of online
 # CPUs on your system.
@@ -249,17 +249,17 @@ syscall_buf_size_preset: 4
 #
 # Consider a system with 7 online CPUs:
 #
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU) 
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
 #
-# - `1` (Default value) means a syscall buffer for each CPU so 7 buffers
+# - `1` means a syscall buffer for each CPU so 7 buffers
 #
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU) 
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
 #                   |     |  |        |  |  |  |
 #       BUFFERs     0     1  2        3  4  5  6
-# 
-# - `2` means a syscall buffer for each CPU pair, so 4 buffers
 #
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU) 
+# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
 #                   |     |  |        |  |  |  |
 #       BUFFERs     0     0  1        1  2  2  3
 #
@@ -268,28 +268,28 @@ syscall_buf_size_preset: 4
 #
 # - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all CPUs, so 1 buffer
 #
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU) 
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
 #                   |     |  |        |  |  |  |
 #       BUFFERs     0     0  0        0  0  0  0
 #
 # Moreover you can combine this param with `syscall_buf_size_preset`
 # index, for example, you could create a huge single syscall buffer
-# shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`). 
+# shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`).
 #
 # --- [Suggestions]
 #
-# We chose index `1` (so one syscall buffer for each CPU) as default to keep parity
-# between our drivers (bpf and kernel module). By the way, you are free to find the preferred
-# configuration for your system. Considering a fixed `syscall_buf_size_preset` and so
-# a fixed buffer dimension:
+# We chose index `2` (so one syscall buffer for each CPU pair) as default because the modern bpf probe
+# follows a different memory allocation strategy with respect to the other 2 drivers (bpf and kernel module).
+# By the way, you are free to find the preferred configuration for your system.
+# Considering a fixed `syscall_buf_size_preset` and so a fixed buffer dimension:
 # - a lower number of buffers can speed up your system (lower memory footprint)
 # - a too lower number of buffers could increase contention in the kernel causing an
 #   overall slowdown of the system.
-# If you don't have huge events throughtputs and you are not experimenting with tons of drops
+# If you don't have huge events throughputs and you are not experimenting with tons of drops
 # you can try to reduce the number of buffers to have a lower memory footprint
 
 modern_bpf:
-  cpus_for_each_syscall_buffer: 1
+  cpus_for_each_syscall_buffer: 2
 ############## [EXPERIMENTAL] Modern BPF probe specific ##############
 
 # Falco continuously monitors outputs performance. When an output channel does not allow

scripts/CMakeLists.txt

@@ -31,17 +31,23 @@ configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.s
 		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
 
 # Debian
-configure_file(debian/postinst.in debian/postinst)
-configure_file(debian/postrm.in debian/postrm)
-configure_file(debian/prerm.in debian/prerm)
+configure_file(debian/postinst.in debian/postinst COPYONLY)
+configure_file(debian/postrm.in debian/postrm COPYONLY)
+configure_file(debian/prerm.in debian/prerm COPYONLY)
 
 # Rpm
-configure_file(rpm/postinstall.in rpm/postinstall)
-configure_file(rpm/postuninstall.in rpm/postuninstall)
-configure_file(rpm/preuninstall.in rpm/preuninstall)
+configure_file(rpm/postinstall.in rpm/postinstall COPYONLY)
+configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY)
+configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY)
 
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
+# Install Falcoctl config file
+if(NOT DEFINED FALCOCTL_ETC_DIR)
+	set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
+endif()
+install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
 		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")

scripts/debian/postinst.in

@@ -35,7 +35,7 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ "$1" = "configure" ]; then
-        if [ -x /usr/bin/dialog ]; then
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
           # If dialog is installed, create a dialog to let users choose the correct driver for them
           CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                 1 "Manual configuration (no unit is started)" \
@@ -78,8 +78,9 @@ systemctl --system daemon-reload || true
 # If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
     "kmod")
-      echo "[POST-INSTALL] Call 'falco-driver-loader module':"
-      falco-driver-loader module
+      # Only compile for kmod, in this way we use dkms
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
       ;;
     "bpf")
       echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"

scripts/falco-driver-loader

@@ -251,16 +251,10 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying to modprobe"
+			echo "* Trying to insmod"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found in dkms and loaded"
-				exit 0
-			fi
-			echo "* Unable to load ${DRIVER_NAME} module"
-			echo "* Trying insmod"
 			if insmod "$KO_FILE" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found in dkms and inserted"
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
 			fi
 			echo "* Unable to insmod ${DRIVER_NAME} module"
@@ -284,14 +278,6 @@ load_kernel_module_download() {
 	if curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true
-		depmod ${KERNEL_RELEASE} || true
-		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-			echo "* Success: ${DRIVER_NAME} module found and loaded"
-			exit 0
-		fi
-		>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
 		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
 			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
@@ -410,13 +396,6 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true
-		depmod ${KERNEL_RELEASE} || true
-		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-			echo "* Success: ${DRIVER_NAME} module found and loaded"
-			exit 0
-		fi
 		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
@@ -435,7 +414,7 @@ load_kernel_module() {
 	# Last try (might load a previous driver version)
 	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
 	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "* Success: ${DRIVER_NAME} module found and loaded"
+		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 		exit 0
 	fi
 

scripts/falcoctl/falcoctl.yaml

@@ -0,0 +1,9 @@
+artifact:
+  follow:
+    every: 6h0m0s
+    falcoVersions: http://localhost:8765/versions
+    refs:
+    - falco-rules:0
+indexes:
+- name: falcosecurity
+  url: https://falcosecurity.github.io/falcoctl/index.yaml

scripts/rpm/postinstall.in

@@ -33,8 +33,8 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 # unmask falcoctl if it was masked
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
-if [ $1 -eq 1 ]; then
-        if [ -x /usr/bin/dialog ]; then
+if [ $1 -ge 1 ]; then
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
             # If dialog is installed, create a dialog to let users choose the correct driver for them
             CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                     1 "Manual configuration (no unit is started)" \
@@ -77,8 +77,9 @@ systemctl --system daemon-reload || true
 # If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
     "kmod")
-      echo "[POST-INSTALL] Call 'falco-driver-loader module':"
-      falco-driver-loader module
+      # Only compile for kmod, in this way we use dkms
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
       ;;
     "bpf")
       echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"

scripts/systemd/falco-bpf.service

@@ -3,9 +3,6 @@ Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
 Before=falcoctl-artifact-follow.service
 Wants=falcoctl-artifact-follow.service
-Conflicts=falco-kmod.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-custom.service
 
 [Service]
 Type=simple

scripts/systemd/falco-custom.service

@@ -3,9 +3,6 @@ Description=Falco: Container Native Runtime Security with custom configuration
 Documentation=https://falco.org/docs/
 Before=falcoctl-artifact-follow.service
 Wants=falcoctl-artifact-follow.service
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
 
 [Service]
 Type=simple

scripts/systemd/falco-kmod.service

@@ -5,9 +5,6 @@ After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
 Before=falcoctl-artifact-follow.service
 Wants=falcoctl-artifact-follow.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-custom.service
 
 [Service]
 Type=simple
@@ -22,7 +19,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
+ReadWriteDirectories=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/systemd/falco-modern-bpf.service

@@ -3,9 +3,6 @@ Description=Falco: Container Native Runtime Security with modern ebpf
 Documentation=https://falco.org/docs/
 Before=falcoctl-artifact-follow.service
 Wants=falcoctl-artifact-follow.service
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-custom.service
 
 [Service]
 Type=simple

scripts/systemd/falcoctl-artifact-follow.service

@@ -6,7 +6,7 @@ PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custo
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falcoctl artifact follow
+ExecStart=/usr/bin/falcoctl artifact follow --allowed-types=rulesfile
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -14,6 +14,7 @@ Restart=on-failure
 PrivateTmp=true
 NoNewPrivileges=yes
 ProtectSystem=true
+ReadWriteDirectories=/usr/share/falco
 ProtectKernelTunables=true
 RestrictRealtime=true
 

userspace/engine/falco_engine_version.h

@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this Falco
 // engine.
-#define FALCO_ENGINE_VERSION (15)
+#define FALCO_ENGINE_VERSION (16)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of Falco. It's used

userspace/falco/app_actions/load_rules_files.cpp

@@ -172,6 +172,14 @@ application::run_result application::load_rules_files()
 		check_for_ignored_events();
 	}
 
+	if(m_options.all_events && m_options.modern_bpf)
+	{
+		/* Right now the modern BPF probe doesn't support the -A flag, we implemented just 
+		 * the "simple set" syscalls.
+		 */
+		falco_logger::log(LOG_INFO, "The '-A' flag has no effect with the modern BPF probe, no further syscalls will be added\n");
+	}
+
 	if (m_options.describe_all_rules)
 	{
 		m_state->engine->describe_rule(NULL);

userspace/falco/configuration.cpp

@@ -57,7 +57,7 @@ falco_configuration::falco_configuration():
 	m_metadata_download_chunk_wait_us(1000),
 	m_metadata_download_watch_freq_sec(1),
 	m_syscall_buf_size_preset(4),
-	m_cpus_for_each_syscall_buffer(1)
+	m_cpus_for_each_syscall_buffer(2)
 {
 }
 
@@ -311,7 +311,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	 */
 	m_syscall_buf_size_preset = config.get_scalar<uint16_t>("syscall_buf_size_preset", 4);
 
-	m_cpus_for_each_syscall_buffer = config.get_scalar<uint16_t>("modern_bpf.cpus_for_each_syscall_buffer", 1);
+	m_cpus_for_each_syscall_buffer = config.get_scalar<uint16_t>("modern_bpf.cpus_for_each_syscall_buffer", 2);
 
 	std::set<std::string> load_plugins;