docs: changelog for 0.26.2

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

.circleci/config.yml

@@ -1,5 +1,85 @@
 version: 2
 jobs:
+  # Build a statically linked Falco release binary using musl
+  # This build is 100% static, there are no host dependencies
+  "build/musl":
+    docker:
+      - image: alpine:3.12
+    steps:
+      - checkout:
+          path: /source-static/falco
+      - run:
+          name: Update base image
+          command: apk update
+      - run:
+          name: Install build dependencies
+          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+      - run:
+          name: Prepare project
+          command: |
+            mkdir -p /build-static/release
+            cd /build-static/release
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+      - run:
+          name: Build
+          command: |
+            cd /build-static/release
+            make -j4 all
+      - run:
+          name: Package
+          command: |
+            cd /build-static/release
+            make -j4 package
+      - run:
+          name: Run unit tests
+          command: |
+            cd /build-static/release
+            make tests
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build-static/release/*.tar.gz /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build-static/release
+            - source-static
+  # Build the minimal Falco
+  # This build only contains the Falco engine and the basic input/output.
+  "build/minimal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build-minimal
+            pushd build-minimal
+            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build-minimal
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build-minimal
+            make tests
+            popd
   # Build using ubuntu LTS
   # This build is dynamic, most dependencies are taken from the OS
   "build/ubuntu-focal":
@@ -202,6 +282,21 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+  "tests/integration-static":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source-static"
+          BUILD_DIR: "/build-static"
+          BUILD_TYPE: "release"
+          SKIP_PACKAGES_TESTS: "true"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
   "tests/driver-loader/integration":
     machine:
       image: ubuntu-1604:202004-01
@@ -211,6 +306,33 @@ jobs:
       - run:
           name: Execute driver-loader integration tests
           command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Code quality
+  "quality/static-analysis":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - run:
+          name: Install cppcheck
+          command: |
+            yum update -y
+            yum install epel-release -y
+            yum install cppcheck cppcheck-htmlreport -y
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: cppcheck
+          command: /usr/bin/entrypoint cppcheck
+      - run:
+          name: cppcheck html report
+          command: /usr/bin/entrypoint cppcheck_htmlreport
+      - store_artifacts:
+          path: /build/release/static-analysis-reports
+          destination: /static-analysis-reports
   # Sign rpm packages
   "rpm/sign":
     docker:
@@ -267,10 +389,34 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish tgz-dev
+          name: Publish bin-dev
           command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Clenup the Falco development release packages
+  "cleanup/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare env
+          command: |
+            apk add --no-cache --update
+            apk add curl jq
+      - run:
+          name: Only keep the 10 most recent Falco development release tarballs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release RPMs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release DEBs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
   # Publish docker packages
   "publish/docker-dev":
     docker:
@@ -327,10 +473,10 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish tgz
+          name: Publish bin
           command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker":
     docker:
@@ -372,6 +518,8 @@ workflows:
   version: 2
   build_and_test:
     jobs:
+      - "build/musl"
+      - "build/minimal"
       - "build/ubuntu-focal"
       - "build/ubuntu-focal-debug"
       - "build/ubuntu-bionic"
@@ -381,6 +529,9 @@ workflows:
       - "tests/integration":
           requires:
             - "build/centos7"
+      - "tests/integration-static":
+          requires:
+            - "build/musl"
       - "tests/driver-loader/integration":
           requires:
             - "build/centos7"
@@ -402,6 +553,16 @@ workflows:
               only: master
           requires:
             - "rpm/sign"
+            - "tests/integration-static"
+      - "cleanup/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
       - "publish/docker-dev":
           context: falco
           filters:
@@ -412,8 +573,15 @@ workflows:
           requires:
             - "publish/packages-dev"
             - "tests/driver-loader/integration"
+      - "quality/static-analysis"
   release:
     jobs:
+      - "build/musl":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
       - "build/centos7":
           filters:
             tags:
@@ -432,6 +600,7 @@ workflows:
       - "publish/packages":
           context: falco
           requires:
+            - "build/musl"
             - "rpm/sign"
           filters:
             tags:

CHANGELOG.md

@@ -1,6 +1,101 @@
 # Change Log
 
-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
+## v0.26.1
+
+Released on 2020-10-01
+
+### Major Changes
+
+* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
+
+
+### Rule Changes
+
+* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+
+
+## v0.26.0
+
+Released on 2020-24-09
+
+### Major Changes
+
+* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+
+
+### Rule Changes
+
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
+
+## v0.25.0
+
+Released on 2020-08-25
+
+### Major Changes
+
+* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
+* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Minor Changes
+
+* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
+* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
+* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
+
+
+### Rule Changes
+
+* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
+* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
+* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
+* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
 
 ## v0.24.0
 

CMakeLists.txt

@@ -16,6 +16,8 @@ project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -50,7 +52,15 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os")
+endif()
+
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS
@@ -73,7 +83,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -123,11 +133,13 @@ ExternalProject_Add(
 # yaml-cpp
 include(yaml-cpp)
 
-# OpenSSL
+if(NOT MINIMAL_BUILD)
-include(OpenSSL)
+  # OpenSSL
+  include(OpenSSL)
 
-# libcurl
+  # libcurl
-include(cURL)
+  include(cURL)
+endif()
 
 # LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
@@ -194,26 +206,30 @@ ExternalProject_Add(
   BUILD_BYPRODUCTS ${TBB_LIB}
   INSTALL_COMMAND "")
 
-# civetweb
+if(NOT MINIMAL_BUILD)
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+  # civetweb
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-ExternalProject_Add(
+  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-  civetweb
+  ExternalProject_Add(
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+    civetweb
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  BUILD_IN_SOURCE 1
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    BUILD_IN_SOURCE 1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+endif()
 
 #string-view-lite
 include(DownloadStringViewLite)
 
-# gRPC
+if(NOT MINIMAL_BUILD)
-include(gRPC)
+  # gRPC
+  include(gRPC)
+endif()
 
 # sysdig
 include(sysdig)
@@ -221,11 +237,13 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
 
-# Coverage
+if(NOT MINIMAL_BUILD)
-include(Coverage)
+  # Coverage
+  include(Coverage)
 
-# Tests
+  # Tests
-add_subdirectory(test)
+  add_subdirectory(test)
+endif()
 
 # Rules
 add_subdirectory(rules)
@@ -236,6 +254,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)

README.md

@@ -74,7 +74,7 @@ To get involved with The Falco Project please visit [the community repository](h
 
 ### Contributing
 
-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
 
 ### Security Audit
 

RELEASE.md

@@ -4,19 +4,21 @@ Our release process is mostly automated, but we still need some manual steps to
 
 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
 
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
 
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
 ## Pre-Release Checklist
 
+Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+
 ### 1. Release notes
-- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
 
 ### 2. Milestones
 
@@ -28,14 +30,15 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` update itself automatically
 - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-- Add the lastest changes on top the previous `CHANGELOG.md`
+    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+- Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
-- Close the completed milestone as soon PR is merged
+- Close the completed milestone as soon as the PR is merged
 
 ## Release
 
-Let `x.y.z` the new version.
+Now assume `x.y.z` is the new version.
 
 ### 1. Create a tag
 
@@ -58,15 +61,29 @@ Let `x.y.z` the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
     ```
+    <!-- Substitute x.y.z with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+
+    | Images                                                          |
+    | --------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
+
     <!-- Copy the relevant part of the changelog here -->
 
     ### Statistics
 
-    | Merged PRs        | Number  |
+    | Merged PRs      | Number |
-    |-------------------|---------|
+    | --------------- | ------ |
-    | Not user-facing   | x       |
+    | Not user-facing | x      |
-    | Release note      | x       |
+    | Release note    | x      |
-    | Total             | x       |
+    | Total           | x      |
 
     <!-- Calculate stats and fill the above table -->
     ```

brand/README.md

@@ -15,6 +15,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.
+
 ### Slogan
 
 > Cloud Native Runtime Security

cmake/modules/CPackConfig.cmake

@@ -25,7 +25,11 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
-set(CPACK_GENERATOR DEB RPM TGZ)
+if(NOT CPACK_GENERATOR)
+    set(CPACK_GENERATOR DEB RPM TGZ)
+endif()
+
+message(STATUS "Using package generators: ${CPACK_GENERATOR}")
 
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")

cmake/modules/DownloadStringViewLite.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 
 set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
 set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
+message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
 
 ExternalProject_Add(
   string-view-lite

cmake/modules/gRPC.cmake

@@ -96,12 +96,17 @@ else()
   # that zlib will be very outdated
   set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
   set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that c-ares will be very outdated
+  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
+  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
 
   message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
   message(
     STATUS
       "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
   message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
   message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
 
   get_filename_component(PROTOC_DIR ${PROTOC} PATH)

cmake/modules/static-analysis.cmake

@@ -0,0 +1,42 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
+      "--quiet"
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT

cmake/modules/sysdig.cmake

@@ -17,7 +17,9 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
   # explicitly force this dependency to use the bundled OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
+  if(NOT MINIMAL_BUILD)
+    set(USE_BUNDLED_OPENSSL ON)
+  endif()
   set(USE_BUNDLED_JQ ON)
 endif()
 
@@ -27,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7")
+  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=43d274e4ce16b0d0e4dd00aab78006c902f36070d1cbb22d12a2685134a2ae51")
+  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
@@ -55,6 +57,9 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
 
 # Add libsinsp directory
@@ -65,5 +70,8 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)
 
 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
+  add_dependencies(scap jq)
+  if(NOT MINIMAL_BUILD)
+    add_dependencies(scap curl grpc)
+  endif()
 endif()

docker/builder/root/usr/bin/entrypoint

@@ -34,6 +34,7 @@ case "$CMD" in
     -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DBUILD_DRIVER="$BUILD_DRIVER" \
+    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \

docker/no-driver/Dockerfile

@@ -12,47 +12,16 @@ WORKDIR /
 
 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-RUN apt-get update -y && \
+RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    apt-get install -y binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
+    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
 FROM scratch
 
-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
-
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
-
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
 COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/root/usr/bin/entrypoint

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
 
-set -eu -o pipefail
+set -u -o pipefail
+
+BUILD_DIR=${BUILD_DIR:-/build}
+SOURCE_DIR=${SOURCE_DIR:-/source}
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
 
-SOURCE_DIR=/source
-BUILD_DIR=/build
 CMD=${1:-test}
 shift
 
@@ -56,9 +58,11 @@ case "$CMD" in
     fi
 
     # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    fi
 
     # check that source directory contains Falco
     if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -69,12 +73,14 @@ case "$CMD" in
     # run tests
     echo "Running regression tests ..."
     cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
 
     # clean docker images
-    clean_image "deb"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-    clean_image "rpm"
+        clean_image "deb"
-    clean_image "tar.gz"
+        clean_image "rpm"
+        clean_image "tar.gz"
+    fi
     ;;
 "bash")
     CMD=/bin/bash

proposals/20200506-artifacts-scope-part-1.md

@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
 
-## Summary 
+## Summary
 
 As a project we would like to support the following artifacts.
 
@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.
 
 ## Terms
 
-**falco** 
+**falco**
 
 *The Falco binary*
 
@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.
 
 **package**
 
-*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
+*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*
 
 **image**
 
 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
- 
+
 
 # Packages
 
@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be
 
 ### repository
 
-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
 
 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
 
@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.
 
-    
+
 ### Action Items
 
 Here are SOME of the items that would need to be done, for example:

proposals/20200818-artifacts-storage.md

@@ -0,0 +1,83 @@
+# Falco Artifacts Storage
+
+This document reflects the way we store the Falco artifacts.
+
+## Terms & Definitions
+
+- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
+- Bintray: artifacts distribution platform
+
+## Packages
+
+The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
+
+The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
+
+As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
+
+- DEB
+- RPM
+- Tarball
+
+Thus, we have three repositories for the Falco stable releases:
+
+- https://bintray.com/falcosecurity/deb
+- https://bintray.com/falcosecurity/rpm
+- https://bintray.com/falcosecurity/bin
+
+And three repositories for the Falco development releases:
+
+- https://bintray.com/falcosecurity/deb-dev
+- https://bintray.com/falcosecurity/rpm-dev
+- https://bintray.com/falcosecurity/bin-dev
+
+## Drivers
+
+The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
+
+This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
+
+Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
+
+Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
+
+The driver versions we ship prebuilt drivers for are:
+
+- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
+- the driver version associated with the penultimate Falco stable version
+
+The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
+
+You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
+
+### Notice
+
+The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
+
+Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
+
+Nevertheless, this process is an open, auditable, and transparent one.
+
+So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
+
+Some pull-requests you can look at to create your own are:
+
+- https://github.com/falcosecurity/test-infra/pull/165
+- https://github.com/falcosecurity/test-infra/pull/163
+- https://github.com/falcosecurity/test-infra/pull/162
+
+While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
+
+## Container images
+
+As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
+
+These images are built and published in two cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens (**Falco stable releases**)
+
+For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).

proposals/20200901-artifacts-cleanup.md

@@ -0,0 +1,102 @@
+# Falco Artifacts Cleanup
+
+This document reflects when and how we clean up the Falco artifacts from their storage location.
+
+## Motivation
+
+The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
+
+They also kindly granted us an additional 5GB of free space.
+
+## Goal
+
+Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
+
+## Status
+
+To be implemented.
+
+## Packages
+
+### Tarballs from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
+
+Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
+
+This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
+
+### DEB from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
+
+Historically, every Falco release is composed by less than 50 merges (upper limit).
+
+So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
+
+This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
+
+### RPM from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
+
+For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
+
+This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
+
+### Stable releases
+
+This document proposes to retain all the stable releases.
+
+This means that all the Falco packages present in the Falco stable release repositories will be kept.
+
+The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
+This means it grows in space of ~50MB each month.
+
+The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
+This means it grows in space of ~5MB each month.
+
+The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
+This means it grows in space of ~4.3MB each month.
+
+### Considerations
+
+Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
+
+Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
+
+### Implementation
+
+The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
+
+This job will be triggered after the `publish/packages-dev` completed successfully.
+
+## Drivers
+
+As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
+Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
+
+This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
+
+At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
+
+Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
+
+This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
+
+This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
+
+Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
+
+### Archivation
+
+Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
+
+The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
+
+### Implementation
+
+The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
+will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
+
+This job will be triggered after the `drivers/publish` completed successfully on the master branch.

rules/CMakeLists.txt

@@ -37,8 +37,7 @@ if(DEFINED FALCO_COMPONENT)
     COMPONENT "${FALCO_COMPONENT}"
     DESTINATION "${FALCO_ETC_DIR}"
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
+# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
-  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
 else()
   install(
     FILES falco_rules.yaml
@@ -57,8 +56,8 @@ else()
 
   install(
     FILES application_rules.yaml
-    DESTINATION "/etc/falco/rules.available"
+    DESTINATION "${FALCO_ETC_DIR}/rules.available"
     RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
 
-  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()

rules/falco_rules.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,7 +23,7 @@
 # change to this rules file, we'll uncomment this line and set it to
 # the falco engine version in use at the time.
 #
-#- required_engine_version: 2
+- required_engine_version: 7
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -344,8 +344,8 @@
 # for efficiency.
 - macro: inbound_outbound
   condition: >
-    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
+    ((((evt.type in (accept,listen,connect) and evt.dir=<)) or
-     (fd.typechar = 4 or fd.typechar = 6) and
+     (fd.typechar = 4 or fd.typechar = 6)) and
      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
@@ -368,7 +368,7 @@
 - rule: Disallowed SSH Connection
   desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
   condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
-  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_remote_service]
 
@@ -399,7 +399,7 @@
     ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
      (fd.snet in (allowed_outbound_destination_networks)) or
      (fd.sip.name in (allowed_outbound_destination_domains)))
-  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network]
 
@@ -422,7 +422,7 @@
     ((fd.cip in (allowed_inbound_source_ipaddrs)) or
      (fd.cnet in (allowed_inbound_source_networks)) or
      (fd.cip.name in (allowed_inbound_source_domains)))
-  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network]
 
@@ -461,7 +461,7 @@
     and not proc.name in (shell_binaries)
     and not exe_running_docker_save
   output: >
-    a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_persistence]
@@ -483,7 +483,7 @@
      fd.directory in (shell_config_directories)) and
     (not proc.name in (shell_binaries))
   output: >
-    a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_discovery]
@@ -502,7 +502,7 @@
     consider_all_cron_jobs and
     not user_known_cron_jobs
   output: >
-    Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline
+    Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -512,8 +512,8 @@
 
 # When displaying container information in the output field, use
 # %container.info, without any leading term (file=%fd.name
-# %container.info user=%user.name, and not file=%fd.name
+# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
-# container=%container.info user=%user.name). The output will change
+# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
 # based on the context and whether or not -pk/-pm/-pc was specified on
 # the command line.
 - macro: container
@@ -696,8 +696,8 @@
 - macro: run_by_foreman
   condition: >
     (user.name=foreman and
-     (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
+     ((proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
-     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
+     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))))
 
 - macro: java_running_sdjagent
   condition: proc.name=java and proc.cmdline contains sdjagent.jar
@@ -746,6 +746,13 @@
 - macro: runuser_reading_pam
   condition: (proc.name=runuser and fd.directory=/etc/pam.d)
 
+# CIS Linux Benchmark program
+- macro: linux_bench_reading_etc_shadow
+  condition: ((proc.aname[2]=linux-bench and
+               proc.name in (awk,cut,grep)) and
+              (fd.name=/etc/shadow or
+               fd.directory=/etc/pam.d))
+
 - macro: parent_ucf_writing_conf
   condition: (proc.pname=ucf and proc.aname[2]=frontend)
 
@@ -928,10 +935,12 @@
   items: [sources.list]
 
 - list: repository_directories
-  items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
+  items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
 
 - macro: access_repositories
-  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
+  condition: (fd.directory in (repository_directories) or
+              (fd.name pmatch (repository_directories) and
+               fd.filename in (repository_files)))
 
 - macro: modify_repositories
   condition: (evt.arg.newpath pmatch (repository_directories))
@@ -944,10 +953,11 @@
   condition: >
     ((open_write and access_repositories) or (modify and modify_repositories))
     and not package_mgmt_procs
+    and not package_mgmt_ancestor_procs
     and not exe_running_docker_save
     and not user_known_update_package_registry
   output: >
-    Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
+    Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
   priority:
     NOTICE
   tags: [filesystem, mitre_persistence]
@@ -968,7 +978,7 @@
     and not python_running_ms_oms
     and not user_known_write_below_binary_dir_activities
   output: >
-    File below a known binary directory opened for writing (user=%user.name
+    File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1026,7 +1036,7 @@
     and not cloud_init_writing_ssh
     and not user_known_write_monitored_dir_conditions
   output: >
-    File below a monitored directory opened for writing (user=%user.name
+    File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1049,7 +1059,7 @@
      not user_known_read_ssh_information_activities and
      not proc.name in (ssh_binaries))
   output: >
-    ssh-related file/directory read by non-ssh program (user=%user.name
+    ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_discovery]
@@ -1145,7 +1155,7 @@
 
 - macro: redis_writing_conf
   condition: >
-    (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)
+    (proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis))
 
 - macro: openvpn_writing_conf
   condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
@@ -1173,7 +1183,10 @@
 
 - macro: calico_writing_conf
   condition: >
-    (proc.name = calico-node and fd.name startswith /etc/calico)
+    (((proc.name = calico-node) or
+      (container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
+      (container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
+     and fd.name startswith /etc/calico)
 
 - macro: prometheus_conf_writing_conf
   condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
@@ -1324,7 +1337,7 @@
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
   condition: write_etc_common
-  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
+  output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -1393,10 +1406,14 @@
 - macro: runc_writing_var_lib_docker
   condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
 
+- macro: mysqlsh_writing_state
+  condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
+
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
     root_dir and evt.dir = < and open_write
+    and proc_name_exists
     and not fd.name in (known_root_files)
     and not fd.directory pmatch (known_root_directories)
     and not exe_running_docker_save
@@ -1413,10 +1430,11 @@
     and not calico_writing_state
     and not rancher_writing_root
     and not runc_writing_exec_fifo
+    and not mysqlsh_writing_state
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
-  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
+  output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -1433,7 +1451,7 @@
     at startup to load initial state, but not afterwards.
   condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
   output: >
-    Sensitive file opened for reading by trusted program after startup (user=%user.name
+    Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [filesystem, mitre_credential_access]
@@ -1475,7 +1493,9 @@
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
      vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
+     google_oslogin_
+     )
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb
@@ -1488,10 +1508,11 @@
     and not veritas_driver_script
     and not perl_running_centrifydc
     and not runuser_reading_pam
+    and not linux_bench_reading_etc_shadow
     and not user_known_read_sensitive_files_activities
     and not user_read_sensitive_file_containers
   output: >
-    Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
+    Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [filesystem, mitre_credential_access, mitre_discovery]
@@ -1554,7 +1575,7 @@
     and not postgres_running_wal_e
     and not user_known_db_spawned_processes
   output: >
-    Database-related program spawned process other than itself (user=%user.name
+    Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
     program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [process, database, mitre_execution]
@@ -1566,7 +1587,7 @@
   desc: an attempt to modify any file below a set of binary directories.
   condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
   output: >
-    File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
+    File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1578,7 +1599,7 @@
   desc: an attempt to create a directory below a set of binary directories.
   condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
   output: >
-    Directory below known binary directory created (user=%user.name
+    Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1607,6 +1628,7 @@
     as a part of creating a container) by calling setns.
   condition: >
     evt.type=setns and evt.dir=<
+    and proc_name_exists
     and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
     and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
     and not proc.name in (user_known_change_thread_namespace_binaries)
@@ -1622,7 +1644,7 @@
     and not weaveworks_scope
     and not user_known_change_thread_namespace_activities
   output: >
-    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
+    Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
@@ -1768,7 +1790,7 @@
     and not run_by_appdynamics
     and not user_shell_container_exclusions
   output: >
-    Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
+    Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
     aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
   priority: DEBUG
@@ -1843,11 +1865,29 @@
 # These container images are allowed to run with --privileged
 - list: falco_privileged_images
   items: [
-    docker.io/sysdig/falco, docker.io/sysdig/sysdig,
+    docker.io/calico/node,
-    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
+    docker.io/cloudnativelabs/kube-router,
-    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
+    docker.io/docker/ucp-agent,
-    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
+    docker.io/falcosecurity/falco,
-    docker.io/falcosecurity/falco, sysdig/falco, sysdig/sysdig, falcosecurity/falco
+    docker.io/mesosphere/mesos-slave,
+    docker.io/rook/toolbox,
+    docker.io/sysdig/falco,
+    docker.io/sysdig/sysdig,
+    falcosecurity/falco,
+    gcr.io/google_containers/kube-proxy,
+    gcr.io/google-containers/startup-script,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/netd-amd64,
+    gcr.io/google-containers/prometheus-to-sd,
+    k8s.gcr.io/ip-masq-agent-amd64,
+    k8s.gcr.io/kube-proxy,
+    k8s.gcr.io/prometheus-to-sd,
+    quay.io/calico/node,
+    sysdig/falco,
+    sysdig/sysdig,
+    sematext_images
     ]
 
 - macro: falco_privileged_containers
@@ -1890,11 +1930,20 @@
   condition: (user_trusted_containers or
               container.image.repository in (trusted_images) or
               container.image.repository in (falco_sensitive_mount_images) or
-              container.image.repository startswith quay.io/sysdig)
+              container.image.repository startswith quay.io/sysdig/)
 
 # These container images are allowed to run with hostnetwork=true
 - list: falco_hostnetwork_images
-  items: []
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/typha,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/ip-masq-agent-amd64
+    k8s.gcr.io/prometheus-to-sd,
+    ]
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1912,7 +1961,7 @@
     and container.privileged=true
     and not falco_privileged_containers
     and not user_privileged_containers
-  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: INFO
   tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
 
@@ -1956,7 +2005,7 @@
     and sensitive_mount
     and not falco_sensitive_mount_containers
     and not user_sensitive_mount_containers
-  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
+  output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
   priority: INFO
   tags: [container, cis, mitre_lateral_movement]
 
@@ -1976,7 +2025,7 @@
   desc: >
     Detect the initial process started by a container that is not in a list of allowed containers.
   condition: container_started and container and not allowed_containers
-  output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [container, mitre_lateral_movement]
 
@@ -1991,7 +2040,7 @@
 - rule: System user interactive
   desc: an attempt to run interactive commands by a system (i.e. non-login) user
   condition: spawned_process and system_users and interactive and not user_known_system_user_login
-  output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
+  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
   priority: INFO
   tags: [users, mitre_remote_access_tools]
 
@@ -2008,7 +2057,7 @@
     and container_entrypoint
     and not user_expected_terminal_shell_in_container_conditions
   output: >
-    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
+    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
     shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [container, shell, mitre_execution]
@@ -2084,7 +2133,7 @@
     and not user_expected_system_procs_network_activity_conditions
   output: >
     Known system binary sent/received network traffic
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2122,7 +2171,7 @@
     proc.env icontains HTTP_PROXY
   output: >
     Program run with disallowed HTTP_PROXY environment variable
-    (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [host, users]
 
@@ -2145,7 +2194,7 @@
      and interpreted_procs)
   output: >
     Interpreted program received/listened for network traffic
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2156,7 +2205,7 @@
      and interpreted_procs)
   output: >
     Interpreted program performed outgoing network connection
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2197,7 +2246,7 @@
   condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
   output: >
     Unexpected UDP Traffic Seen
-    (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2256,7 +2305,7 @@
     and not nrpe_becoming_nagios
     and not user_known_non_sudo_setuid_conditions
   output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
+    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [users, mitre_privilege_escalation]
@@ -2285,7 +2334,7 @@
     not user_known_user_management_activities
   output: >
     User management binary command run outside of container
-    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: NOTICE
   tags: [host, users, mitre_persistence]
 
@@ -2309,7 +2358,7 @@
     and not fd.name in (allowed_dev_files)
     and not fd.name startswith /dev/tty
     and not user_known_create_files_below_dev_activities
-  output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
+  output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -2427,7 +2476,7 @@
     and not package_mgmt_ancestor_procs
     and not user_known_package_manager_in_container
   output: >
-    Package management process launched in container (user=%user.name
+    Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: ERROR
   tags: [process, mitre_persistence]
@@ -2441,7 +2490,7 @@
                               or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
-    Netcat runs inside container that allows remote code execution (user=%user.name
+    Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [network, process, mitre_execution]
@@ -2454,7 +2503,7 @@
   condition: >
     spawned_process and container and network_tool_procs and not user_known_network_tool_activities
   output: >
-    Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
     container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, process, mitre_discovery, mitre_exfiltration]
@@ -2474,7 +2523,7 @@
     network_tool_procs and
     not user_known_network_tool_activities
   output: >
-    Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname)
+    Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname)
   priority: NOTICE
   tags: [network, process, mitre_discovery, mitre_exfiltration]
 
@@ -2510,7 +2559,7 @@
     )
   output: >
     Grep private keys or passwords activities found
-    (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name
     image=%container.image.repository:%container.image.tag)
   priority:
     WARNING
@@ -2544,7 +2593,7 @@
     not trusted_logging_images and
     not allowed_clear_log_files
   output: >
-    Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_defense_evasion]
@@ -2562,13 +2611,12 @@
   desc: Detect process running to clear bulk data from disk
   condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
   output: >
-    Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [process, mitre_persistence]
 
-- rule: Delete or rename shell history
+- macro: modify_shell_history
-  desc: Detect shell history deletion
   condition: >
     (modify and (
       evt.arg.name contains "bash_history" or
@@ -2582,14 +2630,27 @@
       evt.arg.path contains "bash_history" or
       evt.arg.path contains "zsh_history" or
       evt.arg.path contains "fish_read_history" or
-      evt.arg.path endswith "fish_history")) or
+      evt.arg.path endswith "fish_history"))
+
+- macro: truncate_shell_history
+  condition: >
     (open_write and (
       fd.name contains "bash_history" or
       fd.name contains "zsh_history" or
       fd.name contains "fish_read_history" or
       fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+
+- macro: var_lib_docker_filepath
+  condition: (evt.arg.name startswith /var/lib/docker or fd.name startswith /var/lib/docker)
+
+- rule: Delete or rename shell history
+  desc: Detect shell history deletion
+  condition: >
+    (modify_shell_history or truncate_shell_history) and
+       not var_lib_docker_filepath and
+       not proc.name in (docker_binaries)
   output: >
-    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
   tags: [process, mitre_defense_evasion]
@@ -2602,7 +2663,7 @@
     ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
      (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
   output: >
-    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
   tags: [process, mitre_defense_evasion]
@@ -2630,7 +2691,7 @@
     and not exe_running_docker_save
     and not user_known_set_setuid_or_setgid_bit_conditions
   output: >
-    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
+    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -2655,7 +2716,7 @@
     consider_hidden_file_creation and
     not user_known_create_hidden_file_activities
   output: >
-    Hidden file or directory created (user=%user.name command=%proc.cmdline
+    Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -2672,7 +2733,7 @@
   condition: >
     spawned_process and container and remote_file_copy_procs
   output: >
-    Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
     container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
@@ -2683,7 +2744,7 @@
     create_symlink and
     (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
   output: >
-    Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
+    Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
   priority: NOTICE
   tags: [file, mitre_exfiltration]
 
@@ -2806,24 +2867,23 @@
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
   condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
-  output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
+  output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
   priority: WARNING
   tags: [container, mitre_execution]
 
 
-# This rule is not enabled by default, as there are legitimate use
+# This rule is enabled by default. 
-# cases for raw packet. If you want to enable it, modify the
+# If you want to disable it, modify the following macro.
-# following macro.
 - macro: consider_packet_socket_communication
-  condition: (never_true)
+  condition: (always_true)
 
 - list: user_known_packet_socket_binaries
   items: []
 
 - rule: Packet socket created in container
-  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
+  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
   condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
-  output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
 
@@ -2862,7 +2922,7 @@
     k8s.ns.name in (namespace_scope_network_only_subnet)
   output: >
     Network connection outside local subnet
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
      image=%container.image.repository namespace=%k8s.ns.name
      fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
   priority: WARNING
@@ -2902,7 +2962,7 @@
     not fd.sport in (authorized_server_port)
   output: >
     Network connection outside authorized port and binary
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
     image=%container.image.repository)
   priority: WARNING
   tags: [network]
@@ -2914,7 +2974,7 @@
   desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
   condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
   output: >
-    Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
+    Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
   priority: WARNING
 
 # The two Container Drift rules below will fire when a new executable is created in a container.
@@ -2943,7 +3003,7 @@
     ((evt.arg.mode contains "S_IXUSR") or
     (evt.arg.mode contains "S_IXGRP") or
     (evt.arg.mode contains "S_IXOTH"))
-  output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
 
 # ****************************************************************************
@@ -2959,7 +3019,7 @@
     not runc_writing_var_lib_docker and
     not user_known_container_drift_activities and
     evt.rawres>=0
-  output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
 
 

rules/k8s_audit_rules.yaml

@@ -48,6 +48,8 @@
     "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
     "kubernetes-admin",
     vertical_pod_autoscaler_users,
+    cluster-autoscaler,
+    "system:addon-manager"
     ]
 
 - rule: Disallowed K8s User
@@ -242,20 +244,48 @@
   source: k8s_audit
   tags: [k8s]
 
+# Only defined for backwards compatibility. Use the more specific
+# user_allowed_kube_namespace_image_list instead.
 - list: user_trusted_image_list
   items: []
 
-- list: k8s_image_list
+- list: user_allowed_kube_namespace_image_list
-  items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
+  items: [user_trusted_image_list]
 
-- macro: trusted_pod
+# Only defined for backwards compatibility. Use the more specific
-  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
+# allowed_kube_namespace_image_list instead.
-              ka.req.pod.containers.image.repository in (k8s_image_list))
+- list: k8s_image_list
+  items: []
+
+- list: allowed_kube_namespace_image_list
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/addon-resizer,
+    gke.gcr.io/heapster,
+    gke.gcr.io/gke-metadata-server,
+    k8s.gcr.io/ip-masq-agent-amd64,
+    k8s.gcr.io/kube-apiserver,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/addon-resizer
+    k8s.gcr.io/prometheus-to-sd,
+    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
+    k8s.gcr.io/k8s-dns-kube-dns-amd64,
+    k8s.gcr.io/k8s-dns-sidecar-amd64,
+    k8s.gcr.io/metrics-server-amd64,
+    kope/kube-apiserver-healthcheck,
+    k8s_image_list
+    ]
+
+- macro: allowed_kube_namespace_pods
+  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
+              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
 
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
   output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -281,7 +311,8 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
+             not ka.target.name in (system:coredns, system:managed-certificate-controller)
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit

scripts/cleanup

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+usage() {
+    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
+    exit 1
+}
+
+user=poiana
+
+# Get the versions to delete.
+#
+# $1: repository to lookup
+# $2: number of versions to skip.
+get_versions() {
+    # The API endpoint returns the Falco package versions sort by most recent.
+    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
+}
+
+# Remove all the versions (${all[@]} array).
+#
+# $1: repository containing the versions.
+rem_versions() {
+    for i in "${!all[@]}";
+    do
+        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
+    done
+}
+
+while getopts ":p::r:" opt; do
+    case "${opt}" in
+        p )
+          pass=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${pass}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+skip=51
+if [[ "${repo}" == "bin-dev" ]]; then
+    skip=11
+fi
+
+get_versions "${repo}" ${skip}
+echo "number of versions to delete: ${#all[@]}"
+rem_versions "${repo}"

scripts/falco-driver-loader

@@ -143,33 +143,41 @@ load_kernel_module_compile() {
 	# skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
-	else
+		return
-		if hash dkms &>/dev/null; then
+	fi
-				echo "* Trying to dkms install ${DRIVER_NAME} module"
+
-			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+	if ! hash dkms &>/dev/null; then
-				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+		echo "* Skipping dkms install (dkms not found)"
-				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+		return
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+	fi
-					exit 0
+
-				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+	# try to compile using all the available gcc versions
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
-					exit 0
+		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
-				else
+		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
-					echo "* Unable to insmod ${DRIVER_NAME} module"
+		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
-				fi
+		chmod +x /tmp/falco-dkms-make
+		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+				exit 0
+			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+				exit 0
 			else
-				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+				echo "* Unable to insmod ${DRIVER_NAME} module"
-				if [ -f "${DKMS_LOG}" ]; then
-					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
-					cat "${DKMS_LOG}"
-				else
-					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
-				fi
 			fi
 		else
-			echo "* Skipping dkms install (dkms not found)"
+			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+			if [ -f "${DKMS_LOG}" ]; then
+				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+				cat "${DKMS_LOG}"
+			else
+				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+			fi
 		fi
-	fi
+	done
 }
 
 load_kernel_module_download() {

test/rules/detect_connect_using_in.yaml

@@ -18,5 +18,5 @@
   desc: Detect any connect to the localhost network, using fd.net and the in operator
   condition: evt.type=connect and fd.net in ("127.0.0.1/24")
   output: Program connected to localhost network
-    (user=%user.name command=%proc.cmdline connection=%fd.name)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
   priority: INFO

test/run_regression_tests.sh

@@ -19,6 +19,13 @@ set -euo pipefail
 
 SCRIPT=$(readlink -f $0)
 SCRIPTDIR=$(dirname "$SCRIPT")
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
+
+# Trace file tarballs are now versioned. Any time a substantial change
+# is made that affects the interaction of rules+engine and the trace
+# files here, upload a new trace file zip file and change the version
+# suffix here.
+TRACE_FILES_VERSION=20200831
 
 function download_trace_files() {
     for TRACE in traces-positive traces-negative traces-info ; do
@@ -26,7 +33,7 @@ function download_trace_files() {
         if [ "$OPT_BRANCH" != "none" ]; then
         curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
         else
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
         fi
         unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
         rm -rf "$TRACE_DIR/$TRACE.zip"
@@ -91,7 +98,13 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
+
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        suites+=($SCRIPTDIR/falco_tests_package.yaml)
+    fi
+    
+    for mult in "${suites[@]}"; do
         CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
         echo "Running $CMD"
         BUILD_DIR=${OPT_BUILD_DIR} $CMD

tests/CMakeLists.txt

@@ -14,7 +14,11 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 #
-set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
+if(MINIMAL_BUILD)
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp)
+else()
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
+endif()
 
 set(FALCO_TESTED_LIBRARIES falco_engine)
 
@@ -35,14 +39,25 @@ if(FALCO_BUILD_TESTS)
   add_executable(falco_test ${FALCO_TESTS_SOURCES})
 
   target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-  target_include_directories(
+
-    falco_test
+  if(MINIMAL_BUILD)
-    PUBLIC "${CATCH2_INCLUDE}"
+    target_include_directories(
-           "${FAKEIT_INCLUDE}"
+      falco_test
-           "${PROJECT_SOURCE_DIR}/userspace/engine"
+      PUBLIC "${CATCH2_INCLUDE}"
-           "${YAMLCPP_INCLUDE_DIR}"
+            "${FAKEIT_INCLUDE}"
-           "${CIVETWEB_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
-           "${PROJECT_SOURCE_DIR}/userspace/falco")
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  else()
+    target_include_directories(
+      falco_test
+      PUBLIC "${CATCH2_INCLUDE}"
+            "${FAKEIT_INCLUDE}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${CIVETWEB_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  endif()
   add_dependencies(falco_test catch2)
 
   include(CMakeParseArguments)

userspace/engine/CMakeLists.txt

@@ -27,18 +27,32 @@ if(USE_BUNDLED_DEPS)
   add_dependencies(falco_engine libyaml)
 endif()
 
-target_include_directories(
+if(MINIMAL_BUILD)
-  falco_engine
+  target_include_directories(
-  PUBLIC
+    falco_engine
-    "${LUAJIT_INCLUDE}"
+    PUBLIC
-    "${NJSON_INCLUDE}"
+      "${LUAJIT_INCLUDE}"
-    "${CURL_INCLUDE_DIR}"
+      "${NJSON_INCLUDE}"
-    "${TBB_INCLUDE_DIR}"
+      "${TBB_INCLUDE_DIR}"
-    "${STRING_VIEW_LITE_INCLUDE}"
+      "${STRING_VIEW_LITE_INCLUDE}"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-    "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-    "${PROJECT_BINARY_DIR}/userspace/engine")
+      "${PROJECT_BINARY_DIR}/userspace/engine")
+else()
+  target_include_directories(
+    falco_engine
+    PUBLIC
+      "${LUAJIT_INCLUDE}"
+      "${NJSON_INCLUDE}"
+      "${CURL_INCLUDE_DIR}"
+      "${TBB_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${PROJECT_BINARY_DIR}/userspace/engine")
+endif()
 
 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}")
 

userspace/engine/falco_engine_version.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (6)
+#define FALCO_ENGINE_VERSION (7)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used

userspace/falco/CMakeLists.txt

@@ -13,32 +13,35 @@
 
 configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
 
-add_custom_command(
+if(NOT MINIMAL_BUILD)
-  OUTPUT
+  add_custom_command(
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    OUTPUT
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-  COMMENT "Generate gRPC API"
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-  # Falco gRPC Version API
+    COMMENT "Generate gRPC API"
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Version API
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-  # Falco gRPC Outputs API
+            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    # Falco gRPC Outputs API
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-          ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+endif()
 
+if(MINIMAL_BUILD)
 add_executable(
   falco
   configuration.cpp
@@ -47,66 +50,109 @@ add_executable(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
-  webserver.cpp
+else()
-  grpc_context.cpp
+  add_executable(
-  grpc_server_impl.cpp
+    falco
-  grpc_request_context.cpp
+    configuration.cpp
-  grpc_server.cpp
+    logger.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    falco_outputs.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    event_drops.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    statsfilewriter.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    falco.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+    webserver.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
+    grpc_request_context.cpp
+    grpc_server.cpp
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
 
-add_dependencies(falco civetweb string-view-lite)
+    add_dependencies(falco civetweb)
+endif()
+
+add_dependencies(falco string-view-lite)
 
 if(USE_BUNDLED_DEPS)
   add_dependencies(falco yamlcpp)
 endif()
 
-target_include_directories(
+if(MINIMAL_BUILD)
-  falco
+  target_include_directories(
-  PUBLIC
+    falco
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+    PUBLIC
-    "${PROJECT_SOURCE_DIR}/userspace/engine"
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-    "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
-    "${PROJECT_BINARY_DIR}/driver/src"
+      "${PROJECT_BINARY_DIR}/userspace/falco"
-    "${STRING_VIEW_LITE_INCLUDE}"
+      "${PROJECT_BINARY_DIR}/driver/src"
-    "${YAMLCPP_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
-    "${CIVETWEB_INCLUDE_DIR}"
+      "${YAMLCPP_INCLUDE_DIR}"
-    "${OPENSSL_INCLUDE_DIR}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
-    "${GRPC_INCLUDE}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-    "${GRPCPP_INCLUDE}"
-    "${PROTOBUF_INCLUDE}"
-    "${CMAKE_CURRENT_BINARY_DIR}"
-    "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
 
-target_link_libraries(
+  target_link_libraries(
-  falco
+    falco
-  falco_engine
+    falco_engine
-  sinsp
+    sinsp
-  "${GPR_LIB}"
+    "${LIBYAML_LIB}"
-  "${GRPC_LIB}"
+    "${YAMLCPP_LIB}")
-  "${GRPCPP_LIB}"
+else()
-  "${PROTOBUF_LIB}"
+  target_include_directories(
-  "${OPENSSL_LIBRARY_SSL}"
+    falco
-  "${OPENSSL_LIBRARY_CRYPTO}"
+    PUBLIC
-  "${LIBYAML_LIB}"
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-  "${YAMLCPP_LIB}"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
-  "${CIVETWEB_LIB}")
+      "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_BINARY_DIR}/driver/src"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${CIVETWEB_INCLUDE_DIR}"
+      "${OPENSSL_INCLUDE_DIR}"
+      "${GRPC_INCLUDE}"
+      "${GRPCPP_INCLUDE}"
+      "${PROTOBUF_INCLUDE}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+
+  target_link_libraries(
+    falco
+    falco_engine
+    sinsp
+    "${GPR_LIB}"
+    "${GRPC_LIB}"
+    "${GRPCPP_LIB}"
+    "${PROTOBUF_LIB}"
+    "${OPENSSL_LIBRARY_SSL}"
+    "${OPENSSL_LIBRARY_CRYPTO}"
+    "${LIBYAML_LIB}"
+    "${YAMLCPP_LIB}"
+    "${CIVETWEB_LIB}")
+endif()
 
 configure_file(config_falco.h.in config_falco.h)
 
-add_custom_command(
+if(NOT MINIMAL_BUILD)
-  TARGET falco
+  add_custom_command(
-  COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY}
+    TARGET falco
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
-  COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+else()
+  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()
 
-# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h)
+# strip the Falco binary when releasing using musl
-
+if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
-# add_dependencies(verify_engine_fields falco)
+  add_custom_command(
+    TARGET falco
+    POST_BUILD
+    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
+    COMMENT "Strip the Falco binary when releasing the musl build")
+endif()
 
 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
 install(

userspace/falco/falco.cpp

@@ -43,8 +43,10 @@ limitations under the License.
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
+#ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
+#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 typedef function<void(sinsp* inspector)> open_t;
@@ -84,6 +86,7 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -104,6 +107,7 @@ static void usage()
 	   "                               Can not be specified with -t.\n"
 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
 	   "                               k8s audit events) instead of tapping into live.\n"
+#ifndef MINIMAL_BUILD
 	   " -k <url>, --k8s-api <url>\n"
 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
        "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
@@ -117,15 +121,18 @@ static void usage()
 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
 	   "                               ':' or '#' characters in the file name.\n"
+#endif
 	   " -L                            Show the name and description of all rules and exit.\n"
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
 	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
 	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
+#ifndef MINIMAL_BUILD
 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
 	   "                               Enable Mesos support by connecting to the API server\n"
 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
+#endif
 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
 	   " -N                            When used with --list, only print field names.\n"
 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
@@ -185,6 +192,7 @@ static void display_fatal_err(const string &msg)
 // Splitting into key=value or key.subkey=value will be handled by configuration class.
 std::list<string> cmdline_options;
 
+#ifndef MINIMAL_BUILD
 // Read a jsonl file containing k8s audit events and pass each to the engine.
 void read_k8s_audit_trace_file(falco_engine *engine,
 			       falco_outputs *outputs,
@@ -213,6 +221,7 @@ void read_k8s_audit_trace_file(falco_engine *engine,
 		}
 	}
 }
+#endif
 
 static std::string read_file(std::string filename)
 {
@@ -429,9 +438,11 @@ int falco_init(int argc, char **argv)
 	bool verbose = false;
 	bool names_only = false;
 	bool all_events = false;
+#ifndef MINIMAL_BUILD
 	string* k8s_api = 0;
 	string* k8s_api_cert = 0;
 	string* mesos_api = 0;
+#endif
 	string output_format = "";
 	uint32_t snaplen = 0;
 	bool replace_container_info = false;
@@ -461,42 +472,45 @@ int falco_init(int argc, char **argv)
 	double duration;
 	scap_stats cstats;
 
+#ifndef MINIMAL_BUILD
 	falco_webserver webserver;
 	falco::grpc::server grpc_server;
 	std::thread grpc_server_thread;
+#endif
 
 	static struct option long_options[] =
-	{
+		{
-		{"cri", required_argument, 0},
+			{"alternate-lua-dir", required_argument, 0},
-        {"daemon", no_argument, 0, 'd'},
+			{"cri", required_argument, 0},
-        {"disable-cri-async", no_argument, 0, 0},
+			{"daemon", no_argument, 0, 'd'},
-        {"disable-source", required_argument, 0},
+			{"disable-cri-async", no_argument, 0, 0},
-        {"help", no_argument, 0, 'h'},
+			{"disable-source", required_argument, 0},
-        {"ignored-events", no_argument, 0, 'i'},
+			{"help", no_argument, 0, 'h'},
-        {"k8s-api-cert", required_argument, 0, 'K'},
+			{"ignored-events", no_argument, 0, 'i'},
-        {"k8s-api", required_argument, 0, 'k'},
+			{"k8s-api-cert", required_argument, 0, 'K'},
-        {"list", optional_argument, 0},
+			{"k8s-api", required_argument, 0, 'k'},
-        {"mesos-api", required_argument, 0, 'm'},
+			{"list", optional_argument, 0},
-        {"option", required_argument, 0, 'o'},
+			{"mesos-api", required_argument, 0, 'm'},
-        {"pidfile", required_argument, 0, 'P'},
+			{"option", required_argument, 0, 'o'},
-        {"print-base64", no_argument, 0, 'b'},
+			{"pidfile", required_argument, 0, 'P'},
-        {"print", required_argument, 0, 'p'},
+			{"print-base64", no_argument, 0, 'b'},
-        {"snaplen", required_argument, 0, 'S'},
+			{"print", required_argument, 0, 'p'},
-        {"stats-interval", required_argument, 0},
+			{"snaplen", required_argument, 0, 'S'},
-        {"support", no_argument, 0},
+			{"stats-interval", required_argument, 0},
-        {"unbuffered", no_argument, 0, 'U'},
+			{"support", no_argument, 0},
-        {"userspace", no_argument, 0, 'u'},
+			{"unbuffered", no_argument, 0, 'U'},
-        {"validate", required_argument, 0, 'V'},
+			{"userspace", no_argument, 0, 'u'},
-        {"version", no_argument, 0, 0},
+			{"validate", required_argument, 0, 'V'},
-        {"writefile", required_argument, 0, 'w'},
+			{"version", no_argument, 0, 0},
-		{0, 0, 0, 0}
+			{"writefile", required_argument, 0, 'w'},
-	};
+			{0, 0, 0, 0}};
 
 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
+		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
@@ -530,8 +544,10 @@ int falco_init(int argc, char **argv)
 				break;
 			case 'e':
 				trace_filename = optarg;
+#ifndef MINIMAL_BUILD
 				k8s_api = new string();
 				mesos_api = new string();
+#endif
 				break;
 			case 'F':
 				list_flds = optarg;
@@ -539,21 +555,25 @@ int falco_init(int argc, char **argv)
 			case 'i':
 				print_ignored_events = true;
 				break;
+#ifndef MINIMAL_BUILD
 			case 'k':
 				k8s_api = new string(optarg);
 				break;
 			case 'K':
 				k8s_api_cert = new string(optarg);
 				break;
+#endif
 			case 'L':
 				describe_all_rules = true;
 				break;
 			case 'l':
 				describe_rule = optarg;
 				break;
+#ifndef MINIMAL_BUILD
 			case 'm':
 				mesos_api = new string(optarg);
 				break;
+#endif
 			case 'M':
 				duration_to_tot = atoi(optarg);
 				if(duration_to_tot <= 0)
@@ -668,6 +688,16 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
+				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+				{
+					if(optarg != NULL)
+					{
+						alternate_lua_dir = optarg;
+						if (alternate_lua_dir.back() != '/') {
+							alternate_lua_dir += '/';
+						}
+					}
+				}
 				break;
 
 			default:
@@ -703,7 +733,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}
 
-		engine = new falco_engine();
+		engine = new falco_engine(true, alternate_lua_dir);
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);
 
@@ -947,7 +977,8 @@ int falco_init(int argc, char **argv)
 			      config.m_notifications_rate, config.m_notifications_max_burst,
 			      config.m_buffered_outputs,
 			      config.m_time_format_iso_8601,
-			      hostname);
+			      hostname,
+			      alternate_lua_dir);
 
 		if(!all_events)
 		{
@@ -1074,6 +1105,12 @@ int falco_init(int argc, char **argv)
 
 			if(!trace_is_scap)
 			{
+#ifdef MINIMAL_BUILD
+				// Note that the webserver is not available when MINIMAL_BUILD is defined.
+				fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build");
+				result = EXIT_FAILURE;
+				goto exit;
+#else
 				try {
 					string line;
 					nlohmann::json j;
@@ -1098,6 +1135,7 @@ int falco_init(int argc, char **argv)
 					result = EXIT_FAILURE;
 					goto exit;
 				}
+#endif
 			}
 		}
 		else
@@ -1143,11 +1181,14 @@ int falco_init(int argc, char **argv)
 					// Try to insert the Falco kernel module
 					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 					{
-						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
+				} 
+				else 
+				{
+					rethrow_exception(current_exception());
 				}
-				rethrow_exception(current_exception());
 			}
 		}
 
@@ -1165,6 +1206,7 @@ int falco_init(int argc, char **argv)
 
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 
+#ifndef MINIMAL_BUILD
 		//
 		// Run k8s, if required
 		//
@@ -1248,12 +1290,15 @@ int falco_init(int argc, char **argv)
 				grpc_server.run();
 			});
 		}
+#endif
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
+#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
+#endif
 		}
 		else
 		{
@@ -1299,12 +1344,14 @@ int falco_init(int argc, char **argv)
 		inspector->close();
 		engine->print_stats();
 		sdropmgr.print_stats();
+#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
+#endif
 	}
 	catch(exception &e)
 	{
@@ -1312,12 +1359,14 @@ int falco_init(int argc, char **argv)
 
 		result = EXIT_FAILURE;
 
+#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
+#endif
 	}
 
 exit:

userspace/falco/falco_outputs.cpp

@@ -14,7 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#ifndef MINIMAL_BUILD
 #include <google/protobuf/util/time_util.h>
+#endif
 
 #include "falco_outputs.h"
 
@@ -22,15 +24,19 @@ limitations under the License.
 
 #include "formats.h"
 #include "logger.h"
+#ifndef MINIMAL_BUILD
 #include "falco_outputs_queue.h"
+#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 using namespace std;
 
 const static struct luaL_reg ll_falco_outputs [] =
 {
+#ifndef MINIMAL_BUILD
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
+#endif
 	{NULL, NULL}
 };
 
@@ -72,7 +78,8 @@ falco_outputs::~falco_outputs()
 void falco_outputs::init(bool json_output,
 			 bool json_include_output_property,
 			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname)
+			 bool time_format_iso_8601, string hostname,
+			 const string& alternate_lua_dir)
 {
 	// The engine must have been given an inspector by now.
 	if(!m_inspector)
@@ -82,7 +89,7 @@ void falco_outputs::init(bool json_output,
 
 	m_json_output = json_output;
 
-	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
+	falco_common::init(m_lua_main_filename.c_str(), alternate_lua_dir.c_str());
 
 	// Note that falco_formats is added to both the lua state used
 	// by the falco engine as well as the separate lua state used
@@ -259,6 +266,7 @@ void falco_outputs::reopen_outputs()
 	}
 }
 
+#ifndef MINIMAL_BUILD
 int falco_outputs::handle_http(lua_State *ls)
 {
 	CURL *curl = NULL;
@@ -369,3 +377,4 @@ int falco_outputs::handle_grpc(lua_State *ls)
 
 	return 1;
 }
+#endif

userspace/falco/falco_outputs.h

@@ -54,7 +54,8 @@ public:
 	void init(bool json_output,
 		  bool json_include_output_property,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
-		  bool time_format_iso_8601, std::string hostname);
+		  bool time_format_iso_8601, std::string hostname,
+		  const std::string& alternate_lua_dir);
 
 	void add_output(output_config oc);
 
@@ -74,8 +75,10 @@ public:
 
 	void reopen_outputs();
 
+#ifndef MINIMAL_BUILD
 	static int handle_http(lua_State *ls);
 	static int handle_grpc(lua_State *ls);
+#endif
 
 private:
 

userspace/falco/verify_engine_fields.sh

@@ -1,19 +1,12 @@
-#!/bin/sh
+#!/bin/env/bash
 
 set -euo pipefail
 
 SOURCE_DIR=$1
-OPENSSL=$2
 
-if ! command -v "${OPENSSL}" version > /dev/null 2>&1; then
+NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}')
-    echo "No openssl command at ${OPENSSL}"
-    exit 1
-fi
-
-NEW_CHECKSUM=$(./falco --list -N | ${OPENSSL} dgst -sha256 | awk '{print $2}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
-
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then
     echo "Set of fields supported has changed (new checksum $NEW_CHECKSUM != old checksum $CUR_CHECKSUM)."
     echo "Update checksum and/or version in falco_engine_version.h."