chore(ci): only install awscli from repo.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.circleci/OWNERS

@@ -0,0 +1,2 @@
+emeritus_approvers:
+  - jonahjon

.circleci/config.yml

@@ -1,194 +1,156 @@
-version: 2
+version: 2.1
 jobs:
-  # Build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal":
-    docker:
-      - image: ubuntu:focal
+  "build-arm64":
+    machine:
+      enabled: true
+      image: ubuntu-2204:2022.10.2
+    resource_class: arm.large
     steps:
-      - checkout
+
+      # Install dependencies to build the modern BPF probe skeleton.
       - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
+          name: Install deps ⛓️
           command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On ..
-            popd
+            sudo apt update
+            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
+            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
+            cd bpftool
+            git submodule update --init
+            cd src && sudo make install
+
+      # Path to the source code
+      - checkout:
+          path: /tmp/source-arm64/falco
+
+      # Build the skeleton
       - run:
-          name: Build
+          name: Build modern BPF skeleton 🐝
           command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
+            mkdir -p /tmp/source-arm64/falco/skeleton-build
+            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
+            make ProbeSkeleton
+
+      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
+      # This dockerfile returns as output:
+      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
+      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
       - run:
-          name: Run unit tests
+          name: Build Falco packages 🏗️
           command: |
-            pushd build
-            make tests
-            popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal-debug":
+            FALCO_VERSION=$(cat /tmp/source-arm64/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
+
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - build-arm64/release
+            - source-arm64
+
+  # Build a statically linked Falco release binary using musl
+  # This build is 100% static, there are no host dependencies
+  "build-musl":
     docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using Ubuntu Bionic Beaver (18.04)
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/ubuntu-bionic":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using CentOS 8
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/centos8":
-    docker:
-      - image: centos:8
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: dnf update -y
-      - run:
-          name: Install dependencies
-          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/centos7":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
+      - image: alpine:3.17
+    resource_class: large
     steps:
       - checkout:
-          path: /source/falco
+          path: /source-static/falco
+      - run:
+          name: Update base image
+          command: apk update
+      - run:
+          name: Install build dependencies
+          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
       - run:
           name: Prepare project
-          command: /usr/bin/entrypoint cmake
+          command: |
+            mkdir -p /build-static/release
+            cd /build-static/release
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
       - run:
           name: Build
-          command: /usr/bin/entrypoint all
+          command: |
+            cd /build-static/release
+            make -j6 all
       - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release
-            - source
+          name: Package
+          command: |
+            cd /build-static/release
+            make -j6 package
       - run:
           name: Prepare artifacts
           command: |
             mkdir -p /tmp/packages
-            cp /build/release/*.deb /tmp/packages
-            cp /build/release/*.tar.gz /tmp/packages
-            cp /build/release/*.rpm /tmp/packages
+            cp /build-static/release/*.tar.gz /tmp/packages
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-  # Debug build using our own builder base image using centos 7
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build-static/release
+            - source-static
+
   # This build is static, dependencies are bundled in the Falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
+  "build-centos7":
+    machine:
+      enabled: true
+      image: ubuntu-2204:2022.10.2
+    resource_class: large
     steps:
+
+      # Install dependencies to build the modern BPF probe skeleton.
+      - run:
+          name: Install deps ⛓️
+          command: |
+            sudo apt update
+            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
+            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
+            cd bpftool
+            git submodule update --init
+            cd src && sudo make install
+
+      # Path for the source code
       - checkout:
-          path: /source/falco
+          path: /tmp/source/falco
+
       - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
+          name: Build modern BPF skeleton 🐝
+          command: |
+            mkdir -p /tmp/source/falco/skeleton-build
+            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
+            make ProbeSkeleton
+
+      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
+      # This dockerfile returns as output:
+      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
+      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
       - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
-  # Execute integration tests based on the build results coming from the "build/centos7" job
-  "tests/integration":
+          name: Build Falco packages 🏗️
+          command: |
+            FALCO_VERSION=$(cat /tmp/source/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
+
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - build/release
+            - source
+
+  # Execute integration tests based on the build results coming from the "build-centos7" job
+  "tests-integration":
     docker:
       - image: falcosecurity/falco-tester:latest
         environment:
@@ -202,248 +164,69 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  "tests/driver-loader/integration":
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
+  "tests-integration-static":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source-static"
+          BUILD_DIR: "/build-static"
+          BUILD_TYPE: "release"
+          SKIP_PACKAGES_TESTS: "true"
+          SKIP_PLUGINS_TESTS: "true"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
+  # Execute integration tests based on the build results coming from the "build-arm64" job
+  "tests-integration-arm64":
     machine:
-      image: ubuntu-1604:202004-01
+      enabled: true
+      image: ubuntu-2004:202101-01
+    resource_class: arm.medium
+    steps:
+      - attach_workspace:
+          at: /tmp
+      - run:
+          name: Execute integration tests
+          command: |
+            docker run -e BUILD_TYPE="release" -e BUILD_DIR="/build" -e SOURCE_DIR="/source" -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-tester:latest \
+              test
+      - store_test_results:
+          path: /tmp/build-arm64/release/integration-tests-xunit
+  "tests-driver-loader-integration":
+    machine:
+      image: ubuntu-2004:2023.04.2
     steps:
       - attach_workspace:
           at: /tmp/ws
       - run:
           name: Execute driver-loader integration tests
           command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-  # Sign rpm packages
-  "rpm/sign":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Install rpmsign
-          command: |
-            yum update -y
-            yum install rpm-sign -y
-      - run:
-          name: Sign rpm
-          command: |
-            echo "%_signature gpg" > ~/.rpmmacros
-            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            cd /build/release/
-            echo '#!/usr/bin/expect -f' > sign
-            echo 'spawn rpmsign --addsign {*}$argv' >> sign
-            echo 'expect -exact "Enter pass phrase: "' >> sign
-            echo 'send -- "\n"' >> sign
-            echo 'expect eof' >> sign
-            chmod +x sign
-            echo $GPG_KEY | base64 -d | gpg --import
-            ./sign *.rpm
-            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release/*.rpm
-  # Publish the packages
-  "publish/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker-dev":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish no-driver-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
-            docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco-no-driver:master
-            docker push falcosecurity/falco:master-slim
-      - run:
-          name: Build and publish dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master
-      - run:
-          name: Build and publish dev falco-driver-loader-dev
-          command: |
-            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco-driver-loader:master
-  # Publish the packages
-  "publish/packages":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish no-driver
-          command: |
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco-no-driver:latest"
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "falcosecurity/falco:latest-slim"
-      - run:
-          name: Build and publish falco
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco:latest"
-      - run:
-          name: Build and publish falco-driver-loader
-          command: |
-            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
-            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco-driver-loader:latest"
+
 workflows:
-  version: 2
+  version: 2.1
   build_and_test:
     jobs:
-      - "build/ubuntu-focal"
-      - "build/ubuntu-focal-debug"
-      - "build/ubuntu-bionic"
-      - "build/centos8"
-      - "build/centos7"
-      - "build/centos7-debug"
-      - "tests/integration":
+      - "build-musl"
+      - "build-arm64"
+      - "build-centos7"
+      - "tests-integration":
           requires:
-            - "build/centos7"
-      - "tests/driver-loader/integration":
+            - "build-centos7"
+      - "tests-integration-arm64":
           requires:
-            - "build/centos7"
-      - "rpm/sign":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
+            - "build-arm64"
+      - "tests-integration-static":
           requires:
-            - "tests/integration"
-      - "publish/packages-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
+            - "build-musl"
+      - "tests-driver-loader-integration":
           requires:
-            - "rpm/sign"
-      - "publish/docker-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish/packages-dev"
-            - "tests/driver-loader/integration"
-  release:
-    jobs:
-      - "build/centos7":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "rpm/sign":
-          context: falco
-          requires:
-            - "build/centos7"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/packages":
-          context: falco
-          requires:
-            - "rpm/sign"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/docker":
-          context: falco
-          requires:
-            - "publish/packages"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
+            - "build-centos7"

.cmake-format

@@ -7,7 +7,7 @@ line_width = 120
 # How many spaces to tab for indent
 tab_size = 2
 
-# If arglists are longer than this, break them always
+# If arg lists are longer than this, break them always
 max_subargs_per_line = 3
 
 # If true, separate flow control names from their parentheses with a space
@@ -21,7 +21,7 @@ separate_fn_name_with_space = False
 dangle_parens = False
 
 # If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this amoung, then force reject un-nested
+# than the tab width by more than this among, then force reject un-nested
 # layouts.
 max_prefix_chars = 2
 
@@ -54,7 +54,7 @@ always_wrap = []
 algorithm_order = [0, 1, 2, 3, 4]
 
 # If true, the argument lists which are known to be sortable will be sorted
-# lexicographicall
+# lexicographically
 enable_sort = True
 
 # If true, the parsers may infer whether or not an argument list is sortable

.codespellignore

@@ -0,0 +1,4 @@
+aks
+creat
+chage
+ro

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,7 @@
-<!--  Thanks for sending a pull request!  Here are some tips for you:
-
-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+<!--  Thanks for sending a pull request! Here are some tips for you:
+1. If this is your first time, please read our contributor guidelines in the https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md file.
 2. Please label this pull request according to what type of issue you are addressing.
-3. . Please add a release note!
+3. Please add a release note!
 4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
 -->
 
@@ -22,11 +21,7 @@
 
 > /kind feature
 
-> If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
-
-> /kind rule-update
-
-> /kind rule-create
+> /kind release
 
 <!--
 Please remove the leading whitespace before the `/kind <>` you uncommented.
@@ -40,12 +35,12 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.
 
 > /area engine
 
-> /area rules
-
 > /area tests
 
 > /area proposals
 
+> /area CI
+
 <!--
 Please remove the leading whitespace before the `/area <>` you uncommented.
 -->
@@ -67,11 +62,13 @@ Fixes #
 **Does this PR introduce a user-facing change?**:
 
 <!--
-If no, just write "NONE" in the release-note block below.
-If yes, a release note is required:
-Enter your extended release note in the block below.
-If the PR requires additional action from users switching to the new release, prepend the string "action required:".
-For example, `action required: change the API interface of the rule engine`.
+If NO, just write "NONE" in the release-note block below.
+
+If YES, a release note is required, enter your release note in the block below. 
+The convention is the same as for commit messages: https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#commit-convention
+If the PR introduces non-backward compatible changes, please add a line starting with "BREAKING CHANGE:" and describe what changed.
+For example, `BREAKING CHANGE: the API interface of the rule engine has changed`.
+Your note will be included in the changelog.
 -->
 
 ```release-note

.github/dependabot.yml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-- macro: my_macro
-  condition: proc.name=not-cat
-  append: true
+
+version: 2
+
+updates:
+  - package-ecosystem: gitsubmodule
+    schedule:
+      interval: "daily"
+    directory: /

.github/stale.yml

@@ -1,20 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
-  Please refer to a maintainer to get such label added if you think this should be kept open.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

.github/workflows/ci.yml

@@ -0,0 +1,84 @@
+name: CI Build
+on:
+  pull_request:
+    branches: [master]
+  workflow_dispatch:
+
+# Checks if any concurrent jobs under the same pull request or branch are being executed
+# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name)
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true  
+
+jobs:
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml
+
+  build-dev-packages:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  build-dev:
+    strategy:
+      fail-fast: false
+      matrix:
+        machine: ['ubuntu-20.04']
+        buildmode: ['Debug', 'Release']
+        minimal: ['', 'minimal']
+    runs-on: ${{ matrix.machine }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+      
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
+
+      - name: Install build dependencies (non-minimal)
+        if: matrix.minimal != 'minimal'
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+      
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake \
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DCMAKE_BUILD_TYPE=${{ matrix.buildmode }} \
+            -DBUILD_BPF=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
+            -DBUILD_DRIVER=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
+            -DMINIMAL_BUILD=${{ matrix.minimal == 'minimal' && 'ON' || 'OFF' }} \
+            ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests 
+          popd

.github/workflows/codeql.yaml

@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Update base image
+      run: sudo apt update -y
+
+    - name: Install build dependencies
+      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+    - name: Prepare project
+      run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On ..
+          popd
+
+    - name: Build
+      run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/codespell.yml

@@ -0,0 +1,14 @@
+name: Codespell
+on:
+  pull_request:
+jobs:
+  codespell:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: codespell-project/actions-codespell@master
+      with:
+        skip: .git
+        ignore_words_file: .codespellignore
+        check_filenames: true
+        check_hidden: false

.github/workflows/images_bumper.yml

@@ -0,0 +1,64 @@
+name: Builder and Tester Images Bumper
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      builder_changed: ${{ steps.filter.outputs.builder }}
+      tester_changed: ${{ steps.filter.outputs.tester }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: dorny/paths-filter@v2
+      id: filter
+      with:
+        filters: |
+          builder:
+            - 'docker/builder/**'
+          tester:
+            - 'docker/tester/**'
+
+  update-builder-tester-images:
+    runs-on: ubuntu-22.04
+    needs: paths-filter
+    if: needs.paths-filter.outputs.builder_changed == 'true' || needs.paths-filter.outputs.tester_changed == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+          
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: 'amd64,arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      
+      - name: Build and push new builder image
+        if: needs.paths-filter.outputs.builder_changed == 'true'
+        uses: docker/build-push-action@v3
+        with:
+          context: docker/builder
+          platforms: linux/amd64,linux/arm64
+          tags: latest
+          push: true
+
+      - name: Build and push new tester image
+        if: needs.paths-filter.outputs.tester_changed == 'true'
+        uses: docker/build-push-action@v3
+        with:
+          context: docker/tester
+          platforms: linux/amd64,linux/arm64
+          tags: latest
+          push: true

.github/workflows/master.yaml

@@ -0,0 +1,83 @@
+name: Dev Packages and Docker images
+on:
+  push:
+    branches: [master]
+
+# Checks if any concurrent jobs is running for master CI and eventually cancel it
+concurrency:
+  group: ci-master
+  cancel-in-progress: true  
+
+jobs:
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml 
+
+  build-dev-packages:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+  
+  build-dev-packages-arm64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+  
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  publish-dev-packages:
+    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_publish_packages.yaml
+    with:
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+  
+  build-dev-docker:
+    needs: [fetch-version, publish-dev-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: x86_64
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+      tag: master
+    secrets: inherit
+    
+  build-dev-docker-arm64:
+    needs: [fetch-version, publish-dev-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: aarch64
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+      tag: master
+    secrets: inherit
+    
+  publish-dev-docker:
+    needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
+    uses: ./.github/workflows/reusable_publish_docker.yaml
+    with:
+      tag: master
+    secrets: inherit

.github/workflows/release.yaml

@@ -0,0 +1,105 @@
+name: Release Packages and Docker images
+on:
+  release:
+    types: [published]
+
+# Checks if any concurrent jobs is running for release CI and eventually cancel it.
+concurrency:
+  group: ci-release
+  cancel-in-progress: true  
+
+jobs:
+  release-settings:
+    runs-on: ubuntu-latest
+    outputs:
+      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+    steps:
+      - name: Get latest release
+        uses: rez0n/actions-github-release@v2.0
+        id: latest_release
+        env:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          type: "stable"
+
+      - name: Get settings for this release
+        id: get_settings
+        shell: python
+        run: |
+          import os
+          import re
+          import sys
+
+          semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
+          tag_name = '${{ github.event.release.tag_name }}'
+
+          is_valid_version = re.match(semver_no_meta, tag_name) is not None
+          if not is_valid_version:
+            print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
+            sys.exit(1)
+
+          is_prerelease = '-' in tag_name
+
+          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
+          is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
+
+          bucket_suffix = '-dev' if is_prerelease else ''
+
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
+            print(f'is_latest={is_latest}'.lower(), file=ofp)
+            print(f'bucket_suffix={bucket_suffix}', file=ofp)
+
+  build-packages:
+    needs: [release-settings]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  build-packages-arm64:
+    needs: [release-settings]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+    
+  publish-packages:
+    needs: [release-settings, build-packages, build-packages-arm64]
+    uses: ./.github/workflows/reusable_publish_packages.yaml
+    with:
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+  
+  # Both build-docker and its arm64 counterpart require build-packages because they use its output
+  build-docker:
+    needs: [release-settings, build-packages, publish-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: x86_64
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+      tag: ${{ github.event.release.tag_name }}
+    secrets: inherit
+    
+  build-docker-arm64:
+    needs: [release-settings, build-packages, publish-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: aarch64
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+      tag: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  publish-docker:
+    needs: [release-settings, build-docker, build-docker-arm64]
+    uses: ./.github/workflows/reusable_publish_docker.yaml
+    secrets: inherit
+    with:
+      is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
+      tag: ${{ github.event.release.tag_name }}
+      sign: true

.github/workflows/reusable_build_docker.yaml

@@ -0,0 +1,73 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      bucket_suffix:
+        description: bucket suffix for packages
+        required: false
+        default: ''
+        type: string
+      version:
+        description: The Falco version to use when building images
+        required: true
+        type: string
+      tag:
+        description: The tag to use (e.g. "master" or "0.35.0")
+        required: true
+        type: string
+
+# Here we just build all docker images as tarballs, 
+# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
+# In this way, we don't need to publish any arch specific image, 
+# and this "build" workflow is actually only building images.
+jobs:
+  build-docker:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    env:
+      TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+          
+      - name: Build no-driver image
+        run: |
+          cd ${{ github.workspace }}/docker/no-driver/
+          docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
+            
+      - name: Build falco image
+        run: |
+          cd ${{ github.workspace }}/docker/falco/
+          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
+
+      - name: Build falco-driver-loader image
+        run: |
+          cd ${{ github.workspace }}/docker/driver-loader/
+          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
+            
+      - name: Upload images tarballs
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-images
+          path: /tmp/falco-*.tar

.github/workflows/reusable_build_packages.yaml

@@ -0,0 +1,160 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      version:
+        description: The Falco version to use when building packages
+        required: true
+        type: string
+
+jobs:
+  build-modern-bpf-skeleton:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    container: fedora:latest
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build modern BPF skeleton
+        run: |
+          mkdir skeleton-build && cd skeleton-build
+          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
+          make ProbeSkeleton -j6
+          
+      - name: Upload skeleton
+        uses: actions/upload-artifact@v3
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: skeleton-build/skel_dir/bpf_probe.skel.h
+          
+  build-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    needs: [build-modern-bpf-skeleton]
+    container: centos:7
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          yum -y install centos-release-scl
+          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
+          source /opt/rh/devtoolset-9/enable
+          yum install -y wget git make m4 rpm-build
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Download skeleton
+        uses: actions/download-artifact@v3
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+          
+      - name: Install updated cmake
+        run: |
+          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
+          gzip -d /tmp/cmake.tar.gz
+          tar -xpf /tmp/cmake.tar --directory=/tmp
+          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
+          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
+    
+      - name: Prepare project
+        run: |
+          mkdir build && cd build
+          source /opt/rh/devtoolset-9/enable
+          cmake \
+              -DCMAKE_BUILD_TYPE=Release \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DBUILD_FALCO_MODERN_BPF=ON \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DFALCO_VERSION=${{ inputs.version }} \
+              ..
+              
+      - name: Build project
+        run: |
+          cd build
+          source /opt/rh/devtoolset-9/enable
+          make falco -j6
+      
+      - name: Build packages
+        run: |
+          cd build
+          source /opt/rh/devtoolset-9/enable
+          make package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+            
+      - name: Upload Falco deb package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
+          path: |
+            ${{ github.workspace }}/build/falco-*.deb
+      
+      - name: Upload Falco rpm package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
+          path: |
+            ${{ github.workspace }}/build/falco-*.rpm
+            
+  build-musl-package:
+    # x86_64 only for now
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: ubuntu-latest
+    container: alpine:3.17
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Prepare project
+        run: |
+          mkdir build && cd build
+          cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
+          
+      - name: Build project
+        run: |
+          cd build
+          make -j6 all
+      
+      - name: Build packages
+        run: |
+          cd build
+          make -j6 package
+
+      - name: Rename static package
+        run: |
+          cd build
+          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
+          
+      - name: Upload Falco static package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz

.github/workflows/reusable_fetch_version.yaml

@@ -0,0 +1,40 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "Falco version"
+        value: ${{ jobs.fetch-version.outputs.version }}
+    
+jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # fully clone the repo, but uses http rest api instead.
+  fetch-version:
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Install build dependencies
+        run: |
+          sudo apt update 
+          sudo apt install -y cmake build-essential
+      
+      - name: Configure project
+        run: |
+          mkdir build && cd build
+          cmake -DUSE_BUNDLED_DEPS=On ..
+          
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_docker.yaml

@@ -0,0 +1,144 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: The tag to push
+        required: true
+        type: string
+      is_latest:
+        description: Update the latest tag with the new image
+        required: false
+        type: boolean
+        default: false
+      sign:
+        description: Add signature with cosign
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  id-token: write
+  contents: read
+  
+jobs:
+  publish-docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+    
+      - name: Download images tarballs
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-images
+          path: /tmp/falco-images
+      
+      - name: Load all images
+        run: |
+          for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
+    
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+      
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
+          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
+          
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
+        with:
+          registry-type: public    
+      
+      - name: Setup Crane
+        uses: imjasonh/setup-crane@v0.3
+        with:
+          version: v0.15.1
+
+      # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
+      - name: Push arch-specific images to Docker Hub
+        run: |
+          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+
+      - name: Create no-driver manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
+          push: true
+          
+      - name: Tag slim manifest on Docker Hub
+        run: |
+          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
+
+      - name: Create falco manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          push: true
+          
+      - name: Create falco-driver-loader manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+          push: true
+
+      - name: Get Digests for images
+        id: digests
+        run: |
+          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+
+      - name: Publish images to ECR
+        run: |
+          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+
+      - name: Tag latest on Docker Hub and ECR
+        if: inputs.is_latest
+        run: |
+          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+
+          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+
+      - name: Setup Cosign
+        if: inputs.sign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: v2.0.2
+
+      - name: Sign images with cosign
+        if: inputs.sign
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_YES: "true"
+        run: |
+          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+
+          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}

.github/workflows/reusable_publish_packages.yaml

@@ -0,0 +1,149 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: The Falco version to use when publishing packages
+        required: true
+        type: string
+      bucket_suffix:
+        description: bucket suffix for packages
+        required: false
+        default: ''
+        type: string
+       
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AWS_S3_REGION: eu-west-1
+  AWS_CLOUDFRONT_DIST_ID: E1CQNPFWRXLGQD
+
+jobs:
+  publish-packages:
+    runs-on: ubuntu-latest
+    container: docker.io/centos:7
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Install dependencies
+        run: |
+          yum install epel-release -y
+          yum update -y
+          yum install rpm-sign expect which createrepo gpg python python-pip -y
+          pip install awscli==1.19.47
+
+      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
+      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
+          aws-region: ${{ env.AWS_S3_REGION }}    
+          
+      - name: Download RPM x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.rpm
+          path: /tmp/falco-build-rpm
+
+      - name: Download RPM aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.rpm
+          path: /tmp/falco-build-rpm
+
+      - name: Download binary x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.tar.gz
+          path: /tmp/falco-build-bin
+
+      - name: Download binary aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.tar.gz
+          path: /tmp/falco-build-bin
+
+      - name: Download static binary x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+          path: /tmp/falco-build-bin-static
+        
+      - name: Import gpg key 
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: printenv GPG_KEY | gpg --import -
+        
+      - name: Sign rpms
+        run: |
+          echo "%_signature gpg" > ~/.rpmmacros
+          echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+          echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
+          cat > ~/sign <<EOF
+          #!/usr/bin/expect -f
+          spawn rpmsign --addsign {*}\$argv
+          expect -exact "Enter pass phrase: "
+          send -- "\n"
+          expect eof
+          EOF
+          chmod +x ~/sign
+          ~/sign /tmp/falco-build-rpm/falco-*.rpm
+          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+          
+      - name: Publish rpm
+        run: |
+          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
+      
+      - name: Publish bin
+        run: |
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
+          
+      - name: Publish static
+        run: |
+          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          
+  publish-packages-deb:
+    runs-on: ubuntu-latest
+    container: docker.io/debian:stable
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Install dependencies
+        run: |
+          apt update -y
+          apt-get install apt-utils bzip2 gpg awscli -y
+      
+      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
+      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
+          aws-region: ${{ env.AWS_S3_REGION }}     
+      
+      - name: Download deb x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.deb
+          path: /tmp/falco-build-deb
+
+      - name: Download deb aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.deb
+          path: /tmp/falco-build-deb
+
+      - name: Import gpg key 
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: printenv GPG_KEY | gpg --import -
+          
+      - name: Publish deb
+        run: |
+          ./scripts/publish-deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}

.github/workflows/reusable_test_packages.yaml

@@ -0,0 +1,73 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      static:
+        description: Falco packages use a static build
+        required: false
+        type: boolean
+        default: false
+      version:
+        description: The Falco version to use when testing packages
+        required: true
+        type: string
+
+jobs:
+  test-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
+      
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '>=1.17.0'
+
+      - name: Download binary
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
+      
+      - name: Install Falco package
+        run: |
+          ls falco-*.tar.gz
+          tar -xvf $(ls falco-*.tar.gz)
+          cd falco-${{ inputs.version }}-${{ inputs.arch }}
+          sudo cp -r * /
+
+      - name: Install go-junit-report
+        run: |
+          pushd submodules/falcosecurity-testing
+          go install github.com/jstemmer/go-junit-report/v2@latest
+          popd
+  
+      - name: Generate regression test files
+        run: |
+          pushd submodules/falcosecurity-testing
+          go generate ./...
+          popd
+
+      - name: Run regression tests
+        run: |
+          pushd submodules/falcosecurity-testing
+          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          ./build/falcoctl.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          ./build/k8saudit.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          cat ./report.txt | go-junit-report -set-exit-code > report.xml
+          popd
+
+      - name: Test Summary
+        if: always() # run this even if previous step fails
+        uses: test-summary/action@v2
+        with:
+          paths: "submodules/falcosecurity-testing/report.xml"
+          show: "fail"

.github/workflows/staticanalysis.yaml

@@ -0,0 +1,31 @@
+name: StaticAnalysis
+on:
+  pull_request:
+jobs:
+  staticanalysis:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout ⤵️
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Install build dependencies ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install build-essential git cppcheck cmake -y
+
+      - name: Build and run cppcheck 🏎️
+        run: |
+          mkdir build
+          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
+          make -j4 cppcheck
+          make -j4 cppcheck_htmlreport
+
+      - name: Upload reports ⬆️
+        uses: actions/upload-artifact@v3
+        with:
+          name: static-analysis-reports
+          path: ./build/static-analysis-reports

.gitignore

@@ -2,7 +2,6 @@
 *~
 *.pyc
 
-test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
 test/traces-info
@@ -11,13 +10,6 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build
 
-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
-userspace/engine/lua/lyaml
-userspace/engine/lua/lyaml.lua
-
 .vscode/*
 
-.luacheckcache
-
-*.idea*
+*.idea*

.gitmodules

@@ -0,0 +1,8 @@
+[submodule "submodules/falcosecurity-rules"]
+	path = submodules/falcosecurity-rules
+	url = https://github.com/falcosecurity/rules.git
+	branch = main
+[submodule "submodules/falcosecurity-testing"]
+	path = submodules/falcosecurity-testing
+	url = https://github.com/falcosecurity/testing.git
+	branch = main

.luacheckrc

@@ -1,9 +0,0 @@
-std = "min"
-cache = true
-include_files = {
-    "userspace/falco/lua/*.lua",
-    "userspace/engine/lua/*.lua",
-    "userspace/engine/lua/lyaml/*.lua",
-    "*.luacheckrc"
-}
-exclude_files = {"build"}

ADOPTERS.md

@@ -1,23 +1,61 @@
 # Adopters
 
+Known end users with notable contributions to the project include:
+* AWS
+* IBM
+* Red Hat
+
+Falco is being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
+* Equinix Metal
+* IEEE
+* Lowes
+* Reckrut
+* Yellow Pepper
+* CTx
+* Utikal
+* Discrete Events
+* Agritech Infra
+
 This is a list of production adopters of Falco (in alphabetical order):
 
+* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
+
 * [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
 
 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
 
+* [Deckhouse](https://deckhouse.io/) - Deckhouse Platform presents to you the opportunity to create homogeneous Kubernetes clusters anywhere and handles comprehensive, automagical management for them. It supplies all the add-ons you need for auto-scaling, observability, security, and service mesh. Falco is used as a part of the [runtime-audit-engine](https://deckhouse.io/documentation/latest/modules/650-runtime-audit-engine/) module to provide threats detection and enforce security compliance out of the box. By pairing with [shell-operator](https://github.com/flant/shell-operator) Falco can be configured by Kubernetes Custom Resources.
+
+* [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.
+
 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
 
+* [Giant Swarm](https://www.giantswarm.io/) - Giant Swarm manages Kubernetes clusters and infrastructure for enterprises across multiple cloud providers as well as several flavors of on-premises data centers. Our platform provisions and monitors pure "vanilla" Kubernetes clusters which can be augmented with managed solutions to many common Kubernetes challenges, including security. We use Falco for anomaly detection as part of our collection of entirely open-source tools for securing our own clusters, and offer the same capabilities to our customers as part of our [managed security offering](https://docs.giantswarm.io/app-platform/apps/security/).
+
 * [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
 
-* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+* [gVisor](https://gvisor.dev/) - gVisor secures Kubernetes, containers, and workloads via an alternate execution environment that handles system calls in user space, blocking security issues before they reach the underlying host. gVisor provides defense-in-depth, protection against untrusted code execution, and a secure-by-default Kubernetes experience where containers are a security boundary. Falco can be used with gVisor to detect unusual or suspicious activity using its threat detection engine on top of gVisor runtime execution information.
+
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
 
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
 
-* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
+
+* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
+
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
   * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
 
+* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicious behaviors in our clusters.
+
+* [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our client's Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.
+
+* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers'​ environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.
+
+* [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platform’s Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco.
+
 * [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
 
 * [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
@@ -26,5 +64,24 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
 
-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
 
+* [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
+
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
+* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+
+* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
+
+## Projects that use Falco libs
+
+* [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
+
+* [SysFlow](https://sysflow.io) SysFlow is a cloud-native system telemetry framework that focuses on data abstraction, behavioral analytics, and noise reduction. At its core, SysFlow exposes a compact open telemetry format that records workload behaviors by connecting event and flow representations of process control flows, file interactions, and network communications. The resulting abstraction encodes a graph structure that enables provenance reasoning on host and container environments, and fast retrieval of security-relevant information.
+
+* [StackRox](https://stackrox.io) is the industry’s first Kubernetes-native security platform enabling organizations to build, deploy, and run cloud-native applications securely. The platform works with Kubernetes environments and integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. StackRox aims to harness containerized applications’ development speed while giving operations and security teams greater context and risk profiling. StackRox leverages cloud-native principles and declarative artifacts to automate DevSecOps best practices.
+
+## Adding a name
+
+If you would like to add your name to this file, submit a pull request with your change.

CMakeLists.txt

@@ -16,6 +16,36 @@ project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
+option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+
+# gVisor is currently only supported on Linux x86_64
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
+  if (BUILD_FALCO_GVISOR)
+    add_definitions(-DHAS_GVISOR)
+  endif()
+endif()
+
+# Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
+if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
+  if(BUILD_FALCO_MODERN_BPF)
+    add_definitions(-DHAS_MODERN_BPF)
+  endif()
+endif()
+
+# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
+option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
+if (${EP_UPDATE_DISCONNECTED})
+  set_property(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+endif()
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_EXTENSIONS OFF)
 
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -37,20 +67,40 @@ if(NOT DEFINED FALCO_ETC_DIR)
   set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()
 
-if(NOT DRAIOS_DEBUG_FLAGS)
-  set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+# This will be used to print the architecture for which Falco is compiled.
+set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
+
+if(NOT FALCO_EXTRA_DEBUG_FLAGS)
+  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
 endif()
 
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
 else()
   set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+  add_definitions(-DBUILD_TYPE_RELEASE)
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os -fPIE -pie")
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+# explicitly set hardening flags
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
+if(CMAKE_BUILD_TYPE STREQUAL "release")
+  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+endif()
+
+set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS
@@ -60,10 +110,10 @@ if(BUILD_WARNINGS_AS_ERRORS)
 endif()
 
 set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
+set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
 
-set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
-set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
+set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
 
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
@@ -71,9 +121,19 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco")
-set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVER_NAME "falco")
+set(DRIVER_DEVICE_NAME "falco")
+set(DRIVERS_REPO "https://download.falco.org/driver")
+
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
+# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
+add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
+
+if(NOT DEFINED FALCO_COMPONENT_NAME)
+    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+endif()
+
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -84,151 +144,58 @@ set(CMD_MAKE make)
 
 include(ExternalProject)
 
+# libs
+include(falcosecurity-libs)
+
 # jq
 include(jq)
 
 # nlohmann-json
-set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-ExternalProject_Add(
-  njson
-  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
+include(njson)
 
-# curses
-# We pull this in because libsinsp won't build without it
-set(CURSES_NEED_NCURSES TRUE)
-find_package(Curses REQUIRED)
-message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
-
-# libb64
-
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
-  URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+# b64
+include(b64)
 
 # yaml-cpp
 include(yaml-cpp)
 
-# OpenSSL
-include(OpenSSL)
+if(NOT MINIMAL_BUILD)
+  # OpenSSL
+  include(openssl)
 
-# libcurl
-include(cURL)
+  # libcurl
+  include(curl)
 
-# LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
-  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+  # cpp-httlib
+  include(cpp-httplib)
+endif()
 
-# Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
-
-# libyaml
-include(libyaml)
-
-# lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-ExternalProject_Add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+include(cxxopts)
 
 # One TBB
-set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
+include(tbb)
 
-message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-
-set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
-set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
-ExternalProject_Add(
-  tbb
-  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
-  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${TBB_LIB}
-  INSTALL_COMMAND "")
-
-# civetweb
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-ExternalProject_Add(
-  civetweb
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_IN_SOURCE 1
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
-
-#string-view-lite
-include(DownloadStringViewLite)
-
-# gRPC
-include(gRPC)
-
-# sysdig
-include(sysdig)
+if(NOT MINIMAL_BUILD)
+  include(zlib)
+  include(cares)
+  include(protobuf)
+  # gRPC
+  include(grpc)
+endif()
 
 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 
-# Coverage
-include(Coverage)
+if(NOT MINIMAL_BUILD)
+  # Coverage
+  include(Coverage)
 
-# Tests
-add_subdirectory(test)
+  # Tests
+  add_subdirectory(test)
+endif()
 
 # Rules
-add_subdirectory(rules)
+include(rules)
 
 # Dockerfiles
 add_subdirectory(docker)
@@ -236,16 +203,29 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
+set(FALCO_PLUGINS_DIR ${FALCO_SHARE_DIR}/plugins)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
 
 add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
-add_subdirectory(tests)
+
+if(NOT MUSL_OPTIMIZED_BUILD)
+  include(plugins)
+endif()
+
+include(falcoctl)
 
 # Packages configuration
 include(CPackConfig)
+
+if(BUILD_FALCO_UNIT_TESTS)
+  add_subdirectory(unit_tests)
+endif()

GOVERNANCE.md

@@ -1,55 +0,0 @@
-# Process for becoming a maintainer
-
-* Express interest to the existing maintainers that you or your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a maintainer that will represent your
-  organization.
-* We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing maintainers.
-* We may ask you to do some PRs from our backlog.
-* As you gain experience with the code base and our standards, we will ask you to do code reviews
-  for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
-  community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Maintainer responsibilities
-
-* Monitor Slack (delayed response is perfectly acceptable).
-* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
-* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
-  to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment.
-* Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare
-  occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment
-  obligations with employers.
-* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
-  business days per week).
-
-## When does a maintainer lose maintainer status
-
-If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
-should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
-the maintainers per the voting process below.
-
-# Conflict resolution and voting
-
-In general, we prefer that technical issues and maintainer membership are amicably worked out
-between the persons involved. If a dispute cannot be decided independently, the maintainers can be
-called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
-be resolved by voting. The voting process is a simple majority in which each senior maintainer
-receives two votes and each normal maintainer receives one vote.
-
-# Adding new projects to the falcosecurity GitHub organization
-
-New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
-existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
-days but depending on the volume of conversation), the maintainers of *the project where the issue
-was opened* (since different projects in the organization may have different maintainers) will
-decide whether the new project should be added. See the section above on voting if the maintainers
-cannot easily decide.

OWNERS

@@ -1,14 +1,12 @@
 approvers:
-  - fntlnz
-  - kris-nova
-  - leodido
   - mstemm
   - leogr
+  - jasondellaluce
+  - fededp
+  - andreagit97
 reviewers:
-  - fntlnz
   - kaizhe
+emeritus_approvers:
+  - fntlnz
   - kris-nova
   - leodido
-  - mfdii
-  - mstemm
-  - leogr

README.md

@@ -1,97 +1,89 @@
-<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
+# Falco
 
-<hr>
+[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
-#### Latest releases
+[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 
-Read the [change log](CHANGELOG.md).
+[Falco](https://falco.org/) is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
 
-|        | development                                                                                                                 | stable                                                                                                              |
-|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
-| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
-| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
+At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
 
----
+Falco, originally created by [Sysdig](https://sysdig.com), is an incubating project under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in producation by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).
 
-The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
-Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
-Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
-If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
+For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
-### Installing Falco
+For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.
 
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
+## Falco Repo: Powering the Core of The Falco Project
 
-##### Kubernetes
+This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
 
-| Tool     | Link                                                                                       | Note                                                               |
-|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
 
-### Developing
+For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
 
-Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+## Getting Started with Falco
 
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
-The Falco Project supports various SDKs for this endpoint.
+Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).
 
-##### SDKs
+Considerations and guidance for Falco adopters:
 
-| Language | Repository                                              |
-|----------|---------------------------------------------------------|
-| Go       | [client-go](https://github.com/falcosecurity/client-go) |
-| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
-| Python   | [client-py](https://github.com/falcosecurity/client-py) |
+1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
+
+2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
+
+3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
+
+4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
+
+5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
 
 
-### What can Falco detect?
+## How to Contribute
 
-Falco can detect and alert on any behavior that involves making Linux system calls.
-Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
-For example, Falco can easily detect incidents including but not limited to:
+Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.
 
-- A shell is running inside a container or pod in Kubernetes.
-- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
-- A server process is spawning a child process of an unexpected type.
-- Unexpected read of a sensitive file, such as `/etc/shadow`.
-- A non-device file is written to `/dev`.
-- A standard system binary, such as `ls`, is making an outbound network connection.
 
-### Documentation
+## Join the Community
 
-The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
+To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
 
-### Join the Community
+If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
 
-To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
+How to reach out?
 
-### Contributing
+ - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io).
+ - Join the [Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev).
+ - File an [issue](https://github.com/falcosecurity/falco/issues) or make feature requests.
 
-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+## Commitment to Falco's Own Security
 
-### Security Audit
+Full reports of various security audits can be found [here](./audits/).
 
-A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
+In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.
 
-### Reporting security vulnerabilities
+To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
-Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+## What's next for Falco?
 
-### License Terms
+Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
+
+
+## License
 
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
+## Resources
 
-[1]: https://dl.bintray.com/falcosecurity/rpm-dev
-[2]: https://dl.bintray.com/falcosecurity/rpm
-[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
-[4]: https://dl.bintray.com/falcosecurity/deb/stable
-[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+ - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
+ - [Code Of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md)
+ - [Maintainers Guidelines](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS_GUIDELINES.md)
+ - [Maintainers List](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS.md)
+ - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
+ - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
+ - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)

RELEASE.md

@@ -1,81 +1,252 @@
 # Falco Release Process
 
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+## Overview
 
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
 
-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+- Falco binary (userspace), includes `modern_bpf` driver object code (kernel space) starting with Falco 0.34.x releases
+- Falco kernel driver object files, separate artifacts for `kmod` and `bpf` drivers, not applicable for `modern_bpf` driver (kernel space)
+    - Option 1: Kernel module (`.ko` files)
+    - Option 2: eBPF (`.o` files)
+- Falco config and rules `.yaml` files (userspace)
+- Falco plugins (userspace - optional)
+
+> Note: Starting with Falco 0.34.x releases, the Falco userspace binary includes the `modern_bpf` driver object code during the linking process. This integration is made possible by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to function on kernels that have backported BTF (BPF Type Format) support or have a kernel version >= 5.8. For the older `kmod` and `bpf` drivers, separate artifacts are released for the kernel space. This is because these drivers need to be explicitly compiled for the specific kernel release, using the exact kernel headers. This approach ensures that Falco can support a wide range of environments, including multiple kernel versions, distributions, and architectures.  (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)).
+
+The Falco Project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo.
+
+The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+Falco publishes all sources, enabling users to audit the project's integrity and build kernel drivers for custom or unsupported kernels/distributions, specifically for non-modern BPF drivers (see [driverkit](https://github.com/falcosecurity/driverkit) for more information).
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco guide and documentation](https://falco.org/) provide rich information around building, installing and using Falco.
+
+
+### Falco Binaries, Rules and Sources Artifacts - Quick Links
+
+The Falco project publishes all sources and the Falco userspace binaries as GitHub releases.
+
+- [Falco Releases](https://github.com/falcosecurity/falco/releases)
+    - `tgz`, `rpm` and `deb` Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)
+    - `tgz`, `zip` source code
+- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+    - `tgz`, `zip` source code
+- [Driver Releases](https://github.com/falcosecurity/libs/releases), marked with `+driver` [build metadata](https://semver.org/). 
+    - `tgz`, `zip` source code
+- [Falco Rules Releases](https://github.com/falcosecurity/rules/releases)
+    - `tgz`, `zip` source code, each ruleset is tagged separately in a mono-repo fashion, see the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md)
+
+
+Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
+
+- [Falco Artifacts Repo Packages Root](https://download.falco.org/?prefix=packages/)
+- [Falco Artifacts Repo Plugins Root](https://download.falco.org/?prefix=plugins/)
+
+
+### Falco Drivers Artifacts Repo - Quick Links
+
+> Note: This section specifically applies to non-modern BPF drivers.
+
+The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+
+- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
+    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
+    - Option 2: eBPF (`.o` files) - all under same driver version directory
+
+
+### Timeline
+
+Falco follows a release schedule of three times per year, with releases expected at the end of January, May, and September. Hotfix releases are issued as needed.
+
+Changes and new features are organized into [milestones](https://github.com/falcosecurity/falco/milestones). The milestone corresponding to the next version represents the content that will be included in the upcoming release.
+
+
+### Procedures
+
+The release process is mostly automated, requiring only a few manual steps to initiate and complete.
+
+Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).
+
+At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
+
+- [1 - 3] `libs` (+ `driver`) and `plugins` components releases
+- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
+- [5] Falco userspace binary release
+
+Assignees are responsible for creating a Falco GitHub issue to track the release tasks and monitor the progress of the release. This issue serves as a central point for communication and provides updates on the release dates. You can refer to the [Falco v0.35 release](https://github.com/falcosecurity/falco/issues/2554) or [Libs Release (0.11.0+5.0.1+driver)](https://github.com/falcosecurity/libs/issues/1092) issues as examples/templates for creating the release issue.
+
+Finally, on the proposed due date, the assignees for the upcoming release proceed with the processes described below.  
 
 ## Pre-Release Checklist
 
+Before proceeding with the release, make sure to complete the following preparatory steps, which can be easily done using the GitHub UI:
+
 ### 1. Release notes
-- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
-    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
 
 ### 2. Milestones
 
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
 
-### 3. Release PR
+
+### 3. Release branch
+
+Assuming we are releasing a non-patch version (like: Falco 0.34.0), a new release branch needs to be created.  
+Its naming will be `release/M.m.x`; for example: `release/0.34.x`.  
+The same branch will then be used for any eventual cherry pick for patch releases.  
+
+For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.  
+Double check that any PR that should be part of the tag has been cherry-picked from master!
+
+### 4. Release PR
+
+The release PR is meant to be made against the respective `release/M.m.x` branch, **then cherry-picked on master**.  
 
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later
-    - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-- Add the lastest changes on top the previous `CHANGELOG.md`
+    - Versions table in the `README.md` updates itself automatically
+- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
+    - Execute `rn2md -o falcosecurity -m <version> -r falco`
+    - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
+- Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
-- Close the completed milestone as soon PR is merged
+- Close the completed milestone as soon as the PR is merged into the release branch
+- Cherry pick the PR on master too
+
+## Publishing Pre-Releases (RCs and tagged development versions)
+
+Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
+is live for development and testing purposes.
+
+The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
+
+To do so:
+
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `M.m.p-r` both as tag version and release title.
+- Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
+- It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
+- Publish the prerelease!
+- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
+
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
 
 ## Release
 
-Let `x.y.z` the new version.
+Assume `M.m.p` is the new version.
 
-### 1. Create a tag
-
-- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
-
-    ```
-    git pull
-    git checkout master
-    git tag x.y.z
-    git push origin x.y.z
-    ```
-
-> **N.B.**: do NOT use an annotated tag
-
-- Wait for the CI to complete
-
-### 2. Update the GitHub release
+### 1. Create the release with GitHub
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
-- Use `x.y.z` both as tag version and release title
+- Use `M.m.p` both as tag version and release title
 - Use the following template to fill the release description:
     ```
-    <!-- Copy the relevant part of the changelog here -->
+    <!-- Substitute M.m.p with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
+    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
+    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
+    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
+    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
+    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
+
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |
+
+    <changelog>
+
+    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
 
     ### Statistics
 
-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |
 
     <!-- Calculate stats and fill the above table -->
+
+    #### Release Manager <github handle>
+
+    <!-- Substitute GitHub handle with the release manager's one -->
     ```
 
 - Finally, publish the release!
+- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
+
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
+
+### 2. Update the meeting notes
+
+For each release we archive the meeting notes in git for historical purposes.
+
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
+    - Note: There may be other notes from working groups that can optionally be added as well as needed.
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
+ - Open up a pull request with the new change.
+
 
 ## Post-Release tasks
 
 Announce the new release to the world!
 
+- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
+- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
+
+
+## Falco Components Versioning
+
+This section provides more details around the versioning of the components that make up Falco's core. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because `libs` makes up the greater portion of the source code of the Falco binary and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+
+
+### Falco repo (this repo)
+- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` computed via `falco --list -N | sha256sum` has changed. The primary idea is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced, a version change indicates that these fields were not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. Lastly, `FALCO_ENGINE_VERSION` is typically incremented once during a Falco release cycle, while `FALCO_FIELDS_CHECKSUM` is bumped whenever necessary during the development and testing phases of the release cycle.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
+- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
+- At release time Plugin, Libs and Driver versions are compatible with Falco.
+- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
+
+
+```
+Falco version: x.y.z (sem-ver like)
+Libs version:  x.y.z (sem-ver like)
+Plugin API:    x.y.z (sem-ver like)
+Engine:        x
+Driver:
+  API version:    x.y.z (sem-ver)
+  Schema version: x.y.z (sem-ver)
+  Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
+```
+
+
+### Libs repo
+- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
+- The driver version is not directly linked to the userspace components of the Falco binary. This is because of the clear separation between userspace and kernel space, which adds an additional layer of complexity. To address this, the concept of a `Default driver` has been introduced, allowing for implicit declaration of compatible driver versions. For example, if the default driver version is `5.0.1+driver`, Falco works with all driver versions >= 5.0.1 and < 6.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
+
+### Plugins repo
+
+- Plugins version is a git tag (`x.y.z`)
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information.
+
+### Rules repo
+- Rulesets are versioned individually through git tags
+- See [rules release doc](https://github.com/falcosecurity/rules/blob/main/RELEASE.md) for more information.
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information about plugins rulesets.

brand/README.md

@@ -3,9 +3,11 @@
 
 # Falco Branding Guidelines
 
-This document describes The Falco Project's branding guidelines, language, and message.
+Falco is an open source security project whose brand and identity are governed by the [Cloud Native Computing Foundation](https://www.linuxfoundation.org/legal/trademark-usage).
 
-Content in this document can be used to publically share about Falco.
+This document describes the official branding guidelines of The Falco Project. Please see the [Falco Branding](https://falco.org/community/falco-brand/) page on our website for further details.
+
+Content in this document can be used to publicly share about Falco.
 
 
 
@@ -15,6 +17,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.
+
 ### Slogan
 
 > Cloud Native Runtime Security
@@ -41,7 +58,7 @@ If a rule has been violated, Falco triggers an alert.
 ### How does Falco work?
 
 Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
 Falco enriches these kernel events with information about containers running on the system.
 Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
 At runtime, Falco will reason about these events and assert them against configured security rules.
@@ -67,7 +84,7 @@ Examples of malicious behavior include:
 
 Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
 By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
-                                 
+
 ### Writing about Falco
 
 ##### Yes
@@ -98,7 +115,7 @@ Falco ultimately is a security engine. It reasons about signals coming from a sy
 
 ##### Anomaly detection
 
-This refers to an event that occurs with something unsual, concerning, or odd occurs.
+This refers to an event that occurs with something unusual, concerning, or odd occurs.
 We can associate anomalies with unwanted behavior, and alert in their presence.
 
 ##### Detection tooling
@@ -107,7 +124,6 @@ Falco does not prevent unwanted behavior.
 Falco however alerts when unusual behavior occurs.
 This is commonly referred to as **detection** or **forensics**.
 
-
 ---
 
 # Glossary 
@@ -128,6 +144,10 @@ Sometimes this word is incorrectly used to refer to a `probe`.
 
 The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
 
+#### Plugin
+
+Used to describe a dynamic shared library (`.so` files in Unix, `.dll` files in Windows) that conforms to a documented API and allows to extend Falco's capabilities.
+
 #### Falco
 
 The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,14 +1,13 @@
-if(CPACK_GENERATOR MATCHES "DEB")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
-endif()
-
-if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
+if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")
 	set(CPACK_SET_DESTDIR "ON")
-	set(CPACK_STRIP_FILES "OFF")
 endif()

cmake/cpack/debian/conffiles

@@ -1,4 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/falco_rules.yaml
-/etc/falco/rules.available/application_rules.yaml
+/etc/falco/falcoctl.yaml
 /etc/falco/falco_rules.local.yaml

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,10 +25,31 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
-set(CPACK_GENERATOR DEB RPM TGZ)
+# Built packages will include only the following components
+set(CPACK_INSTALL_CMAKE_PROJECTS
+  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
+  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+)
+if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
+  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
+  )
+endif()
 
+if(NOT CPACK_GENERATOR)
+    set(CPACK_GENERATOR DEB RPM TGZ)
+endif()
+
+message(STATUS "Using package generators: ${CPACK_GENERATOR}")
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
@@ -36,8 +57,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -49,9 +71,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
     /etc
     /usr
     /usr/bin
-    /usr/share
-    /etc/rc.d
-    /etc/rc.d/init.d)
+    /usr/share)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
 
 include(CPack)

cmake/modules/Catch.cmake

@@ -1,159 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-#[=======================================================================[.rst:
-Catch
------
-
-This module defines a function to help use the Catch test framework.
-
-The :command:`catch_discover_tests` discovers tests by asking the compiled test
-executable to enumerate its tests.  This does not require CMake to be re-run
-when tests change.  However, it may not work in a cross-compiling environment,
-and setting test properties is less convenient.
-
-This command is intended to replace use of :command:`add_test` to register
-tests, and will create a separate CTest test for each Catch test case.  Note
-that this is in some cases less efficient, as common set-up and tear-down logic
-cannot be shared by multiple test cases executing in the same instance.
-However, it provides more fine-grained pass/fail information to CTest, which is
-usually considered as more beneficial.  By default, the CTest test name is the
-same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.
-
-.. command:: catch_discover_tests
-
-  Automatically add tests with CTest by querying the compiled test executable
-  for available tests::
-
-    catch_discover_tests(target
-                         [TEST_SPEC arg1...]
-                         [EXTRA_ARGS arg1...]
-                         [WORKING_DIRECTORY dir]
-                         [TEST_PREFIX prefix]
-                         [TEST_SUFFIX suffix]
-                         [PROPERTIES name1 value1...]
-                         [TEST_LIST var]
-    )
-
-  ``catch_discover_tests`` sets up a post-build command on the test executable
-  that generates the list of tests by parsing the output from running the test
-  with the ``--list-test-names-only`` argument.  This ensures that the full
-  list of tests is obtained.  Since test discovery occurs at build time, it is
-  not necessary to re-run CMake when the list of tests changes.
-  However, it requires that :prop_tgt:`CROSSCOMPILING_EMULATOR` is properly set
-  in order to function in a cross-compiling environment.
-
-  Additionally, setting properties on tests is somewhat less convenient, since
-  the tests are not available at CMake time.  Additional test properties may be
-  assigned to the set of tests as a whole using the ``PROPERTIES`` option.  If
-  more fine-grained test control is needed, custom content may be provided
-  through an external CTest script using the :prop_dir:`TEST_INCLUDE_FILES`
-  directory property.  The set of discovered tests is made accessible to such a
-  script via the ``<target>_TESTS`` variable.
-
-  The options are:
-
-  ``target``
-    Specifies the Catch executable, which must be a known CMake executable
-    target.  CMake will substitute the location of the built executable when
-    running the test.
-
-  ``TEST_SPEC arg1...``
-    Specifies test cases, wildcarded test cases, tags and tag expressions to
-    pass to the Catch executable with the ``--list-test-names-only`` argument.
-
-  ``EXTRA_ARGS arg1...``
-    Any extra arguments to pass on the command line to each test case.
-
-  ``WORKING_DIRECTORY dir``
-    Specifies the directory in which to run the discovered test cases.  If this
-    option is not provided, the current binary directory is used.
-
-  ``TEST_PREFIX prefix``
-    Specifies a ``prefix`` to be prepended to the name of each discovered test
-    case.  This can be useful when the same test executable is being used in
-    multiple calls to ``catch_discover_tests()`` but with different
-    ``TEST_SPEC`` or ``EXTRA_ARGS``.
-
-  ``TEST_SUFFIX suffix``
-    Similar to ``TEST_PREFIX`` except the ``suffix`` is appended to the name of
-    every discovered test case.  Both ``TEST_PREFIX`` and ``TEST_SUFFIX`` may
-    be specified.
-
-  ``PROPERTIES name1 value1...``
-    Specifies additional properties to be set on all tests discovered by this
-    invocation of ``catch_discover_tests``.
-
-  ``TEST_LIST var``
-    Make the list of tests available in the variable ``var``, rather than the
-    default ``<target>_TESTS``.  This can be useful when the same test
-    executable is being used in multiple calls to ``catch_discover_tests()``.
-    Note that this variable is only available in CTest.
-
-#]=======================================================================]
-
-# ------------------------------------------------------------------------------
-function(catch_discover_tests TARGET)
-  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
-                        ${ARGN})
-
-  if(NOT _WORKING_DIRECTORY)
-    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
-  endif()
-  if(NOT _TEST_LIST)
-    set(_TEST_LIST ${TARGET}_TESTS)
-  endif()
-
-  # Generate a unique name based on the extra arguments
-  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
-  string(SUBSTRING ${args_hash} 0 7 args_hash)
-
-  # Define rule to generate test list for aforementioned test executable
-  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
-  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
-  get_property(
-    crosscompiling_emulator
-    TARGET ${TARGET}
-    PROPERTY CROSSCOMPILING_EMULATOR)
-  add_custom_command(
-    TARGET ${TARGET}
-    POST_BUILD
-    BYPRODUCTS "${ctest_tests_file}"
-    COMMAND
-      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
-      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
-      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
-      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
-      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
-    VERBATIM)
-
-  file(
-    WRITE "${ctest_include_file}"
-    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
-    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")
-
-  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
-    # Add discovered tests to directory TEST_INCLUDE_FILES
-    set_property(
-      DIRECTORY
-      APPEND
-      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
-  else()
-    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
-    get_property(
-      test_include_file_set
-      DIRECTORY
-      PROPERTY TEST_INCLUDE_FILE
-      SET)
-    if(NOT ${test_include_file_set})
-      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
-    else()
-      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
-    endif()
-  endif()
-
-endfunction()
-
-# ######################################################################################################################
-
-set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)

cmake/modules/CatchAddTests.cmake

@@ -1,61 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-set(prefix "${TEST_PREFIX}")
-set(suffix "${TEST_SUFFIX}")
-set(spec ${TEST_SPEC})
-set(extra_args ${TEST_EXTRA_ARGS})
-set(properties ${TEST_PROPERTIES})
-set(script)
-set(suite)
-set(tests)
-
-function(add_command NAME)
-  set(_args "")
-  foreach(_arg ${ARGN})
-    if(_arg MATCHES "[^-./:a-zA-Z0-9_]")
-      set(_args "${_args} [==[${_arg}]==]") # form a bracket_argument
-    else()
-      set(_args "${_args} ${_arg}")
-    endif()
-  endforeach()
-  set(script
-      "${script}${NAME}(${_args})\n"
-      PARENT_SCOPE)
-endfunction()
-
-# Run test executable to get list of available tests
-if(NOT EXISTS "${TEST_EXECUTABLE}")
-  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
-endif()
-execute_process(
-  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
-  OUTPUT_VARIABLE output
-  RESULT_VARIABLE result)
-# Catch --list-test-names-only reports the number of tests, so 0 is... surprising
-if(${result} EQUAL 0)
-  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
-elseif(${result} LESS 0)
-  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
-                      "  Output: ${output}\n")
-endif()
-
-string(REPLACE "\n" ";" output "${output}")
-
-# Parse output
-foreach(line ${output})
-  set(test ${line})
-  # use escape commas to handle properly test cases with commans inside the name
-  string(REPLACE "," "\\," test_name ${test})
-  # ...and add to script
-  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
-  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
-              ${properties})
-  list(APPEND tests "${prefix}${test}${suffix}")
-endforeach()
-
-# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
-add_command(set ${TEST_LIST} ${tests})
-
-# Write CTest script
-file(WRITE "${CTEST_FILE}" "${script}")

cmake/modules/DownloadFakeIt.cmake

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
-
-set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
-
-ExternalProject_Add(
-  fakeit-external
-  PREFIX ${CMAKE_BINARY_DIR}/fakeit-prefix
-  ${FAKEIT_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
-    ${FAKEIT_INCLUDE}/fakeit.hpp)

cmake/modules/DownloadStringViewLite.cmake

@@ -1,29 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
-set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
-
-ExternalProject_Add(
-  string-view-lite
-  PREFIX ${STRING_VIEW_LITE_PREFIX}
-  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
-  GIT_TAG "v1.4.0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
-    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)

cmake/modules/FindMakedev.cmake

@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
-# Usage: In your CMakeLists.txt include(FindMakedev)
-#
-# In your source code:
-#
-# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
-#
-include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
-
-check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
-check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
-
-if(HAVE_SYS_MKDEV_H)
-  add_definitions(-DHAVE_SYS_MKDEV_H)
-endif()
-if(HAVE_SYS_SYSMACROS_H)
-  add_definitions(-DHAVE_SYS_SYSMACROS_H)
-endif()

cmake/modules/GetFalcoVersion.cmake

@@ -16,44 +16,69 @@ include(GetGitRevisionDescription)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
-  string(STRIP "${FALCO_HASH}" FALCO_HASH)
   # Try to obtain the exact git tag
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
-    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
-    # Fallback version
-    if(FALCO_VERSION MATCHES "NOTFOUND$")
-      set(FALCO_VERSION "0.0.0")
-    endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+      # Obtain the closest tag
+      git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
+      string(REGEX MATCH "^[0-9]+.[0-9]+.[0-9]+$" FALCO_TAG ${FALCO_VERSION})
+      if(FALCO_VERSION MATCHES "NOTFOUND$" OR FALCO_TAG STREQUAL "")
+        # Fetch current hash
+        get_git_head_revision(refspec FALCO_HASH)
+        if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
+          set(FALCO_VERSION "0.0.0")
+        else()
+          # Obtain the closest tag
+          git_get_latest_tag(FALCO_LATEST_TAG)
+          if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
+            set(FALCO_VERSION "0.0.0")
+          else()
+            # Compute commit delta since tag
+            git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
+            if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+              set(FALCO_VERSION "0.0.0")
+            else()
+              # Cut hash to 7 bytes
+              string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
+              # Format FALCO_VERSION to be semver with prerelease and build part
+              set(FALCO_VERSION
+                    "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
+            endif()
+          endif()
+        endif()
+      endif()
+      # Format FALCO_VERSION to be semver with prerelease and build part
+      string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")
-    # Remove the starting "v" in case there is one
-    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
-  endif()
-  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
-  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                       "${FALCO_VERSION}")
-  string(
-    REGEX
-    REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-      "\\5"
-      FALCO_VERSION_PRERELEASE
-      "${FALCO_VERSION}")
-  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_PRERELEASE "")
-  endif()
-  if(NOT FALCO_VERSION_BUILD)
-    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
-  endif()
-  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_BUILD "")
   endif()
 endif()
+
+# Remove the starting "v" in case there is one
+string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
+
+# TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
+string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                     "${FALCO_VERSION}")
+string(
+  REGEX
+  REPLACE
+    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+    "\\5"
+    FALCO_VERSION_PRERELEASE
+    "${FALCO_VERSION}")
+
+if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_PRERELEASE "")
+endif()
+if(NOT FALCO_VERSION_BUILD)
+  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+endif()
+if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_BUILD "")
+endif()
+
 message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -86,29 +86,37 @@ function(get_git_head_revision _refspecvar _hashvar)
       PARENT_SCOPE)
 endfunction()
 
-function(git_describe _var)
+function(git_get_latest_tag _var)
   if(NOT GIT_FOUND)
     find_package(Git QUIET)
   endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
+
+  # We use git describe --tags `git rev-list --exclude "*.*.*-*" --tags --max-count=1`
+  # Note how we eclude prereleases tags (the ones with "-alphaX")
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          rev-list
+          --exclude "*.*.*-*"
+          --tags
+          --max-count=1
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          tag_hash
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
     return()
   endif()
 
   execute_process(COMMAND
     "${GIT_EXECUTABLE}"
     describe
-    ${hash}
-    ${ARGN}
+    --tags
+    ${tag_hash}
     WORKING_DIRECTORY
     "${CMAKE_CURRENT_SOURCE_DIR}"
     RESULT_VARIABLE
@@ -120,10 +128,108 @@ function(git_describe _var)
   if(NOT res EQUAL 0)
     set(out "${out}-${res}-NOTFOUND")
   endif()
+  set(${_var} "${out}" PARENT_SCOPE)
+endfunction()
+
+function(git_get_delta_from_tag _var tag hash)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+
+  # Count commits in HEAD
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${hash}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_head
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  # Count commits in latest tag
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_tag
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+    expr
+    ${out_counter_head} - ${out_counter_tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_delta
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+  set(${_var} "${out_delta}" PARENT_SCOPE)
+endfunction()
+
+function(git_describe _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+            "GIT-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+            "HEAD-HASH-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          describe
+          ${hash}
+          ${ARGN}
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          out
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()
 
   set(${_var}
-      "${out}"
-      PARENT_SCOPE)
+          "${out}"
+          PARENT_SCOPE)
 endfunction()
 
 function(git_get_exact_tag _var)

cmake/modules/OpenSSL.cmake

@@ -1,42 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if(NOT USE_BUNDLED_DEPS)
-  find_package(OpenSSL REQUIRED)
-  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-  find_program(OPENSSL_BINARY openssl)
-  if(NOT OPENSSL_BINARY)
-    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
-  else()
-    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
-  endif()
-else()
-  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
-  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
-
-  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-  ExternalProject_Add(
-    openssl
-    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
-    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
-    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND ${CMD_MAKE} install)
-endif()

cmake/modules/cURL.cmake

@@ -1,76 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  find_package(CURL REQUIRED)
-  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
-else()
-  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-
-  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-
-  externalproject_add(
-    curl
-    DEPENDS openssl
-    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
-    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
-    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    CONFIGURE_COMMAND
-      ./configure
-      ${CURL_SSL_OPTION}
-      --disable-shared
-      --enable-optimize
-      --disable-curldebug
-      --disable-rt
-      --enable-http
-      --disable-ftp
-      --disable-file
-      --disable-ldap
-      --disable-ldaps
-      --disable-rtsp
-      --disable-telnet
-      --disable-tftp
-      --disable-pop3
-      --disable-imap
-      --disable-smb
-      --disable-smtp
-      --disable-gopher
-      --disable-sspi
-      --disable-ntlm-wb
-      --disable-tls-srp
-      --without-winssl
-      --without-darwinssl
-      --without-polarssl
-      --without-cyassl
-      --without-nss
-      --without-axtls
-      --without-ca-path
-      --without-ca-bundle
-      --without-libmetalink
-      --without-librtmp
-      --without-winidn
-      --without-libidn2
-      --without-libpsl
-      --without-nghttp2
-      --without-libssh2
-      --disable-threaded-resolver
-      --without-brotli
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()

cmake/modules/copy_files_to_build_dir.cmake

@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+function(copy_files_to_build_dir source_files targetsuffix)
+
+  set(build_files)
+
+  foreach(file_path ${source_files})
+	  get_filename_component(trace_file ${file_path} NAME)
+	  list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+  endforeach()
+
+  add_custom_target(copy-files-${targetsuffix} ALL
+	  DEPENDS ${build_files})
+
+  add_custom_command(OUTPUT ${build_files}
+	  COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
+	  DEPENDS ${source_files})
+
+endfunction()

cmake/modules/cpp-httplib.cmake

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# cpp-httplib (https://github.com/yhirose/cpp-httplib)
+#
+if(CPPHTTPLIB_INCLUDE)
+	# we already have cpp-httplib
+else()
+	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
+	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
+
+	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
+
+	ExternalProject_Add(cpp-httplib
+		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
+		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND "")	
+endif()

cmake/modules/cxxopts.cmake

@@ -0,0 +1,23 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
+set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+
+ExternalProject_Add(
+        cxxopts
+        URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
+        URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND "")

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -10,18 +10,20 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+cmake_minimum_required(VERSION 3.5.1)
+
+project(driver-repo NONE)
+
 include(ExternalProject)
-
-set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
-
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
-                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
+message(STATUS "Driver version: ${DRIVER_VERSION}")
 
 ExternalProject_Add(
-  catch2
-  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
-  ${CATCH_EXTERNAL_URL}
+  driver
+  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
+  URL_HASH "${DRIVER_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
-                  ${CATCH2_INCLUDE}/catch.hpp)
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
+)

cmake/modules/driver.cmake

@@ -0,0 +1,48 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(DRIVER_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/driver-repo")
+set(DRIVER_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/driver-repo")
+
+file(MAKE_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+if(DRIVER_SOURCE_DIR)
+  set(DRIVER_VERSION "0.0.0-local")
+  message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
+else()
+  # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
+  # which contains the driver source code under the `/driver` directory.
+  # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
+  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DDRIVER_VERSION=dev ..`
+  if(NOT DRIVER_VERSION)
+    set(DRIVER_VERSION "5.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=8b197b916b6419dac8fb41807aa05d822164c7bfd2c3eef66d20d060a05a485a")
+  endif()
+
+  # cd /path/to/build && cmake /path/to/source
+  execute_process(COMMAND "${CMAKE_COMMAND}" -DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+    ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+  # cmake --build .
+  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}")
+  set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
+endif()
+
+add_definitions(-D_GNU_SOURCE)
+
+set(DRIVER_NAME "falco")
+set(DRIVER_PACKAGE_NAME "falco")
+set(DRIVER_COMPONENT_NAME "falco-driver")
+
+add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver)

cmake/modules/falcoctl.cmake

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
+
+set(FALCOCTL_VERSION "0.5.1")
+
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
+    set(FALCOCTL_HASH "ea7c89134dc745a1cbdbcf8f839d3b47851a40e1aebee20702a606b03b45b897")
+else() # aarch64
+    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
+    set(FALCOCTL_HASH "22797200bf0e4c7c45f69207ed85218a3839115a302dc07939d3006778d41300")
+endif()
+
+ExternalProject_Add(
+        falcoctl
+        URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
+        URL_HASH "SHA256=${FALCOCTL_HASH}"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+
+install(PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl" DESTINATION "${FALCO_BIN_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -12,17 +12,17 @@
 #
 cmake_minimum_required(VERSION 3.5.1)
 
-project(sysdig-repo NONE)
+project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
-  sysdig
-  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  falcosecurity-libs
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
   TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+)

cmake/modules/falcosecurity-libs.cmake

@@ -0,0 +1,95 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
+set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
+
+file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+# explicitly disable the bundled driver, since we pull it separately
+set(USE_BUNDLED_DRIVER OFF CACHE BOOL "")
+
+if(FALCOSECURITY_LIBS_SOURCE_DIR)
+  set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
+  message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+else()
+  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
+  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
+  if(NOT FALCOSECURITY_LIBS_VERSION)
+    set(FALCOSECURITY_LIBS_VERSION "0.11.3")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b4f9dc8c1612f4b14207d107bce323a0684dce0dbf018e5b846177992569367b")
+  endif()
+
+  # cd /path/to/build && cmake /path/to/source
+  execute_process(COMMAND "${CMAKE_COMMAND}"
+      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+      -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
+      -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+  # cmake --build .
+  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
+  set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
+endif()
+
+set(LIBS_PACKAGE_NAME "falcosecurity")
+
+add_definitions(-D_GNU_SOURCE)
+add_definitions(-DHAS_CAPTURE)
+
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
+set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME")
+set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH")
+
+if(NOT LIBSCAP_DIR)
+  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+endif()
+
+set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+
+# configure gVisor support
+set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
+
+# configure modern BPF support
+set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+
+# explicitly disable the tests/examples of this dependency
+set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
+set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
+
+set(USE_BUNDLED_TBB ON CACHE BOOL "")
+set(USE_BUNDLED_B64 ON CACHE BOOL "")
+set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
+set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
+set(USE_BUNDLED_RE2 ON CACHE BOOL "")
+
+list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
+
+include(CheckSymbolExists)
+check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+
+if(HAVE_STRLCPY)
+  message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+  add_definitions(-DHAVE_STRLCPY)
+else()
+  message(STATUS "No strlcpy found, will use local definition")
+endif()
+
+include(driver)
+include(libscap)
+include(libsinsp)

cmake/modules/gRPC.cmake

@@ -1,133 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  # zlib
-  include(FindZLIB)
-  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
-  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
-
-  if(ZLIB_INCLUDE AND ZLIB_LIB)
-    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
-  endif()
-
-  # c-ares
-  find_path(CARES_INCLUDE NAMES ares.h)
-  find_library(CARES_LIB NAMES libcares.so)
-  if(CARES_INCLUDE AND CARES_LIB)
-    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system c-ares")
-  endif()
-
-  # protobuf
-  find_program(PROTOC NAMES protoc)
-  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
-  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
-  if(PROTOC
-     AND PROTOBUF_INCLUDE
-     AND PROTOBUF_LIB)
-    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system protobuf")
-  endif()
-
-  # gpr
-  find_library(GPR_LIB NAMES gpr)
-
-  if(GPR_LIB)
-    message(STATUS "Found gpr lib: ${GPR_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system gpr")
-  endif()
-
-  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
-  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-  if(GRPCXX_INCLUDE)
-    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-  else()
-    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-  endif()
-  find_library(GRPC_LIB NAMES grpc)
-  find_library(GRPCPP_LIB NAMES grpc++)
-  if(GRPC_INCLUDE
-     AND GRPC_LIB
-     AND GRPCPP_LIB)
-    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system grpc")
-  endif()
-  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-  if(NOT GRPC_CPP_PLUGIN)
-    message(FATAL_ERROR "System grpc_cpp_plugin not found")
-  endif()
-
-else()
-  find_package(PkgConfig)
-    if(NOT PKG_CONFIG_FOUND)
-      message(FATAL_ERROR "pkg-config binary not found")
-  endif()
-  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
-  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-  set(GRPC_INCLUDE "${GRPC_SRC}/include")
-  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
-  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
-  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
-  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
-
-  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
-  # likely that protobuf will be very outdated
-  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
-  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
-  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
-  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that zlib will be very outdated
-  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
-  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-
-  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
-  message(
-    STATUS
-      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
-
-  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-  ExternalProject_Add(
-    grpc
-    DEPENDS openssl
-    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
-    BUILD_IN_SOURCE 1
-    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
-    INSTALL_COMMAND ""
-    CONFIGURE_COMMAND ""
-    BUILD_COMMAND
-      CFLAGS=-Wno-implicit-fallthrough
-      HAS_SYSTEM_ZLIB=false
-      HAS_SYSTEM_PROTOBUF=false
-      HAS_SYSTEM_CARES=false
-      HAS_EMBEDDED_OPENSSL_ALPN=false
-      HAS_SYSTEM_OPENSSL_ALPN=true
-      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
-      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
-      PATH=${PROTOC_DIR}:$ENV{PATH}
-      make
-      static_cxx
-      static_c
-      grpc_cpp_plugin)
-endif()

cmake/modules/jq.cmake

@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if (NOT USE_BUNDLED_DEPS)
-    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-    find_library(JQ_LIB NAMES jq)
-    if (JQ_INCLUDE AND JQ_LIB)
-        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-    else ()
-        message(FATAL_ERROR "Couldn't find system jq")
-    endif ()
-else ()
-    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-    message(STATUS "Using bundled jq in '${JQ_SRC}'")
-    set(JQ_INCLUDE "${JQ_SRC}/target/include")
-    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
-    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
-    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
-    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-
-    # Why we mirror jq here?
-    #
-    # In their readme, jq claims that you don't have
-    # to do autoreconf -fi when downloading a released tarball.
-    #
-    # However, they forgot to push the released makefiles
-    # into their release tarbal.
-    #
-    # For this reason, we have to mirror their release after
-    # doing the configuration ourselves.
-    #
-    # This is needed because many distros do not ship the right
-    # version of autoreconf, making virtually impossible to build Falco on them.
-    # Read more about it here:
-    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
-    ExternalProject_Add(
-            jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
-            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
-            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
-            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-            BUILD_IN_SOURCE 1
-            INSTALL_COMMAND ${CMD_MAKE} install)
-endif ()

cmake/modules/libyaml.cmake

@@ -15,12 +15,13 @@ set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
 set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
 message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
-libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
-BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
-
+externalproject_add(
+  libyaml
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
+  INSTALL_COMMAND ${CMD_MAKE} install
+)

cmake/modules/njson.cmake

@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# nlohmann-json
+#
+if(NJSON_INCLUDE)
+    # Adding the custom target we can use it with `add_dependencies()`
+    if(NOT TARGET njson)
+        add_custom_target(njson)
+    endif()
+else()
+    # We always use the bundled version
+    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+    ExternalProject_Add(
+        njson
+        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
+        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+endif()

cmake/modules/plugins.cmake

@@ -0,0 +1,97 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+# 'stable' or 'dev'
+set(PLUGINS_DOWNLOAD_BUCKET "stable")
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
+
+if(NOT DEFINED PLUGINS_COMPONENT_NAME)
+    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
+endif()
+
+# k8saudit
+set(PLUGIN_K8S_AUDIT_VERSION "0.6.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_K8S_AUDIT_HASH "560e8f8dc8fd169e524d95462d65b5227415a7a157442e82383c7d9f456ce58f")
+else() # aarch64
+    set(PLUGIN_K8S_AUDIT_HASH "e4757af1bac42b21c5937340790841dedc3805759050a6ffb22d1761e1dd1d31")
+endif()
+
+ExternalProject_Add(
+  k8saudit-plugin
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  k8saudit-rules
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=44cee2fb88312d889213e1dbe1b9902d0a3f5c594cce73b2cac8e54fb51321b7"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+# cloudtrail
+set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_CLOUDTRAIL_HASH "13ba77602c0859936f6e3b00f93bd218c463300c6a797b694a0d5aeecde13976")
+else() # aarch64
+    set(PLUGIN_CLOUDTRAIL_HASH "a01730738e9d5769f69957a204c8afe528b059e9a22f59792dfc65e19d6a43db")
+endif()
+
+ExternalProject_Add(
+  cloudtrail-plugin
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  cloudtrail-rules
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=27f2fc0a74d39476ad968a61318dec65a82b109c4a462b9fa22be45425ddaaad"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+# json
+set(PLUGIN_JSON_VERSION "0.7.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_JSON_HASH "a7bf52009a935f22b473724f722566fde27aec5c7d618ecd426eed81e477e94d")
+else() # aarch64
+    set(PLUGIN_JSON_HASH "9cd65fac3f1cbc7f723b69671d42d35901cd322a23d8f2b9dc95fb0593918a7e")
+endif()
+
+ExternalProject_Add(
+  json-plugin
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

cmake/modules/rules.cmake

@@ -0,0 +1,70 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(GNUInstallDirs)
+include(ExternalProject)
+
+# falco_rules.yaml
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
+set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
+ExternalProject_Add(
+  falcosecurity-rules-falco
+  URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
+  URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+)
+
+# falco_rules.local.yaml
+set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml")
+file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
+
+if(NOT DEFINED FALCO_ETC_DIR)
+  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+endif()
+
+if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
+  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
+  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
+endif()
+
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
+  install(
+    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+    COMPONENT "${FALCO_COMPONENT}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_RULES_DEST_FILENAME}")
+
+  install(
+    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+    COMPONENT "${FALCO_COMPONENT}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+else() # Default Falco installation
+  install(
+    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
+
+  install(
+    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
+
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
+endif()

cmake/modules/static-analysis.cmake

@@ -0,0 +1,42 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+      "${CMAKE_SOURCE_DIR}"
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,31 +0,0 @@
-diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
---- a/userspace/libscap/scap.c
-+++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
- //#define NDEBUG
- #include <assert.h>
- 
--static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
-+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
- 
- //
- // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
- 				return NULL;
- 			}
- 
--			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
-+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
- 			bpf_probe = buf;
- 		}
- 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
- 
- const char* scap_get_host_root()
- {
--	char* p = getenv("SYSDIG_HOST_ROOT");
-+	char* p = getenv("HOST_ROOT");
- 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
- 	static bool inited = false;
- 	if (! inited) {

cmake/modules/sysdig.cmake

@@ -1,69 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
-set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
-
-# this needs to be here at the top
-if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the bundled OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
-  set(USE_BUNDLED_JQ ON)
-endif()
-
-file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
-# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
-# -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7")
-  set(SYSDIG_CHECKSUM "SHA256=43d274e4ce16b0d0e4dd00aab78006c902f36070d1cbb22d12a2685134a2ae51")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
-# cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
-                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-# "${SYSDIG_CMAKE_SOURCE_DIR}")
-
-execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
-set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
-
-# jsoncpp
-set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
-
-# Add driver directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
-
-# Add libscap directory
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
-
-# Add libsinsp directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
-add_dependencies(sinsp tbb b64 luajit)
-
-# explicitly disable the tests of this dependency
-set(CREATE_TEST_TARGETS OFF)
-
-if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
-endif()

cmake/modules/yaml-cpp.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
 if(NOT USE_BUNDLED_DEPS)
   find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
   find_library(YAMLCPP_LIB NAMES yaml-cpp)
@@ -18,6 +19,7 @@ if(NOT USE_BUNDLED_DEPS)
   else()
     message(FATAL_ERROR "Couldn't find system yamlcpp")
   endif()
+  add_custom_target(yamlcpp)
 else()
   set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
   message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
@@ -27,6 +29,7 @@ else()
     yamlcpp
     URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
     URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND "")
 endif()

docker/OWNERS

@@ -2,5 +2,4 @@ labels:
   - area/integration
 approvers:
   - leogr
-reviewers:
-  - leogr
+

docker/README.md

@@ -1,17 +1,17 @@
 # Falco Dockerfiles
 
-This directory contains various ways to package Falco as a container and related tools. 
+This directory contains various ways to package Falco as a container and related tools.
 
 ## Currently Supported Images
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
-| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| _not yet published (experimental)_ | docker/ubi | Falco (built from RedHat's UBI base image) with the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
+| _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 > Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
-

docker/builder/Dockerfile

@@ -3,6 +3,7 @@ FROM centos:7
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF
@@ -10,6 +11,7 @@ ARG BUILD_BPF=OFF
 ARG BUILD_WARNINGS_AS_ERRORS=ON
 ARG MAKE_JOBS=4
 ARG FALCO_VERSION
+ARG CMAKE_VERSION=3.22.5
 
 ENV BUILD_TYPE=${BUILD_TYPE}
 ENV BUILD_DRIVER=${BUILD_DRIVER}
@@ -17,22 +19,22 @@ ENV BUILD_BPF=${BUILD_BPF}
 ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
 ENV MAKE_JOBS=${MAKE_JOBS}
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV CMAKE_VERSION=${CMAKE_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 
-ARG CMAKE_VERSION=3.5.1
-RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
-    cd /tmp && \
-    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
-    cd cmake-${CMAKE_VERSION} && \
-    ./bootstrap --system-curl && \
-    make -j${MAKE_JOBS} && \
-    make install && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}
+
+RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
+
+RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
+    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
+    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
 
 COPY ./root /
 

docker/builder/README.md

@@ -0,0 +1,8 @@
+# Builder folder
+
+* We use `Dockerfile` to build the `centos7` Falco builder image.
+* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
+  * Falco `tar.gz`.
+  * Falco `deb` package.
+  * Falco `rpm` package.
+  * Falco build directory, used by other CI jobs.

docker/builder/modern-falco-builder.Dockerfile

@@ -0,0 +1,62 @@
+
+FROM centos:7 AS build-stage
+
+# To build Falco you need to pass the cmake option
+ARG CMAKE_OPTIONS=""
+ARG MAKE_JOBS=6
+
+# Install all the dependencies
+WORKDIR /
+
+RUN yum -y install centos-release-scl; \
+    yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++; \
+    source scl_source enable devtoolset-9; \
+    yum install -y git wget make m4 rpm-build
+
+# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
+RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
+    gzip -d /tmp/cmake.tar.gz; \
+    tar -xpf /tmp/cmake.tar --directory=/tmp; \
+    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
+    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
+
+# Copy Falco folder from the build context
+COPY . /source
+WORKDIR /build/release
+
+RUN source scl_source enable devtoolset-9; \
+    cmake ${CMAKE_OPTIONS} /source; \
+    make falco -j${MAKE_JOBS}
+RUN make package
+
+# We need `make all` for integration tests.
+RUN make all -j${MAKE_JOBS}
+
+FROM scratch AS export-stage
+
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
+ARG DEST_BUILD_DIR="/build"
+
+COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
+COPY --from=build-stage /build/release/falco-*.deb /packages/
+COPY --from=build-stage /build/release/falco-*.rpm /packages/
+
+# This is what we need for integration tests. We don't export all the build directory
+# outside the container since its size is almost 6 GB, we export only what is strictly necessary
+# for integration tests.
+# This is just a workaround to fix the CI build until we replace our actual testing framework.
+COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
+COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
+COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
+COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
+COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix
+COPY --from=build-stage /build/release/k8saudit-plugin-prefix ${DEST_BUILD_DIR}/k8saudit-plugin-prefix
+COPY --from=build-stage /build/release/k8saudit-rules-prefix ${DEST_BUILD_DIR}/k8saudit-rules-prefix
+COPY --from=build-stage /build/release/scripts ${DEST_BUILD_DIR}/scripts
+COPY --from=build-stage /build/release/test ${DEST_BUILD_DIR}/test
+COPY --from=build-stage /build/release/userspace/falco/falco ${DEST_BUILD_DIR}/userspace/falco/falco
+COPY --from=build-stage /build/release/userspace/falco/config_falco.h ${DEST_BUILD_DIR}/userspace/falco/config_falco.h
+COPY --from=build-stage /build/release/falco-*.tar.gz ${DEST_BUILD_DIR}/
+COPY --from=build-stage /build/release/falco-*.deb ${DEST_BUILD_DIR}/
+COPY --from=build-stage /build/release/falco-*.rpm ${DEST_BUILD_DIR}/

docker/builder/root/usr/bin/entrypoint

@@ -9,10 +9,10 @@ shift
 
 # Build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-DRAIOS_DEBUG_FLAGS=
+FALCO_EXTRA_DEBUG_FLAGS=
 case "$BUILD_TYPE" in
 "debug")
-    DRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
+    FALCO_EXTRA_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
     ;;
 *)
     BUILD_TYPE="release"
@@ -37,7 +37,7 @@ case "$CMD" in
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \
-    -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
+    -DFALCO_EXTRA_DEBUG_FLAGS="$FALCO_EXTRA_DEBUG_FLAGS" \
     -DUSE_BUNDLED_DEPS=ON \
     "$SOURCE_DIR/falco"
     exit "$(printf '%d\n' $?)"

docker/builder/root/usr/bin/scl_enable

@@ -1,6 +1,6 @@
 # IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced everytime the shell session is opened.
+#            This file is sourced every time the shell session is opened.
 #
 # This will make scl collection binaries work out of box.
 unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7
+source scl_source enable devtoolset-7 llvm-toolset-7.0

docker/builder/root/usr/bin/usage

@@ -18,7 +18,7 @@ How to use.
     * docker run -ti falcosecurity/falco-builder bash
 
     To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings)
+    - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling)
 
     Optionally, you can also bind-mount the build directory.
     So, you can execute it from the Falco root directory as follows.

docker/driver-loader/Dockerfile

@@ -1,13 +1,14 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
 COPY ./docker-entrypoint.sh /
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco/Dockerfile

@@ -1,8 +1,11 @@
-FROM debian:stable
+FROM debian:buster
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+
+ARG TARGETARCH
 
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
@@ -18,53 +21,64 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
 	libc6-dev \
 	libelf-dev \
-	libmpx2 \
+	libssl-dev \
 	llvm-7 \
 	netcat \
+	patchelf \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -75,8 +89,8 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
@@ -96,10 +110,16 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/falco/docker-entrypoint.sh

@@ -16,14 +16,9 @@
 # limitations under the License.
 #
 
-# todo(leogr): remove deprecation notice within a couple of releases
-if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
-fi
-
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 
-if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     echo "* Setting up /usr/src links from host"
 
     for i in "$HOST_ROOT/usr/src"/*

docker/local/Dockerfile

@@ -1,7 +1,10 @@
-FROM debian:stable
+FROM debian:buster
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
+ARG TARGETARCH
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -37,43 +40,50 @@ RUN apt-get update \
 	libatomic1 \
 	liblsan0 \
 	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
 	libcc1-0 \
+	patchelf \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -90,21 +100,26 @@ RUN rm -rf /usr/bin/clang \
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/local/rules/CMakeLists.txt

@@ -1,13 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of rules is created at cmake time, not build time
 file(GLOB test_rule_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
 
-foreach(rule_file_path ${test_rule_files})
-	get_filename_component(rule_file ${rule_file_path} NAME)
-	add_custom_target(docker-local-rule-${rule_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		DEPENDS ${rule_file_path})
-endforeach()
-
+copy_files_to_build_dir("${test_rule_files}" docker-local-rules)

docker/local/traces/CMakeLists.txt

@@ -1,13 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(docker-local-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-endforeach()
-
+copy_files_to_build_dir("${test_trace_files}" docker-local-traces)

docker/no-driver/Dockerfile

@@ -1,58 +1,39 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 
+RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
+
 WORKDIR /
 
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-
-RUN apt-get update -y && \
-    apt-get install -y binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+RUN curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM scratch
+FROM debian:11-slim
 
-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
 
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+    && apt clean -y && rm -rf /var/lib/apt/lists/*
 
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+ENV HOST_ROOT /host
+ENV HOME /root
 
 COPY --from=ubuntu /falco /
 
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -3,18 +3,26 @@ FROM fedora:31
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
+ARG TARGETARCH
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
+    else curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
+    fi;
+
+RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 RUN pip install --user watchdog==0.10.2
 RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
+RUN tar -C /usr/bin -xvf grpcurl.tar.gz
 
 COPY ./root /
 

docker/tester/root/runners/deb.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms -y
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/rpm.Dockerfile

@@ -9,8 +9,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN yum update -y
 RUN yum install epel-release -y
 
-ADD falco-${FALCO_VERSION}-x86_64.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
+ADD falco-${FALCO_VERSION}-*.rpm /
+RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/tar.gz.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms curl -y
 
-ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+ADD falco-${FALCO_VERSION}-*.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/usr/bin/entrypoint

@@ -1,12 +1,15 @@
 #!/usr/bin/env bash
 
-set -eu -o pipefail
+BUILD_DIR=${BUILD_DIR:-/build}
+SOURCE_DIR=${SOURCE_DIR:-/source}
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
 
-SOURCE_DIR=/source
-BUILD_DIR=/build
 CMD=${1:-test}
 shift
 
+# Stop the execution if a command in the pipeline has an error, from now on
+set -e -u -o pipefail
+
 # build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
@@ -22,7 +25,7 @@ build_image() {
     BUILD_TYPE=$2
     FALCO_VERSION=$3
     PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
+    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
     if [ ! -f "$PACKAGE" ]; then
         echo "Package not found: ${PACKAGE}." >&2
         exit 1
@@ -47,7 +50,8 @@ case "$CMD" in
 "test")
     if [ -z "$FALCO_VERSION" ]; then
         echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
+        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
         echo "Falco version: $FALCO_VERSION"
     fi
     if [ -z "$FALCO_VERSION" ]; then
@@ -56,9 +60,11 @@ case "$CMD" in
     fi
 
     # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    fi
 
     # check that source directory contains Falco
     if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -69,12 +75,14 @@ case "$CMD" in
     # run tests
     echo "Running regression tests ..."
     cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
 
     # clean docker images
-    clean_image "deb"
-    clean_image "rpm"
-    clean_image "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        clean_image "deb"
+        clean_image "rpm"
+        clean_image "tar.gz"
+    fi
     ;;
 "bash")
     CMD=/bin/bash

docker/tester/root/usr/bin/usage

@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=$(pip show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}
 
 cat <<EOF

docker/ubi/Dockerfile

@@ -0,0 +1,46 @@
+ARG UBI_VERSION=latest
+FROM registry.access.redhat.com/ubi8/ubi:${UBI_VERSION}
+
+ARG FALCO_VERSION
+RUN test -n "$FALCO_VERSION" || (echo "FALCO_VERSION  not set" && false)
+ENV FALCO_VERSION=${FALCO_VERSION}
+
+LABEL "name"="Falco Runtime Security"
+LABEL "vendor"="Falco"
+LABEL "version"="${FALCO_VERSION}"
+LABEL "release"="${FALCO_VERSION}"
+LABEL "ubi-version"="${UBI_VERSION}"
+LABEL "summary"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL "description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL "io.k8s.display-name"="Falco"
+LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN  dnf -y update && \
+     dnf -y install \
+          curl \
+          make \
+          cmake \
+          gcc \
+          llvm-toolset \
+          clang \
+          kmod \
+     && dnf -y clean all ; rm -rf /var/cache/{dnf,yum}
+
+RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
+     tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
+
+RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
+     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
+     rm -rf /deploy
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/falco"]

docker/ubi/docker-entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
+
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
+
+    # Required by dkms to find the required dependencies on RedHat UBI
+    rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
+    rm -fr /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules
+    rm -fr /boot && ln -s $HOST_ROOT/boot /boot
+
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
+    done
+
+    /usr/bin/falco-driver-loader
+fi
+
+exec "$@"

proposals/20190826-grpc-outputs.md

@@ -47,7 +47,7 @@ The motivation behind this proposal is to design a new output implementation tha
 ### Non-Goals
 
 - To substitute existing outputs (stdout, syslog, etc.)
-- To support different queing systems than the default (round-robin) one
+- To support different queuing systems than the default (round-robin) one
 - To support queuing mechanisms for message retransmission
   - Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
 - To change the output format

proposals/20190909-psp-rules-support.md

@@ -27,7 +27,7 @@ That's where Falco comes in. We want to make it possible for Falco to perform a
 
 Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
 
-The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so that they can monitor system calls and k8s audit activity.
 
 ### Non-Goals
 
@@ -51,6 +51,6 @@ No diagrams yet.
 
 * We'll use [inja](https://github.com/pantor/inja) as the templating engine.
 
-* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
+* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisons between values in an event and values in the comparison right-hand-side.
 
 * This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.

proposals/20191030-api.md

@@ -6,13 +6,13 @@ This is a proposal to better structure the Falco API.
 
 The Falco API is a set of contracts describing how users can interacts with Falco.
 
-By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible.
+By defining a set of interfaces the Falco Authors intend to decouple Falco from other software and data (eg., from the input sources) and, at the same time, make it more extensible.
 
-Thus, this document intent is to propose a list of services that contistute the Falco API (targeting the first stable version of Falco, v1.0.0).
+Thus, this document intent is to propose a list of services that constitute the Falco API (targeting the first stable version of Falco, v1.0.0).
 
 ## Motivation
 
-We want to enable users to use thirdy-party clients to interface with Falco outputs, inputs, rules, and configurations.
+We want to enable users to use third-party clients to interface with Falco outputs, inputs, rules, and configurations.
 
 Such ability would enable the community to create a whole set of OSS tools, built on top of Falco.
 
@@ -94,7 +94,7 @@ This translates in having the following set of `proto` files.
     }
     ```
 
-- one or more `.proto` containing the commond models - ie., the already existing `schema.proto` containing source enum, etc.
+- one or more `.proto` containing the command models - ie., the already existing `schema.proto` containing source enum, etc.
 
     ```proto3
     # schema.proto

proposals/20191217-rules-naming-convention.md

@@ -36,7 +36,7 @@ There will be no intention to cover Falco rule syntax in this proposal.
 
 ### Use cases
 
-When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check whether follow the naming convention.
 
 ### Diagrams
 

proposals/20200506-artifacts-scope-part-1.md

@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
 
-## Summary 
+## Summary
 
 As a project we would like to support the following artifacts.
 
@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.
 
 ## Terms
 
-**falco** 
+**falco**
 
 *The Falco binary*
 
@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.
 
 **package**
 
-*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
+*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*
 
 **image**
 
 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
- 
+
 
 # Packages
 
@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,13 +76,13 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be
 
 ### repository
 
-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
 
 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
 
 ### official support
 
-As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Offical support_."
+As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Official support_."
 
 The artifacts listed above are part of the official Falco release process. These artifact will be refined and amended by the [Part 2](./20200506-artifacts-scope-part-2.md).
 
@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.
 
-    
+
 ### Action Items
 
 Here are SOME of the items that would need to be done, for example:
@@ -111,4 +111,4 @@ Update documentation in [falco-website#184](https://github.com/falcosecurity/fal
 ### Adjusting projects
 
  - YAML manifest documentation to be moved to `contrib`
- - Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
+ - Minikube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`

proposals/20200818-artifacts-storage.md

@@ -0,0 +1,83 @@
+# Falco Artifacts Storage
+
+This document reflects the way we store the Falco artifacts.
+
+## Terms & Definitions
+
+- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
+- Bintray: artifacts distribution platform
+
+## Packages
+
+The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
+
+The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
+
+As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
+
+- DEB
+- RPM
+- Tarball
+
+Thus, we have three repositories for the Falco stable releases:
+
+- https://bintray.com/falcosecurity/deb
+- https://bintray.com/falcosecurity/rpm
+- https://bintray.com/falcosecurity/bin
+
+And three repositories for the Falco development releases:
+
+- https://bintray.com/falcosecurity/deb-dev
+- https://bintray.com/falcosecurity/rpm-dev
+- https://bintray.com/falcosecurity/bin-dev
+
+## Drivers
+
+The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
+
+This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
+
+Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
+
+Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
+
+The driver versions we ship prebuilt drivers for are:
+
+- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
+- the driver version associated with the penultimate Falco stable version
+
+The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
+
+You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
+
+### Notice
+
+The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
+
+Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
+
+Nevertheless, this process is an open, auditable, and transparent one.
+
+So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
+
+Some pull-requests you can look at to create your own are:
+
+- https://github.com/falcosecurity/test-infra/pull/165
+- https://github.com/falcosecurity/test-infra/pull/163
+- https://github.com/falcosecurity/test-infra/pull/162
+
+While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
+
+## Container images
+
+As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
+
+These images are built and published in two cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens (**Falco stable releases**)
+
+For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).

proposals/20200828-structured-exception-handling.md

@@ -0,0 +1,240 @@
+# Proposal for First Class Structured Exceptions in Falco Rules
+
+## Summary
+
+## Motivation
+
+Almost all Falco Rules have cases where the behavior detected by the
+rule should be allowed. For example, The rule Write Below Binary Dir
+has exceptions for specific programs that are known to write below
+these directories as a part of software installation/management:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+...
+```
+In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
+
+```yaml
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+```
+
+The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
+
+A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
+
+```
+...
+    and not sed_temporary_file
+    and not exe_running_docker_save
+    and not ansible_running_python
+    and not python_running_denyhosts
+    and not fluentd_writing_conf_files
+    and not user_known_write_etc_conditions
+    and not run_by_centrify
+    and not run_by_adclient
+    and not qualys_writing_conf_files
+    and not git_writing_nssdb
+...
+```
+
+The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
+
+### Using Appends/Overwrites to Customize Rules
+
+An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+
+- macro: user_known_update_package_registry
+  condition: (never_true)
+
+- rule: Update Package Repository
+  desc: Detect package repositories get updated
+  condition: >
+    ((open_write and access_repositories) or (modify and modify_repositories))
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not user_known_update_package_registry
+```
+
+If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [puppet]
+  append: true
+
+- macro: package_mgmt_procs
+  condition: and not proc.pname=chef
+  append: true
+
+- macro: user_known_update_package_registry
+  condition: (proc.name in (npm))
+  append: false
+```
+
+This adds an 3 different exceptions:
+* an additional binary to package_mgmt_binaries (because append is true),
+* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
+* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
+
+### Problems with Appends/Overrides to Define Exceptions
+
+Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
+
+* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
+
+```yaml
+rule: my_rule
+condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
+
+rule: my_rule
+condition: or fd.name=/tmp/baz
+append: true
+```
+
+Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
+
+* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
+
+* Appends and overrides can get confusing if you try to apply them multiple times. For example:
+
+```yaml
+macro: allowed_files
+condition: fd.name=/tmp/foo
+
+...
+
+macro: allowed_files
+condition: and fd.name=/tmp/bar
+append: true
+```
+
+If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
+
+## Solution: Exceptions as first class objects
+
+To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+  exceptions:
+   - name: proc_writer
+     fields: [proc.name, fd.directory]
+   - name: container_writer
+     fields: [container.image.repository, fd.directory]
+     comps: [=, startswith]
+   - name: proc_filenames
+     fields: [proc.name, fd.name]
+     comps: [=, in]
+   - name: filenames
+     fields: fd.filename
+     comps: in
+```
+
+This rule defines four kinds of exceptions:
+  * proc_writer: uses a combination of proc.name and fd.directory
+  * container_writer: uses a combination of container.image.repository and fd.directory
+  * proc_filenames: uses a combination of process and list of filenames.
+  * filenames: uses a list of filenames
+
+The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
+
+proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
+
+proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
+
+filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
+
+Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
+
+Exception values will most commonly be defined in rules with append: true. Here's an example:
+
+```yaml
+- list: apt_files
+  items: [/bin/ls, /bin/rm]
+
+- rule: Write below binary dir
+  exceptions:
+  - name: proc_writer
+    values:
+    - [apk, /usr/lib/alpine]
+    - [npm, /usr/node/bin]
+  - name: container_writer
+    values:
+    - [docker.io/alpine, /usr/libexec/alpine]
+  - name: proc_filenames
+    values:
+    - [apt, apt_files]
+    - [rpm, [/bin/cp, /bin/pwd]]
+  - name: filenames
+    values: [python, go]
+```
+
+A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
+
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parentheses will be added.
+
+Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
+
+### Implementation
+
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implicit "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+
+When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
+
+```
+(<Write below binary dir condition>) and not (
+    (proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
+	(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
+	(proc.name=apt and fd.name in (apt_files))) or
+	(fd.filename in (python, go))))
+```
+
+The exceptions are effectively syntactic sugar that allows expressing sets of exceptions in a concise way.
+
+### Advantages
+
+Adding Exception objects as described here has several advantages:
+
+* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
+* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
+* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
+
+## Backwards compatibility
+
+To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
+
+This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
+
+This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
+
+However, there are a few changes we'll have to make to Falco rules file parsing:
+
+* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
+* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.
+
+

proposals/20200901-artifacts-cleanup.md

@@ -0,0 +1,114 @@
+# Falco Artifacts Cleanup
+
+This document reflects when and how we clean up the Falco artifacts from their storage location.
+
+**Superseded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
+
+## Motivation
+
+The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
+
+They also kindly granted us an additional 5GB of free space.
+
+## Goal
+
+Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
+
+## Status
+
+To be implemented.
+
+## Packages
+
+### Tarballs from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
+
+Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
+
+This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
+
+### DEB from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
+
+Historically, every Falco release is composed by less than 50 merges (upper limit).
+
+So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
+
+This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
+
+### RPM from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
+
+For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
+
+This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
+
+### Stable releases
+
+This document proposes to retain all the stable releases.
+
+This means that all the Falco packages present in the Falco stable release repositories will be kept.
+
+The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
+This means it grows in space of ~50MB each month.
+
+The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
+This means it grows in space of ~5MB each month.
+
+The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
+This means it grows in space of ~4.3MB each month.
+
+### Considerations
+
+Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
+
+Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
+
+### Implementation
+
+The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
+
+This job will be triggered after the `publish/packages-dev` completed successfully.
+
+## Drivers
+
+As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
+Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
+
+This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
+
+At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
+
+Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
+
+This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
+
+This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
+
+Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
+
+### Archiving
+
+Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
+
+The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
+
+#### Notice
+
+The current mechanism the Falco community uses to store the Falco drivers is explained by the [drivers-storage-s3](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md) proposal.
+
+### Implementation
+
+The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
+will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
+
+This job will be triggered after the `drivers/publish` completed successfully on the master branch.
+
+#### Notice
+
+At the moment of writing (2021 09 28) the `drivers/cleanup` job is no more in place.
+
+Pragmatically, this means that the older Falco drivers will remain available in their [S3 bucket](https://download.falco.org/?prefix=driver/).

proposals/20201025-drivers-storage-s3.md

@@ -0,0 +1,137 @@
+# Falco Drivers Storage S3
+
+Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
+
+Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
+
+## Introduction
+
+In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
+
+This does not only interrupt the workflow of our users but also the workflow of the contributors, since without bintray most of our container images and CMake files can’t download the dependencies we mirror.
+
+### What is the cause?
+
+We had a spike in adoption apparently, either a user with many nodes or an increased number of users. We don’t know this detail specifically yet because bintray does not give us very fine-grained statistics on this.
+
+This is the 30-days history:
+
+![A spike on driver downloads the last ten days](20201025-drivers-storage-s3_downloads.png)
+
+As you can see, we can only see that they downloaded the latest kernel module driver version, however we can’t see if:
+
+* It’s a single source or many different users
+
+* What is the kernel/OS they are using
+
+### What do we host on Bintray?
+
+* RPM packages: high traffic but very manageable ~90k downloads a month
+
+* Deb packages:low traffic ~5k downloads a month
+
+* Pre-built image Dependencies: low traffic, will eventually disappear in the future
+
+* Kernel modules: very high traffic, 700k downloads in 10 days, this is what is causing the current problems. They are primarily used by users of our container images.
+
+* eBPF probes: low traffic ~5k downloads a month
+
+### Motivations to go to S3 instead of Bintray for the Drivers
+
+Bintray does an excellent service at building the rpm/deb structures for us, however we also use them for S3-like storage for the drivers. We have ten thousand files hosted there and the combinations are infinite.
+
+
+Before today, we had many issues with storage even without the spike in users we are seeing since the last ten days.
+
+## Context on AWS
+
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).
+
+## Interactions with other teams and the CNCF
+
+* The setup on the AWS account side already done, this is all technical work.
+
+* We need to open a CNCF service account ticket for the download.falco.org subdomain to point to the S3 bucket we want to use
+
+## The Plan
+
+We want to propose to move the drivers and the container dependencies to S3.
+
+#### Moving means:
+
+* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+
+* We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
+
+* We move the current content keeping the same web server directory structure
+
+* We change the Falco Dockerfiles and driver loader script accordingly
+
+* We update test-infra to push the drivers to S3
+
+* Once we have the drivers in S3, we can ask bintray to relax the limits for this month so that our users are able to download the other packages we keep there. Otherwise they will have to wait until November 1st. We only want to do that after the moving because otherwise we will hit the limits pretty quickly.
+
+#### The repositories we want to move are:
+
+* [https://bintray.com/falcosecurity/driver](https://bintray.com/falcosecurity/driver) will become https://download.falco.org/driver
+
+* [https://bintray.com/falcosecurity/dependencies](https://bintray.com/falcosecurity/dependencies) will become https://download.falco.org/dependencies
+
+#### Changes in Falco
+
+* [Search for bintray ](https://github.com/falcosecurity/falco/search?p=2&q=bintray)on the Falco repo and replace the URL for the CMake and Docker files.
+
+* It’s very important to change the DRIVERS_REPO environment variable [here](https://github.com/falcosecurity/falco/blob/0a33f555eb8e019806b46fea8b80a6302a935421/CMakeLists.txt#L86) - this is what updates the falco-driver-loader scripts that the users and container images use to fetch the module
+
+#### Changes in Test Infra
+
+* We need to use the S3 cli instead of jfrog cli to upload to the s3 bucket after building [here](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml)
+
+* We can probably remove jfrog from that repo since it only deals with drivers and drivers are being put on S3 now
+
+* Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver)
+
+    * `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`
+
+#### Changes to Falco website
+
+* Changes should not be necessary, we are not updating the way people install Falco but only the driver. The driver is managed by a script we can change.
+
+## Mitigation and next steps for the users
+
+* **The average users should be good to go now, Bintray raised our limits and we have some room to do this without requiring manual steps on your end**
+
+* **Users that can’t wait for us to have the S3 setup done: **can setup an S3 as driver repo themselves, push the drivers they need to it after compiling them (they can use [Driverkit](https://github.com/falcosecurity/driverkit) for that) Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver).
+
+* **Users that can’t wait but don’t want to setup a webserver themselves**: the falco-driver-loader script can also compile the module for you. Make sure to install the kernel-headers on your nodes.
+
+* **Users that can wait** we will approve this document and act on the plan described here by providing the DRIVERS_REPO at  [https://download.falco.org/driver](https://download.falco.org/driver) that then you can use
+
+### How to use an alternative DRIVERS_REPO ?
+
+**On bash:**
+
+export DRIVERS_REPO=https://your-url-here
+
+**Docker**
+
+Pass it as environment variable using the docker run flag -e - for example:
+
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)
+
+**Kubernetes**
+
+spec:
+
+  containers:
+
+  - env:
+
+    - name: DRIVERS_REPO
+
+      value: https://your-url-here
+
+## Release
+
+Next release is on December 1st, we want to rollout a hotfix 0.26.2 release that only contains the updated script before that date so that users don’t get confused and we can just tell them "update Falco" to get the thing working again.
+

proposals/20210119-libraries-contribution.md

@@ -0,0 +1,167 @@
+# OSS Libraries Contribution Plan
+
+## Summary
+
+Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
+
+This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
+
+This plan aims to describe and clarify the terms and goals to get the contribution done.
+
+## Motivation
+
+There are two main OSS projects using the libraries and drivers that we are aware of:
+
+- [sysdig](https://github.com/draios/sysdig)  the command line tool
+- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
+
+Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
+
+Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
+
+This change is win-win for both parties because of the following reasons:
+
+- The Falco community owns the source code of the three most important parts of the software it distributes.
+  - Right now it is "only" an engine on top of the libraries. This **contribution** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
+
+- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
+
+- Sysdig (the company) can now focus on the user experience and user space features
+
+- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
+
+- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
+
+## Goals
+
+There are many sub-projects and each of them interacts in a different way in this contribution.
+
+Let's see the goals per sub-project.
+
+### libsinsp
+
+1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the contribution is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
+
+19. Document the API
+
+### libscap
+
+1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the contribution is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libscap  release process for the build
+
+19. Document the API
+
+### Drivers: Kernel module and eBPF probe
+
+1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the Makefiles and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
+
+9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+10. Every other additional change will need to have its own process with a proposal
+
+11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
+
+    - Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
+
+12. This project will go already "Official support" once the migration is completed.
+
+### Falco
+
+1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
+
+2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
+
+### Driverkit
+
+1. Change the source location for the drivers to point to the new driver repository
+
+### pdig
+
+1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location

proposals/20210501-plugin-system.md

@@ -0,0 +1,613 @@
+# Plugin System
+
+## Summary
+
+This is a proposal to create an infrastructure to extend the functionality of the Falco libraries via plugins.
+
+Plugins will allow users to easily extend the functionality of the libraries and, as a consequence, of Falco and any other tool based on the libraries.
+
+This proposal, in particular, focuses on two types of plugins: source plugins and extractor plugins.
+
+## Motivation
+
+[libscap](https://github.com/falcosecurity/libs/tree/master/userspace/libscap) and [libsinsp](https://github.com/falcosecurity/libs/tree/master/userspace/libsinsp) provide a powerful data capture framework, with a rich set of features that includes:
+
+- data capture
+- trace files management
+- enrichment
+- filtering
+- formatting and screen rendering
+- Lua scripting (chisels)
+
+These features have been designed with one specific input in mind: system calls. However, they are generically adaptable to a broad set of inputs, such as cloud logs.
+
+With this proposal, we want to dramatically extend the scope of what the libraries, Falco and other tools can be applied to. We want to do it in a way that is easy, efficient and empowers anyone in the community to write a plugin.
+
+## Goals
+
+- To design and implement a plugin framework that makes the libraries more modular and extensible
+- To have a framework that is easy to use
+- To support dynamic loading of plugins, so that the libraries can be extended without having to be recompiled and relinked
+- To enable users to write plugins in any language, with a particular focus on Go, C and C++
+- To have an efficient plugin framework so that, performance-wise, writing a plugin is as close as possible as extending the libraries internal source code
+- To make it possible to write plugins for Linux, MacOS and Windows
+
+## Non-Goals
+
+- To implement plugins other than source and extractor: to be approached as separate task
+- To document the plugin framework and interface: to be approached as separate task
+
+## Proposal
+
+### Plugin Common Information
+
+Both source and extractor plugins have the following:
+
+- A required api version, to ensure compatibility with the plugin framework.
+- A name
+- A description
+- A version
+- A contact field for the plugin authors (website, github repo, twitter, etc).
+- Functions to initialize and destroy the plugin internal state.
+
+### Plugin types
+
+Initially, we will implement support for two types of plugins: source plugins and extractor plugins.
+
+#### Source Plugin
+
+A source plugin implements a new sinsp/scap event source. It has the ability to "open" and "close" a session that provides events. It also has the ability to return an event to the plugin framework via a next() method. Events returned by source plugins have an "event source", which describes the information in the event. This is distinct from the plugin name to allow for multiple kinds of plugins to generate the same kind of events. For example, there might be plugins gke-audit-bridge, eks-audit-bridge, ibmcloud-audit-bridge, etc. that all fetch [K8s Audit](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) information. The plugins would have different names but would have the same event source "k8s_audit".
+
+Source plugins also have the ability to extract information from events based on fields. For example, a field proc.name extracts a process name from a syscall event. The plugin returns a set of supported fields, and there are functions to extract a value given an event and field. The plugin framework can then build filtering expressions/Falco rule conditions based on these fields combined with relational and/or logical operators. For example, given an expression "ct.name=root and ct.region=us-east-1", the plugin framework handles parsing the expression, calling the plugin to extract values for a given event, and determining the result of the expression. In a Falco output string like "An EC2 Node was created (name=%ec2.name region=%ct.region)", the plugin framework handles parsing the output string, calling the plugin to extract values for a given event, and building the resolved string.
+
+Source plugins also provide an "id", which is globally unique and is used in capture files (see below).
+
+#### Extractor Plugin
+
+An extractor plugin focuses only on field extraction from events generated by other plugins, or by the core libraries. It does *not* provide an event source, but can extract fields from other event sources. An example is json field extraction, where a plugin might be able to extract fields from arbitrary json payloads.
+
+An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the extractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
+
+### Support for Plugin Events in Capture Files.
+
+libscap will define a new event type called "pluginevent" that contains two fields:
+
+* "plugin ID": This uniquely identifies the plugin that generated this event.
+* "event_data": This is a variable-length data buffer containing the event data, as returned by the plugin.
+
+Defining an event for plugins allows creating capture files from plugins. These capture files can be saved, read, filtered, etc, like any other capture file, allowing for later analysis/display/etc.
+
+### Plugins format
+
+Plugins are dynamic libraries (.so files in Unix, .dll files in windows) that export a minimum set of functions that the libraries will recognize.
+
+Plugins are versioned using semantic versioning to minimize regressions and compatibility issues.
+
+Plugins can be written in any language, as long as they export the required functions. Go, however, is the preferred language to write plugins, followed by C/C++.
+
+### Protecting from plugin issues
+
+The libraries will do everything possible to validate the data coming from the plugins and protect Falco and the other consumers from corrupted data. However, for performance reasons, plugins will be "trusted": they will run in the same thread and address space as Falco and they could crash the program. We assume that the user will be in control of plugin loading and will make sure only trusted plugins are loaded/packaged with Falco.
+
+### Plugin/Event Source registries
+
+Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unambiguously recognize their dependencies.
+
+To facilitate the allocation and distribution of plugin IDs, we will require that plugin developers request IDs for their plugins to the Falco organization. The mechanism used for plugin allocation is not determined yet and will be discussed in the future.
+
+Similarly, plugin developers must register event sources with the Falco organization. This allows coordination between plugins that wish to provide compatible payloads, and to allow extractor plugins to know what data format is associated with a given event source.
+
+### golang plugin SDK
+
+To facilitate the development of plugins written in go, an SDK has been developed. We intend this SDK (and future SDKs for other languages) to be part of the Falco organization. For this reason, we submitted the following incubation request: https://github.com/falcosecurity/evolution/issues/62
+
+### Proposed API (subject to change)
+
+```c
+// This struct represents an event returned by the plugin, and is used
+// below in next()/next_batch().
+// - data: pointer to a memory buffer pointer. The plugin will set it
+//   to point to the memory containing the next event. Once returned,
+//   the memory is owned by the plugin framework and will be freed via
+//   a call to free().
+// - datalen: pointer to a 32bit integer. The plugin will set it the size of the
+//   buffer pointed by data.
+// - ts: the event timestamp. Can be (uint64_t)-1, in which case the engine will
+//   automatically fill the event time with the current time.
+typedef struct ss_plugin_event
+{
+	uint8_t *data;
+	uint32_t datalen;
+	uint64_t ts;
+} ss_plugin_event;
+
+//
+// This is the opaque pointer to the state of a plugin.
+// It points to any data that might be needed plugin-wise. It is
+// allocated by init() and must be destroyed by destroy().
+// It is defined as void because the engine doesn't care what it is
+// and it treats is as opaque.
+//
+typedef void ss_plugin_t;
+
+//
+// This is the opaque pointer to the state of an open instance of the source
+// plugin.
+// It points to any data that is needed while a capture is running. It is
+// allocated by open() and must be destroyed by close().
+// It is defined as void because the engine doesn't care what it is
+// and it treats is as opaque.
+//
+typedef void ss_instance_t;
+
+//
+// Interface for a sinsp/scap source plugin
+//
+//
+// NOTE: For all functions below that return a char *, the memory
+// pointed to by the char * must be allocated by the plugin using
+// malloc() and should be freed by the caller using free().
+//
+// For each function below, the exported symbol from the dynamic
+// library should have a prefix of "plugin_"
+// (e.g. plugin_get_required_api_version, plugin_init, etc.)
+//
+typedef struct
+{
+	//
+	// Return the version of the plugin API used by this plugin.
+	// Required: yes
+	// Return value: the API version string, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// NOTE: to ensure correct interoperability between the engine and the plugins,
+	//       we use a semver approach. Plugins are required to specify the version
+	//       of the API they run against, and the engine will take care of checking
+	//       and enforcing compatibility.
+	//
+	char* (*get_required_api_version)();
+	//
+	// Return the plugin type.
+	// Required: yes
+	// Should return TYPE_SOURCE_PLUGIN. It still makes sense to
+	// have a function get_type() as the plugin interface will
+	// often dlsym() functions from shared libraries, and can't
+	// inspect any C struct type.
+	//
+	uint32_t (*get_type)();
+	//
+	// Initialize the plugin and, if needed, allocate its state.
+	// Required: yes
+	// Arguments:
+	// - config: a string with the plugin configuration. The format of the
+	//   string is chosen by the plugin itself.
+	// - rc: pointer to an integer that will contain the initialization result,
+	//   as a SCAP_* value (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: pointer to the plugin state that will be treated as opaque
+	//   by the engine and passed to the other plugin functions.
+	//   If rc is SCAP_FAILURE, this function should return NULL.
+	//
+	ss_plugin_t* (*init)(char* config, int32_t* rc);
+	//
+	// Destroy the plugin and, if plugin state was allocated, free it.
+	// Required: yes
+	//
+	void (*destroy)(ss_plugin_t* s);
+	//
+	// Return a string with the error that was last generated by
+	// the plugin.
+        // Required: yes
+	//
+	// In cases where any other api function returns an error, the
+	// plugin should be prepared to return a human-readable error
+	// string with more context for the error. The plugin manager
+	// calls get_last_error() to access that string.
+	//
+	char* (*get_last_error)(ss_plugin_t* s);
+	//
+	// Return the unique ID of the plugin.
+	// Required: yes
+	// EVERY SOURCE PLUGIN (see get_type()) MUST OBTAIN AN OFFICIAL ID FROM THE
+	// FALCOSECURITY ORGANIZATION, OTHERWISE IT WON'T PROPERLY COEXIST WITH OTHER PLUGINS.
+	//
+	uint32_t (*get_id)();
+	//
+	// Return the name of the plugin, which will be printed when displaying
+	// information about the plugin.
+	// Required: yes
+	//
+	char* (*get_name)();
+	//
+	// Return the descriptions of the plugin, which will be printed when displaying
+	// information about the plugin or its events.
+	// Required: yes
+	//
+	char* (*get_description)();
+	//
+	// Return a string containing contact info (url, email, twitter, etc) for
+	// the plugin authors.
+	// Required: yes
+	//
+	char* (*get_contact)();
+	//
+	// Return the version of this plugin itself
+	// Required: yes
+	// Return value: a string with a version identifier, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// This differs from the api version in that this versions the
+	// plugin itself, as compared to the plugin interface. When
+	// reading capture files, the major version of the plugin that
+	// generated events must match the major version of the plugin
+	// used to read events.
+	//
+	char* (*get_version)();
+	//
+	// Return a string describing the events generated by this source plugin.
+	// Required: yes
+	// Example event sources would be strings like "syscall",
+	// "k8s_audit", etc.  The source can be used by extractor
+	// plugins to filter the events they receive.
+	//
+	char* (*get_event_source)();
+	//
+	// Return the list of extractor fields exported by this plugin. Extractor
+	// fields can be used in Falco rule conditions and sysdig filters.
+	// Required: no
+	// Return value: a string with the list of fields encoded as a json
+	//   array.
+	//   Each field entry is a json object with the following properties:
+	//     "type": one of "string", "uint64"
+	//     "name": a string with a name for the field
+	//     "desc": a string with a description of the field
+	// Example return value:
+	// [
+	//    {"type": "string", "name": "field1", "desc": "Describing field 1"},
+	//    {"type": "uint64", "name": "field2", "desc": "Describing field 2"}
+	// ]
+	char* (*get_fields)();
+	//
+	// Open the source and start a capture.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin state returned by init()
+	// - params: the open parameters, as a string. The format is defined by the plugin
+	//   itself
+	// - rc: pointer to an integer that will contain the open result, as a SCAP_* value
+	//   (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: a pointer to the open context that will be passed to next(),
+	//   close(), event_to_string() and extract_*.
+	//
+	ss_instance_t* (*open)(ss_plugin_t* s, char* params, int32_t* rc);
+	//
+	// Close a capture.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin context, returned by init(). Can be NULL.
+	// - h: the capture context, returned by open(). Can be NULL.
+	//
+	void (*close)(ss_plugin_t* s, ss_instance_t* h);
+	//
+	// Return the next event.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin context, returned by init(). Can be NULL.
+	// - h: the capture context, returned by open(). Can be NULL.
+	//
+        // - evt: pointer to a ss_plugin_event pointer. The plugin should
+        //   allocate a ss_plugin_event struct using malloc(), as well as
+	//   allocate the data buffer within the ss_plugin_event struct.
+	//   Both the struct and data buffer are owned by the plugin framework
+	//   and will free them using free().
+	//
+	// Return value: the status of the operation (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1,
+	//   SCAP_TIMEOUT=-1)
+	//
+	int32_t (*next)(ss_plugin_t* s, ss_instance_t* h, ss_plugin_event **evt);
+	//
+	// Return the read progress.
+	// Required: no
+	// Arguments:
+	// - progress_pct: the read progress, as a number between 0 (no data has been read)
+	//   and 10000 (100% of the data has been read). This encoding allows the engine to
+	//   print progress decimals without requiring to deal with floating point numbers
+	//   (which could cause incompatibility problems with some languages).
+	// Return value: a string representation of the read
+	//   progress. This might include the progress percentage
+	//   combined with additional context added by the plugin. If
+	//   NULL, progress_pct should be used.
+	// NOTE: reporting progress is optional and in some case could be impossible. However,
+	//       when possible, it's recommended as it provides valuable information to the
+	//       user.
+	//
+	char* (*get_progress)(ss_plugin_t* s, ss_instance_t* h, uint32_t* progress_pct);
+	//
+	// Return a text representation of an event generated by this source plugin.
+	// Required: yes
+	// Arguments:
+	// - data: the buffer from an event produced by next().
+	// - datalen: the length of the buffer from an event produced by next().
+	// Return value: the text representation of the event. This is used, for example,
+	//   by sysdig to print a line for the given event.
+	//
+	char *(*event_to_string)(ss_plugin_t *s, const uint8_t *data, uint32_t datalen);
+	//
+	// Extract a filter field value from an event.
+	// We offer multiple versions of extract(), differing from each other only in
+	// the type of the value they return (string, integer...).
+	// Required: no
+	// Arguments:
+	// - evtnum: the number of the event that is bein processed
+	// - id: the numeric identifier of the field to extract. It corresponds to the
+	//   position of the field in the array returned by get_fields().
+	// - arg: the field argument, if an argument has been specified for the field,
+	//   otherwise it's NULL. For example:
+	//    * if the field specified by the user is foo.bar[pippo], arg will be the
+	//      string "pippo"
+	//    * if the field specified by the user is foo.bar, arg will be NULL
+	// - data: the buffer produced by next().
+	// - datalen: the length of the buffer produced by next().
+	// - field_present: nonzero if the field is present for the given event.
+	// Return value: the produced value of the filter field. For extract_str(), a
+	//   NULL return value means that the field is missing for the given event.
+	//
+	char *(*extract_str)(ss_plugin_t *s, uint64_t evtnum, const char * field, const char *arg, uint8_t *data, uint32_t datalen);
+	uint64_t (*extract_u64)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen, uint32_t *field_present);
+	//
+	// This is an optional, internal, function used to speed up event capture by
+	// batching the calls to next().
+	// On success:
+	//   - nevts will be filled in with the number of events.
+        //   - evts: pointer to an ss_plugin_event pointer. The plugin should
+        //     allocate an array of contiguous ss_plugin_event structs using malloc(),
+	//     as well as allocate each data buffer within each ss_plugin_event
+	//     struct using malloc(). Both the array of structs and each data buffer are
+	//     owned by the plugin framework and will free them using free().
+	// Required: no
+	//
+	int32_t (*next_batch)(ss_plugin_t* s, ss_instance_t* h, uint32_t *nevts, ss_plugin_event **evts);
+	//
+	// This is an optional, internal, function used to speed up value extraction
+	// Required: no
+	//
+	int32_t (*register_async_extractor)(ss_plugin_t *s, async_extractor_info *info);
+
+	//
+	// The following members are PRIVATE for the engine and should not be touched.
+	//
+	ss_plugin_t* state;
+	ss_instance_t* handle;
+	uint32_t id;
+	char *name;
+} source_plugin_info;
+
+//
+// Interface for a sinsp/scap extractor plugin
+//
+//
+// NOTE: For all functions below that return a char *, the memory
+// pointed to by the char * must be allocated by the plugin using
+// malloc() and should be freed by the caller using free().
+//
+typedef struct
+{
+	//
+	// Return the version of the plugin API used by this plugin.
+	// Required: yes
+	// Return value: the API version string, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// NOTE: to ensure correct interoperability between the engine and the plugins,
+	//       we use a semver approach. Plugins are required to specify the version
+	//       of the API they run against, and the engine will take care of checking
+	//       and enforcing compatibility.
+	//
+	char* (*get_required_api_version)();
+	//
+	// Return the plugin type.
+	// Required: yes
+	// Should return TYPE_EXTRACTOR_PLUGIN. It still makes sense to
+	// have a function get_type() as the plugin interface will
+	// often dlsym() functions from shared libraries, and can't
+	// inspect any C struct type.
+	//
+	uint32_t (*get_type)();
+	//
+	// Initialize the plugin and, if needed, allocate its state.
+	// Required: yes
+	// Arguments:
+	// - config: a string with the plugin configuration. The format of the
+	//   string is chosen by the plugin itself.
+	// - rc: pointer to an integer that will contain the initialization result,
+	//   as a SCAP_* value (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: pointer to the plugin state that will be treated as opaque
+	//   by the engine and passed to the other plugin functions.
+	//
+	ss_plugin_t* (*init)(char* config, int32_t* rc);
+	//
+	// Destroy the plugin and, if plugin state was allocated, free it.
+	// Required: yes
+	//
+	void (*destroy)(ss_plugin_t* s);
+	//
+	// Return a string with the error that was last generated by
+	// the plugin.
+        // Required: yes
+	//
+	// In cases where any other api function returns an error, the
+	// plugin should be prepared to return a human-readable error
+	// string with more context for the error. The plugin manager
+	// calls get_last_error() to access that string.
+	//
+	char* (*get_last_error)(ss_plugin_t* s);
+	//
+	// Return the name of the plugin, which will be printed when displaying
+	// information about the plugin.
+	// Required: yes
+	//
+	char* (*get_name)();
+	//
+	// Return the descriptions of the plugin, which will be printed when displaying
+	// information about the plugin or its events.
+	// Required: yes
+	//
+	char* (*get_description)();
+	//
+	// Return a string containing contact info (url, email, twitter, etc) for
+	// the plugin author.
+	// Required: yes
+	//
+	char* (*get_contact)();
+	//
+	// Return the version of this plugin itself
+	// Required: yes
+	// Return value: a string with a version identifier, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// This differs from the api version in that this versions the
+	// plugin itself, as compared to the plugin interface. When
+	// reading capture files, the major version of the plugin that
+	// generated events must match the major version of the plugin
+	// used to read events.
+	//
+	char* (*get_version)();
+	//
+	// Return a string describing the event sources that this
+	// extractor plugin can consume.
+	// Required: no
+	// Return value: a json array of strings containing event
+	//   sources returned by a source plugin's get_event_source()
+	//   function.
+	// This function is optional--if NULL then the extractor
+	// plugin will receive every event.
+	//
+	char* (*get_extract_event_sources)();
+	//
+	// Return the list of extractor fields exported by this plugin. Extractor
+	// fields can be used in Falco rules and sysdig filters.
+	// Required: yes
+	// Return value: a string with the list of fields encoded as a json
+	//   array.
+	//
+	char* (*get_fields)();
+	//
+	// Extract a filter field value from an event.
+	// We offer multiple versions of extract(), differing from each other only in
+	// the type of the value they return (string, integer...).
+	// Required: for plugins of type TYPE_EXTRACTOR_PLUGIN only
+	// Arguments:
+	// - evtnum: the number of the event that is being processed
+	// - id: the numeric identifier of the field to extract. It corresponds to the
+	//   position of the field in the array returned by get_fields().
+	// - arg: the field argument, if an argument has been specified for the field,
+	//   otherwise it's NULL. For example:
+	//    * if the field specified by the user is foo.bar[pippo], arg will be the
+	//      string "pippo"
+	//    * if the field specified by the user is foo.bar, arg will be NULL
+	// - data: the buffer produced by next().
+	// - datalen: the length of the buffer produced by next().
+	// - field_present: nonzero if the field is present for the given event.
+	// Return value: the produced value of the filter field. For extract_str(), a
+	// NULL return value means that the field is missing for the given event.
+	//
+	char *(*extract_str)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen);
+	uint64_t (*extract_u64)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen, uint32_t *field_present);
+} extractor_plugin_info;
+
+```
+
+### Event Sources and Falco Rules
+
+Falco rules already have the notion of a "source", using the source property in rules objects, and there are currently two kinds of event sources: "syscall" and "k8s_audit". We will use the source property in Falco rules to map a given rule to the event source on which the rule runs.
+
+For example, given a plugin with source "aws_cloudtrail", and a Falco rule with source "aws_cloudtrail", the rule will be evaluated for any events generated by the plugin.
+
+Similarly, an extractor plugin that includes "aws_cloudtrail" in its set of event sources will have the opportunity to extract information from aws_cloudtrail events if a matching field is found in the rule's condition, exception, or output properties.
+
+This, combined with the restrictions below, allows a set of loaded rules files to contain a mix of rules for plugins as well as "core" syscall/k8s_audit events.
+
+We will also make a change to compile rules/macros/lists selectively based on the set of loaded plugins (specifically, their event sources), instead of unconditionally as Falco is started. This is especially important for macros, which do not contain a source property, but might contain fields that are only implemented by a given plugin.
+
+### Handling Duplicate/Overlapping Fields in Plugins/Libraries Core
+
+At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts manageable.
+
+Remember that field extraction is always done in the context of an event, and each event can be mapped back to an event source. So we only need to ensure that filtercheck fields are distinct for a given event source. For example, it's perfectly valid for an AWS Cloudtrail plugin to define a proc.name field, as the events generated by that plugin are wholly separate from syscall events. For syscall events, the AWS Cloudtrail plugin is not involved and the core libraries extract the process name for the tid performing a syscall. For AWS Cloudtrail events, the core libraries are not involved in field extraction and is performed by the AWS Cloudtrail plugin instead.
+
+We only need to ensure the following:
+
+* That only one plugin is loaded at a time that exports a given event source. For example, the libraries can load either a gke-audit-bridge plugin with event source k8s_audit, or eks-audit-bridge with event source k8s_audit, but not both.
+* That for a mix of source and extractor plugins having the same event source, that the fields are distinct. For example, a source plugin with source k8s_audit can export ka.* fields, and an extractor plugin with event source k8s_audit can export a jevt.value[/...] field, and the appropriate plugin will be used to extract fields from k8s_audit events as fields are parsed from condition expressions/output format strings.
+
+### Plugin Versions and Falco Rules
+
+To allow rules files to document the plugin versions they are compatible with, we will add a new top-level field `required_plugin_versions` to the Falco rules file format. The field is optional, and if not provided no plugin compatibility checks will be performed. The syntax of `required_plugin_versions` will be the following:
+
+```yaml
+- required_plugin_versions:
+  - name: <plugin_name>
+    version: x.y.z
+  ...
+```
+
+Below required_plugin_versions is a list of objects, where each object has `name` and `version` properties. If a plugin is loaded, and if an entry in `required_plugin_versions` has a matching name, then the loaded plugin version must be semver compatible with the version property.
+
+Falco can load multiple rules files, and each file may contain its own `required_plugin_versions` property. In this case, name+version pairs across all files will be merged, and in the case of duplicate names all provided versions must be compatible.
+
+### Loading the plugins
+
+The mechanics of loading a plugin are implemented in the libraries and leverage the dynamic library functionality of the operating system (dlopen/dlsym in unix, LoadLibrary/GetProcAddress in Windows). The plugin loading code also ensures that:
+
+- the plugin is valid, i.e. that it exports the set of expected symbols
+- the plugin has an api version number that is compatible with the libraries instance
+- that only one source plugin is loaded at a time for a given event source
+- if a mix of source and extractor plugins are loaded for a given event source, that the exported fields have unique names that don't overlap across plugins
+
+#### Loading plugins in falcosecurity/libs
+
+At the libraries level, loading plugins is handled via the static method:
+
+```c++
+void sinsp_plugin::register_plugin(sinsp* inspector, string filepath, char* config, ...)
+```
+
+filepath points to a dynamic library containing code that exports plugin API functions. config contains arbitrary config content which is passed to init().
+
+Note that the code using the libraries is responsible for determining the location of plugin libraries and their configuration.
+
+#### Loading plugins in falcosecurity/falco
+
+Falco will control/configure loading plugins via the new "plugins" property in falco.yaml. Here's an example:
+
+```yaml
+plugins:
+  - name: aws_cloudtrail
+    library_path: aws_cloudtrail/plugin.so
+    init_config: "..."
+    open_params: "..."
+  - name: http_json
+    library_path: http_json/plugin.so
+    init_config_file: http_json/config.txt
+    open_params_file: http_json/params.txt
+
+# Optional
+load_plugins: [aws_cloudtrail]
+```
+
+A new "plugins" property in falco.yaml will define the set of plugins that can be loaded by Falco. The property contains a list of objects, with the following properties:
+
+* name: Only used for load_plugins, but by convention should be the same as the value returned by the name() api function.
+* library_path: a path to the shared library. The path can be relative, in which case it is relative to Falco's "share" directory under a "plugins" subdirectory e.g. /usr/share/falco/plugins.
+* init_config: If present, the exact configuration text that will be provided as an argument to the init() function.
+* init_config_file: If present, the provided file will be read and the contents will be provided as an argument to the init() function.
+* open_params: If present, the exact params text that will be provided as an argument to the open() function.
+* open_params_file: If present, the provided file will be read and the contents will be provided as an argument to the open() function.
+
+For a given yaml object in the plugins list, only one of init_config/init_config_file and one of open_params/open_params_file can be provided at a time.
+
+A new "load_plugins" property in falco.yaml will allow for loading a subset of the plugins defined in plugins. If present, only the plugins with the provided names will be loaded.
+
+### Examples
+
+We have an initial version working, consisting of:
+
+* A version of falcosecurity/libs that supports the [plugin framework](https://github.com/falcosecurity/libs/tree/new/plugin-system-api-additions)
+* Support code and examples for [writing plugins in go](https://github.com/mstemm/libsinsp-plugin-sdk-go/tree/new/plugin-system-api-additions)
+* A [cloudtrail](https://github.com/mstemm/plugins/tree/new/plugin-system-api-additions) plugin that can generate events from cloudtrail logs and extract fields from those events.
+* A version of Falco that uses all of the above to [load and evaluate rules with plugins](https://github.com/leogr/falco/tree/new/plugin-system-api-additions)

proposals/20221129-artifacts-distribution.md

@@ -0,0 +1,173 @@
+# Artifacts distribution
+
+This proposal aims to define guidelines for the official distribution of artifacts published by Falcosecurity. 
+
+Therefore, to create a unified management of the distribution of artifacts, this document supersedes (for the parts concerning the distributions of artifacts) proposals [Falco Artifacts Scope - Part 1](https://github.com/falcosecurity/falco/blob/master/proposals/20200506-artifacts-scope-part-1.md), [Falco Artifacts Scope - Part 2](https://github.com/falcosecurity/falco/blob/master/proposals/20200506-artifacts-scope-part-2.md), and [Falco Drivers Storage S3](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md) and also extends and generalizes the proposal [Falco Rules and Plugin distribution](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) for [falcoctl](https://github.com/falcosecurity/falcoctl).
+
+## Goals
+
+- Allow users to consume artifacts in a consistent way
+- Define official artifacts
+- Unify distribution mechanism, infrastructure and tooling
+- Provide generic guidelines applicable to any artifact to be distributed
+
+## Non-Goals
+
+- Infra/CI implementation details
+- Supply chain security topics
+
+## Proposal
+
+With officially supported artifacts, we mean that set of artifacts published 
+by Falcosecurity as part of Falco or its ecosystem.
+
+At the time of writing, the Falcosecurity organization distributes several kinds of artifacts in the form of files or container images. They include:
+- Installation packages
+- Helm charts
+- Drivers (eg, kmod, eBPF)
+- Rule files
+- Plugins
+- Other kinds may be added in the future.
+
+Features shipped with **official artifacts are intended for general availability(GA)**, unless otherwise specified (eg. if experimental or non-production ready features are present, they must be indicated in the release notes). 
+
+The same artifacts can be distributed via multiple distribution channels, and each channel can be mirrored. **The [falco.org](https://falco.org/) website must list all official distribution channels and mirrors**. Any distribution channel not listed on our official website must not be considered part of the official distribution. However, maintainers can still use other channels for experimentation or incubating projects eventually.
+
+### Distribution channels
+
+#### HTTP Distribution
+
+Distributing artifacts as plain files via HTTP is mostly intended for **humans, simple and legacy clients** (e.g., a shell script that downloads a file). 
+
+The allowed publishing channels are:
+- **[download.falco.org](https://download.falco.org/)** where most of the file artifacts lives
+- **endpoints made available by GitHub** for the Falcosecurity organization (e.g., release download URL, GitHub pages, etc.).
+
+Typically, all official artifacts that can be shipped as plain files should be published at [download.falco.org](https://download.falco.org/) and available for download. 
+
+Using the GitHub platform is allowed as an alternative assuming that artifacts are published under the Falcosecurity organization and the GitHub platform usage limitations are being respected (a notable example is publishing a [Helm chart index file using GitHub pages](https://falcosecurity.github.io/charts/)).
+
+It is allowed to publish other non-official artifacts (for example, [development builds](https://download.falco.org/?prefix=packages/bin-dev/)), taking that those are correctly denoted.
+
+Introducing other HTTP channels is discouraged. Providing mirrors is discouraged unless required for technical reasons.
+
+#### OCI Distribution
+
+Some artifacts are in the form of Open Container Initiative (OCI) images and require OCI registries to be distributed. Nevertheless, since the [OCI Distribution Spec](https://specs.opencontainers.org/distribution-spec/?v=v1.0.0) allows any content, even regular files can be stored in OCI registries and distributed likewise. Notably, the [Helm project in early 2022 started storing charts in OCI](https://helm.sh/blog/storing-charts-in-oci/) registries. One our tool [falcoctl did the same](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) later.
+
+Distributing artifacts via OCI registries is intended for all compatible consumers (i.e., [falcoctl](https://github.com/falcosecurity/falcoctl)). It is **allowed and encouraged for any artifacts**. All official artifacts should be published so.
+
+The allowed publishing channels are:
+
+
+| Registry | Name | Account URL |
+| -------- | -------- | -------- |
+| `docker.io`    | Docker Hub     | https://hub.docker.com/u/falcosecurity |
+| `ghcr.io`    | Github Packages Container registry     | https://github.com/orgs/falcosecurity/packages |
+
+
+Both channels are equivalent and may publish the same artifacts. However, for historical reasons and to avoid confusion, the **`docker.io` registry should only be used for container images** and not for other kinds of artifacts (e.g., plugins, rules, etc.).
+
+
+Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal reccomends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
+
+
+Official **channels and mirrors must be listed at [falco.org](https://falco.org/)**. 
+
+It is allowed to publish other non-official artifacts, even using image tags, taking that those are correctly denoted.
+
+
+#### Other channels
+
+At the time of writing, no other distribution channels are present or needed. However, in case a new kind of artifact will require a particular distribution mechanism (for example, in case an existing package manager system need to consume the artifact using its protocol), the rule of thumb is first to use the available GitHub features for the Falcosecurity organization, if possible. Users will quickly recognize the association between the artifact and the publisher (i.e., falcosecurity), and for that reason is usually preferable.
+
+In all other cases, introducing a new distribution channel must require extensive discussion among maintainers. Nevertheless, **introducing too many distribution channels is discouraged** because it disperses the effort and can mislead users. 
+
+
+### Publishing
+
+#### Source repository
+
+Artifacts must always be built starting from the originating source code and thru an auditable and reproducible process that runs on our infra. It's recommended that the naming and versioning of the published artifact consistently match the originating repository's naming and versioning. For example, the package `falco-0.33.0-x86_64.tar.gz` must match the source code of the git tag [0.33.0](https://github.com/falcosecurity/falco/tree/0.33.0) of the [falco](https://github.com/falcosecurity/falco) repository.
+
+It's recommended that **each repository publish only one kind of artifact** associated with it. 
+
+Exceptions are allowed for:
+ - mono repos (notably [charts](https://github.com/falcosecurity/charts) and [plugins](https://github.com/falcosecurity/plugins)), 
+ - or whenever technical constraints impose a different approach (notably, our Driver Build Grid lives on [test-infra](https://github.com/falcosecurity/test-infra), but the source code is in [libs](https://github.com/falcosecurity/libs)).
+
+Exceptions should be documented to avoid the users and contributors might be confused.
+
+#### Namespacing
+
+As a general rule, to avoid name clashing among different projects under the Falcosecurity organization, all **published artifacts should reflect the originating repository name** in their publishing URL. For example, all artifacts generated by the [falcosecurity/plugins](https://github.com/falcosecurity/plugins) repository should have `falcosecurity/plugins` as the URL's base path.
+
+Exceptions are allowed for:
+- legacy and already published artifacts (to avoid disruption);
+- justified technical reasons.
+
+#### Versioning
+
+All published artifacts must be labeled with version numbers following the **[Semantic Versioning 2 specification](https://semver.org/)**.
+
+For the [HTTP Distribution](#http-distribution), the version number must be reflected in the file name (including build metadata like the targeted arch and platform).
+
+For the [OCI Distribution](#oci-distribution), the version number must be reflected in the image tag (build metadata may be avoided if included in the manifest).
+
+### Tooling
+
+Tooling is essential to deliver a consistent and straightforward UX to our users since the limited set of distribution channels is acceptable to provide just one (or a limited set of) tool(s) capable of working with various artifacts published by the Falcosecurity organization.
+
+In this regard, this proposal follows up the [Falco Rules and Plugin distribution](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) proposal and recommends to use of **[falcoctl](https://github.com/falcosecurity/falcoctl) as the tool to managing artifacts specifically intended for Falco**. The tool's design should consider that other kinds of artifacts may be added in the future.
+
+Likewise, relying on existing **third-party tools for generic or well-known kinds of artifacts** (for example, Helm charts) is recommended.
+
+### Ecosystem
+
+Compatibility with other tools on the broader cloud native ecosystem should be considered when dealing with artifacts and their distribution.
+
+It is also recommended to use third-party solutions and projects that facilitate our users' discovery of published artifacts (for example, https://artifacthub.io/).
+
+
+## Action items
+
+The following subsections indicate major action items to be executed in order to transition from the current to the desiderate state of the art, as noted in this proposal.
+
+### Move [Falco rules](https://github.com/falcosecurity/falco/tree/master/rules) to their own repo
+
+Falco rules files (i.e., the ruleset for the data source syscall) are currently only distributed in bundles with Falco. However, now falcoctl can manage rules artifacts so that we can ship them separately.
+
+The benefits of having rules living in their repository are:
+  - dedicated versioning
+  - rules release will not be tied anymore to a Falco release (e.g., no need to wait for the scheduled Falco release to publish a new rule aiming to detect the latest published CVE)
+  - consistent installation/update mechanism with other rulesets (plugins rules are already published in their repository and can be consumed by falcoctl)
+
+Note that this change will not introduce a breaking change: Falco will continue shipping the default ruleset by including the published ruleset package.
+
+### Make `falcoctl` official
+
+Considering the centrality of falcoctl for managing official artifacts for Falco, the falcoctl project must be promoted to "Official" status, and its repository assumed to be [core](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md#core-repositories).
+
+### Deprecate `falco-driver-loader`
+
+At the time of writing, `falco-driver-loader` is a shell script shipped in a bundle with Falco that has the responsibility of installing a driver by either downloading it from our distribution channels or trying to build it on-the-fly.
+
+Our experience showed all the limitations of this approach, and it's now clear that such as script is hard to maintain. Furthermore, its responsibility overlaps with our aim to use `falcoctl` as the tool for managing artifacts.
+
+Thus, this proposal mandates to deprecate of `falco-driver-loader` in favor of `falcoctl.`
+
+However, to avoid user disruption and breaking legacy use case, it's recommended to provide still a faced script that exposes the same command line usage of `falco-driver-loader` but forward its execution to the new tool `falcoctl`.
+
+This implicitly requires that `falcoctl` be shipped in a bundle with Falco.
+
+### Update the documentation
+
+This proposal mandates making use of official documentation (i.e., falco.org) to state official items, such as artifacts, distribution channels, and mirrors.
+
+For that reason, it becomes imperative to update the documentation periodically concerning the list of officially supported distribution channels and mirrors.
+
+### Usage of GitHub Packages
+
+Since GitHub is the primary platform where the Falcosecurity organization hosts its code and infrastructure, its provided features should be preferred whenever possible.
+
+This proposal recommends using the GitHub Packages feature when the need to distribute a new kind of artifact arises. Such as convention should be adopted among all repositories of the organization.

proposals/20230511-roadmap-management.md

@@ -0,0 +1,100 @@
+# Falco Roadmap Management Proposal
+
+## Summary 
+
+This document proposes the introduction of a structured process for managing Falco's roadmap and implementing related changes in our development process. The goal is to ensure the efficient execution of our roadmap objectives.
+
+### Goals
+
+The pillars of this proposal are:
+
+- Define processes for release cycles and development iterations
+- Provide guidelines for planning and prioritizing efforts
+- Introduce regular meetings for core maintainers
+- Using *GitHub Project* as the primary tool for managing *The Falco Project* roadmap
+
+
+### Non-Goals
+
+- Providing an exact set of criteria for task prioritization
+- Detailing testing procedures
+- Providing detailed instructions for GitHub Project usage
+- Addressing hotfix releases
+
+### Scope of this Proposal
+
+Primarily, the roadmap targets the planning of Falco development and releases. However, given Falco's dependence on numerous components, it's inevitable that scheduling and planning activities span across multiple repositories. We anticipate that all [core repositories](https://github.com/falcosecurity/evolution#official) will be interconnected with the roadmap, making it comprehensive enough to incorporate items from all related [Falcosecurity repositories](https://github.com/falcosecurity) as necessary.
+
+This proposal does **not apply to hotfix releases** that may happen whenever needed at the maintainers' discretion.
+
+## Release Cycles and Development Iterations
+
+Falco releases happen 3 times per year. Each release cycle completes, respectively, by the end of January, May, and September.
+
+A **release cycle is a 16-week time frame** between two subsequent releases.
+
+Using this schema, in a 52-week calendar year, we allocate 48 weeks for scheduled activities (16 weeks *x* 3 releases), leaving 4 weeks for breaks.
+
+The 16-week release cycle is further divided into three distinct iterations:
+
+| Iteration Name | Duration | Description |
+|---------------|----------|-------------|
+| Development | 8 weeks | Development phase |
+| Stabilization | 4 weeks | Feature completion and bug fixing |
+| Release Preparation | 4 weeks | Release preparation, testing, bug fixing, no new feature |
+
+### Targeted Release Date
+
+The final week of the *Release Preparation* should conclude before the *last Monday of the release month* (ie. January/May/September). This *last Monday* is designated as the **targeted release date** (when the release is being published), and the remaining part of the week is considered a break period.
+
+### Milestones
+
+For each release, we create a [GitHub Milestone](https://github.com/falcosecurity/falco/milestones) (whose due date must be equal to the target release date). We use the milestone to collect all items to be tentatively completed within the release. 
+
+### Alignment of Falco Components
+
+The release schedule of the [components Falco depends on](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-components-versioning) needs to be synchronized to conform to these stipulations. For instance, a [falcosecurity/libs](https://github.com/falcosecurity/libs) release may be required at least one week prior to the termination of each iteration.
+
+The maintainers are responsible for adapting those components' release schedules and procedures to release cycles and development iterations of Falco. Furthermore, all release processes must be documented and provide clear expectations regarding release dates.
+
+## Project Roadmap
+
+We use the [GitHub Project called *Falco Roadmap*](https://github.com/orgs/falcosecurity/projects/5) to plan and track the progress of each release cycle. The GitHub Project needs to be configured with the above mentioned iterations and break periods, compiled with actual dates. It's recommended to preconfigure the GitHub Project to accommodate the current plus the following three release cycles.
+
+### Roadmap Planning
+
+The roadmap serves as a strategic planning tool that outlines the goals and objectives for Falco. Its purpose is to visually represent the overall direction and timeline, enhance transparency and engage the community.
+
+The onus is on the [Core Maintainers](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md#core-maintainers) to manage the roadmap. In this regard, Core Maintainers meet in **planning sessions on the first week of each calendar month**. 
+
+During these planning sessions, tasks are allocated to the current iteration or postponed to one of the following iterations. The assigned iteration indicates the projected completion date for a particular workstream.
+
+When a session matches with the commencement of an iteration, maintainers convene to assess the planning and prioritize tasks for the iteration. The first planning session of a release cycle must define top priorities for the related release.
+
+## Testing and Quality Assurance (QA)
+
+Each iteration's output must include at least one Falco pre-release (or a viable development build) designated for testing and QA activities. While it's acceptable for these builds to contain unfinished features or known bugs, they must enable any community member to contribute to the testing and QA efforts.
+
+The targeted schedule for these Testing/QA activities should be the **last week of each iteration** (or earlier during the *Release Preparation*).
+
+Testing and Quality Assurance criteria and procedures must be defined and documented across relevant repositories.
+
+Furthermore, given the strong reliance of Falco on [falcosecurity/libs](https://github.com/falcosecurity/libs), the above-mentioned pre-release/build for Testing/QA purposes must be based on the most recent *libs* development for the intended iteration. This means that during each interaction, a *libs* release (either pre or stable) must happen early enough to be used for this purpose.
+
+## Next Steps and Conclusions
+
+The Falco 0.36 release cycle, running from June to September 2023, will mark the initiation of the new process. This cycle will also serve as an experimental phase for refining the process.
+
+Furthermore, as soon as possible, we will kick off a Working Group specifically to ensure smooth execution. This group will involve community members in assisting maintainers with roadmap management. It will provide curated feature suggestions for the roadmap, informed by community needs. This approach would facilitate the core maintainers' decisions, as they would mostly need just to review and adopt these pre-vetted recommendations, enhancing efficiency.
+
+The Working Group's responsibilities will include (non-exhaustive list):
+
+- Address input from the [2023-04-27 Core Maintainers meeting](https://github.com/falcosecurity/community/blob/main/meeting-notes/2023-04-27-Falco-Roadmap-Discussion.md)
+- Sorting and reviewing pending issues to identify key topics for discussion and potential inclusion in the roadmap
+- Establishing protocols not explicitly covered in this document
+- Updating the documentation accordingly
+- Supporting Core Maintainers in managing the [Falco Roadmap GitHub project](https://github.com/orgs/falcosecurity/projects/5)
+- Gathering suggestions from all involved stakeholders to put forward potential enhancements
+
+Finally, we anticipate the need for minor adjustments, which will become apparent only after an initial period of experimentation. Thus we have to intend this process to be flexible enough to adapt to emerging needs and improvements as long as the fundamental spirit of this proposal is upheld.
+