update(cmake): bumped falcoctl to v0.10.1.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
update(ci): replace aarch64 actuated runners with oracle
2026-03-20 11:42:06 +00:00 · 2024-11-21 10:56:21 +01:00 · 2024-11-21 10:56:21 +01:00 · 2024-11-21 10:56:21 +01:00 · 2024-10-08 12:54:09 +02:00 · 2024-10-08 12:54:09 +02:00
237 changed files with 16361 additions and 10934 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -1,16 +1,36 @@
---
 Language: Cpp
-BasedOnStyle: LLVM
-AccessModifierOffset: -8
-BreakBeforeBraces: Allman
+BasedOnStyle: Google
+AccessModifierOffset: -4
+BreakBeforeBraces: Attach
+AllowAllArgumentsOnNextLine: false
+AllowAllConstructorInitializersOnNextLine: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+BinPackArguments: false
+BinPackParameters: false
+ColumnLimit: 100
+DerivePointerBinding: false
+IndentCaseLabels: false
+IndentWidth: 4
+SpaceAfterTemplateKeyword: false
+TabWidth: 4
+UseTab: ForIndentation
 BreakConstructorInitializers: AfterColon
-ColumnLimit: 0
 ConstructorInitializerIndentWidth: 8
 ContinuationIndentWidth: 8
 DerivePointerAlignment: true
-IndentWidth: 8
-SortIncludes: false
-SpaceAfterTemplateKeyword: false
+SortIncludes: Never
 SpaceBeforeCtorInitializerColon: false
 SpaceBeforeParens: Never
-UseTab: Always
+InsertNewlineAtEOF: true
+---
+Language: Proto
+DisableFormat: true
+---
+Language: JavaScript
+DisableFormat: true
+---
+Language: Java
+DisableFormat: true
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@@ -0,0 +1,3 @@
+# These files contain some JSON schema definitions that are not C++ code
+userspace/falco/config_json_schema.h
+userspace/engine/rule_json_schema.h
--- a/.cmake-format
+++ b/.cmake-format
@@ -1,119 +0,0 @@
-# --------------------------
-# General Formatting Options
-# --------------------------
-# How wide to allow formatted cmake files
-line_width = 120
-
-# How many spaces to tab for indent
-tab_size = 2
-
-# If arg lists are longer than this, break them always
-max_subargs_per_line = 3
-
-# If true, separate flow control names from their parentheses with a space
-separate_ctrl_name_with_space = False
-
-# If true, separate function names from parentheses with a space
-separate_fn_name_with_space = False
-
-# If a statement is wrapped to more than one line, than dangle the closing
-# parenthesis on it's own line
-dangle_parens = False
-
-# If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this among, then force reject un-nested
-# layouts.
-max_prefix_chars = 2
-
-# If a candidate layout is wrapped horizontally but it exceeds this many lines,
-# then reject the layout.
-max_lines_hwrap = 2
-
-# What style line endings to use in the output.
-line_ending = 'unix'
-
-# Format command names consistently as 'lower' or 'upper' case
-command_case = 'canonical'
-
-# Format keywords consistently as 'lower' or 'upper' case
-keyword_case = 'unchanged'
-
-# Specify structure for custom cmake functions
-additional_commands = {
-  "pkg_find": {
-    "kwargs": {
-      "PKG": "*"
-    }
-  }
-}
-
-# A list of command names which should always be wrapped
-always_wrap = []
-
-# Specify the order of wrapping algorithms during successive reflow attempts
-algorithm_order = [0, 1, 2, 3, 4]
-
-# If true, the argument lists which are known to be sortable will be sorted
-# lexicographically
-enable_sort = True
-
-# If true, the parsers may infer whether or not an argument list is sortable
-# (without annotation).
-autosort = False
-
-# If a comment line starts with at least this many consecutive hash characters,
-# then don't lstrip() them off. This allows for lazy hash rulers where the first
-# hash char is not separated by space
-hashruler_min_length = 10
-
-# A dictionary containing any per-command configuration overrides. Currently
-# only `command_case` is supported.
-per_command = {}
-
-
-# --------------------------
-# Comment Formatting Options
-# --------------------------
-# What character to use for bulleted lists
-bullet_char = '*'
-
-# What character to use as punctuation after numerals in an enumerated list
-enum_char = '.'
-
-# enable comment markup parsing and reflow
-enable_markup = True
-
-# If comment markup is enabled, don't reflow the first comment block in each
-# listfile. Use this to preserve formatting of your copyright/license
-# statements.
-first_comment_is_literal = False
-
-# If comment markup is enabled, don't reflow any comment block which matches
-# this (regex) pattern. Default is `None` (disabled).
-literal_comment_pattern = None
-
-# Regular expression to match preformat fences in comments
-# default=r'^\s*([`~]{3}[`~]*)(.*)$'
-fence_pattern = '^\\s*([`~]{3}[`~]*)(.*)$'
-
-# Regular expression to match rulers in comments
-# default=r'^\s*[^\w\s]{3}.*[^\w\s]{3}$'
-ruler_pattern = '^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'
-
-# If true, then insert a space between the first hash char and remaining hash
-# chars in a hash ruler, and normalize it's length to fill the column
-canonicalize_hashrulers = True
-
-
-# ---------------------------------
-# Miscellaneous Options
-# ---------------------------------
-# If true, emit the unicode byte-order mark (BOM) at the start of the file
-emit_byteorder_mark = False
-
-# Specify the encoding of the input file. Defaults to utf-8.
-input_encoding = 'utf-8'
-
-# Specify the encoding of the output file. Defaults to utf-8. Note that cmake
-# only claims to support utf-8 so be careful when using anything else
-output_encoding = 'utf-8'
--- a/.cmake-format.json
+++ b/.cmake-format.json
@@ -0,0 +1,254 @@
+{
+	"_help_format": "Options affecting formatting.",
+	"format": {
+		"_help_disable": [
+			"Disable formatting entirely, making cmake-format a no-op"
+		],
+		"disable": false,
+		"_help_line_width": [
+			"How wide to allow formatted cmake files"
+		],
+		"line_width": 100,
+		"_help_tab_size": [
+			"How many spaces to tab for indent"
+		],
+		"tab_size": 4,
+		"_help_use_tabchars": [
+			"If true, lines are indented using tab characters (utf-8",
+			"0x09) instead of <tab_size> space characters (utf-8 0x20).",
+			"In cases where the layout would require a fractional tab",
+			"character, the behavior of the  fractional indentation is",
+			"governed by <fractional_tab_policy>"
+		],
+		"use_tabchars": true,
+		"_help_fractional_tab_policy": [
+			"If <use_tabchars> is True, then the value of this variable",
+			"indicates how fractional indentions are handled during",
+			"whitespace replacement. If set to 'use-space', fractional",
+			"indentation is left as spaces (utf-8 0x20). If set to",
+			"`round-up` fractional indentation is replaced with a single",
+			"tab character (utf-8 0x09) effectively shifting the column",
+			"to the next tabstop"
+		],
+		"fractional_tab_policy": "use-space",
+		"_help_max_subgroups_hwrap": [
+			"If an argument group contains more than this many sub-groups",
+			"(parg or kwarg groups) then force it to a vertical layout."
+		],
+		"max_subgroups_hwrap": 2,
+		"_help_max_pargs_hwrap": [
+			"If a positional argument group contains more than this many",
+			"arguments, then force it to a vertical layout."
+		],
+		"max_pargs_hwrap": 6,
+		"_help_max_rows_cmdline": [
+			"If a cmdline positional group consumes more than this many",
+			"lines without nesting, then invalidate the layout (and nest)"
+		],
+		"max_rows_cmdline": 2,
+		"_help_separate_ctrl_name_with_space": [
+			"If true, separate flow control names from their parentheses",
+			"with a space"
+		],
+		"separate_ctrl_name_with_space": false,
+		"_help_separate_fn_name_with_space": [
+			"If true, separate function names from parentheses with a",
+			"space"
+		],
+		"separate_fn_name_with_space": false,
+		"_help_dangle_parens": [
+			"If a statement is wrapped to more than one line, than dangle",
+			"the closing parenthesis on its own line."
+		],
+		"dangle_parens": true,
+		"_help_dangle_align": [
+			"If the trailing parenthesis must be 'dangled' on its on",
+			"line, then align it to this reference: `prefix`: the start",
+			"of the statement,  `prefix-indent`: the start of the",
+			"statement, plus one indentation  level, `child`: align to",
+			"the column of the arguments"
+		],
+		"dangle_align": "prefix",
+		"_help_min_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is smaller than this amount, then force reject",
+			"nested layouts."
+		],
+		"min_prefix_chars": 4,
+		"_help_max_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is larger than the tab width by more than this",
+			"amount, then force reject un-nested layouts."
+		],
+		"max_prefix_chars": 10,
+		"_help_max_lines_hwrap": [
+			"If a candidate layout is wrapped horizontally but it exceeds",
+			"this many lines, then reject the layout."
+		],
+		"max_lines_hwrap": 2,
+		"_help_line_ending": [
+			"What style line endings to use in the output."
+		],
+		"line_ending": "unix",
+		"_help_command_case": [
+			"Format command names consistently as 'lower' or 'upper' case"
+		],
+		"command_case": "canonical",
+		"_help_keyword_case": [
+			"Format keywords consistently as 'lower' or 'upper' case"
+		],
+		"keyword_case": "unchanged",
+		"_help_always_wrap": [
+			"A list of command names which should always be wrapped"
+		],
+		"always_wrap": [],
+		"_help_enable_sort": [
+			"If true, the argument lists which are known to be sortable",
+			"will be sorted lexicographicall"
+		],
+		"enable_sort": true,
+		"_help_autosort": [
+			"If true, the parsers may infer whether or not an argument",
+			"list is sortable (without annotation)."
+		],
+		"autosort": false,
+		"_help_require_valid_layout": [
+			"By default, if cmake-format cannot successfully fit",
+			"everything into the desired linewidth it will apply the",
+			"last, most agresive attempt that it made. If this flag is",
+			"True, however, cmake-format will print error, exit with non-",
+			"zero status code, and write-out nothing"
+		],
+		"require_valid_layout": false,
+		"_help_layout_passes": [
+			"A dictionary mapping layout nodes to a list of wrap",
+			"decisions. See the documentation for more information."
+		],
+		"layout_passes": {}
+	},
+	"_help_markup": "Options affecting comment reflow and formatting.",
+	"markup": {
+		"_help_bullet_char": [
+			"What character to use for bulleted lists"
+		],
+		"bullet_char": "*",
+		"_help_enum_char": [
+			"What character to use as punctuation after numerals in an",
+			"enumerated list"
+		],
+		"enum_char": ".",
+		"_help_first_comment_is_literal": [
+			"If comment markup is enabled, don't reflow the first comment",
+			"block in each listfile. Use this to preserve formatting of",
+			"your copyright/license statements."
+		],
+		"first_comment_is_literal": false,
+		"_help_literal_comment_pattern": [
+			"If comment markup is enabled, don't reflow any comment block",
+			"which matches this (regex) pattern. Default is `None`",
+			"(disabled)."
+		],
+		"literal_comment_pattern": null,
+		"_help_fence_pattern": [
+			"Regular expression to match preformat fences in comments",
+			"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
+		],
+		"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
+		"_help_ruler_pattern": [
+			"Regular expression to match rulers in comments default=",
+			"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
+		],
+		"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
+		"_help_explicit_trailing_pattern": [
+			"If a comment line matches starts with this pattern then it",
+			"is explicitly a trailing comment for the preceding",
+			"argument. Default is '#<'"
+		],
+		"explicit_trailing_pattern": "#<",
+		"_help_hashruler_min_length": [
+			"If a comment line starts with at least this many consecutive",
+			"hash characters, then don't lstrip() them off. This allows",
+			"for lazy hash rulers where the first hash char is not",
+			"separated by space"
+		],
+		"hashruler_min_length": 10,
+		"_help_canonicalize_hashrulers": [
+			"If true, then insert a space between the first hash char and",
+			"remaining hash chars in a hash ruler, and normalize its",
+			"length to fill the column"
+		],
+		"canonicalize_hashrulers": true,
+		"_help_enable_markup": [
+			"enable comment markup parsing and reflow"
+		],
+		"enable_markup": true
+	},
+	"_help_lint": "Options affecting the linter",
+	"lint": {
+		"_help_disabled_codes": [
+			"a list of lint codes to disable"
+		],
+		"disabled_codes": [],
+		"_help_function_pattern": [
+			"regular expression pattern describing valid function names"
+		],
+		"function_pattern": "[0-9a-z_]+",
+		"_help_macro_pattern": [
+			"regular expression pattern describing valid macro names"
+		],
+		"macro_pattern": "[0-9A-Z_]+",
+		"_help_global_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global (cache) scope"
+		],
+		"global_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_internal_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global scope (but internal semantic)"
+		],
+		"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
+		"_help_local_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with local scope"
+		],
+		"local_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_private_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"privatedirectory variables"
+		],
+		"private_var_pattern": "_[0-9a-z_]+",
+		"_help_public_var_pattern": [
+			"regular expression pattern describing valid names for public",
+			"directory variables"
+		],
+		"public_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_argument_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"function/macro arguments and loop variables."
+		],
+		"argument_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_keyword_pattern": [
+			"regular expression pattern describing valid names for",
+			"keywords used in functions or macros"
+		],
+		"keyword_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_max_conditionals_custom_parser": [
+			"In the heuristic for C0201, how many conditionals to match",
+			"within a loop in before considering the loop a parser."
+		],
+		"max_conditionals_custom_parser": 2,
+		"_help_min_statement_spacing": [
+			"Require at least this many newlines between statements"
+		],
+		"min_statement_spacing": 1,
+		"_help_max_statement_spacing": [
+			"Require no more than this many newlines between statements"
+		],
+		"max_statement_spacing": 2,
+		"max_returns": 6,
+		"max_branches": 12,
+		"max_arguments": 5,
+		"max_localvars": 15,
+		"max_statements": 50
+	}
+}
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,2 @@
+# This commit formatted the Falco code for the first time.
+50b98b30e588eadce641136da85bc94a60eb6a3d
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,16 +12,29 @@ concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true  

+permissions:  
+  contents: read
+  
 jobs:
  fetch-version:
    uses: ./.github/workflows/reusable_fetch_version.yaml

-  build-dev-packages:
+  build-dev-packages-sanitizers-x86_64:
    needs: [fetch-version]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: x86_64
      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
+
+  build-dev-packages-x86_64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Release

  build-dev-packages-arm64:
    needs: [fetch-version]
@@ -29,21 +42,26 @@ jobs:
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: false

  test-dev-packages:
-    needs: [fetch-version, build-dev-packages]
+    needs: [fetch-version, build-dev-packages-sanitizers-x86_64]
    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
    with:
      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      sanitizers: true
+      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ needs.fetch-version.outputs.version }}

  test-dev-packages-arm64:
-    needs: [fetch-version, build-dev-packages]
+    needs: [fetch-version, build-dev-packages-arm64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    strategy:
      fail-fast: false
@@ -80,6 +98,7 @@ jobs:
      arch: x86_64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: false
+      sanitizers: true
      build_type: Debug
      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"

--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -18,10 +18,13 @@ on:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]

+permissions:  
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
@@ -42,7 +45,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,16 +63,11 @@ jobs:

    - name: Prepare project
      run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On ..
-          popd
+          cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On

    - name: Build
      run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,6 +1,10 @@
 name: Codespell
 on:
  pull_request:
+    
+permissions:  
+  contents: read
+
 jobs:
  codespell:
    runs-on: ubuntu-latest
--- a/.github/workflows/engine-version-weakcheck.yaml
+++ b/.github/workflows/engine-version-weakcheck.yaml
@@ -9,6 +9,9 @@ on:
      - 'userspace/engine/*.cpp'
      - 'userspace/engine/*.h'

+permissions:  
+  contents: read
+
 jobs:
  paths-filter:
    runs-on: ubuntu-latest
--- a/.github/workflows/format.yaml
+++ b/.github/workflows/format.yaml
@@ -0,0 +1,38 @@
+name: Format code
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - "release/**"
+
+jobs:
+  format:
+    name: format code 🐲
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository 🎉
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends ca-certificates pip git
+          pip install pre-commit
+
+      - name: Run pre-commit ©️
+        run: |
+          pre-commit run --all-files
+
+      - name: Generate the git-diff 🚒
+        if: failure()
+        run: git diff > format_diff.patch
+
+      - name: Upload the git diff artifact 📦
+        if: failure()
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: format_diff.patch
+          path: ./format_diff.patch
--- a/.github/workflows/insecure-api.yaml
+++ b/.github/workflows/insecure-api.yaml
@@ -6,12 +6,15 @@ on:
      - 'release/**'
      - 'maintainers/**'

+permissions:  
+  contents: read
+
 jobs:
  insecure-api:
    name: check-insecure-api
    runs-on: ubuntu-latest
    container:
-      image: returntocorp/semgrep:1.41.0@sha256:85956fbe795a0e8a3825d5252f175887c0e0c6ce7a766a07062c0fb68415cd67
+      image: semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Falco ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -6,7 +6,7 @@ on:
 # Checks if any concurrent jobs is running for master CI and eventually cancel it
 concurrency:
  group: ci-master
-  cancel-in-progress: true  
+  cancel-in-progress: true

 jobs:
  fetch-version:
@@ -31,13 +31,15 @@ jobs:
  test-dev-packages:
    needs: [fetch-version, build-dev-packages]
    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
    with:
      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ needs.fetch-version.outputs.version }}
  
  test-dev-packages-arm64:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,7 +7,7 @@ on:
 concurrency:
  group: ci-release
  cancel-in-progress: true  
-
+  
 jobs:
  release-settings:
    runs-on: ubuntu-latest
@@ -16,7 +16,7 @@ jobs:
      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
    steps:
      - name: Get latest release
-        uses: rez0n/actions-github-release@v2.0
+        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
        id: latest_release
        env:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -69,13 +69,16 @@ jobs:
  test-packages:
    needs: [release-settings, build-packages]
    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
    with:
      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ github.event.release.tag_name }}
  
  test-packages-arm64:
@@ -137,7 +140,7 @@ jobs:
        run: |
          cp .github/release_template.md release-body.md
          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
-          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
+          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
          
@@ -147,7 +150,7 @@ jobs:
          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
          
      - name: Generate release notes
-        uses: leodido/rn2md@1378404a058ecf86701f3ab533d487333fc675a7
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md
--- a/.github/workflows/reusable_build_dev.yaml
+++ b/.github/workflows/reusable_build_dev.yaml
@@ -14,6 +14,11 @@ on:
        description: Minimal build
        required: true
        type: boolean
+      sanitizers:
+        description: Enable sanitizer support
+        required: false
+        default: false
+        type: boolean
      build_type:
        description: One of 'Debug' or 'Release'
        required: true
@@ -28,10 +33,13 @@ on:
        default: ''
        type: string

+permissions: 
+  contents: read
+
 jobs:
  build-and-test:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-22.04' }}
    outputs:
      cmdout: ${{ steps.run_cmd.outputs.out }}
    steps:
@@ -53,22 +61,23 @@ jobs:

      - name: Prepare project
        run: |
-          mkdir build
-          pushd build
-          cmake \
+          cmake -B build -S .\
            -DBUILD_FALCO_UNIT_TESTS=On \
            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DBUILD_FALCO_MODERN_BPF=Off \
            -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
-            ..
-          popd
+            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_BUNDLED_DEPS=Off \
+            -DUSE_BUNDLED_NLOHMANN_JSON=On \
+            -DUSE_BUNDLED_CXXOPTS=On \
+            -DUSE_BUNDLED_CPPHTTPLIB=On \

      - name: Build
        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

      - name: Run unit tests
        run: |
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -24,10 +24,14 @@ on:
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
 # In this way, we don't need to publish any arch specific image, 
 # and this "build" workflow is actually only building images.
+
+permissions:  
+  contents: read
+
 jobs:
  build-docker:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
    env:
      TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
    steps:
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -10,117 +10,148 @@ on:
        description: The Falco version to use when building packages
        required: true
        type: string
+      build_type:
+        description: The build type
+        required: false
+        type: string
+        default: 'Release'
+      sanitizers:
+        description: enable sanitizer support
+        required: false
+        type: boolean
+        default: false
+
+permissions:  
+  contents: read

 jobs:
  build-modern-bpf-skeleton:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
    container: fedora:latest
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
        run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
-    
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
+
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Build modern BPF skeleton
        run: |
-          mkdir skeleton-build && cd skeleton-build
-          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
-          make ProbeSkeleton -j6
-          
+          cmake -B skeleton-build -S . \
+                -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
+          cmake --build skeleton-build --target ProbeSkeleton -j6
+
      - name: Upload skeleton
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
          retention-days: 1
-          
+
  build-packages:
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
    needs: [build-modern-bpf-skeleton]
    container: centos:7
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Install build dependencies
+      - name: Fix mirrors to use vault.centos.org
+        run: |
+          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
+          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
+          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
+
+      - name: Install scl repos
        run: |
          yum -y install centos-release-scl
+
+      - name: Fix new mirrors to use vault.centos.org
+        run: |
+          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
+          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
+          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
+
+      - name: Fix arm64 scl repos to use correct mirror
+        if: inputs.arch == 'aarch64'
+        run: |
+          sed -i 's/vault.centos.org\/centos/vault.centos.org\/altarch/g' /etc/yum.repos.d/CentOS-SCLo-scl*.repo
+
+      - name: Install build deps
+        run: |
          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
-    
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
+
      - name: Checkout
        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-    
+
      - name: Download skeleton
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp
-          
+
      - name: Install updated cmake
        run: |
-          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
-          gzip -d /tmp/cmake.tar.gz
-          tar -xpf /tmp/cmake.tar --directory=/tmp
-          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
-          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
-    
+          curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
+            | tar --directory=/usr --strip-components=1 -xzp
+
      - name: Prepare project
        run: |
-          mkdir build && cd build
          source /opt/rh/devtoolset-9/enable
-          cmake \
-              -DCMAKE_BUILD_TYPE=Release \
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
-              -DBUILD_FALCO_MODERN_BPF=ON \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DBUILD_BPF=Off \
-              -DFALCO_VERSION=${{ inputs.version }} \
-              ..
-              
+              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
+              -DFALCO_VERSION=${{ inputs.version }}
+
      - name: Build project
        run: |
-          cd build
          source /opt/rh/devtoolset-9/enable
-          make falco -j6
-      
+          cmake --build build --target falco -j6
+
      - name: Build packages
        run: |
-          cd build
          source /opt/rh/devtoolset-9/enable
-          make package
+          cmake --build build --target package

      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz
-            
+
      - name: Upload Falco deb package
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.deb
          path: |
            ${{ github.workspace }}/build/falco-*.deb
-      
+
      - name: Upload Falco rpm package
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.rpm
          path: |
            ${{ github.workspace }}/build/falco-*.rpm
-            
+
+  # The musl build job is currently disabled because we link libelf dynamically and it is
+  # not possible to dynamically link with musl
  build-musl-package:
    # x86_64 only for now
-    if: ${{ inputs.arch == 'x86_64' }}
+    # if: ${{ inputs.arch == 'x86_64' }}
+    if: false
    runs-on: ubuntu-latest
    container: alpine:3.17
    steps:
@@ -128,32 +159,33 @@ jobs:
      - name: Install build dependencies
        run: |
          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-    
+
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
-          
+
      - name: Prepare project
        run: |
-          mkdir build && cd build
-          cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
-          
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+                -DCPACK_GENERATOR=TGZ \
+                -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
+                -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
+
      - name: Build project
        run: |
-          cd build
-          make -j6 all
-      
+          cmake --build build -j6
+
      - name: Build packages
        run: |
-          cd build
-          make -j6 package
+          cmake --build build -j6 --target package

      - name: Rename static package
        run: |
          cd build
-          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
-          
+          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
+
      - name: Upload Falco static package
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
@@ -175,41 +207,39 @@ jobs:
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
        with:
          node-version: 14
-    
+
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
-          
+
      - name: Prepare project
        run: |
-          mkdir build && cd build
-          emcmake cmake \
+          emcmake cmake -B build -S . \
            -DBUILD_BPF=Off \
            -DBUILD_DRIVER=Off \
-            -DBUILD_LIBSCAP_MODERN_BPF=OFF \
-            -DCMAKE_BUILD_TYPE=Release \
+            -DBUILD_FALCO_MODERN_BPF=Off \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
            -DUSE_BUNDLED_DEPS=On \
            -DFALCO_ETC_DIR=/etc/falco \
            -DBUILD_FALCO_UNIT_TESTS=On \
-            -DFALCO_VERSION=${{ inputs.version }} \
-            ..
-          
+            -DFALCO_VERSION=${{ inputs.version }}
+
      - name: Build project
        run: |
          cd build
          emmake make -j6 all
-      
+
      - name: Run unit Tests
        run: |
          cd build
          node ./unit_tests/falco_unit_tests.js
-      
+
      - name: Build packages
        run: |
          cd build
          emmake make -j6 package
-          
+
      - name: Upload Falco WASM package
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
@@ -226,19 +256,18 @@ jobs:
        with:
          fetch-depth: 0

+      # NOTE: Backslash doesn't work as line continuation on Windows.
      - name: Prepare project
        run: |
-          mkdir build
-          cd build
-          cmake -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }} ..
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
-          cmake --build build --target package --config Release
+          cmake --build build --target package --config ${{ inputs.build_type }}

      - name: Run unit Tests
        run: |
-          build/unit_tests/Release/falco_unit_tests.exe
+          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe

      - name: Upload Falco win32 installer
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -251,7 +280,7 @@ jobs:
        with:
          name: falco-${{ inputs.version }}-win32.exe
          path: |
-            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe

  build-macos-package:
    if: ${{ inputs.arch == 'x86_64' }}
@@ -264,9 +293,8 @@ jobs:

      - name: Prepare project
        run: |
-          mkdir build
-          cd build
-          cmake -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }} ..
+          cmake -B build -S . \
+                -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
--- a/.github/workflows/reusable_fetch_version.yaml
+++ b/.github/workflows/reusable_fetch_version.yaml
@@ -5,34 +5,36 @@ on:
      version:
        description: "Falco version"
        value: ${{ jobs.fetch-version.outputs.version }}
-    
+
+permissions:  
+  contents: read
+
 jobs:
  # We need to use an ubuntu-latest to fetch Falco version because
  # Falco version is computed by some cmake scripts that do git sorceries
  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # But centos7 jobs have a git version too old and actions/checkout does not
  # fully clone the repo, but uses http rest api instead.
  fetch-version:
    runs-on: ubuntu-latest
    # Map the job outputs to step outputs
    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
+      version: ${{ steps.store_version.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
-          
+
      - name: Install build dependencies
        run: |
-          sudo apt update 
+          sudo apt update
          sudo apt install -y cmake build-essential
-      
+
      - name: Configure project
        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
+          cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off
+
      - name: Load and store Falco version output
        id: store_version
        run: |
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -152,9 +152,7 @@ jobs:

      - name: Setup Cosign
        if: inputs.sign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-        with:
-          cosign-release: v2.0.2
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign images with cosign
        if: inputs.sign
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -65,12 +65,21 @@ jobs:
          name: falco-${{ inputs.version }}-aarch64.tar.gz
          path: /tmp/falco-build-bin

+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
      - name: Download static binary x86_64
+        if: false
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
          path: /tmp/falco-build-bin-static

+      - name: Download WASM package
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: falco-${{ inputs.version }}-wasm.tar.gz
+          path: /tmp/falco-wasm
+
      - name: Import gpg key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
@@ -81,6 +90,10 @@ jobs:
          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256

+      - name: Publish wasm
+        run: |
+          ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz
+          
      - name: Publish rpm
        run: |
          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
@@ -89,11 +102,14 @@ jobs:
        run: |
          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-          
+
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
      - name: Publish static
+        if: false
        run: |
          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          
+
  publish-packages-deb:
    runs-on: ubuntu-latest
    container: docker.io/debian:stable
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -15,27 +15,24 @@ on:
        description: The Falco version to use when testing packages
        required: true
        type: string
+      sanitizers:
+        description: Use sanitizer enabled build
+        required: false
+        default: false
+        type: boolean

+permissions:  
+  contents: read
+  
 jobs:
  test-packages:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
    steps:
-      - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        with:
-          fetch-depth: 0
-          submodules: 'true'
-      
-      - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          go-version: '>=1.17.0'
-
      - name: Download binary
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
-          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
      
      - name: Install Falco package
        run: |
@@ -43,54 +40,29 @@ jobs:
          tar -xvf $(ls falco-*.tar.gz)
          cd falco-${{ inputs.version }}-${{ inputs.arch }}
          sudo cp -r * /
-      
-      # Note: most probably the plugin related tests should be moved to the plugin repo sooner or later.
-      - name: Install needed artifacts using falcoctl
-        if: ${{ inputs.static == false }}
-        run: |
-          sudo mkdir -p /usr/share/falco/plugins
-          sudo falcoctl artifact install k8saudit-rules
-          sudo falcoctl artifact install cloudtrail-rules
     
      # We only run driver loader tests on x86_64
-      - name: Install dependencies for falco-driver-loader tests
+      - name: Install kernel headers for falco-driver-loader tests
        if: ${{ inputs.arch == 'x86_64' }}
        run: |
          sudo apt update -y
-          sudo apt install -y --no-install-recommends build-essential clang make llvm gcc dkms linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)

-      - name: Install go-junit-report
+      # Some builds use sanitizers, we always install support for them so they can run
+      - name: Install sanitizer support
        run: |
-          pushd submodules/falcosecurity-testing
-          go install github.com/jstemmer/go-junit-report/v2@latest
-          popd
-  
-      - name: Generate regression test files
-        run: |
-          pushd submodules/falcosecurity-testing
-          go generate ./...
-          popd
-
-      - name: Run regression tests
+          sudo apt update -y
+          sudo apt install -y libasan5 libubsan1
+          
+      - name: Run tests
        env:
-          # fixme(leogr): this is a workaround for https://github.com/falcosecurity/falco/issues/2784
-          HOST_ROOT: ""
-        run: |
-          pushd submodules/falcosecurity-testing
-          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          if ${{ inputs.static && 'false' || 'true' }}; then
-            ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            if ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}; then
-                sudo ./build/falco-driver-loader.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            fi    
-          fi
-          cat ./report.txt | go-junit-report -set-exit-code > report.xml
-          popd
-
-      - name: Test Summary
-        if: always() # run this even if previous step fails
-        uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
+          LSAN_OPTIONS: "intercept_tls_get_addr=0"
+        uses: falcosecurity/testing@main 
        with:
-          paths: "submodules/falcosecurity-testing/report.xml"
-          show: "fail"
+          test-falco: 'true'
+          test-falcoctl: 'true'
+          test-k8saudit: 'true'
+          test-dummy: 'true'
+          static: ${{ inputs.static && 'true' || 'false' }}
+          test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
+          show-all: 'true'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -43,7 +43,7 @@ jobs:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
--- a/.github/workflows/staticanalysis.yaml
+++ b/.github/workflows/staticanalysis.yaml
@@ -1,6 +1,9 @@
 name: StaticAnalysis
 on:
  pull_request:
+permissions:  
+  contents: read
+
 jobs:
  staticanalysis:
    runs-on: ubuntu-22.04
@@ -19,10 +22,11 @@ jobs:

      - name: Build and run cppcheck 🏎️
        run: |
-          mkdir build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
-          make -j4 cppcheck
-          make -j4 cppcheck_htmlreport
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE="release" \
+                -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off
+          cmake --build build -j4 --target cppcheck
+          cmake --build build -j4 --target cppcheck_htmlreport

      - name: Upload reports ⬆️
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,7 +2,3 @@
 	path = submodules/falcosecurity-rules
 	url = https://github.com/falcosecurity/rules.git
 	branch = main
-[submodule "submodules/falcosecurity-testing"]
-	path = submodules/falcosecurity-testing
-	url = https://github.com/falcosecurity/testing.git
-	branch = main
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,23 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+fail_fast: false
+minimum_pre_commit_version: '0'
+repos:
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+    stages: [commit]
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: v18.1.8
+  hooks:
+  - id: clang-format
+    types_or: [c++, c]
+    stages: [commit]
+- repo: local
+  hooks:
+  - id: dco-hook-local
+    name: DCO hook local
+    entry: ./tools/local_hooks/dco-pre-commit-msg.sh
+    language: script
+    stages: [prepare-commit-msg]
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -74,6 +74,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Thought Machine](https://www.thoughtmachine.net) Thought Machine builds Vault Core and Vault Payments: cloud-native core and payments technology enabling banks and fintechs to remain competitive and flourish into the future. Vault Core and Vault Payments are the foundation layer of a bank's technology stack. They can run any bank, any product, and any payment set. Thought Machine uses Falco to perform cloud agnostic real time detections of suspicious container behaviour.

+* [Tulip Retail](https://tulip.com) Tulip Retail uses Falco to monitor container activity in our environments. It's numerous integration points, easy deployment and easily customizable rules were the main reasons we chose Falco.
+
 * [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).

 * [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,444 @@
 # Change Log

+## v0.39.1
+
+Released on 2024-10-09
+
+### Bug Fixes
+
+* fix(engine): allow null init_config for plugin info [[#3372](https://github.com/falcosecurity/falco/pull/3372)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [[#3363](https://github.com/falcosecurity/falco/pull/3363)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/falco): fix event set selection for plugin with parsing capability [[#3368](https://github.com/falcosecurity/falco/pull/3368)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      3 |
+| Total           |      3 |
+
+
+## v0.39.0
+
+Released on 2024-10-01
+
+### Breaking Changes :warning:
+
+* fix(falco_metrics)!: split tags label into multiple `tag_`-prefixed labels [[#3337](https://github.com/falcosecurity/falco/pull/3337)] - [@ekoops](https://github.com/ekoops)
+* fix(falco_metrics)!: use full name for configs and rules files [[#3337](https://github.com/falcosecurity/falco/pull/3337)] - [@ekoops](https://github.com/ekoops)
+* update(falco_metrics)!: rearrange `n_evts_cpu` and `n_drops_cpu` Prometheus metrics to follow best practices [[#3319](https://github.com/falcosecurity/falco/pull/3319)] - [@incertum](https://github.com/incertum)
+* cleanup(userspace/falco)!: drop deprecated -t,-T,-D options. [[#3311](https://github.com/falcosecurity/falco/pull/3311)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* feat(stats): add host_netinfo networking information stats family [[#3344](https://github.com/falcosecurity/falco/pull/3344)] - [@ekoops](https://github.com/ekoops)
+* new(falco): add json_include_message_property to have a message field without date and priority [[#3314](https://github.com/falcosecurity/falco/pull/3314)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(userspace/falco,userspace/engine): rule json schema validation [[#3313](https://github.com/falcosecurity/falco/pull/3313)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): introduce append_output configuration [[#3308](https://github.com/falcosecurity/falco/pull/3308)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(userspace/falco): added --config-schema action to print config schema [[#3312](https://github.com/falcosecurity/falco/pull/3312)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): enable CLI options with -o key={object} [[#3310](https://github.com/falcosecurity/falco/pull/3310)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(config): add `container_engines` config to falco.yaml [[#3266](https://github.com/falcosecurity/falco/pull/3266)] - [@incertum](https://github.com/incertum)
+* new(metrics): add host_ifinfo metric [[#3253](https://github.com/falcosecurity/falco/pull/3253)] - [@incertum](https://github.com/incertum)
+* new(userspace,unit_tests): validate configs against schema [[#3302](https://github.com/falcosecurity/falco/pull/3302)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* update(falco): upgrade libs to 0.18.1 [[#3349](https://github.com/falcosecurity/falco/pull/3349)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(systemd): users can refer to systemd falco services with a consistent unique alias falco.service [[#3332](https://github.com/falcosecurity/falco/pull/3332)] - [@ekoops](https://github.com/ekoops)
+* update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver. [[#3330](https://github.com/falcosecurity/falco/pull/3330)] - [@FedeDP](https://github.com/FedeDP)
+* chore(userspace/falco): deprecate `cri` related CLI options. [[#3329](https://github.com/falcosecurity/falco/pull/3329)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): bumped falcoctl to v0.10.0 and rules to 3.2.0 [[#3327](https://github.com/falcosecurity/falco/pull/3327)] - [@FedeDP](https://github.com/FedeDP)
+* update(falco_metrics): change prometheus rules metric naming [[#3324](https://github.com/falcosecurity/falco/pull/3324)] - [@incertum](https://github.com/incertum)
+
+
+### Bug Fixes
+
+* fix(falco): allow disable_cri_async from both CLI and config [[#3353](https://github.com/falcosecurity/falco/pull/3353)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(engine): sync outputs before printing stats at shutdown [[#3338](https://github.com/falcosecurity/falco/pull/3338)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(falco): allow plugin init_config map in json schema [[#3335](https://github.com/falcosecurity/falco/pull/3335)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set [[#3334](https://github.com/falcosecurity/falco/pull/3334)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* feat(cmake): add conditional builds for falcoctl and rules paths [[#3305](https://github.com/falcosecurity/falco/pull/3305)] - [@tembleking](https://github.com/tembleking)
+* cleanup(falco): ignore lint commit [[#3354](https://github.com/falcosecurity/falco/pull/3354)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(falco): apply code formatting [[#3350](https://github.com/falcosecurity/falco/pull/3350)] - [@poiana](https://github.com/poiana)
+* chore: ignore_some_files for clang format [[#3351](https://github.com/falcosecurity/falco/pull/3351)] - [@Andreagit97](https://github.com/Andreagit97)
+* sync: release 0.39.x [[#3340](https://github.com/falcosecurity/falco/pull/3340)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/engine): improve rule json schema to account for `source` and `required_plugin_versions` [[#3328](https://github.com/falcosecurity/falco/pull/3328)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(falco): use header file for json schema [[#3325](https://github.com/falcosecurity/falco/pull/3325)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(engine): modify append_output format [[#3322](https://github.com/falcosecurity/falco/pull/3322)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore: scaffolding for enabling code formatting [[#3321](https://github.com/falcosecurity/falco/pull/3321)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): bump libs and driver to 0.18.0-rc1. [[#3320](https://github.com/falcosecurity/falco/pull/3320)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): restore master and release CI workflow permissions. [[#3317](https://github.com/falcosecurity/falco/pull/3317)] - [@FedeDP](https://github.com/FedeDP)
+* fixed the token-permission and pinned-dependencies issue [[#3299](https://github.com/falcosecurity/falco/pull/3299)] - [@harshitasao](https://github.com/harshitasao)
+* update(cmake): bump falcoctl to v0.10.0-rc1 [[#3316](https://github.com/falcosecurity/falco/pull/3316)] - [@alacuku](https://github.com/alacuku)
+* ci(insecure-api): update semgrep docker image [[#3315](https://github.com/falcosecurity/falco/pull/3315)] - [@francesco-furlan](https://github.com/francesco-furlan)
+* Add demo environment instructions and docker-config files [[#3295](https://github.com/falcosecurity/falco/pull/3295)] - [@bbl232](https://github.com/bbl232)
+* chore(deps): Bump submodules/falcosecurity-rules from `baecf18` to `b6ad373` [[#3301](https://github.com/falcosecurity/falco/pull/3301)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump libs and driver to latest master  [[#3283](https://github.com/falcosecurity/falco/pull/3283)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(deps): Bump submodules/falcosecurity-rules from `342b20d` to `baecf18` [[#3298](https://github.com/falcosecurity/falco/pull/3298)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(deps): Bump submodules/falcosecurity-rules from `068f0f2` to `342b20d` [[#3288](https://github.com/falcosecurity/falco/pull/3288)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* vote: add sgaist to OWNERS [[#3264](https://github.com/falcosecurity/falco/pull/3264)] - [@sgaist](https://github.com/sgaist)
+* Add Tulip Retail to adopters list [[#3291](https://github.com/falcosecurity/falco/pull/3291)] - [@bbl232](https://github.com/bbl232)
+* chore(deps): Bump submodules/falcosecurity-rules from `28b98b6` to `068f0f2` [[#3282](https://github.com/falcosecurity/falco/pull/3282)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(deps): Bump submodules/falcosecurity-rules from `c0a9bf1` to `28b98b6` [[#3267](https://github.com/falcosecurity/falco/pull/3267)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Added the OpenSSF Scorecard Badge [[#3250](https://github.com/falcosecurity/falco/pull/3250)] - [@harshitasao](https://github.com/harshitasao)
+* chore(deps): Bump submodules/falcosecurity-rules from `ea57e78` to `c0a9bf1` [[#3247](https://github.com/falcosecurity/falco/pull/3247)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake,userspace): bump libs and driver to latest master. [[#3263](https://github.com/falcosecurity/falco/pull/3263)] - [@FedeDP](https://github.com/FedeDP)
+* If rule compilation fails, return immediately [[#3260](https://github.com/falcosecurity/falco/pull/3260)] - [@mstemm](https://github.com/mstemm)
+* new(userspace/engine): generalize indexable ruleset [[#3251](https://github.com/falcosecurity/falco/pull/3251)] - [@mstemm](https://github.com/mstemm)
+* update(cmake): bump libs to master. [[#3249](https://github.com/falcosecurity/falco/pull/3249)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `df963b6` to `ea57e78` [[#3240](https://github.com/falcosecurity/falco/pull/3240)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): enable dummy tests on the testing framework. [[#3233](https://github.com/falcosecurity/falco/pull/3233)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `679a50a` to `df963b6` [[#3231](https://github.com/falcosecurity/falco/pull/3231)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump libs and driver to master. [[#3225](https://github.com/falcosecurity/falco/pull/3225)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `9e56293` to `679a50a` [[#3222](https://github.com/falcosecurity/falco/pull/3222)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(docs): update CHANGELOG for 0.38.0 (master branch) [[#3224](https://github.com/falcosecurity/falco/pull/3224)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     35 |
+| Release note    |     22 |
+| Total           |     57 |
+
+## v0.38.2
+
+Released on 2024-08-19
+
+### Bug Fixes
+
+* fix(engine): fix metrics names to better adhere to best practices [[#3272](https://github.com/falcosecurity/falco/pull/3272)] - [@incertum](https://github.com/incertum)
+* fix(ci): use vault.centos.org for centos:7 CI build. [[#3274](https://github.com/falcosecurity/falco/pull/3274)] - [@FedeDP](https://github.com/FedeDP)
+
+## v0.38.1
+
+Released on 2024-06-19
+
+### Major Changes
+
+* new(metrics): enable plugins metrics [[#3228](https://github.com/falcosecurity/falco/pull/3228)] - [@mrgian](https://github.com/mrgian)
+
+
+### Minor Changes
+
+* cleanup(falco): clarify that --print variants only affect syscalls [[#3238](https://github.com/falcosecurity/falco/pull/3238)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [[#3239](https://github.com/falcosecurity/falco/pull/3239)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Bug Fixes
+
+* fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [[#3236](https://github.com/falcosecurity/falco/pull/3236)] - [@mrgian](https://github.com/mrgian)
+* fix(metrics): allow each metric output channel to be selected independently [[#3232](https://github.com/falcosecurity/falco/pull/3232)] - [@incertum](https://github.com/incertum)
+* fix(userspace/falco): fixed `falco_metrics::to_text` implementation when running with plugins [[#3230](https://github.com/falcosecurity/falco/pull/3230)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      6 |
+| Total           |      6 |
+
+## v0.38.0
+
+Released on 2024-05-30
+
+### Breaking Changes :warning:
+
+* new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [[#3154](https://github.com/falcosecurity/falco/pull/3154)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(falco.yaml)!: remove some deprecated configs [[#3087](https://github.com/falcosecurity/falco/pull/3087)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(docker)!: remove unused builder dockerfile [[#3088](https://github.com/falcosecurity/falco/pull/3088)] - [@Andreagit97](https://github.com/Andreagit97)
+
+More details: https://falco.org/blog/falco-0-38-0/#breaking-changes-and-deprecations
+
+### Major Changes
+
+* new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new `metrics.prometheus_enabled` configuration option. It will only be activated if the `metrics.enabled` is true as well. [[#3140](https://github.com/falcosecurity/falco/pull/3140)] - [@sgaist](https://github.com/sgaist)
+* new(metrics): add `rules_counters_enabled` option [[#3192](https://github.com/falcosecurity/falco/pull/3192)] - [@incertum](https://github.com/incertum)
+* new(build): provide signatures for .tar.gz packages [[#3201](https://github.com/falcosecurity/falco/pull/3201)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(engine): add print_enabled_rules_falco_logger when log_level debug [[#3189](https://github.com/falcosecurity/falco/pull/3189)] - [@incertum](https://github.com/incertum)
+* new(falco): allow selecting which rules to load from the configuration file or command line [[#3178](https://github.com/falcosecurity/falco/pull/3178)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(metrics): add file sha256sum metrics for loaded config and rules files [[#3187](https://github.com/falcosecurity/falco/pull/3187)] - [@incertum](https://github.com/incertum)
+* new(engine): throw an error when an invalid macro/list name is used [[#3116](https://github.com/falcosecurity/falco/pull/3116)] - [@mrgian](https://github.com/mrgian)
+* new(engine): raise warning instead of error on invalid macro/list name [[#3167](https://github.com/falcosecurity/falco/pull/3167)] - [@mrgian](https://github.com/mrgian)
+* new(userspace): support split config files [[#3024](https://github.com/falcosecurity/falco/pull/3024)] - [@FedeDP](https://github.com/FedeDP)
+* new(engine): enforce unique exceptions names [[#3134](https://github.com/falcosecurity/falco/pull/3134)] - [@mrgian](https://github.com/mrgian)
+* new(engine): add warning when appending an exception with no values [[#3133](https://github.com/falcosecurity/falco/pull/3133)] - [@mrgian](https://github.com/mrgian)
+* feat(metrics): coherent metrics stats model  including few metrics naming changes [[#3129](https://github.com/falcosecurity/falco/pull/3129)] - [@incertum](https://github.com/incertum)
+* new(config): add `falco_libs.thread_table_size` [[#3071](https://github.com/falcosecurity/falco/pull/3071)] - [@incertum](https://github.com/incertum)
+* new(proposals): introduce on host anomaly detection framework [[#2655](https://github.com/falcosecurity/falco/pull/2655)] - [@incertum](https://github.com/incertum)
+
+
+### Minor Changes
+
+* update(cmake): bump falcoctl to v0.8.0. [[#3219](https://github.com/falcosecurity/falco/pull/3219)] - [@FedeDP](https://github.com/FedeDP)
+* update(rules): update falco-rules to 3.1.0 [[#3217](https://github.com/falcosecurity/falco/pull/3217)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): move falco logger under falco engine [[#3208](https://github.com/falcosecurity/falco/pull/3208)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(docs): apply features adoption and deprecation proposal to config file keys [[#3206](https://github.com/falcosecurity/falco/pull/3206)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(metrics): add original rule name as label [[#3205](https://github.com/falcosecurity/falco/pull/3205)] - [@incertum](https://github.com/incertum)
+* update(falco): deprecate options -T, -t and -D [[#3193](https://github.com/falcosecurity/falco/pull/3193)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor: bump libs and driver, support field modifiers [[#3186](https://github.com/falcosecurity/falco/pull/3186)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): deprecated old 'rules_file' config key [[#3162](https://github.com/falcosecurity/falco/pull/3162)] - [@FedeDP](https://github.com/FedeDP)
+* chore(falco): update falco libs and driver to master (Apr 8th 2024) [[#3158](https://github.com/falcosecurity/falco/pull/3158)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [[#3151](https://github.com/falcosecurity/falco/pull/3151)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: minor adjustments to readme, add new testing section [[#3072](https://github.com/falcosecurity/falco/pull/3072)] - [@incertum](https://github.com/incertum)
+* refactor(userspace/engine): reduce allocations during rules loading [[#3065](https://github.com/falcosecurity/falco/pull/3065)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(CI): publish wasm package as dev-wasm [[#3017](https://github.com/falcosecurity/falco/pull/3017)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): fix state initialization avoid a crash during hot reload [[#3190](https://github.com/falcosecurity/falco/pull/3190)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/engine): make sure exception fields are not optional in replace mode [[#3108](https://github.com/falcosecurity/falco/pull/3108)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(docker): added zstd to driver loader images [[#3203](https://github.com/falcosecurity/falco/pull/3203)] - [@FedeDP](https://github.com/FedeDP)
+* fix(engine): raise warning instead of error on not-unique exceptions names [[#3159](https://github.com/falcosecurity/falco/pull/3159)] - [@mrgian](https://github.com/mrgian)
+* fix(engine): apply output substitutions for all sources [[#3135](https://github.com/falcosecurity/falco/pull/3135)] - [@mrgian](https://github.com/mrgian)
+* fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [[#3127](https://github.com/falcosecurity/falco/pull/3127)] - [@sgaist](https://github.com/sgaist)
+* fix(engine): logical issue in exceptions condition [[#3115](https://github.com/falcosecurity/falco/pull/3115)] - [@mrgian](https://github.com/mrgian)
+* fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [[#3105](https://github.com/falcosecurity/falco/pull/3105)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* update(scripts/falcoctl): bump falco-rules version to 3 [[#3128](https://github.com/falcosecurity/falco/pull/3128)] - [@alacuku](https://github.com/alacuku)
+* build(deps): Bump submodules/falcosecurity-rules from `59bf03b` to `9e56293` [[#3212](https://github.com/falcosecurity/falco/pull/3212)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(gha): update cosign to v3.5.0 [[#3209](https://github.com/falcosecurity/falco/pull/3209)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `29c41c4` to `59bf03b` [[#3207](https://github.com/falcosecurity/falco/pull/3207)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [[#3204](https://github.com/falcosecurity/falco/pull/3204)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `3f668d0` to `3cac61c` [[#3044](https://github.com/falcosecurity/falco/pull/3044)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-testing from `ae3950a` to `7abf76f` [[#3094](https://github.com/falcosecurity/falco/pull/3094)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): enforce bundled deps OFF in build-dev CI [[#3118](https://github.com/falcosecurity/falco/pull/3118)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `88a40c8` to `869c9a7` [[#3156](https://github.com/falcosecurity/falco/pull/3156)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped falcoctl to v0.8.0-rc5. [[#3199](https://github.com/falcosecurity/falco/pull/3199)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `4f153f5` to `29c41c4` [[#3198](https://github.com/falcosecurity/falco/pull/3198)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump falcoctl to v0.8.0-rc4 [[#3191](https://github.com/falcosecurity/falco/pull/3191)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: smart pointer usage [[#3184](https://github.com/falcosecurity/falco/pull/3184)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `ec255e6` to `4f153f5` [[#3182](https://github.com/falcosecurity/falco/pull/3182)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs and driver to latest master. [[#3177](https://github.com/falcosecurity/falco/pull/3177)] - [@FedeDP](https://github.com/FedeDP)
+* chore(cmake): enable modern bpf build by default. [[#3180](https://github.com/falcosecurity/falco/pull/3180)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(docs): fix typo in license blocks [[#3175](https://github.com/falcosecurity/falco/pull/3175)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(docker,scripts): set old eBPF probe as lowest priority driver. [[#3173](https://github.com/falcosecurity/falco/pull/3173)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `869c9a7` to `ec255e6` [[#3170](https://github.com/falcosecurity/falco/pull/3170)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(app): close inspectors at teardown time [[#3169](https://github.com/falcosecurity/falco/pull/3169)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(docker): fixed docker entrypoints for driver loading. [[#3168](https://github.com/falcosecurity/falco/pull/3168)] - [@FedeDP](https://github.com/FedeDP)
+* fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [[#3166](https://github.com/falcosecurity/falco/pull/3166)] - [@FedeDP](https://github.com/FedeDP)
+* update(ci): build both release and debug versions [[#3161](https://github.com/falcosecurity/falco/pull/3161)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/falco): watch all configs files. [[#3160](https://github.com/falcosecurity/falco/pull/3160)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): update scorecard-action to v2.3.1 [[#3153](https://github.com/falcosecurity/falco/pull/3153)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(falco): consolidate falco::grpc::server in one class [[#3150](https://github.com/falcosecurity/falco/pull/3150)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build): enable ASan and UBSan builds with options and in CI [[#3147](https://github.com/falcosecurity/falco/pull/3147)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace): variable / function shadowing [[#3123](https://github.com/falcosecurity/falco/pull/3123)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `fbf0a4e` to `88a40c8` [[#3145](https://github.com/falcosecurity/falco/pull/3145)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [[#3146](https://github.com/falcosecurity/falco/pull/3146)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [[#3143](https://github.com/falcosecurity/falco/pull/3143)] - [@Sryther](https://github.com/Sryther)
+* build(deps): Bump submodules/falcosecurity-rules from `44addef` to `fbf0a4e` [[#3139](https://github.com/falcosecurity/falco/pull/3139)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump to latest libs commit [[#3137](https://github.com/falcosecurity/falco/pull/3137)] - [@Andreagit97](https://github.com/Andreagit97)
+* refactor: Use FetchContent for integrating three bundled libs [[#3107](https://github.com/falcosecurity/falco/pull/3107)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `dc7970d` to `44addef` [[#3136](https://github.com/falcosecurity/falco/pull/3136)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `f88b991` to `dc7970d` [[#3126](https://github.com/falcosecurity/falco/pull/3126)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* refactor(ci): Avoid using command make directly [[#3101](https://github.com/falcosecurity/falco/pull/3101)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* docs(proposal): 20231220-features-adoption-and-deprecation.md [[#2986](https://github.com/falcosecurity/falco/pull/2986)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b499a1d` to `f88b991` [[#3125](https://github.com/falcosecurity/falco/pull/3125)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(README.md): Falco Graduates within the CNCF [[#3124](https://github.com/falcosecurity/falco/pull/3124)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `497e011` to `b499a1d` [[#3111](https://github.com/falcosecurity/falco/pull/3111)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped codeql actions. [[#3114](https://github.com/falcosecurity/falco/pull/3114)] - [@FedeDP](https://github.com/FedeDP)
+* Cleanup warnings and smart ptrs [[#3112](https://github.com/falcosecurity/falco/pull/3112)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* new(build): add options to use bundled dependencies [[#3092](https://github.com/falcosecurity/falco/pull/3092)] - [@mrgian](https://github.com/mrgian)
+* fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [[#3110](https://github.com/falcosecurity/falco/pull/3110)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: bump libs and driver, and adopt unique pointers wherever possible [[#3109](https://github.com/falcosecurity/falco/pull/3109)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: falco_engine test fixture [[#3099](https://github.com/falcosecurity/falco/pull/3099)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* refactor: test AtomicSignalHandler.handle_once_wait_consistency [[#3100](https://github.com/falcosecurity/falco/pull/3100)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* Cleanup variable use [[#3097](https://github.com/falcosecurity/falco/pull/3097)] - [@sgaist](https://github.com/sgaist)
+* cleanup(submodules): dropped testing submodule. [[#3098](https://github.com/falcosecurity/falco/pull/3098)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(ci): make use of falcosecurity/testing provided composite action [[#3093](https://github.com/falcosecurity/falco/pull/3093)] - [@FedeDP](https://github.com/FedeDP)
+* Improve const correctness [[#3083](https://github.com/falcosecurity/falco/pull/3083)] - [@sgaist](https://github.com/sgaist)
+* Improve exception throwing [[#3085](https://github.com/falcosecurity/falco/pull/3085)] - [@sgaist](https://github.com/sgaist)
+* fix(ci): update sync in deb and rpm scripts with acl [[#3062](https://github.com/falcosecurity/falco/pull/3062)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(tests): consolidate Falco engine and rule loader tests [[#3066](https://github.com/falcosecurity/falco/pull/3066)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: falco_engine deps and include paths [[#3090](https://github.com/falcosecurity/falco/pull/3090)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* fix: Some compiler warnings [[#3089](https://github.com/falcosecurity/falco/pull/3089)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `0f60976` to `497e011` [[#3081](https://github.com/falcosecurity/falco/pull/3081)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing explicit to single argument constructors [[#3069](https://github.com/falcosecurity/falco/pull/3069)] - [@sgaist](https://github.com/sgaist)
+* Improve class initialization [[#3074](https://github.com/falcosecurity/falco/pull/3074)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `6ed2036` to `0f60976` [[#3078](https://github.com/falcosecurity/falco/pull/3078)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `1053b2d` to `6ed2036` [[#3067](https://github.com/falcosecurity/falco/pull/3067)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing overrides [[#3064](https://github.com/falcosecurity/falco/pull/3064)] - [@sgaist](https://github.com/sgaist)
+* new(build): prune deb-dev and rpm-dev directories [[#3056](https://github.com/falcosecurity/falco/pull/3056)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): align falco to gen-event class family deprecation [[#3051](https://github.com/falcosecurity/falco/pull/3051)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(deps): Bump submodules/falcosecurity-rules from `3cac61c` to `1053b2d` [[#3047](https://github.com/falcosecurity/falco/pull/3047)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix: adopt new libsinsp logger [[#3026](https://github.com/falcosecurity/falco/pull/3026)] - [@therealbobo](https://github.com/therealbobo)
+* refactor: cleanup libs relative include paths [[#2936](https://github.com/falcosecurity/falco/pull/2936)] - [@therealbobo](https://github.com/therealbobo)
+* chore(ci): bumped rn2md to latest master. [[#3046](https://github.com/falcosecurity/falco/pull/3046)] - [@FedeDP](https://github.com/FedeDP)
+* Support alternate rules loader [[#3008](https://github.com/falcosecurity/falco/pull/3008)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed release body driver version. [[#3042](https://github.com/falcosecurity/falco/pull/3042)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `c39d31a` to `3f668d0` [[#3039](https://github.com/falcosecurity/falco/pull/3039)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
+
+## v0.37.1
+
+Released on 2024-02-13
+
+### Major Changes
+
+* new(docker): added option for insecure http driver download to falco and driver-loader images [[#3058](https://github.com/falcosecurity/falco/pull/3058)] - [@toamto94](https://github.com/toamto94)
+
+### Minor Changes
+
+* update(cmake): bumped falcoctl to v0.7.2 [[#3076](https://github.com/falcosecurity/falco/pull/3076)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): link libelf dynamically [[#3048](https://github.com/falcosecurity/falco/pull/3048)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Bug Fixes
+
+* fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [[#3060](https://github.com/falcosecurity/falco/pull/3060)] - [@FedeDP](https://github.com/FedeDP)
+
+### Non user-facing changes
+
+* Added http headers option for driver download in docker images [[#3075](https://github.com/falcosecurity/falco/pull/3075)] - [@toamto94](https://github.com/toamto94)
+* fix(build): install libstdc++ in the Wolfi image [[#3053](https://github.com/falcosecurity/falco/pull/3053)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+## v0.37.0
+
+Released on 2024-01-30
+
+### Breaking Changes
+
+- The deprecated `rate-limiter` mechanism is removed as it is no longer used.
+  - the deprecated `outputs.rate` Falco config is removed.
+  - the deprecated `outputs.max_burst` Falco config is removed.
+- The deprecated `--userspace` CLI option is removed as it is no longer used.
+- The `falco-driver-loader` script will be removed and embedded into falcoctl. The new falcoctl driven implementation will drop:
+  - `--source-only` CLI option.
+  - `BPF_USE_LOCAL_KERNEL_SOURCES` environment variable.
+  - `DRIVER_CURL_OPTIONS` environment variable.
+  - `FALCO_BPF_PROBE` environment variable is not used by the new falcoctl driver loader, since it is already deprecated and will be removed in the next major version.
+  
+  Some env vars were renamed:
+  - `DRIVERS_REPO` env variable has been replaced by `FALCOCTL_DRIVER_NAME`  or `--name` command line argument for `falcoctl driver` command
+  - `DRIVERS_NAME` env variable has been replaced by `FALCOCTL_DRIVER_REPOS`, or `--repo` command line argument for `falcoctl driver` command
+  - `DRIVER_KERNEL_RELEASE` env variable has been replaced by `--kernelrelease` command line argument for `falcoctl driver install` command
+  - `DRIVER_KERNEL_VERSION` env variable has been replaced by `--kernelversion` command line argument for `falcoctl driver install` command
+  - `DRIVER_INSECURE_DOWNLOAD` env variable has been replaced by `--http-insecure` command line argument for `falcoctl driver install` command
+- Remove `-K/-k` options from Falco in favor of the new `k8smeta` plugin.
+- Drop plugins shipped with Falco since plugins are now be managed by falcoctl.
+- Falco 0.37.0 allows environment variables to be expanded even if they are part of a string. This introduces small breaking changes:
+  - Previously, environment variables used in YAML that were empty or defined as `“”` would be expanded to the default value. This was not consistent with the way YAML was handled in other cases, where we only returned the default values if the node was not defined. Now expanded env vars retain the same behavior of all other variables.
+  - Falco 0.37.0 will return default value for nodes that cannot be parsed to chosen type.
+  - `program_output` command will be env-expanded at init time, instead of letting `popen` and thus the `sh` shell expand it. This is technically a breaking change even if no behavioral change is expected. Also, you can avoid env var expansion by using `${{FOO}}` instead of `${FOO}`. It will resolve to `${FOO}` and won't be resolved to the env var value.
+
+### Major Changes
+
+* new!: dropped falco-driver-loader script in favor of new falcoctl driver command [[#2905](https://github.com/falcosecurity/falco/pull/2905)] - [@FedeDP](https://github.com/FedeDP)
+* update!: bump libs to latest and deprecation of k8s metadata options and configs [[#2914](https://github.com/falcosecurity/falco/pull/2914)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(falco)!: remove `outputs.rate` and `outputs.max_burst` from Falco config [[#2841](https://github.com/falcosecurity/falco/pull/2841)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(falco)!: remove `--userspace` support [[#2839](https://github.com/falcosecurity/falco/pull/2839)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(engine): add selective overrides for Falco rules [[#2981](https://github.com/falcosecurity/falco/pull/2981)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the `falco.yaml` file can be used for that purpose. Both are disabled by default. [[#2974](https://github.com/falcosecurity/falco/pull/2974)] - [@sgaist](https://github.com/sgaist)
+* new(userspace): support env variable expansion in all yaml, even inside strings. [[#2918](https://github.com/falcosecurity/falco/pull/2918)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [[#2773](https://github.com/falcosecurity/falco/pull/2773)] - [@vjjmiras](https://github.com/vjjmiras)
+* new(falco): print system info when Falco starts [[#2927](https://github.com/falcosecurity/falco/pull/2927)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: driver selection in falco.yaml [[#2413](https://github.com/falcosecurity/falco/pull/2413)] - [@therealbobo](https://github.com/therealbobo)
+* new(build): enable compilation on win32 and macOS. [[#2889](https://github.com/falcosecurity/falco/pull/2889)] - [@therealbobo](https://github.com/therealbobo)
+* feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the `falco.yaml` file. [[#2890](https://github.com/falcosecurity/falco/pull/2890)] - [@sgaist](https://github.com/sgaist)
+
+### Minor Changes
+
+* update(userspace/falco): add `engine_version_semver` key in `/versions` endpoint [[#2899](https://github.com/falcosecurity/falco/pull/2899)] - [@loresuso](https://github.com/loresuso)
+* update: default ruleset upgrade to version 3.0 [[#3034](https://github.com/falcosecurity/falco/pull/3034)] - [@leogr](https://github.com/leogr)
+* update!(config): soft deprecation of drop stats counters in `syscall_event_drops` [[#3015](https://github.com/falcosecurity/falco/pull/3015)] - [@incertum](https://github.com/incertum)
+* update(cmake): bumped falcoctl tool to v0.7.1. [[#3030](https://github.com/falcosecurity/falco/pull/3030)] - [@FedeDP](https://github.com/FedeDP)
+* update(rule_loader): deprecate the `append` flag in Falco rules [[#2992](https://github.com/falcosecurity/falco/pull/2992)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup!(cmake): drop bundled plugins in Falco [[#2997](https://github.com/falcosecurity/falco/pull/2997)] - [@FedeDP](https://github.com/FedeDP)
+* update(config): clarify deprecation notices + list all env vars [[#2988](https://github.com/falcosecurity/falco/pull/2988)] - [@incertum](https://github.com/incertum)
+* update: now the `watch_config_files` config option monitors file/directory moving and deletion, too [[#2965](https://github.com/falcosecurity/falco/pull/2965)] - [@NitroCao](https://github.com/NitroCao)
+* update(userspace): enhancements in rule description feature [[#2934](https://github.com/falcosecurity/falco/pull/2934)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): add libsinsp state metrics option [[#2883](https://github.com/falcosecurity/falco/pull/2883)] - [@incertum](https://github.com/incertum)
+* update(doc): Add Thought Machine as adopters [[#2919](https://github.com/falcosecurity/falco/pull/2919)] - [@RichardoC](https://github.com/RichardoC)
+* update(docs): add Wireshark/Logray as adopter [[#2867](https://github.com/falcosecurity/falco/pull/2867)] - [@geraldcombs](https://github.com/geraldcombs)
+* update: engine_version in semver representation [[#2838](https://github.com/falcosecurity/falco/pull/2838)] - [@loresuso](https://github.com/loresuso)
+* update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [[#2817](https://github.com/falcosecurity/falco/pull/2817)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+### Bug Fixes
+
+* fix(userspace/metric): minor fixes in new libsinsp state metrics handling [[#3033](https://github.com/falcosecurity/falco/pull/3033)] - [@incertum](https://github.com/incertum)
+* fix(userspace/engine): avoid storing escaped strings in engine defs [[#3028](https://github.com/falcosecurity/falco/pull/3028)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): cache latest rules compilation output [[#2900](https://github.com/falcosecurity/falco/pull/2900)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): solve description of macro-only rules [[#2898](https://github.com/falcosecurity/falco/pull/2898)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): fix memory leak [[#2877](https://github.com/falcosecurity/falco/pull/2877)] - [@therealbobo](https://github.com/therealbobo)
+
+### Non user-facing changes
+
+* fix: nlohmann_json lib include path [[#3032](https://github.com/falcosecurity/falco/pull/3032)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore: bump falco rules [[#3021](https://github.com/falcosecurity/falco/pull/3021)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump Falco to libs 0.14.1 [[#3020](https://github.com/falcosecurity/falco/pull/3020)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(build): remove outdated development libs [[#2946](https://github.com/falcosecurity/falco/pull/2946)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(falco): bump Falco to `000d576` libs commit [[#2944](https://github.com/falcosecurity/falco/pull/2944)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(gha): update rpmsign [[#2856](https://github.com/falcosecurity/falco/pull/2856)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `424b258` to `1221b9e` [[#3000](https://github.com/falcosecurity/falco/pull/3000)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `2ac430b` to `c39d31a` [[#3019](https://github.com/falcosecurity/falco/pull/3019)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco.yaml): rename `none` in `nodriver` [[#3012](https://github.com/falcosecurity/falco/pull/3012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(config): graduate outputs_queue to stable [[#3016](https://github.com/falcosecurity/falco/pull/3016)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump falcoctl to v0.7.0. [[#3009](https://github.com/falcosecurity/falco/pull/3009)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `1221b9e` to `2ac430b` [[#3007](https://github.com/falcosecurity/falco/pull/3007)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped rn2md to latest master. [[#3006](https://github.com/falcosecurity/falco/pull/3006)] - [@FedeDP](https://github.com/FedeDP)
+* chore: bump Falco to latest libs [[#3002](https://github.com/falcosecurity/falco/pull/3002)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump driver version [[#2998](https://github.com/falcosecurity/falco/pull/2998)] - [@Andreagit97](https://github.com/Andreagit97)
+* Add addl source related methods [[#2939](https://github.com/falcosecurity/falco/pull/2939)] - [@mstemm](https://github.com/mstemm)
+* build(deps): Bump submodules/falcosecurity-rules from `cd33bc3` to `424b258` [[#2993](https://github.com/falcosecurity/falco/pull/2993)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(engine): clarify deprecation notice for engines [[#2987](https://github.com/falcosecurity/falco/pull/2987)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped falcoctl to v0.7.0-rc1. [[#2983](https://github.com/falcosecurity/falco/pull/2983)] - [@FedeDP](https://github.com/FedeDP)
+* chore(ci): revert #2961. [[#2984](https://github.com/falcosecurity/falco/pull/2984)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-testing from `930170b` to `9b9630e` [[#2980](https://github.com/falcosecurity/falco/pull/2980)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump Falco to latest libs [[#2977](https://github.com/falcosecurity/falco/pull/2977)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `262f569` to `cd33bc3` [[#2976](https://github.com/falcosecurity/falco/pull/2976)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Allow enabling rules by ruleset id in addition to name [[#2920](https://github.com/falcosecurity/falco/pull/2920)] - [@mstemm](https://github.com/mstemm)
+* chore(ci): enable aarch64 falco driver loader tests. [[#2961](https://github.com/falcosecurity/falco/pull/2961)] - [@FedeDP](https://github.com/FedeDP)
+* chore(unit_tests): added more tests for yaml env vars expansion. [[#2972](https://github.com/falcosecurity/falco/pull/2972)] - [@FedeDP](https://github.com/FedeDP)
+* chore(falco.yaml): use HOME env var for ebpf probe path. [[#2971](https://github.com/falcosecurity/falco/pull/2971)] - [@FedeDP](https://github.com/FedeDP)
+* chore: bump falco to latest libs [[#2970](https://github.com/falcosecurity/falco/pull/2970)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `dd38952` to `262f569` [[#2969](https://github.com/falcosecurity/falco/pull/2969)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(readme): add actuated.dev badge [[#2967](https://github.com/falcosecurity/falco/pull/2967)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [[#2968](https://github.com/falcosecurity/falco/pull/2968)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `64e2adb` to `dd38952` [[#2959](https://github.com/falcosecurity/falco/pull/2959)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(docker): small fixes in docker entrypoints for new driver loader. [[#2966](https://github.com/falcosecurity/falco/pull/2966)] - [@FedeDP](https://github.com/FedeDP)
+* chore(build): allow usage of non-bundled nlohmann-json [[#2947](https://github.com/falcosecurity/falco/pull/2947)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* update(ci): enable actuated.dev [[#2945](https://github.com/falcosecurity/falco/pull/2945)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: fix several warnings from a Clang build [[#2948](https://github.com/falcosecurity/falco/pull/2948)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(docker/falco): add back some deps to falco docker image. [[#2932](https://github.com/falcosecurity/falco/pull/2932)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-testing from `92c313f` to `5248e6d` [[#2937](https://github.com/falcosecurity/falco/pull/2937)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `e206c1a` to `8f0520f` [[#2904](https://github.com/falcosecurity/falco/pull/2904)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco): remove decode_uri as it is no longer used [[#2933](https://github.com/falcosecurity/falco/pull/2933)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(engine): port decode_uri in falco engine [[#2912](https://github.com/falcosecurity/falco/pull/2912)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(falco): update to libs on nov 28th [[#2929](https://github.com/falcosecurity/falco/pull/2929)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(falco): remove `init` in the configuration constructor [[#2917](https://github.com/falcosecurity/falco/pull/2917)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `8f0520f` to `64e2adb` [[#2908](https://github.com/falcosecurity/falco/pull/2908)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(userspace/engine): remove legacy k8saudit implementation [[#2913](https://github.com/falcosecurity/falco/pull/2913)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(gha): disable branch protection rule trigger for scorecard [[#2911](https://github.com/falcosecurity/falco/pull/2911)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): set cosign-installer to v3.1.2 [[#2901](https://github.com/falcosecurity/falco/pull/2901)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docs): sync changelog for 0.36.2. [[#2894](https://github.com/falcosecurity/falco/pull/2894)] - [@FedeDP](https://github.com/FedeDP)
+* Run OpenSSF Scorecard in pipeline [[#2888](https://github.com/falcosecurity/falco/pull/2888)] - [@maxgio92](https://github.com/maxgio92)
+* cleanup: replace banned.h with semgrep [[#2881](https://github.com/falcosecurity/falco/pull/2881)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): upgrade GitHub actions [[#2876](https://github.com/falcosecurity/falco/pull/2876)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `a22d0d7` to `e206c1a` [[#2865](https://github.com/falcosecurity/falco/pull/2865)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `d119706` to `a22d0d7` [[#2860](https://github.com/falcosecurity/falco/pull/2860)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(gha): use fedora instead of centos 7 for package publishing [[#2854](https://github.com/falcosecurity/falco/pull/2854)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): pin versions to hashes [[#2849](https://github.com/falcosecurity/falco/pull/2849)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `c366d5b` to `d119706` [[#2847](https://github.com/falcosecurity/falco/pull/2847)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* new(ci): properly link libs and driver releases linked to a Falco release [[#2846](https://github.com/falcosecurity/falco/pull/2846)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `7a7cf24` to `c366d5b` [[#2842](https://github.com/falcosecurity/falco/pull/2842)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `77ba57a` to `7a7cf24` [[#2836](https://github.com/falcosecurity/falco/pull/2836)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped rn2md to latest master. [[#2844](https://github.com/falcosecurity/falco/pull/2844)] - [@FedeDP](https://github.com/FedeDP)
+
 ## v0.36.2

 Released on 2023-10-27
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,69 +2,99 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)

 project(falco)

-option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
-option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(
+	MINIMAL_BUILD
+	"Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)"
+	OFF
+)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)

 if(WIN32)
+	if(POLICY CMP0091)
+		# Needed for CMAKE_MSVC_RUNTIME_LIBRARY
+		# https://cmake.org/cmake/help/latest/policy/CMP0091.html
+		cmake_policy(SET CMP0091 NEW)
+	endif()
 	set(CPACK_GENERATOR "NSIS") # this needs NSIS installed, and available
-elseif (APPLE)
+elseif(APPLE)
 	set(CPACK_GENERATOR "DragNDrop")
 elseif(EMSCRIPTEN)
-  set(USE_BUNDLED_DEPS ON CACHE BOOL "" FORCE)
-  set(BUILD_DRIVER OFF CACHE BOOL "" FORCE)
-  set(ENABLE_DKMS OFF CACHE BOOL "" FORCE)
-  set(BUILD_BPF OFF CACHE BOOL "" FORCE)
-  set(CPACK_GENERATOR TGZ CACHE BOOL "" FORCE)
+	set(USE_BUNDLED_DEPS
+		ON
+		CACHE BOOL "" FORCE
+	)
+	set(BUILD_DRIVER
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(ENABLE_DKMS
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(BUILD_BPF
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(CPACK_GENERATOR
+		TGZ
+		CACHE BOOL "" FORCE
+	)
 endif()

 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
-  option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
-  if (BUILD_FALCO_GVISOR)
-    add_definitions(-DHAS_GVISOR)
-  endif()
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
+   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
+   AND NOT MINIMAL_BUILD
+)
+	option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
+	if(BUILD_FALCO_GVISOR)
+		add_definitions(-DHAS_GVISOR)
+	endif()
 endif()

 # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
 if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
-  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
-  if(BUILD_FALCO_MODERN_BPF)
-    add_definitions(-DHAS_MODERN_BPF)
-  endif()
+	option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON)
+	if(BUILD_FALCO_MODERN_BPF)
+		add_definitions(-DHAS_MODERN_BPF)
+	endif()
 endif()

 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
-if (${EP_UPDATE_DISCONNECTED})
-  set_property(
-    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+if(${EP_UPDATE_DISCONNECTED})
+	set_property(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} PROPERTY EP_UPDATE_DISCONNECTED TRUE)
 endif()

-# Elapsed time
-# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
+# Elapsed time set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") #
+# TODO(fntlnz, leodido): add a flag to enable this

 # Make flag for parallel processing
 include(ProcessorCount)
-processorcount(PROCESSOR_COUNT)
+ProcessorCount(PROCESSOR_COUNT)
 if(NOT PROCESSOR_COUNT EQUAL 0)
-  set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
+	set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
 endif()

 # Custom CMake modules
@@ -74,14 +104,14 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 include(GNUInstallDirs)

 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+	set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()

 # This will be used to print the architecture for which Falco is compiled.
-if (EMSCRIPTEN)
-  set(FALCO_TARGET_ARCH "wasm")
+if(EMSCRIPTEN)
+	set(FALCO_TARGET_ARCH "wasm")
 else()
-  set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
+	set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
 endif()

 include(CompilerFlags)
@@ -91,19 +121,20 @@ set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")

-# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
-# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` This is the same
+# fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
 set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
 add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")

 if(NOT DEFINED FALCO_COMPONENT_NAME)
-    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+	set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
 endif()

 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-  set(CMAKE_INSTALL_PREFIX
-      /usr
-      CACHE PATH "Default install path" FORCE)
+	set(CMAKE_INSTALL_PREFIX
+		/usr
+		CACHE PATH "Default install path" FORCE
+	)
 endif()

 set(CMD_MAKE make)
@@ -122,63 +153,98 @@ include(njson)
 # yaml-cpp
 include(yaml-cpp)

-if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-  # OpenSSL
-  include(openssl)
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+	# OpenSSL
+	include(openssl)

-  # libcurl
-  include(curl)
+	# libcurl
+	include(curl)

-  # todo(jasondellaluce,rohith-raju): support webserver for non-linux builds too
-  # cpp-httlib
-  include(cpp-httplib)
+	# todo(jasondellaluce,rohith-raju): support webserver for non-linux builds too cpp-httlib
+	include(cpp-httplib)
 endif()

 include(cxxopts)

 # One TBB
-if (NOT EMSCRIPTEN)
-  include(tbb)
+if(NOT EMSCRIPTEN)
+	include(tbb)
 endif()

 include(zlib)
-if (NOT MINIMAL_BUILD)
-  if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN)
-    include(cares)
-    include(protobuf)
-    # gRPC
-    include(grpc)
-  endif()
+include(valijson)
+if(NOT MINIMAL_BUILD)
+	if(NOT WIN32
+	   AND NOT APPLE
+	   AND NOT EMSCRIPTEN
+	)
+		include(cares)
+		include(protobuf)
+		# gRPC
+		include(grpc)
+	endif()
 endif()

 # Installation
 if(WIN32)
-	set(FALCO_INSTALL_CONF_FILE "%PROGRAMFILES%/${PACKAGE_NAME}-${FALCO_VERSION}/etc/falco/falco.yaml")
-	install(FILES falco.yaml DESTINATION etc/falco/ COMPONENT "${FALCO_COMPONENT_NAME}")
+	set(FALCO_INSTALL_CONF_FILE
+		"%PROGRAMFILES%/${PACKAGE_NAME}-${FALCO_VERSION}/etc/falco/falco.yaml"
+	)
+	install(
+		FILES falco.yaml
+		DESTINATION etc/falco/
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION etc/falco/config.d
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 elseif(APPLE)
 	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
-	install(FILES falco.yaml DESTINATION etc/falco/ COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES falco.yaml
+		DESTINATION etc/falco/
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION etc/falco/config.d
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 else()
 	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
-	install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES falco.yaml
+		DESTINATION "${FALCO_ETC_DIR}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ETC_DIR}/config.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()

 if(NOT MINIMAL_BUILD)
-  # Coverage
-  include(Coverage)
+	# Coverage
+	include(Coverage)
 endif()

 # Rules
 include(rules)

-# Clang format
-# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
+# Clang format add_custom_target(format COMMAND clang-format --style=file -i
+# $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

 # Static analysis
 include(static-analysis)

 # Shared build variables
-set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
@@ -187,13 +253,17 @@ add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)

-if(NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
-  include(falcoctl)
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT EMSCRIPTEN
+   AND NOT MUSL_OPTIMIZED_BUILD
+)
+	include(falcoctl)
 endif()

 # Packages configuration
 include(CPackConfig)

 if(BUILD_FALCO_UNIT_TESTS)
-  add_subdirectory(unit_tests)
+	add_subdirectory(unit_tests)
 endif()
--- a/Contributing.md
+++ b/Contributing.md
@@ -0,0 +1,207 @@
+# How to contribute
+
+## Enforce coding style 💻
+
+### Introduction
+
+This document introduces the coding style that will be applied in this repository.
+This coding style involves all the following files: `.c`, `.h`, `.cpp`, `.cmake`, `CMakeLists.txt`. To enforce it we rely on two main tools:
+
+1. `clang-format` version `18.1.8`.
+2. `cmake-format` version `0.6.13`.
+
+> __Please note__: tools versions are important! Different versions will enforce slightly different changes on the code. For example `clang-format-18` will produce a slightly different output respect to `clang-format-17` always respecting the imposed style.
+
+The coding style is expressed through the 2 configuration file that you find in this repo: `.clang-format`, `.cmake-format.json`.  
+
+### Enforce the style locally
+
+There are many ways to enforce the style locally, here we will describe two of them:
+
+1. Use `pre-commit` framework.
+2. Use the repo `Makefile`.
+
+#### 1.Pre-commit framework (suggested if you don't have the 2 tools already installed on your machine)
+
+The `pre-commit` framework allows you to automatically install different `git-hooks` that will run at every new commit. More precisely, if you use the `.pre-commit-config.yaml` in this repo you will install 3 different hooks:
+
+1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
+2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
+3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
+
+Now let's see what we need to use `pre-commit` framework.
+
+##### Step 1
+
+Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
+
+> __Please note__: you have to follow only the "Installation" section.
+
+##### Step 2
+
+Once you have installed `pre-commit`, you don't need to install anything else! This is the good point of using a framework like `pre-commit`, all the tools necessary to format your code will be directly managed by the framework. But in order to be ready, you need to install the git hooks in your local repo.
+
+This simple command allows you to install the two `pre-commit` git hooks, `clang-format` and `cmake-format`.
+
+```bash
+pre-commit install --install-hooks --hook-type pre-commit --overwrite  
+```
+
+If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+You have done, at every new commit, this hook will check that your patch respects the coding style of this repo!
+
+If you want to detach the git hooks, you can simply type:
+
+```bash
+pre-commit uninstall --hook-type prepare-commit-msg
+pre-commit uninstall --hook-type pre-commit 
+```
+
+#### 2.Makefile
+
+##### Step 1
+
+In order to use the repo `Makefile`, you need to install on your local machine the two aforementioned tools:
+
+__clang-format v18.1.8__
+
+One of the easiest ways to install `clang-format` could be directly downloading its static binary from [here](https://github.com/muttleyxd/clang-tools-static-binaries).
+There are other ways for example you can download the package for your distro or you can also build it from sources.
+
+__cmake-format v0.6.13__
+
+To install `cmake-format` you can follow the official documentation [here](https://cmake-format.readthedocs.io/en/latest/installation.html).
+
+> __NOTE__: Please check the versions of the two tool with `clang-format --version` and `cmake-format --version`.
+
+##### Step 2
+
+Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
+
+Remember to do that before submitting a new patch upstream! 😁
+
+#### Other solutions
+
+Obviously, you can also install the 2 tools locally and enable some extension of your favorite IDE (like `VScode`) to format your code every time you save your files!
+
+## Add DCO signed-off to your commits 🔏
+
+### Introduction
+
+Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
+Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
+
+```bash
+git config --get user.name
+git config --get user.email
+```
+
+If they are correct you have done, otherwise, you have to set them:
+
+```bash
+git config user.name <full-name>
+git config user.email <mail-used_with-GitHub-profile>
+```
+
+>__Please note__: If you have problems in doing this you can read the full documentation [here](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git).
+
+### Enforce the DCO locally
+
+Now you are ready to sign your commits! You have two main ways to do this:
+
+1. Manually with `git` tool.
+2. Use the `pre-commit-msg` hook quoted before.
+
+### Manually
+
+To do this you just need to remember the `-s` while performing your commits:
+
+```bash
+git commit -s
+```
+
+or with the inline message:
+
+```bash
+git commit -s -m "my first commit"
+```
+
+### Use `pre-commit` hook
+
+Here if you have already added the hook in the [previous section](#step-2), you have to do nothing otherwise you have to simply install the DCO hook with:
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+And you have done! Now you don't have to remember the `-s` option every time you commit something, the DCO hook will automatically add the DCO if you forget it! 😄
+
+## Some best practices 📏
+
+### Class variables
+
+To know whether a variable belongs to a `class` or a `function`, we start member variables with `m_`.
+
+Example:
+
+```c
+    public int32_t m_counter;
+```
+
+### Global variables
+
+To know whether the variable is global or not, we start globals with `g_`.
+
+Example:
+
+```c
+    int g_nplugins;
+```
+
+### Capitalization
+
+The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
+
+Example:
+
+```c
+    int32_t g_global_bean_counter;
+    int32_t count_beans();
+```
+
+and not,
+
+```c
+    int32_t GlobalBeanCounter;
+    int32_t CountBeans();
+```
+
+### Packed Structures
+
+Packed structures should use the GCC and MSVC-style supported `pragma`:
+
+Example:
+
+```c
+    #pragma pack(push,1)
+    struct frame_control
+    {
+        struct fields....
+    };
+    #pragma pack(pop)
+```
+
+### 64-bit constants
+
+Put an `LL` at the end of your `64-bit` constants. Without the `LL`, some platform compilers try to interpret the constant on the right-hand side as a `long integer` instead of a `long long` and this could lead to an error at building time.
+
+Example:
+
+```c
+    x=0X00FF00000000000LL
+```
--- a/81
+++ b/81
@@ -0,0 +1,81 @@
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# mofidy the following variables to match your paths
+CLANG_FORMAT_EXE ?= clang-format
+CLANG_FORMAT_VERSION = "$(shell ${CLANG_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CLANG_FORMAT_DESIRED_VERSION ="18.1.8"
+
+CMAKE_FORMAT_EXE ?= cmake-format
+CMAKE_FORMAT_VERSION = "$(shell ${CMAKE_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CMAKE_FORMAT_DESIRED_VERSION = "0.6.13"
+
+PROJECT_ROOT_DIR = $(shell git rev-parse --show-toplevel)
+
+######################
+#    Clang-format    #
+######################
+.PHONY: clang-format-install
+clang-format-install:
+ifeq (, $(shell ${CLANG_FORMAT_EXE} --version))
+	@echo "${CLANG_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CLANG_FORMAT_VERSION), $(CLANG_FORMAT_DESIRED_VERSION))
+	@echo "${CLANG_FORMAT_EXE} version is not '${CLANG_FORMAT_DESIRED_VERSION}'. Actual version is '${CLANG_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-clang
+format-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -i
+
+.PHONY: check-clang
+check-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -n
+
+######################
+#    Cmake-format    #
+######################
+.PHONY: cmake-format-install
+cmake-format-install:
+ifeq (, $(shell ${CMAKE_FORMAT_EXE} --version))
+	@echo "${CMAKE_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CMAKE_FORMAT_VERSION), $(CMAKE_FORMAT_DESIRED_VERSION))
+	@echo "${CMAKE_FORMAT_EXE} version is not '${CMAKE_FORMAT_DESIRED_VERSION}'. Actual version is '${CMAKE_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-cmake
+format-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json -i
+
+.PHONY: check-cmake
+check-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json --check
+
+# Add new formatters here...
+
+.PHONY: format-all
+format-all: format-clang format-cmake
+
+.PHONY: check-all
+check-all: check-clang check-cmake
+
--- a/1
+++ b/1
@@ -6,6 +6,7 @@ approvers:
  - andreagit97
  - incertum
  - LucaGuerra
+  - sgaist
 reviewers:
  - kaizhe
 emeritus_approvers:
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 [![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)

-[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>

 [![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)

@@ -10,15 +10,15 @@

 At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

-Falco, originally created by [Sysdig](https://sysdig.com), is an incubating project under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).
+Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated project** under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).

 For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.

-For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.
+For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md). Additionally, we have documented the [Release Process](RELEASE.md) for delivering new versions of Falco.

 ## Falco Repo: Powering the Core of The Falco Project

-This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libs](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:

 - [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
 - [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
@@ -29,7 +29,7 @@ For more information, visit the official hub of The Falco Project: [falcosecurit

 ## Getting Started with Falco

-Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).
+Carefully review and follow the [Official Documentation](https://falco.org/docs/install-operate/).

 Considerations and guidance for Falco adopters:

@@ -43,14 +43,17 @@ Considerations and guidance for Falco adopters:

 5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.

+### Demo Environment
+
+A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)

 ## How to Contribute

-Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
+Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.

 ## Join the Community

-To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
+To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.

 If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.

@@ -64,7 +67,7 @@ How to reach out?

 Full reports of various security audits can be found [here](./audits/).

-In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.
+In addition, you can refer to the [falco](https://github.com/falcosecurity/falco/security) and [libs](https://github.com/falcosecurity/libs/security) security sections for detailed updates on security advisories and policies.

 To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).

@@ -76,8 +79,49 @@ Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap]

 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.

+## Testing
+
+<details>
+	<summary>Expand Testing Instructions</summary>
+
+Falco's [Build Falco from source](https://falco.org/docs/install-operate/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
+
+Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
+
+```bash
+cmake \
+-DUSE_BUNDLED_DEPS=ON \
+-DBUILD_LIBSCAP_GVISOR=ON \
+-DBUILD_BPF=ON \
+-DBUILD_DRIVER=ON \
+-DBUILD_FALCO_MODERN_BPF=ON \
+-DCREATE_TEST_TARGETS=ON \
+-DBUILD_FALCO_UNIT_TESTS=ON ..;
+```
+
+Build and run the unit test suite:
+
+```bash
+nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');
+make -j$(($nproc-1)) falco_unit_tests;
+# Run the tests
+sudo ./unit_tests/falco_unit_tests;
+```
+
+Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.
+
+Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity/testing](https://github.com/falcosecurity/testing).
+
+
+</details>
+
+</br>
+
 ## Why is Falco in C++ rather than Go or {language}?

+<details>
+	<summary>Expand Information</summary>
+
 1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
 2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
 3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
@@ -89,6 +133,8 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 9. Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
 10. The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.

+</details>
+</br>

 ## Resources

@@ -99,3 +145,5 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
 - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
 - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
+ - [Install and Operate](https://falco.org/docs/install-operate/)
+ - [Troubleshooting](https://falco.org/docs/troubleshooting/)
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -2,24 +2,53 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
 endif()

 if(CPACK_GENERATOR MATCHES "TGZ")
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -2,19 +2,21 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got
+# @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
@@ -24,32 +26,35 @@ set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
-if (EMSCRIPTEN)
-  set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
+if(EMSCRIPTEN)
+	set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
 else()
-  set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
+	set(CPACK_PACKAGE_FILE_NAME
+		"${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}"
+	)
 endif()

 if(WIN32)
-	SET(CPACK_PACKAGE_INSTALL_DIRECTORY "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+	set(CPACK_PACKAGE_INSTALL_DIRECTORY "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
 endif()

 # Built packages will include only the following components
 set(CPACK_INSTALL_CMAKE_PROJECTS
-  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/" 
+	"${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
 )

 if(CMAKE_SYSTEM_NAME MATCHES "Linux") # only Linux has drivers
-  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
-    "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/")
+	list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+		 "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+	)
 endif()

 if(NOT CPACK_GENERATOR)
-  if (CMAKE_SYSTEM_NAME MATCHES "Linux")
-    set(CPACK_GENERATOR DEB RPM TGZ)
-  else()
-    set(CPACK_GENERATOR TGZ)
-  endif()
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+		set(CPACK_GENERATOR DEB RPM TGZ)
+	else()
+		set(CPACK_GENERATOR TGZ)
+	endif()
 endif()

 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
@@ -57,15 +62,15 @@ message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")

 if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 endif()
 if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
-  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
 endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+	"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
@@ -77,13 +82,14 @@ set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preunin
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
 set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
-    /usr/src
-    /usr/share/man
-    /usr/share/man/man8
-    /etc
-    /usr
-    /usr/bin
-    /usr/share)
+	/usr/src
+	/usr/share/man
+	/usr/share/man/man8
+	/etc
+	/usr
+	/usr/bin
+	/usr/share
+)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")

 include(CPack)
--- a/cmake/modules/CompilerFlags.cmake
+++ b/cmake/modules/CompilerFlags.cmake
@@ -2,67 +2,82 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_EXTENSIONS OFF)

 if(NOT FALCO_EXTRA_DEBUG_FLAGS)
-  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
+	set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
 endif()

 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
 else()
-  set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
-  add_definitions(-DBUILD_TYPE_RELEASE)
+	set(CMAKE_BUILD_TYPE "release")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_RELEASE)
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

 if(MINIMAL_BUILD)
-  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+	set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
 endif()

 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -fPIE -pie")
-  add_definitions(-DMUSL_OPTIMIZED)
+	set(MUSL_FLAGS "-static -Os -fPIE -pie")
+	add_definitions(-DMUSL_OPTIMIZED)
 endif()

 # explicitly set hardening flags
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(FALCO_SECURITY_FLAGS "")
 if(LINUX)
-  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -Wl,-z,relro,-z,now -fstack-protector-strong")
+	set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fstack-protector-strong")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
 endif()

-
 if(NOT MSVC)

 	if(CMAKE_BUILD_TYPE STREQUAL "release")
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
 	endif()

-	set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+	if(USE_ASAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
+	endif()
+
+	if(USE_UBSAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")
+		if(UBSAN_HALT_ON_ERROR)
+			set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-sanitize-recover=undefined")
+		endif()
+	endif()
+
+	set(CMAKE_COMMON_FLAGS
+		"${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}"
+	)

 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_SUPPRESSED_WARNINGS
 			"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
 		)
-		set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
+		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
+		set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
 	endif()

 	set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-	set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
+	set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS}")

 	set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
 	set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
@@ -72,17 +87,13 @@ if(NOT MSVC)

 else() # MSVC
 	set(MINIMAL_BUILD ON)
+	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")

-	# The WIN32_LEAN_AND_MEAN define avoids possible macro pollution
-	# when a libsinsp consumer includes the windows.h header.
-	# See: https://stackoverflow.com/a/28380820
-
+	# The WIN32_LEAN_AND_MEAN define avoids possible macro pollution when a libsinsp consumer
+	# includes the windows.h header: https://stackoverflow.com/a/28380820 Same goes for NOMINMAX:
+	# https://stackoverflow.com/questions/5004858/why-is-stdmin-failing-when-windows-h-is-included
 	add_compile_definitions(
-		_HAS_STD_BYTE=0
-		_CRT_SECURE_NO_WARNINGS
-		WIN32
-		MINIMAL_BUILD
-		WIN32_LEAN_AND_MEAN 
+		_HAS_STD_BYTE=0 _CRT_SECURE_NO_WARNINGS WIN32 MINIMAL_BUILD WIN32_LEAN_AND_MEAN NOMINMAX
 	)

 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
--- a/cmake/modules/Coverage.cmake
+++ b/cmake/modules/Coverage.cmake
@@ -2,25 +2,28 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 # Tests coverage
 option(FALCO_COVERAGE "Build test suite with coverage information" OFF)
 if(FALCO_COVERAGE)
-  if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")))
-    message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
-  endif()
+	if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES
+														   "Clang"))
+	)
+		message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
+	endif()

-  message(STATUS "Building with coverage information")
-  add_compile_options(-g --coverage)
-  set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
-  set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
+	message(STATUS "Building with coverage information")
+	add_compile_options(-g --coverage)
+	set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
+	set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
 endif()
--- a/cmake/modules/copy_files_to_build_dir.cmake
+++ b/cmake/modules/copy_files_to_build_dir.cmake
@@ -2,30 +2,32 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 function(copy_files_to_build_dir source_files targetsuffix)

-  set(build_files)
+	set(build_files)

-  foreach(file_path ${source_files})
-	  get_filename_component(trace_file ${file_path} NAME)
-	  list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-  endforeach()
+	foreach(file_path ${source_files})
+		get_filename_component(trace_file ${file_path} NAME)
+		list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	endforeach()

-  add_custom_target(copy-files-${targetsuffix} ALL
-	  DEPENDS ${build_files})
+	add_custom_target(copy-files-${targetsuffix} ALL DEPENDS ${build_files})

-  add_custom_command(OUTPUT ${build_files}
-	  COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
-	  DEPENDS ${source_files})
+	add_custom_command(
+		OUTPUT ${build_files}
+		COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
+		DEPENDS ${source_files}
+	)

 endfunction()
--- a/cmake/modules/cpp-httplib.cmake
+++ b/cmake/modules/cpp-httplib.cmake
@@ -2,32 +2,27 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-#
-# cpp-httplib (https://github.com/yhirose/cpp-httplib)
-#
-if(CPPHTTPLIB_INCLUDE)
-	# we already have cpp-httplib
+option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_CPPHTTPLIB)
+	include(FetchContent)
+	FetchContent_Declare(
+		cpp-httplib
+		URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.15.3.tar.gz
+		URL_HASH SHA256=2121bbf38871bb2aafb5f7f2b9b94705366170909f434428352187cb0216124e
+	)
+	FetchContent_MakeAvailable(cpp-httplib)
 else()
-	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
-	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
-
-	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
-
-	ExternalProject_Add(cpp-httplib
-		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.13.1.tar.gz"
-		URL_HASH "SHA256=9b837d290b61e3f0c4239da0b23bbf14c382922e2bf2a9bac21c1e3feabe1ff9"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ""
-		INSTALL_COMMAND "")	
+	find_package(httplib CONFIG REQUIRED)
 endif()
--- a/cmake/modules/cxxopts.cmake
+++ b/cmake/modules/cxxopts.cmake
@@ -2,23 +2,44 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
-set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+#
+# cxxopts (https://github.com/jarro2783/cxxopts)
+#

-ExternalProject_Add(
-        cxxopts
-        URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
-        URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
-	CONFIGURE_COMMAND ""
-	BUILD_COMMAND ""
-	INSTALL_COMMAND "")
+option(USE_BUNDLED_CXXOPTS "Enable building of the bundled cxxopts" ${USE_BUNDLED_DEPS})
+
+if(CXXOPTS_INCLUDE_DIR)
+	# we already have cxxopts
+elseif(NOT USE_BUNDLED_CXXOPTS)
+	find_package(cxxopts CONFIG REQUIRED)
+	get_target_property(CXXOPTS_INCLUDE_DIR cxxopts::cxxopts INTERFACE_INCLUDE_DIRECTORIES)
+else()
+	set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
+	set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+
+	message(STATUS "Using bundled cxxopts in ${CXXOPTS_SRC}")
+
+	ExternalProject_Add(
+		cxxopts
+		URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
+		URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
+
+if(NOT TARGET cxxopts)
+	add_custom_target(cxxopts)
+endif()
--- a/cmake/modules/driver-repo/CMakeLists.txt
+++ b/cmake/modules/driver-repo/CMakeLists.txt
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)

@@ -20,12 +21,12 @@ message(STATUS "Driver repository: ${DRIVER_REPO}")
 message(STATUS "Driver version: ${DRIVER_VERSION}")

 ExternalProject_Add(
-  driver
-  URL "https://github.com/${DRIVER_REPO}/archive/${DRIVER_VERSION}.tar.gz"
-  URL_HASH "${DRIVER_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
+	driver
+	URL "https://github.com/${DRIVER_REPO}/archive/${DRIVER_VERSION}.tar.gz"
+	URL_HASH "${DRIVER_CHECKSUM}"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	TEST_COMMAND ""
+	PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
 )
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 set(DRIVER_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/driver-repo")
@@ -18,37 +19,42 @@ set(DRIVER_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/driver-repo")
 file(MAKE_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})

 if(DRIVER_SOURCE_DIR)
-  set(DRIVER_VERSION "0.0.0-local")
-  message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
+	set(DRIVER_VERSION "0.0.0-local")
+	message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
 else()
-  # DRIVER_REPO accepts a repository name (<org name>/<repo name>) alternative to the falcosecurity/libs repository.
-  # In case you want to test against a fork of falcosecurity/libs just pass the variable -
-  # ie., `cmake -DDRIVER_REPO=<your-gh-handle>/libs ..` 
-  if (NOT DRIVER_REPO)
-    set(DRIVER_REPO "falcosecurity/libs")
-  endif()
+	# DRIVER_REPO accepts a repository name (<org name>/<repo name>) alternative to the
+	# falcosecurity/libs repository. In case you want to test against a fork of falcosecurity/libs
+	# just pass the variable - ie., `cmake -DDRIVER_REPO=<your-gh-handle>/libs ..`
+	if(NOT DRIVER_REPO)
+		set(DRIVER_REPO "falcosecurity/libs")
+	endif()

-  # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
-  # which contains the driver source code under the `/driver` directory.
-  # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
-  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DDRIVER_VERSION=dev ..`
-  if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "7.0.0+driver")
-    set(DRIVER_CHECKSUM "SHA256=9f2a0f14827c0d9d1c3d1abe45b8f074dea531ebeca9859363a92f0d2475757e")
-  endif()
+	# DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the
+	# falcosecurity/libs repository which contains the driver source code under the `/driver`
+	# directory. The chosen driver version must be compatible with the given
+	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
+	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
+	if(NOT DRIVER_VERSION)
+		set(DRIVER_VERSION "7.3.0+driver")
+		set(DRIVER_CHECKSUM
+			"SHA256=8f572d9a83feda635a3fa53b859d61e37af127c241e35068aadee3bc50d212c0"
+		)
+	endif()

-  # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}"
-      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
-      -DDRIVER_REPO=${DRIVER_REPO}
-      -DDRIVER_VERSION=${DRIVER_VERSION}
-      -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
-    ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+	# cd /path/to/build && cmake /path/to/source
+	execute_process(
+		COMMAND
+			"${CMAKE_COMMAND}" -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" -DDRIVER_REPO=${DRIVER_REPO}
+			-DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+			${DRIVER_CMAKE_SOURCE_DIR}
+		WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR}
+	)

-  # cmake --build .
-  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}")
-  set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
+	# cmake --build .
+	execute_process(
+		COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}"
+	)
+	set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
 endif()

 add_definitions(-D_GNU_SOURCE)
--- a/cmake/modules/falco-version.cmake
+++ b/cmake/modules/falco-version.cmake
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 # Retrieve git ref and commit hash
@@ -17,33 +18,39 @@ include(GetVersionFromGit)

 # Get Falco version variable according to git index
 if(NOT FALCO_VERSION)
-  set(FALCO_VERSION "0.0.0")
-  get_version_from_git(FALCO_VERSION "" "")
+	set(FALCO_VERSION "0.0.0")
+	get_version_from_git(FALCO_VERSION "" "")
 endif()

 # Remove the starting "v" in case there is one
 string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")

 string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                     "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR
+					 "${FALCO_VERSION}"
+)
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3"
+					 FALCO_VERSION_PATCH "${FALCO_VERSION}"
+)
 string(
-  REGEX
-  REPLACE
-    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-    "\\5"
-    FALCO_VERSION_PRERELEASE
-    "${FALCO_VERSION}")
+	REGEX
+	REPLACE
+		"^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+		"\\5"
+		FALCO_VERSION_PRERELEASE
+		"${FALCO_VERSION}"
+)

 if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_PRERELEASE "")
+	set(FALCO_VERSION_PRERELEASE "")
 endif()
 if(NOT FALCO_VERSION_BUILD)
-  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+	string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD
+						 "${FALCO_VERSION}"
+	)
 endif()
 if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_BUILD "")
+	set(FALCO_VERSION_BUILD "")
 endif()

 message(STATUS "Falco version: ${FALCO_VERSION}")
--- a/cmake/modules/falcoctl.cmake
+++ b/cmake/modules/falcoctl.cmake
@@ -2,36 +2,55 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 include(ExternalProject)

-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
+option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON)

-set(FALCOCTL_VERSION "0.7.1")
+if(ADD_FALCOCTL_DEPENDENCY)
+	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)

-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "f142507c0e2b1e7dc03fd0b1ec36b479eb171f1f58c17f90d2d8edeb00668ef5")
-else() # aarch64
-    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "93e4800b68e21057da82c8c7aafa0970598594d62cd9929ebb9b38a9c02159a6")
+	set(FALCOCTL_VERSION "0.10.1")
+
+	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
+
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
+		set(FALCOCTL_HASH "039961004a72d27409ab6ba82542134bd5df8a69ad341c897f3d26b6596b9e6a")
+	else() # aarch64
+		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
+		set(FALCOCTL_HASH "fbaf83512cc73e99f14f90cb14ed4eee83f40efde3d398c7b7ef02163116f2fc")
+	endif()
+
+	ExternalProject_Add(
+		falcoctl
+		URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
+		URL_HASH "SHA256=${FALCOCTL_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+
+	install(
+		PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl"
+		DESTINATION "${FALCO_BIN_DIR}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+else()
+	message(STATUS "Won't build with falcoctl")
 endif()
-
-ExternalProject_Add(
-        falcoctl
-        URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
-        URL_HASH "SHA256=${FALCOCTL_HASH}"
-        CONFIGURE_COMMAND ""
-        BUILD_COMMAND ""
-        INSTALL_COMMAND "")
-
-install(PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl" DESTINATION "${FALCO_BIN_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
--- a/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt
+++ b/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)

@@ -20,11 +21,11 @@ message(STATUS "Libs repository: ${FALCOSECURITY_LIBS_REPO}")
 message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")

 ExternalProject_Add(
-  falcosecurity-libs
-  URL "https://github.com/${FALCOSECURITY_LIBS_REPO}/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
-  URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
+	falcosecurity-libs
+	URL "https://github.com/${FALCOSECURITY_LIBS_REPO}/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+	URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	TEST_COMMAND ""
 )
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -2,93 +2,144 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
+set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo"
+)
 set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")

 file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})

 # explicitly disable the bundled driver, since we pull it separately
-set(USE_BUNDLED_DRIVER OFF CACHE BOOL "")
+set(USE_BUNDLED_DRIVER
+	OFF
+	CACHE BOOL ""
+)

 if(FALCOSECURITY_LIBS_SOURCE_DIR)
-  set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
-  message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+	set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
+	message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
 else()
-  # FALCOSECURITY_LIBS_REPO accepts a repository name (<org name>/<repo name>) alternative to the falcosecurity/libs repository.
-  # In case you want to test against a fork of falcosecurity/libs just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_REPO=<your-gh-handle>/libs ..`
-  if (NOT FALCOSECURITY_LIBS_REPO)
-    set(FALCOSECURITY_LIBS_REPO "falcosecurity/libs")
-  endif()
+	# FALCOSECURITY_LIBS_REPO accepts a repository name (<org name>/<repo name>) alternative to the
+	# falcosecurity/libs repository. In case you want to test against a fork of falcosecurity/libs
+	# just pass the variable - ie., `cmake -DFALCOSECURITY_LIBS_REPO=<your-gh-handle>/libs ..`
+	if(NOT FALCOSECURITY_LIBS_REPO)
+		set(FALCOSECURITY_LIBS_REPO "falcosecurity/libs")
+	endif()

-  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
-  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
-  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.14.1")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=defdea24bf3b176c63f10900d3716fe4373151965cc09d3fe67a31a3a9af0b13")
-  endif()
+	# FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the
+	# falcosecurity/libs repository. In case you want to test against another falcosecurity/libs
+	# version (or branch, or commit) just pass the variable - ie., `cmake
+	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
+	if(NOT FALCOSECURITY_LIBS_VERSION)
+		set(FALCOSECURITY_LIBS_VERSION "0.18.2")
+		set(FALCOSECURITY_LIBS_CHECKSUM
+			"SHA256=b2e3e42c3255a6d41960afe086e8189d73e27f1dbc23abefaf6b05cf118eb6f4"
+		)
+	endif()

-  # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}"
-      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
-      -DFALCOSECURITY_LIBS_REPO=${FALCOSECURITY_LIBS_REPO}
-      -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
-      -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
-    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+	# cd /path/to/build && cmake /path/to/source
+	execute_process(
+		COMMAND
+			"${CMAKE_COMMAND}" -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+			-DFALCOSECURITY_LIBS_REPO=${FALCOSECURITY_LIBS_REPO}
+			-DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
+			-DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+			${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}
+		WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}
+	)

-  # cmake --build .
-  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
-  set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
+	# cmake --build .
+	execute_process(
+		COMMAND "${CMAKE_COMMAND}" --build .
+		WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}"
+	)
+	set(FALCOSECURITY_LIBS_SOURCE_DIR
+		"${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs"
+	)
 endif()

 set(LIBS_PACKAGE_NAME "falcosecurity")

 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-  add_definitions(-D_GNU_SOURCE)
-  add_definitions(-DHAS_CAPTURE)
+	add_definitions(-D_GNU_SOURCE)
+	add_definitions(-DHAS_CAPTURE)
 endif()

 if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
+	add_definitions(-DMUSL_OPTIMIZED)
 endif()

 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME")
 set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH")

-if(NOT LIBSCAP_DIR)
-  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+if(NOT LIBS_DIR)
+	set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()

-set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
-
 # configure gVisor support
-set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
+set(BUILD_LIBSCAP_GVISOR
+	${BUILD_FALCO_GVISOR}
+	CACHE BOOL ""
+)

 # configure modern BPF support
-set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+set(BUILD_LIBSCAP_MODERN_BPF
+	${BUILD_FALCO_MODERN_BPF}
+	CACHE BOOL ""
+)

 # explicitly disable the tests/examples of this dependency
-set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
-set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
+set(CREATE_TEST_TARGETS
+	OFF
+	CACHE BOOL ""
+)
+set(BUILD_LIBSCAP_EXAMPLES
+	OFF
+	CACHE BOOL ""
+)

-set(USE_BUNDLED_TBB ON CACHE BOOL "")
-set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
-set(USE_BUNDLED_NLOHMANN_JSON ON CACHE BOOL "")
-set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
-set(USE_BUNDLED_RE2 ON CACHE BOOL "")
-set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+set(USE_BUNDLED_TBB
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_JSONCPP
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_VALIJSON
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_RE2
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_UTHASH
+	ON
+	CACHE BOOL ""
+)
+if(USE_DYNAMIC_LIBELF)
+	set(USE_BUNDLED_LIBELF
+		OFF
+		CACHE BOOL ""
+	)
+	set(USE_SHARED_LIBELF
+		ON
+		CACHE BOOL ""
+	)
+endif()

 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")

@@ -96,15 +147,18 @@ include(CheckSymbolExists)
 check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)

 if(HAVE_STRLCPY)
-  message(STATUS "Existing strlcpy and strlcat found, will *not* use local definition by setting -DHAVE_STRLCPY and -DHAVE_STRLCAT.")
-  add_definitions(-DHAVE_STRLCPY)
-  add_definitions(-DHAVE_STRLCAT)
+	message(
+		STATUS
+			"Existing strlcpy and strlcat found, will *not* use local definition by setting -DHAVE_STRLCPY and -DHAVE_STRLCAT."
+	)
+	add_definitions(-DHAVE_STRLCPY)
+	add_definitions(-DHAVE_STRLCAT)
 else()
-  message(STATUS "No strlcpy and strlcat found, will use local definition")
+	message(STATUS "No strlcpy and strlcat found, will use local definition")
 endif()

 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-  include(driver)
+	include(driver)
 endif()
 include(libscap)
 include(libsinsp)
--- a/cmake/modules/njson.cmake
+++ b/cmake/modules/njson.cmake
@@ -2,26 +2,27 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

-if(USE_BUNDLED_NLOHMANN_JSON)
-    ExternalProject_Add(njson
-        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-        CMAKE_ARGS -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=${PROJECT_BINARY_DIR}/njson-prefix -DJSON_BuildTests=OFF -DBUILD_TESTING=OFF
-    )
+option(USE_BUNDLED_NLOHMANN_JSON "Enable building of the bundled nlohmann-json" ${USE_BUNDLED_DEPS})

-    set(nlohmann_json_INCLUDE_DIRS ${PROJECT_BINARY_DIR}/njson-prefix/include)
+if(USE_BUNDLED_NLOHMANN_JSON)
+	include(FetchContent)
+	FetchContent_Declare(
+		nlohmann_json
+		URL https://github.com/nlohmann/json/archive/v3.11.3.tar.gz
+		URL_HASH SHA256=0d8ef5af7f9794e3263480193c491549b2ba6cc74bb018906202ada498a79406
+	)
+	FetchContent_MakeAvailable(nlohmann_json)
 else()
-    find_package(nlohmann_json CONFIG REQUIRED)
-    get_target_property(nlohmann_json_INCLUDE_DIRS nlohmann_json::nlohmann_json INTERFACE_INCLUDE_DIRECTORIES)
-    add_custom_target(njson)
+	find_package(nlohmann_json CONFIG REQUIRED)
 endif()
--- a/cmake/modules/rules.cmake
+++ b/cmake/modules/rules.cmake
@@ -1,37 +1,48 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2024 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 include(GNUInstallDirs)
 include(ExternalProject)

-# falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.0.0-rc1")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2e91799fee49c2daf58fb482e47410a21433eb116e02cde18206f7af87449ddb")
-set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
-ExternalProject_Add(
-  falcosecurity-rules-falco
-  URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
-  URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-)
+if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
+	# falco_rules.yaml
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.2.0")
+	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
+		"SHA256=b3990bf0209cfbf6a903b361e458a1f5851a9a5aeee808ad26a5ddbe1377157d"
+	)
+	set(FALCOSECURITY_RULES_FALCO_PATH
+		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"
+	)
+	ExternalProject_Add(
+		falcosecurity-rules-falco
+		URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
+		URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+		TEST_COMMAND ""
+	)
+endif()

-# falco_rules.local.yaml
-set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml")
-file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
+if(NOT DEFINED FALCOSECURITY_RULES_LOCAL_PATH)
+	# falco_rules.local.yaml
+	set(FALCOSECURITY_RULES_LOCAL_PATH
+		"${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml"
+	)
+	file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
+endif()

 if(NOT DEFINED FALCO_ETC_DIR)
 	set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
@@ -42,34 +53,43 @@ if(WIN32 OR APPLE)
 endif()

 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
-  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
-  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
+	set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
+	set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
 endif()

-if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
-  install(
-    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
-    COMPONENT "${FALCO_COMPONENT}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}")
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects,
+	# intentionally *not* installing all rulesets.
+	install(
+		FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+		COMPONENT "${FALCO_COMPONENT}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_RULES_DEST_FILENAME}"
+	)

-  install(
-    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
-    COMPONENT "${FALCO_COMPONENT}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+		COMPONENT "${FALCO_COMPONENT}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+	)
 else() # Default Falco installation
-  install(
-    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_RULES_DEST_FILENAME}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)

-  install(
-    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)

-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ETC_DIR}/rules.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 # create the reports folder
@@ -22,35 +23,42 @@ find_program(CPPCHECK cppcheck)
 find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)

 if(NOT CPPCHECK)
-  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+	message(
+		STATUS
+			"cppcheck command not found, static code analysis using cppcheck will not be available."
+	)
 else()
-  message(STATUS "cppcheck found at: ${CPPCHECK}")
-  # we are aware that cppcheck can be run
-  # along with the software compilation in a single step
-  # using the CMAKE_CXX_CPPCHECK variables.
-  # However, for practical needs we want to keep the
-  # two things separated and have a specific target for it.
-  # Our cppcheck target reads the compilation database produced by CMake
-  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
-  add_custom_target(
-      cppcheck
-      COMMAND ${CPPCHECK}
-      "--enable=all"
-      "--force"
-      "--inconclusive"
-      "--inline-suppr" # allows to specify suppressions directly in source code
-      "--xml" # we want to generate a report
-      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
-      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
-      "${CMAKE_SOURCE_DIR}"
-  )
+	message(STATUS "cppcheck found at: ${CPPCHECK}")
+	# we are aware that cppcheck can be run along with the software compilation in a single step
+	# using the CMAKE_CXX_CPPCHECK variables. However, for practical needs we want to keep the two
+	# things separated and have a specific target for it. Our cppcheck target reads the compilation
+	# database produced by CMake
+	set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+	add_custom_target(
+		cppcheck
+		COMMAND
+			${CPPCHECK} "--enable=all" "--force" "--inconclusive" "--inline-suppr" # allows to
+			# specify suppressions directly in source code
+			"--xml" # we want to generate a report
+			"--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate
+			# the report under the reports folder in the build folder
+			"-i${CMAKE_CURRENT_BINARY_DIR}" # exclude the build folder
+			"${CMAKE_SOURCE_DIR}"
+	)
 endif() # CPPCHECK

 if(NOT CPPCHECK_HTMLREPORT)
-  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+	message(
+		STATUS
+			"cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results"
+	)
 else()
-  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
-  add_custom_target(
-    cppcheck_htmlreport
-    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+	message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+	add_custom_target(
+		cppcheck_htmlreport
+		COMMAND
+			${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME}
+			--report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck
+			--file=static-analysis-reports/cppcheck/cppcheck.xml
+	)
 endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -2,40 +2,27 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
-mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
-if(NOT USE_BUNDLED_DEPS)
-  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
-  find_library(YAMLCPP_LIB NAMES yaml-cpp)
-  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
-    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system yamlcpp")
-  endif()
-  add_custom_target(yamlcpp)
+
+option(USE_BUNDLED_YAMLCPP "Enable building of the bundled yamlcpp" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_YAMLCPP)
+	include(FetchContent)
+	FetchContent_Declare(
+		yamlcpp
+		URL https://github.com/jbeder/yaml-cpp/archive/refs/tags/0.8.0.tar.gz
+		URL_HASH SHA256=fbe74bbdcee21d656715688706da3c8becfd946d92cd44705cc6098bb23b3a16
+	)
+	FetchContent_MakeAvailable(yamlcpp)
 else()
-  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-  if(NOT WIN32)
-    set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-  else()
-    set(YAMLCPP_LIB "${YAMLCPP_SRC}/${CMAKE_BUILD_TYPE}/yaml-cpp.lib")
-  endif()
-  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-  ExternalProject_Add(
-    yamlcpp
-    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.7.0.tar.gz"
-    URL_HASH "SHA256=43e6a9fcb146ad871515f0d0873947e5d497a1c9c60c58cb102a97b47208b7c3"
-    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
-    CMAKE_ARGS -DCMAKE_BUILD_TYPE=Release -DYAML_MSVC_SHARED_RT=Off -DYAML_BUILD_SHARED_LIBS=Off -DYAML_CPP_BUILD_TESTS=Off -DYAML_CPP_BUILD_TOOLS=OFF -DYAML_CPP_BUILD_CONTRIB=OFF -DCMAKE_DEBUG_POSTFIX=''
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
+	find_package(yaml-cpp CONFIG REQUIRED)
 endif()
--- a/docker/builder/README.md
+++ b/docker/builder/README.md
@@ -1,6 +0,0 @@
-# Builder folder
-
-* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
-  * Falco `tar.gz`.
-  * Falco `deb` package.
-  * Falco `rpm` package.
--- a/docker/builder/modern-falco-builder.Dockerfile
+++ b/docker/builder/modern-falco-builder.Dockerfile
@@ -1,43 +0,0 @@
-
-FROM centos:7 AS build-stage
-
-# To build Falco you need to pass the cmake option
-ARG CMAKE_OPTIONS=""
-ARG MAKE_JOBS=6
-
-# Install all the dependencies
-WORKDIR /
-
-RUN yum -y install centos-release-scl; \
-    yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++; \
-    source scl_source enable devtoolset-9; \
-    yum install -y git wget make m4 rpm-build
-
-# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
-RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
-    gzip -d /tmp/cmake.tar.gz; \
-    tar -xpf /tmp/cmake.tar --directory=/tmp; \
-    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
-    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
-
-# Copy Falco folder from the build context
-COPY . /source
-WORKDIR /build/release
-
-RUN source scl_source enable devtoolset-9; \
-    cmake ${CMAKE_OPTIONS} /source; \
-    make falco -j${MAKE_JOBS}
-RUN make package
-
-# We need `make all` for integration tests.
-RUN make all -j${MAKE_JOBS}
-
-FROM scratch AS export-stage
-
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG DEST_BUILD_DIR="/build"
-
-COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
-COPY --from=build-stage /build/release/falco-*.deb /packages/
-COPY --from=build-stage /build/release/falco-*.rpm /packages/
--- a/docker/docker-compose/README.md
+++ b/docker/docker-compose/README.md
@@ -0,0 +1,17 @@
+# Warning
+
+This environment is provided for demonstration purposes only and does not represent a production ready deployment of Falco.
+
+# Components
+The components that this docker-compose file spins up are [Falco](https://falco.org/), [falcosidekick](https://github.com/falcosecurity/falcosidekick), [falcosidekick-ui](https://github.com/falcosecurity/falcosidekick-ui) and a [redis](https://redis.io/) database.
+
+# Running
+To start this environment run `docker-compose up`.
+Note: You may need to use sudo for Falco to start correctly.
+
+# Cleaning up
+
+To clean up run `docker-compose rm`.
+
+# Generating events
+If you'd like to generate events that will trigger rules and show up in the UI you can run `docker run -it --rm falcosecurity/event-generator run syscall --loop`
--- a/docker/docker-compose/config/http_output.yml
+++ b/docker/docker-compose/config/http_output.yml
@@ -0,0 +1,11 @@
+# [Stable] `http_output`
+#
+# Send logs to an HTTP endpoint or webhook.
+#
+# When using falcosidekick, it is necessary to set `json_output` to true.
+json_output: true
+json_include_output_property: true
+http_output:
+  enabled: true
+  url: "http://falco-sidekick:2801/"
+  
--- a/docker/docker-compose/docker-compose.yaml
+++ b/docker/docker-compose/docker-compose.yaml
@@ -0,0 +1,34 @@
+version: "3"
+services:
+  falco:
+    container_name: falco
+    cap_drop:
+      - all
+    cap_add:
+      - sys_admin
+      - sys_resource
+      - sys_ptrace
+    volumes:
+      - /var/run/docker.sock:/host/var/run/docker.sock
+      - /proc:/host/proc:ro
+      - /etc:/host/etc:ro
+      - ./config/http_output.yml:/etc/falco/config.d/http_output.yml
+    image: falcosecurity/falco-no-driver:latest
+
+  sidekick:
+    container_name: falco-sidekick
+    image: falcosecurity/falcosidekick
+    environment:
+      WEBUI_URL: http://falco-webui:2802
+
+  webui:
+    container_name: falco-webui
+    image: falcosecurity/falcosidekick-ui:2.2.0
+    ports:
+      - 2802:2802
+    depends_on:
+      - redis
+    command: ['-r', 'redis:6379', '-d']
+
+  redis:
+    image: redis/redis-stack:7.2.0-v11
--- a/docker/driver-loader-legacy/Dockerfile
+++ b/docker/driver-loader-legacy/Dockerfile
@@ -37,6 +37,7 @@ RUN apt-get update \
 	netcat \
 	patchelf \
 	xz-utils \
+	zstd \
 	&& rm -rf /var/lib/apt/lists/*

 RUN if [ "$TARGETARCH" = "amd64" ]; \
@@ -92,7 +93,7 @@ RUN rm -rf /usr/bin/clang \
 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*

--- a/docker/driver-loader-legacy/docker-entrypoint.sh
+++ b/docker/driver-loader-legacy/docker-entrypoint.sh
@@ -24,19 +24,23 @@ print_usage() {
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
 	echo ""
 	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "  modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }

@@ -50,18 +54,18 @@ done

 ENABLE_COMPILE="false"
 ENABLE_DOWNLOAD="false"
-has_driver=
+HTTP_INSECURE="false"
+driver=
 has_opts=
 while test $# -gt 0; do
 	case "$1" in
-		kmod|ebpf)
-			if [ -n "$has_driver" ]; then
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
 				>&2 echo "Only one driver per invocation"
 				print_usage
 				exit 1
 			else
-				/usr/bin/falcoctl driver config --type $1
-				has_driver="true"
+			  driver=$1
 			fi
 			;;
 		-h|--help)
@@ -80,10 +84,8 @@ while test $# -gt 0; do
 			ENABLE_DOWNLOAD="true"
 			has_opts="true"
 			;;
-		--source-only)
-		    >&2 echo "Support dropped in Falco 0.37.0."
-			print_usage
-			exit 1
+		--http-insecure)
+			HTTP_INSECURE="true"
 			;;
 		--print-env)
 			/usr/bin/falcoctl driver printenv
@@ -103,9 +105,22 @@ while test $# -gt 0; do
    shift
 done

+# No opts passed, enable both compile and download
 if [ -z "$has_opts" ]; then
-	ENABLE_COMPILE="true"
-	ENABLE_DOWNLOAD="true"
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
 fi

-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
--- a/docker/driver-loader/docker-entrypoint.sh
+++ b/docker/driver-loader/docker-entrypoint.sh
@@ -24,19 +24,25 @@ print_usage() {
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 	echo ""
 	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help                   show this help message"
+	echo "  --clean                  try to remove an already present driver installation"
+	echo "  --compile                try to compile the driver locally (default true)"
+	echo "  --download               try to download a prebuilt driver (default true)"
+	echo "  --kernel-release <value> set the kernel release"
+	echo "  --kernel-version <value> set the kernel version"
+ 	echo "  --http-insecure	         enable insecure downloads"
+	echo "  --print-env              skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }

@@ -50,18 +56,20 @@ done

 ENABLE_COMPILE="false"
 ENABLE_DOWNLOAD="false"
-has_driver=
+HTTP_INSECURE="false"
+driver=
 has_opts=
+extra_args=
+
 while test $# -gt 0; do
 	case "$1" in
-		kmod|ebpf)
-			if [ -n "$has_driver" ]; then
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
 				>&2 echo "Only one driver per invocation"
 				print_usage
 				exit 1
 			else
-				/usr/bin/falcoctl driver config --type $1
-				has_driver="true"
+				driver=$1
 			fi
 			;;
 		-h|--help)
@@ -80,10 +88,16 @@ while test $# -gt 0; do
 			ENABLE_DOWNLOAD="true"
 			has_opts="true"
 			;;
-		--source-only)
-		    >&2 echo "Support dropped in Falco 0.37.0."
-			print_usage
-			exit 1
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;
+		--kernel-release)
+			extra_args+="--kernelrelease=$2 "
+			shift
+			;;
+		--kernel-version)
+			extra_args+="--kernelversion=$2 "
+			shift
 			;;
 		--print-env)
 			/usr/bin/falcoctl driver printenv
@@ -103,9 +117,22 @@ while test $# -gt 0; do
    shift
 done

+# No opts passed, enable both compile and download
 if [ -z "$has_opts" ]; then
-	ENABLE_COMPILE="true"
-	ENABLE_DOWNLOAD="true"
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
 fi

-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -39,12 +39,13 @@ RUN apt-get update \
 	netcat-openbsd \
 	patchelf \
 	xz-utils \
+	zstd \
 	&& rm -rf /var/lib/apt/lists/*

 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*

--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -24,19 +24,23 @@ print_usage() {
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
 	echo ""
 	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "  modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }

@@ -57,19 +61,19 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then

    ENABLE_COMPILE="false"
    ENABLE_DOWNLOAD="false"
-    has_driver=
+    HTTP_INSECURE="false"
+    driver=
    has_opts=
    for opt in "${falco_driver_loader_option_arr[@]}"
    do
        case "$opt" in
-            kmod|ebpf)
-                if [ -n "$has_driver" ]; then
+            auto|kmod|ebpf|modern_ebpf)
+                if [ -n "$driver" ]; then
                    >&2 echo "Only one driver per invocation"
                    print_usage
                    exit 1
                else
-                    /usr/bin/falcoctl driver config --type $opt
-                    has_driver="true"
+                    driver=$opt
                fi
                ;;
            -h|--help)
@@ -88,32 +92,44 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
                ENABLE_DOWNLOAD="true"
                has_opts="true"
                ;;
-            --source-only)
-                >&2 echo "Support dropped in Falco 0.37.0."
-                print_usage
-                exit 1
-                ;;    
+            --http-insecure)
+                HTTP_INSECURE="true"
+                ;;
            --print-env)
                /usr/bin/falcoctl driver printenv
                exit 0
                ;;
            --*)
-                >&2 echo "Unknown option: $1"
+                >&2 echo "Unknown option: $opt"
                print_usage
                exit 1
                ;;
            *)
-                >&2 echo "Unknown driver: $1"
+                >&2 echo "Unknown driver: $opt"
                print_usage
                exit 1
                ;;
        esac
    done
+
+    # No opts passed, enable both compile and download
    if [ -z "$has_opts" ]; then
        ENABLE_COMPILE="true"
        ENABLE_DOWNLOAD="true"
    fi
-    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+
+    # Default value: auto
+    if [ -z "$driver" ]; then
+      driver="auto"
+    fi
+
+    if [ "$driver" != "auto" ]; then
+      /usr/bin/falcoctl driver config --type $driver
+    else
+      # Needed because we need to configure Falco to start with correct driver
+      /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+    fi
+    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

 fi

--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -28,7 +28,7 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
    && apt clean -y && rm -rf /var/lib/apt/lists/*

 ENV HOST_ROOT /host
--- a/docker/no-driver/Dockerfile.distroless
+++ b/docker/no-driver/Dockerfile.distroless
@@ -6,7 +6,7 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}

-RUN apk update && apk add build-base gcc curl ca-certificates jq
+RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils

 WORKDIR /

@@ -21,7 +21,7 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

-FROM cgr.dev/chainguard/glibc-dynamic
+FROM cgr.dev/chainguard/wolfi-base

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -29,6 +29,8 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

+RUN apk update && apk add libelf libstdc++
+
 ENV HOST_ROOT /host
 ENV HOME /root

--- a/falco.yaml
+++ b/falco.yaml
@@ -25,49 +25,63 @@
 #
 #     (Falco command-line arguments)
 #     (Falco environment variables)
+# Falco config files settings
+#     config_files [Stable]
+#     watch_config_files [Stable]
 # Falco rules files
-#     rules_file
+#     rules_files [Stable]
+# Falco rules
+#     rules [Incubating]
 # Falco engine
-#     engine
+#     engine [Stable]
 # Falco plugins
-#     load_plugins
-#     plugins
-# Falco config files
-#     watch_config_files
+#     load_plugins [Stable]
+#     plugins [Stable]
 # Falco outputs settings
-#     time_format_iso_8601
-#     priority
-#     json_output
-#     json_include_output_property
-#     json_include_tags_property
-#     buffered_outputs
-#     rule_matching
-#     outputs_queue
+#     time_format_iso_8601 [Stable]
+#     priority [Stable]
+#     json_output [Stable]
+#     json_include_output_property [Stable]
+#     json_include_tags_property [Stable]
+#     buffered_outputs [Stable]
+#     rule_matching [Incubating]
+#     outputs_queue [Stable]
 # Falco outputs channels
-#     stdout_output
-#     syslog_output
-#     file_output
-#     http_output
-#     program_output
-#     grpc_output
+#     stdout_output [Stable]
+#     syslog_output [Stable]
+#     file_output [Stable]
+#     http_output [Stable]
+#     program_output [Stable]
+#     grpc_output [Stable]
 # Falco exposed services
-#     grpc
-#     webserver
+#     grpc [Stable]
+#     webserver [Stable]
 # Falco logging / alerting / metrics related to software functioning (basic)
-#     log_stderr
-#     log_syslog
-#     log_level
-#     libs_logger
+#     log_stderr [Stable]
+#     log_syslog [Stable]
+#     log_level [Stable]
+#     libs_logger [Stable]
 # Falco logging / alerting / metrics related to software functioning (advanced)
-#     output_timeout
-#     syscall_event_timeouts
-#     syscall_event_drops -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead
-#     metrics
+#     output_timeout [Stable]
+#     syscall_event_timeouts [Stable]
+#     syscall_event_drops [Stable] -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead
+#     metrics [Stable]
 # Falco performance tuning (advanced)
-#     syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine.<driver>.buf_size_preset` starting Falco 0.38!
-#     syscall_drop_failed_exit [DEPRECATED] -> Replaced by `engine.<driver>.drop_failed_exit` starting Falco 0.38! 
-#     base_syscalls
-#     modern_bpf.cpus_for_each_syscall_buffer [DEPRECATED] -> Replaced by `engine.modern_ebpf.cpus_for_each_buffer` starting Falco 0.38! 
+#     base_syscalls [Stable]
+# Falco libs
+#     falco_libs [Incubating]
+
+########################
+# Config maturity tags #
+########################
+
+# As per features adoption and deprecation proposal we support 4 levels of configuration keys maturity:
+# * Sandbox -> Experimental/alpha features, not recommended for production use, can be removed at any time without further notice.
+# * Incubating -> Beta features, long-term support is not guaranteed.
+# * Stable -> General Availability (GA) features for which long-term support is expected.
+# * Deprecated -> Deprecated keys, soon to be removed.
+#
+# For more info, please take a look at the proposal: https://github.com/falcosecurity/falco/blob/master/proposals/20231220-features-adoption-and-deprecation.md.


 ################################
@@ -96,10 +110,6 @@
 #   when deploying Falco over a container with read-only host mounts instead of
 #   directly on the host. Defaults to "/host". 
 #
-# - !!! [DEPRECATED] FALCO_BPF_PROBE: Specify a custom path to the BPF object code file (`bpf`
-#   driver). This is not needed for the modern_bpf driver. 
-#   -> Replaced by `engine.kind: ebpf` and `engine.ebpf` starting Falco 0.38!
-#
 # - FALCO_HOSTNAME: Customize the hostname output field logged by Falco by
 #   setting the "FALCO_HOSTNAME" environment variable.
 #
@@ -120,15 +130,44 @@
 # disabling the automatic artifacts followed by falcoctl.


+###############################
+# Falco config files settings #
+###############################
+
+# [Stable] `config_files`
+#
+# Falco will load additional configs files specified here.
+# Their loading is assumed to be made *after* main config file has been processed,
+# exactly in the order they are specified.
+# Therefore, loaded config files *can* override values from main config file.
+# Also, nested include is not allowed, ie: included config files won't be able to include other config files.
+#
+# Like for 'rules_files', specifying a folder will load all the configs files present in it in a lexicographical order.
+config_files:
+  - /etc/falco/config.d
+
+# [Stable] `watch_config_files`
+#
+# Falco monitors configuration and rules files for changes and automatically
+# reloads itself to apply the updated configuration when any modifications are
+# detected. This feature is particularly useful when you want to make real-time
+# changes to the configuration or rules of Falco without interrupting its
+# operation or losing its state. For more information about Falco's state
+# engine, please refer to the `base_syscalls` section.
+watch_config_files: true
+
 #####################
 # Falco rules files #
 #####################

-# [Stable] `rules_file`
+# [Stable] `rules_files`
+
+# NOTICE: Before Falco 0.38, this config key was `rules_file` (singular form), which is now deprecated in favor of `rules_files` (plural form).
 #
 # Falco rules can be specified using files or directories, which are loaded at
-# startup. The name "rules_file" is maintained for backwards compatibility. If
-# the entry is a file, it will be read directly. If the entry is a directory,
+# startup.
+#
+# If the entry is a file, it will be read directly. If the entry is a directory,
 # all files within that directory will be read in alphabetical order.
 #
 # The falco_rules.yaml file ships with the Falco package and is overridden with
@@ -157,11 +196,44 @@
 # "first match wins" principle. However, enabling the `all` matching option may result
 # in a performance penalty. We recommend carefully testing this alternative setting  
 # before deploying it in production. Read more under the `rule_matching` configuration.
-rules_file:
+rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/rules.d

+# [Incubating] `rules`
+#
+# --- [Description]
+#
+# Falco rules can be enabled or disabled by name (with wildcards *) and/or by tag.
+#
+# This configuration is applied after all rules files have been loaded, including
+# their overrides, and will take precedence over the enabled/disabled configuration
+# specified or overridden in the rules files.
+#
+# The ordering matters and selections are evaluated in order. For instance, if you
+# need to only enable a rule you would first disable all of them and then only
+# enable what you need, regardless of the enabled status in the files.
+#
+# --- [Examples]
+#
+# Only enable two rules:
+#
+# rules:
+#   - disable:
+#       rule: "*"
+#   - enable:
+#       rule: Netcat Remote Code Execution in Container
+#   - enable:
+#       rule: Delete or rename shell history
+#
+# Disable all rules with a specific tag:
+#
+# rules:
+#   - disable:
+#       tag: network
+#
+
 ################
 # Falco engine #
 ################
@@ -328,7 +400,7 @@ rules_file:
 # buffers (higher `cpus_for_each_buffer`) can lower the memory footprint.
 #
 engine:
-  kind: kmod
+  kind: modern_ebpf
  kmod:
    buf_size_preset: 4
    drop_failed_exit: false
@@ -396,7 +468,7 @@ load_plugins: []
 plugins:
  - name: k8saudit
    library_path: libk8saudit.so
-    init_config:
+    init_config: ""
    #   maxEventSize: 262144
    #   webhookMaxBatchSize: 12582912
    #   sslCertificate: /etc/falco/falco.pem
@@ -409,21 +481,6 @@ plugins:
    library_path: libjson.so


-######################
-# Falco config files #
-######################
-
-# [Stable] `watch_config_files`
-#
-# Falco monitors configuration and rule files for changes and automatically
-# reloads itself to apply the updated configuration when any modifications are
-# detected. This feature is particularly useful when you want to make real-time
-# changes to the configuration or rules of Falco without interrupting its
-# operation or losing its state. For more information about Falco's state
-# engine, please refer to the `base_syscalls` section.
-watch_config_files: true
-
-
 ##########################
 # Falco outputs settings #
 ##########################
@@ -461,6 +518,15 @@ json_output: false
 # case.
 json_include_output_property: true

+# [Incubating] `json_include_message_property`
+#
+# When using JSON output in Falco, you have the option to include the formatted
+# rule output without timestamp or priority. For instance, if a rule specifies
+# an "output" property like "Opened process %proc.name" the "message" field will
+# only contain "Opened process bash" whereas the "output" field will contain more
+# information.
+json_include_message_property: false
+
 # [Stable] `json_include_tags_property`
 #
 # When using JSON output in Falco, you have the option to include the "tags"
@@ -477,7 +543,7 @@ json_include_tags_property: true
 # output mechanism. By default, buffering is disabled (false).
 buffered_outputs: false

-# [Experimental] `rule_matching`
+# [Incubating] `rule_matching`
 #
 # The `rule_matching` configuration key's values are:
 #  - `first`: Falco stops checking conditions of rules against upcoming event
@@ -519,6 +585,48 @@ rule_matching: first
 outputs_queue:
  capacity: 0

+# [Sandbox] `append_output`
+#
+# Add information to the Falco output.
+# With this setting you can add more information to the Falco output message, customizable by
+# rule, tag or source.
+# You can also add additional data that will appear in the output_fields property
+# of JSON formatted messages or gRPC output but will not be part of the regular output message.
+# This allows you to add custom fields that can help you filter your Falco events without
+# polluting the message text.
+#
+# Each append_output entry has an optional `match` map which specifies which rules will be
+# affected.
+# `match`:
+#   `rule`: append output only to a specific rule
+#   `source`: append output only to a specific source
+#   `tags`: append output only to rules that have all of the specified tags
+# If none of the above are specified (or `match` is omitted)
+# output is appended to all events.
+# If more than one match condition is specified output will be appended to events 
+# that match all conditions.
+# And several options to add output:
+#   `extra_output`: add output to the Falco message
+#   `extra_fields`: add new fields to the JSON output and structured output, which will not
+#             affect the regular Falco message in any way. These can be specified as a
+#             custom name with a custom format or as any supported field
+#             (see: https://falco.org/docs/reference/rules/supported-fields/)
+#
+# Example:
+# 
+# append_output:
+#   - match:
+#       source: syscall
+#     extra_output: "on CPU %evt.cpu"
+#     extra_fields:
+#       - home_directory: "${HOME}"
+#       - evt.hostname
+#
+# In the example above every event coming from the syscall source will get an extra message
+# at the end telling the CPU number. In addition, if `json_output` is true, in the "output_fields"
+# property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
+# environment variable $HOME, and "evt.hostname" which will contain the hostname.
+

 ##########################
 # Falco outputs channels #
@@ -701,6 +809,11 @@ webserver:
  # Can be an IPV4 or IPV6 address, defaults to IPV4
  listen_address: 0.0.0.0
  k8s_healthz_endpoint: /healthz
+  # [Incubating] `prometheus_metrics_enabled`
+  #
+  # Enable the metrics endpoint providing Prometheus values
+  # It will only have an effect if metrics.enabled is set to true as well.
+  prometheus_metrics_enabled: false
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

@@ -930,6 +1043,8 @@ syscall_event_drops:
 # as Falco does not automatically rotate the file. It can be used in combination
 # with `output_rule`.
 #
+# `rules_counters_enabled`: Emit counts for each rule.
+#
 # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage
 # is reported as a percentage of one CPU and can be normalized to the total
 # number of CPUs to determine overall usage. Memory metrics are provided in raw
@@ -957,6 +1072,9 @@ syscall_event_drops:
 # counters reflect monotonic values since Falco's start and are exported at a
 # constant stats interval.
 #
+# `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters
+# per CPU. Typically used when debugging and not in production.
+#
 # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`,
 # providing information such as the number of invocations of each BPF program
 # attached by Falco and the time spent in each program measured in nanoseconds.
@@ -973,19 +1091,32 @@ syscall_event_drops:
 # beneficial for exploring the data schema and ensuring that fields with empty
 # values are included in the output.
 #
-# todo: prometheus export option
+# `plugins_metrics_enabled`: Falco can now expose your custom plugins' 
+# metrics. Please note that if the respective plugin has no metrics implemented, 
+# there will be no metrics available. In other words, there are no default or 
+# generic plugin metrics at this time. This may be subject to change.
+#
+# If metrics are enabled, the web server can be configured to activate the
+# corresponding Prometheus endpoint using `webserver.prometheus_metrics_enabled`.
+# Prometheus output can be used in combination with the other output options.
+#
 # todo: syscall_counters_enabled option
 metrics:
  enabled: false
  interval: 1h
  # Typically, in production, you only use `output_rule` or `output_file`, but not both. 
  # However, if you have a very unique use case, you can use both together.
+  # Set `webserver.prometheus_metrics_enabled` for Prometheus output.
  output_rule: true
  # output_file: /tmp/falco_stats.jsonl
+  rules_counters_enabled: true
  resource_utilization_enabled: true
  state_counters_enabled: true
  kernel_event_counters_enabled: true
+  # Enabling `kernel_event_counters_per_cpu_enabled` automatically enables `kernel_event_counters_enabled`
+  kernel_event_counters_per_cpu_enabled: false
  libbpf_stats_enabled: true
+  plugins_metrics_enabled: true
  convert_memory_to_mb: true
  include_empty_values: false

@@ -993,76 +1124,6 @@ metrics:
 # Falco performance tuning (advanced) #
 #######################################

-# [DEPRECATED] `syscall_buf_size_preset` -> Replaced by `engine.<driver>.buf_size_preset` starting Falco 0.38!
-#
-# Deprecated in favor of engine.{kmod,ebpf,modern_ebpf}.buf_size_preset.
-# This config is evaluated only if the default `engine` config block is not changed,
-# otherwise it is ignored.
-#
-# --- [Description]
-#
-# The syscall buffer index determines the size of the shared space between Falco
-# and its drivers. This shared space serves as a temporary storage for syscall
-# events, allowing them to be transferred from the kernel to the userspace
-# efficiently. The buffer size for each online CPU is determined by the buffer
-# index, and each CPU has its own dedicated buffer. Adjusting this index allows
-# you to control the overall size of the syscall buffers.
-#
-# --- [Usage]
-#
-# The index 0 is reserved, and each subsequent index corresponds to an
-# increasing size in bytes. For example, index 1 corresponds to a size of 1 MB,
-# index 2 corresponds to 2 MB, and so on:
-#
-# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
-#   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
-#   |    |     |     |     |     |      |      |       |       |       |
-#   0    1     2     3     4     5      6      7       8       9       10
-#
-#
-# The buffer dimensions in bytes are determined by the following requirements:
-# (1) a power of 2.
-# (2) a multiple of your system_page_dimension.
-# (3) greater than `2 * (system_page_dimension).
-#
-# The buffer size constraints may limit the usability of certain indexes. Let's
-# consider an example to illustrate this:
-#
-# If your system has a page size of 1 MB, the first available buffer size would
-# be 4 MB because 2 MB is exactly equal to 2 * (system_page_size), which is not
-# sufficient as we require more than 2 * (system_page_size). In this example, it
-# is evident that if the page size is 1 MB, the first index that can be used is 3.
-#
-# However, in most cases, these constraints do not pose a limitation, and all
-# indexes from 1 to 10 can be used. You can check your system's page size using
-# the Falco `--page-size` command-line option.
-# 
-# --- [Suggestions]
-#
-# The buffer size was previously fixed at 8 MB (index 4). You now have the
-# option to adjust the size based on your needs. Increasing the size, such as to
-# 16 MB (index 5), can reduce syscall drops in heavy production systems, but may
-# impact performance. Decreasing the size can speed up the system but may
-# increase syscall drops. It's important to note that the buffer size is mapped
-# twice in the process' virtual memory, so a buffer of 8 MB will result in a 16
-# MB area in virtual memory. Use this parameter with caution and only modify it
-# if the default size is not suitable for your use case.
-syscall_buf_size_preset: 4
-
-# [DEPRECATED] `syscall_drop_failed_exit` -> Replaced by `engine.<driver>.drop_failed_exit` starting Falco 0.38! 
-#
-# Deprecated in favor of engine.{kmod,ebpf,modern_ebpf}.drop_failed_exit.
-# This config is evaluated only if the default `engine` config block is not changed,
-# otherwise it is ignored.
-#
-# Enabling this option in Falco allows it to drop failed system call exit events
-# in the kernel drivers before pushing them onto the ring buffer. This
-# optimization can result in lower CPU usage and more efficient utilization of
-# the ring buffer, potentially reducing the number of event losses. However, it
-# is important to note that enabling this option also means sacrificing some
-# visibility into the system.
-syscall_drop_failed_exit: false
-
 # [Stable] `base_syscalls`, use with caution, read carefully
 #
 # --- [Description]
@@ -1178,117 +1239,66 @@ base_syscalls:
  custom_set: []
  repair: false

-# [DEPRECATED] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only -> Replaced by `engine.modern_ebpf.cpus_for_each_buffer` starting Falco 0.38! 
-#
-# Deprecated in favor of engine.modern_ebpf.cpus_for_each_buffer.
-# This config is evaluated only if the default `engine` config block is not changed,
-# otherwise it is ignored.
-#
-# --- [Description]
-#
-# The modern_bpf driver in Falco utilizes the new BPF ring buffer, which has a
-# different memory footprint compared to the current BPF driver that uses the
-# perf buffer. The Falco core maintainers have discussed the differences and
-# their implications, particularly in Kubernetes environments where limits need
-# to be carefully set to avoid interference with the Falco daemonset deployment
-# from the OOM killer. Based on guidance received from the kernel mailing list,
-# it is recommended to assign multiple CPUs to one buffer instead of allocating
-# a buffer for each CPU individually. This helps optimize resource allocation
-# and prevent potential issues related to memory usage.
-#
-# This is an index that controls how many CPUs you want to assign to a single
-# syscall buffer (ring buffer). By default, for modern_bpf every syscall buffer
-# is associated to 2 CPUs, so the mapping is 1:2. The modern BPF probe allows
-# you to choose different mappings, for example, changing the value to `1`
-# results in a 1:1 mapping and would mean one syscall buffer for each CPU (this
-# is the default for the `bpf` driver).
-#
-# --- [Usage]
-#
-# You can choose an index from 0 to MAX_NUMBER_ONLINE_CPUs to set the dimension
-# of the syscall buffers. The value 0 represents a single buffer shared among
-# all online CPUs. It serves as a flexible option when the exact number of
-# online CPUs is unknown. Here's an example to illustrate this:
-#
-# Consider a system with 7 online CPUs:
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#
-# - `1` means a syscall buffer for each CPU so 7 buffers
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     1  2        3  4  5  6
-#
-# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     0  1        1  2  2  3
-#
-# Please note that in this example, there are 4 buffers in total. Three of the
-# buffers are associated with pairs of CPUs, while the last buffer is mapped to
-# a single CPU. This arrangement is necessary because we have an odd number of
-# CPUs.
-#
-# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all
-#   CPUs, so 1 buffer
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     0  0        0  0  0  0
-#
-# Moreover, you have the option to combine this parameter with
-# `syscall_buf_size_preset` index. For instance, you can create a large shared
-# syscall buffer of 512 MB (using syscall_buf_size_preset=10) that is
-# allocated among all the online CPUs.
-#
-# --- [Suggestions]
-#
-# The default choice of index 2 (one syscall buffer for each CPU pair) was made
-# because the modern bpf probe utilizes a different memory allocation strategy
-# compared to the other two drivers (bpf and kernel module). However, you have
-# the flexibility to experiment and find the optimal configuration for your
-# system.
-# 
-# When considering a fixed syscall_buf_size_preset and a fixed buffer dimension:
-# - Increasing this configs value results in lower number of buffers and you can
-#   speed up your system and reduce memory usage
-# - However, using too few buffers may increase contention in the kernel,
-#   leading to a slowdown.
-# 
-# If you have low event throughputs and minimal drops, reducing the number of
-# buffers (higher `cpus_for_each_syscall_buffer`) can lower the memory footprint.
-modern_bpf:
-  cpus_for_each_syscall_buffer: 2
+##############
+# Falco libs #
+##############

-# [Stable] Guidance for Kubernetes container engine command-line args settings
+# [Incubating] `falco_libs`
 #
-# Modern cloud environments, particularly Kubernetes, heavily rely on
-# containerized workload deployments. When capturing events with Falco, it
-# becomes essential to identify the owner of the workload for which events are
-# being captured, such as syscall events. Falco integrates with the container
-# runtime to enrich its events with container information, including fields like
-# `container.image.repository`, `container.image.tag`, ... , `k8s.ns.name`,
-# `k8s.pod.name`, `k8s.pod.*` in the Falco output (Falco retrieves Kubernetes
-# namespace and pod name directly from the container runtime, see
-# https://falco.org/docs/reference/rules/supported-fields/#field-class-container).
+# `thread_table_size`
 #
-# Furthermore, Falco exposes container events themselves as a data source for
-# alerting. To achieve this integration with the container runtime, Falco
-# requires access to the runtime socket. By default, for Kubernetes, Falco
-# attempts to connect to the following sockets:
-# "/run/containerd/containerd.sock", "/run/crio/crio.sock",
-# "/run/k3s/containerd/containerd.sock". If you have a custom path, you can use
-# the `--cri` option to specify the correct location.
+# Set the maximum number of entries (the absolute maximum value can only be MAX UINT32) 
+# for Falco's internal threadtable (process cache). Please note that Falco operates at a 
+# granular level, focusing on individual threads. Falco rules reference the thread leader 
+# as the process. The size of the threadtable should typically be much higher than the 
+# number of currently alive processes. The default value should work well on modern 
+# infrastructures and be sufficient to absorb bursts.
 #
-# In some cases, you may encounter empty fields for container metadata. To
-# address this, you can explore the `--disable-cri-async` option, which disables
-# asynchronous fetching if the fetch operation is not completing quickly enough.
+# Reducing its size can help in better memory management, but as a consequence, your 
+# process tree may be more frequently disrupted due to missing threads. You can explore 
+# `metrics.state_counters_enabled` to measure how the internal state handling is performing, 
+# and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
+# if you should increase this value for optimal performance.
+falco_libs:
+  thread_table_size: 262144
+
+# [Incubating] `container_engines`
 #
-# To get more information on these command-line arguments, you can run `falco
-# --help` in your terminal to view their current descriptions.
+# This option allows you to explicitly enable or disable API lookups against container 
+# runtime sockets for each supported container runtime. 
+# Access to these sockets enables Falco to retrieve container and Kubernetes fields, 
+# helping identify workload owners in modern containerized environments. 
+# Refer to the fields docs:
+# 
+# - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)
+# - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)
+# 
+# Additionally, Falco can use container events as a data source for alerting (evt.type = container).
+# 
+# For most container engines, you can solely enable or disable them, and Falco will search the 
+# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
 #
-# !!! The options mentioned here are not available in the falco.yaml
-# configuration file. Instead, they can can be used as a command-line argument
-# when running the Falco command.
+# However, for Kubernetes settings, you can customize the CRI socket paths:
+# 
+# - `container_engines.cri.sockets`: Pass a list of container runtime sockets.
+# - `container_engines.cri.disable_async`: Since API lookups may not always be quick or 
+# perfect, resulting in empty fields for container metadata, you can use this option option 
+# to disable asynchronous fetching. Note that missing fields may still occasionally occur.
+# 
+# The equivalent (stable) CLI args are `--cri` or `--disable-cri-async`.
+
+container_engines:
+  docker:
+    enabled: true
+  cri:
+    enabled: true
+    sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"]
+    disable_async: false
+  podman:
+    enabled: true
+  lxc:
+    enabled: true
+  libvirt_lxc:
+    enabled: true
+  bpm:
+    enabled: true
--- a/proposals/20210501-plugin-system.md
+++ b/proposals/20210501-plugin-system.md
@@ -335,7 +335,7 @@ typedef struct
 	// the type of the value they return (string, integer...).
 	// Required: no
 	// Arguments:
-	// - evtnum: the number of the event that is bein processed
+	// - evtnum: the number of the event that is being processed
 	// - id: the numeric identifier of the field to extract. It corresponds to the
 	//   position of the field in the array returned by get_fields().
 	// - arg: the field argument, if an argument has been specified for the field,
--- a/proposals/20230620-anomaly-detection-framework.md
+++ b/proposals/20230620-anomaly-detection-framework.md
@@ -0,0 +1,112 @@
+# On Host Anomaly Detection Framework - New `anomalydetection` Plugin
+
+## Motivation
+
+**A Wind of Change for Threat Detection**
+
+Feel that light breeze? That is the continued advancement of cloud native security blowing steady. But despite our progress, threat actors are outpacing our innovation constantly finding new ways to thwart and tornado past our achievements — rule-based detections focus on what we *think* attackers will do, not on what they *are* doing and generate enough alerts to bury security analysts in a sandstorm of poor signal-to-noise. Can this dynamic be blown back to shift the information asymmetry in favor of defenders?
+
+This framework lays the foundation on how to create high-value, kernel signals that are difficult to bypass - but not in the traditional way. Advanced data analytics is an emerging crosswind that enables us to soar past attackers by detecting deviations in current behavior from past behavior. 
+
+## Benefits to the Ecosystem
+
+Advanced data analytics enables us to combine the intricacies of the Linux kernel with on-host anomaly detection in cloud native and cloud environments to determine patterns of past behavior in running applications. By detecting deviations in current behavior from past behavior, we can shift the focus away from relying solely on signatures and rule matching to catch attackers.
+
+Threat detection in open source and more importantly cloud native is constrained by the amount of rules we can write and the signatures we know to look for in our environments. But these have the same problem: they assume our attackers don't change what they're doing. The reality is attackers are not limited to the ways, means, and methods they employ to expose, manipulate, or even destroy our data, systems, and organizations. 
+
+This framework leverages an attacker's mindset applied to detection engineering: observing and learning about our targets to create more rich and actionable alerts so we can catch them earlier and more often - regardless if it's behavior we know about, or something we haven't seen yet.
+
+## Elevator Pitch
+
+When Falco processes events in userspace, its rules engine filters the events while the parsers simultaneously update and maintain an internal state. This state includes a process tree cache that enhances Falco alerts by providing contextual information derived from previous events. The goal is to enhance the "state engine" even further and provide an option for monitoring the behavior of applications over time.
+
+To achieve this, end users define a "behavior profile" in the configuration by combining existing event fields such as process name, file descriptor (fd), executable path, parent lineage, cmdline, and others. During event parsing on the hot path, Falco compresses and stores this information in a "filter" - an efficient probabilistic data structure that optimizes space, time, robustness and accuracy. As time progresses, Falco provides more accurate estimates of application behavior counts and identifies events as rare or heavy hitters. Instead of analyzing the original event stream, you can write Falco rules based on pre-filtered data. 
+
+This approach introduces a novel threat detection framework that analyzes abnormal application behavior in real-time, derived and observed in a data-driven fashion, without requiring operator reconfiguration of Falco. It complements the operator's expertise and extends capabilities similar to our current practices. The new capability draws inspiration from big data stream and database query optimizations, ensuring that Falco maintains a streamlined real-time one-pass stream with zero allocations.
+
+Similar to Falco rules, the analysis of events may require multiple behavior profiles of different dimensions based on sets of events. These profiles can either vote in parallel or in a cascading fashion, a common practice in established algorithms. This is just the beginning and and paves the way for more sophisticated approaches, such as running Falco in a DAST-like capacity to build a pre-state pattern file on a workload with test data and soften the cold-start via distributing it to production.
+
+## Challenges and Considerations
+
+First, The Falco Project is committed to continuously ensuring access to the most accurate data possible for on-host threat detection. As an example, recent efforts involved expanding kernel signal logging, such as verifying if an execve call is linked to a file descriptor existing exclusively in memory or improving the efficient and reliable resolution of symlinks for executable paths. Therefore, the proposed anomaly detection framework operates under the assumption of having the *correct* data, thereby complementing the ongoing efforts to expand logging coverage and improve its quality. In summary, the primary focus of the framework is to derive increased value from the existing *right* data that is currently available.
+
+There is a common perception that attacks on running cloud applications, as well as their indicators of compromise, are typically rare when the appropriate data or combination of signals is considered. While this holds true, there are inherent challenges in applying this concept of rarity to robust data analytics approaches. 
+
+On the one hand, this is due to the diverse range of attacks and attack vectors. An attacker may introduce a new malicious binary (which is comparatively easier to detect using traditional rules and high-value kernel signals) after gaining initial access. Alternatively, they may exploit existing binaries, shell built-ins, and employ obfuscation techniques to "live off the land". The Turing completeness of the latter scenario, in particular, leads to an infinite number of attack possibilities.
+
+However, what poses even more challenges in anomaly detection lies not necessarily in the nature of attacks but rather in identifying the right signals and their appropriate combinations for robust analytics to distinguish between normal and anomalous behavior. This challenge becomes particularly evident when considering the natural fluctuations in application behavior over time and the occurrence of ad-hoc legitimate debugging activities. Such fluctuations can arise from various factors, including routine deployment updates. Moreover, certain applications may produce random file names or execute arbitrary executable paths as part of their regular operations, adding to the challenge of anomaly detection. This is compounded by the inherent "cold start" issue when initially observing an application. In such cases, the algorithms must demonstrate flexibility and robustness by recognizing and encoding consistent patterns, similar to how humans can identify the sameness by examining combinations of file names, command arguments, parent process lineage, and other attributes. Furthermore, factors like data inconsistency and the diverse forms of data representations (comprising a mix of numeric data and strings with varying meanings) further complicate the task.
+
+We believe it is important to incorporate operator heuristics or domain knowledge into the algorithm's definition of rarity. For example, while current algorithms are capable of generating human faces, they used to frequently produce images with different eye colors. However, if we were to inform the machine that humans typically have matching eye colors, it could easily correct this discrepancy. This highlights the role of the security engineer as a guiding hand to the algorithms, both in terms of handling noise tolerance and choosing the appropriate data to be ingested into the algorithm. This is crucial as machines are currently limited in their ability to draw meaningful observations from limited data and constrained memory. In summary, this is where the fusion of data-driven anomaly detection and rules matching will come into play.
+
+Lastly, the value proposition of conducting real-time anomaly analysis on the host lies in the unique options it offers, which cannot be achieved through alternative methods. On the host, we can observe anomalies based on all relevant and observed kernel events. In contrast, sending a large volume of kernel events to a centralized system would be impractical, resulting in significant costs for data pipeline management and data lake compute expenses.
+
+## Initial Scope
+
+The initial scope is to implement the Count Min Sketch algorithm using n shared sketches and expose its count estimates as new filterchecks for use in Falco rules. An MVP can be explored in this libs draft PR [wip: new(userspace/libsinsp): MVP CountMinSketch Powered Probabilistic Counting and Filtering](https://github.com/falcosecurity/libs/pull/1453). Moreover, the initial anomaly detection framework will include a transparent `plugin` user interface for defining application behavior profiles and utilizing sketch count estimates in Falco rules. The primary direct benefit lies in establishing a safety boundary for Falco rules in production environments, allowing for broader rule monitoring while preventing Falco rules from blowing up in production.
+
+Furthermore, The Falco Project will provide adopters with valuable initial use cases, recommended thresholds, and callouts for known issues. One important consideration is the identification of SRE anti-patterns. Another consideration is to provide *very clear* guidance to adopters for setting and configuring parameters, including recommended minimums. Additionally, guidance should be provided on indicators to look for in order to determine if adjustments need to be made and in which direction, particularly when defining application behavior profiles.
+
+## High-Level Technical Design of a New `anomalydetection` Plugin
+
+This document provides a high-level proposal with limited technical details.
+
+*Probabilistic Data Structures*
+
+One option for implementing the probabilistic filter is by utilizing a robust two-dimensional probabilistic data structure known as the Count Min Sketch. This data structure is widely employed in distributed stream processing frameworks such as Apache Spark, Apache Storm, Apache Flink, and others, as well as databases like Redis and PostgreSQL.
+
+Technical details and implications are extensively covered in numerous research papers and textbooks. Therefore, here are some key points to consider in order to make informed choices:
+
+- The challenges posed by both hard and soft collisions can be mitigated by using multiple non-cryptographic hash functions, which has been mathematically proven to be effective.
+- Despite providing one-sided error bounds and preventing undercounting, the sketchy data structure requires adopters to define a tolerance level for overcounting. This tolerance level determines what qualifies as rare or noteworthy.
+- To enhance accuracy and reduce estimation errors, consider debiasing data (e.g. Count Min Sketch with Conservative Updates) or applying a logarithmic scale to address kernel event data skew. The logarithmic scale may suit threat detection, targeting low-frequency or long-tail attack-related items. However, only use if performance overhead is acceptable.
+- Use larger shared sketches and incorporate container IDs as part of the behavior profiles to differentiate between workloads / applications. Conversely, use separate sketches for distinct behavior profiles, also known as the "what we are counting".
+- ... and numerous other aspects that will be discussed in subsequent implementation PRs.
+
+*Plumbing and Interface*
+
+The ultimate goal is to introduce these new capabilities as plugin. A significant amount of work will be dedicated to addressing the necessary plumbing required to support the new framework and integrate it with the existing rules filtering, `libsinsp` and `plugin` mechanisms. This integration aims to provide a user-friendly interface that allows users to easily configure and utilize the opt-in framework for different use cases. 
+
+For instance, the interface should empower end users to define error tolerances and, consequently, sketch dimensions, along with other tuning parameters, bounds, and settings. Ultimately, it should enable the definition of n behavior profiles to facilitate the use of count estimates in Falco rules.
+
+## What this Framework is Not
+
+- This framework is not intended to function as an event aggregator or enhancer, such as netflow data. Its sole purpose is to serve as an anomaly filter for individual events, utilizing the existing sinsp state, the newly built state through sketches, and the current rules engine.
+- The development of this framework will not be swayed by overly specific use cases that limit its broader adoption and coverage.
+- While it may not offer flawless attack threat detection from the beginning, it serves as an initial step towards comprehensive event logging and analysis, capturing all events that exhibit any form of new or changing behavior we observe. Therefore, initially, the greatest value lies in combining it with regular Falco rules based on the anomaly-filtered event stream.
+
+## Why now?
+
+In case you haven't noticed, advanced data analytics is quite the big deal these days, and we can leverage robust established algorithms used in real production settings across various industries. The novelty lies in addressing the specific data encoding challenges unique to the field of cybersecurity, not re-inventing already established algorithms.
+
+Furthermore, over the past several Falco releases, we have significantly improved stability, configurability, and capabilities. Notably, the plugins system has been refined over the past year to efficiently access the complete `libsinsp` state, now also featuring an improved CPP SDK. Additionally, it now seamlessly collaborates with the existing primary syscalls event source, deviating from its original purpose of processing new data sources. This improvement allows for more intuitive functionality, as demonstrated by the new `k8smeta` plugin. Now is the opportune time to further enhance proven threat detection capabilities and expand the plugins system even more. 
+
+*Initial community feedback concerning the KubeCon NA 2023 Full Talk*
+
+- Overall, the feedback for [A Wind of Change for Threat Detection](https://kccncna2023.sched.com/event/1R2mX/a-wind-of-change-for-threat-detection-melissa-kilby-apple) was very positive and appreciative, particularly regarding the direct real-life benefits (a safety boundary for Falco rules enabling broader monitoring that won't blow up in production). Suggestions for future development included integrating the sketch directly into the kernel driver (which would be a remarkable achievement if feasible). Lastly, people have inquired about the timeline for the availability of this feature.
+- Refer to the [KubeCon NA 2023 Slides](https://static.sched.com/hosted_files/kccncna2023/c5/A%20Wind%20of%20Change%20for%20Threat%20Detection%20-%20Melissa%20Kilby%20-%20KubeCon%20NA%202023.pdf) or [attached PDF](kubeconna23-anomaly-detection-slides.pdf) for more information. Here's the [Talk Recording](https://www.youtube.com/watch?v=1y1m9Vz93Yo) (please note that the first four minutes of the video are missing, but the slides and audio recordings are complete).
+
+*Falco Community Call - January 17, 2024*
+
+See dedicated [HackMD](https://hackmd.io/Ss0_1avySUuxArBQm-oaGQ?view):
+
+- While not blocking the start of the plugin or an alpha dev version, there's feedback from @jasondellaluce that plugins cannot access the existing `libsinsp` filtercheck. It would be advantageous to enable this access to avoid reimplementing them and the constant risk of falling out of sync with `libs`. @leogr mentioned that supporting this over time should be possible.
+- We have discussed the plugins config and are currently undecided on whether the definition of the behavior profile per sketch, meaning the fields that are string concatenated together and counted, should reside in the plugins config or in the rules files. The latter would potentially require a new rules component. Final decisions will be deferred to a later stage to ensure the config is intuitive, and we want to guarantee proper sketch definition when attempting to run Falco rules using the `anomalydetection` plugin.  
+- One use case, namely determining if a rule has previously occurred in a container, could be addressed by this framework as well. However, we are currently unsure how to expose the rule names, as `libsinsp` is not aware of them. This may be an optimization we can address later and does not block the development of an initial version.
+- Future use cases might involve counting distinct values, utilizing the hyper log log algorithm. However, there will be additional technical challenges to overcome.
+- Finally, just to reiterate some feedback from the KubeCon talk, there's a suggestion that, perhaps in the future, we could pass intelligence back and forth between the drivers and userspace. This idea has been discussed independently, especially in the context of kernel-side filtering. However, such capabilities would be a long-term consideration.
+
+## Proposed Timelines
+
+- Falco 0.37.0: Design details and scaffolding
+- Falco 0.38.0: Experimental release
+- Falco 0.39.0: First release
+
+## Resources / References
+
+- [Probabilistic Data Structures and Algorithms
+for Big Data Applications](https://www.gakhov.com/books/pdsa.html) book
+- [Count Min Sketch blog 1](https://towardsdatascience.com/big-data-with-sketchy-structures-part-1-the-count-min-sketch-b73fb3a33e2a)
+- [Count Min Sketch blog 2](https://www.synnada.ai/blog/probabilistic-data-structures-in-streaming-count-min-sketch)
+- [Count Min Log Sketch](https://arxiv.org/pdf/1502.04885.pdf) paper
+- [Count Min Sketch with Conservative Updates](https://hal.science/hal-03613957/document#:~:text=Count%2DMin%20Sketch%20with%20Conservative%20Updates%20(CMS%2DCU),because%20of%20its%20inherent%20difficulty) paper
+- [xxHash](https://github.com/Cyan4973/xxHash) as new dependency for fast and reliable hashing (using xxh3)
--- a/proposals/20231220-features-adoption-and-deprecation.md
+++ b/proposals/20231220-features-adoption-and-deprecation.md
@@ -0,0 +1,219 @@
+# Features Adoption and Deprecation Policies Proposal
+
+This proposal aims to introduce a balance between maintaining adopter trust and the need for The Falco Project to evolve. Historically, Falco has favored rapid evolution over providing long-term support for features and interfaces. However, some project subsystems have been implicitly assumed not to allow backward-incompatible changes (e.g., we have almost never removed a condition syntax field). These implicit conventions have never been formalized, and decisions in this regard have been left unspecified.
+
+## Goals
+
+- Establish adopter expectations on the operational cost of using Falco.
+- Provide a clear path for features to be adopted and dismissed.
+- Allow quick evolution and experimentation without disrupting our adopters' deployments.
+- Detail the process for introducing new features, following a "sandbox" to "incubating" to "stable" progression.
+- Define the scope of the policy, including which aspects of Falco are covered (e.g., command line flags, configuration files, rules syntax).
+- Establish stages for deprecating features, aligning with the project's current status (pre- and post-1.0 stages).
+- Adopt a semantic versioning (semver) approach.
+
+## Non-Goals
+
+- Define the number of previous releases that will receive patches or security updates and the duration of this support.
+- Define the criteria for Falco 1.0.
+
+## Scope
+
+The proposed policies apply to Falco, its subsystems (e.g., rules, the plugin system), and all [core projects](https://github.com/falcosecurity/evolution#core) which are deemed [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable), thus officially supported by The Falco Project.
+
+## Definitions
+
+### Feature Changes
+
+A feature is a distinct and specific functionality or characteristic of Falco and its core components that provides value to the user by enabling them to perform particular tasks. Features encompass aspects such as functionality, user value, usability, integrability, scalability, configurability, and discoverability. Features can range from essential user interface elements to complex, multifunctional operations.
+
+A feature change refers to any modification or update to an existing feature or the addition of a new feature. This does not include documentation, Falco compatibility across different environments, platforms, systems, or other software or hardware, bug fixing (stated it does not require a feature change to overcome the problem), and performance (unless a change produces a measurable effect on usability).
+
+### Behavior Changes
+
+A behavior change refers to alterations in how Falco, or a specific feature within it, operates or responds under certain conditions. Unlike feature changes, behavior changes are more about tweaking the underlying logic or the way existing features interact or perform, particularly the expected behavior of Falco when run with the default configuration.
+
+Behaviors are generally documented. Any modification that does not meet the conditions and expectations of an already documented feature is assumed to be a behavior change.
+
+Undocumented behaviors may be included in this definition if there's strong evidence or suspicion that users rely on those undocumented behaviors.
+
+### User-Facing Changes
+
+User-facing changes refer to any feature changes, behavior changes, modifications, or additions that are directly noticeable and interactable by the end users. These changes affect how Falco operates from the user's perspective (notably any change that can lead to user disruption). Unlike internal changes (i.e., code refactoring, CI, maintenance-related changes), which are under-the-hood improvements not directly visible to the user, user-facing changes are evident in the Falco and its core components interface and functionality.
+
+### CLI/Config Area
+
+Falco is comprised of the Falco binary and other programs and tools cooperating (notably [falcoctl](https://github.com/falcosecurity/falcoctl)). These programs are the primary user interface for Falco. Any feature or behavior changes to the following elements of these programs are assumed to be user-facing changes to the CLI/Config area:
+
+- Program name.
+- Distribution mechanism and packaging (e.g., a container image).
+- Command line flags and options.
+- Environment variables.
+- Configurations.
+- Elements that affect the program's lifecycle (e.g., the effect of sending a SIGINT to the program).
+- Elements that allow scripting, automation, or interaction with other programs (e.g., piping and redirection).
+- Program inputs, excluding elements explicitly governed by other areas (e.g., [Falco rules](#rules-area)).
+- Program outputs excluding elements explicitly governed by other areas (e.g., [Falco outputs/alerts](#outputs-alerts-area)).
+
+### Rules System Area
+
+Rules are the primary input for Falco. Any feature or behavior changes to the following aspects or elements are assumed to be user-facing changes to the rules system area:
+
+- Syntax.
+- File format.
+- Schema (i.e., supported fields).
+- Elements that affect the way users can implement rules.
+- Elements that affect the way rules are triggered.
+
+However, any change related to the rule's output when triggered (i.e., the alert) is out of scope for this area (see next section).
+
+Note that this area does not include changes related to the ruleset files. Ruleset distributions follow their own [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) policies. 
+
+### Outputs/Alerts Area
+
+Alerts, delivered through Falco output channels, are Falco's primary output. The way and the format in which alerts are produced can have a significant impact on adopters. For example, removing a supported rule field also impacts this area, as adopters may have relied on that field when consuming Falco output.
+
+Any feature or behavior changes to the following aspects or elements are assumed to be user-facing changes to the Outputs/Alerts area:
+
+- Output and logging formats.
+- Schema of outputted data (i.e., supported fields).
+- Falco output channels.
+- Any element that might be consumed from the output.
+
+### Subsystem APIs (Plugins, gRPC Output, Metrics, etc.) Area
+
+Falco is also comprised of several subsystems providing specific APIs. These subsystems notably include plugin system API, gRPC output API, and metrics API.
+
+In the context of this proposal, only changes to **public APIs** are assumed to be user-facing changes to this area.
+
+Public APIs are defined as those supporting Falco functioning and explicitly intended for user usage. Internal APIs consumed by Falco or other tools are out of scope for this area. For instance, the driver APIs or libs APIs are intended to be mainly consumed by Falco and not by users.
+
+### Platform Support Area
+
+Platform support for Falco encompasses the range of platforms, systems, and environments it is designed to operate in. Platform support may significantly vary by Falco's data sources and use cases. For example, its compatibility differs when utilized for Kubernetes audit events versus system call events. Additionally, platform support can be influenced by deployment methods (e.g., directly on a host versus within Kubernetes) or configurations (e.g., running in privileged versus least privileged mode).
+
+Given the diversity of potential platforms and setups, only those explicitly listed in Falco's documentation are considered officially supported. While Falco may function on other platforms, official support is guaranteed solely for documented ones.
+
+Therefore, changes in platform compatibility or behavior that are documented explicitly assumed to be user-facing changes to the Platform Support area.
+
+### Release Cycle
+
+In the context of this proposal, a release cycle is the period between two consecutive major or minor releases of Falco. Hotfix/Patch releases must not be counted.
+
+The actual duration of a release cycle can vary. Still, it's assumed to be about 16 weeks (as per our current defined [Release Cycles and Development Iterations](https://github.com/falcosecurity/falco/blob/master/proposals/20230511-roadmap-management.md#release-cycles-and-development-iterations)). In case of future modification to the Falco release schedule, a period of minimum 3 months must be assumed.
+
+## Proposal
+
+### Maturation Levels
+
+Maturation levels (inspired by those we already have in place for [repositories](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#status)) are used to characterize the maturity of a feature. Each feature will have an assigned level  at any specific time (i.e., a Falco release). Levels are shown in the table below.
+
+| Maturity Level | Intended for |
+| --- | --- |
+| Sandbox |  Experimental/alpha features, not recommended for production use, can be removed at any time without further notice. |
+| Incubating | Beta features, long-term support is not guaranteed. |
+| Stable | General Availability (GA) features for which long-term support is expected. |
+| Deprecated | See the [deprecation policy](#Deprecation-policy) section below. |
+
+### Adoption Policy
+
+The adoption policy applies to any backward compatible user-facing changes which add functionalities. For non-backward compatible changes see the [deprecation policy](#Deprecation-policy) below.
+
+**Adoption rules**:
+1. A feature can be introduced at only one of the following levels:
+   - Sandbox: The feature must be opt-in (e.g., not enabled by default), labeled as *Sandbox* and the user must be proactively informed by the experimental nature of the feature (i.e. emitting a notice when the feature is being enabled).
+   - Incubating: The feature must be labeled as *Incubating*.
+2. Any functionality additions to an existing feature are inherently introduced at the same level as the feature itself unless logically separable (for instance, a sub-feature that may be enabled separately).
+3. A feature can be promoted *from Sandbox to Incubating* or *from Incubating to Stable* only after at least one release cycle has passed without user-facing changes to the feature.
+4. A feature cannot be demoted to a previous level.
+
+
+_Note about behaviors_:
+This policy indirectly applies to behaviors, too. Behavior changes are assumed to be a consequence of a feature change. The adoption level of a documented behavior is considered to be the same as the related feature. Furthermore, behavior changes are particularly relevant in the context of deprecation (see the next section).
+
+
+### Deprecation Policy
+
+The deprecation policy applies to any non-backward compatible user-facing changes. Any other changes introduced in a backward-compatible manner does not fall under the scope of this deprecation policy.
+
+**Deprecation rules**:
+1. Sandbox features can be removed or changed at any time without notice. No deprecation period is required.
+2. Incubating or Stable features and documented behaviors must enter a deprecation period and function for no less than the indicated release cycles (see tables below) after their announced deprecation. 
+   - If the change affects the feature partially, the deprecation applies only to that feature part. 
+   - If the change removes the feature entirely, the deprecation applies to the entire feature.
+3. At least for the entire deprecation period, the feature must be labeled as *Deprecated* in all relevant documentation, and:
+   - for deprecated configurations or CLI elements, a warning must be emitted warnings when the feature is being enabled or used;
+   - for deprecated APIs, when technically feasible, the API should be signal the deprecation status (this may vary depending on the specific subsystem);
+   - for deprecated behaviors the documentation must highlight the _before_ and _after_ behavior, alongside with a prominent deprecation notice.
+4. Any Pull Request introducing a deprecation notice must be labeled and include a note in the format `DEPRECATION NOTICE: ...`.
+5. Any Pull Request introducing a breaking change due to the end of the deprecation notice period must be labeled and include a note in the format `BREAKING CHANGE: ...`. 
+   - It is also recommended for code commits that introduce a breaking change to follow the related [conventional commit spec](https://www.conventionalcommits.org/en/v1.0.0/#specification).
+
+The minimum deprecation period length depends on the affected area. If a single change spans multiple areas, the area with the most extended deprecation period is assumed. Longer deprecation periods are allowed if the feature is deemed to be particularly critical or widely used.
+
+#### Deprecation Period Lengths
+
+_The units represent the number of releases._
+
+##### Before Falco 1.0
+
+| Area           | Stable | Incubating |
+| -------------- | ------ | ---------- |
+| *all areas*    | 1      | 0          |
+
+##### Since Falco 1.0 onward
+
+| Area           | Stable | Incubating |
+| -------------- | ------ | ---------- |
+| Behaviors      | 2      | 1          |
+| Rules System   | 2      | 1          |
+| Output/Alerts  | 2      | 1          |
+| Platform       | 2      | 1          |
+| CLI/Config     | 1      | 1          |
+| Subsystem APIs | 1      | 0          |
+
+### Examples
+
+**Example 1** Let's consider a feature _foo_ in the Output/Alerts Area introduced in Falco 1.0.0 and labeled as *Incubating*. The feature is promoted to *Stable* in Falco 1.1.0 (because the feature did not get any user-facing change).
+Subsequently, maintainers decide that backward-compatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
+
+**Example 2** The `--bar` flag in the CLI/Config Area has been introduced since Falco 1.1.0 and is labeled as *Stable*. Before releasing Falco 1.5.0, maintainers realize `--bar` is redundant and should be removed. The flag is labeled as *Deprecated* in Falco 1.5.0, and the deprecation period starts. The flag is removed in Falco 1.6.0.
+
+### Exceptions
+
+- Ruleset in the official distributions follow the [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) policies.
+- Subsystems or subcomponents may have additional criteria and exceptions. Stated other criteria and exceptions must not directly affect the main Falco distribution (e.g., *falcoctl* can have a different release cycle and different policies; however, if Falco relies on a specific *falcoctl* feature, that *falcoctl* feature adoption and deprecation must be strictly compatible with the rules described in this proposal).
+- Internal APIs are out of scope for this policy. Their adoption models and deprecation policies might be regulated separately.
+- Different parties may provide plugins, and each plugin may have a different maturity level. Only those plugins officially maintained by The Falco Project and identified as "core" for Falco are in scope for this policy; all others are excluded.
+- Any other exceptions to the rules provided by this policy require a formal core maintainer majority vote.
+
+### Versioning
+
+Regarding the above policies, component versioning must adhere to [Semantic Versioning 2.0.0](https://semver.org/). However, in the context of Falco core components, the scope extends beyond the strict API definition and includes any user-facing changes.
+
+Thus, given a version number `MAJOR.MINOR.PATCH` increment the:
+
+- *MAJOR* version when the deprecation period of one or more _stable_ features ends, thus introducing incompatible user-facing or API changes.
+- *MINOR* version when adding functionality in a backward-compatible manner.
+- *PATCH* version when making backward-compatible bug fixes.
+
+Moreover, *MAJOR* version zero (0.y.z) is for versioning stabilization (i.e., before defining the public set of user-facing features and APIs). At this stage, the *MINOR* version is allowed to be incremented instead of the *MAJOR* version.
+
+### Documentation
+
+Documentation must be tied to a specific release and reflect the adoption level status of a feature at that specific release. In particular:
+
+- Deprecated items must be labeled `DEPRECATED` in all relevant documentation.
+- Stable items must be sufficiently documented. Explicitly labeling the Stable status is not required or recommended.
+- Incubating items must be sufficiently documented and labeled  `INCUBATING` in all relevant documentation.
+- Sandbox items may be partially documented and labeled `SANDBOX` in all relevant documentation, if any. The relevant documentation must also explicitly state the experimental nature of the item.
+
+## Transition Phases
+
+Since software components may need to adapt to implement the requirements this proposal mandates, we assume the following stages are required to transition from the current state to the desired state fully:
+
+- Within Falco 0.38, at least stable features must be identified, and the adoption policy and relevant documentation should be implemented in Falco. Exceptions may be made temporarily for the deprecation policy.
+- Within subsequent releases and no later than Falco 1.0.0 (still not scheduled to date), all the policies must be strictly implemented in Falco and documented in [falco.org](falco.org). The [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) must be adapted to ensure it aligns with the spirit of this proposal. Exceptions may be made temporarily for other [core projects](https://github.com/falcosecurity/evolution#core) with [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) status, assuming exceptions don't severely affect the main Falco distribution.
+- Within Falco 1.1.0, all the policies must be strictly implemented in Falco and in all [core projects](https://github.com/falcosecurity/evolution#core) with [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) status.
+
+During the transition phases, maintainers can fine-tune these policies and add further exceptions, eventually. After this initial transition phases, the policy is assumed to be established. From then on, any policy modifications, updates, and exceptions must be subject to a core maintainer majority vote to ensure the policy remains relevant and practical.
--- a/proposals/kubeconna23-anomaly-detection-slides.pdf
+++ b/proposals/kubeconna23-anomaly-detection-slides.pdf
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -2,35 +2,44 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	# Systemd
 	file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/scripts/systemd)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service"
-			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)
+	configure_file(
+		"${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
+	)

 	# Debian
 	configure_file(debian/postinst.in debian/postinst COPYONLY)
@@ -44,10 +53,32 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 endif()

 # Install Falcoctl config file
-if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT EMSCRIPTEN
+   AND NOT MUSL_OPTIMIZED_BUILD
+)
 	if(NOT DEFINED FALCOCTL_ETC_DIR)
 		set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
 	endif()
-	configure_file(${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml)
-	install(FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+	set(FALCOCTL_DRIVER_TYPES_LIST "")
+	if(BUILD_FALCO_MODERN_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "modern_ebpf")
+	endif()
+	if(BUILD_DRIVER)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
+	endif()
+	if(BUILD_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
+	endif()
+	string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
+	configure_file(
+		${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in
+		${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml
+	)
+	install(
+		FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml
+		DESTINATION "${FALCOCTL_ETC_DIR}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -17,7 +17,8 @@
 # limitations under the License.
 #

-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
 chosen_unit=
 CHOICE=

@@ -38,43 +39,56 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true

 if [ "$1" = "configure" ]; then
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
        case $FALCO_DRIVER_CHOICE in
-              kmod)
-                  CHOICE=2
+              none)
+                  CHOICE=1
                  ;;
-              ebpf)
+              kmod)
                  CHOICE=3
                  ;;
-              modern_ebpf)
+              ebpf)
                  CHOICE=4
                  ;;
+              modern_ebpf)
+                  CHOICE=5
+                  ;;
        esac     
        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
            # If dialog is installed, create a dialog to let users choose the correct driver for them
            CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                    1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                    2>&1 >/dev/tty)
-        fi         
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
        case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
+            1)
+                chosen_driver=""
                ;;
            3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
+                chosen_driver="kmod"
                ;;
            4)
+                chosen_driver="ebpf"
+                ;;
+            5)
                chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
                ;;
        esac
-        if [ -n "$CHOICE" ]; then
-            echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
            CHOICE=
            case $FALCOCTL_ENABLED in
                no)
@@ -108,10 +122,15 @@ case "$chosen_driver" in
      # Only compile for kmod, in this way we use dkms
      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
      falcoctl driver install --download=false
+      chosen_unit="kmod"
      ;;
    "ebpf")
      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
      falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
      ;;
 esac

--- a/scripts/falcoctl/falcoctl.yaml.in
+++ b/scripts/falcoctl/falcoctl.yaml.in
@@ -1,5 +1,5 @@
 driver:
-    type: "kmod"
+    type: [@FALCOCTL_DRIVER_TYPES@]
    name: "@DRIVER_NAME@"
    repos:
        - "@DRIVERS_REPO@"
@@ -10,7 +10,7 @@ artifact:
    every: 6h0m0s
    falcoVersions: http://localhost:8765/versions
    refs:
-    - falco-rules:0
+    - falco-rules:3
 indexes:
 - name: falcosecurity
  url: https://falcosecurity.github.io/falcoctl/index.yaml
--- a/scripts/publish-bin
+++ b/scripts/publish-bin
@@ -39,9 +39,15 @@ fi
 s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
 cloudfront_path="/packages/${repo}/${arch}"

+# sign
+
+gpg --detach-sign --digest-algo SHA256 --armor ${file}
+
 # publish
 package=$(basename -- ${file})
 echo "Publishing ${package} to ${s3_bucket_repo}..."
 aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+aws s3 cp ${file}.asc ${s3_bucket_repo}/${package}.asc --acl public-read

-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
--- a/scripts/publish-deb
+++ b/scripts/publish-deb
@@ -121,6 +121,47 @@ update_repo() {
    popd > /dev/null
 }

+reduce_dir_size() {
+    local DIR=$1
+    local MAX_SIZE_GB=$2
+    local EXTENSION=$3
+    local MAX_SIZE=$((MAX_SIZE_GB*1024*1024))  # Convert GB to KB for du command
+
+    # Check if directory exists
+    if [[ ! -d "$DIR" ]]; then
+        echo "The directory $DIR does not exist."
+        return 1
+    fi
+
+    # Calculate current directory size in KB
+    local CUR_SIZE=$(du -sk "$DIR" | cut -f1)
+
+    # Check if we need to delete any files
+    if ((CUR_SIZE <= MAX_SIZE)); then
+        return 0
+    fi
+
+    # Calculate size to delete in bytes
+    local DEL_SIZE=$(( (CUR_SIZE - MAX_SIZE) * 1024 ))
+
+    local ACC_SIZE=0
+    find "$DIR" -maxdepth 1 -type f -name "*.$EXTENSION" -printf "%T+ %s %p\n" | sort | while read -r date size file; do
+        if ((ACC_SIZE + size < DEL_SIZE)); then
+            rm "$file"
+            ACC_SIZE=$((ACC_SIZE + size))
+            
+            local asc_file="$file.asc"
+            if [[ -e "$asc_file" ]]; then
+                local asc_size=$(stat --format="%s" "$asc_file")
+                rm "$asc_file"
+                ACC_SIZE=$((ACC_SIZE + asc_size))
+            fi
+        else
+            break
+        fi
+    done
+}
+
 # parse options
 while getopts ":f::r::s" opt; do
    case "${opt}" in
@@ -188,6 +229,11 @@ if [ "${sign_all}" ]; then
  sign_repo ${tmp_repo_path} ${debSuite}
 fi

+# remove old dev packages if necessary
+if [[ ${repo} == "deb-dev" ]]; then
+  reduce_dir_size "${tmp_repo_path}/${debSuite}" 10 deb
+fi
+
 # update the repo by adding new packages
 if ! [ ${#files[@]} -eq 0 ]; then
  for file in "${files[@]}"; do
@@ -211,4 +257,10 @@ fi

 # sync dists
 aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
+
+# delete packages that have been pruned
+# the dryrun option is there so we can check that we're doing the right thing, can be removed after testing
+if [[ ${repo} == "deb-dev" ]]; then
+  aws s3 sync "${tmp_repo_path}/${debSuite}" ${s3_bucket_repo} --dryrun --delete --acl public-read
+fi
--- a/scripts/publish-rpm
+++ b/scripts/publish-rpm
@@ -53,6 +53,47 @@ update_repo() {
    popd > /dev/null
 }

+reduce_dir_size() {
+    local DIR=$1
+    local MAX_SIZE_GB=$2
+    local EXTENSION=$3
+    local MAX_SIZE=$((MAX_SIZE_GB*1024*1024))  # Convert GB to KB for du command
+
+    # Check if directory exists
+    if [[ ! -d "$DIR" ]]; then
+        echo "The directory $DIR does not exist."
+        return 1
+    fi
+
+    # Calculate current directory size in KB
+    local CUR_SIZE=$(du -sk "$DIR" | cut -f1)
+
+    # Check if we need to delete any files
+    if ((CUR_SIZE <= MAX_SIZE)); then
+        return 0
+    fi
+
+    # Calculate size to delete in bytes
+    local DEL_SIZE=$(( (CUR_SIZE - MAX_SIZE) * 1024 ))
+
+    local ACC_SIZE=0
+    find "$DIR" -maxdepth 1 -type f -name "*.$EXTENSION" -printf "%T+ %s %p\n" | sort | while read -r date size file; do
+        if ((ACC_SIZE + size < DEL_SIZE)); then
+            rm "$file"
+            ACC_SIZE=$((ACC_SIZE + size))
+            
+            local asc_file="$file.asc"
+            if [[ -e "$asc_file" ]]; then
+                local asc_size=$(stat --format="%s" "$asc_file")
+                rm "$asc_file"
+                ACC_SIZE=$((ACC_SIZE + asc_size))
+            fi
+        else
+            break
+        fi
+    done
+}
+
 # parse options
 while getopts ":f::r::s" opt; do
    case "${opt}" in
@@ -115,6 +156,11 @@ if [ "${sign_all}" ]; then
  sign_repo ${tmp_repo_path}
 fi

+# remove old dev packages if necessary
+if [[ ${repo} == "rpm-dev" ]]; then
+  reduce_dir_size ${tmp_repo_path} 10 rpm
+fi
+
 # update the repo by adding new packages
 if ! [ ${#files[@]} -eq 0 ]; then
  for file in "${files[@]}"; do
@@ -138,4 +184,10 @@ fi

 # sync repodata
 aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
+
+# delete packages that have been pruned
+# the dryrun option is there so we can check that we're doing the right thing, can be removed after testing
+if [[ ${repo} == "rpm-dev" ]]; then
+  aws s3 sync ${tmp_repo_path} ${s3_bucket_repo} --dryrun --delete --acl public-read
+fi
--- a/scripts/publish-wasm
+++ b/scripts/publish-wasm
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.tar.gz>"
+    exit 1
+}
+
+# parse options
+while getopts ":f:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" >&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ]; then
+    usage
+fi
+
+repo="wasm-dev" 
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -16,7 +16,8 @@
 # limitations under the License.
 #

-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
 chosen_unit=
 CHOICE=

@@ -37,43 +38,56 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true

 if [ $1 -ge 1 ]; then
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
        case $FALCO_DRIVER_CHOICE in
-              kmod)
-                  CHOICE=2
+              none)
+                  CHOICE=1
                  ;;
-              ebpf)
+              kmod)
                  CHOICE=3
                  ;;
-              modern_ebpf)
+              ebpf)
                  CHOICE=4
                  ;;
+              modern_ebpf)
+                  CHOICE=5
+                  ;;
        esac     
        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
            # If dialog is installed, create a dialog to let users choose the correct driver for them
            CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                    1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                    2>&1 >/dev/tty)
-        fi         
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
        case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
+            1)
+                chosen_driver=""
                ;;
            3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
+                chosen_driver="kmod"
                ;;
            4)
+                chosen_driver="ebpf"
+                ;;
+            5)
                chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
                ;;
        esac
-        if [ -n "$CHOICE" ]; then
-            echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
            CHOICE=
            case $FALCOCTL_ENABLED in
                no)
@@ -105,12 +119,17 @@ systemctl --system daemon-reload || true
 case "$chosen_driver" in
    "kmod")
      # Only compile for kmod, in this way we use dkms
-       echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
-       falcoctl driver install --download=false
+      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
+      falcoctl driver install --download=false
+      chosen_unit="kmod"
      ;;
    "ebpf")
      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
      falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
      ;;
 esac

--- a/scripts/systemd/falco-bpf.service
+++ b/scripts/systemd/falco-bpf.service
@@ -24,3 +24,4 @@ StandardOutput=null

 [Install]
 WantedBy=multi-user.target
+Alias=falco.service
--- a/scripts/systemd/falco-custom.service
+++ b/scripts/systemd/falco-custom.service
@@ -24,3 +24,4 @@ StandardOutput=null

 [Install]
 WantedBy=multi-user.target
+Alias=falco.service
--- a/scripts/systemd/falco-modern-bpf.service
+++ b/scripts/systemd/falco-modern-bpf.service
@@ -24,3 +24,4 @@ StandardOutput=null

 [Install]
 WantedBy=multi-user.target
+Alias=falco.service
--- a/submodules/falcosecurity-rules
+++ b/submodules/falcosecurity-rules
--- a/submodules/falcosecurity-testing
+++ b/submodules/falcosecurity-testing
--- a/tools/local_hooks/dco-pre-commit-msg.sh
+++ b/tools/local_hooks/dco-pre-commit-msg.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# This is a git pre-commit-msg hook which automatically add a 
+# DCO signed-off message if one is missing.
+#
+
+MESSAGE_FILE="$1"
+GIT_AUTHOR=$(git var GIT_AUTHOR_IDENT)
+SIGNOFF_BY=$(echo $GIT_AUTHOR | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
+
+# Verify if a DCO signoff message exists.
+# Append a DCO signoff message if one doesn't exist.
+if ! $(grep -qs "^$SIGNOFF_BY" "$MESSAGE_FILE") ; then
+  echo -e "\n$SIGNOFF_BY" >> "$MESSAGE_FILE"
+fi
+exit 0
--- a/unit_tests/CMakeLists.txt
+++ b/unit_tests/CMakeLists.txt
@@ -2,14 +2,15 @@
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #

 message(STATUS "Falco unit tests build enabled")
@@ -17,73 +18,72 @@ message(STATUS "Falco unit tests build enabled")
 include(FetchContent)

 FetchContent_Declare(
-  googletest
-  GIT_REPOSITORY https://github.com/google/googletest.git
-  GIT_TAG        release-1.12.1
+	googletest
+	GIT_REPOSITORY https://github.com/google/googletest.git
+	GIT_TAG v1.14.0
 )

 FetchContent_MakeAvailable(googletest)

-file(GLOB_RECURSE ENGINE_TESTS ${CMAKE_CURRENT_SOURCE_DIR}/engine/*.cpp)
-file(GLOB_RECURSE FALCO_TESTS ${CMAKE_CURRENT_SOURCE_DIR}/falco/*.cpp)
-
-# Create a libscap_test_var.h file with some variables used by our tests
-# for example the kmod path or the bpf path.
-configure_file (
-    "${CMAKE_CURRENT_SOURCE_DIR}/falco_test_var.h.in"
-    "${CMAKE_CURRENT_BINARY_DIR}/falco_test_var.h"
+# Create a libscap_test_var.h file with some variables used by our tests for example the kmod path
+# or the bpf path.
+configure_file(
+	${CMAKE_CURRENT_SOURCE_DIR}/falco_test_var.h.in ${CMAKE_CURRENT_BINARY_DIR}/falco_test_var.h
 )

-set(FALCO_UNIT_TESTS_SOURCES
-  "${ENGINE_TESTS}"
-  falco/test_configuration.cpp
-  falco/app/actions/test_select_event_sources.cpp
-  falco/app/actions/test_load_config.cpp
+add_executable(
+	falco_unit_tests
+	test_falco_engine.cpp
+	engine/test_add_source.cpp
+	engine/test_alt_rule_loader.cpp
+	engine/test_enable_rule.cpp
+	engine/test_extra_output.cpp
+	engine/test_falco_utils.cpp
+	engine/test_filter_details_resolver.cpp
+	engine/test_filter_macro_resolver.cpp
+	engine/test_filter_warning_resolver.cpp
+	engine/test_plugin_requirements.cpp
+	engine/test_rule_loader.cpp
+	engine/test_rulesets.cpp
+	falco/test_configuration.cpp
+	falco/test_configuration_rule_selection.cpp
+	falco/test_configuration_config_files.cpp
+	falco/test_configuration_env_vars.cpp
+	falco/test_configuration_output_options.cpp
+	falco/test_configuration_schema.cpp
+	falco/app/actions/test_select_event_sources.cpp
+	falco/app/actions/test_load_config.cpp
 )

-if (CMAKE_SYSTEM_NAME MATCHES "Linux")
-  list(APPEND FALCO_UNIT_TESTS_SOURCES
-    falco/test_atomic_signal_handler.cpp
-    falco/app/actions/test_configure_interesting_sets.cpp
-    falco/app/actions/test_configure_syscall_buffer_num.cpp)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	target_sources(
+		falco_unit_tests
+		PRIVATE falco/test_atomic_signal_handler.cpp
+				falco/app/actions/test_configure_interesting_sets.cpp
+				falco/app/actions/test_configure_syscall_buffer_num.cpp
+	)
 endif()

-set(FALCO_UNIT_TESTS_INCLUDES
-    PRIVATE
-    ${CMAKE_SOURCE_DIR}/userspace
-    ${CMAKE_BINARY_DIR}/userspace/falco # we need it to include indirectly `config_falco.h` file
-    ${CMAKE_SOURCE_DIR}/userspace/engine # we need it to include indirectly `falco_common.h` file
-	"${CMAKE_CURRENT_BINARY_DIR}" # we need it to include `falco_test_var.h`
-)
-
-set(FALCO_UNIT_TESTS_DEPENDENCIES
-  gtest
-  gtest_main
-  falco_application
+target_include_directories(
+	falco_unit_tests
+	PRIVATE ${CMAKE_SOURCE_DIR}/userspace
+			${CMAKE_BINARY_DIR}/userspace/falco # we need it to include indirectly `config_falco.h`
+			# file
+			${CMAKE_SOURCE_DIR}/userspace/engine # we need it to include indirectly `falco_common.h`
+			# file
+			${CMAKE_CURRENT_BINARY_DIR} # we need it to include `falco_test_var.h`
 )

 get_target_property(FALCO_APPLICATION_LIBRARIES falco_application LINK_LIBRARIES)

-set(FALCO_UNIT_TESTS_LIBRARIES
-  gtest
-  gtest_main
-  falco_application
-  ${FALCO_APPLICATION_LIBRARIES}
+target_link_libraries(
+	falco_unit_tests falco_application GTest::gtest GTest::gtest_main
+	${FALCO_APPLICATION_LIBRARIES}
 )

-message(STATUS "FALCO_UNIT_TESTS_SOURCES: ${FALCO_UNIT_TESTS_SOURCES}")
-message(STATUS "FALCO_UNIT_TESTS_INCLUDES: ${FALCO_UNIT_TESTS_INCLUDES}")
-message(STATUS "FALCO_UNIT_TESTS_DEPENDENCIES: ${FALCO_UNIT_TESTS_DEPENDENCIES}")
-message(STATUS "FALCO_UNIT_TESTS_LIBRARIES: ${FALCO_UNIT_TESTS_LIBRARIES}")
-
-add_executable(falco_unit_tests ${FALCO_UNIT_TESTS_SOURCES})
-target_include_directories(falco_unit_tests ${FALCO_UNIT_TESTS_INCLUDES})
-target_link_libraries(falco_unit_tests ${FALCO_UNIT_TESTS_LIBRARIES})
-add_dependencies(falco_unit_tests ${FALCO_UNIT_TESTS_DEPENDENCIES})
-
-if (EMSCRIPTEN)
+if(EMSCRIPTEN)
 	target_compile_options(falco_unit_tests PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
 	target_link_options(falco_unit_tests PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
-  target_link_options(falco_unit_tests PRIVATE "-sALLOW_MEMORY_GROWTH=1")
+	target_link_options(falco_unit_tests PRIVATE "-sALLOW_MEMORY_GROWTH=1")
 	target_link_options(falco_unit_tests PRIVATE "-sEXPORTED_FUNCTIONS=['_main','_htons','_ntohs']")
 endif()
--- a/unit_tests/engine/test_add_source.cpp
+++ b/unit_tests/engine/test_add_source.cpp
@@ -26,40 +26,31 @@ static std::string syscall_source_name = "syscall";
 // for the underlying ruleset. This allows testing of
 // ruleset_for_source

-namespace
-{
-class test_ruleset_factory : public evttype_index_ruleset_factory
-{
+namespace {
+class test_ruleset_factory : public evttype_index_ruleset_factory {
 public:
-	test_ruleset_factory(std::shared_ptr<gen_event_filter_factory> factory):
-		evttype_index_ruleset_factory(factory)
-	{
+	explicit test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
+	        evttype_index_ruleset_factory(factory) {
 		ruleset = evttype_index_ruleset_factory::new_ruleset();
 	}

 	virtual ~test_ruleset_factory() = default;

-	inline std::shared_ptr<filter_ruleset> new_ruleset() override
-	{
-		return ruleset;
-	}
+	inline std::shared_ptr<filter_ruleset> new_ruleset() override { return ruleset; }

 	std::shared_ptr<filter_ruleset> ruleset;
 };
-}; // namespace
+};  // namespace

-TEST(AddSource, basic)
-{
+TEST(AddSource, basic) {
 	falco_engine engine;
 	sinsp inspector;
 	sinsp_filter_check_list filterchecks;

-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
-		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
-		new sinsp_evt_formatter_factory(&inspector, filterchecks));
-	test_ruleset_factory *test_factory = new test_ruleset_factory(filter_factory);
-	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(test_factory);
+	auto filter_factory = std::make_shared<sinsp_filter_factory>(&inspector, filterchecks);
+	auto formatter_factory =
+	        std::make_shared<sinsp_evt_formatter_factory>(&inspector, filterchecks);
+	auto ruleset_factory = std::make_shared<test_ruleset_factory>(filter_factory);

 	falco_source syscall_source;
 	syscall_source.name = syscall_source_name;
@@ -69,9 +60,9 @@ TEST(AddSource, basic)
 	syscall_source.formatter_factory = formatter_factory;

 	size_t source_idx = engine.add_source(syscall_source_name,
-					      filter_factory,
-					      formatter_factory,
-					      ruleset_factory);
+	                                      filter_factory,
+	                                      formatter_factory,
+	                                      ruleset_factory);

 	ASSERT_TRUE(engine.is_source_valid(syscall_source_name));

@@ -84,6 +75,6 @@ TEST(AddSource, basic)
 	ASSERT_EQ(engine.ruleset_factory_for_source(syscall_source_name), ruleset_factory);
 	ASSERT_EQ(engine.ruleset_factory_for_source(source_idx), ruleset_factory);

-	ASSERT_EQ(engine.ruleset_for_source(syscall_source_name), test_factory->ruleset);
-	ASSERT_EQ(engine.ruleset_for_source(source_idx), test_factory->ruleset);
+	ASSERT_EQ(engine.ruleset_for_source(syscall_source_name), ruleset_factory->ruleset);
+	ASSERT_EQ(engine.ruleset_for_source(source_idx), ruleset_factory->ruleset);
 }
--- a/unit_tests/engine/test_alt_rule_loader.cpp
+++ b/unit_tests/engine/test_alt_rule_loader.cpp
@@ -0,0 +1,322 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string>
+
+#include <gtest/gtest.h>
+
+#include <sinsp.h>
+#include <filter_check_list.h>
+#include <filter.h>
+#include <eventformatter.h>
+
+#include <falco_engine.h>
+#include "indexed_vector.h"
+#include "evttype_index_ruleset.h"
+
+#include "rule_loader_reader.h"
+#include "rule_loader_collector.h"
+#include "rule_loader_compiler.h"
+
+namespace {
+
+struct test_object_info {
+	std::string name;
+	std::string property;
+};
+
+struct test_compile_output : public rule_loader::compile_output {
+	test_compile_output() = default;
+	~test_compile_output() = default;
+
+	std::set<std::string> defined_test_properties;
+};
+
+class test_compiler : public rule_loader::compiler {
+public:
+	test_compiler() = default;
+	virtual ~test_compiler() = default;
+
+	std::unique_ptr<rule_loader::compile_output> new_compile_output() override {
+		return std::make_unique<test_compile_output>();
+	}
+
+	void compile(rule_loader::configuration& cfg,
+	             const rule_loader::collector& col,
+	             rule_loader::compile_output& out) const override;
+};
+
+class test_collector : public rule_loader::collector {
+public:
+	test_collector() = default;
+	virtual ~test_collector() = default;
+
+	indexed_vector<test_object_info> test_object_infos;
+};
+
+class test_reader : public rule_loader::reader {
+public:
+	test_reader() = default;
+	virtual ~test_reader() = default;
+
+protected:
+	rule_loader::context create_context(const YAML::Node& item,
+	                                    const rule_loader::context& parent) {
+		return rule_loader::context(item,
+		                            rule_loader::context::EXTENSION_ITEM,
+		                            "test object",
+		                            parent);
+	};
+
+	void read_item(rule_loader::configuration& cfg,
+	               rule_loader::collector& collector,
+	               const YAML::Node& item,
+	               const rule_loader::context& parent) override {
+		test_collector& test_col = dynamic_cast<test_collector&>(collector);
+
+		if(item["test_object"].IsDefined()) {
+			rule_loader::context tmp = create_context(item, parent);
+			test_object_info obj;
+			std::string name;
+			std::string property;
+
+			decode_val(item, "test_object", name, tmp);
+			decode_val(item, "property", property, tmp);
+
+			obj.name = name;
+			obj.property = property;
+
+			test_col.test_object_infos.insert(obj, obj.name);
+		} else {
+			rule_loader::reader::read_item(cfg, collector, item, parent);
+		}
+	};
+};
+
+class test_ruleset : public evttype_index_ruleset {
+public:
+	explicit test_ruleset(std::shared_ptr<sinsp_filter_factory> factory):
+	        evttype_index_ruleset(factory) {};
+	virtual ~test_ruleset() = default;
+
+	void add_compile_output(const rule_loader::compile_output& compile_output,
+	                        falco_common::priority_type min_priority,
+	                        const std::string& source) {
+		evttype_index_ruleset::add_compile_output(compile_output, min_priority, source);
+
+		std::shared_ptr<filter_ruleset> ruleset;
+		get_engine_state().get_ruleset(source, ruleset);
+		EXPECT_EQ(this, ruleset.get());
+
+		const test_compile_output& test_output =
+		        dynamic_cast<const test_compile_output&>(compile_output);
+
+		defined_properties = test_output.defined_test_properties;
+	};
+
+	std::set<std::string> defined_properties;
+};
+
+class test_ruleset_factory : public filter_ruleset_factory {
+public:
+	explicit test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
+	        m_filter_factory(factory) {}
+
+	virtual ~test_ruleset_factory() = default;
+
+	inline std::shared_ptr<filter_ruleset> new_ruleset() override {
+		return std::make_shared<test_ruleset>(m_filter_factory);
+	}
+
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
+};
+};  // namespace
+
+void test_compiler::compile(rule_loader::configuration& cfg,
+                            const rule_loader::collector& col,
+                            rule_loader::compile_output& out) const {
+	rule_loader::compiler::compile(cfg, col, out);
+
+	const test_collector& test_col = dynamic_cast<const test_collector&>(col);
+
+	test_compile_output& test_output = dynamic_cast<test_compile_output&>(out);
+
+	for(auto& test_obj : test_col.test_object_infos) {
+		test_output.defined_test_properties.insert(test_obj.property);
+	}
+}
+
+static std::string content = R"END(
+
+- test_object: test
+  property: my-value
+
+- test_object: test2
+  property: other-value
+
+- list: shell_binaries
+  items: [sh, bash]
+
+- macro: spawned_process
+  condition: evt.type=execve and proc.name in (shell_binaries)
+
+- rule: test info rule
+  desc: A test info rule
+  condition: spawned_process
+  output: A test info rule matched (evt.type=%evt.type proc.name=%proc.name)
+  priority: INFO
+  source: syscall
+  tags: [process]
+
+- rule: test k8s_audit rule
+  desc: A k8s audit test rule
+  condition: ka.target.resource=deployments
+  output: A k8s audit rule matched (ka.verb=%ka.verb resource=%ka.target.resource)
+  priority: INFO
+  source: k8s_audit
+  tags: [process]
+
+- rule: test debug rule
+  desc: A test debug rule
+  condition: spawned_process and proc.name="bash"
+  output: A test debug rule matched (evt.type=%evt.type proc.name=%proc.name)
+  priority: DEBUG
+  source: syscall
+  tags: [process]
+)END";
+
+static std::string syscall_source_name = "syscall";
+
+static std::shared_ptr<rule_loader::configuration> create_configuration(
+        sinsp& inspector,
+        sinsp_filter_check_list& filterchecks,
+        indexed_vector<falco_source>& sources) {
+	auto filter_factory = std::make_shared<sinsp_filter_factory>(&inspector, filterchecks);
+	auto formatter_factory =
+	        std::make_shared<sinsp_evt_formatter_factory>(&inspector, filterchecks);
+	auto ruleset_factory = std::make_shared<evttype_index_ruleset_factory>(filter_factory);
+
+	falco_source syscall_source;
+	syscall_source.name = syscall_source_name;
+	syscall_source.ruleset = ruleset_factory->new_ruleset();
+	syscall_source.ruleset_factory = ruleset_factory;
+	syscall_source.filter_factory = filter_factory;
+	syscall_source.formatter_factory = formatter_factory;
+
+	sources.insert(syscall_source, syscall_source_name);
+
+	return std::make_shared<rule_loader::configuration>(content, sources, "test configuration");
+}
+
+static void load_rules(sinsp& inspector,
+                       sinsp_filter_check_list& filterchecks,
+                       std::unique_ptr<rule_loader::compile_output>& compile_output,
+                       indexed_vector<falco_source>& sources) {
+	std::shared_ptr<rule_loader::configuration> cfg =
+	        create_configuration(inspector, filterchecks, sources);
+
+	rule_loader::reader reader;
+	rule_loader::collector collector;
+	rule_loader::compiler compiler;
+
+	EXPECT_TRUE(reader.read(*cfg, collector));
+
+	compile_output = compiler.new_compile_output();
+
+	compiler.compile(*cfg, collector, *compile_output);
+}
+
+TEST(engine_loader_alt_loader, load_rules) {
+	sinsp inspector;
+	sinsp_filter_check_list filterchecks;
+	std::unique_ptr<rule_loader::compile_output> compile_output;
+	indexed_vector<falco_source> sources;
+
+	load_rules(inspector, filterchecks, compile_output, sources);
+
+	// Note that the k8s_audit rule will be skipped as load_rules
+	// only adds a syscall source.
+	EXPECT_EQ(compile_output->lists.size(), 1);
+	EXPECT_TRUE(compile_output->lists.at("shell_binaries") != nullptr);
+
+	EXPECT_EQ(compile_output->macros.size(), 1);
+	EXPECT_TRUE(compile_output->macros.at("spawned_process") != nullptr);
+
+	EXPECT_EQ(compile_output->rules.size(), 2);
+	EXPECT_TRUE(compile_output->rules.at("test info rule") != nullptr);
+	EXPECT_TRUE(compile_output->rules.at("test debug rule") != nullptr);
+}
+
+TEST(engine_loader_alt_loader, pass_compile_output_to_ruleset) {
+	sinsp inspector;
+	sinsp_filter_check_list filterchecks;
+	std::unique_ptr<rule_loader::compile_output> compile_output;
+	indexed_vector<falco_source> sources;
+
+	load_rules(inspector, filterchecks, compile_output, sources);
+
+	std::shared_ptr<filter_ruleset> ruleset = sources.at(syscall_source_name)->ruleset;
+
+	ruleset->add_compile_output(*compile_output,
+	                            falco_common::PRIORITY_INFORMATIONAL,
+	                            syscall_source_name);
+
+	// Enable all rules for a ruleset id. Because the compile
+	// output contained one rule with priority >= INFO, that rule
+	// should be enabled.
+	uint16_t ruleset_id = 0;
+	ruleset->enable("", filter_ruleset::match_type::substring, ruleset_id);
+
+	EXPECT_EQ(ruleset->enabled_count(ruleset_id), 1);
+}
+
+TEST(engine_loader_alt_loader, falco_engine_alternate_loader) {
+	falco_engine engine;
+	sinsp inspector;
+	sinsp_filter_check_list filterchecks;
+
+	auto filter_factory = std::make_shared<sinsp_filter_factory>(&inspector, filterchecks);
+	auto formatter_factory =
+	        std::make_shared<sinsp_evt_formatter_factory>(&inspector, filterchecks);
+	auto ruleset_factory = std::make_shared<test_ruleset_factory>(filter_factory);
+
+	engine.add_source(syscall_source_name, filter_factory, formatter_factory, ruleset_factory);
+
+	auto reader = std::make_shared<test_reader>();
+	auto collector = std::make_shared<test_collector>();
+	auto compiler = std::make_shared<test_compiler>();
+
+	engine.set_rule_reader(reader);
+	engine.set_rule_collector(collector);
+	engine.set_rule_compiler(compiler);
+
+	EXPECT_EQ(reader, engine.get_rule_reader());
+	EXPECT_EQ(collector, engine.get_rule_collector());
+	EXPECT_EQ(compiler, engine.get_rule_compiler());
+
+	engine.load_rules(content, "test_rules.yaml");
+
+	EXPECT_EQ(collector->test_object_infos.size(), 2);
+
+	std::shared_ptr<filter_ruleset> ruleset = engine.ruleset_for_source(syscall_source_name);
+	std::set<std::string>& defined_properties =
+	        std::dynamic_pointer_cast<test_ruleset>(ruleset)->defined_properties;
+
+	EXPECT_TRUE(defined_properties.find("my-value") != defined_properties.end());
+	EXPECT_TRUE(defined_properties.find("other-value") != defined_properties.end());
+	EXPECT_TRUE(defined_properties.find("not-exists-value") == defined_properties.end());
+};
--- a/unit_tests/engine/test_enable_rule.cpp
+++ b/unit_tests/engine/test_enable_rule.cpp
@@ -23,7 +23,7 @@ limitations under the License.
 #include <filter_check_list.h>
 #include <filter.h>

-#include <falco_engine.h>
+#include "../test_falco_engine.h"

 static std::string single_rule = R"END(
 - rule: test rule
@@ -44,6 +44,34 @@ static std::string single_rule = R"END(
  tags: [exec process]
 )END";

+static std::string multi_rule = R"END(
+- rule: first actual rule
+  desc: A test rule
+  condition: evt.type=execve
+  output: A test rule matched (evt.type=%evt.type)
+  priority: INFO
+  source: syscall
+  tags: [process]
+
+- rule: second disabled rule
+  desc: A disabled rule
+  condition: evt.type=execve
+  output: A disabled 2 rule matched (evt.type=%evt.type)
+  priority: INFO
+  source: syscall
+  enabled: false
+  tags: [exec process]
+
+- rule: third disabled rule
+  desc: A disabled rule
+  condition: evt.type=execve
+  output: A disabled 3 rule matched (evt.type=%evt.type)
+  priority: INFO
+  source: syscall
+  enabled: false
+  tags: [exec]
+)END";
+
 // This must be kept in line with the (private) falco_engine::s_default_ruleset
 static const std::string default_ruleset = "falco-default-ruleset";

@@ -52,200 +80,198 @@ static const std::string ruleset_2 = "ruleset-2";
 static const std::string ruleset_3 = "ruleset-3";
 static const std::string ruleset_4 = "ruleset-4";

-static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_check_list& filterchecks)
-{
-	std::unique_ptr<falco::load_result> res;
-
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
-		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
-		new sinsp_evt_formatter_factory(&inspector, filterchecks));
-
-	engine.add_source("syscall", filter_factory, formatter_factory);
-
-	res = engine.load_rules(single_rule, "single_rule.yaml");
-
-	EXPECT_TRUE(res->successful());
-}
-
-TEST(EnableRule, enable_rule_name)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-
-	load_rules(engine, inspector, filterchecks);
+TEST_F(test_falco_engine, enable_rule_name) {
+	load_rules(single_rule, "single_rule.yaml");

 	// No rules should be enabled yet for any custom rulesets
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

 	// Enable for first ruleset, only that ruleset should have an
 	// enabled rule afterward
-	engine.enable_rule("test", true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test", true, ruleset_1);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

 	// Enable for second ruleset
-	engine.enable_rule("test", true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test", true, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

 	// When the substring is blank, all rules are enabled
 	// (including the disabled rule)
-	engine.enable_rule("", true, ruleset_3);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("", true, ruleset_3);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));

 	// Now disable for second ruleset
-	engine.enable_rule("test", false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test", false, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
 }

-TEST(EnableRule, enable_rule_tags)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
+TEST_F(test_falco_engine, enable_rule_tags) {
 	std::set<std::string> process_tags = {"process"};

-	load_rules(engine, inspector, filterchecks);
+	load_rules(single_rule, "single_rule.yaml");

 	// No rules should be enabled yet for any custom rulesets
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));

 	// Enable for first ruleset, only that ruleset should have an
 	// enabled rule afterward
-	engine.enable_rule_by_tag(process_tags, true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
+	m_engine->enable_rule_by_tag(process_tags, true, ruleset_1);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));

 	// Enable for second ruleset
-	engine.enable_rule_by_tag(process_tags, true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
+	m_engine->enable_rule_by_tag(process_tags, true, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));

 	// Now disable for second ruleset
-	engine.enable_rule_by_tag(process_tags, false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
+	m_engine->enable_rule_by_tag(process_tags, false, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
 }

-TEST(EnableRule, enable_disabled_rule_by_tag)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
+TEST_F(test_falco_engine, enable_disabled_rule_by_tag) {
 	std::set<std::string> exec_process_tags = {"exec process"};

-	load_rules(engine, inspector, filterchecks);
+	load_rules(single_rule, "single_rule.yaml");

 	// Only the first rule should be enabled
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));

 	// Enable the disabled rule by tag
-	engine.enable_rule_by_tag(exec_process_tags, true);
+	m_engine->enable_rule_by_tag(exec_process_tags, true);

 	// Both rules should be enabled now
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(default_ruleset));
 }

-TEST(EnableRule, enable_rule_id)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
+TEST_F(test_falco_engine, enable_rule_id) {
 	uint16_t ruleset_1_id;
 	uint16_t ruleset_2_id;
 	uint16_t ruleset_3_id;

-	load_rules(engine, inspector, filterchecks);
+	load_rules(single_rule, "single_rule.yaml");

 	// The cases are identical to above, just using ruleset ids
 	// instead of names.

-	ruleset_1_id = engine.find_ruleset_id(ruleset_1);
-	ruleset_2_id = engine.find_ruleset_id(ruleset_2);
-	ruleset_3_id = engine.find_ruleset_id(ruleset_3);
+	ruleset_1_id = m_engine->find_ruleset_id(ruleset_1);
+	ruleset_2_id = m_engine->find_ruleset_id(ruleset_2);
+	ruleset_3_id = m_engine->find_ruleset_id(ruleset_3);

-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

-	engine.enable_rule("test rule", true, ruleset_1_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test rule", true, ruleset_1_id);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

-	engine.enable_rule("test rule", true, ruleset_2_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test rule", true, ruleset_2_id);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));

-	engine.enable_rule("", true, ruleset_3_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("", true, ruleset_3_id);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));

-	engine.enable_rule("test", false, ruleset_2_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
+	m_engine->enable_rule("test", false, ruleset_2_id);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_3));
 }

-TEST(EnableRule, enable_rule_name_exact)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
+TEST_F(test_falco_engine, enable_rule_name_exact) {
+	load_rules(single_rule, "single_rule.yaml");

-	load_rules(engine, inspector, filterchecks);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));

-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
+	m_engine->enable_rule_exact("test rule", true, ruleset_1);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));

-	engine.enable_rule_exact("test rule", true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
-
-	engine.enable_rule_exact("test rule", true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
+	m_engine->enable_rule_exact("test rule", true, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));

 	// This should **not** enable as this is a substring and not
 	// an exact match.
-	engine.enable_rule_exact("test", true, ruleset_3);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
+	m_engine->enable_rule_exact("test", true, ruleset_3);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));

-	engine.enable_rule_exact("", true, ruleset_4);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4));
+	m_engine->enable_rule_exact("", true, ruleset_4);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_4));

-	engine.enable_rule("test rule", false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4));
+	m_engine->enable_rule("test rule", false, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(2, m_engine->num_rules_for_ruleset(ruleset_4));
+}
+
+TEST_F(test_falco_engine, enable_rule_name_wildcard) {
+	load_rules(multi_rule, "multi_rule.yaml");
+
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(default_ruleset));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
+
+	// As long as there are no *, exact matches work
+	m_engine->enable_rule_wildcard("first actual rule", true, ruleset_1);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
+
+	m_engine->enable_rule_wildcard("*rule", true, ruleset_2);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(3, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
+
+	// This should enable the second rule
+	m_engine->enable_rule_wildcard("*second*r*", true, ruleset_3);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(3, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(0, m_engine->num_rules_for_ruleset(ruleset_4));
+
+	m_engine->enable_rule_wildcard("*", true, ruleset_4);
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_1));
+	EXPECT_EQ(3, m_engine->num_rules_for_ruleset(ruleset_2));
+	EXPECT_EQ(1, m_engine->num_rules_for_ruleset(ruleset_3));
+	EXPECT_EQ(3, m_engine->num_rules_for_ruleset(ruleset_4));
 }
--- a/unit_tests/engine/test_extra_output.cpp
+++ b/unit_tests/engine/test_extra_output.cpp
@@ -0,0 +1,154 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+
+#include "../test_falco_engine.h"
+
+TEST_F(test_falco_engine, extra_format_all) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: user=%user.name command=%proc.cmdline file=%fd.name
+  priority: INFO
+)END";
+
+	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "", false);
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	EXPECT_EQ(get_compiled_rule_output("legit_rule"),
+	          "user=%user.name command=%proc.cmdline file=%fd.name evt.type=%evt.type");
+}
+
+TEST_F(test_falco_engine, extra_format_by_rule) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 1
+  priority: INFO
+
+- rule: another_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 2
+  priority: INFO
+)END";
+
+	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "legit_rule", false);
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 evt.type=%evt.type");
+	EXPECT_EQ(get_compiled_rule_output("another_rule"), "out 2");
+}
+
+TEST_F(test_falco_engine, extra_format_by_tag_rule) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 1
+  priority: INFO
+  tags: [tag1]
+
+- rule: another_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 2
+  priority: INFO
+  tags: [tag1]
+
+- rule: a_third_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 3
+  priority: INFO
+  tags: [tag1, tag2]
+)END";
+
+	m_engine->add_extra_output_format("extra 1", "", {"tag1"}, "", false);
+	m_engine->add_extra_output_format("extra 2", "", {}, "another_rule", false);
+	m_engine->add_extra_output_format("extra 3", "", {"tag1", "tag2"}, "", false);
+
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 extra 1");
+	EXPECT_EQ(get_compiled_rule_output("another_rule"), "out 2 extra 1 extra 2");
+	EXPECT_EQ(get_compiled_rule_output("a_third_rule"), "out 3 extra 1 extra 3");
+}
+
+TEST_F(test_falco_engine, extra_format_replace_container_info) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 1 (%container.info)
+  priority: INFO
+  tags: [tag1]
+
+- rule: another_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 2
+  priority: INFO
+  tags: [tag1]
+)END";
+
+	m_engine->add_extra_output_format("extra 1", "", {}, "", true);
+
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 (extra 1)");
+	EXPECT_EQ(get_compiled_rule_output("another_rule"), "out 2 extra 1");
+}
+
+TEST_F(test_falco_engine, extra_format_do_not_replace_container_info) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: out 1 (%container.info)
+  priority: INFO
+  tags: [tag1]
+)END";
+
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	auto output = get_compiled_rule_output("legit_rule");
+	EXPECT_TRUE(output.find("%container.info") == output.npos);
+}
+
+TEST_F(test_falco_engine, extra_fields_all) {
+	std::string rules_content = R"END(
+- rule: legit_rule
+  desc: legit rule description
+  condition: evt.type=open
+  output: user=%user.name command=%proc.cmdline file=%fd.name
+  priority: INFO
+)END";
+
+	std::unordered_map<std::string, std::string> extra_formatted_fields = {
+	        {"my_field", "hello %evt.num"}};
+	for(auto const& f : extra_formatted_fields) {
+		m_engine->add_extra_output_formatted_field(f.first, f.second, "", {}, "");
+	}
+
+	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
+
+	EXPECT_EQ(get_compiled_rule_formatted_fields("legit_rule"), extra_formatted_fields);
+}
--- a/unit_tests/engine/test_falco_utils.cpp
+++ b/unit_tests/engine/test_falco_utils.cpp
@@ -18,8 +18,7 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <engine/falco_utils.h>

-TEST(FalcoUtils, is_unix_scheme)
-{
+TEST(FalcoUtils, is_unix_scheme) {
 	/* Wrong prefix */
 	ASSERT_EQ(falco::utils::network::is_unix_scheme("something:///run/falco/falco.sock"), false);

@@ -38,15 +37,14 @@ TEST(FalcoUtils, is_unix_scheme)
 	ASSERT_EQ(falco::utils::network::is_unix_scheme(url_char), true);
 }

-TEST(FalcoUtils, parse_prometheus_interval)
-{
+TEST(FalcoUtils, parse_prometheus_interval) {
 	/* Test matrix around correct time conversions. */
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1ms"), 1UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1s"), 1000UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1m"), 60000UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1h"), 3600000UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1d"), 86400000UL);
-	ASSERT_EQ(falco::utils::parse_prometheus_interval("1w"), 604800000UL);	
+	ASSERT_EQ(falco::utils::parse_prometheus_interval("1w"), 604800000UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("1y"), (unsigned long)31536000000UL);

 	ASSERT_EQ(falco::utils::parse_prometheus_interval("300ms"), 300UL);
@@ -57,8 +55,11 @@ TEST(FalcoUtils, parse_prometheus_interval)
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("60m"), 3600000UL);

 	/* Test matrix for concatenated time interval examples. */
-	ASSERT_EQ(falco::utils::parse_prometheus_interval("1h3m2s1ms"), 3600000UL + 3 * 60000UL + 2 * 1000UL + 1UL);
-	ASSERT_EQ(falco::utils::parse_prometheus_interval("1y1w1d1h1m1s1ms"),(unsigned long) 31536000000UL + 604800000UL + 86400000UL + 3600000UL + 60000UL + 1000UL + 1UL);
+	ASSERT_EQ(falco::utils::parse_prometheus_interval("1h3m2s1ms"),
+	          3600000UL + 3 * 60000UL + 2 * 1000UL + 1UL);
+	ASSERT_EQ(falco::utils::parse_prometheus_interval("1y1w1d1h1m1s1ms"),
+	          (unsigned long)31536000000UL + 604800000UL + 86400000UL + 3600000UL + 60000UL +
+	                  1000UL + 1UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("2h5m"), 2 * 3600000UL + 5 * 60000UL);
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("2h 5m"), 2 * 3600000UL + 5 * 60000UL);

@@ -72,3 +73,32 @@ TEST(FalcoUtils, parse_prometheus_interval)
 	 */
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("200"), 0UL);
 }
+
+TEST(FalcoUtils, sanitize_rule_name) {
+	ASSERT_EQ(falco::utils::sanitize_rule_name("Testing rule   2 (CVE-2244)"),
+	          "Testing_rule_2_CVE_2244");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("Testing rule__:2)"), "Testing_rule_:2");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("This@is_a$test rule123"), "This_is_a_test_rule123");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("RULEwith:special#characters"),
+	          "RULEwith:special_characters");
+}
+
+TEST(FalcoUtils, matches_wildcard) {
+	ASSERT_TRUE(falco::utils::matches_wildcard("*", "anything"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("**", "anything"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("*", ""));
+	ASSERT_TRUE(falco::utils::matches_wildcard("no star", "no star"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("", ""));
+	ASSERT_TRUE(falco::utils::matches_wildcard("hello*world", "hello new world"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("hello*world*", "hello new world yes"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("*hello*world", "come on hello this world"));
+	ASSERT_TRUE(falco::utils::matches_wildcard("*hello*****world", "come on hello this world"));
+
+	ASSERT_FALSE(falco::utils::matches_wildcard("no star", ""));
+	ASSERT_FALSE(falco::utils::matches_wildcard("", "no star"));
+	ASSERT_FALSE(falco::utils::matches_wildcard("star", "no star"));
+	ASSERT_FALSE(falco::utils::matches_wildcard("hello*world", "hello new thing"));
+	ASSERT_FALSE(falco::utils::matches_wildcard("hello*world", "hello new world yes"));
+	ASSERT_FALSE(falco::utils::matches_wildcard("*hello*world", "come on hello this world yes"));
+	ASSERT_FALSE(falco::utils::matches_wildcard("*hello*world*", "come on hello this yes"));
+}
--- a/unit_tests/engine/test_filter_details_resolver.cpp
+++ b/unit_tests/engine/test_filter_details_resolver.cpp
@@ -18,33 +18,33 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <engine/filter_details_resolver.h>

+TEST(DetailsResolver, resolve_ast) {
+	std::string cond =
+	        "(spawned_process or evt.type = open) and (proc.name icontains cat or proc.name in "
+	        "(known_procs, ps))";
+	auto ast = libsinsp::filter::parser(cond).parse();
+	filter_details details;
+	details.known_macros.insert("spawned_process");
+	details.known_lists.insert("known_procs");
+	filter_details_resolver resolver;
+	resolver.run(ast.get(), details);

-TEST(DetailsResolver, resolve_ast)
-{
-    std::string cond = "(spawned_process or evt.type = open) and (proc.name icontains cat or proc.name in (known_procs, ps))";
-    auto ast = libsinsp::filter::parser(cond).parse();
-    filter_details details;
-    details.known_macros.insert("spawned_process");
-    details.known_lists.insert("known_procs");
-    filter_details_resolver resolver;
-    resolver.run(ast.get(), details);
+	// Assert fields
+	ASSERT_EQ(details.fields.size(), 2);
+	ASSERT_NE(details.fields.find("evt.type"), details.fields.end());
+	ASSERT_NE(details.fields.find("proc.name"), details.fields.end());

-    // Assert fields
-    ASSERT_EQ(details.fields.size(), 2);
-    ASSERT_NE(details.fields.find("evt.type"), details.fields.end());
-    ASSERT_NE(details.fields.find("proc.name"), details.fields.end());
+	// Assert macros
+	ASSERT_EQ(details.macros.size(), 1);
+	ASSERT_NE(details.macros.find("spawned_process"), details.macros.end());

-    // Assert macros
-    ASSERT_EQ(details.macros.size(), 1);
-    ASSERT_NE(details.macros.find("spawned_process"), details.macros.end());
-    
-    // Assert operators
-    ASSERT_EQ(details.operators.size(), 3);
-    ASSERT_NE(details.operators.find("="), details.operators.end());
-    ASSERT_NE(details.operators.find("icontains"), details.operators.end());
-    ASSERT_NE(details.operators.find("in"), details.operators.end());
+	// Assert operators
+	ASSERT_EQ(details.operators.size(), 3);
+	ASSERT_NE(details.operators.find("="), details.operators.end());
+	ASSERT_NE(details.operators.find("icontains"), details.operators.end());
+	ASSERT_NE(details.operators.find("in"), details.operators.end());

-    // Assert lists
-    ASSERT_EQ(details.lists.size(), 1);
-    ASSERT_NE(details.lists.find("known_procs"), details.lists.end());
+	// Assert lists
+	ASSERT_EQ(details.lists.size(), 1);
+	ASSERT_NE(details.lists.find("known_procs"), details.lists.end());
 }
--- a/unit_tests/engine/test_filter_macro_resolver.cpp
+++ b/unit_tests/engine/test_filter_macro_resolver.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERT_EQd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -18,36 +18,42 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <engine/filter_macro_resolver.h>

+namespace filter_ast = libsinsp::filter::ast;
+
 static std::vector<filter_macro_resolver::value_info>::const_iterator find_value(
-	const std::vector<filter_macro_resolver::value_info>& values,
-	const std::string& ref)
-{
+        const std::vector<filter_macro_resolver::value_info>& values,
+        const std::string& ref) {
 	return std::find_if(
-		values.begin(),
-		values.end(),
-		[&ref](const filter_macro_resolver::value_info& v)
-		{ return v.first == ref; });
+	        values.begin(),
+	        values.end(),
+	        [&ref](const filter_macro_resolver::value_info& v) { return v.first == ref; });
 }

 #define MACRO_NAME "test_macro"
 #define MACRO_A_NAME "test_macro_1"
 #define MACRO_B_NAME "test_macro_2"

-TEST(MacroResolver, should_resolve_macros_on_a_filter_AST)
-{
-	libsinsp::filter::ast::pos_info macro_pos(12, 85, 27);
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST) {
+	filter_ast::pos_info macro_pos(12, 85, 27);

-	std::shared_ptr<libsinsp::filter::ast::expr> macro = libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists");
+	std::shared_ptr<filter_ast::expr> macro =
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("test.field", ""),
+	                                             "exists");

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_and;
-	filter_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
-	filter_and.push_back(libsinsp::filter::ast::not_expr::create(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos)));
-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::and_expr::create(filter_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> filter_and;
+	filter_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("evt.name", ""),
+	                                             "exists"));
+	filter_and.push_back(filter_ast::not_expr::create(
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos)));
+	std::shared_ptr<filter_ast::expr> filter = filter_ast::and_expr::create(filter_and);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_and;
-	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
-	expected_and.push_back(libsinsp::filter::ast::not_expr::create(clone(macro.get())));
-	std::shared_ptr<libsinsp::filter::ast::expr> expected = libsinsp::filter::ast::and_expr::create(expected_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> expected_and;
+	expected_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("evt.name", ""),
+	                                             "exists"));
+	expected_and.push_back(filter_ast::not_expr::create(clone(macro.get())));
+	std::shared_ptr<filter_ast::expr> expected = filter_ast::and_expr::create(expected_and);

 	filter_macro_resolver resolver;
 	resolver.set_macro(MACRO_NAME, macro);
@@ -67,19 +73,21 @@ TEST(MacroResolver, should_resolve_macros_on_a_filter_AST)
 	ASSERT_TRUE(filter->is_equal(expected.get()));
 }

-TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_single_node)
-{
-	libsinsp::filter::ast::pos_info macro_pos(12, 85, 27);
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_single_node) {
+	filter_ast::pos_info macro_pos(12, 85, 27);

-	std::shared_ptr<libsinsp::filter::ast::expr> macro = libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists");
+	std::shared_ptr<filter_ast::expr> macro =
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("test.field", ""),
+	                                             "exists");

-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos);
+	std::shared_ptr<filter_ast::expr> filter =
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos);

 	filter_macro_resolver resolver;
 	resolver.set_macro(MACRO_NAME, macro);

 	// first run
-	libsinsp::filter::ast::expr* old_filter_ptr = filter.get();
+	filter_ast::expr* old_filter_ptr = filter.get();
 	ASSERT_TRUE(resolver.run(filter));
 	ASSERT_NE(filter.get(), old_filter_ptr);
 	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
@@ -97,23 +105,26 @@ TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_single_node)
 	ASSERT_TRUE(filter->is_equal(macro.get()));
 }

-TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_multiple_macros)
-{
-	libsinsp::filter::ast::pos_info a_macro_pos(11, 75, 43);
-	libsinsp::filter::ast::pos_info b_macro_pos(91, 21, 9);
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_multiple_macros) {
+	filter_ast::pos_info a_macro_pos(11, 75, 43);
+	filter_ast::pos_info b_macro_pos(91, 21, 9);

-	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists");
-	std::shared_ptr<libsinsp::filter::ast::expr> b_macro = libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists");
+	std::shared_ptr<filter_ast::expr> a_macro =
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("one.field", ""),
+	                                             "exists");
+	std::shared_ptr<filter_ast::expr> b_macro = filter_ast::unary_check_expr::create(
+	        filter_ast::field_expr::create("another.field", ""),
+	        "exists");

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_or;
-	filter_or.push_back(libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos));
-	filter_or.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::or_expr::create(filter_or);
+	std::vector<std::unique_ptr<filter_ast::expr>> filter_or;
+	filter_or.push_back(filter_ast::identifier_expr::create(MACRO_A_NAME, a_macro_pos));
+	filter_or.push_back(filter_ast::identifier_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<filter_ast::expr> filter = filter_ast::or_expr::create(filter_or);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_or;
+	std::vector<std::unique_ptr<filter_ast::expr>> expected_or;
 	expected_or.push_back(clone(a_macro.get()));
 	expected_or.push_back(clone(b_macro.get()));
-	std::shared_ptr<libsinsp::filter::ast::expr> expected_filter = libsinsp::filter::ast::or_expr::create(expected_or);
+	std::shared_ptr<filter_ast::expr> expected_filter = filter_ast::or_expr::create(expected_or);

 	filter_macro_resolver resolver;
 	resolver.set_macro(MACRO_A_NAME, a_macro);
@@ -141,25 +152,32 @@ TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_multiple_macros)
 	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
 }

-TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_nested_macros)
-{
-	libsinsp::filter::ast::pos_info a_macro_pos(47, 1, 76);
-	libsinsp::filter::ast::pos_info b_macro_pos(111, 65, 2);
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_nested_macros) {
+	filter_ast::pos_info a_macro_pos(47, 1, 76);
+	filter_ast::pos_info b_macro_pos(111, 65, 2);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> a_macro_and;
-	a_macro_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
-	a_macro_and.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
-	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = libsinsp::filter::ast::and_expr::create(a_macro_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> a_macro_and;
+	a_macro_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("one.field", ""),
+	                                             "exists"));
+	a_macro_and.push_back(filter_ast::identifier_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<filter_ast::expr> a_macro = filter_ast::and_expr::create(a_macro_and);

-	std::shared_ptr<libsinsp::filter::ast::expr> b_macro =
-		libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists");
+	std::shared_ptr<filter_ast::expr> b_macro = filter_ast::unary_check_expr::create(
+	        filter_ast::field_expr::create("another.field", ""),
+	        "exists");

-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos);
+	std::shared_ptr<filter_ast::expr> filter =
+	        filter_ast::identifier_expr::create(MACRO_A_NAME, a_macro_pos);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_and;
-	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
-	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists"));
-	std::shared_ptr<libsinsp::filter::ast::expr> expected_filter = libsinsp::filter::ast::and_expr::create(expected_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> expected_and;
+	expected_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("one.field", ""),
+	                                             "exists"));
+	expected_and.push_back(filter_ast::unary_check_expr::create(
+	        filter_ast::field_expr::create("another.field", ""),
+	        "exists"));
+	std::shared_ptr<filter_ast::expr> expected_filter = filter_ast::and_expr::create(expected_and);

 	filter_macro_resolver resolver;
 	resolver.set_macro(MACRO_A_NAME, a_macro);
@@ -189,14 +207,16 @@ TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_nested_macros)
 	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
 }

-TEST(MacroResolver, should_find_unknown_macros)
-{
-	libsinsp::filter::ast::pos_info macro_pos(9, 4, 2);
+TEST(MacroResolver, should_find_unknown_macros) {
+	filter_ast::pos_info macro_pos(9, 4, 2);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_and;
-	filter_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
-	filter_and.push_back(libsinsp::filter::ast::not_expr::create(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos)));
-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::and_expr::create(filter_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> filter_and;
+	filter_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("evt.name", ""),
+	                                             "exists"));
+	filter_and.push_back(filter_ast::not_expr::create(
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos)));
+	std::shared_ptr<filter_ast::expr> filter = filter_ast::and_expr::create(filter_and);

 	filter_macro_resolver resolver;
 	ASSERT_FALSE(resolver.run(filter));
@@ -206,17 +226,19 @@ TEST(MacroResolver, should_find_unknown_macros)
 	ASSERT_TRUE(resolver.get_resolved_macros().empty());
 }

-TEST(MacroResolver, should_find_unknown_nested_macros)
-{
-	libsinsp::filter::ast::pos_info a_macro_pos(32, 84, 9);
-	libsinsp::filter::ast::pos_info b_macro_pos(1, 0, 5);
+TEST(MacroResolver, should_find_unknown_nested_macros) {
+	filter_ast::pos_info a_macro_pos(32, 84, 9);
+	filter_ast::pos_info b_macro_pos(1, 0, 5);

-	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> a_macro_and;
-	a_macro_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
-	a_macro_and.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
-	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = libsinsp::filter::ast::and_expr::create(a_macro_and);
+	std::vector<std::unique_ptr<filter_ast::expr>> a_macro_and;
+	a_macro_and.push_back(
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("one.field", ""),
+	                                             "exists"));
+	a_macro_and.push_back(filter_ast::identifier_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<filter_ast::expr> a_macro = filter_ast::and_expr::create(a_macro_and);

-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos);
+	std::shared_ptr<filter_ast::expr> filter =
+	        filter_ast::identifier_expr::create(MACRO_A_NAME, a_macro_pos);
 	auto expected_filter = clone(a_macro.get());

 	filter_macro_resolver resolver;
@@ -232,14 +254,17 @@ TEST(MacroResolver, should_find_unknown_nested_macros)
 	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
 }

-TEST(MacroResolver, should_undefine_macro)
-{
-	libsinsp::filter::ast::pos_info macro_pos_1(12, 9, 3);
-	libsinsp::filter::ast::pos_info macro_pos_2(9, 6, 3);
+TEST(MacroResolver, should_undefine_macro) {
+	filter_ast::pos_info macro_pos_1(12, 9, 3);
+	filter_ast::pos_info macro_pos_2(9, 6, 3);

-	std::shared_ptr<libsinsp::filter::ast::expr> macro = libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists");
-	std::shared_ptr<libsinsp::filter::ast::expr> a_filter = libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos_1);
-	std::shared_ptr<libsinsp::filter::ast::expr> b_filter = libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos_2);
+	std::shared_ptr<filter_ast::expr> macro =
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("test.field", ""),
+	                                             "exists");
+	std::shared_ptr<filter_ast::expr> a_filter =
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos_1);
+	std::shared_ptr<filter_ast::expr> b_filter =
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos_2);
 	filter_macro_resolver resolver;

 	resolver.set_macro(MACRO_NAME, macro);
@@ -259,11 +284,13 @@ TEST(MacroResolver, should_undefine_macro)
 }

 /* checks that the macro AST is cloned and not shared across resolved filters */
-TEST(MacroResolver, should_clone_macro_AST)
-{
-	libsinsp::filter::ast::pos_info macro_pos(5, 2, 8888);
-	std::shared_ptr<libsinsp::filter::ast::unary_check_expr> macro = libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists");
-	std::shared_ptr<libsinsp::filter::ast::expr> filter = libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos);
+TEST(MacroResolver, should_clone_macro_AST) {
+	filter_ast::pos_info macro_pos(5, 2, 8888);
+	std::shared_ptr<filter_ast::unary_check_expr> macro =
+	        filter_ast::unary_check_expr::create(filter_ast::field_expr::create("test.field", ""),
+	                                             "exists");
+	std::shared_ptr<filter_ast::expr> filter =
+	        filter_ast::identifier_expr::create(MACRO_NAME, macro_pos);
 	filter_macro_resolver resolver;

 	resolver.set_macro(MACRO_NAME, macro);
@@ -274,6 +301,6 @@ TEST(MacroResolver, should_clone_macro_AST)
 	ASSERT_TRUE(resolver.get_unknown_macros().empty());
 	ASSERT_TRUE(filter->is_equal(macro.get()));

-	macro->field = "another.field";
+	macro->left = filter_ast::field_expr::create("another.field", "");
 	ASSERT_FALSE(filter->is_equal(macro.get()));
 }
--- a/unit_tests/engine/test_filter_warning_resolver.cpp
+++ b/unit_tests/engine/test_filter_warning_resolver.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -18,16 +18,14 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <engine/filter_warning_resolver.h>

-static bool warns(const std::string& condition)
-{
+static bool warns(const std::string& condition) {
 	std::set<falco::load_result::warning_code> w;
 	auto ast = libsinsp::filter::parser(condition).parse();
 	filter_warning_resolver().run(ast.get(), w);
 	return !w.empty();
 }

-TEST(WarningResolver, warnings_in_filtering_conditions)
-{
+TEST(WarningResolver, warnings_in_filtering_conditions) {
 	ASSERT_FALSE(warns("ka.field exists"));
 	ASSERT_FALSE(warns("some.field = <NA>"));
 	ASSERT_TRUE(warns("jevt.field = <NA>"));
--- a/unit_tests/engine/test_plugin_requirements.cpp
+++ b/unit_tests/engine/test_plugin_requirements.cpp
@@ -20,22 +20,19 @@ limitations under the License.
 #include <gtest/gtest.h>

 static bool check_requirements(std::string& err,
-			       const std::vector<falco_engine::plugin_version_requirement>& plugins,
-			       const std::string& ruleset_content)
-{
-	std::unique_ptr<falco_engine> e(new falco_engine());
+                               const std::vector<falco_engine::plugin_version_requirement>& plugins,
+                               const std::string& ruleset_content) {
+	falco_engine e;
 	falco::load_result::rules_contents_t c = {{"test", ruleset_content}};

-	auto res = e->load_rules(c.begin()->second, c.begin()->first);
-	if(!res->successful())
-	{
+	auto res = e.load_rules(c.begin()->second, c.begin()->first);
+	if(!res->successful()) {
 		return false;
 	}
-	return e->check_plugin_requirements(plugins, err);
+	return e.check_plugin_requirements(plugins, err);
 }

-TEST(PluginRequirements, check_plugin_requirements_success)
-{
+TEST(PluginRequirements, check_plugin_requirements_success) {
 	std::string error;

 	/* No requirement */
@@ -47,7 +44,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
  - name: k8saudit
    version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin newer version */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.2.0"}}, R"(
@@ -55,7 +52,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
  - name: k8saudit
    version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.1.0"}, {"json", "0.3.0"}}, R"(
@@ -65,7 +62,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
  - name: json
    version: 0.3.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin multiple versions */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.2.0"}}, R"(
@@ -76,7 +73,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
  - name: k8saudit
    version: 0.2.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin with alternatives */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.5.0"}}, R"(
@@ -87,7 +84,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
      - name: k8saudit-other
        version: 0.4.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins with alternatives */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.5.0"}, {"json2", "0.5.0"}}, R"(
@@ -103,7 +100,7 @@ TEST(PluginRequirements, check_plugin_requirements_success)
      - name: json2
        version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins with alternatives with multiple versions */
 	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.7.0"}, {"json2", "0.5.0"}}, R"(
@@ -125,11 +122,10 @@ TEST(PluginRequirements, check_plugin_requirements_success)
      - name: k8saudit-other
        version: 0.7.0
        )")) << error
-	     << std::endl;
+	         << std::endl;
 }

-TEST(PluginRequirements, check_plugin_requirements_reject)
-{
+TEST(PluginRequirements, check_plugin_requirements_reject) {
 	std::string error;

 	/* No plugin loaded */
@@ -138,7 +134,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
  - name: k8saudit
    version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin wrong name */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
@@ -146,7 +142,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
  - name: k8saudit2
    version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin wrong version */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
@@ -154,7 +150,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
  - name: k8saudit
    version: 0.2.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
@@ -164,7 +160,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
  - name: json
    version: 0.3.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin multiple versions */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
@@ -175,7 +171,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
  - name: k8saudit
    version: 0.2.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin with alternatives */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit2", "0.5.0"}}, R"(
@@ -186,7 +182,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
      - name: k8saudit-other
        version: 0.4.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Single plugin with overlapping alternatives */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.5.0"}}, R"(
@@ -197,7 +193,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
      - name: k8saudit
        version: 0.4.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins with alternatives */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit-other", "0.5.0"}, {"json3", "0.5.0"}}, R"(
@@ -213,7 +209,7 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
      - name: json2
        version: 0.1.0
        )")) << error
-	     << std::endl;
+	         << std::endl;

 	/* Multiple plugins with alternatives with multiple versions */
 	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.7.0"}, {"json2", "0.5.0"}}, R"(
@@ -235,5 +231,5 @@ TEST(PluginRequirements, check_plugin_requirements_reject)
      - name: k8saudit-other
        version: 0.7.0
        )")) << error
-	     << std::endl;
+	         << std::endl;
 }
--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
--- a/unit_tests/engine/test_rulesets.cpp
+++ b/unit_tests/engine/test_rulesets.cpp
@@ -23,41 +23,35 @@ limitations under the License.
 #define RULESET_2 2

 /* Helpers methods */
-static std::shared_ptr<gen_event_filter_factory> create_factory(filter_check_list& list)
-{
-	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL, list));
-	return ret;
+static std::shared_ptr<sinsp_filter_factory> create_factory(sinsp* inspector,
+                                                            filter_check_list& list) {
+	return std::make_shared<sinsp_filter_factory>(inspector, list);
 }

-static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<gen_event_filter_factory> f)
-{
-	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
-	return ret;
+static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<sinsp_filter_factory> f) {
+	return std::make_shared<evttype_index_ruleset>(f);
 }

-static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<gen_event_filter_factory> f)
-{
+static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(
+        std::shared_ptr<sinsp_filter_factory> f) {
 	libsinsp::filter::parser parser("evt.type=open");
-	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
-	return ret;
+	return parser.parse();
 }

-static std::shared_ptr<gen_event_filter> create_filter(
-	std::shared_ptr<gen_event_filter_factory> f,
-	std::shared_ptr<libsinsp::filter::ast::expr> ast)
-{
-	sinsp_filter_compiler compiler(f, ast.get());
-	std::shared_ptr<gen_event_filter> filter(compiler.compile());
-	return filter;
+static std::shared_ptr<sinsp_filter> create_filter(std::shared_ptr<sinsp_filter_factory> f,
+                                                   libsinsp::filter::ast::expr* ast) {
+	sinsp_filter_compiler compiler(f, ast);
+	return std::shared_ptr<sinsp_filter>(compiler.compile());
 }

-TEST(Ruleset, enable_disable_rules_using_names)
-{
+TEST(Ruleset, enable_disable_rules_using_names) {
+	sinsp inspector;
+
 	sinsp_filter_check_list filterlist;
-	auto f = create_factory(filterlist);
+	auto f = create_factory(&inspector, filterlist);
 	auto r = create_ruleset(f);
 	auto ast = create_ast(f);
-	auto filter = create_filter(f, ast);
+	auto filter = create_filter(f, ast.get());

 	falco_rule rule_A = {};
 	rule_A.name = "rule_A";
@@ -76,55 +70,80 @@ TEST(Ruleset, enable_disable_rules_using_names)
 	r->add(rule_C, filter, ast);

 	/* Enable `rule_A` for RULESET_0 */
-	r->enable(rule_A.name, true, RULESET_0);
+	r->enable(rule_A.name, filter_ruleset::match_type::exact, RULESET_0);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Disable `rule_A` for RULESET_1, this should have no effect */
-	r->disable(rule_A.name, true, RULESET_1);
+	r->disable(rule_A.name, filter_ruleset::match_type::exact, RULESET_1);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Enable a not existing rule for RULESET_2, this should have no effect */
-	r->disable("<NA>", true, RULESET_2);
+	r->disable("<NA>", filter_ruleset::match_type::exact, RULESET_2);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Enable all rules for RULESET_0 */
-	r->enable("rule_", false, RULESET_0);
+	r->enable("rule_", filter_ruleset::match_type::substring, RULESET_0);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 3);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Try to disable all rules with exact match for RULESET_0, this should have no effect */
-	r->disable("rule_", true, RULESET_0);
+	r->disable("rule_", filter_ruleset::match_type::exact, RULESET_0);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 3);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Disable all rules for RULESET_0 */
-	r->disable("rule_", false, RULESET_0);
+	r->disable("rule_", filter_ruleset::match_type::substring, RULESET_0);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 0);

 	/* Enable rule_C for RULESET_2 without exact_match */
-	r->enable("_C", false, RULESET_2);
+	r->enable("_C", filter_ruleset::match_type::substring, RULESET_2);
 	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
 	ASSERT_EQ(r->enabled_count(RULESET_2), 1);
+
+	/* Disable rule_C for RULESET_2 without exact_match */
+	r->disable("_C", filter_ruleset::match_type::substring, RULESET_2);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable all rules for RULESET_0 with wildcard */
+	r->enable("*", filter_ruleset::match_type::wildcard, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 3);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Disable rule C for RULESET_0 with wildcard */
+	r->disable("*C*", filter_ruleset::match_type::wildcard, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 2);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Disable all rules for RULESET_0 with wildcard */
+	r->disable("*_*", filter_ruleset::match_type::wildcard, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
 }

-TEST(Ruleset, enable_disable_rules_using_tags)
-{
+TEST(Ruleset, enable_disable_rules_using_tags) {
+	sinsp inspector;
+
 	sinsp_filter_check_list filterlist;
-	auto f = create_factory(filterlist);
+	auto f = create_factory(&inspector, filterlist);
 	auto r = create_ruleset(f);
 	auto ast = create_ast(f);
-	auto filter = create_filter(f, ast);
+	auto filter = create_filter(f, ast.get());

 	falco_rule rule_A = {};
 	rule_A.name = "rule_A";
--- a/unit_tests/falco/app/actions/app_action_helpers.h
+++ b/unit_tests/falco/app/actions/app_action_helpers.h
@@ -19,5 +19,17 @@ limitations under the License.
 #include <falco/app/state.h>
 #include <falco/app/actions/actions.h>

-#define EXPECT_ACTION_OK(r)     { auto result = r; EXPECT_TRUE(result.success); EXPECT_TRUE(result.proceed); EXPECT_EQ(result.errstr, ""); }
-#define EXPECT_ACTION_FAIL(r)   { auto result = r; EXPECT_FALSE(result.success); EXPECT_FALSE(result.proceed); EXPECT_NE(result.errstr, ""); }
+#define EXPECT_ACTION_OK(r)           \
+	{                                 \
+		auto result = r;              \
+		EXPECT_TRUE(result.success);  \
+		EXPECT_TRUE(result.proceed);  \
+		EXPECT_EQ(result.errstr, ""); \
+	}
+#define EXPECT_ACTION_FAIL(r)         \
+	{                                 \
+		auto result = r;              \
+		EXPECT_FALSE(result.success); \
+		EXPECT_FALSE(result.proceed); \
+		EXPECT_NE(result.errstr, ""); \
+	}
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -16,28 +16,28 @@ limitations under the License.

 */

-#include <falco_engine.h>
+#include "../../../test_falco_engine.h"
+
+#include <utility>

 #include <falco/app/app.h>
 #include "app_action_helpers.h"

-#define ASSERT_NAMES_EQ(a, b) { \
-	EXPECT_EQ(_order(a).size(), _order(b).size()); \
-	ASSERT_EQ(_order(a), _order(b)); \
-}
+#define ASSERT_NAMES_EQ(a, b)                          \
+	{                                                  \
+		EXPECT_EQ(_order(a).size(), _order(b).size()); \
+		ASSERT_EQ(_order(a), _order(b));               \
+	}

-#define ASSERT_NAMES_CONTAIN(a, b) { \
-	ASSERT_NAMES_EQ(unordered_set_intersection(a, b), b); \
-}
+#define ASSERT_NAMES_CONTAIN(a, b) \
+	{ ASSERT_NAMES_EQ(unordered_set_intersection(a, b), b); }

-#define ASSERT_NAMES_NOCONTAIN(a, b) { \
-	ASSERT_NAMES_EQ(unordered_set_intersection(a, b), strset_t({})); \
-}
+#define ASSERT_NAMES_NOCONTAIN(a, b) \
+	{ ASSERT_NAMES_EQ(unordered_set_intersection(a, b), strset_t({})); }

 using strset_t = std::unordered_set<std::string>;

-static std::set<std::string> _order(const strset_t& s) 
-{
+static std::set<std::string> _order(const strset_t& s) {
 	return std::set<std::string>(s.begin(), s.end());
 }

@@ -46,89 +46,87 @@ static std::string s_sample_ruleset = "sample-ruleset";
 static std::string s_sample_source = falco_common::syscall_source;

 static strset_t s_sample_filters = {
-	"evt.type=connect or evt.type=accept or evt.type=accept4 or evt.type=umount2",
-	"evt.type in (open, ptrace, mmap, execve, read, container)",
-	"evt.type in (open, execve, mprotect) and not evt.type=mprotect"};
+        "evt.type=connect or evt.type=accept or evt.type=accept4 or evt.type=umount2",
+        "evt.type in (open, ptrace, mmap, execve, read, container)",
+        "evt.type in (open, execve, mprotect) and not evt.type=mprotect"};

-static strset_t s_sample_generic_filters = {
-	"evt.type=syncfs or evt.type=fanotify_init"};
+static strset_t s_sample_generic_filters = {"evt.type=syncfs or evt.type=fanotify_init"};

 static strset_t s_sample_nonsyscall_filters = {
-	"evt.type in (procexit, switch, pluginevent, container)"};
+        "evt.type in (procexit, switch, pluginevent, container)"};

-
-// todo(jasondellaluce): once we have deeper and more modular
-// control on the falco engine, make this a little nicer
-static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& filters)
-{
-	// craft a fake ruleset with the given filters
-	int n_rules = 0;
+static std::string ruleset_from_filters(const strset_t& filters) {
 	std::string dummy_rules;
 	falco::load_result::rules_contents_t content = {{"dummy_rules.yaml", dummy_rules}};
-	for (const auto& f : filters)
-	{
+	int n_rules = 0;
+	for(const auto& f : filters) {
 		n_rules++;
-		dummy_rules +=
-			"- rule: Dummy Rule " + std::to_string(n_rules) + "\n"
-			+ "  output: Dummy Output " + std::to_string(n_rules) + "\n"
-			+ "  condition: " + f + "\n"
-			+ "  desc: Dummy Desc " + std::to_string(n_rules) + "\n"
-			+ "  priority: CRITICAL\n\n";
+		dummy_rules += "- rule: Dummy Rule " + std::to_string(n_rules) + "\n" +
+		               "  output: Dummy Output " + std::to_string(n_rules) + "\n" +
+		               "  condition: " + f + "\n" + "  desc: Dummy Desc " +
+		               std::to_string(n_rules) + "\n" + "  priority: CRITICAL\n\n";
 	}

-	// create a falco engine and load the ruleset
-	sinsp_filter_check_list filterlist;
-	std::shared_ptr<falco_engine> res(new falco_engine());
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
-			new sinsp_filter_factory(nullptr, filterlist));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
-			new sinsp_evt_formatter_factory(nullptr, filterlist));
-	res->add_source(s_sample_source, filter_factory, formatter_factory);
-	res->load_rules(dummy_rules, "dummy_rules.yaml");
-	res->enable_rule("", true, s_sample_ruleset);
-	return res;
+	return dummy_rules;
 }

-TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
-{
+TEST_F(test_falco_engine, engine_codes_syscalls_set) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");

-	auto engine = mock_engine_from_filters(s_sample_filters);
-	auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
+	auto enabled_count = m_engine->num_rules_for_ruleset(s_sample_ruleset);
 	ASSERT_EQ(enabled_count, s_sample_filters.size());

 	// test if event code names were extracted from each rule in test ruleset.
-	auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
+	auto rules_event_set = m_engine->event_codes_for_ruleset(s_sample_source);
 	auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
-	ASSERT_NAMES_EQ(rules_event_names, strset_t({
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", "asyncevent"}));
+	ASSERT_NAMES_EQ(rules_event_names,
+	                strset_t({"connect",
+	                          "accept",
+	                          "accept4",
+	                          "umount2",
+	                          "open",
+	                          "ptrace",
+	                          "mmap",
+	                          "execve",
+	                          "read",
+	                          "container",
+	                          "asyncevent"}));

 	// test if sc code names were extracted from each rule in test ruleset.
 	// note, this is not supposed to contain "container", as that's an event
 	// not mapped through the ppm_sc_code enumerative.
-	auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
+	auto rules_sc_set = m_engine->sc_codes_for_ruleset(s_sample_source);
 	auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
-	ASSERT_NAMES_EQ(rules_sc_names, strset_t({
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
+	ASSERT_NAMES_EQ(rules_sc_names,
+	                strset_t({"connect",
+	                          "accept",
+	                          "accept4",
+	                          "umount2",
+	                          "open",
+	                          "ptrace",
+	                          "mmap",
+	                          "execve",
+	                          "read"}));
 }

-TEST(ConfigureInterestingSets, preconditions_postconditions)
-{
-	auto mock_engine = mock_engine_from_filters(s_sample_filters);
+TEST_F(test_falco_engine, preconditions_postconditions) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s1;

-	s1.engine = mock_engine;
-	s1.config = nullptr;
+	s1.engine = nullptr;
+	s1.config = std::make_shared<falco_configuration>();
+	s1.options.all_events = false;
 	auto result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_FALSE(result.success);
 	ASSERT_NE(result.errstr, "");

-	s1.engine = nullptr;
-	s1.config = std::make_shared<falco_configuration>();
+	s1.engine = m_engine;
+	s1.config = nullptr;
 	result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_FALSE(result.success);
 	ASSERT_NE(result.errstr, "");

-	s1.engine = mock_engine;
 	s1.config = std::make_shared<falco_configuration>();
 	result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_TRUE(result.success);
@@ -141,42 +139,66 @@ TEST(ConfigureInterestingSets, preconditions_postconditions)
 	ASSERT_EQ(prev_selection_size, s1.selected_sc_set.size());
 }

-TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
-{
+TEST_F(test_falco_engine, engine_codes_nonsyscalls_set) {
 	auto filters = s_sample_filters;
 	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
 	filters.insert(s_sample_nonsyscall_filters.begin(), s_sample_nonsyscall_filters.end());

-	auto engine = mock_engine_from_filters(filters);
-	auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
+	load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
+
+	auto enabled_count = m_engine->num_rules_for_ruleset(s_sample_ruleset);
 	ASSERT_EQ(enabled_count, filters.size());

-	auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
+	auto rules_event_set = m_engine->event_codes_for_ruleset(s_sample_source);
 	auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
 	// note: including even one generic event will cause PPME_GENERIC_E to be
 	// included in the ruleset's event codes. As such, when translating to names,
 	// PPME_GENERIC_E will cause all names of generic events to be added!
 	// This is a good example of information loss from ppm_event_code <-> ppm_sc_code.
 	auto generic_names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E});
-	auto expected_names = strset_t({
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", // ruleset
-		"procexit", "switch", "pluginevent", "asyncevent"}); // from non-syscall event filters
+	auto expected_names = strset_t({"connect",
+	                                "accept",
+	                                "accept4",
+	                                "umount2",
+	                                "open",
+	                                "ptrace",
+	                                "mmap",
+	                                "execve",
+	                                "read",
+	                                "container",  // ruleset
+	                                "procexit",
+	                                "switch",
+	                                "pluginevent",
+	                                "asyncevent"});  // from non-syscall event filters
 	expected_names.insert(generic_names.begin(), generic_names.end());
 	ASSERT_NAMES_EQ(rules_event_names, expected_names);

-	auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
+	auto rules_sc_set = m_engine->sc_codes_for_ruleset(s_sample_source);
 	auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
-	ASSERT_NAMES_EQ(rules_sc_names, strset_t({
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read",
-		"procexit", "switch", "syncfs", "fanotify_init", // from generic event filters
-	}));
+	ASSERT_NAMES_EQ(rules_sc_names,
+	                strset_t({
+	                        "connect",
+	                        "accept",
+	                        "accept4",
+	                        "umount2",
+	                        "open",
+	                        "ptrace",
+	                        "mmap",
+	                        "execve",
+	                        "read",
+	                        "procexit",
+	                        "switch",
+	                        "syncfs",
+	                        "fanotify_init",  // from generic event filters
+	                }));
 }

-TEST(ConfigureInterestingSets, selection_not_allevents)
-{
+TEST_F(test_falco_engine, selection_not_allevents) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s2;
 	// run app action with fake engine and without the `-A` option
-	s2.engine = mock_engine_from_filters(s_sample_filters);
+	s2.engine = m_engine;
 	s2.options.all_events = false;

 	ASSERT_EQ(s2.options.all_events, false);
@@ -191,10 +213,22 @@ TEST(ConfigureInterestingSets, selection_not_allevents)
 	ASSERT_GT(s2.selected_sc_set.size(), 1);
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s2.selected_sc_set);
 	auto expected_sc_names = strset_t({
-		// note: we expect the "read" syscall to have been erased
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset
-		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
-		"socket", "bind", "close" // from sinsp state set (network, files)
+	        // note: we expect the "read" syscall to have been erased
+	        "connect",
+	        "accept",
+	        "accept4",
+	        "umount2",
+	        "open",
+	        "ptrace",
+	        "mmap",
+	        "execve",  // from ruleset
+	        "clone",
+	        "clone3",
+	        "fork",
+	        "vfork",  // from sinsp state set (spawned_process)
+	        "socket",
+	        "bind",
+	        "close"  // from sinsp state set (network, files)
 	});
 	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);

@@ -206,8 +240,7 @@ TEST(ConfigureInterestingSets, selection_not_allevents)
 	// check that final selected set is exactly sinsp state + ruleset
 	auto rule_set = s2.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
 	auto state_set = libsinsp::events::sinsp_state_sc_set();
-	for (const auto &erased : ignored_set)
-	{
+	for(const auto& erased : ignored_set) {
 		rule_set.remove(erased);
 		state_set.remove(erased);
 	}
@@ -217,11 +250,12 @@ TEST(ConfigureInterestingSets, selection_not_allevents)
 	ASSERT_EQ(s2.selected_sc_set, union_set);
 }

-TEST(ConfigureInterestingSets, selection_allevents)
-{
+TEST_F(test_falco_engine, selection_allevents) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s3;
 	// run app action with fake engine and with the `-A` option
-	s3.engine = mock_engine_from_filters(s_sample_filters);
+	s3.engine = m_engine;
 	s3.options.all_events = true;
 	auto result = falco::app::actions::configure_interesting_sets(s3);
 	ASSERT_TRUE(result.success);
@@ -234,10 +268,23 @@ TEST(ConfigureInterestingSets, selection_allevents)
 	ASSERT_GT(s3.selected_sc_set.size(), 1);
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s3.selected_sc_set);
 	auto expected_sc_names = strset_t({
-		// note: we expect the "read" syscall to not be erased
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", // from ruleset
-		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
-		"socket", "bind", "close" // from sinsp state set (network, files)
+	        // note: we expect the "read" syscall to not be erased
+	        "connect",
+	        "accept",
+	        "accept4",
+	        "umount2",
+	        "open",
+	        "ptrace",
+	        "mmap",
+	        "execve",
+	        "read",  // from ruleset
+	        "clone",
+	        "clone3",
+	        "fork",
+	        "vfork",  // from sinsp state set (spawned_process)
+	        "socket",
+	        "bind",
+	        "close"  // from sinsp state set (network, files)
 	});
 	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);

@@ -250,14 +297,14 @@ TEST(ConfigureInterestingSets, selection_allevents)
 	ASSERT_EQ(s3.selected_sc_set, union_set);
 }

-TEST(ConfigureInterestingSets, selection_generic_evts)
-{
+TEST_F(test_falco_engine, selection_generic_evts) {
 	falco::app::state s4;
 	// run app action with fake engine and without the `-A` option
 	s4.options.all_events = false;
 	auto filters = s_sample_filters;
 	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
-	s4.engine = mock_engine_from_filters(filters);
+	load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
+	s4.engine = m_engine;
 	auto result = falco::app::actions::configure_interesting_sets(s4);
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
@@ -266,14 +313,28 @@ TEST(ConfigureInterestingSets, selection_generic_evts)
 	ASSERT_GT(s4.selected_sc_set.size(), 1);
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s4.selected_sc_set);
 	auto expected_sc_names = strset_t({
-		// note: we expect the "read" syscall to not be erased
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset
-		"syncfs", "fanotify_init",  // from ruleset (generic events)
-		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
-		"socket", "bind", "close" // from sinsp state set (network, files)
+	        // note: we expect the "read" syscall to not be erased
+	        "connect",
+	        "accept",
+	        "accept4",
+	        "umount2",
+	        "open",
+	        "ptrace",
+	        "mmap",
+	        "execve",  // from ruleset
+	        "syncfs",
+	        "fanotify_init",  // from ruleset (generic events)
+	        "clone",
+	        "clone3",
+	        "fork",
+	        "vfork",  // from sinsp state set (spawned_process)
+	        "socket",
+	        "bind",
+	        "close"  // from sinsp state set (network, files)
 	});
 	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
-	auto unexpected_sc_names = libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
+	auto unexpected_sc_names =
+	        libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
 	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
 }

@@ -282,12 +343,13 @@ TEST(ConfigureInterestingSets, selection_generic_evts)
 //   (either default or custom positive set)
 // - events in the custom negative set are removed from the selected set
 // - if `-A` is not set, events from the IO set are removed from the selected set
-TEST(ConfigureInterestingSets, selection_custom_base_set)
-{
+TEST_F(test_falco_engine, selection_custom_base_set) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s5;
 	// run app action with fake engine and without the `-A` option
 	s5.options.all_events = true;
-	s5.engine = mock_engine_from_filters(s_sample_filters);
+	s5.engine = m_engine;
 	auto default_base_set = libsinsp::events::sinsp_state_sc_set();

 	// non-empty custom base set (both positive and negative)
@@ -297,17 +359,24 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s5.selected_sc_set);
-	auto expected_sc_names = strset_t({
-		// note: `syncfs` has been added due to the custom base set, and `accept`
-		// has been remove due to the negative base set.
-		// note: `read` is not ignored due to the "-A" option being set.
-		// note: `accept` is not included even though it is matched by the rules,
-		// which means that the custom negation base set has precedence over the
-		// final selection set as a whole
-		// note(jasondellaluce): "accept4" should be added, however old versions
-		// of the ACCEPT4 event are actually named "accept" in the event table
-		"connect", "umount2", "open", "ptrace", "mmap", "execve", "read", "syncfs", "procexit"
-	});
+	auto expected_sc_names =
+	        strset_t({// note: `syncfs` has been added due to the custom base set, and `accept`
+	                  // has been remove due to the negative base set.
+	                  // note: `read` is not ignored due to the "-A" option being set.
+	                  // note: `accept` is not included even though it is matched by the rules,
+	                  // which means that the custom negation base set has precedence over the
+	                  // final selection set as a whole
+	                  // note(jasondellaluce): "accept4" should be added, however old versions
+	                  // of the ACCEPT4 event are actually named "accept" in the event table
+	                  "connect",
+	                  "umount2",
+	                  "open",
+	                  "ptrace",
+	                  "mmap",
+	                  "execve",
+	                  "read",
+	                  "syncfs",
+	                  "procexit"});
 	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);

 	// non-empty custom base set (both positive and negative with collision)
@@ -327,10 +396,18 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
 	selected_sc_names = libsinsp::events::sc_set_to_event_names(s5.selected_sc_set);
-	expected_sc_names = strset_t({
-		// note: accept is not negated anymore
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "syncfs", "procexit"
-	});
+	expected_sc_names = strset_t({// note: accept is not negated anymore
+	                              "connect",
+	                              "accept",
+	                              "accept4",
+	                              "umount2",
+	                              "open",
+	                              "ptrace",
+	                              "mmap",
+	                              "execve",
+	                              "read",
+	                              "syncfs",
+	                              "procexit"});
 	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);

 	// non-empty custom base set (only negative)
@@ -340,8 +417,8 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
 	ASSERT_EQ(result.errstr, "");
 	selected_sc_names = libsinsp::events::sc_set_to_event_names(s5.selected_sc_set);
 	expected_sc_names = unordered_set_union(
-		libsinsp::events::sc_set_to_event_names(default_base_set),
-		strset_t({ "connect", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
+	        libsinsp::events::sc_set_to_event_names(default_base_set),
+	        strset_t({"connect", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
 	expected_sc_names.erase("accept");
 	// note(jasondellaluce): "accept4" should be included, however old versions
 	// of the ACCEPT4 event are actually named "accept" in the event table
@@ -355,22 +432,30 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
 	selected_sc_names = libsinsp::events::sc_set_to_event_names(s5.selected_sc_set);
-	expected_sc_names = strset_t({
-		// note: read is both part of the custom base set and the rules set,
-		// but we expect the unset -A option to take precedence
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "procexit"
-	});
+	expected_sc_names = strset_t({// note: read is both part of the custom base set and the rules
+	                              // set, but we expect the unset -A option to take precedence
+	                              "connect",
+	                              "accept",
+	                              "accept4",
+	                              "umount2",
+	                              "open",
+	                              "ptrace",
+	                              "mmap",
+	                              "execve",
+	                              "procexit"});
 	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
-	auto unexpected_sc_names = libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
+	auto unexpected_sc_names =
+	        libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
 	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
 }

-TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
-{
+TEST_F(test_falco_engine, selection_custom_base_set_repair) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s6;
 	// run app action with fake engine and without the `-A` option
 	s6.options.all_events = false;
-	s6.engine = mock_engine_from_filters(s_sample_filters);
+	s6.engine = m_engine;

 	// note: here we use file syscalls (e.g. open, openat) and have a custom
 	// positive set, so we expect syscalls such as "close" to be selected as
@@ -383,22 +468,35 @@ TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s6.selected_sc_set);
-	auto expected_sc_names = strset_t({
-		// note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "procexit", \
-		"bind", "socket", "clone3", "close", "setuid"
-	});
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
 	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
-	auto unexpected_sc_names = libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
+	auto unexpected_sc_names =
+	        libsinsp::events::sc_set_to_event_names(falco::app::ignored_sc_set());
 	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
 }

-TEST(ConfigureInterestingSets, selection_empty_custom_base_set_repair)
-{
+TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
 	falco::app::state s7;
 	// run app action with fake engine and with the `-A` option
 	s7.options.all_events = true;
-	s7.engine = mock_engine_from_filters(s_sample_filters);
+	s7.engine = m_engine;

 	// simulate empty custom set but repair option set.
 	s7.config->m_base_syscalls_custom_set = {};
@@ -408,23 +506,34 @@ TEST(ConfigureInterestingSets, selection_empty_custom_base_set_repair)
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
 	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
-	auto expected_sc_names = strset_t({
-		// note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls
-		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "procexit", \
-		"bind", "socket", "clone3", "close", "setuid"
-	});
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
 	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
 	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
 	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }

-TEST(ConfigureInterestingSets, ignored_set_expected_size)
-{
+TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 	// unit test fence to make sure we don't have unexpected regressions
 	// in the ignored set, to be updated in the future
 	ASSERT_EQ(falco::app::ignored_sc_set().size(), 14);

 	// we don't expect to ignore any syscall in the default base set
-	ASSERT_EQ(falco::app::ignored_sc_set().intersect(libsinsp::events::sinsp_state_sc_set()).size(), 0);
+	ASSERT_EQ(falco::app::ignored_sc_set().intersect(libsinsp::events::sinsp_state_sc_set()).size(),
+	          0);
 }
--- a/unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp
+++ b/unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -17,13 +17,11 @@ limitations under the License.

 #include "app_action_helpers.h"

-TEST(ActionConfigureSyscallBufferNum, variable_number_of_CPUs)
-{
+TEST(ActionConfigureSyscallBufferNum, variable_number_of_CPUs) {
 	auto action = falco::app::actions::configure_syscall_buffer_num;

 	ssize_t online_cpus = sysconf(_SC_NPROCESSORS_ONLN);
-	if(online_cpus <= 0)
-	{
+	if(online_cpus <= 0) {
 		FAIL() << "cannot get the number of online CPUs from the system\n";
 	}

--- a/unit_tests/falco/app/actions/test_load_config.cpp
+++ b/unit_tests/falco/app/actions/test_load_config.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -19,10 +19,9 @@ limitations under the License.
 #include "falco_test_var.h"

 #ifndef __EMSCRIPTEN__
-TEST(ActionLoadConfig, check_engine_config_is_correctly_parsed)
-{
+TEST(ActionLoadConfig, check_kmod_engine_config) {
 	falco::app::state s = {};
-	s.options.conf_filename = NEW_ENGINE_CONFIG_CHANGED;
+	s.options.conf_filename = TEST_ENGINE_KMOD_CONFIG;
 	EXPECT_ACTION_OK(falco::app::actions::load_config(s));

 	// Check that the engine is the kmod
@@ -45,105 +44,25 @@ TEST(ActionLoadConfig, check_engine_config_is_correctly_parsed)

 	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
 	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
-
-	// Check that deprecated configs are always set since
-	EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6);
-	EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 7);
-	EXPECT_TRUE(s.config->m_syscall_drop_failed_exit);
 }

-// Equal to the one above but checks that the command line options are not parsed
-TEST(ActionLoadConfig, check_command_line_options_are_not_used)
-{
-	falco::app::state s;
-	s.options.modern_bpf = true;
-	s.options.conf_filename = NEW_ENGINE_CONFIG_CHANGED;
+TEST(ActionLoadConfig, check_modern_engine_config) {
+	falco::app::state s = {};
+	s.options.conf_filename = TEST_ENGINE_MODERN_CONFIG;
 	EXPECT_ACTION_OK(falco::app::actions::load_config(s));

-	// Check that the engine is the kmod
-	EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::KMOD);
+	// Check that the engine is the modern ebpf
+	EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::MODERN_EBPF);

-	// Check that kmod params are the ones specified in the config
-	EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 2);
-	EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
-
-	// Check that all other engine params are empty
-	EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
-	EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
-
-	EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0);
-	EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
-
-	EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
-
-	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
-	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
-
-	// Check that deprecated configs are always set since
-	EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6);
-	EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 7);
-	EXPECT_TRUE(s.config->m_syscall_drop_failed_exit);
-}
-
-TEST(ActionLoadConfig, check_kmod_with_syscall_configs)
-{
-	falco::app::state s;
-	s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED;
-	EXPECT_ACTION_OK(falco::app::actions::load_config(s));
-
-	// Check that the engine is the kmod
-	EXPECT_TRUE(s.config->m_engine_mode == engine_kind_t::KMOD);
-
-	// Kmod params should be populated with the syscall configs
-	// since the `engine` block is untouched.
-	EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6);
-	EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit);
-
-	// Check that all other engine params are empty
-	EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
-	EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
-
-	EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0);
-	EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
-
-	EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
-
-	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
-	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
-
-	// Check that deprecated configs are populated
-	EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6);
-	EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3);
-	EXPECT_TRUE(s.config->m_syscall_drop_failed_exit);
-}
-
-TEST(ActionLoadConfig, check_override_command_line_modern)
-{
-	falco::app::state s;
-	// The command line options should be correctly applied since the
-	// config is unchanged
-	s.options.modern_bpf = true;
-	s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED;
-	EXPECT_ACTION_OK(falco::app::actions::load_config(s));
-
-	// Check that the engine is the kmod
-	EXPECT_TRUE(s.is_modern_ebpf());
-
-	// Check that the modern ebpf engine uses the default syscall configs
-	// and not the ones in the `engine` block
-	EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 3);
-	EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 6);
+	// Check that modern ebpf params are the ones specified in the config
+	EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 1);
+	EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 4);
 	EXPECT_TRUE(s.config->m_modern_ebpf.m_drop_failed_exit);

-	// Kmod params should be always populated since the kmod is the default
-	EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6);
-	EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit);
-
 	// Check that all other engine params are empty
+	EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 0);
+	EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
+
 	EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
 	EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
 	EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
@@ -152,45 +71,6 @@ TEST(ActionLoadConfig, check_override_command_line_modern)

 	EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
 	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
-
-	// Check that deprecated configs are populated
-	EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6);
-	EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3);
-	EXPECT_TRUE(s.config->m_syscall_drop_failed_exit);
 }

-TEST(ActionLoadConfig, check_override_command_line_gvisor)
-{
-	falco::app::state s;
-	// The command line options should be correctly applied since the
-	// config is unchanged
-	s.options.gvisor_config = "config";
-	s.options.conf_filename = NEW_ENGINE_CONFIG_UNCHANGED;
-	EXPECT_ACTION_OK(falco::app::actions::load_config(s));
-
-	// Check that the engine is the kmod
-	EXPECT_TRUE(s.is_gvisor());
-	EXPECT_EQ(s.config->m_gvisor.m_config, "config");
-	EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
-
-	// Kmod params should be always populated since the kmod is the default
-	EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 6);
-	EXPECT_TRUE(s.config->m_kmod.m_drop_failed_exit);
-
-	// Check that all other engine params are empty
-	EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
-	EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
-
-	EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0);
-	EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0);
-	EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
-
-	EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
-
-	// Check that deprecated configs are populated
-	EXPECT_EQ(s.config->m_syscall_buf_size_preset, 6);
-	EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, 3);
-	EXPECT_TRUE(s.config->m_syscall_drop_failed_exit);
-}
 #endif
--- a/unit_tests/falco/app/actions/test_select_event_sources.cpp
+++ b/unit_tests/falco/app/actions/test_select_event_sources.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -17,85 +17,82 @@ limitations under the License.

 #include "app_action_helpers.h"

-TEST(ActionSelectEventSources, pre_post_conditions)
-{
-    auto action = falco::app::actions::select_event_sources;
+TEST(ActionSelectEventSources, pre_post_conditions) {
+	auto action = falco::app::actions::select_event_sources;

-    // requires sources to be already loaded
-    {
-        falco::app::state s;
-        EXPECT_ACTION_FAIL(action(s));
-    }
+	// requires sources to be already loaded
+	{
+		falco::app::state s;
+		EXPECT_ACTION_FAIL(action(s));
+	}

-    // ignore source selection in capture mode
-    {
-        falco::app::state s;
-        s.config->m_engine_mode = engine_kind_t::REPLAY;
-        EXPECT_TRUE(s.is_capture_mode());
-        EXPECT_ACTION_OK(action(s));
-    }
+	// ignore source selection in capture mode
+	{
+		falco::app::state s;
+		s.config->m_engine_mode = engine_kind_t::REPLAY;
+		EXPECT_TRUE(s.is_capture_mode());
+		EXPECT_ACTION_OK(action(s));
+	}

-    // enable all loaded sources by default, even with multiple calls
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        EXPECT_ACTION_OK(action(s));
-        EXPECT_EQ(s.loaded_sources.size(), s.enabled_sources.size());
-        for (const auto& v : s.loaded_sources)
-        {
-            ASSERT_TRUE(s.enabled_sources.find(v) != s.enabled_sources.end());
-        }
-        s.loaded_sources.push_back("another_source");
-        EXPECT_ACTION_OK(action(s));
-        EXPECT_EQ(s.loaded_sources.size(), s.enabled_sources.size());
-        for (const auto& v : s.loaded_sources)
-        {
-            ASSERT_TRUE(s.enabled_sources.find(v) != s.enabled_sources.end());
-        }
-    }
+	// enable all loaded sources by default, even with multiple calls
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.loaded_sources.size(), s.enabled_sources.size());
+		for(const auto& v : s.loaded_sources) {
+			ASSERT_TRUE(s.enabled_sources.find(v) != s.enabled_sources.end());
+		}
+		s.loaded_sources.push_back("another_source");
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.loaded_sources.size(), s.enabled_sources.size());
+		for(const auto& v : s.loaded_sources) {
+			ASSERT_TRUE(s.enabled_sources.find(v) != s.enabled_sources.end());
+		}
+	}

-    // enable only selected sources
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        s.options.enable_sources = {"syscall"};
-        EXPECT_ACTION_OK(action(s));
-        EXPECT_EQ(s.enabled_sources.size(), 1);
-        EXPECT_EQ(*s.enabled_sources.begin(), "syscall");
-    }
+	// enable only selected sources
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		s.options.enable_sources = {"syscall"};
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.enabled_sources.size(), 1);
+		EXPECT_EQ(*s.enabled_sources.begin(), "syscall");
+	}

-    // enable all loaded sources expect the disabled ones
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        s.options.disable_sources = {"syscall"};
-        EXPECT_ACTION_OK(action(s));
-        EXPECT_EQ(s.enabled_sources.size(), 1);
-        EXPECT_EQ(*s.enabled_sources.begin(), "some_source");
-    }
+	// enable all loaded sources expect the disabled ones
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		s.options.disable_sources = {"syscall"};
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.enabled_sources.size(), 1);
+		EXPECT_EQ(*s.enabled_sources.begin(), "some_source");
+	}

-    // enable unknown sources
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        s.options.enable_sources = {"some_other_source"};
-        EXPECT_ACTION_FAIL(action(s));
-    }
+	// enable unknown sources
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		s.options.enable_sources = {"some_other_source"};
+		EXPECT_ACTION_FAIL(action(s));
+	}

-    // disable unknown sources
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        s.options.disable_sources = {"some_other_source"};
-        EXPECT_ACTION_FAIL(action(s));
-    }
+	// disable unknown sources
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		s.options.disable_sources = {"some_other_source"};
+		EXPECT_ACTION_FAIL(action(s));
+	}

-    // mix enable and disable sources options
-    {
-        falco::app::state s;
-        s.loaded_sources = {"syscall", "some_source"};
-        s.options.disable_sources = {"syscall"};
-        s.options.enable_sources = {"syscall"};
-        EXPECT_ACTION_FAIL(action(s));
-    }
+	// mix enable and disable sources options
+	{
+		falco::app::state s;
+		s.loaded_sources = {"syscall", "some_source"};
+		s.options.disable_sources = {"syscall"};
+		s.options.enable_sources = {"syscall"};
+		EXPECT_ACTION_FAIL(action(s));
+	}
 }
--- a/unit_tests/falco/test_atomic_signal_handler.cpp
+++ b/unit_tests/falco/test_atomic_signal_handler.cpp
@@ -8,83 +8,68 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

-#include <gtest/gtest.h>
-#include <future>
-#include <thread>
-#include <vector>
-#include <memory>
-#include <chrono>
- 
 #include <falco/atomic_signal_handler.h>
-#include <falco/logger.h>
+#include <engine/logger.h>

-TEST(AtomicSignalHandler, lock_free_implementation)
-{
+#include <gtest/gtest.h>
+
+#include <chrono>
+#include <future>
+#include <memory>
+#include <vector>
+
+TEST(AtomicSignalHandler, lock_free_implementation) {
 	ASSERT_TRUE(falco::atomic_signal_handler().is_lock_free());
 }

-TEST(AtomicSignalHandler, handle_once_wait_consistency)
-{
+TEST(AtomicSignalHandler, handle_once_wait_consistency) {
 	constexpr const auto thread_num = 10;
-	constexpr const auto thread_wait_sec = 2;
-	constexpr const auto handler_wait_sec = 1;
+	constexpr const std::chrono::seconds thread_wait_sec{2};
+	constexpr const std::chrono::seconds handler_wait_sec{1};

 	// have a shared signal handler
 	falco::atomic_signal_handler handler;

 	// launch a bunch of threads all syncing on the same handler
-	typedef struct
-	{
+	struct task_result_t {
 		bool handled;
-		uint64_t duration_secs;
-	} task_result_t;
+		std::chrono::seconds duration_secs;
+	};
+
 	std::vector<std::future<task_result_t>> futures;
-	std::vector<std::unique_ptr<std::thread>> threads;
-	for (int i = 0; i < thread_num; i++)
-	{
-		std::packaged_task<task_result_t()> task([&handler, &thread_wait_sec]{
+	for(int i = 0; i < thread_num; i++) {
+		futures.emplace_back(std::async(std::launch::async, [&handler, thread_wait_sec]() {
 			auto start = std::chrono::high_resolution_clock::now();
 			task_result_t res;
 			res.handled = false;
-			while (!handler.handled())
-			{
-				if (handler.triggered())
-				{
-					res.handled = handler.handle([&thread_wait_sec]{
-						std::this_thread::sleep_for (std::chrono::seconds(thread_wait_sec));
-					});
+			while(!handler.handled()) {
+				if(handler.triggered()) {
+					res.handled = handler.handle(
+					        [thread_wait_sec]() { std::this_thread::sleep_for(thread_wait_sec); });
 				}
 			}
 			auto diff = std::chrono::high_resolution_clock::now() - start;
-			res.duration_secs = std::chrono::duration_cast<std::chrono::seconds>(diff).count();
+			res.duration_secs = std::chrono::duration_cast<std::chrono::seconds>(diff);
 			return res;
-		});
-		futures.push_back(task.get_future());
-		threads.emplace_back();
-		threads[i].reset(new std::thread(std::move(task)));
+		}));
 	}

 	// wait a bit, then trigger the signal handler from the main thread
 	auto total_handled = 0;
 	auto start = std::chrono::high_resolution_clock::now();
-	std::this_thread::sleep_for (std::chrono::seconds(handler_wait_sec));
+	std::this_thread::sleep_for(handler_wait_sec);
 	handler.trigger();
-	for (int i = 0; i < thread_num; i++)
-	{
-		// we need to check that all threads didn't quit before
-		// the handle() function finished executing
-		futures[i].wait();
-		threads[i]->join();
+	for(int i = 0; i < thread_num; i++) {
+		// wait for all threads to finish and get the results from the futures
 		auto res = futures[i].get();
-		if (res.handled)
-		{
+		if(res.handled) {
 			total_handled++;
 		}
 		ASSERT_GE(res.duration_secs, thread_wait_sec);
@@ -92,16 +77,15 @@ TEST(AtomicSignalHandler, handle_once_wait_consistency)

 	// check that the total time is consistent with the expectations
 	auto diff = std::chrono::high_resolution_clock::now() - start;
-	auto secs = std::chrono::duration_cast<std::chrono::seconds>(diff).count();
+	auto secs = std::chrono::duration_cast<std::chrono::seconds>(diff);
 	ASSERT_GE(secs, thread_wait_sec + handler_wait_sec);

 	// check that only one thread handled the signal
 	ASSERT_EQ(total_handled, 1);
 }

-TEST(AtomicSignalHandler, handle_and_reset)
-{
-	auto do_nothing = []{};
+TEST(AtomicSignalHandler, handle_and_reset) {
+	auto do_nothing = [] {};
 	falco::atomic_signal_handler handler;

 	ASSERT_FALSE(handler.triggered());
--- a/unit_tests/falco/test_configs/new_engine_config_unchanged.yaml
+++ b/unit_tests/falco/test_configs/new_engine_config_unchanged.yaml
@@ -20,16 +20,15 @@
 # Falco engine #
 ################

-# Unchanged
 engine:
  kind: kmod
  kmod:
-    buf_size_preset: 4
+    buf_size_preset: 2
    drop_failed_exit: false
  ebpf:
    probe: /path/to/probe.o
-    buf_size_preset: 4
-    drop_failed_exit: false
+    buf_size_preset: 7
+    drop_failed_exit: true
  modern_ebpf:
    cpus_for_each_buffer: 2
    buf_size_preset: 4
@@ -39,15 +38,3 @@ engine:
  gvisor:
    config: /path/to/gvisor_config.yaml
    root: ""
-
-#######################################
-# Falco performance tuning (advanced) #
-#######################################
-
-# The `engine` config is unchanged so these configs are used
-syscall_buf_size_preset: 6
-
-syscall_drop_failed_exit: true
-
-modern_bpf:
-  cpus_for_each_syscall_buffer: 3
--- a/unit_tests/falco/test_configs/new_engine_config_changed.yaml
+++ b/unit_tests/falco/test_configs/new_engine_config_changed.yaml
@@ -21,32 +21,20 @@
 ################

 engine:
-  kind: kmod
+  kind: modern_ebpf
  kmod:
-    buf_size_preset: 2 # changed default value
-    drop_failed_exit: false
+    buf_size_preset: 1
+    drop_failed_exit: true
  ebpf:
    probe: /path/to/probe.o
    buf_size_preset: 4
    drop_failed_exit: false
  modern_ebpf:
-    cpus_for_each_buffer: 2
-    buf_size_preset: 4
-    drop_failed_exit: false
+    cpus_for_each_buffer: 1
+    # missing `buf_size_preset` should be defaulted
+    drop_failed_exit: true
  replay:
    capture_file: /path/to/file.scap
  gvisor:
    config: /path/to/gvisor_config.yaml
    root: ""
-
-#######################################
-# Falco performance tuning (advanced) #
-#######################################
-
-# These configs should be ignored since we have changed the `engine` config
-syscall_buf_size_preset: 6
-
-syscall_drop_failed_exit: true
-
-modern_bpf:
-  cpus_for_each_syscall_buffer: 7
--- a/unit_tests/falco/test_configuration.cpp
+++ b/unit_tests/falco/test_configuration.cpp
@@ -8,7 +8,7 @@ You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

-Unless ASSERTd by applicable law or agreed to in writing, software
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
@@ -18,27 +18,20 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <falco/configuration.h>

-#ifdef _WIN32
-#define SET_ENV_VAR(env_var_name, env_var_value) _putenv_s(env_var_name, env_var_value)
-#else
-#define SET_ENV_VAR(env_var_name, env_var_value) setenv(env_var_name, env_var_value, 1)
-#endif
-
 static std::string sample_yaml =
-	"base_value:\n"
-	"    id: 1\n"
-	"    name: 'sample_name'\n"
-	"    subvalue:\n"
-	"      subvalue2:\n"
-	"        boolean: true\n"
-	"base_value_2:\n"
-	"  sample_list:\n"
-	"    - elem1\n"
-	"    - elem2\n"
-	"    - elem3\n";
+        "base_value:\n"
+        "    id: 1\n"
+        "    name: 'sample_name'\n"
+        "    subvalue:\n"
+        "      subvalue2:\n"
+        "        boolean: true\n"
+        "base_value_2:\n"
+        "  sample_list:\n"
+        "    - elem1\n"
+        "    - elem2\n"
+        "    - elem3\n";

-TEST(Configuration, configuration_exceptions)
-{
+TEST(Configuration, configuration_exceptions) {
 	yaml_helper conf;

 	/* Broken YAML */
@@ -49,8 +42,7 @@ TEST(Configuration, configuration_exceptions)
 	EXPECT_NO_THROW(conf.load_from_string(sample_yaml));
 }

-TEST(Configuration, configuration_reload)
-{
+TEST(Configuration, configuration_reload) {
 	yaml_helper conf;

 	/* Clear and reload config */
@@ -62,8 +54,7 @@ TEST(Configuration, configuration_reload)
 	ASSERT_TRUE(conf.is_defined("base_value"));
 }

-TEST(Configuration, read_yaml_fields)
-{
+TEST(Configuration, read_yaml_fields) {
 	yaml_helper conf;
 	conf.load_from_string(sample_yaml);

@@ -78,9 +69,12 @@ TEST(Configuration, read_yaml_fields)
 	ASSERT_EQ(conf.get_scalar<bool>("base_value.subvalue.subvalue2.boolean", false), true);

 	/* get list field elements */
-	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[0]", "none").c_str(), "elem1");
-	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[1]", "none").c_str(), "elem2");
-	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[2]", "none").c_str(), "elem3");
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[0]", "none").c_str(),
+	             "elem1");
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[1]", "none").c_str(),
+	             "elem2");
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[2]", "none").c_str(),
+	             "elem3");

 	/* get sequence */
 	std::vector<std::string> seq;
@@ -91,273 +85,100 @@ TEST(Configuration, read_yaml_fields)
 	ASSERT_STREQ(seq[2].c_str(), "elem3");
 }

-TEST(Configuration, modify_yaml_fields)
-{
+TEST(Configuration, modify_yaml_fields) {
 	std::string key = "base_value.subvalue.subvalue2.boolean";
 	yaml_helper conf;

-    /* Get original value */
-    conf.load_from_string(sample_yaml);
+	/* Get original value */
+	conf.load_from_string(sample_yaml);
 	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);

-    /* Modify the original value */
-    conf.set_scalar<bool>(key, false);
+	/* Modify the original value */
+	conf.set_scalar<bool>(key, false);
 	ASSERT_EQ(conf.get_scalar<bool>(key, true), false);

-    /* Modify it again */
-    conf.set_scalar<bool>(key, true);
+	/* Modify it again */
+	conf.set_scalar<bool>(key, true);
 	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);
 }

-TEST(Configuration, configuration_environment_variables)
-{
-    // Set an environment variable for testing purposes
-    std::string env_var_value = "envVarValue";
-    std::string env_var_name = "ENV_VAR";
-    SET_ENV_VAR(env_var_name.c_str(), env_var_value.c_str());
+TEST(Configuration, configuration_webserver_ip) {
+	falco_configuration falco_config;

-    std::string embedded_env_var_value = "${ENV_VAR}";
-    std::string embedded_env_var_name = "ENV_VAR_EMBEDDED";
-    SET_ENV_VAR(embedded_env_var_name.c_str(), embedded_env_var_value.c_str());
+	std::vector<std::string> valid_addresses = {"127.0.0.1",
+	                                            "1.127.0.1",
+	                                            "1.1.127.1",
+	                                            "1.1.1.127",
+	                                            "::",
+	                                            "::1",
+	                                            "1200:0000:AB00:1234:0000:2552:7777:1313",
+	                                            "1200::AB00:1234:0000:2552:7777:1313",
+	                                            "1200:0000:AB00:1234::2552:7777:1313",
+	                                            "21DA:D3:0:2F3B:2AA:FF:FE28:9C5A",
+	                                            "FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
+	                                            "0.0.0.0",
+	                                            "9.255.255.255",
+	                                            "11.0.0.0",
+	                                            "126.255.255.255",
+	                                            "129.0.0.0",
+	                                            "169.253.255.255",
+	                                            "169.255.0.0",
+	                                            "172.15.255.255",
+	                                            "172.32.0.0",
+	                                            "191.0.1.255",
+	                                            "192.88.98.255",
+	                                            "192.88.100.0",
+	                                            "192.167.255.255",
+	                                            "192.169.0.0",
+	                                            "198.17.255.255",
+	                                            "223.255.255.255"};

-    std::string bool_env_var_value = "true";
-    std::string bool_env_var_name = "ENV_VAR_BOOL";
-    SET_ENV_VAR(bool_env_var_name.c_str(), bool_env_var_value.c_str());
+	for(const std::string &address : valid_addresses) {
+		std::string option = "webserver.listen_address=";
+		option.append(address);

-    std::string int_env_var_value = "12";
-    std::string int_env_var_name = "ENV_VAR_INT";
-    SET_ENV_VAR(int_env_var_name.c_str(), int_env_var_value.c_str());
+		std::vector<std::string> cmdline_config_options;
+		cmdline_config_options.push_back(option);

-    std::string empty_env_var_value = "";
-    std::string empty_env_var_name = "ENV_VAR_EMPTY";
-    SET_ENV_VAR(empty_env_var_name.c_str(), empty_env_var_value.c_str());
+		EXPECT_NO_THROW(falco_config.init_from_content("", cmdline_config_options));

-    std::string default_value = "default";
-    std::string env_var_sample_yaml =
-        "base_value:\n"
-        "    id: $ENV_VAR\n"
-        "    name: '${ENV_VAR}'\n"
-        "    string: my_string\n"
-        "    invalid: $${ENV_VAR}\n"
-	"    invalid_env: $$ENV_VAR\n"
-	"    invalid_double_env: $${ENV_VAR}$${ENV_VAR}\n"
-	"    invalid_embedded_env: $${${ENV_VAR}}\n"
-	"    invalid_valid_env: $${ENV_VAR}${ENV_VAR}\n"
-        "    escaped: \"${ENV_VAR}\"\n"
-        "    subvalue:\n"
-        "        subvalue2:\n"
-        "            boolean: ${UNSED_XX_X_X_VAR}\n"
-        "base_value_2:\n"
-        "    sample_list:\n"
-        "        - ${ENV_VAR}\n"
-        "        - ' ${ENV_VAR}'\n"
-	"        - '${ENV_VAR} '\n"
-        "        - $UNSED_XX_X_X_VAR\n"
-        "paths:\n"
-	"    - ${ENV_VAR}/foo\n"
-	"    - $ENV_VAR/foo\n"
-	"    - /foo/${ENV_VAR}/\n"
-	"    - /${ENV_VAR}/${ENV_VAR}${ENV_VAR}/foo\n"
-	"    - ${ENV_VAR_EMBEDDED}/foo\n"
-	"is_test: ${ENV_VAR_BOOL}\n"
-	"num_test: ${ENV_VAR_INT}\n"
-	"empty_test: ${ENV_VAR_EMPTY}\n"
-	"plugins:\n"
-	"  - name: k8saudit\n"
-	"    library_path: /foo/${ENV_VAR}/libk8saudit.so\n"
-	"    open_params: ${ENV_VAR_INT}\n";
+		ASSERT_EQ(falco_config.m_webserver_config.m_listen_address, address);
+	}

-    yaml_helper conf;
-    conf.load_from_string(env_var_sample_yaml);
+	std::vector<std::string> invalid_addresses = {
+	        "327.0.0.1",
+	        "1.327.0.1",
+	        "1.1.327.1",
+	        "1.1.1.327",
+	        "12 7.0.0.1",
+	        "127. 0.0.1",
+	        "127.0. 0.1",
+	        "127.0.0. 1",
+	        "!27.0.0.1",
+	        "1200: 0000:AB00:1234:0000:2552:7777:1313",
+	        "1200:0000: AB00:1234:0000:2552:7777:1313",
+	        "1200:0000:AB00: 1234:0000:2552:7777:1313",
+	        "1200:0000:AB00:1234: 0000:2552:7777:1313",
+	        "1200:0000:AB00:1234:0000: 2552:7777:1313",
+	        "1200:0000:AB00:1234:0000:2552: 7777:1313",
+	        "1200:0000:AB00:1234:0000:2552:7777: 1313",
+	        "1200:0000:AB00:1234:0000:2552:7777:131G",
+	        "1200:0000:AB00:1234:0000:2552:77Z7:1313",
+	        "1200:0000:AB00:1234:0000:2G52:7777:1313",
+	        "1200:0000:AB00:1234:0O00:2552:7777:1313",
+	        "1200:0000:AB00:H234:0000:2552:7777:1313",
+	        "1200:0000:IB00:1234:0000:2552:7777:1313",
+	        "1200:0O00:AB00:1234:0000:2552:7777:1313",
+	        "12O0:0000:AB00:1234:0000:2552:7777:1313",
+	};

-    /* Check if the base values are defined */
-    ASSERT_TRUE(conf.is_defined("base_value"));
-    ASSERT_TRUE(conf.is_defined("base_value_2"));
-    ASSERT_TRUE(conf.is_defined("paths"));
-    ASSERT_FALSE(conf.is_defined("unknown_base_value"));
+	for(const std::string &address : invalid_addresses) {
+		std::string option = "webserver.listen_address=";
+		option.append(address);

-    /* Test fetching of a regular string without any environment variable */
-    auto base_value_string = conf.get_scalar<std::string>("base_value.string", default_value);
-    ASSERT_EQ(base_value_string, "my_string");
+		std::vector<std::string> cmdline_config_options;
+		cmdline_config_options.push_back(option);

-    /* Test fetching of escaped environment variable format. Should return the string as-is after stripping the leading `$` */
-    auto base_value_invalid = conf.get_scalar<std::string>("base_value.invalid", default_value);
-    ASSERT_EQ(base_value_invalid, "${ENV_VAR}");
-
-    /* Test fetching of invalid escaped environment variable format. Should return the string as-is */
-    auto base_value_invalid_env = conf.get_scalar<std::string>("base_value.invalid_env", default_value);
-    ASSERT_EQ(base_value_invalid_env, "$$ENV_VAR");
-
-    /* Test fetching of 2 escaped environment variables side by side. Should return the string as-is after stripping the leading `$` */
-    auto base_value_double_invalid = conf.get_scalar<std::string>("base_value.invalid_double_env", default_value);
-    ASSERT_EQ(base_value_double_invalid, "${ENV_VAR}${ENV_VAR}");
-
-    /*
-     * Test fetching of escaped environment variable format with inside an env variable.
-     * Should return the string as-is after stripping the leading `$` with the resolved env variable within
-     */
-    auto base_value_embedded_invalid = conf.get_scalar<std::string>("base_value.invalid_embedded_env", default_value);
-    ASSERT_EQ(base_value_embedded_invalid, "${" + env_var_value + "}");
-
-    /*
-     * Test fetching of an escaped env variable plus an env variable side by side.
-     * Should return the escaped one trimming the leading `$` plus the second one resolved.
-     */
-    auto base_value_valid_invalid = conf.get_scalar<std::string>("base_value.invalid_valid_env", default_value);
-    ASSERT_EQ(base_value_valid_invalid, "${ENV_VAR}" + env_var_value);
-
-    /* Test fetching of strings that contain environment variables */
-    auto base_value_id = conf.get_scalar<std::string>("base_value.id", default_value);
-    ASSERT_EQ(base_value_id, "$ENV_VAR"); // Does not follow the `${VAR}` format, so it should be treated as a regular string
-
-    auto base_value_name = conf.get_scalar<std::string>("base_value.name", default_value);
-    ASSERT_EQ(base_value_name, env_var_value); // Proper environment variable format
-
-    auto base_value_escaped = conf.get_scalar<std::string>("base_value.escaped", default_value);
-    ASSERT_EQ(base_value_escaped, env_var_value); // Environment variable within quotes
-
-    /* Test fetching of an undefined environment variable. Resolves to empty string. */
-    auto unknown_boolean = conf.get_scalar<std::string>("base_value.subvalue.subvalue2.boolean", default_value);
-    ASSERT_EQ(unknown_boolean, "");
-
-    /* Test fetching of environment variables from a list */
-    auto base_value_2_list_0 = conf.get_scalar<std::string>("base_value_2.sample_list[0]", default_value);
-    ASSERT_EQ(base_value_2_list_0, env_var_value); // Proper environment variable format
-
-    auto base_value_2_list_1 = conf.get_scalar<std::string>("base_value_2.sample_list[1]", default_value);
-    ASSERT_EQ(base_value_2_list_1, " " + env_var_value); // Environment variable preceded by a space, still extracted env var with leading space
-
-    auto base_value_2_list_2 = conf.get_scalar<std::string>("base_value_2.sample_list[2]", default_value);
-    ASSERT_EQ(base_value_2_list_2, env_var_value + " "); // Environment variable followed by a space, still extracted env var with trailing space
-
-    auto base_value_2_list_3 = conf.get_scalar<std::string>("base_value_2.sample_list[3]", default_value);
-    ASSERT_EQ(base_value_2_list_3, "$UNSED_XX_X_X_VAR"); // Does not follow the `${VAR}` format, so should be treated as a regular string
-
-    /* Test expansion of environment variables within strings */
-    auto path_list_0 = conf.get_scalar<std::string>("paths[0]", default_value);
-    ASSERT_EQ(path_list_0, env_var_value + "/foo"); // Even if env var is part of bigger string, it gets expanded
-
-    auto path_list_1 = conf.get_scalar<std::string>("paths[1]", default_value);
-    ASSERT_EQ(path_list_1, "$ENV_VAR/foo"); // Does not follow the `${VAR}` format, so should be treated as a regular string
-
-    auto path_list_2 = conf.get_scalar<std::string>("paths[2]", default_value);
-    ASSERT_EQ(path_list_2, "/foo/" + env_var_value + "/"); // Even when env var is in the middle of a string. it gets expanded
-
-    auto path_list_3 = conf.get_scalar<std::string>("paths[3]", default_value);
-    ASSERT_EQ(path_list_3, "/" + env_var_value + "/" + env_var_value + env_var_value + "/foo"); // Even when the string contains multiple env vars they are correctly expanded
-
-    auto path_list_4 = conf.get_scalar<std::string>("paths[4]", default_value);
-    ASSERT_EQ(path_list_4, env_var_value + "/foo"); // Even when the env var contains another env var, it gets correctly double-expanded
-
-    /* Check that variable expansion is type-aware */
-    auto boolean = conf.get_scalar<bool>("is_test", false);
-    ASSERT_EQ(boolean, true); // `true` can be parsed to bool.
-
-    auto boolean_as_str = conf.get_scalar<std::string>("is_test", "false");
-    ASSERT_EQ(boolean_as_str, "true"); // `true` can be parsed to string.
-
-    auto boolean_as_int = conf.get_scalar<int32_t>("is_test", 0);
-    ASSERT_EQ(boolean_as_int, 0); // `true` cannot be parsed to integer.
-
-    auto integer = conf.get_scalar<int32_t>("num_test", -1);
-    ASSERT_EQ(integer, 12);
-
-    // An env var that resolves to an empty string returns ""
-    auto empty_default_str = conf.get_scalar<std::string>("empty_test", default_value);
-    ASSERT_EQ(empty_default_str, "");
-
-    std::list<falco_configuration::plugin_config> plugins;
-    conf.get_sequence<std::list<falco_configuration::plugin_config>>(plugins, std::string("plugins"));
-    std::vector<falco_configuration::plugin_config> m_plugins{ std::make_move_iterator(std::begin(plugins)),
-							      std::make_move_iterator(std::end(plugins)) };
-    ASSERT_EQ(m_plugins[0].m_name, "k8saudit");
-    ASSERT_EQ(m_plugins[0].m_library_path, "/foo/" + env_var_value + "/libk8saudit.so");
-    ASSERT_EQ(m_plugins[0].m_open_params, "12");
-
-    /* Clear the set environment variables after testing */
-    SET_ENV_VAR(env_var_name.c_str(), "");
-    SET_ENV_VAR(embedded_env_var_name.c_str(), "");
-    SET_ENV_VAR(bool_env_var_name.c_str(), "");
-    SET_ENV_VAR(int_env_var_name.c_str(), "");
-    SET_ENV_VAR(empty_env_var_name.c_str(), "");
-}
-
-TEST(Configuration, configuration_webserver_ip)
-{
-    falco_configuration falco_config;
-
-    std::vector<std::string> valid_addresses = {"127.0.0.1",
-                                                "1.127.0.1",
-                                                "1.1.127.1",
-                                                "1.1.1.127",
-                                                "::",
-                                                "::1",
-                                                "1200:0000:AB00:1234:0000:2552:7777:1313",
-                                                "1200::AB00:1234:0000:2552:7777:1313",
-                                                "1200:0000:AB00:1234::2552:7777:1313",
-                                                "21DA:D3:0:2F3B:2AA:FF:FE28:9C5A",
-                                                "FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
-                                                "0.0.0.0",
-                                                "9.255.255.255",
-                                                "11.0.0.0",
-                                                "126.255.255.255",
-                                                "129.0.0.0",
-                                                "169.253.255.255",
-                                                "169.255.0.0",
-                                                "172.15.255.255",
-                                                "172.32.0.0",
-                                                "191.0.1.255",
-                                                "192.88.98.255",
-                                                "192.88.100.0",
-                                                "192.167.255.255",
-                                                "192.169.0.0",
-                                                "198.17.255.255",
-                                                "223.255.255.255"};
-
-    for (const std::string &address: valid_addresses) {
-        std::string option = "webserver.listen_address=";
-        option.append(address);
-
-        std::vector<std::string> cmdline_config_options;
-        cmdline_config_options.push_back(option);
-
-        EXPECT_NO_THROW(falco_config.init(cmdline_config_options));
-
-        ASSERT_EQ(falco_config.m_webserver_listen_address, address);
-    }
-
-    std::vector<std::string> invalid_addresses = {"327.0.0.1",
-                                                  "1.327.0.1",
-                                                  "1.1.327.1",
-                                                  "1.1.1.327",
-                                                  "12 7.0.0.1",
-                                                  "127. 0.0.1",
-                                                  "127.0. 0.1",
-                                                  "127.0.0. 1",
-                                                  "!27.0.0.1",
-                                                  "1200: 0000:AB00:1234:0000:2552:7777:1313",
-                                                  "1200:0000: AB00:1234:0000:2552:7777:1313",
-                                                  "1200:0000:AB00: 1234:0000:2552:7777:1313",
-                                                  "1200:0000:AB00:1234: 0000:2552:7777:1313",
-                                                  "1200:0000:AB00:1234:0000: 2552:7777:1313",
-                                                  "1200:0000:AB00:1234:0000:2552: 7777:1313",
-                                                  "1200:0000:AB00:1234:0000:2552:7777: 1313",
-                                                  "1200:0000:AB00:1234:0000:2552:7777:131G",
-                                                  "1200:0000:AB00:1234:0000:2552:77Z7:1313",
-                                                  "1200:0000:AB00:1234:0000:2G52:7777:1313",
-                                                  "1200:0000:AB00:1234:0O00:2552:7777:1313",
-                                                  "1200:0000:AB00:H234:0000:2552:7777:1313",
-                                                  "1200:0000:IB00:1234:0000:2552:7777:1313",
-                                                  "1200:0O00:AB00:1234:0000:2552:7777:1313",
-                                                  "12O0:0000:AB00:1234:0000:2552:7777:1313",};
-
-    for (const std::string &address: invalid_addresses) {
-        std::string option = "webserver.listen_address=";
-        option.append(address);
-
-        std::vector<std::string> cmdline_config_options;
-        cmdline_config_options.push_back(option);
-
-        EXPECT_ANY_THROW(falco_config.init(cmdline_config_options));
-    }
+		EXPECT_ANY_THROW(falco_config.init_from_content("", cmdline_config_options));
+	}
 }
--- a/Show More
+++ b/Show More