update(docs): changelog for version 0.32.2

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

.circleci/config.yml

@@ -1,8 +1,56 @@
-version: 2
+version: 2.1
 jobs:
+  "build-arm64":
+    machine:
+      enabled: true
+      image: ubuntu-2004:202101-01
+    resource_class: arm.medium
+    steps:
+      - checkout:
+          path: /tmp/source-arm64/falco
+      - run:
+          name: Prepare project
+          command: |
+            mkdir -p /tmp/build-arm64 && mkdir -p /tmp/build-arm64/release && \
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              cmake
+      - run:
+          name: Build
+          command: |
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              all
+      - run:
+          name: Run unit tests
+          command: |
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              tests
+      - run:
+          name: Build packages
+          command: |
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              package
+      - run:
+          name: Prepare Artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /tmp/build-arm64/release/*.deb /tmp/packages
+            cp /tmp/build-arm64/release/*.tar.gz /tmp/packages
+            cp /tmp/build-arm64/release/*.rpm /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - build-arm64/release
+            - source-arm64
   # Build a statically linked Falco release binary using musl
   # This build is 100% static, there are no host dependencies
-  "build/musl":
+  "build-musl":
     docker:
       - image: alpine:3.12
     steps:
@@ -48,137 +96,9 @@ jobs:
           paths:
             - build-static/release
             - source-static
-  # Build the minimal Falco
-  # This build only contains the Falco engine and the basic input/output.
-  "build/minimal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build-minimal
-            pushd build-minimal
-            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build-minimal
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build-minimal
-            make tests
-            popd
-  # Build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-focal-debug":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using Ubuntu Bionic Beaver (18.04)
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/ubuntu-bionic":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic pkg-config autoconf libtool libelf-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
   # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the Falco binary
-  "build/centos7":
+  "build-centos7":
     docker:
       - image: falcosecurity/falco-builder:latest
         environment:
@@ -213,30 +133,8 @@ jobs:
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
-  # Execute integration tests based on the build results coming from the "build/centos7" job
-  "tests/integration":
+  # Execute integration tests based on the build results coming from the "build-centos7" job
+  "tests-integration":
     docker:
       - image: falcosecurity/falco-tester:latest
         environment:
@@ -252,7 +150,7 @@ jobs:
           command: /usr/bin/entrypoint test
       - store_test_results:
           path: /build/release/integration-tests-xunit
-  "tests/integration-static":
+  "tests-integration-static":
     docker:
       - image: falcosecurity/falco-tester:latest
         environment:
@@ -270,7 +168,24 @@ jobs:
           command: /usr/bin/entrypoint test
       - store_test_results:
           path: /build-static/release/integration-tests-xunit
-  "tests/driver-loader/integration":
+  # Execute integration tests based on the build results coming from the "build-arm64" job
+  "tests-integration-arm64":
+    machine:
+      enabled: true
+      image: ubuntu-2004:202101-01
+    resource_class: arm.medium
+    steps:
+      - attach_workspace:
+          at: /tmp
+      - run:
+          name: Execute integration tests
+          command: |
+            docker run -e BUILD_TYPE="release" -e BUILD_DIR="/build" -e SOURCE_DIR="/source" -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-tester:latest \
+              test
+      - store_test_results:
+          path: /tmp/build-arm64/release/integration-tests-xunit
+  "tests-driver-loader-integration":
     machine:
       image: ubuntu-2004:202107-02
     steps:
@@ -280,7 +195,7 @@ jobs:
           name: Execute driver-loader integration tests
           command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
   # Code quality
-  "quality/static-analysis":
+  "quality-static-analysis":
     docker:
       - image: falcosecurity/falco-builder:latest
         environment:
@@ -307,7 +222,7 @@ jobs:
           path: /build/release/static-analysis-reports
           destination: /static-analysis-reports
   # Sign rpm packages
-  "rpm/sign":
+  "rpm-sign":
     docker:
       - image: falcosecurity/falco-builder:latest
     steps:
@@ -319,26 +234,39 @@ jobs:
             yum update -y
             yum install rpm-sign -y
       - run:
-          name: Sign rpm
+          name: Prepare
           command: |
             echo "%_signature gpg" > ~/.rpmmacros
             echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            cd /build/release/
-            echo '#!/usr/bin/expect -f' > sign
-            echo 'spawn rpmsign --addsign {*}$argv' >> sign
-            echo 'expect -exact "Enter pass phrase: "' >> sign
-            echo 'send -- "\n"' >> sign
-            echo 'expect eof' >> sign
-            chmod +x sign
+            echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
+            cat > ~/sign \<<EOF
+            #!/usr/bin/expect -f
+            spawn rpmsign --addsign {*}\$argv
+            expect -exact "Enter pass phrase: "
+            send -- "\n"
+            expect eof
+            EOF
+            chmod +x ~/sign
             echo $GPG_KEY | base64 -d | gpg --import
-            ./sign *.rpm
-            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
+      - run:
+          name: Sign rpm x86_64
+          command: |
+            cd /build/release/
+            ~/sign *.rpm
+            rpm --qf %{SIGPGP:pgpsig} -qp *.rpm | grep SHA256
+      - run:     
+          name: Sign rpm arm64
+          command: |
+            cd /build-arm64/release/
+            ~/sign *.rpm
+            rpm --qf %{SIGPGP:pgpsig} -qp *.rpm | grep SHA256
       - persist_to_workspace:
           root: /
           paths:
             - build/release/*.rpm
+            - build-arm64/release/*.rpm
   # Publish the dev packages
-  "publish/packages-dev":
+  "publish-packages-dev":
     docker:
       - image: docker.io/centos:7
     steps:
@@ -356,19 +284,20 @@ jobs:
           name: Publish rpm-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.rpm -r rpm-dev
       - run:
           name: Publish bin-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
+            /source/falco/scripts/publish-bin -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.tar.gz -r bin-dev -a aarch64
       - run:
           name: Publish bin-static-dev
           command: |
             FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
             /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin-dev -a x86_64
-  "publish/packages-deb-dev":
+  "publish-packages-deb-dev":
     docker:
       - image: docker.io/debian:stable
     steps:
@@ -385,80 +314,61 @@ jobs:
           name: Publish deb-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb-dev
+
   # Publish docker packages
-  "publish/docker-dev":
+  "publish-docker-dev":
     docker:
-      - image: docker:stable
+      - image: cimg/base:stable
+        user: root
     steps:
       - attach_workspace:
           at: /
       - checkout
-      - setup_remote_docker
+      - setup_remote_docker:
+          version: 20.10.12
+      - run:
+          name: Prepare env
+          command: |
+            docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+            docker context create falco-env
+            docker buildx create falco-env --driver docker-container --use
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            sudo apt update
+            sudo apt install groff less python3-pip
+            pip install awscli
+      - run:
+          name: Login to aws ECR
+          command: |
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
       - run:
           name: Build and publish no-driver-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
-            docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco-no-driver:master
-            docker push falcosecurity/falco:master-slim
+            docker buildx build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} --platform "arm64,amd64" --push \
+              -t falcosecurity/falco-no-driver:master \
+              -t falcosecurity/falco:master-slim \
+              -t public.ecr.aws/falcosecurity/falco-no-driver:master \
+              -t public.ecr.aws/falcosecurity/falco:master-slim \
+              docker/no-driver
       - run:
           name: Build and publish dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master
+            docker buildx build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} --platform "arm64,amd64" --push \
+              -t falcosecurity/falco:master \
+              -t public.ecr.aws/falcosecurity/falco:master \
+              docker/falco
       - run:
           name: Build and publish dev falco-driver-loader-dev
           command: |
-            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco-driver-loader:master
-  # Publish container images to AWS ECR Public
-  "publish/container-images-aws-dev":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish no-driver (dev) to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
-            docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
-            docker push "public.ecr.aws/falcosecurity/falco:master-slim"
-      - run:
-          name: Build and publish falco (dev) to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco:master"
-      - run:
-          name: Build and publish driver-loader (dev) to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
+            docker buildx build --build-arg FALCO_IMAGE_TAG=master --platform "arm64,amd64" --push \
+              -t falcosecurity/falco-driver-loader:master \
+              -t public.ecr.aws/falcosecurity/falco-driver-loader:master \
+              docker/driver-loader
+
   # Publish the packages
-  "publish/packages":
+  "publish-packages":
     docker:
       - image: docker.io/centos:7
     steps:
@@ -476,19 +386,20 @@ jobs:
           name: Publish rpm
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.rpm -r rpm
       - run:
           name: Publish bin
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
+            /source/falco/scripts/publish-bin -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.tar.gz -r bin -a aarch64
       - run:
           name: Publish bin-static
           command: |
             FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
             /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin -a x86_64
-  "publish/packages-deb":
+  "publish-packages-deb":
     docker:
       - image: docker.io/debian:stable
     steps:
@@ -505,111 +416,84 @@ jobs:
           name: Publish deb
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb
   # Publish docker packages
-  "publish/docker":
+  "publish-docker":
     docker:
-      - image: docker:stable
+      - image: cimg/base:stable
+        user: root
     steps:
       - attach_workspace:
           at: /
       - checkout
-      - setup_remote_docker
+      - setup_remote_docker:
+          version: 20.10.12
+      - run:
+          name: Prepare env
+          command: |
+            docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+            docker context create falco-env
+            docker buildx create falco-env --driver docker-container --use
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            sudo apt update
+            sudo apt install groff less python3-pip
+            pip install awscli
+      - run:
+          name: Login to aws ECR
+          command: |
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
       - run:
           name: Build and publish no-driver
           command: |
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco-no-driver:latest"
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "falcosecurity/falco:latest-slim"
+            docker buildx build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} --platform "arm64,amd64" --push \
+              -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" \
+              -t falcosecurity/falco-no-driver:latest \
+              -t "falcosecurity/falco:${CIRCLE_TAG}-slim" \
+              -t "falcosecurity/falco:latest-slim" \
+              -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" \
+              -t "public.ecr.aws/falcosecurity/falco-no-driver:latest" \
+              -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim" \
+              -t "public.ecr.aws/falcosecurity/falco:latest-slim" \
+              docker/no-driver
       - run:
           name: Build and publish falco
           command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco:latest"
+            docker buildx build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} --platform "arm64,amd64" --push \
+              -t "falcosecurity/falco:${CIRCLE_TAG}" \
+              -t "falcosecurity/falco:latest" \
+              -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" \
+              -t "public.ecr.aws/falcosecurity/falco:latest" \
+              docker/falco
       - run:
           name: Build and publish falco-driver-loader
           command: |
-            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
-            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco-driver-loader:latest"
-  # Publish container images to AWS ECR Public
-  "publish/container-images-aws":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish no-driver to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
-            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
-            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
-            docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
-            docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
-      - run:
-          name: Build and publish falco to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
-            docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "public.ecr.aws/falcosecurity/falco:latest"
-      - run:
-          name: Build and publish falco-driver-loader to AWS
-          command: |
-            apk update
-            apk add --update groff less py-pip
-            pip install awscli
-            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
-            docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
-            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
+            docker buildx build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} --platform "arm64,amd64" --push \
+              -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" \
+              -t "falcosecurity/falco-driver-loader:latest" \
+              -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" \
+              -t "public.ecr.aws/falcosecurity/falco-driver-loader:latest" \
+              docker/driver-loader
+
 workflows:
-  version: 2
+  version: 2.1
   build_and_test:
     jobs:
-      - "build/musl"
-      - "build/minimal"
-      - "build/ubuntu-focal"
-      - "build/ubuntu-focal-debug"
-      - "build/ubuntu-bionic"
-      - "build/centos7"
-      - "build/centos7-debug"
-      - "tests/integration":
+      - "build-musl"
+      - "build-arm64"
+      - "build-centos7"
+      - "tests-integration":
           requires:
-            - "build/centos7"
-      - "tests/integration-static":
+            - "build-centos7"
+      - "tests-integration-arm64":
           requires:
-            - "build/musl"
-      - "tests/driver-loader/integration":
+            - "build-arm64"
+      - "tests-integration-static":
           requires:
-            - "build/centos7"
-      - "rpm/sign":
+            - "build-musl"
+      - "tests-driver-loader-integration":
+          requires:
+            - "build-centos7"
+      - "rpm-sign":
           context: falco
           filters:
             tags:
@@ -617,8 +501,9 @@ workflows:
             branches:
               only: master
           requires:
-            - "tests/integration"
-      - "publish/packages-dev":
+            - "tests-integration"
+            - "tests-integration-arm64"
+      - "publish-packages-dev":
           context:
             - falco
             - test-infra
@@ -628,9 +513,9 @@ workflows:
             branches:
               only: master
           requires:
-            - "rpm/sign"
-            - "tests/integration-static"
-      - "publish/packages-deb-dev":
+            - "rpm-sign"
+            - "tests-integration-static"
+      - "publish-packages-deb-dev":
           context:
             - falco
             - test-infra
@@ -640,90 +525,83 @@ workflows:
             branches:
               only: master
           requires:
-            - "tests/integration"
-      - "publish/docker-dev":
-          context: falco
+            - "tests-integration"
+            - "tests-integration-arm64"
+      - "publish-docker-dev":
+          context:
+            - falco
+            - test-infra
           filters:
             tags:
               ignore: /.*/
             branches:
               only: master
           requires:
-            - "publish/packages-dev"
-            - "publish/packages-deb-dev"
-            - "tests/driver-loader/integration"
-      - "publish/container-images-aws-dev":
-          context: test-infra # contains Falco AWS credentials
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - publish/docker-dev
+            - "publish-packages-dev"
+            - "publish-packages-deb-dev"
+            - "tests-driver-loader-integration"
       # - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526
   release:
     jobs:
-      - "build/musl":
+      - "build-musl":
           filters:
             tags:
               only: /.*/
             branches:
               ignore: /.*/
-      - "build/centos7":
+      - "build-centos7":
           filters:
             tags:
               only: /.*/
             branches:
               ignore: /.*/
-      - "rpm/sign":
+      - "build-arm64":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "rpm-sign":
           context: falco
           requires:
-            - "build/centos7"
+            - "build-centos7"
+            - "build-arm64"
           filters:
             tags:
               only: /.*/
             branches:
               ignore: /.*/
-      - "publish/packages":
+      - "publish-packages":
           context:
             - falco
             - test-infra
           requires:
-            - "build/musl"
-            - "rpm/sign"
+            - "build-musl"
+            - "rpm-sign"
           filters:
             tags:
               only: /.*/
             branches:
               ignore: /.*/
-      - "publish/packages-deb":
+      - "publish-packages-deb":
           context:
             - falco
             - test-infra
           requires:
-            - "build/centos7"
+            - "build-centos7"
+            - "build-arm64"
           filters:
             tags:
               only: /.*/
             branches:
               ignore: /.*/
-      - "publish/docker":
+      - "publish-docker":
           context:
             - falco
             - test-infra
           requires:
-            - "publish/packages"
-            - "publish/packages-deb"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/container-images-aws":
-          context: test-infra # contains Falco AWS credentials
-          requires:
-            - "publish/docker"
+            - "publish-packages"
+            - "publish-packages-deb"
           filters:
             tags:
               only: /.*/

.github/workflows/ci.yml

@@ -0,0 +1,170 @@
+name: CI Build
+on:
+  pull_request:
+    branches: [master]
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  build-minimal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build-minimal
+          pushd build-minimal
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build-minimal
+          make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build-minimal
+          make tests
+          popd
+
+  build-ubuntu-focal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-focal-debug:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-bionic:
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-$(uname -r) pkg-config autoconf libtool libelf-dev -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-centos7-debug:
+    runs-on: ubuntu-latest
+    container:
+      image: falcosecurity/falco-builder:latest
+      env:
+        BUILD_TYPE: "debug"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          path: falco
+
+      - name: Link falco repo to /source/falco
+        run: |
+          mkdir -p /source
+          ln -s "$GITHUB_WORKSPACE/falco" /source/falco
+  
+      - name: Prepare project
+        run: /usr/bin/entrypoint cmake
+
+      - name: Build
+        run: /usr/bin/entrypoint all
+
+      - name: Run unit tests
+        run: /usr/bin/entrypoint tests
+
+      - name: Build packages
+        run: /usr/bin/entrypoint package

CHANGELOG.md

@@ -1,5 +1,166 @@
 # Change Log
 
+## v0.32.2
+
+Released on 2022-08-09
+
+### Major Changes
+
+
+### Bug Fixes
+
+* fix: Added ARCH to bpf download URL [[#2142](https://github.com/falcosecurity/falco/pull/2142)] - [@eric-engberg](https://github.com/eric-engberg)
+
+
+## v0.32.1
+
+Released on 2022-07-11
+
+### Major Changes
+
+* new(falco): add gVisor support [[#2078](https://github.com/falcosecurity/falco/pull/2078)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docker,scripts): add multiarch images and ARM64 packages [[#1990](https://github.com/falcosecurity/falco/pull/1990)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [[#2044](https://github.com/falcosecurity/falco/pull/2044)] - [@vjjmiras](https://github.com/vjjmiras)
+* refactor(userspace/engine): drop macro source field in rules and rule loader [[#2094](https://github.com/falcosecurity/falco/pull/2094)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build: introduce `DRIVER_VERSION` that allows setting a driver version (which may differ from the falcosecurity/libs version) [[#2086](https://github.com/falcosecurity/falco/pull/2086)] - [@leogr](https://github.com/leogr)
+* update: add more info to `--version` output [[#2086](https://github.com/falcosecurity/falco/pull/2086)] - [@leogr](https://github.com/leogr)
+* build(scripts): publish deb repo has now a InRelease file [[#2060](https://github.com/falcosecurity/falco/pull/2060)] - [@FedeDP](https://github.com/FedeDP)
+* update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [[#2059](https://github.com/falcosecurity/falco/pull/2059)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): support libs logging [[#2093](https://github.com/falcosecurity/falco/pull/2093)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco): update libs to 0.7.0 [[#2119](https://github.com/falcosecurity/falco/pull/2119)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Bug Fixes
+
+* fix(userspace/falco): ensure that only rules files named with `-V` are loaded when validating rules files. [[#2088](https://github.com/falcosecurity/falco/pull/2088)] - [@mstemm](https://github.com/mstemm)
+* fix(rules): use exit event in reverse shell detection rule [[#2076](https://github.com/falcosecurity/falco/pull/2076)] - [@alacuku](https://github.com/alacuku)
+* fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [[#2057](https://github.com/falcosecurity/falco/pull/2057)] - [@FedeDP](https://github.com/FedeDP)
+* fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [[#2043](https://github.com/falcosecurity/falco/pull/2043)] - [@jepio](https://github.com/jepio)
+
+
+### Rule Changes
+
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [[#2092](https://github.com/falcosecurity/falco/pull/2092)] - [@leogr](https://github.com/leogr)
+* rule(Java Process Class Download): detect potential log4shell exploitation [[#2041](https://github.com/falcosecurity/falco/pull/2041)] - [@pirxthepilot](https://github.com/pirxthepilot)
+
+
+### Non user-facing changes
+
+* remove kaizhe from falco rule owner [[#2050](https://github.com/falcosecurity/falco/pull/2050)] - [@Kaizhe](https://github.com/Kaizhe)
+* docs(readme): added arm64 mention + packages + badge. [[#2101](https://github.com/falcosecurity/falco/pull/2101)] - [@FedeDP](https://github.com/FedeDP)
+* new(circleci): enable integration tests for arm64. [[#2099](https://github.com/falcosecurity/falco/pull/2099)] - [@FedeDP](https://github.com/FedeDP)
+* chore(cmake): bump plugins versions [[#2102](https://github.com/falcosecurity/falco/pull/2102)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(docker): fixed deb tester sub image. [[#2100](https://github.com/falcosecurity/falco/pull/2100)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [[#2075](https://github.com/falcosecurity/falco/pull/2075)] - [@vjjmiras](https://github.com/vjjmiras)
+* fix(tests): make tests run locally (take 2) [[#2089](https://github.com/falcosecurity/falco/pull/2089)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): creates ~/sign instead of ./sign [[#2072](https://github.com/falcosecurity/falco/pull/2072)] - [@vjjmiras](https://github.com/vjjmiras)
+* fix(ci): sign arm64 rpm packages. [[#2069](https://github.com/falcosecurity/falco/pull/2069)] - [@FedeDP](https://github.com/FedeDP)
+* update(falco_scripts): Change Flatcar dynlinker path [[#2066](https://github.com/falcosecurity/falco/pull/2066)] - [@jepio](https://github.com/jepio)
+* fix(scripts): fixed path in publish-deb script. [[#2062](https://github.com/falcosecurity/falco/pull/2062)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [[#2058](https://github.com/falcosecurity/falco/pull/2058)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): fixed publish-docker-dev job context. [[#2056](https://github.com/falcosecurity/falco/pull/2056)] - [@FedeDP](https://github.com/FedeDP)
+* Correct linting issue in rules [[#2055](https://github.com/falcosecurity/falco/pull/2055)] - [@stephanmiehe](https://github.com/stephanmiehe)
+* Fix falco compilation issues with new libs [[#2053](https://github.com/falcosecurity/falco/pull/2053)] - [@alacuku](https://github.com/alacuku)
+* fix(scripts): forcefully create packages dir for debian packages. [[#2054](https://github.com/falcosecurity/falco/pull/2054)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): removed leftover line in circleci config. [[#2052](https://github.com/falcosecurity/falco/pull/2052)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): fixed circleCI artifacts publish for arm64. [[#2051](https://github.com/falcosecurity/falco/pull/2051)] - [@FedeDP](https://github.com/FedeDP)
+* update(docker): updated falco-builder to fix multiarch support. [[#2049](https://github.com/falcosecurity/falco/pull/2049)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): use apt instead of apk when installing deps for aws ecr publish [[#2047](https://github.com/falcosecurity/falco/pull/2047)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): try to use root user for cimg/base [[#2045](https://github.com/falcosecurity/falco/pull/2045)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): avoid double build of docker images when pushing to aws ecr [[#2046](https://github.com/falcosecurity/falco/pull/2046)] - [@FedeDP](https://github.com/FedeDP)
+* chore(k8s_audit_plugin): bump k8s audit plugin version [[#2042](https://github.com/falcosecurity/falco/pull/2042)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(tests): make run_regression_tests.sh work locally [[#2020](https://github.com/falcosecurity/falco/pull/2020)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* Circle CI build job for ARM64 [[#1997](https://github.com/falcosecurity/falco/pull/1997)] - [@odidev](https://github.com/odidev)
+
+
+## v0.32.0
+
+Released on 2022-06-03
+
+### Major Changes
+
+
+* new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [[#1991](https://github.com/falcosecurity/falco/pull/1991)] - [@FedeDP](https://github.com/FedeDP)
+* new(rules): add rule to detect excessively capable container [[#1963](https://github.com/falcosecurity/falco/pull/1963)] - [@loresuso](https://github.com/loresuso)
+* new(rules): add rules to detect pods sharing host pid and IPC namespaces [[#1951](https://github.com/falcosecurity/falco/pull/1951)] - [@loresuso](https://github.com/loresuso)
+* new(image): add Falco image based on RedHat UBI [[#1943](https://github.com/falcosecurity/falco/pull/1943)] - [@araujof](https://github.com/araujof)
+* new(falco): add --markdown and --list-syscall-events [[#1939](https://github.com/falcosecurity/falco/pull/1939)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(build): updated plugins to latest versions. [[#2033](https://github.com/falcosecurity/falco/pull/2033)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [[#1953](https://github.com/falcosecurity/falco/pull/1953)] - [@mstemm](https://github.com/mstemm)
+* rules: out of the box ruleset for OKTA Falco Plugin [[#1955](https://github.com/falcosecurity/falco/pull/1955)] - [@darryk10](https://github.com/darryk10)
+* update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [[#2031](https://github.com/falcosecurity/falco/pull/2031)] - [@FedeDP](https://github.com/FedeDP)
+* update!: moving out plugins ruleset files [[#1995](https://github.com/falcosecurity/falco/pull/1995)] - [@leogr](https://github.com/leogr)
+* update: added `hostname` as a field in JSON output [[#1989](https://github.com/falcosecurity/falco/pull/1989)] - [@Milkshak3s](https://github.com/Milkshak3s)
+* refactor!: remove K8S audit logs from Falco [[#1952](https://github.com/falcosecurity/falco/pull/1952)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [[#1975](https://github.com/falcosecurity/falco/pull/1975)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor!: deprecate PSP regression tests and warn for unsafe usage of <NA> in k8s audit filters [[#1976](https://github.com/falcosecurity/falco/pull/1976)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(cmake): upgrade catch2 to 2.13.9 [[#1977](https://github.com/falcosecurity/falco/pull/1977)] - [@leogr](https://github.com/leogr)
+* refactor(userspace/engine): reduce memory usage for resolving evttypes [[#1965](https://github.com/falcosecurity/falco/pull/1965)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [[#1966](https://github.com/falcosecurity/falco/pull/1966)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [[#1970](https://github.com/falcosecurity/falco/pull/1970)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor: update definitions of falco_common [[#1967](https://github.com/falcosecurity/falco/pull/1967)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: improved Falco engine event processing performance [[#1944](https://github.com/falcosecurity/falco/pull/1944)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [[#1947](https://github.com/falcosecurity/falco/pull/1947)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [[#1920](https://github.com/falcosecurity/falco/pull/1920)] - [@mstemm](https://github.com/mstemm)
+* fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [[#2019](https://github.com/falcosecurity/falco/pull/2019)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rule(Launch Excessively Capable Container): fix typo in description [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro net_miner_pool): additional syscall for detection [[#2011](https://github.com/falcosecurity/falco/pull/2011)] - [@beryxz](https://github.com/beryxz)
+* rule(macro truncate_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(macro modify_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [[#1969](https://github.com/falcosecurity/falco/pull/1969)] - [@darryk10](https://github.com/darryk10)
+* rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts [[#1949](https://github.com/falcosecurity/falco/pull/1949)] - [@Dentrax](https://github.com/Dentrax)
+* rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [[#1973](https://github.com/falcosecurity/falco/pull/1973)] - [@darryk10](https://github.com/darryk10)
+* rule(Disallowed K8s User): exclude allowed EKS users [[#1960](https://github.com/falcosecurity/falco/pull/1960)] - [@darryk10](https://github.com/darryk10)
+* rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [[#1968](https://github.com/falcosecurity/falco/pull/1968)] - [@darryk10](https://github.com/darryk10)
+* rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [[#1930](https://github.com/falcosecurity/falco/pull/1930)] - [@mmoyerfigma](https://github.com/mmoyerfigma)
+* rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [[#1938](https://github.com/falcosecurity/falco/pull/1938)] - [@claudio-vellage](https://github.com/claudio-vellage)
+
+
+### Non user-facing changes
+
+* new: update plugins [[#2023](https://github.com/falcosecurity/falco/pull/2023)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs version for Falco 0.32.0 release. [[#2022](https://github.com/falcosecurity/falco/pull/2022)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [[#2024](https://github.com/falcosecurity/falco/pull/2024)] - [@FedeDP](https://github.com/FedeDP)
+* chore(userspace/falco): do not print error code in process_events.cpp [[#2030](https://github.com/falcosecurity/falco/pull/2030)] - [@alacuku](https://github.com/alacuku)
+* fix(falco-scripts): remove driver versions with `dkms-3.0.3` [[#2027](https://github.com/falcosecurity/falco/pull/2027)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): fix punctuation typo in output message when loading plugins [[#2026](https://github.com/falcosecurity/falco/pull/2026)] - [@alacuku](https://github.com/alacuku)
+* refactor(userspace): change falco engine design to properly support multiple sources [[#2017](https://github.com/falcosecurity/falco/pull/2017)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): improve falco termination [[#2012](https://github.com/falcosecurity/falco/pull/2012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/engine): introduce new `check_plugin_requirements` API [[#2009](https://github.com/falcosecurity/falco/pull/2009)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): improve rule loader source checks [[#2010](https://github.com/falcosecurity/falco/pull/2010)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix: split filterchecks per source-idx [[#1999](https://github.com/falcosecurity/falco/pull/1999)] - [@FedeDP](https://github.com/FedeDP)
+* new: port CI builds to github actions [[#2000](https://github.com/falcosecurity/falco/pull/2000)] - [@FedeDP](https://github.com/FedeDP)
+* build(userspace/engine): cleanup unused include dir [[#1987](https://github.com/falcosecurity/falco/pull/1987)] - [@leogr](https://github.com/leogr)
+* rule(Anonymous Request Allowed): exclude {/livez, /readyz} [[#1954](https://github.com/falcosecurity/falco/pull/1954)] - [@sledigabel](https://github.com/sledigabel)
+* chore(falco_scripts): Update `falco-driver-loader` cleaning phase [[#1950](https://github.com/falcosecurity/falco/pull/1950)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): use new plugin caps API [[#1982](https://github.com/falcosecurity/falco/pull/1982)] - [@FedeDP](https://github.com/FedeDP)
+* build: correct conffiles for DEB packages [[#1980](https://github.com/falcosecurity/falco/pull/1980)] - [@leogr](https://github.com/leogr)
+* Fix exception parsing regressions [[#1985](https://github.com/falcosecurity/falco/pull/1985)] - [@mstemm](https://github.com/mstemm)
+* Add codespell GitHub Action [[#1962](https://github.com/falcosecurity/falco/pull/1962)] - [@invidian](https://github.com/invidian)
+* build: components opt-in mechanism for packages [[#1979](https://github.com/falcosecurity/falco/pull/1979)] - [@leogr](https://github.com/leogr)
+* add gVisor to ADOPTERS.md [[#1974](https://github.com/falcosecurity/falco/pull/1974)] - [@kevinGC](https://github.com/kevinGC)
+* rules: whitelist GCP's container threat detection image [[#1959](https://github.com/falcosecurity/falco/pull/1959)] - [@clmssz](https://github.com/clmssz)
+* Fix some typos [[#1961](https://github.com/falcosecurity/falco/pull/1961)] - [@invidian](https://github.com/invidian)
+* chore(rules): remove leftover [[#1958](https://github.com/falcosecurity/falco/pull/1958)] - [@leogr](https://github.com/leogr)
+* docs: readme update and plugins [[#1940](https://github.com/falcosecurity/falco/pull/1940)] - [@leogr](https://github.com/leogr)
+
+
 ## v0.31.1
 
 Released on 2022-03-09

CMakeLists.txt

@@ -19,6 +19,14 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
+# gVisor is currently only supported on Linux x86_64
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
+  if (BUILD_FALCO_GVISOR)
+    add_definitions(-DHAS_GVISOR)
+  endif()
+endif()
+
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
 if (${EP_UPDATE_DISCONNECTED})
@@ -102,6 +110,11 @@ set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
+
+if(NOT DEFINED FALCO_COMPONENT_NAME)
+    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+endif()
+
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -143,8 +156,8 @@ if(NOT MINIMAL_BUILD)
   # libcurl
   include(curl)
 
-  # civetweb
-  include(civetweb)
+  # cpp-httlib
+  include(cpp-httplib)
 endif()
 
 include(cxxopts)
@@ -164,7 +177,7 @@ if(NOT MINIMAL_BUILD)
 endif()
 
 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 
 if(NOT MINIMAL_BUILD)
   # Coverage

OWNERS

@@ -5,6 +5,7 @@ approvers:
   - mstemm
   - leogr
   - jasondellaluce
+  - fededp
 reviewers:
   - fntlnz
   - kaizhe
@@ -14,3 +15,4 @@ reviewers:
   - mstemm
   - leogr
   - jasondellaluce
+  - fededp

README.md

@@ -3,7 +3,7 @@
 
 <hr>
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
+[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
 
 Want to talk? Join us on the [#falco](https://kubernetes.slack.com/messages/falco) channel in the [Kubernetes Slack](https://slack.k8s.io).
 
@@ -49,11 +49,14 @@ Notes:
 
 -->
 
-|        | development                                                                                                                 | stable                                                                                                              |
-|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
-| deb    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
-| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
+|              | development                                                                                                                                                                                                                                                                                                                                                                                                                                                                | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| rpm          | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=aarch64)][1]          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
+| deb          | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=aarch64)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
+| binary       | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5]                                                     | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
+| rpm-arm64    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=x86_64)][1]           | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
+| deb-arm64    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=x86_64)][3]  | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
+| binary-arm64 | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Faarch64%2Ffalco-)][7]                                                    | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
 
 ---
 
@@ -160,3 +163,5 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 [4]: https://download.falco.org/?prefix=packages/deb/stable/
 [5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
 [6]: https://download.falco.org/?prefix=packages/bin/x86_64/
+[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
+[8]: https://download.falco.org/?prefix=packages/bin/aarch64/

cmake/cpack/debian/conffiles

@@ -1,4 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/falco_rules.yaml
 /etc/falco/rules.available/application_rules.yaml
 /etc/falco/falco_rules.local.yaml

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,6 +25,17 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
+# Built packages will include only the following components
+set(CPACK_INSTALL_CMAKE_PROJECTS
+  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
+  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+)
+if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
+  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
+  )
+endif()
+
 if(NOT CPACK_GENERATOR)
     set(CPACK_GENERATOR DEB RPM TGZ)
 endif()

cmake/modules/civetweb.cmake

@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2021 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb-cpp.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-if (USE_BUNDLED_OPENSSL)
-    ExternalProject_Add(
-            civetweb
-            DEPENDS openssl
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCMAKE_INSTALL_LIBDIR=lib
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            -DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-            -DOPENSSL_USE_STATIC_LIBS:BOOL=TRUE
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-else()
-    ExternalProject_Add(
-            civetweb
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-endif()

cmake/modules/cpp-httplib.cmake

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# cpp-httplib (https://github.com/yhirose/cpp-httplib)
+#
+if(CPPHTTPLIB_INCLUDE)
+	# we already have cpp-httplib
+else()
+	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
+	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
+
+	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
+
+	ExternalProject_Add(cpp-httplib
+		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz"
+		URL_HASH "SHA256=7719ff9f309c807dd8a574048764836b6a12bcb7d6ae9e129e7e4289cfdb4bd4"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND "")	
+endif()

cmake/modules/driver-repo/CMakeLists.txt

@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+cmake_minimum_required(VERSION 3.5.1)
+
+project(driver-repo NONE)
+
+include(ExternalProject)
+message(STATUS "Driver version: ${DRIVER_VERSION}")
+
+ExternalProject_Add(
+  driver
+  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
+  URL_HASH "${DRIVER_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
+)

cmake/modules/driver.cmake

@@ -0,0 +1,48 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(DRIVER_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/driver-repo")
+set(DRIVER_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/driver-repo")
+
+file(MAKE_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+if(DRIVER_SOURCE_DIR)
+  set(DRIVER_VERSION "0.0.0-local")
+  message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
+else()
+  # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
+  # which contains the driver source code under the `/driver` directory.
+  # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
+  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DDRIVER_VERSION=dev ..`
+  if(NOT DRIVER_VERSION)
+    set(DRIVER_VERSION "2.0.0+driver")
+    set(DRIVER_CHECKSUM "SHA256=e616dfe27f95670a63150339ea2484937c5ce9b7e42d176de86c3f61481ae676")
+  endif()
+
+  # cd /path/to/build && cmake /path/to/source
+  execute_process(COMMAND "${CMAKE_COMMAND}" -DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+    ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+  # cmake --build .
+  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}")
+  set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
+endif()
+
+add_definitions(-D_GNU_SOURCE)
+
+set(DRIVER_NAME "falco")
+set(DRIVER_PACKAGE_NAME "falco")
+set(DRIVER_COMPONENT_NAME "falco-driver")
+
+add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver)

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -15,7 +15,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")
+message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
@@ -24,4 +24,5 @@ ExternalProject_Add(
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND "")
+  TEST_COMMAND ""
+)

cmake/modules/falcosecurity-libs.cmake

@@ -16,48 +16,51 @@ set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs
 
 file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 
+# explicitly disable the bundled driver, since we pull it separately
+set(USE_BUNDLED_DRIVER OFF CACHE BOOL "")
+
 if(FALCOSECURITY_LIBS_SOURCE_DIR)
-  set(FALCOSECURITY_LIBS_VERSION "local")
-  message(STATUS "Using local falcosecurity/libs in '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+  set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
+  message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
 else()
-  # The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
-  # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
-  # -DFALCOSECURITY_LIBS_VERSION=dev ..`
+  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
+  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "b19f87e8aee663e4987a3db54570725e071ed105")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=fd5888588796bf52848cf75434784770e61d9a79f344bf571fe495b61e92ddd3")
+    set(FALCOSECURITY_LIBS_VERSION "0.7.0")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=3adc1620c0e830554a54cdd486158dc2c0c40552e113785b70fbbc99edb7d96f")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
   execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
-                          ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
-
-  # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-  # execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-  # "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
+    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 
+  # cmake --build .
   execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
   set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
 endif()
 
+set(LIBS_PACKAGE_NAME "falcosecurity")
+
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+
 if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
-set(DRIVER_VERSION "${FALCOSECURITY_LIBS_VERSION}")
-set(DRIVER_NAME "falco")
-set(DRIVER_PACKAGE_NAME "falco")
 set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 
 if(NOT LIBSCAP_DIR)
   set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()
+
 set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 
+# configure gVisor support
+set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
+
 # explicitly disable the tests/examples of this dependency
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
@@ -70,13 +73,14 @@ list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 
 include(CheckSymbolExists)
 check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+
 if(HAVE_STRLCPY)
-	message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
-	add_definitions(-DHAVE_STRLCPY)
+  message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+  add_definitions(-DHAVE_STRLCPY)
 else()
-	message(STATUS "No strlcpy found, will use local definition")
+  message(STATUS "No strlcpy found, will use local definition")
 endif()
 
+include(driver)
 include(libscap)
-include(libsinsp)
-
+include(libsinsp)

cmake/modules/plugins.cmake

@@ -15,26 +15,77 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
 
-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
+if(NOT DEFINED PLUGINS_COMPONENT_NAME)
+    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
+endif()
+
+set(PLUGIN_K8S_AUDIT_VERSION "0.3.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_K8S_AUDIT_HASH "214915fc2a61d147d64aaf4cb29c3fc6a513eda621dad1dfe77f2fd7099b31e1")
+else() # aarch64
+    set(PLUGIN_K8S_AUDIT_HASH "d9b4610714df581043db76ecb4caf3a41aae5494cf61ab8740a3749bfac8457e")
+endif()
+
+ExternalProject_Add(
+  k8saudit-plugin
+  URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  k8saudit-rules
+  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=3913a8c6095794c7de6a97a2a64953a0fa4f87caab014d11b2c8f9221eb77591"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_CLOUDTRAIL_VERSION "0.5.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_CLOUDTRAIL_HASH "ca6c0d087b37090145ef0c92f10d1dd32bb2a08c7bae83cc6fb7a1ba712f3182")
+else() # aarch64
+    set(PLUGIN_CLOUDTRAIL_HASH "f6e12d3bd16ae0f504ed2bb56d13531d15b7d55beb1b63932cbe603cff941372")
+endif()
+
 ExternalProject_Add(
   cloudtrail-plugin
-  URL "https://download.falco.org/plugins/dev/cloudtrail-0.2.5-0.2.5-8%2B2c1bb25-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=eeefbeb639e41e37cd864042d8b4854e0af451e6b8b34a14c39332771e94ee5b"
+  URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  cloudtrail-rules
+  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=7f88fb6b530f8ee739b65d38a36c69cdc70398576299b90118bd7324dbdb5f46"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+  install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_JSON_VERSION "0.5.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_JSON_HASH "b422c4f08bb54ccd384a87c5922e120d5731028c87742ef657cacf936447c202")
+else() # aarch64
+    set(PLUGIN_JSON_HASH "8358f04325d8a9e9675f38fae8d13a250fb132dcf6741fd0f9830e8c39f48aed")
+endif()
 
-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
 ExternalProject_Add(
   json-plugin
-  URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-24%2B2c1bb25-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=181ac01d11defee24ad5947fcd836e256e13c61ca9475253fb82b60297164748"
+  URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

docker/builder/Dockerfile

@@ -10,6 +10,7 @@ ARG BUILD_BPF=OFF
 ARG BUILD_WARNINGS_AS_ERRORS=ON
 ARG MAKE_JOBS=4
 ARG FALCO_VERSION
+ARG CMAKE_VERSION=3.22.5
 
 ENV BUILD_TYPE=${BUILD_TYPE}
 ENV BUILD_DRIVER=${BUILD_DRIVER}
@@ -17,22 +18,22 @@ ENV BUILD_BPF=${BUILD_BPF}
 ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
 ENV MAKE_JOBS=${MAKE_JOBS}
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV CMAKE_VERSION=${CMAKE_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 
-ARG CMAKE_VERSION=3.6.3
-RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
-    cd /tmp && \
-    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
-    cd cmake-${CMAKE_VERSION} && \
-    ./bootstrap --system-curl && \
-    make -j${MAKE_JOBS} && \
-    make install && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}
+
+RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
+
+RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
+    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
+    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
 
 COPY ./root /
 

docker/builder/root/usr/bin/scl_enable

@@ -3,4 +3,4 @@
 #
 # This will make scl collection binaries work out of box.
 unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7
+source scl_source enable devtoolset-7 llvm-toolset-7.0

docker/falco/Dockerfile

@@ -4,6 +4,8 @@ LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 
+ARG TARGETARCH
+
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
 ENV VERSION_BUCKET=${VERSION_BUCKET}
@@ -29,45 +31,53 @@ RUN apt-get update \
 	jq \
 	libc6-dev \
 	libelf-dev \
-	libmpx2 \
 	libssl-dev \
 	llvm-7 \
 	netcat \
+	patchelf \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -99,10 +109,16 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
+
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/local/Dockerfile

@@ -1,8 +1,10 @@
-FROM debian:stable
+FROM debian:buster
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
+ARG TARGETARCH
+
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}
@@ -37,43 +39,50 @@ RUN apt-get update \
 	libatomic1 \
 	liblsan0 \
 	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
 	libcc1-0 \
+	patchelf \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -90,8 +99,8 @@ RUN rm -rf /usr/bin/clang \
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601
 # output.
@@ -101,10 +110,15 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/no-driver/Dockerfile

@@ -11,10 +11,10 @@ RUN apt-get -y update && apt-get -y install gridsite-clients curl
 WORKDIR /
 
 RUN curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
     rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
@@ -32,4 +32,4 @@ ENV HOME /root
 
 COPY --from=ubuntu /falco /
 
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -4,17 +4,24 @@ LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
+ARG TARGETARCH
+
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
+RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
+    else curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
+    fi;
+
 RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 RUN pip install --user watchdog==0.10.2
 RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
+RUN tar -C /usr/bin -xvf grpcurl.tar.gz
 
 COPY ./root /
 

docker/tester/root/runners/deb.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms -y
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/rpm.Dockerfile

@@ -9,8 +9,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN yum update -y
 RUN yum install epel-release -y
 
-ADD falco-${FALCO_VERSION}-x86_64.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
+ADD falco-${FALCO_VERSION}-*.rpm /
+RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/tar.gz.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms curl -y
 
-ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+ADD falco-${FALCO_VERSION}-*.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/usr/bin/entrypoint

@@ -25,7 +25,7 @@ build_image() {
     BUILD_TYPE=$2
     FALCO_VERSION=$3
     PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
+    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
     if [ ! -f "$PACKAGE" ]; then
         echo "Package not found: ${PACKAGE}." >&2
         exit 1

docker/ubi/Dockerfile

@@ -35,8 +35,8 @@ RUN  dnf -y update && \
 RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
      tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
 
-RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
-     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
+     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
      rm -rf /deploy
 
 COPY ./docker-entrypoint.sh /

falco.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,10 +30,8 @@
 rules_file:
   - /etc/falco/falco_rules.yaml
   - /etc/falco/falco_rules.local.yaml
-  - /etc/falco/k8s_audit_rules.yaml
   - /etc/falco/rules.d
 
-
 #
 # Plugins that are available for use. These plugins are not loaded by
 # default, as they require explicit configuration to point to
@@ -44,13 +42,19 @@ rules_file:
 # init_config/open_params for the cloudtrail plugin, see the README at
 # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
 plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config:
+    #   maxEventSize: 262144
+    #   webhookMaxBatchSize: 12582912
+    #   sslCertificate: /etc/falco/falco.pem
+    open_params: "http://:9765/k8s-audit"
   - name: cloudtrail
     library_path: libcloudtrail.so
-    init_config: ""
-    open_params: ""
+    # see docs for init_config and open_params:
+    # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
   - name: json
     library_path: libjson.so
-    init_config: ""
 
 # Setting this list to empty ensures that the above plugins are *not*
 # loaded and enabled by default. If you want to use the above plugins,
@@ -59,6 +63,11 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []
 
+# Watch config file and rules files for modification.
+# When a file is modified, Falco will propagate new config,
+# by reloading itself.
+watch_config_files: true
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
@@ -89,6 +98,17 @@ log_syslog: true
 # "alert", "critical", "error", "warning", "notice", "info", "debug".
 log_level: info
 
+# Falco is capable of managing the logs coming from libs. If enabled,
+# the libs logger send its log records the same outputs supported by
+# Falco (stderr and syslog). Disabled by default.
+libs_logger:
+  enabled: false
+  # Minimum log severity to include in the libs logs. Note: this value is
+  # separate from the log level of the Falco logger and does not affect it.
+  # Can be one of "fatal", "critical", "error", "warning", "notice",
+  # "info", "debug", "trace".
+  severity: debug
+
 # Minimum rule priority level to load and run. All rules having a
 # priority more severe than this level will be loaded/run.  Can be one
 # of "emergency", "alert", "critical", "error", "warning", "notice",
@@ -218,7 +238,6 @@ stdout_output:
 webserver:
   enabled: true
   listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
   k8s_healthz_endpoint: /healthz
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem

rules/CMakeLists.txt

@@ -22,11 +22,10 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
   set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
   set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
   set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
-  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
-  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()
 
-if(DEFINED FALCO_COMPONENT)
+
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
   install(
     FILES falco_rules.yaml
     COMPONENT "${FALCO_COMPONENT}"
@@ -38,32 +37,24 @@ if(DEFINED FALCO_COMPONENT)
     COMPONENT "${FALCO_COMPONENT}"
     DESTINATION "${FALCO_ETC_DIR}"
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
-else()
+else() # Default Falco installation
   install(
     FILES falco_rules.yaml
     DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
   install(
     FILES falco_rules.local.yaml
     DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
-  install(
-    FILES k8s_audit_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_K8S_AUDIT_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
   install(
     FILES application_rules.yaml
     DESTINATION "${FALCO_ETC_DIR}/rules.available"
-    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_APP_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
-  install(
-    FILES aws_cloudtrail_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
-
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

rules/OWNERS

@@ -1,6 +1,5 @@
 approvers:
   - mstemm
-  - kaizhe
 reviewers:
   - leodido
   - fntlnz

rules/aws_cloudtrail_rules.yaml

@@ -1,442 +0,0 @@
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# All rules files related to plugins should require engine version 10
-- required_engine_version: 10
-
-# These rules can be read by cloudtrail plugin version 0.1.0, or
-# anything semver-compatible.
-- required_plugin_versions:
-  - name: cloudtrail
-    version: 0.2.3
-  - name: json
-    version: 0.2.2
-
-# Note that this rule is disabled by default. It's useful only to
-# verify that the cloudtrail plugin is sending events properly.  The
-# very broad condition evt.num > 0 only works because the rule source
-# is limited to aws_cloudtrail. This ensures that the only events that
-# are matched against the rule are from the cloudtrail plugin (or
-# a different plugin with the same source).
-- rule: All Cloudtrail Events
-  desc: Match all cloudtrail events.
-  condition:
-    evt.num > 0
-  output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error)
-  priority: DEBUG
-  tags:
-  - cloud
-  - aws
-  source: aws_cloudtrail
-  enabled: false
-
-- rule: Console Login Through Assume Role
-  desc: Detect a console login through Assume Role.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-  output:
-    Detected a console login through Assume Role
-    (principal=%ct.user.principalid,
-    assumedRole=%ct.user.arn,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region)
-  priority: WARNING
-  tags:
-  - cloud
-  - aws
-  - aws_console
-  - aws_iam
-  source: aws_cloudtrail
-
-- rule: Console Login Without MFA
-  desc: Detect a console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and json.value[/additionalEventData/MFAUsed]="No"
-  output:
-    Detected a console login without MFA
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Console Root Login Without MFA
-  desc: Detect root console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and json.value[/additionalEventData/MFAUsed]="No"
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and ct.user.identitytype="Root"
-  output:
-    Detected a root console login without MFA.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Deactivate MFA for Root User
-  desc: Detect deactivating MFA configuration for root.
-  condition:
-    ct.name="DeactivateMFADevice" and not ct.error exists
-    and ct.user.identitytype="Root"
-    and ct.request.username="AWS ROOT USER"
-  output:
-    Multi Factor Authentication configuration has been disabled for root
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     MFA serial number=%ct.request.serialnumber)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Create AWS user
-  desc: Detect creation of a new AWS user.
-  condition:
-    ct.name="CreateUser" and not ct.error exists
-  output:
-    A new AWS user has been created
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     new user created=%ct.request.username)
-  priority: INFO
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Create Group
-  desc: Detect creation of a new user group.
-  condition:
-    ct.name="CreateGroup" and not ct.error exists
-  output:
-    A new user group has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Delete Group
-  desc: Detect deletion of a user group.
-  condition:
-    ct.name="DeleteGroup" and not ct.error exists
-  output:
-    A user group has been deleted.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: ECS Service Created
-  desc: Detect a new service is created in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    ct.name="CreateService" and
-    not ct.error exists
-  output:
-    A new service has been created in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    service name=%ct.request.servicename,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
-- rule: ECS Task Run or Started
-  desc: Detect a new task is started in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    (ct.name="RunTask" or ct.name="StartTask") and
-    not ct.error exists
-  output:
-    A new task has been started in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
-- rule: Create Lambda Function
-  desc: Detect creation of a Lambda function.
-  condition:
-    ct.name="CreateFunction20150331" and not ct.error exists
-  output:
-    Lambda function has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Update Lambda Function Code
-  desc: Detect updates to a Lambda function code.
-  condition:
-    ct.name="UpdateFunctionCode20150331v2" and not ct.error exists
-  output:
-    The code of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Update Lambda Function Configuration
-  desc: Detect updates to a Lambda function configuration.
-  condition:
-    ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists
-  output:
-    The configuration of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Run Instances
-  desc: Detect launching of a specified number of instances.
-  condition:
-    ct.name="RunInstances" and not ct.error exists
-  output:
-    A number of instances have been launched.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
-# Only instances launched on regions in this list are approved.
-- list: approved_regions
-  items:
-    - us-east-0
-
-- rule: Run Instances in Non-approved Region
-  desc: Detect launching of a specified number of instances in a non-approved region.
-  condition:
-    ct.name="RunInstances" and not ct.error exists and
-    not ct.region in (approved_regions)
-  output:
-    A number of instances have been launched in a non-approved region.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid,
-     image id=%json.value[/responseElements/instancesSet/items/0/instanceId])
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
-- rule: Delete Bucket Encryption
-  desc: Detect deleting configuration to use encryption for bucket storage.
-  condition:
-    ct.name="DeleteBucketEncryption" and not ct.error exists
-  output:
-    A encryption configuration for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Delete Bucket Public Access Block
-  desc: Detect deleting blocking public access to bucket.
-  condition:
-    ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
-    json.value[/requestParameters/publicAccessBlock]="" and
-      (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
-  output:
-    A public access block for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: List Buckets
-  desc: Detect listing of all S3 buckets.
-  condition:
-    ct.name="ListBuckets" and not ct.error exists
-  output:
-    A list of all S3 buckets has been requested.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     host=%ct.request.host)
-  priority: WARNING
-  enabled: false
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Put Bucket ACL
-  desc: Detect setting the permissions on an existing bucket using access control lists.
-  condition:
-    ct.name="PutBucketAcl" and not ct.error exists
-  output:
-    The permissions on an existing bucket have been set using access control lists.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Put Bucket Policy
-  desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
-  condition:
-    ct.name="PutBucketPolicy" and not ct.error exists
-  output:
-    An Amazon S3 bucket policy has been applied to an Amazon S3 bucket.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket,
-     policy=%ct.request.policy)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: CloudTrail Trail Created
-  desc: Detect creation of a new trail.
-  condition:
-    ct.name="CreateTrail" and not ct.error exists
-  output:
-    A new trail has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     trail name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-
-- rule: CloudTrail Logging Disabled
-  desc: The CloudTrail logging has been disabled, this could be potentially malicious.
-  condition:
-    ct.name="StopLogging" and not ct.error exists
-  output:
-    The CloudTrail logging has been disabled.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     resource name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-

rules/falco_rules.yaml

@@ -1815,7 +1815,7 @@
           registry.access.redhat.com/sematext/agent,
           registry.access.redhat.com/sematext/logagent]
 
-# These container images are allowed to run with --privileged
+# These container images are allowed to run with --privileged and full set of capabilities
 - list: falco_privileged_images
   items: [
     docker.io/calico/node,
@@ -1903,6 +1903,31 @@
   priority: INFO
   tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
 
+# These capabilities were used in the past to escape from containers
+- macro: excessively_capable_container
+  condition: >
+    (thread.cap_permitted contains CAP_SYS_ADMIN
+    or thread.cap_permitted contains CAP_SYS_MODULE
+    or thread.cap_permitted contains CAP_SYS_RAWIO
+    or thread.cap_permitted contains CAP_SYS_PTRACE
+    or thread.cap_permitted contains CAP_SYS_BOOT
+    or thread.cap_permitted contains CAP_SYSLOG
+    or thread.cap_permitted contains CAP_DAC_READ_SEARCH
+    or thread.cap_permitted contains CAP_NET_ADMIN
+    or thread.cap_permitted contains CAP_BPF)
+
+- rule: Launch Excessively Capable Container
+  desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images.
+  condition: >
+    container_started and container
+    and excessively_capable_container
+    and not falco_privileged_containers
+    and not user_privileged_containers
+  output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)
+  priority: INFO
+  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
+
+
 # For now, only considering a full mount of /etc as
 # sensitive. Ideally, this would also consider all subdirectories
 # below /etc as well, but the globbing mechanism
@@ -2039,7 +2064,8 @@
     '"sh -c  -t -i"',
     '"sh -c openssl version"',
     '"bash -c id -Gn kafadmin"',
-    '"sh -c /bin/sh -c ''date +%%s''"'
+    '"sh -c /bin/sh -c ''date +%%s''"',
+    '"sh -c /usr/share/lighttpd/create-mime.conf.pl"'
     ]
 
 # This list allows for easy additions to the set of commands allowed
@@ -2569,26 +2595,28 @@
     WARNING
   tags: [process, mitre_persistence]
 
+# here `ash_history` will match both `bash_history` and `ash_history`
 - macro: modify_shell_history
   condition: >
     (modify and (
-      evt.arg.name contains "bash_history" or
+      evt.arg.name endswith "ash_history" or
       evt.arg.name endswith "zsh_history" or
       evt.arg.name contains "fish_read_history" or
       evt.arg.name endswith "fish_history" or
-      evt.arg.oldpath contains "bash_history" or
+      evt.arg.oldpath endswith "ash_history" or
       evt.arg.oldpath endswith "zsh_history" or
       evt.arg.oldpath contains "fish_read_history" or
       evt.arg.oldpath endswith "fish_history" or
-      evt.arg.path contains "bash_history" or
+      evt.arg.path endswith "ash_history" or
       evt.arg.path endswith "zsh_history" or
       evt.arg.path contains "fish_read_history" or
       evt.arg.path endswith "fish_history"))
 
+# here `ash_history` will match both `bash_history` and `ash_history`
 - macro: truncate_shell_history
   condition: >
     (open_write and (
-      fd.name contains "bash_history" or
+      fd.name endswith "ash_history" or
       fd.name endswith "zsh_history" or
       fd.name contains "fish_read_history" or
       fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
@@ -2811,7 +2839,7 @@
   condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 
 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg, connect) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
 - macro: trusted_images_query_miner_domain_dns
   condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco))
@@ -2955,12 +2983,15 @@
 - macro: user_known_stand_streams_redirect_activities
   condition: (never_true)
 
+- macro: dup
+  condition: evt.type in (dup, dup2, dup3)
+
 - rule: Redirect STDOUT/STDIN to Network Connection in Container
   desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
-  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
+  condition: dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
   output: >
     Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
-  priority: WARNING
+  priority: NOTICE
 
 # The two Container Drift rules below will fire when a new executable is created in a container.
 # There are two ways to create executables - file is created with execution permissions or permissions change of existing file.
@@ -3109,8 +3140,8 @@
 - macro: user_known_ingress_remote_file_copy_activities
   condition: (never_true)
 
--  macro: curl_download
-   condition: proc.name = curl and
+- macro: curl_download
+  condition: proc.name = curl and
               (proc.cmdline contains " -o " or
               proc.cmdline contains " --output " or
               proc.cmdline contains " -O " or
@@ -3140,6 +3171,29 @@
   priority: CRITICAL
   tags: [process, mitre_privilege_escalation]
 
+
+- rule: Detect release_agent File Container Escapes
+  desc: "This rule detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container"
+  condition:
+    open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
+  output:
+    "Detect an attempt to exploit a container escape using release_agent file (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_effective=%thread.cap_effective)"
+  priority: CRITICAL
+  tags: [container, mitre_privilege_escalation, mitre_lateral_movement]
+
+# Rule for detecting potential Log4Shell (CVE-2021-44228) exploitation
+# Note: Not compatible with Java 17+, which uses read() syscalls
+- macro: java_network_read
+  condition: (evt.type=recvfrom and fd.type in (ipv4, ipv6) and proc.name=java)
+
+- rule: Java Process Class File Download
+  desc: Detected Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228)
+  condition: >
+        java_network_read and evt.buffer bcontains cafebabe
+  output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository)
+  priority: CRITICAL
+  tags: [mitre_initial_access]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

rules/k8s_audit_rules.yaml

@@ -1,704 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- required_engine_version: 2
-
-# Like always_true/always_false, but works with k8s audit events
-- macro: k8s_audit_always_true
-  condition: (jevt.rawtime exists)
-
-- macro: k8s_audit_never_true
-  condition: (jevt.rawtime=0)
-
-# Generally only consider audit events once the response has completed
-- list: k8s_audit_stages
-  items: ["ResponseComplete"]
-
-# Generally exclude users starting with "system:"
-- macro: non_system_user
-  condition: (not ka.user.name startswith "system:")
-
-# This macro selects the set of Audit Events used by the below rules.
-- macro: kevt
-  condition: (jevt.value[/stage] in (k8s_audit_stages))
-
-- macro: kevt_started
-  condition: (jevt.value[/stage]=ResponseStarted)
-
-# If you wish to restrict activity to a specific set of users, override/append to this list.
-# users created by kops are included
-- list: vertical_pod_autoscaler_users
-  items: ["vpa-recommender", "vpa-updater"]
-
-- list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    "kubernetes-admin",
-    vertical_pod_autoscaler_users,
-    cluster-autoscaler,
-    "system:addon-manager",
-    "cloud-controller-manager",
-    "system:kube-controller-manager"
-    ]
-
-- list: eks_allowed_k8s_users
-  items: [
-    "eks:node-manager",
-    "eks:certificate-controller",
-    "eks:fargate-scheduler",
-    "eks:k8s-metrics",
-    "eks:authenticator",
-    "eks:cluster-event-watcher",
-    "eks:nodewatcher",
-    "eks:pod-identity-mutating-webhook"
-    ]
--
-- rule: Disallowed K8s User
-  desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
-  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules file, you could override this macro to
-# explicitly enumerate the container images that you want to run in
-# your environment. In this main falco rules file, there isn't any way
-# to know all the containers that can run, so any container is
-# allowed, by using the always_true macro. In the overridden macro, the condition
-# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
-- macro: allowed_k8s_containers
-  condition: (k8s_audit_always_true)
-
-- macro: response_successful
-  condition: (ka.response.code startswith 2)
-
-- macro: kcreate
-  condition: ka.verb=create
-
-- macro: kmodify
-  condition: (ka.verb in (create,update,patch))
-
-- macro: kdelete
-  condition: ka.verb=delete
-
-- macro: pod
-  condition: ka.target.resource=pods and not ka.target.subresource exists
-
-- macro: pod_subresource
-  condition: ka.target.resource=pods and ka.target.subresource exists
-
-- macro: deployment
-  condition: ka.target.resource=deployments
-
-- macro: service
-  condition: ka.target.resource=services
-
-- macro: configmap
-  condition: ka.target.resource=configmaps
-
-- macro: namespace
-  condition: ka.target.resource=namespaces
-
-- macro: serviceaccount
-  condition: ka.target.resource=serviceaccounts
-
-- macro: clusterrole
-  condition: ka.target.resource=clusterroles
-
-- macro: clusterrolebinding
-  condition: ka.target.resource=clusterrolebindings
-
-- macro: role
-  condition: ka.target.resource=roles
-
-- macro: secret
-  condition: ka.target.resource=secrets
-
-- macro: health_endpoint
-  condition: ka.uri=/healthz
-
-- rule: Create Disallowed Pod
-  desc: >
-    Detect an attempt to start a pod with a container image outside of a list of allowed images.
-  condition: kevt and pod and kcreate and not allowed_k8s_containers
-  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Create Privileged Pod
-  desc: >
-    Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
-  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: sensitive_vol_mount
-  condition: >
-    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
-
-- rule: Create Sensitive Mount Pod
-  desc: >
-    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
-    Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
-  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# These container images are allowed to run with hostnetwork=true
-- list: falco_hostnetwork_images
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/typha,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64
-    k8s.gcr.io/prometheus-to-sd,
-    ]
-
-# Corresponds to K8s CIS Benchmark 1.7.4
-- rule: Create HostNetwork Pod
-  desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
-  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- list: falco_hostpid_images
-  items: []
-
-- rule: Create HostPid Pod
-  desc: Detect an attempt to start a pod using the host pid namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
-  output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- list: falco_hostipc_images
-  items: []
-
-- rule: Create HostIPC Pod
-  desc: Detect an attempt to start a pod using the host ipc namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
-  output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: user_known_node_port_service
-  condition: (k8s_audit_never_true)
-
-- rule: Create NodePort Service
-  desc: >
-    Detect an attempt to start a service with a NodePort service type
-  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
-  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: contains_private_credentials
-  condition: >
-    (ka.req.configmap.obj contains "aws_access_key_id" or
-     ka.req.configmap.obj contains "aws-access-key-id" or
-     ka.req.configmap.obj contains "aws_s3_access_key_id" or
-     ka.req.configmap.obj contains "aws-s3-access-key-id" or
-     ka.req.configmap.obj contains "password" or
-     ka.req.configmap.obj contains "passphrase")
-
-- rule: Create/Modify Configmap With Private Credentials
-  desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
-  condition: kevt and configmap and kmodify and contains_private_credentials
-  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Corresponds to K8s CIS Benchmark, 1.1.1.
-- rule: Anonymous Request Allowed
-  desc: >
-    Detect any request made by the anonymous user that was allowed
-  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
-  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
-# notifies an attempt to exec/attach to a privileged container.
-
-# Ideally, we'd add a more stringent rule that detects attaches/execs
-# to a privileged pod, but that requires the engine for k8s audit
-# events to be stateful, so it could know if a container named in an
-# attach request was created privileged or not. For now, we have a
-# less severe rule that detects attaches/execs to any pod.
-#
-# For the same reason, you can't use things like image names/prefixes,
-# as the event that creates the pod (which has the images) is a
-# separate event than the actual exec/attach to the pod.
-
-- macro: user_known_exec_pod_activities
-  condition: (k8s_audit_never_true)
-
-- rule: Attach/Exec Pod
-  desc: >
-    Detect any attempt to attach/exec to a pod
-  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
-  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: user_known_pod_debug_activities
-  condition: (k8s_audit_never_true)
-
-# Only works when feature gate EphemeralContainers is enabled
-- rule: EphemeralContainers Created
-  desc: >
-    Detect any ephemeral container created
-  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules fie, you can append to this list to add additional allowed namespaces
-- list: allowed_namespaces
-  items: [kube-system, kube-public, default]
-
-- rule: Create Disallowed Namespace
-  desc: Detect any attempt to create a namespace outside of a set of known namespaces
-  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
-  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Only defined for backwards compatibility. Use the more specific
-# user_allowed_kube_namespace_image_list instead.
-- list: user_trusted_image_list
-  items: []
-
-- list: user_allowed_kube_namespace_image_list
-  items: [user_trusted_image_list]
-
-# Only defined for backwards compatibility. Use the more specific
-# allowed_kube_namespace_image_list instead.
-- list: k8s_image_list
-  items: []
-
-- list: allowed_kube_namespace_image_list
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/addon-resizer,
-    gke.gcr.io/heapster,
-    gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    gke.gcr.io/watcher-daemonset,
-    k8s.gcr.io/addon-resizer
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
-    kope/kube-apiserver-healthcheck,
-    k8s_image_list
-    ]
-
-- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
-
-# Detect any new pod created in the kube-system namespace
-- rule: Pod Created in Kube Namespace
-  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
-  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- list: user_known_sa_list
-  items: []
-
-- list: known_sa_list
-  items: [
-    coredns,
-    coredns-autoscaler,
-    cronjob-controller,
-    daemon-set-controller,
-    deployment-controller,
-    disruption-controller,
-    endpoint-controller,
-    endpointslice-controller,
-    endpointslicemirroring-controller,
-    generic-garbage-collector,
-    horizontal-pod-autoscaler,
-    job-controller,
-    namespace-controller,
-    node-controller,
-    persistent-volume-binder,
-    pod-garbage-collector,
-    pv-protection-controller,
-    pvc-protection-controller,
-    replicaset-controller,
-    resourcequota-controller,
-    root-ca-cert-publisher,
-    service-account-controller,
-    statefulset-controller
-    ]
-
-- macro: trusted_sa
-  condition: (ka.target.name in (known_sa_list, user_known_sa_list))
-
-# Detect creating a service account in the kube-system/kube-public namespace
-- rule: Service Account Created in Kube Namespace
-  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
-  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any modify/delete to any ClusterRole starting with
-# "system:". "system:coredns" is excluded as changes are expected in
-# normal operation.
-- rule: System ClusterRole Modified/Deleted
-  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
-             not ka.target.name in (system:coredns, system:managed-certificate-controller)
-  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-# (expand this to any built-in cluster role that does "sensitive" things)
-- rule: Attach to cluster-admin Role
-  desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-  condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
-  output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: ClusterRole With Wildcard Created
-  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
-  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: writable_verbs
-  condition: >
-    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
-
-- rule: ClusterRole With Write Privileges Created
-  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
-  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
-  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: ClusterRole With Pod Exec Created
-  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
-  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# The rules below this point are less discriminatory and generally
-# represent a stream of activity for a cluster. If you wish to disable
-# these events, modify the following macro.
-- macro: consider_activity_events
-  condition: (k8s_audit_always_true)
-
-- macro: kactivity
-  condition: (kevt and consider_activity_events)
-
-- rule: K8s Deployment Created
-  desc: Detect any attempt to create a deployment
-  condition: (kactivity and kcreate and deployment and response_successful)
-  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Deployment Deleted
-  desc: Detect any attempt to delete a deployment
-  condition: (kactivity and kdelete and deployment and response_successful)
-  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Created
-  desc: Detect any attempt to create a service
-  condition: (kactivity and kcreate and service and response_successful)
-  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Deleted
-  desc: Detect any attempt to delete a service
-  condition: (kactivity and kdelete and service and response_successful)
-  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Created
-  desc: Detect any attempt to create a configmap
-  condition: (kactivity and kcreate and configmap and response_successful)
-  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Deleted
-  desc: Detect any attempt to delete a configmap
-  condition: (kactivity and kdelete and configmap and response_successful)
-  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Created
-  desc: Detect any attempt to create a namespace
-  condition: (kactivity and kcreate and namespace and response_successful)
-  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Deleted
-  desc: Detect any attempt to delete a namespace
-  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
-  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Created
-  desc: Detect any attempt to create a service account
-  condition: (kactivity and kcreate and serviceaccount and response_successful)
-  output: K8s Serviceaccount Created (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Deleted
-  desc: Detect any attempt to delete a service account
-  condition: (kactivity and kdelete and serviceaccount and response_successful)
-  output: K8s Serviceaccount Deleted (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Created
-  desc: Detect any attempt to create a cluster role/role
-  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Deleted
-  desc: Detect any attempt to delete a cluster role/role
-  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Created
-  desc: Detect any attempt to create a clusterrolebinding
-  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Deleted
-  desc: Detect any attempt to delete a clusterrolebinding
-  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Created
-  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-# This rule generally matches all events, and as a result is disabled
-# by default. If you wish to enable these events, modify the
-# following macro.
-#  condition: (jevt.rawtime exists)
-- macro: consider_all_events
-  condition: (k8s_audit_never_true)
-
-- macro: kall
-  condition: (kevt and consider_all_events)
-
-- rule: All K8s Audit Events
-  desc: Match all K8s Audit Events
-  condition: kall
-  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
-  priority: DEBUG
-  source: k8s_audit
-  tags: [k8s]
-
-
-# This macro disables following rule, change to k8s_audit_never_true to enable it
-- macro: allowed_full_admin_users
-  condition: (k8s_audit_always_true)
-
-# This list includes some of the default user names for an administrator in several K8s installations
-- list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
-
-# This rules detect an operation triggered by an user name that is
-# included in the list of those that are default administrators upon
-# cluster creation. This may signify a permission setting too broader.
-# As we can't check for role of the user on a general ka.* event, this
-# may or may not be an administrator. Customize the full_admin_k8s_users
-# list to your needs, and activate at your discretion.
-
-# # How to test:
-# # Execute any kubectl command connected using default cluster user, as:
-# kubectl create namespace rule-test
-
-- rule: Full K8s Administrative Access
-  desc: Detect any k8s operation by a user name that may be an administrator with full access.
-  condition: >
-    kevt
-    and non_system_user
-    and ka.user.name in (full_admin_k8s_users)
-    and not allowed_full_admin_users
-  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: ingress
-  condition: ka.target.resource=ingresses
-
-- macro: ingress_tls
-  condition: (jevt.value[/requestObject/spec/tls] exists)
-
-# # How to test:
-# # Create an ingress.yaml file with content:
-# apiVersion: networking.k8s.io/v1beta1
-# kind: Ingress
-# metadata:
-#   name: test-ingress
-#   annotations:
-#     nginx.ingress.kubernetes.io/rewrite-target: /
-# spec:
-#   rules:
-#   - http:
-#       paths:
-#       - path: /testpath
-#         backend:
-#           serviceName: test
-#           servicePort: 80
-# # Execute: kubectl apply -f ingress.yaml
-
-- rule: Ingress Object without TLS Certificate Created
-  desc: Detect any attempt to create an ingress without TLS certification.
-  condition: >
-    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  output: >
-    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
-    namespace=%ka.target.namespace)
-  source: k8s_audit
-  priority: WARNING
-  tags: [k8s, network]
-
-- macro: node
-  condition: ka.target.resource=nodes
-
-- macro: allow_all_k8s_nodes
-  condition: (k8s_audit_always_true)
-
-- list: allowed_k8s_nodes
-  items: []
-
-# # How to test:
-# # Create a Falco monitored cluster with Kops
-# # Increase the number of minimum nodes with:
-# kops edit ig nodes
-# kops apply --yes
-
-- rule: Untrusted Node Successfully Joined the Cluster
-  desc: >
-    Detect a node successfully joined the cluster outside of the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
-  desc: >
-    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and not response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-

rules/okta_rules.yaml

@@ -1,177 +0,0 @@
-#Example Rule on login in to OKTA. Disabled by default since it might be noisy
-#- rule: User logged in to OKTA
-#  desc: Detect the user login in to OKTA
-#  condition: okta.evt.type = "user.session.start" 
-#  output: "A user has logged in toOKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-#       priority: NOTICE
-#  source: okta
-#  tags: [okta]
-
-- rule: User Changing password in to OKTA
-  desc: Detect a user change password in OKTA
-  condition: okta.evt.type = "user.account.update_password"
-  output: "A user has changed password from OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: Creating a new OKTA user account
-  desc: Detect a new OKTA user account created in the OKTA environment
-  condition: okta.evt.type = "user.lifecycle.create"
-  output: "A new OKTA user account created (user=%okta.actor.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User accessing app via single sign on OKTA
-  desc: Detect a user accessing an app via OKTA
-  condition: okta.evt.type = "user.authentication.sso"
-  output: "A user has accessed an app using OKTA (user=%okta.actor.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been locked out in OKTA
-  desc: Detect a user who has been locked out in OKTA
-  condition: okta.evt.type = "user.account.lock"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User has been moved from suspended status in OKTA.
-  desc: Detect a user who has been moved from suspended status in OKTA
-  condition: okta.evt.type = "user.lifecycle.unsuspend"
-  output: "A user has been moved from suspended status in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been activated in OKTA
-  desc: Detect a user who has been activated in OKTA
-  condition: okta.evt.type = "user.lifecycle.activate"
-  output: "A user has been activated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been deactivated in OKTA
-  desc: Detect a user who has been deactivated in OKTA
-  condition: okta.evt.type = "user.lifecycle.deactivate"
-  output: "A user has been deactivated in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User has been suspended in OKTA
-  desc: Detect a user who has been suspended in OKTA
-  condition: okta.evt.type = "user.lifecycle.suspended"
-  output: "A user has been suspended in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Admin permission has been assigned to a user in OKTA
-  desc: Detect an admin permission assigned to a user in OKTA
-  condition: okta.evt.type = "user.account.privilege.grant"
-  output: "A user has been locked out in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Creating a new OKTA API token
-  desc: Detect a new OKTA API token created in the OKTA environment
-  condition: okta.evt.type = "system.api_token.create"
-  output: "A new OKTA API token has been created in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User accessing OKTA admin section
-  desc: Detect a user accessing OKTA admin section of your OKTA instance
-  condition: okta.evt.type = "user.session.access_admin_app"
-  output: "A user accessed the OKTA admin section of your OKTA instance (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Adding user in OKTA group
-  desc: Detect a new user added to an OKTA group
-  condition: okta.evt.type = "group.user_membership.add"
-  output: "A user has been added in an OKTA group (user=%okta.actor.name, target group=%okta.target.group.name, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: removing MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.deactivate"
-  output: "A user has removed MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: removing all MFA factor from user in OKTA
-  desc: Detect a removing MFA activity on a user in OKTA
-  condition: okta.evt.type = "user.mfa.factor.reset_all"
-  output: "A user has removed all MFA factor in the OKTA account (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User password reset by OKTA admin
-  desc: Detect a password reset on a user done by OKTA Admin Account
-  condition: okta.evt.type = "user.account.reset_password"
-  output: "A user password has been reset by an OKTA Admin account (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: User hitting the rate limit on requests in OKTA
-  desc: Detect a user who hit the rate limit on requests in OKTA
-  condition: okta.evt.type = "system.org.rate_limit.violation"
-  output: "A user has hitted the rate limit on requests in OKTA (user=%okta.actor.name, ip=%okta.client.ip)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-- rule: Adding user to application membership in OKTA
-  desc: Detect a user who has been added o application membership in OKTA
-  condition: okta.evt.type = "application.user_membership.add"
-  output: "A user has been added to an application membership in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name, app=%okta.app)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false
-
-- rule: User initiating impersonation session in OKTA
-  desc: Detect a user who initiate an impersonation session in OKTA
-  condition: okta.evt.type = "user.session.impersonation.initiate"
-  output: "A user has initiated an impersonation session in OKTA (user=%okta.actor.name, ip=%okta.client.ip, target user=%okta.target.user.name)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-
-# This list allows easily whitelisting countries that are
-# expected to see OKTA logins from.
-- list: allowed_countries_list
-  items: []
-
-- macro: user_known_countries
-  condition: (okta.client.geo.country in (allowed_countries_list))
-
-- rule: Detecting unknown logins using geolocation
-  desc: Detect a logins event based on user geolocation
-  condition: okta.evt.type = "user.session.start" and not user_known_countries
-  output: "A user logged in OKTA from a suspicious country (user=%okta.actor.name, ip=%okta.client.ip, country=%okta.client.geo.country)"
-  priority: NOTICE
-  source: okta
-  tags: [okta]
-  enabled: false

scripts/CMakeLists.txt

@@ -33,5 +33,5 @@ configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
-		DESTINATION ${FALCO_BIN_DIR})
+		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

scripts/debian/postinst.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postrm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/prerm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,13 +17,8 @@
 #
 set -e
 
-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
-
 case "$1" in
 	remove|upgrade|deconfigure)
-		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
-			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
-		fi
+		/usr/bin/falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -135,12 +135,42 @@ get_target_id() {
 			TARGET_ID="ubuntu-generic"
 		fi
 		;;
+	("flatcar")
+		KERNEL_RELEASE="${VERSION_ID}"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
 	(*)
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
 }
 
+flatcar_relocate_tools() {
+	local -a tools=(
+		scripts/basic/fixdep
+		scripts/mod/modpost
+		tools/objtool/objtool
+	)
+	local -r hostld=$(ls /host/usr/lib64/ld-linux-*.so.*)
+	local -r kdir=/lib/modules/$(ls /lib/modules/)/build
+	echo "** Found host dl interpreter: ${hostld}"
+	for host_tool in ${tools[@]}; do
+		t=${host_tool}
+		tool=$(basename $t)
+		tool_dir=$(dirname $t)
+		host_tool=${kdir}/${host_tool}
+		if [ ! -f ${host_tool} ]; then
+			continue
+		fi
+		umount ${host_tool} 2>/dev/null || true
+		mkdir -p /tmp/${tool_dir}/
+		cp -a ${host_tool} /tmp/${tool_dir}/
+		echo "** Setting host dl interpreter for $host_tool"
+		patchelf --set-interpreter ${hostld} --set-rpath /host/usr/lib64 /tmp/${tool_dir}/${tool}
+		mount -o bind /tmp/${tool_dir}/${tool} ${host_tool}
+	done
+}
+
 load_kernel_module_compile() {
 	# Skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
@@ -153,6 +183,12 @@ load_kernel_module_compile() {
 		return
 	fi
 
+	if [ "${TARGET_ID}" == "flatcar" ]; then
+		KERNEL_RELEASE=$(uname -r)
+		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
+		flatcar_relocate_tools
+	fi
+
 	# Try to compile using all the available gcc versions
 	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
@@ -199,9 +235,7 @@ load_kernel_module_download() {
 	get_target_id
 
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-
-	local URL
-	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
+	local URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
 	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
@@ -219,43 +253,96 @@ load_kernel_module_download() {
 	fi
 }
 
-load_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
+print_clean_termination() {
+	echo
+	echo "[SUCCESS] Cleaning phase correctly terminated."
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+}
 
-	if ! hash modprobe > /dev/null 2>&1; then
-		>&2 echo "This program requires modprobe"
+clean_kernel_module() {
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod."
 		exit 1
 	fi
 
 	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
+		>&2 echo "This program requires rmmod."
 		exit 1
 	fi
 
-	echo "* Unloading ${DRIVER_NAME} module, if present"
-	rmmod "${DRIVER_NAME}" 2>/dev/null
-	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
-			break
-		fi
-		((++WAIT_TIME))
-		if (( WAIT_TIME % 5 == 0 )); then
-			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
-		fi
-		sleep 1
-	done
+	echo "* 1. Check if kernel module '${KMOD_NAME}' is still loaded:"
 
-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
-		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
-		exit 0
+	if ! lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		echo "- OK! There is no '${KMOD_NAME}' module loaded."
+		echo
 	fi
 
+	# Wait 50s = MAX_RMMOD_WAIT * 5s
+	MAX_RMMOD_WAIT=10
+	# Remove kernel module if is still loaded.
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $MAX_RMMOD_WAIT -gt 0 ]; do
+		echo "- Kernel module '${KMOD_NAME}' is still loaded."
+		echo "- Trying to unload it with 'rmmod ${KMOD_NAME}'..."
+		if rmmod ${KMOD_NAME}; then
+			echo "- OK! Unloading '${KMOD_NAME}' module succeeded."
+			echo
+		else
+			echo "- Nothing to do...'falco-driver-loader' will wait until you remove the kernel module to have a clean termination."
+			echo "- Check that no process is using the kernel module with 'lsmod | grep ${KMOD_NAME}'."
+			echo "- Sleep 5 seconds..."
+			echo
+			((--MAX_RMMOD_WAIT))
+			sleep 5
+		fi
+	done
+
+	if [ ${MAX_RMMOD_WAIT} -eq 0 ]; then
+		echo "[WARNING] '${KMOD_NAME}' module is still loaded, you could have incompatibility issues."
+		echo
+	fi
+	
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "- Skipping dkms remove (dkms not found)."
+		print_clean_termination
+		return
+	fi
+
+	# Remove all versions of this module from dkms.
+	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
+	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
+	else
+		echo "- There are some versions of '${KMOD_NAME}' module in dkms."
+		echo
+		echo "* 3. Removing all the following versions from dkms:"
+		echo "${DRIVER_VERSIONS}"
+		echo
+	fi
+
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		echo "- Removing ${CURRENT_VER}..."
+		if dkms remove -m ${KMOD_NAME} -v "${CURRENT_VER}" --all; then
+			echo
+			echo "- OK! Removing '${CURRENT_VER}' succeeded."
+			echo
+		else
+			echo "[WARNING] Removing '${KMOD_NAME}' version '${CURRENT_VER}' failed."
+		fi
+	done
+
+	print_clean_termination
+}
+
+load_kernel_module() {
+	clean_kernel_module
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
@@ -290,48 +377,6 @@ load_kernel_module() {
 	exit 1
 }
 
-clean_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
-
-	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
-		exit 1
-	fi
-
-	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded"
-		else
-			echo "* Unloading ${DRIVER_NAME} module failed"
-		fi
-	else
-		echo "* There is no ${DRIVER_NAME} module loaded"
-	fi
-
-	if ! hash dkms >/dev/null 2>&1; then
-		echo "* Skipping dkms remove (dkms not found)"
-		return
-	fi
-
-	DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f1 | sed -e 's/^[[:space:]]*//')
-	if [ -z "${DRIVER_VERSIONS}" ]; then
-		echo "* There is no ${DRIVER_NAME} module in dkms"
-		return
-	fi
-	for CURRENT_VER in ${DRIVER_VERSIONS}; do
-		if dkms remove "${CURRENT_VER}" --all 2>/dev/null; then
-			echo "* Removing ${CURRENT_VER} succeeded"
-		else
-			echo "* Removing ${CURRENT_VER} failed"
-			exit 1
-		fi
-	done
-}
-
 load_bpf_probe_compile() {
 	local BPF_KERNEL_SOURCES_URL=""
 	local STRIP_COMPONENTS=1
@@ -448,7 +493,7 @@ load_bpf_probe_compile() {
 
 load_bpf_probe_download() {
 	local URL
-	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
 
 	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
 

scripts/publish-deb

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-    echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
+    echo "usage: $0 -f <package_x86_64.deb> -f <package_aarch64.deb> -r <deb|deb-dev>"
     exit 1
 }
 
@@ -14,6 +14,13 @@ check_program() {
   fi
 }
 
+# Used to get comma separated list of architectures
+join_arr() {
+  local IFS="$1"
+  shift
+  echo "$*"
+}
+
 # Add a package to the local DEB repository
 #
 # $1: path of the repository.
@@ -25,6 +32,26 @@ add_deb() {
     rm -f $(basename -- $3).asc
     gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $3)
     popd > /dev/null
+
+    # Get package architecture from dpkg
+    local arch=$(dpkg --info $3 |  awk '/Architecture/ {printf "%s", $2}')
+    # Store architecture in array
+    architectures+=("${arch}")
+}
+
+falco_arch_from_deb_arch() {
+    case "$1" in
+      "amd64")
+        echo -n "x86_64"
+        ;;
+      "arm64")
+        echo -n "aarch64"
+        ;;
+      *)
+        echo "Wrong arch."
+        exit 1
+        ;;
+    esac  
 }
 
 # Update the local DEB repository
@@ -32,26 +59,25 @@ add_deb() {
 # $1: path of the repository
 # $2: suite (eg. "stable")
 update_repo() {
-    # fixme(leogr): we cannot use apt-ftparchive --arch packages ...
-    # since our .deb files ends with "_x86_64" instead of "amd64".
-    # See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
-    #
-    # As a workaround, we temporarily stick here with "amd64" 
-    # (the only supported arch at the moment)
-    local arch=amd64
-
     local component=main
     local debs_dir=$2
     local release_dir=dists/$2
-    local packages_dir=${release_dir}/${component}/binary-${arch}
 
     pushd $1 > /dev/null
 
     # packages metadata
-    apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
-    gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
-    bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
-    
+    for arch in "${architectures[@]}"; do
+      local packages_dir=${release_dir}/${component}/binary-${arch}
+      mkdir -p ${packages_dir}
+      truncate -s 0 ${packages_dir}/Packages
+      # Find all ${arch} deb files.
+      # Note that debian uses {arm64,amd64}, while 
+      # Falco packages use {x86_64,aarch64}.
+      find ${debs_dir} -name "falco-*-$(falco_arch_from_deb_arch ${arch}).deb" -exec apt-ftparchive packages {} \; >> ${packages_dir}/Packages
+      gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
+      bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
+    done
+
     # release metadata
     apt-ftparchive release \
       -o APT::FTPArchive::Release::Origin=Falco \
@@ -59,13 +85,18 @@ update_repo() {
       -o APT::FTPArchive::Release::Suite=$2 \
       -o APT::FTPArchive::Release::Codename=$2 \
       -o APT::FTPArchive::Release::Components=${component} \
-      -o APT::FTPArchive::Release::Architectures=${arch} \
+      -o APT::FTPArchive::Release::Architectures="$(join_arr , "${architectures[@]}")" \
       ${release_dir} > ${release_dir}/Release
 
-    # release signature
+    # release signature - Release.gpg file
     gpg --detach-sign --digest-algo SHA256 --armor ${release_dir}/Release
     rm -f ${release_dir}/Release.gpg
     mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
+    
+    # release signature - InRelease file
+    gpg --armor --sign --clearsign --digest-algo SHA256 ${release_dir}/Release
+    rm -f ${release_dir}/InRelease
+    mv ${release_dir}/Release.asc ${release_dir}/InRelease
 
     popd > /dev/null
 }
@@ -74,7 +105,7 @@ update_repo() {
 while getopts ":f::r:" opt; do
     case "${opt}" in
         f )
-          file=${OPTARG}
+          files+=("${OPTARG}")
           ;;
         r )
           repo="${OPTARG}"
@@ -93,7 +124,7 @@ done
 shift $((OPTIND-1))
 
 # check options
-if [ -z "${file}" ] || [ -z "${repo}" ]; then
+if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
     usage
 fi
 
@@ -103,6 +134,7 @@ check_program gzip
 check_program bzip2
 check_program gpg
 check_program aws
+check_program dpkg
 
 # settings
 debSuite=stable
@@ -116,17 +148,23 @@ mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update the repo
-echo "Adding ${file}..."
-add_deb ${tmp_repo_path} ${debSuite} ${file}
+for file in "${files[@]}"; do
+  echo "Adding ${file}..."
+  add_deb ${tmp_repo_path} ${debSuite} ${file}
+done
 update_repo ${tmp_repo_path} ${debSuite}
 
 # publish
-package=$(basename -- ${file})
-echo "Publishing ${package} to ${s3_bucket_repo}..."
-aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
-aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
-aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
+for file in "${files[@]}"; do
+  package=$(basename -- ${file})
+  echo "Publishing ${package} to ${s3_bucket_repo}..."
+  aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
+  aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
 
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+done
+
+# sync dists
+aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
 aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

scripts/publish-rpm

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-    echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
+    echo "usage: $0 -f <package_x86_64.rpm> -f <package_aarch64.rpm> -r <rpm|rpm-dev>"
     exit 1
 }
 
@@ -42,7 +42,7 @@ update_repo() {
 while getopts ":f::r:" opt; do
     case "${opt}" in
         f )
-          file=${OPTARG}
+          files+=("${OPTARG}")
           ;;
         r )
           repo="${OPTARG}"
@@ -60,7 +60,7 @@ while getopts ":f::r:" opt; do
 done
 shift $((OPTIND-1))
 
-if [ -z "${file}" ] || [ -z "${repo}" ]; then
+if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
     usage
 fi
 
@@ -80,17 +80,23 @@ mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update the repo
-echo "Adding ${file}..."
-add_rpm ${tmp_repo_path} ${file}
+for file in "${files[@]}"; do
+  echo "Adding ${file}..."
+  add_rpm ${tmp_repo_path} ${file}
+done
 update_repo ${tmp_repo_path}
 
 # publish
-package=$(basename -- ${file})
-echo "Publishing ${package} to ${s3_bucket_repo}..."
-aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
-aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
-aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
+for file in "${files[@]}"; do
+  package=$(basename -- ${file})
+  echo "Publishing ${package} to ${s3_bucket_repo}..."
+  aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+  aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
 
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+done
+
+# sync repodata
+aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
 aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

scripts/rpm/postinstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/postuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/preuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,5 +15,4 @@
 # limitations under the License.
 #
 
-mod_version="@DRIVER_VERSION@"
-dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
+/usr/bin/falco-driver-loader --clean

test/README.md

@@ -10,7 +10,6 @@ You can find instructions on how to run this test suite on the Falco website [he
 - [falco_traces](./falco_traces.yaml.in)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
-- [falco_tests_psp](./falco_tests_psp.yaml)
 
 ## Running locally
 
@@ -18,13 +17,7 @@ This step assumes you already built Falco.
 
 Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
 
-Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
-
-```console
-make test-trace-files
-```
-
-It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
+Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below).
 
 **Requirements**
 
@@ -117,7 +110,7 @@ In case you want to run all the test suites at once, you can directly use the `r
 
 ```console
 cd test
-./run_regression_tests.sh -v
+./run_regression_tests.sh -v -d ../build
 ```
 
 Just make sure you followed all the previous setup steps.

test/confs/plugins/k8s_audit.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: k8saudit
+    library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
+    init_config: ""
+    open_params: "" # to be filled out by each test case
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+load_plugins: [k8saudit, json]

test/confs/psp.yaml

@@ -1,171 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File(s) or Directories containing Falco rules, loaded at startup.
-# The name "rules_file" is only for backwards compatibility.
-# If the entry is a file, it will be read directly. If the entry is a directory,
-# every file in that directory will be read, in alphabetical order.
-#
-# falco_rules.yaml ships with the falco package and is overridden with
-# every new software version. falco_rules.local.yaml is only created
-# if it doesn't exist. If you want to customize the set of rules, add
-# your customizations to falco_rules.local.yaml.
-#
-# The files will be read in the order presented here, so make sure if
-# you have overrides they appear in later files.
-rules_file: []
-
-# If true, the times displayed in log messages and output messages
-# will be in ISO 8601. By default, times are displayed in the local
-# time zone, as governed by /etc/localtime.
-time_format_iso_8601: false
-
-# Whether to output events in json or text
-json_output: false
-
-# When using json output, whether or not to include the "output" property
-# itself (e.g. "File below a known binary directory opened for writing
-# (user=root ....") in the json output.
-json_include_output_property: true
-
-# When using json output, whether or not to include the "tags" property
-# itself in the json output. If set to true, outputs caused by rules
-# with no tags will have a "tags" field set to an empty array. If set to
-# false, the "tags" field will not be included in the json output at all.
-json_include_tags_property: true
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: true
-log_syslog: true
-
-# Minimum log level to include in logs. Note: these levels are
-# separate from the priority field of rules. This refers only to the
-# log level of falco's internal logging. Can be one of "emergency",
-# "alert", "critical", "error", "warning", "notice", "info", "debug".
-log_level: info
-
-# Minimum rule priority level to load and run. All rules having a
-# priority more severe than this level will be loaded/run.  Can be one
-# of "emergency", "alert", "critical", "error", "warning", "notice",
-# "info", "debug".
-priority: debug
-
-# Whether or not output to any of the output channels below is
-# buffered. Defaults to false
-buffered_outputs: false
-
-# Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
-# full and system calls have been dropped, it can take one or more of
-# the following actions:
-#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-#   - "log": log a CRITICAL message noting that the buffer was full.
-#   - "alert": emit a falco alert noting that the buffer was full.
-#   - "exit": exit falco with a non-zero rc.
-#
-# The rate at which log/alert messages are emitted is governed by a
-# token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
-
-syscall_event_drops:
-  actions:
-    - log
-    - alert
-  rate: .03333
-  max_burst: 10
-
-# A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
-#  - rate: the number of tokens (i.e. right to send a notification)
-#    gained per second. Defaults to 1.
-#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
-#
-# With these defaults, falco could send up to 1000 notifications after
-# an initial quiet period, and then up to 1 notification per second
-# afterward. It would gain the full burst back after 1000 seconds of
-# no activity.
-
-outputs:
-  rate: 1
-  max_burst: 1000
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
-  enabled: true
-
-# If keep_alive is set to true, the file will be opened once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the file will be re-opened
-# for each output message.
-#
-# Also, the file will be closed and reopened if falco is signaled with
-# SIGUSR1.
-
-file_output:
-  enabled: false
-  keep_alive: false
-  filename: ./events.txt
-
-stdout_output:
-  enabled: true
-
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is disabled).
-#
-# The ssl_certificate is a combination SSL Certificate and corresponding
-# key contained in a single file. You can generate a key/cert as follows:
-#
-# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
-# $ cat certificate.pem key.pem > falco.pem
-# $ sudo cp falco.pem /etc/falco/falco.pem
-
-webserver:
-  enabled: true
-  listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
-  ssl_enabled: false
-  ssl_certificate: /etc/falco/falco.pem
-
-# Possible additional things you might want to do with program output:
-#   - send to a slack webhook:
-#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-#   - logging (alternate method than syslog):
-#         program: logger -t falco-test
-#   - send over a network connection:
-#         program: nc host.example.com 80
-
-# If keep_alive is set to true, the program will be started once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the program will be re-spawned
-# for each output message.
-#
-# Also, the program will be closed and reopened if falco is signaled with
-# SIGUSR1.
-program_output:
-  enabled: false
-  keep_alive: false
-  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-
-http_output:
-  enabled: false
-  url: http://some.url

test/falco_k8s_audit_tests.yaml

@@ -25,7 +25,8 @@ trace_files: !mux
       - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
     detect_counts:
       - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_allowed_pod:
     detect: False
@@ -33,7 +34,8 @@ trace_files: !mux
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_privileged_pod:
     detect: True
@@ -43,23 +45,26 @@ trace_files: !mux
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   compat_engine_v4_create_privileged_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   compat_engine_v4_create_unprivileged_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_hostnetwork_pod:
     detect: True
@@ -69,535 +74,591 @@ trace_files: !mux
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
     detect_counts:
       - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   compat_engine_v4_create_hostnetwork_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   user_outside_allowed_set:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
     detect_counts:
       - Disallowed K8s User: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   user_in_allowed_set:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   create_disallowed_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_only_apache_container.yaml
     detect_counts:
       - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_allowed_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_privileged_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   create_privileged_no_secctx_1st_container_2nd_container_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
 
   create_privileged_2nd_container_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
 
   create_privileged_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   create_unprivileged_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_unprivileged_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_sensitive_mount_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
 
   create_sensitive_mount_2nd_container_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
 
   create_sensitive_mount_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
 
   create_unsensitive_mount_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
 
   create_unsensitive_mount_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
 
   create_hostnetwork_pod:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   create_hostnetwork_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   create_nohostnetwork_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
 
   create_nohostnetwork_trusted_pod:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
 
   create_nodeport_service:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
       - Create NodePort Service: 1
-    trace_file: trace_files/k8s_audit/create_nginx_service_nodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json
 
   create_nonodeport_service:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json
 
   create_configmap_private_creds:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
       - Create/Modify Configmap With Private Credentials: 6
-    trace_file: trace_files/k8s_audit/create_configmap_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json
 
   create_configmap_no_private_creds:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json
 
   anonymous_user:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Anonymous Request Allowed: 1
-    trace_file: trace_files/k8s_audit/anonymous_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json
 
   pod_exec:
     detect: True
     detect_level: NOTICE
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/exec_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json
 
   pod_attach:
     detect: True
     detect_level: NOTICE
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/attach_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json
 
   namespace_outside_allowed_set:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
     detect_counts:
       - Create Disallowed Namespace: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   namespace_in_allowed_set:
     detect: False
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/minikube_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json
 
   create_pod_in_kube_system_namespace:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json
 
   create_pod_in_kube_public_namespace:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json
 
   create_serviceaccount_in_kube_system_namespace:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
 
   create_serviceaccount_in_kube_public_namespace:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
 
   system_clusterrole_deleted:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
 
   system_clusterrole_modified:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
 
   attach_cluster_admin_role:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach to cluster-admin Role: 1
-    trace_file: trace_files/k8s_audit/attach_cluster_admin_role.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json
 
   create_cluster_role_wildcard_resources:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
 
   create_cluster_role_wildcard_verbs:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
 
   create_writable_cluster_role:
     detect: True
     detect_level: NOTICE
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Write Privileges Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_write_privileges.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json
 
   create_pod_exec_cluster_role:
     detect: True
     detect_level: WARNING
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Pod Exec Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_pod_exec.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json
 
   create_deployment:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Created: 1
-    trace_file: trace_files/k8s_audit/create_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json
 
   delete_deployment:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json
 
   create_service:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Created: 1
-    trace_file: trace_files/k8s_audit/create_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json
 
   delete_service:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json
 
   create_configmap:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Created: 1
-    trace_file: trace_files/k8s_audit/create_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json
 
   delete_configmap:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json
 
   create_namespace:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
     detect_counts:
       - K8s Namespace Created: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   delete_namespace:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Namespace Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json
 
   create_serviceaccount:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Created: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json
 
   delete_serviceaccount:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json
 
   create_clusterrole:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json
 
   delete_clusterrole:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json
 
   create_clusterrolebinding:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json
 
   delete_clusterrolebinding:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json
 
   create_secret:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Secret Created: 1
-    trace_file: trace_files/k8s_audit/create_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json
 
   # Should *not* result in any event as the secret rules skip service account token secrets
   create_service_account_token_secret:
@@ -605,35 +666,38 @@ trace_files: !mux
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
 
   create_kube_system_secret:
     detect: False
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
 
   delete_secret:
     detect: True
     detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Secret Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json
 
   fal_01_003:
     detect: False
-    detect_level: INFO
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/fal_01_003.json
-    stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
+    stderr_contains: 'data not recognized as a k8s audit event'
 
   json_pointer_correct_parse:
     detect: True
@@ -642,4 +706,5 @@ trace_files: !mux
       - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
     detect_counts:
       - json_pointer_example: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

test/falco_test.py

@@ -44,9 +44,6 @@ class FalcoTest(Test):
 
         self.falcodir = self.params.get('falcodir', '/', default=build_dir)
 
-        self.psp_conv_path = os.path.join(build_dir, "falcoctl")
-        self.psp_conv_url = "https://github.com/falcosecurity/falcoctl/releases/download/v0.0.4/falcoctl-0.0.4-linux-amd64"
-
         self.stdout_is = self.params.get('stdout_is', '*', default='')
         self.stderr_is = self.params.get('stderr_is', '*', default='')
 
@@ -111,15 +108,8 @@ class FalcoTest(Test):
             if not isinstance(self.validate_rules_file, list):
                 self.validate_rules_file = [self.validate_rules_file]
 
-        self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
-
-        self.psp_file = self.params.get('psp_file', '*', default="")
-
         self.rules_args = ""
 
-        if self.psp_file != "":
-            self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
-
         for file in self.validate_rules_file:
             if not os.path.isabs(file):
                 file = os.path.join(self.basedir, file)
@@ -127,7 +117,7 @@ class FalcoTest(Test):
 
         for file in self.rules_file:
             if not os.path.isabs(file):
-                file = os.path.join(self.basedir, file)
+                file = os.path.join(self.basedir, file.replace("BUILD_DIR", build_dir))
             self.rules_args = self.rules_args + "-r " + file + " "
 
         self.conf_file = self.params.get(
@@ -593,32 +583,6 @@ class FalcoTest(Test):
         if self.trace_file:
             trace_arg = "-e {}".format(self.trace_file)
 
-        # Possibly run psp converter
-        if self.psp_file != "":
-
-            if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(
-                    self.psp_conv_url, self.psp_conv_path))
-
-                urllib.request.urlretrieve(
-                    self.psp_conv_url, self.psp_conv_path)
-                os.chmod(self.psp_conv_path, stat.S_IEXEC)
-
-            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
-                self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
-
-            conv_proc = process.SubProcess(conv_cmd)
-
-            conv_res = conv_proc.run(timeout=180, sig=9)
-
-            if conv_res.exit_status != 0:
-                self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
-                    conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
-
-            with open(self.psp_rules_file, 'r') as myfile:
-                psp_rules = myfile.read()
-                self.log.debug("Converted Rules: {}".format(psp_rules))
-
         # Run falco
         cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format(
             self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,

test/falco_tests_plugins.yaml

@@ -24,7 +24,7 @@ trace_files: !mux
       - rules/plugins/cloudtrail_create_instances.yaml
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     addl_cmdline_opts: --list-plugins
-    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Type: source plugin.*Name: json.*Type: extractor plugin"
+    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Name: json.*"
 
   list_plugin_fields:
     check_detection_counts: False
@@ -54,35 +54,35 @@ trace_files: !mux
 
   multiple_source_plugins:
     exit_status: 1
-    stderr_contains: "Runtime error: Can not load multiple source plugins. cloudtrail already loaded. Exiting."
+    stderr_contains: "Can not load multiple plugins with event sourcing capability: 'cloudtrail' already loaded."
     conf_file: BUILD_DIR/test/confs/plugins/multiple_source_plugins.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompatible_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugin not compatible with event source aws_cloudtrail. Exiting."
+    stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any enabled event source"
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   overlap_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugins have overlapping compatible event source test_source. Exiting."
+    stderr_contains: "Plugin '.*' supports extraction of field 'test.field' that is overlapping for source 'test_source'"
     conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompat_plugin_api:
     exit_status: 1
-    stderr_contains: "Unsupported plugin required api version 10000000.0.0"
+    stderr_contains: "Plugin required API version '10000000.0.0' is not supported by the plugin API version of the framework '.*'"
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_plugin_api.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompat_plugin_rules_version:
     exit_status: 1
-    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
+    stderr_contains: "Plugin 'cloudtrail' version '.*' is not compatible with required plugin version '100000.0.0'"
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     rules_file:
       - rules/plugins/cloudtrail_incompat_plugin_version.yaml
@@ -103,13 +103,6 @@ trace_files: !mux
       - Cloudtrail Create Instance
     stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
 
-  no_plugins_unknown_source_macro:
-    detect: False
-    rules_file:
-      - rules/plugins/cloudtrail_macro.yaml
-    trace_file: trace_files/empty.scap
-    stderr_contains: "Macro Some Cloudtrail Macro: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
-
   no_plugins_unknown_source_rule_exception:
     detect: False
     rules_file:

test/falco_tests_psp.yaml

@@ -1,666 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-trace_files: !mux
-
-  privileged_detect_k8s_audit:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.json
-
-  privileged_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  privileged_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_pid_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_pid Violation (hostPID)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/host_pid.json
-
-  host_pid_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_ipc_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_ipc Violation (hostIPC)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/host_ipc.json
-
-  host_ipc_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_network Violation (hostNetwork)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/host_network.json
-
-  host_network_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_ports_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP host_ports_100_200_only Violation (hostPorts)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/host_network_ports.json
-
-  host_network_ports_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_secret_volumes Violation (volumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_host_paths_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_mount_host_usr Violation (allowedHostPaths)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  allowed_host_paths_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_flex_volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/flex_volumes.json
-
-  allowed_flex_volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_run_as_any:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_run_as_any_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/write_tmp_test.scap
-
-  read_only_root_fs_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/read_only_root_fs.json
-
-  user_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  user_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  user_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_container.json
-
-  user_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
-
-  user_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
-
-  user_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
-
-  user_must_run_as_non_root_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.json
-
-  user_must_run_as_non_root_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.scap
-
-  user_must_run_as_non_root_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_non_root_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
-
-  user_must_run_as_non_root_no_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_non_root_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
-
-  user_must_run_as_non_root_no_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
-
-  group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  group_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_may_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_may_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_may_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_may_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_may_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_may_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  supplemental_groups_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_must_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_may_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  privilege_escalation_privilege_escalation_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privilege_escalation.yaml
-    trace_file: trace_files/psp/privilege_escalation.json
-
-  allowed_capabilities_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_time.json
-
-  allowed_capabilities_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_capabilities_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_nice.json
-
-  allowed_proc_mount_types_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_unmasked.json
-
-  allowed_proc_mount_types_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_proc_mount_types_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_default.json
-
-  psp_name_with_dashes:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_dashes.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  psp_name_with_spaces:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_spaces.yaml
-    trace_file: trace_files/psp/privileged.scap

test/falco_traces.yaml.in

@@ -164,3 +164,12 @@ traces: !mux
     detect_level: ERROR
     detect_counts:
       - "Write below rpm database": 1
+
+  # This generates two notices starting from https://github.com/falcosecurity/falco/pull/2092
+  # When a new version of the scap files is generated this should then become "traces-positive"
+  docker-compose:
+    trace_file: traces-negative/docker-compose.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Redirect STDOUT/STDIN to Network Connection in Container": 2

test/plugins/test_extract.cpp

@@ -20,14 +20,13 @@ limitations under the License.
 #include <plugin_info.h>
 
 static const char *pl_required_api_version = "1.0.0";
-static uint32_t    pl_type                 = TYPE_EXTRACTOR_PLUGIN;
 static const char *pl_name_base            = "test_extract";
 static char pl_name[1024];
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
 static const char *pl_contact              = "github.com/falcosecurity/falco";
 static const char *pl_version              = "0.1.0";
 static const char *pl_extract_sources      = "[\"test_source\"]";
-static const char *pl_fields               = "[]";
+static const char *pl_fields               = "[{\"type\": \"uint64\", \"name\": \"test.field\", \"desc\": \"Describing test field\"}]";
 
 // This struct represents the state of a plugin. Just has a placeholder string value.
 typedef struct plugin_state
@@ -40,18 +39,12 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }
 
-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 const char* plugin_get_name()
 {
 	// Add a random-ish suffix to the end, as some tests load
 	// multiple copies of this plugin
-	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld\n", pl_name_base, random());
+	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld", pl_name_base, random());
 	return pl_name;
 }
 

test/plugins/test_source.cpp

@@ -21,7 +21,6 @@ limitations under the License.
 #include <plugin_info.h>
 
 static const char *pl_required_api_version = "1.0.0";
-static uint32_t    pl_type                 = TYPE_SOURCE_PLUGIN;
 static uint32_t    pl_id                   = 999;
 static const char *pl_name                 = "test_source";
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
@@ -45,12 +44,6 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }
 
-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 uint32_t plugin_get_id()
 {

test/psps/allowed_capabilities.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_capability_sys_nice
-spec:
-  allowedCapabilities:
-    - SYS_NICE
-

test/psps/allowed_host_paths.yaml

@@ -1,11 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_mount_host_usr
-spec:
-  allowedHostPaths:
-    - pathPrefix: /usr
-      readOnly: true
-

test/psps/allowed_proc_mount_types.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_default_proc_mount_type
-spec:
-  allowedProcMountTypes:
-    - Default
-

test/psps/flex_volumes.yaml

@@ -1,13 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_lvm_cifs_flex_volumes
-spec:
-  volumes:
-    - flexVolume
-  allowedFlexVolumes:
-    - driver: example/lvm
-    - driver: example/cifs
-

test/psps/fs_group_may_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_may_run_as_30
-spec:
-  fsGroup:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/fs_group_must_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_must_run_as_30
-spec:
-  fsGroup:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/fs_group_run_as_any.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_run_as_any
-spec:
-  fsGroup:
-    rule: "RunAsAny"
-

test/psps/group_may_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: group_may_run_as_30
-spec:
-  runAsGroup:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/group_must_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: group_must_run_as_30
-spec:
-  runAsGroup:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/host_ipc.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_ipc
-spec:
-  hostIPC: false

test/psps/host_network.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_network
-spec:
-  hostNetwork: false

test/psps/host_network_ports.yaml

@@ -1,11 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: host_ports_100_200_only
-spec:
-  hostNetwork: true
-  hostPorts:
-    - min: 100
-      max: 200

test/psps/host_pid.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_host_pid
-spec:
-  hostPID: false

test/psps/privilege_escalation.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_privilege_escalation
-spec:
-  allowPrivilegeEscalation: false

test/psps/privileged.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no_privileged
-spec:
-  privileged: false

test/psps/privileged_name_with_dashes.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no-privileged
-spec:
-  privileged: false

test/psps/privileged_name_with_spaces.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: no privileged
-spec:
-  privileged: false

test/psps/read_only_root_fs.yaml

@@ -1,8 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: read_only_root_fs
-spec:
-  readOnlyRootFilesystem: true

test/psps/supplemental_groups_may_run_as_10_20.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_10
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 10
-        max: 20

test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml

@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 10
-        max: 40
-      - min: 10
-        max: 20

test/psps/supplemental_groups_may_run_as_30_40.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml

@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_may_run_as_30_10
-spec:
-  supplementalGroups:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40
-      - min: 10
-        max: 15

test/psps/supplemental_groups_must_run_as_10_20.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_10
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 10
-        max: 20

test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml

@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 10
-        max: 40
-      - min: 10
-        max: 20

test/psps/supplemental_groups_must_run_as_30_40.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml

@@ -1,14 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: supplemental_groups_must_run_as_30_10
-spec:
-  supplementalGroups:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40
-      - min: 10
-        max: 15

test/psps/user_must_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: user_must_run_as_30
-spec:
-  runAsUser:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/user_must_run_as_non_root.yaml

@@ -1,9 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: user_must_run_as_non_root
-spec:
-  runAsUser:
-    rule: "MustRunAsNonRoot"

test/psps/volumes.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_secret_volumes
-spec:
-  volumes:
-    - secret
-

test/requirements.txt

@@ -6,7 +6,7 @@ idna==2.9
 pathtools==0.1.2
 pbr==5.4.5
 PyYAML==5.4
-requests==2.23.0
+requests==2.26.0
 six==1.14.0
 stevedore==1.32.0
 urllib3==1.26.5

test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml

@@ -257,7 +257,7 @@
 
 - rule: ClusterRole With Wildcard Created
   desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
+  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
   output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -265,11 +265,11 @@
 
 - macro: writable_verbs
   condition: >
-    (ka.req.role.rules.verbs contains create or
-     ka.req.role.rules.verbs contains update or
-     ka.req.role.rules.verbs contains patch or
-     ka.req.role.rules.verbs contains delete or
-     ka.req.role.rules.verbs contains deletecollection)
+    (ka.req.role.rules.verbs intersects (create) or
+     ka.req.role.rules.verbs intersects (update) or
+     ka.req.role.rules.verbs intersects (patch) or
+     ka.req.role.rules.verbs intersects (delete) or
+     ka.req.role.rules.verbs intersects (deletecollection))
 
 - rule: ClusterRole With Write Privileges Created
   desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions

test/rules/plugins/cloudtrail_macro.yaml

@@ -1,4 +0,0 @@
-- macro: Some Cloudtrail Macro
-  condition: aws.user=bob
-  source: aws_cloudtrail
-

test/run_regression_tests.sh

@@ -100,13 +100,14 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
 
     if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
         suites+=($SCRIPTDIR/falco_tests_package.yaml)
     fi
 
     if [ "$SKIP_PLUGINS_TESTS" = false ] ; then
+        suites+=($SCRIPTDIR/falco_k8s_audit_tests.yaml)
         suites+=($SCRIPTDIR/falco_tests_plugins.yaml)
     fi
     

test/trace_files/CMakeLists.txt

@@ -1,5 +1,4 @@
 add_subdirectory(k8s_audit)
-add_subdirectory(psp)
 add_subdirectory(plugins)
 
 include(copy_files_to_build_dir)

test/trace_files/psp/CMakeLists.txt

@@ -1,8 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/*.json"
-	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
-
-copy_files_to_build_dir("${test_trace_files}" psp)

test/trace_files/psp/capability_add_sys_nice.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/capability_add_sys_time.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/create_vanilla_nginx_deployment.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:49Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:49Z","auditID":"7c8b2603-6a87-4764-b166-49dd7fa46f4c","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78f5d695bd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78f5d695bd-nxqz5","generateName":"nginx-deployment-78f5d695bd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78f5d695bd-nxqz5","uid":"a2ad81ba-d85f-11e8-88b6-080027728ac4","resourceVersion":"237324","creationTimestamp":"2018-10-25T14:09:49Z","labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:49.750328Z","stageTimestamp":"2018-10-25T14:09:49.761315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/flex_volumes.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"68be6685-eca7-462a-ab53-ae65960ba638","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5575fc4cfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5575fc4cfd-95vmv","generateName":"nginx-deployment-5575fc4cfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5575fc4cfd-95vmv","uid":"bbde0eec-9459-11e9-9dc6-080027cac2d9","resourceVersion":"7185","creationTimestamp":"2019-06-21T19:21:13Z","labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}},{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"},{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T19:21:13.637829Z","stageTimestamp":"2019-06-21T19:21:13.648070Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/fs_group.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80e45c71-0618-4e6a-af42-fa13b83f8d03","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6fc66bd775-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6fc66bd775-z6txl","generateName":"nginx-deployment-6fc66bd775-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6fc66bd775-z6txl","uid":"90c2433c-9462-11e9-9dc6-080027cac2d9","resourceVersion":"8201","creationTimestamp":"2019-06-21T20:24:26Z","labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T20:24:26.783217Z","stageTimestamp":"2019-06-21T20:24:26.790787Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/host_ipc.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e2c061fc-7b81-4e1e-b1d2-a54b5ee93920","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-755c58cb7c-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-755c58cb7c-vrx4n","generateName":"nginx-deployment-755c58cb7c-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-755c58cb7c-vrx4n","uid":"cd67586f-9232-11e9-b061-08002760e39e","resourceVersion":"1628","creationTimestamp":"2019-06-19T01:37:30Z","labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:37:30.360992Z","stageTimestamp":"2019-06-19T01:37:30.365019Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/host_network.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"f7c424ca-5028-4e01-9d95-199caaae240d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5dc5447c47-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5dc5447c47-fp5m4","generateName":"nginx-deployment-5dc5447c47-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5dc5447c47-fp5m4","uid":"3558a533-944d-11e9-993f-080027cac2d9","resourceVersion":"619","creationTimestamp":"2019-06-21T17:51:33Z","labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T17:51:33.989119Z","stageTimestamp":"2019-06-21T17:51:33.994788Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/host_network_ports.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"ff8f799f-6d31-43e8-a55c-95497daca0f2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-84ffbbb976-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-84ffbbb976-5tnlg","generateName":"nginx-deployment-84ffbbb976-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-84ffbbb976-5tnlg","uid":"87447a8c-944f-11e9-993f-080027cac2d9","resourceVersion":"1841","creationTimestamp":"2019-06-21T18:08:10Z","labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T18:08:10.423301Z","stageTimestamp":"2019-06-21T18:08:10.432566Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/host_pid.json

@@ -1,2 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
-

test/trace_files/psp/mount_etc_using_host_path.json

@@ -1 +0,0 @@
-{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}

test/trace_files/psp/privilege_escalation.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"eaf82da5-32c1-4acf-83f1-6da93c5242f0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78d8d6bdfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78d8d6bdfd-tps4s","generateName":"nginx-deployment-78d8d6bdfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78d8d6bdfd-tps4s","uid":"550fa465-986c-11e9-81be-080027f777c0","resourceVersion":"15688","creationTimestamp":"2019-06-26T23:44:26Z","labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T23:44:26.246566Z","stageTimestamp":"2019-06-26T23:44:26.252565Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}

test/trace_files/psp/privileged.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:12Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:12Z","auditID":"a362d22b-db3c-4590-9505-23782f12925f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5cdcc99dbf-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5cdcc99dbf-rgw6z","generateName":"nginx-deployment-5cdcc99dbf-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5cdcc99dbf-rgw6z","uid":"8c845395-d85f-11e8-88b6-080027728ac4","resourceVersion":"237252","creationTimestamp":"2018-10-25T14:09:12Z","labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:12.572676Z","stageTimestamp":"2018-10-25T14:09:12.581541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}