Use url-safe characters in falco version

In some cases, you might want to host falco packages in a way where they're directly accessible via http. The '+' character that separates the version and the git hash ends up breaking naive solutions that don't properly url-escape the package name before doing the http fetch. Of course, clients can properly url-escape, but switching to a tilde is url safe and I think still preserves the idea of separating the version and hash. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Pocteo as an adopter
2026-03-25 14:13:41 +00:00 · 2021-03-11 14:41:35 -08:00 · 2021-03-11 16:58:59 +01:00 · 2021-03-10 18:00:52 +01:00 · 2021-03-05 12:22:47 +01:00 · 2021-03-05 12:22:47 +01:00
17 changed files with 361 additions and 63 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -462,7 +462,19 @@ jobs:
      - checkout
      - setup_remote_docker
      - run:
-          name: Build and publish falco to AWS
+          name: Build and publish no-driver (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
+            docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
+            docker push "public.ecr.aws/falcosecurity/falco:master-slim"
+      - run:
+          name: Build and publish falco (dev) to AWS
          command: |
            apk update
            apk add --update groff less py-pip
@@ -471,6 +483,15 @@ jobs:
            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
            docker push "public.ecr.aws/falcosecurity/falco:master"
+      - run:
+          name: Build and publish driver-loader (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
  # Publish the packages
  "publish/packages":
    docker:
@@ -546,6 +567,21 @@ jobs:
          at: /
      - checkout
      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
      - run:
          name: Build and publish falco to AWS
          command: |
@@ -557,6 +593,17 @@ jobs:
            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
            docker push "public.ecr.aws/falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
 workflows:
  version: 2
  build_and_test:
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -15,6 +15,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

+* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
+
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/

@@ -26,5 +28,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.

-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.

+* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
+
+* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -27,7 +27,7 @@ if(NOT FALCO_VERSION)
      set(FALCO_VERSION "0.0.0")
    endif()
    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    string(REPLACE "-g" "~" FALCO_VERSION "${FALCO_VERSION}")
  else()
    # A tag has been found: use it as the Falco version
    set(FALCO_VERSION "${FALCO_TAG}")
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -45,7 +45,7 @@ else ()
    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
    ExternalProject_Add(
            jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,17 +1,16 @@
 # Falco Dockerfiles

-This directory contains various ways to package Falco as a container and related tools. 
+This directory contains various ways to package Falco as a container and related tools.

 ## Currently Supported Images

 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

 > Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
-
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -18,10 +18,12 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
@@ -39,15 +41,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -56,13 +58,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -96,10 +98,10 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -48,15 +48,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml

 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=$(pip show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

 cat <<EOF
--- a/falco.yaml
+++ b/falco.yaml
@@ -152,11 +152,14 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-
+#
+# It also exposes a healthy endpoint that can be used to check if Falco is up and running
+# By default the endpoint is /healthz
 webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s-audit
+  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

--- a/proposals/2021019-libraries-donation.md
+++ b/proposals/2021019-libraries-donation.md
@@ -0,0 +1,167 @@
+# OSS Libraries Donation Plan
+
+## Summary
+
+Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
+
+This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
+
+This plan aims to describe and clarify the terms and goals to get the donation done.
+
+## Motivation
+
+There are two main OSS projects using the libraries and drivers that we are aware of:
+
+- [sysdig](https://github.com/draios/sysdig)  the command line tool
+- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
+
+Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
+
+Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
+
+This change is win-win for both parties because of the following reasons:
+
+- The Falco community owns the source code of the three most important parts of the software it distributes.
+  - Right now it is "only" an engine on top of the libraries. This **donation** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
+
+- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
+
+- Sysdig (the company) can now focus on the user experience and user space features
+
+- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
+
+- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
+
+## Goals
+
+There are many sub-projects and each of them interacts in a different way in this donation.
+
+Let's see the goals per sub-project.
+
+### libsinsp
+
+1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the donation is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
+
+19. Document the API
+
+### libscap
+
+1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the donation is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libscap  release process for the build
+
+19. Document the API
+
+### Drivers: Kernel module and eBPF probe
+
+1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the Makefiles and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
+
+9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+10. Every other additional change will need to have its own process with a proposal
+
+11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
+
+    - Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
+
+12. This project will go already "Official support" once the migration is completed.
+
+### Falco
+
+1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
+
+2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
+
+### Driverkit
+
+1. Change the source location for the drivers to point to the new driver repository
+
+### pdig
+
+1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -201,7 +201,7 @@
 # The explicit quotes are needed to avoid the - characters being
 # interpreted by the filter expression.
 - list: rpm_binaries
-  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
+  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, rhsmcertd, subscription-ma,
          repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
          abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]

@@ -211,7 +211,7 @@
 - list: deb_binaries
  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
    frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache
+    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache, apt.systemd.dai
    ]

 # The truncated dpkg-preconfigu is intentional, process names are
@@ -1724,6 +1724,25 @@
       container.image.repository endswith /prometheus-node-exporter or
       container.image.repository endswith /image-inspector))

+# 602401143452.dkr.ecr is official AWS EKS registry. AWS has different ECR repo per region
+# 602401143452.dkr.ecr.eu-west-1.amazonaws.com/eks/kube-proxy
+# 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/kube-proxy
+# For this reason we use two macro to match all regions 
+- macro: allowed_aws_eks_registry_root
+  condition: >
+        (container.image.repository startswith "602401143452.dkr.ecr")
+
+- macro: aws_eks_image
+  condition: >
+        (allowed_aws_eks_registry_root and
+        (container.image.repository endswith ".amazonaws.com/amazon-k8s-cni" or
+        container.image.repository endswith ".amazonaws.com/eks/kube-proxy"))
+
+- macro: aws_eks_image_sensitive_mount
+  condition: >
+        (allowed_aws_eks_registry_root and container.image.repository endswith ".amazonaws.com/amazon-k8s-cni")
+
+
 # These images are allowed both to run with --privileged and to mount
 # sensitive paths from the host filesystem.
 #
@@ -1780,7 +1799,7 @@
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
    docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
-    amazon/amazon-ecs-agent
+    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
    ]

 # These container images are allowed to run with hostnetwork=true
@@ -1811,6 +1830,7 @@
    container_started and container
    and container.privileged=true
    and not openshift_image
+    and not aws_eks_image
  exceptions:
    - name: image_repo
      fields: container.image.repository
@@ -1865,6 +1885,7 @@
    container_started and container
    and sensitive_mount
    and not user_sensitive_mount_containers
+    and not aws_eks_image_sensitive_mount
  exceptions:
    - name: image_repo
      fields: container.image.repository
@@ -2334,6 +2355,13 @@
  tags: [network, container, mitre_discovery]


+# Containers from IBM Cloud
+- list: ibm_cloud_containers
+  items:
+    - icr.io/ext/sysdig/agent
+    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
+    - registry.ng.bluemix.net/armada-master/olm
+
 # In a local/user rules file, list the namespace or container images that are
 # allowed to contact the K8s API Server from within a container. This
 # might cover cases where the K8s infrastructure itself is running
@@ -2343,7 +2371,10 @@
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
-     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco, 
+     fluent/fluentd-kubernetes-daemonset, prom/prometheus,
+     ibm_cloud_containers)
+     or (k8s.ns.name = "kube-system"))

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -3114,7 +3145,17 @@
  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, process]
+  
+#This rule helps detect CVE-2021-3156:
+#A privilege escalation to root through heap-based buffer overflow
+- rule: Sudo Potential Privilege Escalation
+  desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
+  priority: CRITICAL
+  tags: [filesystem, mitre_privilege_escalation]

 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
+
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -50,7 +50,9 @@
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
    "system:addon-manager",
-    "cloud-controller-manager"
+    "cloud-controller-manager",
+    "eks:node-manager",
+    "system:kube-controller-manager"
    ]

 - rule: Disallowed K8s User
@@ -345,7 +347,9 @@
  tags: [k8s]

 - list: user_known_sa_list
-  items: []
+  items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector", 
+          "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
+          "endpoint-controller"]

 - macro: trusted_sa
  condition: (ka.target.name in (user_known_sa_list))
--- a/test/README.md
+++ b/test/README.md
@@ -2,7 +2,7 @@

 This folder contains the Regression tests suite for Falco.

-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).

 ## Test suites

@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he

 This step assumes you already built Falco.

-Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.

 Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:

--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -34,6 +34,7 @@ falco_configuration::falco_configuration():
 	m_webserver_enabled(false),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_audit_endpoint("/k8s-audit"),
+	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_config(NULL)
 {
@@ -193,6 +194,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
 	m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
 	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
+	m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");

--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -216,6 +216,7 @@ public:
 	bool m_webserver_enabled;
 	uint32_t m_webserver_listen_port;
 	std::string m_webserver_k8s_audit_endpoint;
+	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
 	std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -34,6 +34,15 @@ k8s_audit_handler::~k8s_audit_handler()
 {
 }

+bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
+{
+	const std::string status_body = "{\"status\": \"ok\"}";
+	mg_send_http_ok(conn, "application/json", status_body.size());
+	mg_printf(conn, "%s", status_body.c_str());
+
+	return true;
+}
+
 bool k8s_audit_handler::accept_data(falco_engine *engine,
 				    falco_outputs *outputs,
 				    std::string &data,
@@ -148,7 +157,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
 		return true;
 	}

-	std::string ok_body = "<html><body>Ok</body></html>";
+	const std::string ok_body = "<html><body>Ok</body></html>";
 	mg_send_http_ok(conn, "text/html", ok_body.size());
 	mg_printf(conn, "%s", ok_body.c_str());

@@ -233,6 +242,8 @@ void falco_webserver::start()

 	m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
 	m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
+	m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
+	m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
 }

 void falco_webserver::stop()
@@ -241,5 +252,6 @@ void falco_webserver::stop()
 	{
 		m_server = NULL;
 		m_k8s_audit_handler = NULL;
+		m_k8s_healthz_handler = NULL;
 	}
 }
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -41,6 +41,20 @@ private:
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };

+class k8s_healthz_handler : public CivetHandler
+{
+public:
+	k8s_healthz_handler()
+	{
+	}
+
+	virtual ~k8s_healthz_handler()
+	{
+	}
+
+	bool handleGet(CivetServer *server, struct mg_connection *conn);
+};
+
 class falco_webserver
 {
 public:
@@ -60,4 +74,5 @@ private:
 	falco_outputs *m_outputs;
 	unique_ptr<CivetServer> m_server;
 	unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
+	unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
 };
Author	SHA1	Message	Date
Mark Stemm	09ac4b9ff6	Use url-safe characters in falco version In some cases, you might want to host falco packages in a way where they're directly accessible via http. The '+' character that separates the version and the git hash ends up breaking naive solutions that don't properly url-escape the package name before doing the http fetch. Of course, clients can properly url-escape, but switching to a tilde is url safe and I think still preserves the idea of separating the version and hash. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2021-03-11 14:41:35 -08:00
POCTEO	34bbe2984f	Pocteo as an adopter Signed-off-by: Walid DRIDI <contact@pocteo.co>	2021-03-11 16:58:59 +01:00
Leonardo Grasso	825e6caf2d	build: fetch build deps from download.falco.org Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2021-03-10 18:00:52 +01:00
jonahjon	96ad761308	adding falco-slim build/push Signed-off-by: jonahjon <jonahjones094@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	bb7ce37159	fix(.circleci): correctly publish the falco-driver-loader container image from master to AWS ECR gallery Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	c66d056f67	fix(.circleci): the falco-driver-loader container images requires FALCO_IMAGE_TAG build arg (release to AWS ECR gallery) Signed-off-by: Leonardo Di Donato	2021-03-05 12:22:47 +01:00
Leo Di Donato	6a2759fe94	update(.circleci): tag falco-no-driver:<tag> image as falco-no-driver:latest, falco:<tag>-slim, and falco:latest-slim And publish them too. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	b91c5b613a	update(.circleci): falco-no-driver:latest from bin bucket Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
Leo Di Donato	6fe9f8da0b	fix(.circleci): falco-no-driver container images grabs Falco from the bin[-dev] bucket Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-03-05 12:22:47 +01:00
jonahjon	e888a1d354	adding other alternate AWS builds to circleCI Signed-off-by: jonahjon <jonahjones094@gmail.com>	2021-03-05 12:22:47 +01:00
Isaac Rivera	6e746d71ba	fixing typo Signed-off-by: Isaac Rivera <irivera007@yahoo.com>	2021-03-05 12:16:33 +01:00
Isaac Rivera	2de8176c88	adding shapesecurity to adopters Signed-off-by: Isaac Rivera <irivera007@yahoo.com>	2021-03-05 12:16:33 +01:00
Shane Lawrence	74164b1ef8	Use default pip version to get avocado version. Signed-off-by: Shane Lawrence <shane@lawrence.dev>	2021-03-05 10:50:27 +01:00
Shane Lawrence	da8f054043	Fix broken links to docs. Signed-off-by: Shane Lawrence <shane@lawrence.dev>	2021-03-05 10:48:21 +01:00
Bart van der Schans	05545f228d	Add flex and bison to docker for building bpf module on recent amazon linux2 Signed-off-by: Bart van der Schans <bart@vanderschans.nl>	2021-03-05 10:46:10 +01:00
Spencer Krum	b3693a0b75	chore(rules): Add ibmcloud operator lifecycle manager Signed-off-by: Spencer Krum <nibz@spencerkrum.com>	2021-02-19 12:35:30 +01:00
Spencer Krum	a54f946135	chore(rules): Rule exceptions for ibm cloud Whitelist ibm images for connecting to k8s api server IBM Observability by Sysdig has a vendored sysdig/agent image. IBM's Kubernetes Service ships with an operator manager. Example: 19:12:45.090908160: Notice Unexpected connection to K8s API Server from container (command=catalog -namespace ibm-system -configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1 k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1 connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0 IBM's Kubernetes service also ships with a metrics collecting agent Signed-off-by: Spencer Krum <nibz@spencerkrum.com>	2021-02-19 12:35:30 +01:00
Leonardo Grasso	85db1aa997	fix(rules): correct indentation Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2021-02-19 09:24:55 +01:00
ismail yenigul	37a6caae12	remove commercial images to unblock PR add endpoint-controller to user_known_sa_list related event: { "output": "05:19:25.557989888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=endpoint-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-16T05:19:25.557989888Z", "output_fields": { "jevt.time": "05:19:25.557989888", "ka.target.name": "endpoint-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>	2021-02-19 09:24:55 +01:00
ismail yenigul	2d962dfcb0	rebase to master update user_known_sa_list with k8s internal sa in kube-system { "output": "10:27:56.539783936: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=replicaset-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T10:27:56.539783936Z", "output_fields": { "jevt.time": "10:27:56.539783936", "ka.target.name": "replicaset-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } { "output": "17:06:18.267429888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=deployment-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T17:06:18.267429888Z", "output_fields": { "jevt.time": "17:06:18.267429888", "ka.target.name": "deployment-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } } and more.. Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>	2021-02-19 09:24:55 +01:00
Petr Michalec	541845156f	rhsm cert updates Signed-off-by: Petr Michalec <epcim@apealive.net> Signed-off-by: Petr Michalec <pmichalec@ves.io>	2021-02-18 15:42:06 +01:00
darryk5	0879523776	update: add review suggestions for Rule Sudo Potential Privilege Escalation Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>	2021-02-17 21:36:51 +01:00
darryk5	81e880b486	Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156) See #1540 Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Lorenzo Fontana <lo@linux.com>	2021-02-17 21:36:51 +01:00
Carlos Panato	f140cdfd68	falco: add healthz endpoint Signed-off-by: Carlos Panato <ctadeu@gmail.com>	2021-02-11 20:29:07 +01:00
Matteo Baiguini	6408270476	Added Swissblock to list of adopters Signed-off-by: Matteo Baiguini <mbaiguini@swissblock.net>	2021-02-05 11:46:07 +01:00
Carlos Panato	5a6cbb190c	docs: update link for building from source Signed-off-by: Carlos Panato <ctadeu@gmail.com>	2021-02-04 17:37:57 +01:00
ismail yenigul	959811a503	add eks:node-manager to allowed_k8s_users list eks:node-manager is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate. Reference: https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/logging-monitoring.md Related falco log ``` {"output":"10:56:31.181308928: Warning K8s Operation performed by user not in allowed list of users (user=eks:node-manager target=aws-auth/configmaps verb=get uri=/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s resp=200)","priority":"Warning","rule":"Disallowed K8s User","time":"2021-01-26T10:56:31.181308928Z", "output_fields": {"jevt.time":"10:56:31.181308928","ka.response.code":"200","ka.target.name":"aws-auth","ka.target.resource":"configmaps","ka.uri":"/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s","ka.user.name":"eks:node-manager","ka.verb":"get"}} ``` Signed-off-by: ismailyenigul <ismailyenigul@gmail.com>	2021-02-04 17:33:54 +01:00
Leonardo Di Donato	19fe7240e2	new(proposals): libraries donation Donate: - libsinsp - libscap - the kernel module driver - the eBPF driver sources by moving them to the Falco project. Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2021-02-04 17:29:42 +01:00