Kris Nova
258103be08 adding changes for laptop 2020-06-16 11:17:16 -07:00
Kris Nova
f35cc98126 feat(debug): More debug for testing in GKE
Signed-off-by: Kris Nova <kris@nivenly.com>
2020-06-10 21:26:06 -07:00
Kris Nova
94149e4b00 feat(debug): Just pushing my work up so I can go work from the couch
I will squash this and most of this is throw away code anyway.

Signed-off-by: Kris Nova <kris@nivenly.com>
2020-06-10 19:06:24 -07:00
171 changed files with 3086 additions and 8145 deletions


@@ -1,4 +0,0 @@
approvers:
- jonahjon
reviewers:
- jonahjon


@@ -1,85 +1,5 @@
version: 2 version: 2
jobs: jobs:
# Build a statically linked Falco release binary using musl
# This build is 100% static, there are no host dependencies
"build/musl":
docker:
- image: alpine:3.12
steps:
- checkout:
path: /source-static/falco
- run:
name: Update base image
command: apk update
- run:
name: Install build dependencies
command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
- run:
name: Prepare project
command: |
mkdir -p /build-static/release
cd /build-static/release
cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
- run:
name: Build
command: |
cd /build-static/release
make -j4 all
- run:
name: Package
command: |
cd /build-static/release
make -j4 package
- run:
name: Run unit tests
command: |
cd /build-static/release
make tests
- run:
name: Prepare artifacts
command: |
mkdir -p /tmp/packages
cp /build-static/release/*.tar.gz /tmp/packages
- store_artifacts:
path: /tmp/packages
destination: /packages
- persist_to_workspace:
root: /
paths:
- build-static/release
- source-static
# Build the minimal Falco
# This build only contains the Falco engine and the basic input/output.
"build/minimal":
docker:
- image: ubuntu:focal
steps:
- checkout
- run:
name: Update base image
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
- run:
name: Prepare project
command: |
mkdir build-minimal
pushd build-minimal
cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
popd
- run:
name: Build
command: |
pushd build-minimal
make -j4 all
popd
- run:
name: Run unit tests
command: |
pushd build-minimal
make tests
popd
# Build using ubuntu LTS # Build using ubuntu LTS
# This build is dynamic, most dependencies are taken from the OS # This build is dynamic, most dependencies are taken from the OS
"build/ubuntu-focal": "build/ubuntu-focal":
@@ -144,72 +64,8 @@ jobs:
pushd build pushd build
make tests make tests
popd popd
# Build using Ubuntu Bionic Beaver (18.04)
# This build is static, dependencies are bundled in the Falco binary
"build/ubuntu-bionic":
docker:
- image: ubuntu:bionic
steps:
- checkout
- run:
name: Update base image
command: apt update -y
- run:
name: Install dependencies
command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
- run:
name: Prepare project
command: |
mkdir build
pushd build
cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
popd
- run:
name: Build
command: |
pushd build
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
popd
- run:
name: Run unit tests
command: |
pushd build
make tests
popd
# Build using CentOS 8
# This build is static, dependencies are bundled in the Falco binary
"build/centos8":
docker:
- image: centos:8
steps:
- checkout
- run:
name: Update base image
command: dnf update -y
- run:
name: Install dependencies
command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
- run:
name: Prepare project
command: |
mkdir build
pushd build
cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
popd
- run:
name: Build
command: |
pushd build
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
popd
- run:
name: Run unit tests
command: |
pushd build
make tests
popd
# Build using our own builder base image using centos 7 # Build using our own builder base image using centos 7
# This build is static, dependencies are bundled in the Falco binary # This build is static, dependencies are bundled in the falco binary
"build/centos7": "build/centos7":
docker: docker:
- image: falcosecurity/falco-builder:latest - image: falcosecurity/falco-builder:latest
@@ -246,7 +102,7 @@ jobs:
path: /tmp/packages path: /tmp/packages
destination: /packages destination: /packages
# Debug build using our own builder base image using centos 7 # Debug build using our own builder base image using centos 7
# This build is static, dependencies are bundled in the Falco binary # This build is static, dependencies are bundled in the falco binary
"build/centos7-debug": "build/centos7-debug":
docker: docker:
- image: falcosecurity/falco-builder:latest - image: falcosecurity/falco-builder:latest
@@ -282,25 +138,6 @@ jobs:
- run: - run:
name: Execute integration tests name: Execute integration tests
command: /usr/bin/entrypoint test command: /usr/bin/entrypoint test
- store_test_results:
path: /build/release/integration-tests-xunit
"tests/integration-static":
docker:
- image: falcosecurity/falco-tester:latest
environment:
SOURCE_DIR: "/source-static"
BUILD_DIR: "/build-static"
BUILD_TYPE: "release"
SKIP_PACKAGES_TESTS: "true"
steps:
- setup_remote_docker
- attach_workspace:
at: /
- run:
name: Execute integration tests
command: /usr/bin/entrypoint test
- store_test_results:
path: /build-static/release/integration-tests-xunit
"tests/driver-loader/integration": "tests/driver-loader/integration":
machine: machine:
image: ubuntu-1604:202004-01 image: ubuntu-1604:202004-01
@@ -310,33 +147,6 @@ jobs:
- run: - run:
name: Execute driver-loader integration tests name: Execute driver-loader integration tests
command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/ command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
# Code quality
"quality/static-analysis":
docker:
- image: falcosecurity/falco-builder:latest
environment:
BUILD_TYPE: "release"
steps:
- run:
name: Install cppcheck
command: |
yum update -y
yum install epel-release -y
yum install cppcheck cppcheck-htmlreport -y
- checkout:
path: /source/falco
- run:
name: Prepare project
command: /usr/bin/entrypoint cmake
- run:
name: cppcheck
command: /usr/bin/entrypoint cppcheck
- run:
name: cppcheck html report
command: /usr/bin/entrypoint cppcheck_htmlreport
- store_artifacts:
path: /build/release/static-analysis-reports
destination: /static-analysis-reports
# Sign rpm packages # Sign rpm packages
"rpm/sign": "rpm/sign":
docker: docker:
@@ -393,34 +203,10 @@ jobs:
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run: - run:
name: Publish bin-dev name: Publish tgz-dev
command: | command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Clenup the Falco development release packages
"cleanup/packages-dev":
docker:
- image: docker.bintray.io/jfrog/jfrog-cli-go:latest
steps:
- checkout:
path: /source/falco
- run:
name: Prepare env
command: |
apk add --no-cache --update
apk add curl jq
- run:
name: Only keep the 10 most recent Falco development release tarballs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
- run:
name: Only keep the 50 most recent Falco development release RPMs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
- run:
name: Only keep the 50 most recent Falco development release DEBs
command: |
/source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
# Publish docker packages # Publish docker packages
"publish/docker-dev": "publish/docker-dev":
docker: docker:
@@ -452,25 +238,6 @@ jobs:
docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push falcosecurity/falco-driver-loader:master docker push falcosecurity/falco-driver-loader:master
# Publish container images to AWS ECR Public
"publish/container-images-aws-dev":
docker:
- image: docker:stable
steps:
- attach_workspace:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish falco to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:master"
# Publish the packages # Publish the packages
"publish/packages": "publish/packages":
docker: docker:
@@ -496,10 +263,10 @@ jobs:
FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
- run: - run:
name: Publish bin name: Publish tgz
command: | command: |
FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
# Publish docker packages # Publish docker packages
"publish/docker": "publish/docker":
docker: docker:
@@ -537,44 +304,17 @@ jobs:
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
docker push "falcosecurity/falco-driver-loader:latest" docker push "falcosecurity/falco-driver-loader:latest"
# Publish container images to AWS ECR Public
"publish/container-images-aws":
docker:
- image: docker:stable
steps:
- attach_workspace:
at: /
- checkout
- setup_remote_docker
- run:
name: Build and publish falco to AWS
command: |
apk update
apk add --update groff less py-pip
pip install awscli
docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
docker push "public.ecr.aws/falcosecurity/falco:latest"
workflows: workflows:
version: 2 version: 2
build_and_test: build_and_test:
jobs: jobs:
- "build/musl"
- "build/minimal"
- "build/ubuntu-focal" - "build/ubuntu-focal"
- "build/ubuntu-focal-debug" - "build/ubuntu-focal-debug"
- "build/ubuntu-bionic"
- "build/centos8"
- "build/centos7" - "build/centos7"
- "build/centos7-debug" - "build/centos7-debug"
- "tests/integration": - "tests/integration":
requires: requires:
- "build/centos7" - "build/centos7"
- "tests/integration-static":
requires:
- "build/musl"
- "tests/driver-loader/integration": - "tests/driver-loader/integration":
requires: requires:
- "build/centos7" - "build/centos7"
@@ -596,16 +336,6 @@ workflows:
only: master only: master
requires: requires:
- "rpm/sign" - "rpm/sign"
- "tests/integration-static"
- "cleanup/packages-dev":
context: falco
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- "publish/packages-dev"
- "publish/docker-dev": - "publish/docker-dev":
context: falco context: falco
filters: filters:
@@ -616,24 +346,8 @@ workflows:
requires: requires:
- "publish/packages-dev" - "publish/packages-dev"
- "tests/driver-loader/integration" - "tests/driver-loader/integration"
- "publish/container-images-aws-dev":
context: test-infra # contains Falco AWS credentials
filters:
tags:
ignore: /.*/
branches:
only: master
requires:
- publish/docker-dev
# - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
release: release:
jobs: jobs:
- "build/musl":
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- "build/centos7": - "build/centos7":
filters: filters:
tags: tags:
@@ -652,7 +366,6 @@ workflows:
- "publish/packages": - "publish/packages":
context: falco context: falco
requires: requires:
- "build/musl"
- "rpm/sign" - "rpm/sign"
filters: filters:
tags: tags:
@@ -668,12 +381,3 @@ workflows:
only: /.*/ only: /.*/
branches: branches:
ignore: /.*/ ignore: /.*/
- "publish/container-images-aws":
context: test-infra # contains Falco AWS credentials
requires:
- "publish/docker"
filters:
tags:
only: /.*/
branches:
ignore: /.*/
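Review bot: The changed `Publish tgz-dev` step in the `@@ -393,34 +203,10 @@` hunk expands the Bintray API key straight onto the command line (`jfrog bt u ... --user poiana --key ${BINTRAY_SECRET} ...`), and the `Publish tgz` step in `@@ -496,10 +263,10 @@` does the same; the unchanged rpm steps just above each of them share the pattern. Command-line arguments are readable by any process in the executor and would be printed verbatim if shell tracing were ever enabled for the step, which the `docker login --password-stdin` steps elsewhere in this file already take care to avoid. If the jfrog CLI offers a configuration- or environment-based way to supply the key, prefer it; at minimum add `# BINTRAY_SECRET is expanded onto the command line below; never enable shell tracing (set -x) in this step` above the `command: |` line so the exposure is documented. The enclosing job definitions for both steps start outside their hunks.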

.github/stale.yml vendored Normal file

@@ -0,0 +1,19 @@
# Number of days of inactivity before an issue becomes stale
daysUntilStale: 60
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 7
# Issues with these labels will never be considered stale
exemptLabels:
- cncf
- roadmap
- enhancement
- "help wanted"
# Label to use when marking an issue as stale
staleLabel: wontfix
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Thank you
for your contributions.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false
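Review bot: `staleLabel: wontfix` near the end of the hunk applies a "wontfix" label to every issue that merely went quiet for 60 days, which presents inactivity as a maintainer decision and makes the label useless for triage; a dedicated label such as `staleLabel: stale` keeps the two meanings apart. The `markComment: >` folded scalar also keeps a trailing newline in the posted comment, so `markComment: >-` would be the tidier form, though the bot presumably tolerates either.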

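--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 *~
 *.pyc
+test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
 test/traces-info
@@ -10,6 +11,8 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build
+userspace/falco/lua/re.lua
+userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua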


@@ -1,6 +1,7 @@
std = "min" std = "min"
cache = true cache = true
include_files = { include_files = {
"userspace/falco/lua/*.lua",
"userspace/engine/lua/*.lua", "userspace/engine/lua/*.lua",
"userspace/engine/lua/lyaml/*.lua", "userspace/engine/lua/lyaml/*.lua",
"*.luacheckrc" "*.luacheckrc"


@@ -8,12 +8,7 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system. * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production. * [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
* https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements. * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
* https://hipaa.preferral.com/01-preferral_hipaa_compliance/ * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
@@ -26,5 +21,5 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards. * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc. * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.


@@ -1,276 +1,10 @@
# Change Log # Change Log
## v0.27.0 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
Released on 2021-01-18
### Major Changes
* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
### Minor Changes
* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
### Bug Fixes
* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
### Rule Changes
* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
### Non user-facing changes
* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
* further improvements outputs impl. [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
## v0.26.2
Released on 2020-11-10
### Major Changes
* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
## v0.26.1
Released on 2020-10-01
### Major Changes
* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
### Rule Changes
* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
## v0.26.0
Released on 2020-24-09
### Major Changes
* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
### Minor Changes
* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
### Rule Changes
* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
## v0.25.0
Released on 2020-08-25
### Major Changes
* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
### Minor Changes
* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
### Bug Fixes
* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
### Rule Changes
* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
## v0.24.0
Released on 2020-07-16
### Major Changes
* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`) [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
### Minor Changes
* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
### Bug Fixes
* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
### Rule Changes
* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Schedule Cron Jobs): exclude known cron jobs [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro trusted_pod): defines trusted pods by an image list [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
## v0.23.0 ## v0.23.0
Released on 2020-05-18 Released on 2020-18-05
### Major Changes ### Major Changes
@@ -312,7 +46,7 @@ Released on 2020-05-18
## v0.22.1 ## v0.22.1
Released on 2020-04-17 Released on 2020-17-04
### Major Changes ### Major Changes
@@ -332,7 +66,7 @@ Released on 2020-04-17
## v0.22.0 ## v0.22.0
Released on 2020-04-16 Released on 2020-16-04
### Major Changes ### Major Changes


@@ -16,17 +16,6 @@ project(falco)
option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF) option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF) option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
if (${EP_UPDATE_DISCONNECTED})
set_property(
DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
PROPERTY EP_UPDATE_DISCONNECTED TRUE)
endif()
# Elapsed time # Elapsed time
# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -61,15 +50,7 @@ else()
endif() endif()
message(STATUS "Build type: ${CMAKE_BUILD_TYPE}") message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
if(MINIMAL_BUILD) set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
endif()
if(MUSL_OPTIMIZED_BUILD)
set(MUSL_FLAGS "-static -Os")
endif()
set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
if(BUILD_WARNINGS_AS_ERRORS) if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_SUPPRESSED_WARNINGS set(CMAKE_SUPPRESSED_WARNINGS
@@ -92,7 +73,7 @@ include(GetFalcoVersion)
set(PACKAGE_NAME "falco") set(PACKAGE_NAME "falco")
set(PROBE_NAME "falco") set(PROBE_NAME "falco")
set(PROBE_DEVICE_NAME "falco") set(PROBE_DEVICE_NAME "falco")
set(DRIVERS_REPO "https://download.falco.org/driver") set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
set(CMAKE_INSTALL_PREFIX set(CMAKE_INSTALL_PREFIX
/usr /usr
@@ -112,7 +93,7 @@ message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
set(NJSON_INCLUDE "${NJSON_SRC}/single_include") set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
ExternalProject_Add( ExternalProject_Add(
njson njson
URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz" URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801" URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
CONFIGURE_COMMAND "" CONFIGURE_COMMAND ""
BUILD_COMMAND "" BUILD_COMMAND ""
@@ -124,31 +105,83 @@ set(CURSES_NEED_NCURSES TRUE)
find_package(Curses REQUIRED) find_package(Curses REQUIRED)
message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}") message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
# b64 # libb64
include(b64) set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
message(STATUS "Using bundled b64 in '${B64_SRC}'")
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
ExternalProject_Add(
b64
URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
# yaml-cpp # yaml-cpp
include(yaml-cpp) include(yaml-cpp)
if(NOT MINIMAL_BUILD) # OpenSSL
# OpenSSL include(OpenSSL)
include(OpenSSL)
# libcurl # libcurl
include(cURL) include(cURL)
endif()
# LuaJIT # LuaJIT
include(luajit) set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
ExternalProject_Add(
luajit
URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
INSTALL_COMMAND "")
# Lpeg # Lpeg
include(lpeg) set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
set(LPEG_DEPENDENCIES "")
list(APPEND LPEG_DEPENDENCIES "luajit")
ExternalProject_Add(
lpeg
DEPENDS ${LPEG_DEPENDENCIES}
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
CONFIGURE_COMMAND ""
INSTALL_COMMAND "")
# libyaml # libyaml
include(libyaml) find_library(LIBYAML_LIB NAMES libyaml.so)
if(LIBYAML_LIB)
message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libyaml")
endif()
# lyaml # lyaml
include(lyaml) set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
set(LYAML_DEPENDENCIES "")
list(APPEND LYAML_DEPENDENCIES "luajit")
ExternalProject_Add(
lyaml
DEPENDS ${LYAML_DEPENDENCIES}
URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
INSTALL_COMMAND sh -c
"cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
# One TBB # One TBB
set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb") set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
@@ -167,31 +200,26 @@ ExternalProject_Add(
BUILD_BYPRODUCTS ${TBB_LIB} BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND "") INSTALL_COMMAND "")
if(NOT MINIMAL_BUILD) # civetweb
# civetweb set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/") set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a") set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include") message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'") ExternalProject_Add(
ExternalProject_Add( civetweb
civetweb URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz" URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42" CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include BUILD_IN_SOURCE 1
BUILD_IN_SOURCE 1 BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1 INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
BUILD_BYPRODUCTS ${CIVETWEB_LIB}
INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
endif()
#string-view-lite #string-view-lite
include(DownloadStringViewLite) include(DownloadStringViewLite)
if(NOT MINIMAL_BUILD) # gRPC
# gRPC include(gRPC)
include(gRPC)
endif()
# sysdig # sysdig
include(sysdig) include(sysdig)
@@ -199,13 +227,11 @@ include(sysdig)
# Installation # Installation
install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}") install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
if(NOT MINIMAL_BUILD) # Coverage
# Coverage include(Coverage)
include(Coverage)
# Tests # Tests
add_subdirectory(test) add_subdirectory(test)
endif()
# Rules # Rules
add_subdirectory(rules) add_subdirectory(rules)
@@ -216,9 +242,6 @@ add_subdirectory(docker)
# Clang format # Clang format
# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM) # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
# Static analysis
include(static-analysis)
# Shared build variables # Shared build variables
set(FALCO_SINSP_LIBRARY sinsp) set(FALCO_SINSP_LIBRARY sinsp)
set(FALCO_SHARE_DIR share/falco) set(FALCO_SHARE_DIR share/falco)
@@ -226,7 +249,6 @@ set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
set(FALCO_BIN_DIR bin) set(FALCO_BIN_DIR bin)
add_subdirectory(scripts) add_subdirectory(scripts)
add_subdirectory(userspace/libhawk)
add_subdirectory(userspace/engine) add_subdirectory(userspace/engine)
add_subdirectory(userspace/falco) add_subdirectory(userspace/falco)
add_subdirectory(tests) add_subdirectory(tests)

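--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,38 @@
+# CNCF Community Code of Conduct v1.0
+## Contributor Code of Conduct
+As contributors and maintainers of this project, and in the interest of fostering
+an open and welcoming community, we pledge to respect all people who contribute
+through reporting issues, posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+Examples of unacceptable behavior by participants include:
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses,
+without explicit permission
+* Other unethical or unprofessional conduct.
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are not
+aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
+commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/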

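--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,150 @@
+# Contributing to Falco
+- [Contributing to Falco](#contributing-to-falco)
+- [Code of Conduct](#code-of-conduct)
+- [Issues](#issues)
+- [Triage issues](#triage-issues)
+- [More about labels](#more-about-labels)
+- [Slack](#slack)
+- [Pull Requests](#pull-requests)
+- [Commit convention](#commit-convention)
+- [Rule type](#rule-type)
+- [Coding Guidelines](#coding-guidelines)
+- [C++](#c)
+- [Unit testing](/tests/README.md)
+- [Developer Certificate Of Origin](#developer-certificate-of-origin)
+## Code of Conduct
+Falco has a
+[Code of Conduct](CODE_OF_CONDUCT.md)
+to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
+## Issues
+Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
+- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
+creating an issue with the **bug report template** is the best way to do so.
+- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
+- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
+The best way to get **involved** in the project is through issues, you can help in many ways:
+- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
+sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
+- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
+### Triage issues
+We need help in categorizing issues. Thus any help is welcome!
+When you triage an issue, you:
+* assess whether it has merit or not
+* quickly close it by correctly answering a question
+* point the reporter to a resource or documentation answering the issue
+* tag it via labels, projects, or milestones
+* take ownership submitting a PR for it, in case you want 😇
+#### More about labels
+These guidelines are not set in stone and are subject to change.
+Anyway a `kind/*` label for any issue is mandatory.
+This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
+You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
+The commands available are the following ones:
+```
+/[remove-](area|kind|priority|triage|label)
+```
+Some examples:
+* `/area rules`
+* `/remove-area rules`
+* `/kind kernel-module`
+* `/label good-first-issue`
+* `/triage duplicate`
+* `/triage unresolved`
+* `/triage not-reproducible`
+* `/triage support`
+* ...
+### Slack
+Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
+## Pull Requests
+Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
+In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
+need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
+The list of labels is [here](https://github.com/falcosecurity/falco/labels).
+Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
+Once your reviewer is happy, they will say `/lgtm` which will apply the
+`lgtm` label, and will apply the `approved` label if they are an
+[owner](/OWNERS).
+Your PR will be automatically merged once it has the `lgtm` and `approved`
+labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
+### Commit convention
+As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
+of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
+#### Rule type
+Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
+Example:
+```
+rule(Write below monitored dir): make sure monitored dirs are monitored.
+```
+Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
+If you are changing only a macro, the commit will look like this:
+```
+rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
+```
+## Coding Guidelines
+### C++
+* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
+A complete list of banned functions can be found [here](./userspace/engine/banned.h).
+## Developer Certificate Of Origin
+The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
+Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+```
+This is my commit message
+Signed-off-by: John Poiana <jpoiana@falco.org>
+```
+Git even has a `-s` command line option to append this automatically to your commit message:
+```
+$ git commit -s -m 'This is my commit message'
+```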

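--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -0,0 +1,55 @@
+# Process for becoming a maintainer
+* Express interest to the existing maintainers that you or your organization is interested in becoming a
+maintainer. Becoming a maintainer generally means that you are going to be spending substantial
+time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
+proficient in C++. Ultimately your goal is to become a maintainer that will represent your
+organization.
+* We will expect you to start contributing increasingly complicated PRs, under the guidance
+of the existing maintainers.
+* We may ask you to do some PRs from our backlog.
+* As you gain experience with the code base and our standards, we will ask you to do code reviews
+for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
+community reviews).
+* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
+the existing maintainers will confer and decide whether to grant maintainer status or not.
+We make no guarantees on the length of time this will take, but 2-3 months is the approximate
+goal.
+## Maintainer responsibilities
+* Monitor Slack (delayed response is perfectly acceptable).
+* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
+* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
+to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
+is somewhat subjective so just use your best judgment.
+* Make sure that ongoing PRs are moving forward at the right pace or closing them.
+* Participate when called upon in the security releases. Note that although this should be a rare
+occurrence, if a serious vulnerability is found, the process may take up to several full days of
+work to implement. This reality should be taken into account when discussing time commitment
+obligations with employers.
+* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
+business days per week).
+## When does a maintainer lose maintainer status
+If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
+should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
+the maintainers per the voting process below.
+# Conflict resolution and voting
+In general, we prefer that technical issues and maintainer membership are amicably worked out
+between the persons involved. If a dispute cannot be decided independently, the maintainers can be
+called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
+be resolved by voting. The voting process is a simple majority in which each senior maintainer
+receives two votes and each normal maintainer receives one vote.
+# Adding new projects to the falcosecurity GitHub organization
+New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
+existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
+days but depending on the volume of conversation), the maintainers of *the project where the issue
+was opened* (since different projects in the organization may have different maintainers) will
+decide whether the new project should be added. See the section above on voting if the maintainers
+cannot easily decide.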

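--- a/OWNERS
+++ b/OWNERS
@@ -3,7 +3,6 @@ approvers:
 - kris-nova
 - leodido
 - mstemm
-- leogr
 reviewers:
 - fntlnz
 - kaizhe
@@ -11,4 +10,3 @@ reviewers:
 - leodido
 - mfdii
 - mstemm
-- leogr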

@@ -3,11 +3,11 @@
<hr> <hr>
# The Falco Project
[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io). #### Latest releases
### Latest releases
Read the [change log](CHANGELOG.md). Read the [change log](CHANGELOG.md).
@@ -19,89 +19,66 @@ Read the [change log](CHANGELOG.md).
--- ---
The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool. Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
### Installing Falco Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/). #### What kind of behaviors can Falco detect?
##### Kubernetes Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
| Tool | Link | Note | - A shell is running inside a container.
|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
| Helm | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases. |
| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube) | The Falco driver has been baked into minikube for easy deployment. |
| Kind | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind) | Running Falco with kind requires a driver on the host system. |
| GKE | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke) | We suggest using the eBPF driver for running Falco on GKE. |
### Developing
Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
The Falco Project supports various SDKs for this endpoint.
##### SDKs
| Language | Repository |
|----------|---------------------------------------------------------|
| Go | [client-go](https://github.com/falcosecurity/client-go) |
| Rust | [client-rs](https://github.com/falcosecurity/client-rs) |
| Python | [client-py](https://github.com/falcosecurity/client-py) |
### What can Falco detect?
Falco can detect and alert on any behavior that involves making Linux system calls.
Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
For example, Falco can easily detect incidents including but not limited to:
- A shell is running inside a container or pod in Kubernetes.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host. - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type. - A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`. - Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`. - A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection. - A standard system binary, such as `ls`, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
### Documentation
The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco. ### Installing Falco
### Join the Community You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
#### How do you compare Falco with other security tools?
One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
Documentation
---
See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
Join the Community
---
To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more. To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
How to reach out? License Terms
---
- Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io) Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
- [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
- [Read the Falco documentation](https://falco.org/docs/)
Contributing
---
### Contributing See the [CONTRIBUTING.md](./CONTRIBUTING.md).
See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md). Security
---
### Security Audit ### Security Audit
A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf). A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
### Reporting security vulnerabilities ### Reporting security vulnerabilities
Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md). Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
### License Terms
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
[1]: https://dl.bintray.com/falcosecurity/rpm-dev [1]: https://dl.bintray.com/falcosecurity/rpm-dev
[2]: https://dl.bintray.com/falcosecurity/rpm [2]: https://dl.bintray.com/falcosecurity/rpm
[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
[4]: https://dl.bintray.com/falcosecurity/deb/stable [4]: https://dl.bintray.com/falcosecurity/deb/stable
[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64 [5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
[6]: https://dl.bintray.com/falcosecurity/bin/x86_64 [6]: https://dl.bintray.com/falcosecurity/bin/x86_64

@@ -2,43 +2,39 @@
Our release process is mostly automated, but we still need some manual steps to initiate and complete it. Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed. Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below. Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
## Pre-Release Checklist ## Pre-Release Checklist
Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
### 1. Release notes ### 1. Release notes
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases) - Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD) - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release - If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release - Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them - Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
### 2. Milestones ### 2. Milestones
- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
- Close the completed milestone
### 3. Release PR ### 3. Release PR
- Double-check if any hard-coded version number is present in the code, it should be not present anywhere: - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
- If any, manually correct it then open an issue to automate version number bumping later - If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` updates itself automatically - Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md: - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
- If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t` - Add the lastest changes on top the previous `CHANGELOG.md`
- Add the latest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications - Submit a PR with the above modifications
- Await PR approval - Await PR approval
- Close the completed milestone as soon as the PR is merged
## Release ## Release
Now assume `x.y.z` is the new version. Let `x.y.z` the new version.
### 1. Create a tag ### 1. Create a tag
@@ -56,49 +52,25 @@ Now assume `x.y.z` is the new version.
- Wait for the CI to complete - Wait for the CI to complete
### 2. Update the GitHub release ### 2. Update the GitHub release
- [Draft a new release](https://github.com/falcosecurity/falco/releases/new) - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `x.y.z` both as tag version and release title - Use `x.y.z` both as tag version and release title
- Use the following template to fill the release description: - Use the following template to fill the release description:
``` ```
<!-- Substitute x.y.z with the current release version --> <!-- Copy the relevant part of the changelog here -->
| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm) |
| deb | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
| tgz | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
| Images |
| --------------------------------------------------------------------------- |
| `docker pull docker.io/falcosecurity/falco:x.y.z` |
| `docker pull public.ecr.aws/falcosecurity/falco:x.y.z` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z` |
| `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z` |
### Statistics ### Statistics
| Merged PRs | Number | | Merged PRs | Number |
| --------------- | ------ | |-------------------|---------|
| Not user-facing | x | | Not user-facing | x |
| Release note | x | | Release note | x |
| Total | x | | Total | x |
<!-- Calculate stats and fill the above table --> <!-- Calculate stats and fill the above table -->
``` ```
- Finally, publish the release! - Finally, publish the release!
### 3. Update the meeting notes
For each release we archive the meeting notes in git for historical purposes.
- The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
- Note: There may be other notes from working groups that can optionally be added as well as needed.
- Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
- Open up a pull request with the new change.
## Post-Release tasks ## Post-Release tasks
Announce the new release to the world! Announce the new release to the world!

@@ -15,21 +15,6 @@ There are 3 logos available for use in this directory. Use the primary logo unle
The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project. The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
### Colors
| Name | PMS | RGB |
|-----------|------|-------------|
| Teal | 3125 | 0 174 199 |
| Cool Gray | 11 | 83 86 90 |
| Black | | 0 0 0 |
| Blue-Gray | 7700 | 22 92 125 |
| Gold | 1375 | 255 158 27 |
| Orange | 171 | 255 92 57 |
| Emerald | 3278 | 0 155 119 |
| Green | 360 | 108 194 74 |
The primary colors are those in the first two rows.
### Slogan ### Slogan
> Cloud Native Runtime Security > Cloud Native Runtime Security

@@ -25,29 +25,19 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
set(CPACK_STRIP_FILES "ON") set(CPACK_STRIP_FILES "ON")
set(CPACK_PACKAGE_RELOCATABLE "OFF") set(CPACK_PACKAGE_RELOCATABLE "OFF")
if(NOT CPACK_GENERATOR) set(CPACK_GENERATOR DEB RPM TGZ)
set(CPACK_GENERATOR DEB RPM TGZ)
endif()
message(STATUS "Using package generators: ${CPACK_GENERATOR}")
message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
set(CPACK_DEBIAN_PACKAGE_SECTION "utils") set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
endif()
if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
endif()
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org") set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)") set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles" "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
) )
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0") set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org") set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses") set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall") set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall") set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
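Review bot: `set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")` on the new side is unconditional, so a .deb produced on any other processor (the old side mapped `aarch64` to `arm64` via `CMAKE_SYSTEM_PROCESSOR`) carries a wrong Architecture field, and dpkg compares that field with the host at install time. The same hunk also drops the `if(NOT CPACK_GENERATOR)` guard around `set(CPACK_GENERATOR DEB RPM TGZ)`, so a generator chosen on the command line (the CircleCI config in this tree passes `-DCPACK_GENERATOR=TGZ`) is silently overwritten. I would keep the guard, `if(NOT CPACK_GENERATOR) set(CPACK_GENERATOR DEB RPM TGZ) endif()`, and derive the Debian architecture from `${CMAKE_SYSTEM_PROCESSOR}` rather than hard-coding it; a `message(STATUS ...)` of both values, as the old side had, makes a mislabeled package visible in the configure log.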

@@ -15,7 +15,7 @@ include(ExternalProject)
set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix) set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include) set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}") message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
ExternalProject_Add( ExternalProject_Add(
string-view-lite string-view-lite

@@ -10,7 +10,6 @@
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
# #
mark_as_advanced(OPENSSL_BINARY)
if(NOT USE_BUNDLED_DEPS) if(NOT USE_BUNDLED_DEPS)
find_package(OpenSSL REQUIRED) find_package(OpenSSL REQUIRED)
message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}") message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -21,8 +20,6 @@ if(NOT USE_BUNDLED_DEPS)
message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}") message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
endif() endif()
else() else()
mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl") set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target") set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include") set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
@@ -35,10 +32,10 @@ else()
ExternalProject_Add( ExternalProject_Add(
openssl openssl
# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736 # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz" URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364" URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736 # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR} CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE} BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1 BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install) INSTALL_COMMAND ${CMD_MAKE} install)
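Review bot: The new side pins OpenSSL 1.0.2n from a third-party mirror (`s3.amazonaws.com/download.draios.com`) with a `URL_HASH` that differs from the GitHub archive's, and the 1.0.2 series is out of upstream support since the end of 2019, so this pin will not pick up fixes newer than the CVE set named in the `START CHANGE` comment. The hash does protect integrity of the download, but nothing records where the value came from; a comment next to `URL_HASH`, `# SHA256 verified against the upstream openssl-1.0.2n release tarball`, would make the pin auditable. The switch from `./config no-shared` to `./config shared` also means the bundled build now emits `libssl`/`libcrypto` shared objects under `${OPENSSL_INSTALL_DIR}`, and `PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}` is handed to the gRPC build elsewhere in this compare, so consumers may end up dynamically linked against a copy that the packaging does not install — worth confirming with `ldd` on the built binary. The `ExternalProject_Add(openssl ...)` call ends in this hunk but its enclosing `else()` branch starts outside it.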

@@ -1,27 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
message(STATUS "Using bundled b64 in '${B64_SRC}'")
set(B64_INCLUDE "${B64_SRC}/include")
set(B64_LIB "${B64_SRC}/src/libb64.a")
externalproject_add(
b64
URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${B64_LIB}
INSTALL_COMMAND ""
)

@@ -19,15 +19,19 @@ else()
set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/") set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a") set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}") if(NOT USE_BUNDLED_OPENSSL)
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'") set(CURL_SSL_OPTION "--with-ssl")
message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'") else()
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
endif()
externalproject_add( externalproject_add(
curl curl
DEPENDS openssl DEPENDS openssl
# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007 # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2" URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c" URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007 # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
CONFIGURE_COMMAND CONFIGURE_COMMAND
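Review bot: `DEPENDS openssl` in `externalproject_add(curl ...)` stays unconditional while the new `if(NOT USE_BUNDLED_OPENSSL)` branch just above selects the system OpenSSL with a bare `--with-ssl`; in that configuration the curl target still waits on the bundled openssl build, and if that target is not defined when bundled OpenSSL is off the configure step fails. If the system-OpenSSL branch is meant to be reachable, make the dependency conditional in the same `if`/`else`, e.g. `set(CURL_DEPENDENCIES openssl)` in the bundled branch and `DEPENDS ${CURL_DEPENDENCIES}` in the call. The new branch also loses both `message(STATUS ...)` lines for the system case, so the configure log no longer says which SSL curl was built against; placing them after `endif()` keeps that visible for both paths. The `externalproject_add` call continues outside the hunk.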

@@ -22,7 +22,6 @@ if(NOT USE_BUNDLED_DEPS)
endif() endif()
# c-ares # c-ares
mark_as_advanced(CARES_INCLUDE CARES_LIB)
find_path(CARES_INCLUDE NAMES ares.h) find_path(CARES_INCLUDE NAMES ares.h)
find_library(CARES_LIB NAMES libcares.so) find_library(CARES_LIB NAMES libcares.so)
if(CARES_INCLUDE AND CARES_LIB) if(CARES_INCLUDE AND CARES_LIB)
@@ -32,7 +31,6 @@ if(NOT USE_BUNDLED_DEPS)
endif() endif()
# protobuf # protobuf
mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
find_program(PROTOC NAMES protoc) find_program(PROTOC NAMES protoc)
find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h) find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
find_library(PROTOBUF_LIB NAMES libprotobuf.so) find_library(PROTOBUF_LIB NAMES libprotobuf.so)
@@ -45,7 +43,6 @@ if(NOT USE_BUNDLED_DEPS)
endif() endif()
# gpr # gpr
mark_as_advanced(GPR_LIB)
find_library(GPR_LIB NAMES gpr) find_library(GPR_LIB NAMES gpr)
if(GPR_LIB) if(GPR_LIB)
@@ -55,16 +52,12 @@ if(NOT USE_BUNDLED_DEPS)
endif() endif()
# gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0 # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
mark_as_advanced(GRPC_INCLUDE GRPC_SRC
GRPC_LIB GRPC_LIBS_ABSOLUTE GRPCPP_LIB GRPC_CPP_PLUGIN)
find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h) find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
if(GRPCXX_INCLUDE) if(GRPCXX_INCLUDE)
set(GRPC_INCLUDE ${GRPCXX_INCLUDE}) set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
unset(GRPCXX_INCLUDE CACHE)
else() else()
find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h) find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
set(GRPC_INCLUDE ${GRPCPP_INCLUDE}) set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
unset(GRPCPP_INCLUDE CACHE)
add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1) add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
endif() endif()
find_library(GRPC_LIB NAMES grpc) find_library(GRPC_LIB NAMES grpc)
@@ -103,17 +96,12 @@ else()
# that zlib will be very outdated # that zlib will be very outdated
set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib") set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a") set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
# we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
# that c-ares will be very outdated
set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
message(STATUS "Using bundled gRPC in '${GRPC_SRC}'") message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
message( message(
STATUS STATUS
"Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}") "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}") message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}") message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
get_filename_component(PROTOC_DIR ${PROTOC} PATH) get_filename_component(PROTOC_DIR ${PROTOC} PATH)
@@ -122,8 +110,8 @@ else()
grpc grpc
DEPENDS openssl DEPENDS openssl
GIT_REPOSITORY https://github.com/grpc/grpc.git GIT_REPOSITORY https://github.com/grpc/grpc.git
GIT_TAG v1.32.0 GIT_TAG v1.25.0
GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2" GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
BUILD_IN_SOURCE 1 BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
INSTALL_COMMAND "" INSTALL_COMMAND ""
@@ -133,8 +121,6 @@ else()
HAS_SYSTEM_ZLIB=false HAS_SYSTEM_ZLIB=false
HAS_SYSTEM_PROTOBUF=false HAS_SYSTEM_PROTOBUF=false
HAS_SYSTEM_CARES=false HAS_SYSTEM_CARES=false
HAS_EMBEDDED_OPENSSL_ALPN=false
HAS_SYSTEM_OPENSSL_ALPN=true
PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR} PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
PKG_CONFIG=${PKG_CONFIG_EXECUTABLE} PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
PATH=${PROTOC_DIR}:$ENV{PATH} PATH=${PROTOC_DIR}:$ENV{PATH}
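Review bot: The last hunk (`@@ -133,8 +121,6 @@`) removes `HAS_EMBEDDED_OPENSSL_ALPN=false` and `HAS_SYSTEM_OPENSSL_ALPN=true` from the gRPC make arguments while `DEPENDS openssl` and `PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}` remain, so which TLS library gRPC links — the OpenSSL built in this tree or gRPC's own third_party copy — is now left to the gRPC Makefile's detection instead of being stated. If the intent is still to link the bundled OpenSSL, keep the two variables, or add `# gRPC is expected to detect the bundled OpenSSL via PKG_CONFIG_PATH` so a reader knows the autodetection is deliberate. The `@@ -103,17 +96,12 @@` hunk likewise drops `CARES_INCLUDE`/`CARES_LIB` from the bundled branch although `HAS_SYSTEM_CARES=false` still makes gRPC build its c-ares; anything downstream that consumes those two variables will now see them unset, which I cannot confirm from this section alone. The `ExternalProject_Add(grpc ...)` call starts and ends outside the hunks.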

@@ -10,45 +10,26 @@
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
# #
mark_as_advanced(JQ_INCLUDE JQ_LIB) if(NOT USE_BUNDLED_DEPS)
if (NOT USE_BUNDLED_DEPS) find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq) find_library(JQ_LIB NAMES jq)
find_library(JQ_LIB NAMES jq) if(JQ_INCLUDE AND JQ_LIB)
if (JQ_INCLUDE AND JQ_LIB) message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}") else()
else () message(FATAL_ERROR "Couldn't find system jq")
message(FATAL_ERROR "Couldn't find system jq") endif()
endif () else()
else () set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq") message(STATUS "Using bundled jq in '${JQ_SRC}'")
message(STATUS "Using bundled jq in '${JQ_SRC}'") set(JQ_INCLUDE "${JQ_SRC}")
set(JQ_INCLUDE "${JQ_SRC}/target/include") set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
set(JQ_INSTALL_DIR "${JQ_SRC}/target") ExternalProject_Add(
set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a") jq
set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a") URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}") URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
# Why we mirror jq here? BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
# BUILD_IN_SOURCE 1
# In their readme, jq claims that you don't have PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
# to do autoreconf -fi when downloading a released tarball. INSTALL_COMMAND "")
# endif()
# However, they forgot to push the released makefiles
# into their release tarbal.
#
# For this reason, we have to mirror their release after
# doing the configuration ourselves.
#
# This is needed because many distros do not ship the right
# version of autoreconf, making virtually impossible to build Falco on them.
# Read more about it here:
# https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
ExternalProject_Add(
jq
URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
BUILD_IN_SOURCE 1
INSTALL_COMMAND ${CMD_MAKE} install)
endif ()
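Review bot: The new `PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch` fetches build input over the network at build time with no checksum, unlike the jq tarball on the line above it, which is pinned with `URL_HASH`; whatever the server returns, including an HTML error page since `curl -L` runs without `--fail`, is piped straight into `patch`, and only `patch`'s exit status reaches the build. The fix is to vendor the patch file in the repository and apply it the way the sysdig-repo `CMakeLists.txt` in this compare does, `PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/<jq-fix>.patch` (file name is a placeholder), so a hash-pinned tarball plus a committed patch fully determines what gets built. A one-line comment naming the upstream commit the patch came from keeps the provenance that the URL currently carries.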

@@ -1,27 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
externalproject_add(
libyaml
URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LIBYAML_LIB}
INSTALL_COMMAND ${CMD_MAKE} install
)

@@ -1,28 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
set(LPEG_DEPENDENCIES "")
list(APPEND LPEG_DEPENDENCIES "luajit")
ExternalProject_Add(
lpeg
DEPENDS ${LPEG_DEPENDENCIES}
URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LPEG_LIB}
CONFIGURE_COMMAND ""
INSTALL_COMMAND "")

@@ -1,27 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
externalproject_add(
luajit
GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LUAJIT_LIB}
INSTALL_COMMAND ""
)

@@ -1,28 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
externalproject_add(
lyaml
DEPENDS luajit libyaml
URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
BUILD_COMMAND ${CMD_MAKE}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${LYAML_LIB}
CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
INSTALL_COMMAND sh -c
"cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua"
)

@@ -1,43 +0,0 @@
# create the reports folder
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
# cppcheck
mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
find_program(CPPCHECK cppcheck)
find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
if(NOT CPPCHECK)
message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
else()
message(STATUS "cppcheck found at: ${CPPCHECK}")
# we are aware that cppcheck can be run
# along with the software compilation in a single step
# using the CMAKE_CXX_CPPCHECK variables.
# However, for practical needs we want to keep the
# two things separated and have a specific target for it.
# Our cppcheck target reads the compilation database produced by CMake
set(CMAKE_EXPORT_COMPILE_COMMANDS On)
add_custom_target(
cppcheck
COMMAND ${CPPCHECK}
"--enable=all"
"--force"
"--inconclusive"
"--inline-suppr" # allows to specify suppressions directly in source code
"--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
"--quiet"
"--xml" # we want to generate a report
"--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
"-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
)
endif() # CPPCHECK
if(NOT CPPCHECK_HTMLREPORT)
message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
else()
message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
add_custom_target(
cppcheck_htmlreport
COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
endif() # CPPCHECK_HTMLREPORT

@@ -1,5 +1,5 @@
# #
# Copyright (C) 2020 The Falco Authors. # Copyright (C) 2019 The Falco Authors.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at # the License. You may obtain a copy of the License at
@@ -25,4 +25,4 @@ ExternalProject_Add(
BUILD_COMMAND "" BUILD_COMMAND ""
INSTALL_COMMAND "" INSTALL_COMMAND ""
TEST_COMMAND "" TEST_COMMAND ""
PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch && patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/luajit.patch) PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)

@@ -1,8 +1,8 @@
diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
index 6f51588e..5f9ea84e 100644 index e9faea51..a1b3b501 100644
--- a/userspace/libscap/scap.c --- a/userspace/libscap/scap.c
+++ b/userspace/libscap/scap.c +++ b/userspace/libscap/scap.c
@@ -55,7 +55,7 @@ limitations under the License. @@ -52,7 +52,7 @@ limitations under the License.
//#define NDEBUG //#define NDEBUG
#include <assert.h> #include <assert.h>
@@ -11,16 +11,7 @@ index 6f51588e..5f9ea84e 100644
// //
// Probe version string size // Probe version string size
@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc, @@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
static uint32_t get_max_consumers()
{
uint32_t max;
- FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
+ FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
if(pfile != NULL)
{
int w = fscanf(pfile, "%"PRIu32, &max);
@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
return NULL; return NULL;
} }
@@ -29,16 +20,7 @@ index 6f51588e..5f9ea84e 100644
bpf_probe = buf; bpf_probe = buf;
} }
} }
@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc, @@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
else if(errno == EBUSY)
{
uint32_t curr_max_consumers = get_max_consumers();
- snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+ snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
}
else
{
@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
const char* scap_get_host_root() const char* scap_get_host_root()
{ {

@@ -1,57 +0,0 @@
diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
index 0a6e3cf8..0c2e255a 100644
--- a/userspace/libsinsp/chisel.cpp
+++ b/userspace/libsinsp/chisel.cpp
@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
// Lua callbacks
///////////////////////////////////////////////////////////////////////////////
#ifdef HAS_LUA_CHISELS
-const static struct luaL_reg ll_sysdig [] =
+const static struct luaL_Reg ll_sysdig [] =
{
{"set_filter", &lua_cbacks::set_global_filter},
{"set_snaplen", &lua_cbacks::set_snaplen},
@@ -134,7 +134,7 @@ const static struct luaL_reg ll_sysdig [] =
{NULL,NULL}
};
-const static struct luaL_reg ll_chisel [] =
+const static struct luaL_Reg ll_chisel [] =
{
{"request_field", &lua_cbacks::request_field},
{"set_filter", &lua_cbacks::set_filter},
@@ -146,7 +146,7 @@ const static struct luaL_reg ll_chisel [] =
{NULL,NULL}
};
-const static struct luaL_reg ll_evt [] =
+const static struct luaL_Reg ll_evt [] =
{
{"field", &lua_cbacks::field},
{"get_num", &lua_cbacks::get_num},
diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
index 0e26617d..78810d96 100644
--- a/userspace/libsinsp/lua_parser.cpp
+++ b/userspace/libsinsp/lua_parser.cpp
@@ -32,7 +32,7 @@ extern "C" {
#include "lauxlib.h"
}
-const static struct luaL_reg ll_filter [] =
+const static struct luaL_Reg ll_filter [] =
{
{"rel_expr", &lua_parser_cbacks::rel_expr},
{"bool_op", &lua_parser_cbacks::bool_op},
diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
index c89e9126..c3d8008a 100644
--- a/userspace/libsinsp/lua_parser_api.cpp
+++ b/userspace/libsinsp/lua_parser_api.cpp
@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
string err = "Got non-table as in-expression operand\n";
throw sinsp_exception("parser API error");
}
- int n = luaL_getn(ls, 4); /* get size of table */
+ int n = lua_objlen (ls, 4); /* get size of table */
for (i=1; i<=n; i++)
{
lua_rawgeti(ls, 4, i);

@@ -17,26 +17,23 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
# this needs to be here at the top # this needs to be here at the top
if(USE_BUNDLED_DEPS) if(USE_BUNDLED_DEPS)
# explicitly force this dependency to use the bundled OpenSSL # explicitly force this dependency to use the bundled OpenSSL
if(NOT MINIMAL_BUILD) set(USE_BUNDLED_OPENSSL ON)
set(USE_BUNDLED_OPENSSL ON)
endif()
set(USE_BUNDLED_JQ ON)
endif() endif()
file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR}) file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the # The sysdig git reference (branch name, commit hash, or tag)
# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake # To update sysdig version for the next release, change the default below
# -DSYSDIG_VERSION=dev ..` # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
if(NOT SYSDIG_VERSION) if(NOT SYSDIG_VERSION)
set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750") set(SYSDIG_VERSION "96bd9bc560f67742738eb7255aeb4d03046b8045")
set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd") set(SYSDIG_CHECKSUM "SHA256=766e8952a36a4198fd976b9d848523e6abe4336612188e4fc911e217d8e8a00d")
endif() endif()
set(PROBE_VERSION "${SYSDIG_VERSION}") set(PROBE_VERSION "${SYSDIG_VERSION}")
# cd /path/to/build && cmake /path/to/source # cd /path/to/build && cmake /path/to/source
execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
@@ -57,10 +54,6 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
# Add libscap directory # Add libscap directory
add_definitions(-D_GNU_SOURCE) add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE) add_definitions(-DHAS_CAPTURE)
add_definitions(-DNOCURSESUI)
if(MUSL_OPTIMIZED_BUILD)
add_definitions(-DMUSL_OPTIMIZED)
endif()
add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap") add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
# Add libsinsp directory # Add libsinsp directory
@@ -71,8 +64,5 @@ add_dependencies(sinsp tbb b64 luajit)
set(CREATE_TEST_TARGETS OFF) set(CREATE_TEST_TARGETS OFF)
if(USE_BUNDLED_DEPS) if(USE_BUNDLED_DEPS)
add_dependencies(scap jq) add_dependencies(scap grpc curl jq)
if(NOT MINIMAL_BUILD)
add_dependencies(scap curl grpc)
endif()
endif() endif()


@@ -10,7 +10,6 @@
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
# #
mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
if(NOT USE_BUNDLED_DEPS) if(NOT USE_BUNDLED_DEPS)
find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h) find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
find_library(YAMLCPP_LIB NAMES yaml-cpp) find_library(YAMLCPP_LIB NAMES yaml-cpp)


@@ -0,0 +1,45 @@
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: falco
namespace: falco
labels:
app: falco
spec:
selector:
matchLabels:
app: falco
template:
metadata:
labels:
app: falco
spec:
tolerations:
- operator: Exists
hostPID: true
hostNetwork: true
containers:
- name: falco-init
image: alpine
imagePullPolicy: Always
securityContext:
privileged: true
lifecycle:
preStop:
exec:
command:
- "nsenter"
- "-t"
- "1"
- "-m"
- "--"
- "/bin/sh"
- "-c"
- |
#!/bin/bash
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://dl.bintray.com/falcosecurity/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
exit 0
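Review bot: The host-install script is attached to a `preStop` hook, so it can only run while the container is being stopped, and the `falco-init` container declares no `command`, so the stock `alpine` image presumably exits at once and the pod crash-loops before the hook is ever useful; a `postStart` hook, or making the script the container's command, is what the intent appears to need. The script also cannot fail: `curl -s` without `-f` pipes an HTTP error page into `apt-key add -` on a non-2xx response, and the `apt-get` steps end in an unconditional `exit 0`, so `curl -fsSL https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -` plus a `set -e` at the top of the script would surface problems (the `#!/bin/bash` line is a no-op inside `/bin/sh -c`). Because this runs as host root via `privileged: true` + `hostPID: true` + `nsenter -t 1 -m`, pulling an unpinned `image: alpine` with `imagePullPolicy: Always` and installing packages into the node at runtime is acceptable only for the throwaway debugging the commit message describes; anything kept longer should pin the image by digest and drop the blanket `tolerations: - operator: Exists`.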


@@ -34,7 +34,6 @@ case "$CMD" in
-DCMAKE_BUILD_TYPE="$BUILD_TYPE" \ -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-DCMAKE_INSTALL_PREFIX=/usr \ -DCMAKE_INSTALL_PREFIX=/usr \
-DBUILD_DRIVER="$BUILD_DRIVER" \ -DBUILD_DRIVER="$BUILD_DRIVER" \
-DMINIMAL_BUILD="$MINIMAL_BUILD" \
-DBUILD_BPF="$BUILD_BPF" \ -DBUILD_BPF="$BUILD_BPF" \
-DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \ -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-DFALCO_VERSION="$FALCO_VERSION" \ -DFALCO_VERSION="$FALCO_VERSION" \


@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE" LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
ENV HOST_ROOT /host ENV HOST_ROOT /host
ENV HOME /root ENV HOME /root


@@ -2,7 +2,7 @@ FROM debian:stable
LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE" LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
ARG FALCO_VERSION=latest ARG FALCO_VERSION=latest
ARG VERSION_BUCKET=deb ARG VERSION_BUCKET=deb


@@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# Copyright (C) 2020 The Falco Authors. # Copyright (C) 2019 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,14 +16,10 @@
# limitations under the License. # limitations under the License.
# #
# todo(leogr): remove deprecation notice within a couple of releases
if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
fi
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver # Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host" echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/* for i in "$HOST_ROOT/usr/src"/*


@@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# Copyright (C) 2020 The Falco Authors. # Copyright (C) 2019 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,9 +17,9 @@
# #
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver # Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
echo "* Setting up /usr/src links from host" echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/* for i in "$HOST_ROOT/usr/src"/*


@@ -1,5 +1,7 @@
FROM ubuntu:18.04 as ubuntu FROM ubuntu:18.04 as ubuntu
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
ARG FALCO_VERSION ARG FALCO_VERSION
ARG VERSION_BUCKET=bin ARG VERSION_BUCKET=bin
@@ -10,23 +12,49 @@ WORKDIR /
ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz / ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \ RUN apt-get update -y && \
apt-get install -y libyaml-0-2 binutils && \
tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \ rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
mv falco-${FALCO_VERSION}-x86_64 falco && \ mv falco-${FALCO_VERSION}-x86_64 falco && \
rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader strip falco/usr/bin/falco && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
FROM scratch FROM scratch
LABEL maintainer="cncf-falco-dev@lists.cncf.io" COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
/lib/x86_64-linux-gnu/libc.so.6 \
/lib/x86_64-linux-gnu/libdl.so.2 \
/lib/x86_64-linux-gnu/libgcc_s.so.1 \
/lib/x86_64-linux-gnu/libm.so.6 \
/lib/x86_64-linux-gnu/libnsl.so.1 \
/lib/x86_64-linux-gnu/libnss_compat.so.2 \
/lib/x86_64-linux-gnu/libnss_files.so.2 \
/lib/x86_64-linux-gnu/libnss_nis.so.2 \
/lib/x86_64-linux-gnu/libpthread.so.0 \
/lib/x86_64-linux-gnu/librt.so.1 \
/lib/x86_64-linux-gnu/libz.so.1 \
/lib/x86_64-linux-gnu/
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE" COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
# NOTE: for the "least privileged" use case, please refer to the official documentation /usr/lib/x86_64-linux-gnu/libstdc++.so.6
ENV HOST_ROOT /host COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
ENV HOME /root /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
COPY --from=ubuntu /etc/ld.so.cache \
/etc/nsswitch.conf \
/etc/ld.so.cache \
/etc/passwd \
/etc/group \
/etc/
COPY --from=ubuntu /etc/default/nss /etc/default/nss
COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
COPY --from=ubuntu /falco / COPY --from=ubuntu /falco /
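Review bot: `/etc/ld.so.cache` appears twice in the `COPY --from=ubuntu /etc/ld.so.cache \ /etc/nsswitch.conf \ /etc/ld.so.cache \ …` stanza; the second entry is redundant and should be dropped. The same stage copies `libyaml-0.so.2.0.5` by its exact file name, so a rebuild against an `ubuntu:18.04` base that ships a newer libyaml patch release will fail at this `COPY`; resolving the `libyaml-0.so.2` symlink in the builder stage (for example with `readlink -f`) and copying the resolved file under the stable `libyaml-0.so.2` name would be more robust. The shared-library list is hand-maintained, so a comment above the first `COPY --from=ubuntu /lib/x86_64-linux-gnu/...` line naming how it was derived (presumably from `ldd` on the stripped `falco` binary — worth confirming) would help the next person who has to update it.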


@@ -1,20 +1,16 @@
FROM fedora:31 FROM fedora:31
LABEL name="falcosecurity/falco-tester" LABEL name="falcosecurity/falco-tester"
LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test" LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
LABEL maintainer="cncf-falco-dev@lists.cncf.io" LABEL maintainer="cncf-falco-dev@lists.cncf.io"
ENV FALCO_VERSION= ENV FALCO_VERSION=
ENV BUILD_TYPE=release ENV BUILD_TYPE=release
ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
ENV PATH="/root/.local/bin/:${PATH}" ENV PATH="/root/.local/bin/:${PATH}"
RUN pip install --user avocado-framework==69.0 RUN pip install --user avocado-framework==69.0
RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
RUN pip install --user watchdog==0.10.2
RUN pip install --user pathtools==0.1.2
RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
COPY ./root / COPY ./root /


@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
ENV FALCO_VERSION ${FALCO_VERSION} ENV FALCO_VERSION ${FALCO_VERSION}
RUN apt update -y RUN apt update -y
RUN apt install dkms -y RUN apt install dkms libyaml-0-2 -y
ADD falco-${FALCO_VERSION}-x86_64.deb / ADD falco-${FALCO_VERSION}-x86_64.deb /
RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb


@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
ENV FALCO_VERSION ${FALCO_VERSION} ENV FALCO_VERSION ${FALCO_VERSION}
RUN apt update -y RUN apt update -y
RUN apt install dkms curl -y RUN apt install dkms libyaml-0-2 curl -y
ADD falco-${FALCO_VERSION}-x86_64.tar.gz / ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
RUN cp -R /falco-${FALCO_VERSION}-x86_64/* / RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /


@@ -1,15 +1,12 @@
#!/usr/bin/env bash #!/usr/bin/env bash
BUILD_DIR=${BUILD_DIR:-/build} set -eu -o pipefail
SOURCE_DIR=${SOURCE_DIR:-/source}
SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
SOURCE_DIR=/source
BUILD_DIR=/build
CMD=${1:-test} CMD=${1:-test}
shift shift
# Stop the execution if a command in the pipeline has an error, from now on
set -e -u -o pipefail
# build type can be "debug" or "release", fallbacks to "release" by default # build type can be "debug" or "release", fallbacks to "release" by default
BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]") BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
case "$BUILD_TYPE" in case "$BUILD_TYPE" in
@@ -50,8 +47,7 @@ case "$CMD" in
"test") "test")
if [ -z "$FALCO_VERSION" ]; then if [ -z "$FALCO_VERSION" ]; then
echo "Automatically figuring out Falco version." echo "Automatically figuring out Falco version."
FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version) FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3 | tr -d '\r')
echo "Falco version: $FALCO_VERSION" echo "Falco version: $FALCO_VERSION"
fi fi
if [ -z "$FALCO_VERSION" ]; then if [ -z "$FALCO_VERSION" ]; then
@@ -60,11 +56,9 @@ case "$CMD" in
fi fi
# build docker images # build docker images
if [ "$SKIP_PACKAGES_TESTS" = false ] ; then build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb" build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm" build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
fi
# check that source directory contains Falco # check that source directory contains Falco
if [ ! -d "$SOURCE_DIR/falco/test" ]; then if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -75,14 +69,12 @@ case "$CMD" in
# run tests # run tests
echo "Running regression tests ..." echo "Running regression tests ..."
cd "$SOURCE_DIR/falco/test" cd "$SOURCE_DIR/falco/test"
SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE" ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
# clean docker images # clean docker images
if [ "$SKIP_PACKAGES_TESTS" = false ] ; then clean_image "deb"
clean_image "deb" clean_image "rpm"
clean_image "rpm" clean_image "tar.gz"
clean_image "tar.gz"
fi
;; ;;
"bash") "bash")
CMD=/bin/bash CMD=/bin/bash
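Review bot: With `set -eu -o pipefail` now on the first line, the unconditional `shift` that follows `CMD=${1:-test}` aborts the script when no argument is given (bash's `shift` returns non-zero when there is nothing to shift, and `errexit` then exits), so the `test` default can never take effect; `[ "$#" -gt 0 ] && shift` or `shift || true` keeps the default usable. This only bites if the tester image is ever run without an explicit command — the documented usage in the tester Dockerfile passes `test` — but the default suggests that case is meant to work. The `case "$CMD"` block these hunks belong to continues past the end of the section.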


@@ -28,7 +28,10 @@
# The files will be read in the order presented here, so make sure if # The files will be read in the order presented here, so make sure if
# you have overrides they appear in later files. # you have overrides they appear in later files.
rules_file: rules_file:
- /tmp/falco - /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d
# If true, the times displayed in log messages and output messages # If true, the times displayed in log messages and output messages
# will be in ISO 8601. By default, times are displayed in the local # will be in ISO 8601. By default, times are displayed in the local
@@ -84,23 +87,6 @@ syscall_event_drops:
rate: .03333 rate: .03333
max_burst: 10 max_burst: 10
# Falco continuously monitors outputs performance. When an output channel does not allow
# to deliver an alert within a given deadline, an error is reported indicating
# which output is blocking notifications.
# The timeout error will be reported to the log according to the above log_* settings.
# Note that the notification will not be discarded from the output queue; thus,
# output channels may indefinitely remain blocked.
# An output timeout error indeed indicate a misconfiguration issue or I/O problems
# that cannot be recovered by Falco and should be fixed by the user.
#
# The "output_timeout" value specifies the duration in milliseconds to wait before
# considering the deadline exceed.
#
# With a 2000ms default, the notification consumer can block the Falco output
# for up to 2 seconds without reaching the timeout.
output_timeout: 2000
# A throttling mechanism implemented as a token bucket limits the # A throttling mechanism implemented as a token bucket limits the
# rate of falco notifications. This throttling is controlled by the following configuration # rate of falco notifications. This throttling is controlled by the following configuration
# options: # options:
@@ -153,7 +139,7 @@ stdout_output:
webserver: webserver:
enabled: true enabled: true
listen_port: 8765 listen_port: 8765
k8s_audit_endpoint: /k8s-audit k8s_audit_endpoint: /k8s_audit
ssl_enabled: false ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem ssl_certificate: /etc/falco/falco.pem
@@ -196,8 +182,7 @@ http_output:
# grpc: # grpc:
# enabled: true # enabled: true
# bind_address: "0.0.0.0:5060" # bind_address: "0.0.0.0:5060"
# # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores # threadiness: 8
# threadiness: 0
# private_key: "/etc/falco/certs/server.key" # private_key: "/etc/falco/certs/server.key"
# cert_chain: "/etc/falco/certs/server.crt" # cert_chain: "/etc/falco/certs/server.crt"
# root_certs: "/etc/falco/certs/ca.crt" # root_certs: "/etc/falco/certs/ca.crt"
@@ -206,8 +191,7 @@ http_output:
grpc: grpc:
enabled: false enabled: false
bind_address: "unix:///var/run/falco.sock" bind_address: "unix:///var/run/falco.sock"
# when threadiness is 0, Falco automatically guesses it depending on the number of online cores threadiness: 8
threadiness: 0
# gRPC output service. # gRPC output service.
# By default it is off. # By default it is off.
@@ -215,14 +199,3 @@ grpc:
# Make sure to have a consumer for them or leave this disabled. # Make sure to have a consumer for them or leave this disabled.
grpc_output: grpc_output:
enabled: false enabled: false
# todo(fntlnz): provide a default implementation
# so that users can avoid to input this configuration
# if they don't need to change the default Falco behavior
#extensions:
# - myextension.so
# Rules provider
# Specify a non-default provider.
# Default value is "internal"
rules_provider: internal


@@ -1,4 +1,4 @@
# Falco gRPC Outputs # gRPC Falco Output
<!-- toc --> <!-- toc -->
@@ -25,7 +25,7 @@ An alert is an "output" when it goes over a transport, and it is emitted by Falc
At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output. At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.
For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://slack.k8s.io) if we can find a more consumable way to implement Falco outputs in an extensible way. For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://sysdig.slack.com) if we can find a more consumable way to implement Falco outputs in an extensible way.
The motivation behind this proposal is to design a new output implementation that can meet our user's needs. The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
@@ -39,10 +39,7 @@ The motivation behind this proposal is to design a new output implementation tha
- To continue supporting the old output formats by implementing their same interface - To continue supporting the old output formats by implementing their same interface
- To be secure by default (**mutual TLS** authentication) - To be secure by default (**mutual TLS** authentication)
- To be **asynchronous** and **non-blocking** - To be **asynchronous** and **non-blocking**
- To provide a connection over unix socket (no authentication) - To implement a Go SDK
- To implement a Go client
- To implement a Rust client
- To implement a Python client
### Non-Goals ### Non-Goals
@@ -80,25 +77,26 @@ syntax = "proto3";
import "google/protobuf/timestamp.proto"; import "google/protobuf/timestamp.proto";
import "schema.proto"; import "schema.proto";
package falco.outputs; package falco.output;
option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs"; option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
// This service defines the RPC methods // The `subscribe` service defines the RPC call
// to `request` a stream of output `response`s. // to perform an output `request` which will lead to obtain an output `response`.
service service { service service {
// Subscribe to a stream of Falco outputs by sending a stream of requests. rpc subscribe(request) returns (stream response);
rpc sub(stream request) returns (stream response);
// Get all the Falco outputs present in the system up to this call.
rpc get(request) returns (stream response);
} }
// The `request` message is the logical representation of the request model. // The `request` message is the logical representation of the request model.
// It is the input of the `output.service` service. // It is the input of the `subscribe` service.
// It is used to configure the kind of subscription to the gRPC streaming server.
message request { message request {
bool keepalive = 1;
// string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
// repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
} }
// The `response` message is the representation of the output model. // The `response` message is the logical representation of the output model.
// It contains all the elements that Falco emits in an output along with the // It contains all the elements that Falco emits in an output along with the
// definitions for priorities and source. // definitions for priorities and source.
message response { message response {
@@ -108,7 +106,7 @@ message response {
string rule = 4; string rule = 4;
string output = 5; string output = 5;
map<string, string> output_fields = 6; map<string, string> output_fields = 6;
string hostname = 7; // repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
} }
``` ```


@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
1. the Part 1 - *this document*: the State of Art of Falco artifacts 1. the Part 1 - *this document*: the State of Art of Falco artifacts
2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
## Summary ## Summary
As a project we would like to support the following artifacts. As a project we would like to support the following artifacts.
@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.
## Terms ## Terms
**falco** **falco**
*The Falco binary* *The Falco binary*
@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.
**package** **package**
*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).* *An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
**image** **image**
*OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.* *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
# Packages # Packages
@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):
| Name | Directory | Description | | Name | Directory | Description |
|---|---|---| |---|---|---|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | | [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. | | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
**Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated. **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be
### repository ### repository
"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. "_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community. This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
For each item not listed above, ask if it needs to be moved or deleted. For each item not listed above, ask if it needs to be moved or deleted.
After the cleanup process, all items will match the *Part 1* of this proposal. After the cleanup process, all items will match the *Part 1* of this proposal.
### Action Items ### Action Items
Here are SOME of the items that would need to be done, for example: Here are SOME of the items that would need to be done, for example:


@@ -1,83 +0,0 @@
# Falco Artifacts Storage
This document reflects the way we store the Falco artifacts.
## Terms & Definitions
- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
- Bintray: artifacts distribution platform
## Packages
The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
- a pull request gets merged into the master branch (**Falco development releases**)
- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
- DEB
- RPM
- Tarball
Thus, we have three repositories for the Falco stable releases:
- https://bintray.com/falcosecurity/deb
- https://bintray.com/falcosecurity/rpm
- https://bintray.com/falcosecurity/bin
And three repositories for the Falco development releases:
- https://bintray.com/falcosecurity/deb-dev
- https://bintray.com/falcosecurity/rpm-dev
- https://bintray.com/falcosecurity/bin-dev
## Drivers
The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
The driver versions we ship prebuilt drivers for are:
- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
- the driver version associated with the penultimate Falco stable version
The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
### Notice
The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
Nevertheless, this process is an open, auditable, and transparent one.
So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
Some pull-requests you can look at to create your own are:
- https://github.com/falcosecurity/test-infra/pull/165
- https://github.com/falcosecurity/test-infra/pull/163
- https://github.com/falcosecurity/test-infra/pull/162
While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
## Container images
As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
These images are built and published in two cases:
- a pull request gets merged into the master branch (**Falco development releases**)
- a new Falco release (git tag) happens (**Falco stable releases**)
For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).


@@ -1,240 +0,0 @@
# Proposal for First Class Structured Exceptions in Falco Rules
## Summary
## Motivation
Almost all Falco Rules have cases where the behavior detected by the
rule should be allowed. For example, The rule Write Below Binary Dir
has exceptions for specific programs that are known to write below
these directories as a part of software installation/management:
```yaml
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
bin_dir and evt.dir = < and open_write
and not package_mgmt_procs
and not exe_running_docker_save
and not python_running_get_pip
and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
...
```
In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
```yaml
- macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries)
```
The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
```
...
and not sed_temporary_file
and not exe_running_docker_save
and not ansible_running_python
and not python_running_denyhosts
and not fluentd_writing_conf_files
and not user_known_write_etc_conditions
and not run_by_centrify
and not run_by_adclient
and not qualys_writing_conf_files
and not git_writing_nssdb
...
```
The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
### Using Appends/Overwrites to Customize Rules
An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
```yaml
- list: package_mgmt_binaries
items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
- macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries)
- macro: user_known_update_package_registry
condition: (never_true)
- rule: Update Package Repository
desc: Detect package repositories get updated
condition: >
((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not exe_running_docker_save
and not user_known_update_package_registry
```
If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
```yaml
- list: package_mgmt_binaries
items: [puppet]
append: true
- macro: package_mgmt_procs
condition: and not proc.pname=chef
append: true
- macro: user_known_update_package_registry
condition: (proc.name in (npm))
append: false
```
This adds an 3 different exceptions:
* an additional binary to package_mgmt_binaries (because append is true),
* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
### Problems with Appends/Overrides to Define Exceptions
Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
```yaml
rule: my_rule
condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
rule: my_rule
condition: or fd.name=/tmp/baz
append: true
```
Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
* Appends and overrides can get confusing if you try to apply them multiple times. For example:
```yaml
macro: allowed_files
condition: fd.name=/tmp/foo
...
macro: allowed_files
condition: and fd.name=/tmp/bar
append: true
```
If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
## Solution: Exceptions as first class objects
To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
```yaml
- rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories
condition: >
bin_dir and evt.dir = < and open_write
and not package_mgmt_procs
and not exe_running_docker_save
and not python_running_get_pip
and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
exceptions:
- name: proc_writer
fields: [proc.name, fd.directory]
- name: container_writer
fields: [container.image.repository, fd.directory]
comps: [=, startswith]
- name: proc_filenames
fields: [proc.name, fd.name]
comps: [=, in]
- name: filenames
fields: fd.filename
comps: in
```
This rule defines four kinds of exceptions:
* proc_writer: uses a combination of proc.name and fd.directory
* container_writer: uses a combination of container.image.repository and fd.directory
* proc_filenames: uses a combination of process and list of filenames.
* filenames: uses a list of filenames
The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
Exception values will most commonly be defined in rules with append: true. Here's an example:
```yaml
- list: apt_files
items: [/bin/ls, /bin/rm]
- rule: Write below binary dir
exceptions:
- name: proc_writer
values:
- [apk, /usr/lib/alpine]
- [npm, /usr/node/bin]
- name: container_writer
values:
- [docker.io/alpine, /usr/libexec/alpine]
- name: proc_filenames
values:
- [apt, apt_files]
- [rpm, [/bin/cp, /bin/pwd]]
- name: filenames
values: [python, go]
```
A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
### Implementation
For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
```
(<Write below binary dir condition>) and not (
(proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
(proc.name=apt and fd.name in (apt_files))) or
(fd.filename in (python, go))))
```
The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
### Advantages
Adding Exception objects as described here has several advantages:
* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
## Backwards compatibility
To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
However, there are a few changes we'll have to make to Falco rules file parsing:
* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.


@@ -1,102 +0,0 @@
# Falco Artifacts Cleanup
This document reflects when and how we clean up the Falco artifacts from their storage location.
## Motivation
The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
They also kindly granted us an additional 5GB of free space.
## Goal
Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
## Status
To be implemented.
## Packages
### Tarballs from Falco master
At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
### DEB from Falco master
At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
Historically, every Falco release is composed by less than 50 merges (upper limit).
So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
### RPM from Falco master
At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
### Stable releases
This document proposes to retain all the stable releases.
This means that all the Falco packages present in the Falco stable release repositories will be kept.
The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
This means it grows in space of ~50MB each month.
The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
This means it grows in space of ~5MB each month.
The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
This means it grows in space of ~4.3MB each month.
### Considerations
Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
### Implementation
The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
This job will be triggered after the `publish/packages-dev` completed successfully.
## Drivers
As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
### Archivation
Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
### Implementation
The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
This job will be triggered after the `drivers/publish` completed successfully on the master branch.


@@ -1,137 +0,0 @@
# Falco Drivers Storage S3
Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
## Introduction
In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
This does not only interrupt the workflow of our users but also the workflow of the contributors, since without bintray most of our container images and CMake files cant download the dependencies we mirror.
### What is the cause?
We had a spike in adoption apparently, either a user with many nodes or an increased number of users. We dont know this detail specifically yet because bintray does not give us very fine-grained statistics on this.
This is the 30-days history:
![A spike on driver downloads the last ten days](20201025-drivers-storage-s3_downloads.png)
As you can see, we can only see that they downloaded the latest kernel module driver version, however we cant see if:
* Its a single source or many different users
* What is the kernel/OS they are using
### What do we host on Bintray?
* RPM packages: high traffic but very manageable ~90k downloads a month
* Deb packages:low traffic ~5k downloads a month
* Pre-built image Dependencies: low traffic, will eventually disappear in the future
* Kernel modules: very high traffic, 700k downloads in 10 days, this is what is causing the current problems. They are primarily used by users of our container images.
* eBPF probes: low traffic ~5k downloads a month
### Motivations to go to S3 instead of Bintray for the Drivers
Bintray does an excellent service at building the rpm/deb structures for us, however we also use them for S3-like storage for the drivers. We have ten thousand files hosted there and the combinations are infinite.
Before today, we had many issues with storage even without the spike in users we are seeing since the last ten days.
## Context on AWS
Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).
## Interactions with other teams and the CNCF
* The setup on the AWS account side already done, this is all technical work.
* We need to open a CNCF service account ticket for the download.falco.org subdomain to point to the S3 bucket we want to use
## The Plan
We want to propose to move the drivers and the container dependencies to S3.
#### Moving means:
* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
* We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
* We move the current content keeping the same web server directory structure
* We change the Falco Dockerfiles and driver loader script accordingly
* We update test-infra to push the drivers to S3
* Once we have the drivers in S3, we can ask bintray to relax the limits for this month so that our users are able to download the other packages we keep there. Otherwise they will have to wait until November 1st. We only want to do that after the moving because otherwise we will hit the limits pretty quickly.
#### The repositories we want to move are:
* [https://bintray.com/falcosecurity/driver](https://bintray.com/falcosecurity/driver) will become https://download.falco.org/driver
* [https://bintray.com/falcosecurity/dependencies](https://bintray.com/falcosecurity/dependencies) will become https://download.falco.org/dependencies
#### Changes in Falco
* [Search for bintray ](https://github.com/falcosecurity/falco/search?p=2&q=bintray)on the Falco repo and replace the URL for the CMake and Docker files.
* Its very important to change the DRIVERS_REPO environment variable [here](https://github.com/falcosecurity/falco/blob/0a33f555eb8e019806b46fea8b80a6302a935421/CMakeLists.txt#L86) - this is what updates the falco-driver-loader scripts that the users and container images use to fetch the module
#### Changes in Test Infra
* We need to use the S3 cli instead of jfrog cli to upload to the s3 bucket after building [here](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml)
* We can probably remove jfrog from that repo since it only deals with drivers and drivers are being put on S3 now
* Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver)
* `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`
#### Changes to Falco website
* Changes should not be necessary, we are not updating the way people install Falco but only the driver. The driver is managed by a script we can change.
## Mitigation and next steps for the users
* **The average users should be good to go now, Bintray raised our limits and we have some room to do this without requiring manual steps on your end**
* **Users that cant wait for us to have the S3 setup done: **can setup an S3 as driver repo themselves, push the drivers they need to it after compiling them (they can use [Driverkit](https://github.com/falcosecurity/driverkit) for that) Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver).
* **Users that cant wait but dont want to setup a webserver themselves**: the falco-driver-loader script can also compile the module for you. Make sure to install the kernel-headers on your nodes.
* **Users that can wait** we will approve this document and act on the plan described here by providing the DRIVERS_REPO at [https://download.falco.org/driver](https://download.falco.org/driver) that then you can use
### How to use an alternative DRIVERS_REPO ?
**On bash:**
export DRIVERS_REPO=https://your-url-here
**Docker**
Pass it as environment variable using the docker run flag -e - for example:
docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)
**Kubernetes**
spec:
containers:
- env:
- name: DRIVERS_REPO
value: https://your-url-here
## Release
Next release is on December 1st, we want to rollout a hotfix 0.26.2 release that only contains the updated script before that date so that users dont get confused and we can just tell them "update Falco" to get the thing working again.

Binary file not shown.


@@ -37,7 +37,8 @@ if(DEFINED FALCO_COMPONENT)
COMPONENT "${FALCO_COMPONENT}" COMPONENT "${FALCO_COMPONENT}"
DESTINATION "${FALCO_ETC_DIR}" DESTINATION "${FALCO_ETC_DIR}"
RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}") RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
else() else()
install( install(
FILES falco_rules.yaml FILES falco_rules.yaml
@@ -56,8 +57,8 @@ else()
install( install(
FILES application_rules.yaml FILES application_rules.yaml
DESTINATION "${FALCO_ETC_DIR}/rules.available" DESTINATION "/etc/falco/rules.available"
RENAME "${FALCO_APP_RULES_DEST_FILENAME}") RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d") install(DIRECTORY DESTINATION "/etc/falco/rules.d")
endif() endif()
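Review bot: The two install destinations on the new side of the second hunk hard-code `/etc/falco` (`"/etc/falco/rules.available"` and `"/etc/falco/rules.d"`) while the `falco_rules.local.yaml` install a few lines earlier in the same file still uses `${FALCO_ETC_DIR}`, so a build configured with a non-default `FALCO_ETC_DIR` (a staging prefix or a non-root install) writes part of its rules tree into the real /etc, which needs root at install time and presumably leaves the daemon's configured etc directory without rules.d. I would keep the variable form on both lines: `DESTINATION "${FALCO_ETC_DIR}/rules.available"` and `install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")`. In the first hunk the application_rules.yaml comment is printed on two separate lines and the rendering does not say which side each belongs to; worth confirming the new side does not carry that comment twice. The `else()` branch these lines sit in opens before the first hunk.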


@@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# #
- required_engine_version: 8 - required_engine_version: 2
# Like always_true/always_false, but works with k8s audit events # Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true - macro: k8s_audit_always_true
@@ -45,22 +45,13 @@
- list: allowed_k8s_users - list: allowed_k8s_users
items: [ items: [
"minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck", "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy",
"kubernetes-admin",
vertical_pod_autoscaler_users, vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager"
] ]
- rule: Disallowed K8s User - rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users. desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and non_system_user condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
exceptions:
- name: user_names
fields: ka.user.name
comps: in
values: [allowed_k8s_users]
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -127,10 +118,6 @@
desc: > desc: >
Detect an attempt to start a pod with a container image outside of a list of allowed images. Detect an attempt to start a pod with a container image outside of a list of allowed images.
condition: kevt and pod and kcreate and not allowed_k8s_containers condition: kevt and pod and kcreate and not allowed_k8s_containers
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -139,12 +126,7 @@
- rule: Create Privileged Pod - rule: Create Privileged Pod
desc: > desc: >
Detect an attempt to start a pod with a privileged container Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_privileged_images]
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -158,12 +140,7 @@
desc: > desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc). Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images. Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_sensitive_mount_images]
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes]) output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -172,27 +149,16 @@
# Corresponds to K8s CIS Benchmark 1.7.4 # Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod - rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network. desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
exceptions:
- name: image_repos
fields: ka.req.pod.containers.image.repository
comps: in
values: [falco_hostnetwork_images]
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
- macro: user_known_node_port_service
condition: (k8s_audit_never_true)
- rule: Create NodePort Service - rule: Create NodePort Service
desc: > desc: >
Detect an attempt to start a service with a NodePort service type Detect an attempt to start a service with a NodePort service type
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service condition: kevt and service and kcreate and ka.req.service.type=NodePort
exceptions:
- name: services
fields: [ka.target.namespace, ka.target.name]
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports) output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -211,9 +177,6 @@
desc: > desc: >
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.) Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
condition: kevt and configmap and kmodify and contains_private_credentials condition: kevt and configmap and kmodify and contains_private_credentials
exceptions:
- name: configmaps
fields: [ka.target.namespace, ka.req.configmap.name]
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj) output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -223,11 +186,7 @@
- rule: Anonymous Request Allowed - rule: Anonymous Request Allowed
desc: > desc: >
Detect any request made by the anonymous user that was allowed Detect any request made by the anonymous user that was allowed
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint condition: kevt and ka.user.name=system:anonymous and ka.auth.decision!=reject and not health_endpoint
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason)) output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -241,122 +200,41 @@
# events to be stateful, so it could know if a container named in an # events to be stateful, so it could know if a container named in an
# attach request was created privileged or not. For now, we have a # attach request was created privileged or not. For now, we have a
# less severe rule that detects attaches/execs to any pod. # less severe rule that detects attaches/execs to any pod.
#
# For the same reason, you can't use things like image names/prefixes,
# as the event that creates the pod (which has the images) is a
# separate event than the actual exec/attach to the pod.
- macro: user_known_exec_pod_activities
condition: (k8s_audit_never_true)
- rule: Attach/Exec Pod - rule: Attach/Exec Pod
desc: > desc: >
Detect any attempt to attach/exec to a pod Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach)
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command]) output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE priority: NOTICE
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
- macro: user_known_pod_debug_activities
condition: (k8s_audit_never_true)
# Only works when feature gate EphemeralContainers is enabled
# Definining empty exceptions just to avoid warnings. There isn't any
# great exception for this kind of object, as you'd expect the images
# to vary wildly.
- rule: EphemeralContainers Created
desc: >
Detect any ephemeral container created
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
exceptions:
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
priority: NOTICE
source: k8s_audit
tags: [k8s]
# In a local/user rules fie, you can append to this list to add additional allowed namespaces # In a local/user rules fie, you can append to this list to add additional allowed namespaces
- list: allowed_namespaces - list: allowed_namespaces
items: [kube-system, kube-public, default] items: [kube-system, kube-public, default]
- rule: Create Disallowed Namespace - rule: Create Disallowed Namespace
desc: Detect any attempt to create a namespace outside of a set of known namespaces desc: Detect any attempt to create a namespace outside of a set of known namespaces
condition: kevt and namespace and kcreate condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
exceptions:
- name: services
fields: ka.target.name
comps: in
values: [allowed_namespaces]
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name) output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
# Only defined for backwards compatibility. Use the more specific
# user_allowed_kube_namespace_image_list instead.
- list: user_trusted_image_list
items: []
- list: user_allowed_kube_namespace_image_list
items: [user_trusted_image_list]
# Only defined for backwards compatibility. Use the more specific
# allowed_kube_namespace_image_list instead.
- list: k8s_image_list
items: []
- list: allowed_kube_namespace_image_list
items: [
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/node,
gke.gcr.io/addon-resizer,
gke.gcr.io/heapster,
gke.gcr.io/gke-metadata-server,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-apiserver,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
k8s.gcr.io/addon-resizer
k8s.gcr.io/prometheus-to-sd,
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
k8s.gcr.io/k8s-dns-kube-dns-amd64,
k8s.gcr.io/k8s-dns-sidecar-amd64,
k8s.gcr.io/metrics-server-amd64,
kope/kube-apiserver-healthcheck,
k8s_image_list
]
# Detect any new pod created in the kube-system namespace # Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace - rule: Pod Created in Kube Namespace
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
exceptions:
- name: images
fields: ka.req.pod.containers.image.repository
comps: in
values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
- list: user_known_sa_list
items: []
- macro: trusted_sa
condition: (ka.target.name in (user_known_sa_list))
# Detect creating a service account in the kube-system/kube-public namespace # Detect creating a service account in the kube-system/kube-public namespace
- rule: Service Account Created in Kube Namespace - rule: Service Account Created in Kube Namespace
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
exceptions:
- name: accounts
fields: [ka.target.namespace, ka.target.name]
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace) output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -367,11 +245,7 @@
# normal operation. # normal operation.
- rule: System ClusterRole Modified/Deleted - rule: System ClusterRole Modified/Deleted
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
not ka.target.name in (system:coredns, system:managed-certificate-controller)
exceptions:
- name: roles
fields: [ka.target.namespace, ka.target.name]
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb) output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -382,10 +256,6 @@
- rule: Attach to cluster-admin Role - rule: Attach to cluster-admin Role
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
exceptions:
- name: subjects
fields: ka.req.binding.subjects
comps: in
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects) output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -394,10 +264,6 @@
- rule: ClusterRole With Wildcard Created - rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*")) condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -410,10 +276,6 @@
- rule: ClusterRole With Write Privileges Created - rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
condition: kevt and (role or clusterrole) and kcreate and writable_verbs condition: kevt and (role or clusterrole) and kcreate and writable_verbs
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: NOTICE priority: NOTICE
source: k8s_audit source: k8s_audit
@@ -422,10 +284,6 @@
- rule: ClusterRole With Pod Exec Created - rule: ClusterRole With Pod Exec Created
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec") condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
exceptions:
- name: roles
fields: ka.target.name
comps: in
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@@ -437,16 +295,12 @@
- macro: consider_activity_events - macro: consider_activity_events
condition: (k8s_audit_always_true) condition: (k8s_audit_always_true)
# Activity events don't have exceptions. They do define an empty
# exceptions property just to avoid warnings when loading rules.
- macro: kactivity - macro: kactivity
condition: (kevt and consider_activity_events) condition: (kevt and consider_activity_events)
- rule: K8s Deployment Created - rule: K8s Deployment Created
desc: Detect any attempt to create a deployment desc: Detect any attempt to create a deployment
condition: (kactivity and kcreate and deployment and response_successful) condition: (kactivity and kcreate and deployment and response_successful)
exceptions:
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -455,7 +309,6 @@
- rule: K8s Deployment Deleted - rule: K8s Deployment Deleted
desc: Detect any attempt to delete a deployment desc: Detect any attempt to delete a deployment
condition: (kactivity and kdelete and deployment and response_successful) condition: (kactivity and kdelete and deployment and response_successful)
exceptions:
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -464,7 +317,6 @@
- rule: K8s Service Created - rule: K8s Service Created
desc: Detect any attempt to create a service desc: Detect any attempt to create a service
condition: (kactivity and kcreate and service and response_successful) condition: (kactivity and kcreate and service and response_successful)
exceptions:
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -473,7 +325,6 @@
- rule: K8s Service Deleted - rule: K8s Service Deleted
desc: Detect any attempt to delete a service desc: Detect any attempt to delete a service
condition: (kactivity and kdelete and service and response_successful) condition: (kactivity and kdelete and service and response_successful)
exceptions:
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -482,7 +333,6 @@
- rule: K8s ConfigMap Created - rule: K8s ConfigMap Created
desc: Detect any attempt to create a configmap desc: Detect any attempt to create a configmap
condition: (kactivity and kcreate and configmap and response_successful) condition: (kactivity and kcreate and configmap and response_successful)
exceptions:
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -491,7 +341,6 @@
- rule: K8s ConfigMap Deleted - rule: K8s ConfigMap Deleted
desc: Detect any attempt to delete a configmap desc: Detect any attempt to delete a configmap
condition: (kactivity and kdelete and configmap and response_successful) condition: (kactivity and kdelete and configmap and response_successful)
exceptions:
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -500,7 +349,6 @@
- rule: K8s Namespace Created - rule: K8s Namespace Created
desc: Detect any attempt to create a namespace desc: Detect any attempt to create a namespace
condition: (kactivity and kcreate and namespace and response_successful) condition: (kactivity and kcreate and namespace and response_successful)
exceptions:
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -509,7 +357,6 @@
- rule: K8s Namespace Deleted - rule: K8s Namespace Deleted
desc: Detect any attempt to delete a namespace desc: Detect any attempt to delete a namespace
condition: (kactivity and non_system_user and kdelete and namespace and response_successful) condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
exceptions:
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -518,7 +365,6 @@
- rule: K8s Serviceaccount Created - rule: K8s Serviceaccount Created
desc: Detect any attempt to create a service account desc: Detect any attempt to create a service account
condition: (kactivity and kcreate and serviceaccount and response_successful) condition: (kactivity and kcreate and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -527,7 +373,6 @@
- rule: K8s Serviceaccount Deleted - rule: K8s Serviceaccount Deleted
desc: Detect any attempt to delete a service account desc: Detect any attempt to delete a service account
condition: (kactivity and kdelete and serviceaccount and response_successful) condition: (kactivity and kdelete and serviceaccount and response_successful)
exceptions:
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -536,7 +381,6 @@
- rule: K8s Role/Clusterrole Created - rule: K8s Role/Clusterrole Created
desc: Detect any attempt to create a cluster role/role desc: Detect any attempt to create a cluster role/role
condition: (kactivity and kcreate and (clusterrole or role) and response_successful) condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -545,7 +389,6 @@
- rule: K8s Role/Clusterrole Deleted - rule: K8s Role/Clusterrole Deleted
desc: Detect any attempt to delete a cluster role/role desc: Detect any attempt to delete a cluster role/role
condition: (kactivity and kdelete and (clusterrole or role) and response_successful) condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
exceptions:
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -554,7 +397,6 @@
- rule: K8s Role/Clusterrolebinding Created - rule: K8s Role/Clusterrolebinding Created
desc: Detect any attempt to create a clusterrolebinding desc: Detect any attempt to create a clusterrolebinding
condition: (kactivity and kcreate and clusterrolebinding and response_successful) condition: (kactivity and kcreate and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -563,7 +405,6 @@
- rule: K8s Role/Clusterrolebinding Deleted - rule: K8s Role/Clusterrolebinding Deleted
desc: Detect any attempt to delete a clusterrolebinding desc: Detect any attempt to delete a clusterrolebinding
condition: (kactivity and kdelete and clusterrolebinding and response_successful) condition: (kactivity and kdelete and clusterrolebinding and response_successful)
exceptions:
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -572,7 +413,6 @@
- rule: K8s Secret Created - rule: K8s Secret Created
desc: Detect any attempt to create a secret. Service account tokens are excluded. desc: Detect any attempt to create a secret. Service account tokens are excluded.
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful) condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -581,7 +421,6 @@
- rule: K8s Secret Deleted - rule: K8s Secret Deleted
desc: Detect any attempt to delete a secret Service account tokens are excluded. desc: Detect any attempt to delete a secret Service account tokens are excluded.
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful) condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
exceptions:
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO priority: INFO
source: k8s_audit source: k8s_audit
@@ -600,7 +439,6 @@
- rule: All K8s Audit Events - rule: All K8s Audit Events
desc: Match all K8s Audit Events desc: Match all K8s Audit Events
condition: kall condition: kall
exceptions:
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj) output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
priority: DEBUG priority: DEBUG
source: k8s_audit source: k8s_audit
@@ -615,11 +453,11 @@
- list: full_admin_k8s_users - list: full_admin_k8s_users
items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"] items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
# This rules detect an operation triggered by an user name that is # This rules detect an operation triggered by an user name that is
# included in the list of those that are default administrators upon # included in the list of those that are default administrators upon
# cluster creation. This may signify a permission setting too broader. # cluster creation. This may signify a permission setting too broader.
# As we can't check for role of the user on a general ka.* event, this # As we can't check for role of the user on a general ka.* event, this
# may or may not be an administrator. Customize the full_admin_k8s_users # may or may not be an administrator. Customize the full_admin_k8s_users
# list to your needs, and activate at your discrection. # list to your needs, and activate at your discrection.
# # How to test: # # How to test:
@@ -629,19 +467,17 @@
- rule: Full K8s Administrative Access - rule: Full K8s Administrative Access
desc: Detect any k8s operation by a user name that may be an administrator with full access. desc: Detect any k8s operation by a user name that may be an administrator with full access.
condition: > condition: >
kevt kevt
and non_system_user and non_system_user
and ka.user.name in (full_admin_k8s_users) and ka.user.name in (admin_k8s_users)
and not allowed_full_admin_users and not allowed_full_admin_users
exceptions:
- name: user_names
fields: ka.user.name
comps: in
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
tags: [k8s] tags: [k8s]
- macro: ingress - macro: ingress
condition: ka.target.resource=ingresses condition: ka.target.resource=ingresses
@@ -670,16 +506,15 @@
desc: Detect any attempt to create an ingress without TLS certification. desc: Detect any attempt to create an ingress without TLS certification.
condition: > condition: >
(kactivity and kcreate and ingress and response_successful and not ingress_tls) (kactivity and kcreate and ingress and response_successful and not ingress_tls)
exceptions:
- name: ingresses
fields: [ka.target.namespace, ka.target.name]
output: > output: >
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
namespace=%ka.target.namespace) namespace=%ka.target.namespace)
source: k8s_audit source: k8s_audit
priority: WARNING priority: WARNING
tags: [k8s, network] tags: [k8s, network]
- macro: node - macro: node
condition: ka.target.resource=nodes condition: ka.target.resource=nodes
@@ -699,15 +534,11 @@
desc: > desc: >
Detect a node successfully joined the cluster outside of the list of allowed nodes. Detect a node successfully joined the cluster outside of the list of allowed nodes.
condition: > condition: >
kevt and node kevt and node
and kcreate and kcreate
and response_successful and response_successful
and not allow_all_k8s_nodes and not allow_all_k8s_nodes
exceptions: and not ka.target.name in (allowed_k8s_nodes)
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name) output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
priority: ERROR priority: ERROR
source: k8s_audit source: k8s_audit
@@ -717,15 +548,11 @@
desc: > desc: >
Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes. Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
condition: > condition: >
kevt and node kevt and node
and kcreate and kcreate
and not response_successful and not response_successful
and not allow_all_k8s_nodes and not allow_all_k8s_nodes
exceptions: and not ka.target.name in (allowed_k8s_nodes)
- name: nodes
fields: ka.target.name
comps: in
values: [allowed_k8s_nodes]
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason) output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit


@@ -1,61 +0,0 @@
#!/usr/bin/env bash
usage() {
echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
exit 1
}
user=poiana
# Get the versions to delete.
#
# $1: repository to lookup
# $2: number of versions to skip.
get_versions() {
# The API endpoint returns the Falco package versions sort by most recent.
IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
}
# Remove all the versions (${all[@]} array).
#
# $1: repository containing the versions.
rem_versions() {
for i in "${!all[@]}";
do
JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
done
}
while getopts ":p::r:" opt; do
case "${opt}" in
p )
pass=${OPTARG}
;;
r )
repo="${OPTARG}"
[[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
;;
: )
echo "invalid option: ${OPTARG} requires an argument" 1>&2
exit 1
;;
\?)
echo "invalid option: ${OPTARG}" 1>&2
exit 1
;;
esac
done
shift $((OPTIND-1))
if [ -z "${pass}" ] || [ -z "${repo}" ]; then
usage
fi
skip=51
if [[ "${repo}" == "bin-dev" ]]; then
skip=11
fi
get_versions "${repo}" ${skip}
echo "number of versions to delete: ${#all[@]}"
rem_versions "${repo}"


@@ -143,41 +143,33 @@ load_kernel_module_compile() {
# skip dkms on UEK hosts because it will always fail # skip dkms on UEK hosts because it will always fail
if [[ $(uname -r) == *uek* ]]; then if [[ $(uname -r) == *uek* ]]; then
echo "* Skipping dkms install for UEK host" echo "* Skipping dkms install for UEK host"
return else
fi if hash dkms &>/dev/null; then
echo "* Trying to dkms install ${DRIVER_NAME} module"
if ! hash dkms &>/dev/null; then if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* Skipping dkms install (dkms not found)" echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
return if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
fi echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
# try to compile using all the available gcc versions elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}" exit 0
echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make else
echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make echo "* Unable to insmod ${DRIVER_NAME} module"
chmod +x /tmp/falco-dkms-make fi
if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
exit 0
elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
exit 0
else else
echo "* Unable to insmod ${DRIVER_NAME} module" DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
if [ -f "${DKMS_LOG}" ]; then
echo "* Running dkms build failed, dumping ${DKMS_LOG}"
cat "${DKMS_LOG}"
else
echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
fi
fi fi
else else
DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log" echo "* Skipping dkms install (dkms not found)"
if [ -f "${DKMS_LOG}" ]; then
echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
cat "${DKMS_LOG}"
else
echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
fi
fi fi
done fi
} }
load_kernel_module_download() { load_kernel_module_download() {
@@ -220,7 +212,7 @@ load_kernel_module() {
rmmod "${DRIVER_NAME}" 2>/dev/null rmmod "${DRIVER_NAME}" 2>/dev/null
WAIT_TIME=0 WAIT_TIME=0
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_") KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
if rmmod "${DRIVER_NAME}" 2>/dev/null; then if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s" echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
break break
@@ -232,7 +224,7 @@ load_kernel_module() {
sleep 1 sleep 1
done done
if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best" echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
exit 0 exit 0
fi fi
@@ -481,8 +473,9 @@ else
FALCO_DRIVER_CURL_OPTIONS=-fsS FALCO_DRIVER_CURL_OPTIONS=-fsS
fi fi
if [[ -z "$MAX_RMMOD_WAIT" ]]; then MAX_RMMOD_WAIT=60
MAX_RMMOD_WAIT=60 if [[ $# -ge 1 ]]; then
MAX_RMMOD_WAIT=$1
fi fi
DRIVER_VERSION="@PROBE_VERSION@" DRIVER_VERSION="@PROBE_VERSION@"
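Review bot: The module-presence test on the new side of the `load_kernel_module` hunks, `lsmod | grep "${KMOD_NAME}"`, is an unanchored substring match, so any loaded module whose name merely contains `${KMOD_NAME}` sends the script into the `seems to still be loaded, hoping the best` branch and `exit 0` with the driver not actually (re)loaded, and the caller never learns that no kernel events will be captured. Anchoring on the module column, `lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"`, in both the `while` condition and the final `if` removes that false positive. The new `MAX_RMMOD_WAIT=$1` is also consumed unvalidated by `[ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]`, where a non-numeric argument makes the test error out instead of waiting; guard it with `[[ "$1" =~ ^[0-9]+$ ]] || { echo "invalid MAX_RMMOD_WAIT: $1" >&2; exit 1; }`. I read the right-hand column as the new side from the 41/33 line counts in the first hunk header; `load_kernel_module_compile` and `load_kernel_module` both begin before their hunks.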


@@ -1,4 +1 @@
add_subdirectory(trace_files) add_subdirectory(trace_files)
add_custom_target(test-trace-files ALL)
add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)


@@ -7,25 +7,13 @@ You can find instructions on how to run this test suite on the Falco website [he
## Test suites ## Test suites
- [falco_tests](./falco_tests.yaml) - [falco_tests](./falco_tests.yaml)
- [falco_traces](./falco_traces.yaml.in) - [falco_traces](./falco_traces.yaml)
- [falco_tests_package](./falco_tests_package.yaml) - [falco_tests_package](./falco_tests_package.yaml)
- [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml) - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
- [falco_tests_psp](./falco_tests_psp.yaml) - [falco_tests_psp](./falco_tests_psp.yaml)
## Running locally ## Running locally
This step assumes you already built Falco.
Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
```console
make test-trace-files
```
It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory): Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
```console ```console
@@ -44,72 +32,8 @@ In case you want to only execute a specific test case, use the `--mux-filter-onl
BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
``` ```
To obtain the path of all the available variants for a given test suite, execute: To obtain the path of all the available variants, execute:
```console ```console
avocado variants --mux-yaml falco_tests.yaml avocado variants --mux-yaml falco_test.yaml
``` ```
### falco_traces
The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
1. Ensure you have `unzip` and `xargs` utilities
2. Prepare the test suite with the following command:
```console
bash run_regression_tests.sh -p -v
```
### falco_tests_package
The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
1. Ensure you have `docker` up and running
2. Ensure you build Falco (with bundled deps)
The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
```console
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
```
3. Ensure you build the Falco packages from the Falco above:
```console
docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
```
4. Ensure you build the runners:
```console
FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
mkdir -p /tmp/runners-rootfs
cp -R ./test/rules /tmp/runners-rootfs
cp -R ./test/trace_files /tmp/runners-rootfs
cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
```
5. Run the `falco_tests_package.yaml` test suite from the `test` directory
```console
cd test
BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
```
### Execute all the test suites
In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
```console
cd test
./run_regression_tests.sh -v
```
Just make sure you followed all the previous setup steps.


@@ -1,38 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Whether to output events in json or text.
json_output: false
# Send information logs to stderr and/or syslog
# Note these are *not* security notification logs!
# These are just Falco lifecycle (and possibly error) logs.
log_stderr: false
log_syslog: false
# Where security notifications should go.
stdout_output:
enabled: false
# gRPC server using an unix socket.
grpc:
enabled: true
bind_address: "unix:///tmp/falco/falco.sock"
threadiness: 8
grpc_output:
enabled: true


@@ -41,4 +41,4 @@ stdout_output:
program_output: program_output:
enabled: true enabled: true
program: cat >> /tmp/falco_outputs/program_output.txt program: cat > /tmp/falco_outputs/program_output.txt
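Review bot: With `cat > /tmp/falco_outputs/program_output.txt` the file is truncated every time the program is spawned, so if Falco runs the program once per alert (no `keep_alive` setting is visible in this hunk) only the last alert survives and the line search in `check_outputs` in `falco_test.py` becomes order-dependent and flaky. Appending, `program: cat >> /tmp/falco_outputs/program_output.txt`, keeps every alert, and provided the harness removes the file before each test run appending leaks no state between tests. This assumes the right-hand column is the new side, as the hunk headers elsewhere on this page indicate; the counts in this header are equal so it cannot be confirmed from the hunk alone.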


@@ -136,7 +136,7 @@ stdout_output:
webserver: webserver:
enabled: true enabled: true
listen_port: 8765 listen_port: 8765
k8s_audit_endpoint: /k8s-audit k8s_audit_endpoint: /k8s_audit
ssl_enabled: false ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem ssl_certificate: /etc/falco/falco.pem
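Review bot: Changing `k8s_audit_endpoint` between `/k8s-audit` and `/k8s_audit` changes the URL the API server's audit webhook has to POST to; a webhook still configured for the other spelling gets HTTP errors from Falco's webserver and every `source: k8s_audit` rule stops firing, with nothing in the rule output to show why. Whichever spelling is the new one, please document the coupling above the key, e.g. `# Must match the URL path in the kube-apiserver audit webhook sink config; a mismatch means no k8s_audit events reach the rules.`, and add a test that posts a sample audit event to the configured path. The surrounding context keeps `ssl_enabled: false`, so audit events arrive in cleartext; that is unchanged by this commit but worth a one-line comment for anyone copying this file into a real deployment.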


@@ -1,42 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# File containing Falco rules, loaded at startup.
rules_file: /etc/falco_rules.yaml
# Whether to output events in json or text
json_output: false
# Send information logs to stderr and/or syslog Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: false
log_syslog: false
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
enabled: false
file_output:
enabled: false
stdout_output:
enabled: true
program_output:
enabled: false


@@ -20,17 +20,17 @@ set -euo pipefail
BUILD_DIR=$1 BUILD_DIR=$1
SCRIPT=$(readlink -f $0) SCRIPT=$(readlink -f $0)
SCRIPTDIR=$(dirname "$SCRIPT") SCRIPTDIR=$(dirname $SCRIPT)
RUNNERDIR="${SCRIPTDIR}/runner" RUNNERDIR="${SCRIPTDIR}/runner"
FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz" FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"
cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}" cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
pushd "${RUNNERDIR}" pushd ${RUNNERDIR}
docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \ docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
-t falcosecurity/falco:test-driver-loader \ -t falcosecurity/falco:test-driver-loader \
-f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}" -f "${RUNNERDIR}/Dockerfile" ${RUNNERDIR}
popd popd
rm -f "${RUNNERDIR}/${FALCO_PACKAGE}" rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"
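Review bot: The new side drops the quotes around `$SCRIPT` and `${RUNNERDIR}` in `SCRIPTDIR=$(dirname $SCRIPT)`, `pushd ${RUNNERDIR}` and the `docker build` context argument, so a checkout path containing whitespace or glob characters is word-split and the `pushd` or the build context lands in the wrong directory; under `set -euo pipefail` that is at best a confusing failure. Keep them quoted: `SCRIPTDIR=$(dirname "$SCRIPT")`, `pushd "${RUNNERDIR}"`, `-f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"`. The unquoted `readlink -f $0` and `cat ${BUILD_DIR}/...` in the context lines have the same issue but predate this change. I am reading the right-hand column as the new side; the counts in this hunk header are equal, so that is inferred from the rest of the page.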


@@ -10,6 +10,7 @@ ENV HOST_ROOT=/host
RUN apt-get update -y RUN apt-get update -y
RUN apt-get install -y --no-install-recommends \ RUN apt-get install -y --no-install-recommends \
ca-certificates \ ca-certificates \
libyaml-0-2 \
dkms \ dkms \
curl \ curl \
gcc \ gcc \
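Review bot: The added `libyaml-0-2` goes into a `RUN apt-get install` layer that is separate from `RUN apt-get update -y`, so when only the package list changes the cached index from the earlier layer is reused and the install can fail with a 404 on a package version the mirror has since superseded. Merge them into one layer, `RUN apt-get update -y && apt-get install -y --no-install-recommends ... && rm -rf /var/lib/apt/lists/*`, so the index is refreshed whenever the package set changes and is not baked into the image. The `RUN apt-get install` statement continues past the end of the hunk.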


@@ -1,4 +1,4 @@
#!/usr/bin/env python #!/usr/bin/env python
# #
# Copyright (C) 2019 The Falco Authors. # Copyright (C) 2019 The Falco Authors.
# #
@@ -28,9 +28,6 @@ import urllib.request
from avocado import Test from avocado import Test
from avocado import main from avocado import main
from avocado.utils import process from avocado.utils import process
from watchdog.observers import Observer
from watchdog.events import PatternMatchingEventHandler
class FalcoTest(Test): class FalcoTest(Test):
@@ -50,20 +47,17 @@ class FalcoTest(Test):
self.stdout_is = self.params.get('stdout_is', '*', default='') self.stdout_is = self.params.get('stdout_is', '*', default='')
self.stderr_is = self.params.get('stderr_is', '*', default='') self.stderr_is = self.params.get('stderr_is', '*', default='')
self.stdout_contains = self.params.get( self.stdout_contains = self.params.get('stdout_contains', '*', default='')
'stdout_contains', '*', default='')
if not isinstance(self.stdout_contains, list): if not isinstance(self.stdout_contains, list):
self.stdout_contains = [self.stdout_contains] self.stdout_contains = [self.stdout_contains]
self.stderr_contains = self.params.get( self.stderr_contains = self.params.get('stderr_contains', '*', default='')
'stderr_contains', '*', default='')
if not isinstance(self.stderr_contains, list): if not isinstance(self.stderr_contains, list):
self.stderr_contains = [self.stderr_contains] self.stderr_contains = [self.stderr_contains]
self.stdout_not_contains = self.params.get( self.stdout_not_contains = self.params.get('stdout_not_contains', '*', default='')
'stdout_not_contains', '*', default='')
if not isinstance(self.stdout_not_contains, list): if not isinstance(self.stdout_not_contains, list):
if self.stdout_not_contains == '': if self.stdout_not_contains == '':
@@ -71,8 +65,7 @@ class FalcoTest(Test):
else: else:
self.stdout_not_contains = [self.stdout_not_contains] self.stdout_not_contains = [self.stdout_not_contains]
self.stderr_not_contains = self.params.get( self.stderr_not_contains = self.params.get('stderr_not_contains', '*', default='')
'stderr_not_contains', '*', default='')
if not isinstance(self.stderr_not_contains, list): if not isinstance(self.stderr_not_contains, list):
if self.stderr_not_contains == '': if self.stderr_not_contains == '':
@@ -88,18 +81,15 @@ class FalcoTest(Test):
self.trace_file = os.path.join(build_dir, "test", self.trace_file) self.trace_file = os.path.join(build_dir, "test", self.trace_file)
self.json_output = self.params.get('json_output', '*', default=False) self.json_output = self.params.get('json_output', '*', default=False)
self.json_include_output_property = self.params.get( self.json_include_output_property = self.params.get('json_include_output_property', '*', default=True)
'json_include_output_property', '*', default=True)
self.all_events = self.params.get('all_events', '*', default=False) self.all_events = self.params.get('all_events', '*', default=False)
self.priority = self.params.get('priority', '*', default='debug') self.priority = self.params.get('priority', '*', default='debug')
self.rules_file = self.params.get( self.rules_file = self.params.get('rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
if not isinstance(self.rules_file, list): if not isinstance(self.rules_file, list):
self.rules_file = [self.rules_file] self.rules_file = [self.rules_file]
self.validate_rules_file = self.params.get( self.validate_rules_file = self.params.get('validate_rules_file', '*', default=False)
'validate_rules_file', '*', default=False)
if self.validate_rules_file == False: if self.validate_rules_file == False:
self.validate_rules_file = [] self.validate_rules_file = []
@@ -126,15 +116,13 @@ class FalcoTest(Test):
file = os.path.join(self.basedir, file) file = os.path.join(self.basedir, file)
self.rules_args = self.rules_args + "-r " + file + " " self.rules_args = self.rules_args + "-r " + file + " "
self.conf_file = self.params.get( self.conf_file = self.params.get('conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
if not os.path.isabs(self.conf_file): if not os.path.isabs(self.conf_file):
self.conf_file = os.path.join(self.basedir, self.conf_file) self.conf_file = os.path.join(self.basedir, self.conf_file)
self.run_duration = self.params.get('run_duration', '*', default='') self.run_duration = self.params.get('run_duration', '*', default='')
self.disabled_rules = self.params.get( self.disabled_rules = self.params.get('disabled_rules', '*', default='')
'disabled_rules', '*', default='')
if self.disabled_rules == '': if self.disabled_rules == '':
self.disabled_rules = [] self.disabled_rules = []
@@ -147,8 +135,7 @@ class FalcoTest(Test):
for rule in self.disabled_rules: for rule in self.disabled_rules:
self.disabled_args = self.disabled_args + "-D " + rule + " " self.disabled_args = self.disabled_args + "-D " + rule + " "
self.detect_counts = self.params.get( self.detect_counts = self.params.get('detect_counts', '*', default=False)
'detect_counts', '*', default=False)
if self.detect_counts == False: if self.detect_counts == False:
self.detect_counts = {} self.detect_counts = {}
else: else:
@@ -158,8 +145,7 @@ class FalcoTest(Test):
detect_counts[key] = value detect_counts[key] = value
self.detect_counts = detect_counts self.detect_counts = detect_counts
self.rules_warning = self.params.get( self.rules_warning = self.params.get('rules_warning', '*', default=False)
'rules_warning', '*', default=False)
if self.rules_warning == False: if self.rules_warning == False:
self.rules_warning = set() self.rules_warning = set()
else: else:
@@ -184,11 +170,9 @@ class FalcoTest(Test):
self.package = self.params.get('package', '*', default='None') self.package = self.params.get('package', '*', default='None')
self.addl_docker_run_args = self.params.get( self.addl_docker_run_args = self.params.get('addl_docker_run_args', '*', default='')
'addl_docker_run_args', '*', default='')
self.copy_local_driver = self.params.get( self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
'copy_local_driver', '*', default=False)
# Used by possibly_copy_local_driver as well as docker run # Used by possibly_copy_local_driver as well as docker run
self.module_dir = os.path.expanduser("~/.falco") self.module_dir = os.path.expanduser("~/.falco")
@@ -211,60 +195,17 @@ class FalcoTest(Test):
os.makedirs(filedir) os.makedirs(filedir)
self.outputs = outputs self.outputs = outputs
self.output_strictly_contains = self.params.get(
'output_strictly_contains', '*', default='')
if self.output_strictly_contains == '':
self.output_strictly_contains = {}
else:
output_strictly_contains = []
for item in self.output_strictly_contains:
for key, value in list(item.items()):
output = {}
output['actual'] = key
output['expected'] = value
output_strictly_contains.append(output)
if not output['actual'] == 'stdout':
# Clean up file from previous tests, if any
if os.path.exists(output['actual']):
os.remove(output['actual'])
# Create the parent directory for the file if it doesn't exist.
filedir = os.path.dirname(output['actual'])
if not os.path.isdir(filedir):
os.makedirs(filedir)
self.output_strictly_contains = output_strictly_contains
self.grpcurl_res = None
self.grpc_observer = None
self.grpc_address = self.params.get(
'address', 'grpc/*', default='/var/run/falco.sock')
if self.grpc_address.startswith("unix://"):
self.is_grpc_using_unix_socket = True
self.grpc_address = self.grpc_address[len("unix://"):]
else:
self.is_grpc_using_unix_socket = False
self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
self.grpc_service = self.params.get('service', 'grpc/*', default='')
self.grpc_method = self.params.get('method', 'grpc/*', default='')
self.grpc_results = self.params.get('results', 'grpc/*', default='')
if self.grpc_results == '':
self.grpc_results = []
else:
if type(self.grpc_results) == str:
self.grpc_results = [self.grpc_results]
self.disable_tags = self.params.get('disable_tags', '*', default='') self.disable_tags = self.params.get('disable_tags', '*', default='')
if self.disable_tags == '': if self.disable_tags == '':
self.disable_tags = [] self.disable_tags=[]
self.run_tags = self.params.get('run_tags', '*', default='') self.run_tags = self.params.get('run_tags', '*', default='')
if self.run_tags == '': if self.run_tags == '':
self.run_tags = [] self.run_tags=[]
self.time_iso_8601 = self.params.get( self.time_iso_8601 = self.params.get('time_iso_8601', '*', default=False)
'time_iso_8601', '*', default=False)
def tearDown(self): def tearDown(self):
if self.package != 'None': if self.package != 'None':
@@ -283,8 +224,7 @@ class FalcoTest(Test):
self.log.debug("Actual warning rules: {}".format(found_warning)) self.log.debug("Actual warning rules: {}".format(found_warning))
if found_warning != self.rules_warning: if found_warning != self.rules_warning:
self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format( self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(self.rules_warning, found_warning))
self.rules_warning, found_warning))
def check_rules_events(self, res): def check_rules_events(self, res):
@@ -295,60 +235,50 @@ class FalcoTest(Test):
events = set(match.group(2).split(",")) events = set(match.group(2).split(","))
found_events[rule] = events found_events[rule] = events
self.log.debug( self.log.debug("Expected events for rules: {}".format(self.rules_events))
"Expected events for rules: {}".format(self.rules_events))
self.log.debug("Actual events for rules: {}".format(found_events)) self.log.debug("Actual events for rules: {}".format(found_events))
for rule in list(found_events.keys()): for rule in list(found_events.keys()):
if found_events.get(rule) != self.rules_events.get(rule): if found_events.get(rule) != self.rules_events.get(rule):
self.fail("rule {}: expected events {} differs from actual events {}".format( self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
rule, self.rules_events.get(rule), found_events.get(rule)))
def check_detections(self, res): def check_detections(self, res):
# Get the number of events detected. # Get the number of events detected.
match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8")) match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
if match is None: if match is None:
self.fail( self.fail("Could not find a line 'Events detected: <count>' in falco output")
"Could not find a line 'Events detected: <count>' in falco output")
events_detected = int(match.group(1)) events_detected = int(match.group(1))
if not self.should_detect and events_detected > 0: if not self.should_detect and events_detected > 0:
self.fail("Detected {} events when should have detected none".format( self.fail("Detected {} events when should have detected none".format(events_detected))
events_detected))
if self.should_detect: if self.should_detect:
if events_detected == 0: if events_detected == 0:
self.fail("Detected {} events when should have detected > 0".format( self.fail("Detected {} events when should have detected > 0".format(events_detected))
events_detected))
for level in self.detect_level: for level in self.detect_level:
level_line = '(?i){}: (\d+)'.format(level) level_line = '(?i){}: (\d+)'.format(level)
match = re.search(level_line, res.stdout.decode("utf-8")) match = re.search(level_line, res.stdout.decode("utf-8"))
if match is None: if match is None:
self.fail( self.fail("Could not find a line '{}: <count>' in falco output".format(level))
"Could not find a line '{}: <count>' in falco output".format(level))
events_detected = int(match.group(1)) events_detected = int(match.group(1))
if not events_detected > 0: if not events_detected > 0:
self.fail("Detected {} events at level {} when should have detected > 0".format( self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
events_detected, level))
def check_detections_by_rule(self, res): def check_detections_by_rule(self, res):
# Get the number of events detected for each rule. Must match the expected counts. # Get the number of events detected for each rule. Must match the expected counts.
match = re.search('Triggered rules by rule name:(.*)', match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
res.stdout.decode("utf-8"), re.DOTALL)
if match is None: if match is None:
self.fail( self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
"Could not find a block 'Triggered rules by rule name: ...' in falco output")
triggered_rules = match.group(1) triggered_rules = match.group(1)
for rule, count in list(self.detect_counts.items()): for rule, count in list(self.detect_counts.items()):
expected = '\s{}: (\d+)'.format( expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
match = re.search(expected, triggered_rules) match = re.search(expected, triggered_rules)
if match is None: if match is None:
@@ -357,11 +287,9 @@ class FalcoTest(Test):
actual_count = int(match.group(1)) actual_count = int(match.group(1))
if actual_count != count: if actual_count != count:
self.fail("Different counts for rule {}: expected={}, actual={}".format( self.fail("Different counts for rule {}: expected={}, actual={}".format(rule, count, actual_count))
rule, count, actual_count))
else: else:
self.log.debug( self.log.debug("Found expected count for rule {}: {}".format(rule, count))
"Found expected count for rule {}: {}".format(rule, count))
def check_outputs(self): def check_outputs(self):
for output in self.outputs: for output in self.outputs:
@@ -376,8 +304,7 @@ class FalcoTest(Test):
found = True found = True
if found == False: if found == False:
self.fail("Could not find a line '{}' in file '{}'".format( self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file']))
output['line'], output['file']))
return True return True
@@ -394,27 +321,7 @@ class FalcoTest(Test):
attrs = ['time', 'rule', 'priority'] attrs = ['time', 'rule', 'priority']
for attr in attrs: for attr in attrs:
if not attr in obj: if not attr in obj:
self.fail( self.fail("Falco JSON object {} does not contain property \"{}\"".format(line, attr))
"Falco JSON object {} does not contain property \"{}\"".format(line, attr))
def check_output_strictly_contains(self, res):
for output in self.output_strictly_contains:
# Read the expected output (from a file) and actual output (either from a file or the stdout),
# then check if the actual one strictly contains the expected one.
expected = open(output['expected']).read()
if output['actual'] == 'stdout':
actual = res.stdout.decode("utf-8")
else:
actual = open(output['actual']).read()
if expected not in actual:
self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
output['actual'], output['expected']))
return False
return True
def install_package(self): def install_package(self):
@@ -433,39 +340,35 @@ class FalcoTest(Test):
self.module_dir, self.addl_docker_run_args, image) self.module_dir, self.addl_docker_run_args, image)
elif self.package.endswith(".deb"): elif self.package.endswith(".deb"):
self.falco_binary_path = '/usr/bin/falco' self.falco_binary_path = '/usr/bin/falco';
package_glob = "{}/{}".format(self.falcodir, self.package) package_glob = "{}/{}".format(self.falcodir, self.package)
matches = glob.glob(package_glob) matches = glob.glob(package_glob)
if len(matches) != 1: if len(matches) != 1:
self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
package_glob, ",".join(matches))
package_path = matches[0] package_path = matches[0]
cmdline = "dpkg -i {}".format(package_path) cmdline = "dpkg -i {}".format(package_path)
self.log.debug( self.log.debug("Installing debian package via \"{}\"".format(cmdline))
"Installing debian package via \"{}\"".format(cmdline))
res = process.run(cmdline, timeout=120, sudo=True) res = process.run(cmdline, timeout=120, sudo=True)
elif self.package.endswith(".rpm"): elif self.package.endswith(".rpm"):
self.falco_binary_path = '/usr/bin/falco' self.falco_binary_path = '/usr/bin/falco';
package_glob = "{}/{}".format(self.falcodir, self.package) package_glob = "{}/{}".format(self.falcodir, self.package)
matches = glob.glob(package_glob) matches = glob.glob(package_glob)
if len(matches) != 1: if len(matches) != 1:
self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
package_glob, ",".join(matches))
package_path = matches[0] package_path = matches[0]
cmdline = "rpm -i --nodeps --noscripts {}".format(package_path) cmdline = "rpm -i --nodeps --noscripts {}".format(package_path)
self.log.debug( self.log.debug("Installing centos package via \"{}\"".format(cmdline))
"Installing centos package via \"{}\"".format(cmdline))
res = process.run(cmdline, timeout=120, sudo=True) res = process.run(cmdline, timeout=120, sudo=True)
def uninstall_package(self): def uninstall_package(self):
@@ -475,29 +378,25 @@ class FalcoTest(Test):
elif self.package.endswith(".rpm"): elif self.package.endswith(".rpm"):
cmdline = "rpm -e --noscripts --nodeps falco" cmdline = "rpm -e --noscripts --nodeps falco"
self.log.debug( self.log.debug("Uninstalling centos package via \"{}\"".format(cmdline))
"Uninstalling centos package via \"{}\"".format(cmdline))
res = process.run(cmdline, timeout=120, sudo=True) res = process.run(cmdline, timeout=120, sudo=True)
elif self.package.endswith(".deb"): elif self.package.endswith(".deb"):
cmdline = "dpkg --purge falco" cmdline = "dpkg --purge falco"
self.log.debug( self.log.debug("Uninstalling debian package via \"{}\"".format(cmdline))
"Uninstalling debian package via \"{}\"".format(cmdline))
res = process.run(cmdline, timeout=120, sudo=True) res = process.run(cmdline, timeout=120, sudo=True)
def possibly_copy_driver(self): def possibly_copy_driver(self):
# Remove the contents of ~/.falco regardless of copy_local_driver. # Remove the contents of ~/.falco regardless of copy_local_driver.
self.log.debug("Checking for module dir {}".format(self.module_dir)) self.log.debug("Checking for module dir {}".format(self.module_dir))
if os.path.isdir(self.module_dir): if os.path.isdir(self.module_dir):
self.log.info( self.log.info("Removing files below directory {}".format(self.module_dir))
"Removing files below directory {}".format(self.module_dir))
for rmfile in glob.glob(self.module_dir + "/*"): for rmfile in glob.glob(self.module_dir + "/*"):
self.log.debug("Removing file {}".format(rmfile)) self.log.debug("Removing file {}".format(rmfile))
os.remove(rmfile) os.remove(rmfile)
if self.copy_local_driver: if self.copy_local_driver:
verlines = [str.strip() for str in subprocess.check_output( verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
[self.falco_binary_path, "--version"]).splitlines()]
verstr = verlines[0].decode("utf-8") verstr = verlines[0].decode("utf-8")
self.log.info("verstr {}".format(verstr)) self.log.info("verstr {}".format(verstr))
falco_version = verstr.split(" ")[2] falco_version = verstr.split(" ")[2]
@@ -509,70 +408,22 @@ class FalcoTest(Test):
# falco-driver-loader has a more comprehensive set of ways to # falco-driver-loader has a more comprehensive set of ways to
# find the config hash. We only look at /boot/config-<kernel release> # find the config hash. We only look at /boot/config-<kernel release>
md5_output = subprocess.check_output( md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
config_hash = md5_output.split(" ")[0] config_hash = md5_output.split(" ")[0]
probe_filename = "falco-{}-{}-{}-{}.ko".format( probe_filename = "falco-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
falco_version, arch, kernel_release, config_hash)
driver_path = os.path.join(self.falcodir, "driver", "falco.ko") driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
module_path = os.path.join(self.module_dir, probe_filename) module_path = os.path.join(self.module_dir, probe_filename)
self.log.debug("Copying {} to {}".format(driver_path, module_path)) self.log.debug("Copying {} to {}".format(driver_path, module_path))
shutil.copyfile(driver_path, module_path) shutil.copyfile(driver_path, module_path)
def init_grpc_handler(self):
self.grpcurl_res = None
if len(self.grpc_results) > 0:
if not self.is_grpc_using_unix_socket:
self.fail("This test suite supports gRPC with unix socket only")
cmdline = "grpcurl -format text -import-path ../userspace/falco " \
"-proto {} -plaintext -unix {} " \
"{}/{}".format(self.grpc_proto, self.grpc_address,
self.grpc_service, self.grpc_method)
that = self
class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
def on_created(self, event):
# that.log.info("EVENT: {}", event)
that.grpcurl_res = process.run(cmdline)
path = os.path.dirname(self.grpc_address)
process.run("mkdir -p {}".format(path))
event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
ignore_directories=True)
self.grpc_observer = Observer()
self.grpc_observer.schedule(event_handler, path, recursive=False)
self.grpc_observer.start()
def check_grpc(self):
if self.grpc_observer is not None:
self.grpc_observer.stop()
self.grpc_observer = None
if self.grpcurl_res is None:
self.fail("gRPC responses not found")
for exp_result in self.grpc_results:
found = False
for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
if exp_result in line:
found = True
break
if found == False:
self.fail(
"Could not find a line with '{}' in gRPC responses (protobuf text".format(exp_result))
def test(self): def test(self):
self.log.info("Trace file %s", self.trace_file) self.log.info("Trace file %s", self.trace_file)
self.falco_binary_path = '{}/userspace/falco/falco'.format( self.falco_binary_path = '{}/userspace/falco/falco'.format(self.falcodir)
self.falcodir)
self.possibly_copy_driver() self.possibly_copy_driver()
self.init_grpc_handler()
if self.package != 'None': if self.package != 'None':
# This sets falco_binary_path as a side-effect. # This sets falco_binary_path as a side-effect.
self.install_package() self.install_package()
@@ -586,11 +437,9 @@ class FalcoTest(Test):
if self.psp_file != "": if self.psp_file != "":
if not os.path.isfile(self.psp_conv_path): if not os.path.isfile(self.psp_conv_path):
self.log.info("Downloading {} to {}".format( self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
self.psp_conv_url, self.psp_conv_path))
urllib.request.urlretrieve( urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
self.psp_conv_url, self.psp_conv_path)
os.chmod(self.psp_conv_path, stat.S_IEXEC) os.chmod(self.psp_conv_path, stat.S_IEXEC)
conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format( conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
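Review bot: The downloaded PSP converter is made executable and run without any integrity check: `urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)` is followed directly by `os.chmod(self.psp_conv_path, stat.S_IEXEC)`, and the binary is presumably what `conv_cmd` invokes on the line that follows, so whatever the URL serves (or a MITM/redirect substitutes) executes in the test run with the privileges of the harness, which elsewhere runs with `sudo=True`. Pin the artifact: store an expected digest next to `psp_conv_url` and, after the download, compare `hashlib.sha256(open(self.psp_conv_path, 'rb').read()).hexdigest()` against it, calling `self.fail(...)` on mismatch before the chmod. Separately, `stat.S_IEXEC` alone sets the mode to `0o100`, dropping read permission; `os.chmod(self.psp_conv_path, os.stat(self.psp_conv_path).st_mode | stat.S_IXUSR)` adds execute without removing anything. The enclosing `test` method begins in the previous hunk and continues past this one.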
@@ -608,6 +457,7 @@ class FalcoTest(Test):
psp_rules = myfile.read() psp_rules = myfile.read()
self.log.debug("Converted Rules: {}".format(psp_rules)) self.log.debug("Converted Rules: {}".format(psp_rules))
# Run falco # Run falco
cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format( cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority) self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
@@ -643,26 +493,22 @@ class FalcoTest(Test):
for pattern in self.stderr_contains: for pattern in self.stderr_contains:
match = re.search(pattern, res.stderr.decode("utf-8")) match = re.search(pattern, res.stderr.decode("utf-8"))
if match is None: if match is None:
self.fail( self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
"Stderr of falco process did not contain content matching {}".format(pattern))
for pattern in self.stdout_contains: for pattern in self.stdout_contains:
match = re.search(pattern, res.stdout.decode("utf-8")) match = re.search(pattern, res.stdout.decode("utf-8"))
if match is None: if match is None:
self.fail("Stdout of falco process '{}' did not contain content matching {}".format( self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
res.stdout.decode("utf-8"), pattern))
for pattern in self.stderr_not_contains: for pattern in self.stderr_not_contains:
match = re.search(pattern, res.stderr.decode("utf-8")) match = re.search(pattern, res.stderr.decode("utf-8"))
if match is not None: if match is not None:
self.fail( self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
"Stderr of falco process contained content matching {} when it should have not".format(pattern))
for pattern in self.stdout_not_contains: for pattern in self.stdout_not_contains:
match = re.search(pattern, res.stdout.decode("utf-8")) match = re.search(pattern, res.stdout.decode("utf-8"))
if match is not None: if match is not None:
self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format( self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
res.stdout.decode("utf-8"), pattern))
if res.exit_status != self.exit_status: if res.exit_status != self.exit_status:
self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format( self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
@@ -675,14 +521,11 @@ class FalcoTest(Test):
self.check_rules_warnings(res) self.check_rules_warnings(res)
if len(self.rules_events) > 0: if len(self.rules_events) > 0:
self.check_rules_events(res) self.check_rules_events(res)
if len(self.validate_rules_file) == 0: self.check_detections(res)
self.check_detections(res)
if len(self.detect_counts) > 0: if len(self.detect_counts) > 0:
self.check_detections_by_rule(res) self.check_detections_by_rule(res)
self.check_json_output(res) self.check_json_output(res)
self.check_outputs() self.check_outputs()
self.check_output_strictly_contains(res)
self.check_grpc()
pass pass


@@ -1,5 +1,5 @@
# #
# Copyright (C) 2020 The Falco Authors. # Copyright (C) 2016-2018 The Falco Authors..
# #
# This file is part of falco. # This file is part of falco.
# #
@@ -262,7 +262,6 @@ trace_files: !mux
invalid_not_yaml: invalid_not_yaml:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Rules content is not yaml Rules content is not yaml
--- ---
This is not yaml This is not yaml
@@ -274,7 +273,6 @@ trace_files: !mux
invalid_not_array: invalid_not_array:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Rules content is not yaml array of objects Rules content is not yaml array of objects
--- ---
foo: bar foo: bar
@@ -286,7 +284,6 @@ trace_files: !mux
invalid_array_item_not_object: invalid_array_item_not_object:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Unexpected element of type string. Each element should be a yaml associative array. Unexpected element of type string. Each element should be a yaml associative array.
--- ---
- foo - foo
@@ -295,10 +292,20 @@ trace_files: !mux
- rules/invalid_array_item_not_object.yaml - rules/invalid_array_item_not_object.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
invalid_unexpected object:
exit_status: 1
stdout_is: |+
Unknown rule object: {foo="bar"}
---
- foo: bar
---
validate_rules_file:
- rules/invalid_unexpected_object.yaml
trace_file: trace_files/cat_write.scap
invalid_engine_version_not_number: invalid_engine_version_not_number:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Value of required_engine_version must be a number Value of required_engine_version must be a number
--- ---
- required_engine_version: not-a-number - required_engine_version: not-a-number
@@ -310,7 +317,6 @@ trace_files: !mux
invalid_yaml_parse_error: invalid_yaml_parse_error:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
mapping values are not allowed in this context mapping values are not allowed in this context
--- ---
this : is : not : yaml this : is : not : yaml
@@ -322,7 +328,6 @@ trace_files: !mux
invalid_list_without_items: invalid_list_without_items:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
List must have property items List must have property items
--- ---
- list: bad_list - list: bad_list
@@ -335,7 +340,6 @@ trace_files: !mux
invalid_macro_without_condition: invalid_macro_without_condition:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Macro must have property condition Macro must have property condition
--- ---
- macro: bad_macro - macro: bad_macro
@@ -348,7 +352,6 @@ trace_files: !mux
invalid_rule_without_output: invalid_rule_without_output:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Rule must have property output Rule must have property output
--- ---
- rule: no output rule - rule: no output rule
@@ -356,8 +359,6 @@ trace_files: !mux
condition: evt.type=fork condition: evt.type=fork
priority: INFO priority: INFO
--- ---
1 warnings:
Rule no output rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file: validate_rules_file:
- rules/invalid_rule_without_output.yaml - rules/invalid_rule_without_output.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -365,8 +366,7 @@ trace_files: !mux
invalid_append_rule_without_condition: invalid_append_rule_without_condition:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors: Rule must have property condition
Rule must have exceptions or condition property
--- ---
- rule: no condition rule - rule: no condition rule
append: true append: true
@@ -378,7 +378,6 @@ trace_files: !mux
invalid_append_macro_dangling: invalid_append_macro_dangling:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Macro dangling append has 'append' key but no macro by that name already exists Macro dangling append has 'append' key but no macro by that name already exists
--- ---
- macro: dangling append - macro: dangling append
@@ -392,7 +391,6 @@ trace_files: !mux
invalid_list_append_dangling: invalid_list_append_dangling:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
List my_list has 'append' key but no list by that name already exists List my_list has 'append' key but no list by that name already exists
--- ---
- list: my_list - list: my_list
@@ -406,15 +404,12 @@ trace_files: !mux
invalid_rule_append_dangling: invalid_rule_append_dangling:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Rule my_rule has 'append' key but no rule by that name already exists Rule my_rule has 'append' key but no rule by that name already exists
--- ---
- rule: my_rule - rule: my_rule
condition: evt.type=open condition: evt.type=open
append: true append: true
--- ---
1 warnings:
Rule my_rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file: validate_rules_file:
- rules/rule_append_failure.yaml - rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -423,8 +418,7 @@ trace_files: !mux
exit_status: 1 exit_status: 1
stdout_contains: |+ stdout_contains: |+
.*invalid_base_macro.yaml: Ok .*invalid_base_macro.yaml: Ok
.*invalid_overwrite_macro.yaml: 1 errors: .*invalid_overwrite_macro.yaml: Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
--- ---
- macro: some macro - macro: some macro
condition: foo condition: foo
@@ -439,8 +433,7 @@ trace_files: !mux
exit_status: 1 exit_status: 1
stdout_contains: |+ stdout_contains: |+
.*invalid_base_macro.yaml: Ok .*invalid_base_macro.yaml: Ok
.*invalid_append_macro.yaml: 1 errors: .*invalid_append_macro.yaml: Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
--- ---
- macro: some macro - macro: some macro
condition: evt.type=execve condition: evt.type=execve
@@ -457,7 +450,6 @@ trace_files: !mux
invalid_overwrite_macro_multiple_docs: invalid_overwrite_macro_multiple_docs:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Compilation error when compiling "foo": Undefined macro 'foo' used in filter. Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
--- ---
- macro: some macro - macro: some macro
@@ -471,7 +463,6 @@ trace_files: !mux
invalid_append_macro_multiple_docs: invalid_append_macro_multiple_docs:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and' Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
--- ---
- macro: some macro - macro: some macro
@@ -489,8 +480,7 @@ trace_files: !mux
exit_status: 1 exit_status: 1
stdout_contains: |+ stdout_contains: |+
.*invalid_base_rule.yaml: Ok .*invalid_base_rule.yaml: Ok
.*invalid_overwrite_rule.yaml: 1 errors: .*invalid_overwrite_rule.yaml: Undefined macro 'bar' used in filter.
Undefined macro 'bar' used in filter.
--- ---
- rule: some rule - rule: some rule
desc: some desc desc: some desc
@@ -508,8 +498,7 @@ trace_files: !mux
exit_status: 1 exit_status: 1
stdout_contains: |+ stdout_contains: |+
.*invalid_base_rule.yaml: Ok .*invalid_base_rule.yaml: Ok
.*invalid_append_rule.yaml: 1 errors: .*invalid_append_rule.yaml: Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
--- ---
- rule: some rule - rule: some rule
desc: some desc desc: some desc
@@ -532,7 +521,6 @@ trace_files: !mux
invalid_overwrite_rule_multiple_docs: invalid_overwrite_rule_multiple_docs:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Undefined macro 'bar' used in filter. Undefined macro 'bar' used in filter.
--- ---
- rule: some rule - rule: some rule
@@ -542,9 +530,6 @@ trace_files: !mux
priority: INFO priority: INFO
append: false append: false
--- ---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file: validate_rules_file:
- rules/invalid_overwrite_rule_multiple_docs.yaml - rules/invalid_overwrite_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -567,9 +552,6 @@ trace_files: !mux
priority: INFO priority: INFO
append: true append: true
--- ---
2 warnings:
Rule some rule: consider adding an exceptions property to define supported exceptions fields
Rule some rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file: validate_rules_file:
- rules/invalid_append_rule_multiple_docs.yaml - rules/invalid_append_rule_multiple_docs.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -577,7 +559,6 @@ trace_files: !mux
invalid_missing_rule_name: invalid_missing_rule_name:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Rule name is empty Rule name is empty
--- ---
- rule: - rule:
@@ -592,7 +573,6 @@ trace_files: !mux
invalid_missing_list_name: invalid_missing_list_name:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
List name is empty List name is empty
--- ---
- list: - list:
@@ -605,7 +585,6 @@ trace_files: !mux
invalid_missing_macro_name: invalid_missing_macro_name:
exit_status: 1 exit_status: 1
stdout_is: |+ stdout_is: |+
1 errors:
Macro name is empty Macro name is empty
--- ---
- macro: - macro:
@@ -617,19 +596,8 @@ trace_files: !mux
invalid_rule_output: invalid_rule_output:
exit_status: 1 exit_status: 1
stdout_is: |+ stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
1 errors: rules_file:
Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
---
- rule: rule_with_invalid_output
desc: A rule with an invalid output field
condition: evt.type=open
output: "An open was seen %not_a_real_field"
priority: WARNING
---
1 warnings:
Rule rule_with_invalid_output: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/invalid_rule_output.yaml - rules/invalid_rule_output.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -684,79 +652,25 @@ trace_files: !mux
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null." stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."
stdout_output_strict: file_output:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/stdout_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- stdout: output_files/single_rule_with_cat_write.txt
stdout_output_json_strict:
json_output: True
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/stdout_output.yaml
trace_file: trace_files/cat_write.scap
time_iso_8601: true
output_strictly_contains:
- stdout: output_files/single_rule_with_cat_write.json
file_output_strict:
detect: True detect: True
detect_level: WARNING detect_level: WARNING
rules_file: rules_file:
- rules/single_rule.yaml - rules/single_rule.yaml
conf_file: confs/file_output.yaml conf_file: confs/file_output.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
time_iso_8601: true outputs:
output_strictly_contains: - /tmp/falco_outputs/file_output.txt: Warning An open was seen
- /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt
program_output_strict: program_output:
detect: True detect: True
detect_level: WARNING detect_level: WARNING
rules_file: rules_file:
- rules/single_rule.yaml - rules/single_rule.yaml
conf_file: confs/program_output.yaml conf_file: confs/program_output.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
time_iso_8601: true outputs:
output_strictly_contains: - /tmp/falco_outputs/program_output.txt: Warning An open was seen
- /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt
grpc_unix_socket_outputs:
detect: True
detect_level: WARNING
rules_file:
- rules/single_rule.yaml
conf_file: confs/grpc_unix_socket.yaml
trace_file: trace_files/cat_write.scap
run_duration: 5
time_iso_8601: true
grpc:
address: unix:///tmp/falco/falco.sock
proto: outputs.proto
service: falco.outputs.service
method: get
# protobuf text format
results:
- "seconds:1470327477 nanos:881781397"
- "priority: WARNING"
- "rule: \"open_from_cat\""
- "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
# output fields
- "key: \"evt.time.iso8601\""
- "value: \"2016-08-04T16:17:57.881781397+0000\""
- "key: \"proc.cmdline\""
- "value: \"cat /dev/null\""
# For the hostname, since we don't know that beforehand,
# only check the field presence
- "hostname: "
detect_counts: detect_counts:
detect: True detect: True
@@ -1149,7 +1063,7 @@ trace_files: !mux
skip_unknown_noevt: skip_unknown_noevt:
detect: False detect: False
stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody stdout_contains: Skipping rule "Contains Unknown Event And Skipping" that contains unknown filter proc.nobody
rules_file: rules_file:
- rules/skip_unknown_evt.yaml - rules/skip_unknown_evt.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
@@ -1162,33 +1076,14 @@ trace_files: !mux
skip_unknown_error: skip_unknown_error:
exit_status: 1 exit_status: 1
stderr_contains: |+ stderr_contains: Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting.
Could not load rules file.*skip_unknown_error.yaml: 1 errors:
rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
---
- rule: Contains Unknown Event And Not Skipping
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
skip-if-unknown-filter: false
priority: INFO
---
rules_file: rules_file:
- rules/skip_unknown_error.yaml - rules/skip_unknown_error.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
skip_unknown_unspec_error: skip_unknown_unspec_error:
exit_status: 1 exit_status: 1
stderr_contains: |+ stderr_contains: Rule "Contains Unknown Event And Unspecified" contains unknown filter proc.nobody. Exiting.
Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
---
- rule: Contains Unknown Event And Unspecified
desc: Contains an unknown event
condition: proc.nobody=cat
output: Never
priority: INFO
---
rules_file: rules_file:
- rules/skip_unknown_unspec.yaml - rules/skip_unknown_unspec.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
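Review bot: The new-side `stderr_contains` values are evaluated as regular expressions by the harness (`re.search(pattern, res.stderr.decode("utf-8"))` in the Python section above), so the unescaped dots in `Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting.` and its `Unspecified` sibling, and in the `Runtime error: Error loading rules:.* Invalid output format ...` pattern, match any character rather than a literal period. The assertions still pass, but they are looser than they read; escaping keeps the intent explicit: `proc\.nobody\. Exiting\.` and `'invalid formatting token not_a_real_field'\. Exiting\.`. Since these patterns are the only thing distinguishing the expected `exit_status: 1` error paths from an unrelated load failure, a literal match is worth the two backslashes.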


@@ -1,323 +0,0 @@
#
# Copyright (C) 2016-2020 The Falco Authors..
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
trace_files: !mux
rule_exception_no_fields:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: must have fields property with a list of fields
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
priority: error
---
validate_rules_file:
- rules/exceptions/item_no_fields.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item must have name property
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- fields: [proc.name, fd.filename]
priority: error
---
validate_rules_file:
- rules/exceptions/item_no_name.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_no_name:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item must have name property
---
- rule: My Rule
exceptions:
- values:
- [nginx, /tmp/foo]
append: true
---
validate_rules_file:
- rules/exceptions/append_item_no_name.yaml
trace_file: trace_files/cat_write.scap
rule_exception_unknown_fields:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: field name not.exist is not a supported filter field
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [not.exist]
priority: error
---
validate_rules_file:
- rules/exceptions/item_unknown_fields.yaml
trace_file: trace_files/cat_write.scap
rule_exception_comps_fields_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: fields and comps lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=]
priority: error
---
validate_rules_file:
- rules/exceptions/item_comps_fields_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_unknown_comp:
exit_status: 1
stdout_is: |+
1 errors:
Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=, no-comp]
priority: error
---
validate_rules_file:
- rules/exceptions/item_unknown_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_fields_values_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Exception item ex1: fields and values lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
values:
- [nginx]
priority: error
---
validate_rules_file:
- rules/exceptions/item_fields_values_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_fields_values_len_mismatch:
exit_status: 1
stdout_is: |+
1 errors:
Exception item ex1: fields and values lists must have equal length
---
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex1
values:
- [nginx]
append: true
---
validate_rules_file:
- rules/exceptions/append_item_fields_values_len_mismatch.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_item_not_in_rule:
exit_status: 0
stderr_contains: |+
1 warnings:
Rule My Rule with append=true: no set of fields matching name ex2
validate_rules_file:
- rules/exceptions/append_item_not_in_rule.yaml
trace_file: trace_files/cat_write.scap
rule_without_exception:
exit_status: 0
stderr_contains: |+
1 warnings:
Rule My Rule: consider adding an exceptions property to define supported exceptions fields
validate_rules_file:
- rules/exceptions/rule_without_exception.yaml
trace_file: trace_files/cat_write.scap
rule_exception_no_values:
detect: True
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_no_values.yaml
trace_file: trace_files/cat_write.scap
rule_exception_one_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_one_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_one_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_one_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_second_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_second_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_second_value:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_second_value.yaml
trace_file: trace_files/cat_write.scap
rule_exception_second_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_second_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_second_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_second_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_third_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_third_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_third_item:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_third_item.yaml
trace_file: trace_files/cat_write.scap
rule_exception_quoted:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_quoted.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_multiple_values:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_multiple.yaml
trace_file: trace_files/cat_write.scap
rule_exception_comp:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_append_comp:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_append_comp.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_listref:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_listref.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_listref_noparens:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_listref_noparens.yaml
trace_file: trace_files/cat_write.scap
rule_exception_values_list:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_values_list.yaml
trace_file: trace_files/cat_write.scap
rule_exception_single_field:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_single_field.yaml
trace_file: trace_files/cat_write.scap
rule_exception_single_field_append:
detect: False
detect_level: WARNING
rules_file:
- rules/exceptions/rule_exception_single_field_append.yaml
trace_file: trace_files/cat_write.scap


@@ -1,5 +1,5 @@
# #
# Copyright (C) 2020 The Falco Authors. # Copyright (C) 2019 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");


@@ -1,8 +0,0 @@
{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}


@@ -1,8 +0,0 @@
2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)

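--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3,11 +3,9 @@ avocado-framework-plugin-varianter-yaml-to-mux==69.0
 certifi==2020.4.5.1
 chardet==3.0.4
 idna==2.9
-pathtools==0.1.2
 pbr==5.4.5
 PyYAML==5.3.1
 requests==2.23.0
 six==1.14.0
 stevedore==1.32.0
 urllib3==1.25.9
-watchdog==0.10.2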


@@ -18,5 +18,5 @@
desc: Detect any connect to the localhost network, using fd.net and the in operator desc: Detect any connect to the localhost network, using fd.net and the in operator
condition: evt.type=connect and fd.net in ("127.0.0.1/24") condition: evt.type=connect and fd.net in ("127.0.0.1/24")
output: Program connected to localhost network output: Program connected to localhost network
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name) (user=%user.name command=%proc.cmdline connection=%fd.name)
priority: INFO priority: INFO
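Review bot: The new side of the `output:` line drops `user_loginuid=%user.loginuid`, so alerts from this rule no longer carry the audit login UID, which is the field that generally still identifies the originating user after a `sudo`/`su` changes what `%user.name` reports; keeping `(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)` preserves that attribution for triage. If the field disappeared only because this branch predates the base that introduced it, a rebase would restore it more safely than a hand edit of the output string. The rule this output belongs to starts above the hunk, so its name and condition context are not fully visible here.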


@@ -1,31 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex1
values:
- [nginx]
append: true


@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- values:
- [nginx, /tmp/foo]
append: true


@@ -1,31 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
priority: error
- rule: My Rule
exceptions:
- name: ex2
values:
- [apache, /tmp]
append: true


@@ -1,25 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=]
priority: error


@@ -1,26 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
values:
- [nginx]
priority: error


@@ -1,23 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
priority: error


@@ -1,23 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- fields: [proc.name, fd.filename]
priority: error


@@ -1,25 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [proc.name, fd.filename]
comps: [=, no-comp]
priority: error


@@ -1,24 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: My Rule
desc: Some desc
condition: evt.type=open and proc.name=cat
output: Some output
exceptions:
- name: ex1
fields: [not.exist]
priority: error


@@ -1,38 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_contains
fields: [proc.name]
comps: [contains]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_contains
values:
- [cat]
append: true


@@ -1,42 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
append: true
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [cat]
append: true


@@ -1,37 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [cat]
append: true


@@ -1,41 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
- name: proc_name_cmdline
values:
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
values:
- [not-cat, "cat /dev/null", bash]
append: true


@@ -1,36 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_cmdline
values:
- [not-cat, not-cat]
- [cat, "cat /dev/null"]
append: true


@@ -1,41 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name
values:
- [not-cat]
- name: proc_name_cmdline
values:
- [not-cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
values:
- [cat, "cat /dev/null", bash]
append: true


@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_contains
fields: [proc.name]
comps: [contains]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING


@@ -1,28 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING


@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING


@@ -1,36 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_name_cmdline
values:
- [not-cat, not-cat]
- [cat, '"cat /dev/null"']
append: true


@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [not-cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
values:
- [not-cat, "cat /dev/null", bash]
priority: WARNING


@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [not-cat, not-cat]
- [cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
priority: WARNING


@@ -1,30 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_cmdline
fields: proc.cmdline
comps: in
values:
- cat /dev/zero
- "cat /dev/null"
priority: WARNING


@@ -1,37 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_cmdline
fields: proc.cmdline
comps: in
values:
- cat /dev/zero
priority: WARNING
- rule: Open From Cat
exceptions:
- name: proc_cmdline
values:
- "cat /dev/null"
append: true


@@ -1,34 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name
fields: [proc.name]
values:
- [not-cat]
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
values:
- [not-cat, "cat /dev/null"]
- name: proc_name_cmdline_pname
fields: [proc.name, proc.cmdline, proc.pname]
values:
- [cat, "cat /dev/null", bash]
priority: WARNING


@@ -1,29 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, [cat /dev/zero, "cat /dev/null"]]
priority: WARNING


@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- list: cat_cmdlines
items: [cat /dev/zero, "cat /dev/null"]
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, (cat_cmdlines)]
priority: WARNING


@@ -1,32 +0,0 @@
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
- list: cat_cmdlines
items: [cat /dev/zero, "cat /dev/null"]
- rule: Open From Cat
desc: A process named cat does an open
condition: evt.type=open and proc.name=cat
output: "An open was seen (command=%proc.cmdline)"
exceptions:
- name: proc_name_cmdline
fields: [proc.name, proc.cmdline]
comps: [=, in]
values:
- [cat, cat_cmdlines]
priority: WARNING
