chore(userpsace/engine): update fields checksum

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Skip EPF_TABLE_ONLY fields with --list -N
2026-03-20 19:52:08 +00:00 · 2022-01-17 17:36:57 +01:00 · 2022-01-17 17:29:16 +01:00 · 2022-01-17 17:20:33 +01:00 · 2022-01-17 17:20:33 +01:00 · 2022-01-17 17:20:33 +01:00
202 changed files with 9051 additions and 4611 deletions
--- a/.circleci/OWNERS
+++ b/.circleci/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+  - jonahjon
+reviewers:
+  - jonahjon
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,7 +13,7 @@ jobs:
          command: apk update
      - run:
          name: Install build dependencies
-          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+          command: apk add g++ gcc cmake cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
      - run:
          name: Prepare project
          command: |
@@ -60,7 +60,7 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
      - run:
          name: Prepare project
          command: |
@@ -92,7 +92,7 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
      - run:
          name: Prepare project
          command: |
@@ -124,7 +124,7 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
      - run:
          name: Prepare project
          command: |
@@ -156,7 +156,7 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic pkg-config autoconf libtool libelf-dev -y
      - run:
          name: Prepare project
          command: |
@@ -188,7 +188,7 @@ jobs:
          command: dnf update -y
      - run:
          name: Install dependencies
-          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
      - run:
          name: Prepare project
          command: |
@@ -282,6 +282,8 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
  "tests/integration-static":
    docker:
      - image: falcosecurity/falco-tester:latest
@@ -290,6 +292,7 @@ jobs:
          BUILD_DIR: "/build-static"
          BUILD_TYPE: "release"
          SKIP_PACKAGES_TESTS: "true"
+          SKIP_PLUGINS_TESTS: "true"
    steps:
      - setup_remote_docker
      - attach_workspace:
@@ -297,9 +300,11 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
  "tests/driver-loader/integration":
    machine:
-      image: ubuntu-1604:202004-01
+      image: ubuntu-2004:202107-02
    steps:
      - attach_workspace:
          at: /tmp/ws
@@ -364,59 +369,49 @@ jobs:
          root: /
          paths:
            - build/release/*.rpm
-  # Publish the packages
+  # Publish the dev packages
  "publish/packages-dev":
    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/centos:7
    steps:
      - attach_workspace:
          at: /
      - run:
-          name: Create versions
+          name: Setup
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+            yum install epel-release -y
+            yum update -y
+            yum install createrepo gpg python python-pip -y
+            pip install awscli==1.19.47
+            echo $GPG_KEY | base64 -d | gpg --import
      - run:
          name: Publish rpm-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
      - run:
          name: Publish bin-dev
          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Clenup the Falco development release packages
-  "cleanup/packages-dev":
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
+  "publish/packages-deb-dev":
    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/debian:stable
    steps:
-      - checkout:
-          path: /source/falco
+      - attach_workspace:
+          at: /
      - run:
-          name: Prepare env
+          name: Setup
          command: |
-            apk add --no-cache --update
-            apk add curl jq
+            apt update -y
+            apt-get install apt-utils bzip2 gpg python python3-pip -y
+            pip install awscli
+            echo $GPG_KEY | base64 -d | gpg --import
      - run:
-          name: Only keep the 10 most recent Falco development release tarballs
+          name: Publish deb-dev
          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release RPMs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release DEBs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
  # Publish docker packages
  "publish/docker-dev":
    docker:
@@ -448,35 +443,89 @@ jobs:
            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push falcosecurity/falco-driver-loader:master
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
+            docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
+            docker push "public.ecr.aws/falcosecurity/falco:master-slim"
+      - run:
+          name: Build and publish falco (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:master"
+      - run:
+          name: Build and publish driver-loader (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
  # Publish the packages
  "publish/packages":
    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/centos:7
    steps:
      - attach_workspace:
          at: /
      - run:
-          name: Create versions
+          name: Setup
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+            yum install epel-release -y
+            yum update -y
+            yum install createrepo gpg python python-pip -y
+            pip install awscli==1.19.47
+            echo $GPG_KEY | base64 -d | gpg --import
      - run:
          name: Publish rpm
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
      - run:
          name: Publish bin
          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
+  "publish/packages-deb":
+    docker:
+      - image: docker.io/debian:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Setup
+          command: |
+            apt update -y
+            apt-get install apt-utils bzip2 gpg python python3-pip -y
+            pip install awscli
+            echo $GPG_KEY | base64 -d | gpg --import
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
  # Publish docker packages
  "publish/docker":
    docker:
@@ -514,6 +563,52 @@ jobs:
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
            docker push "falcosecurity/falco-driver-loader:latest"
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
 workflows:
  version: 2
  build_and_test:
@@ -545,7 +640,9 @@ workflows:
          requires:
            - "tests/integration"
      - "publish/packages-dev":
-          context: falco
+          context:
+            - falco
+            - test-infra
          filters:
            tags:
              ignore: /.*/
@@ -554,15 +651,17 @@ workflows:
          requires:
            - "rpm/sign"
            - "tests/integration-static"
-      - "cleanup/packages-dev":
-          context: falco
+      - "publish/packages-deb-dev":
+          context:
+            - falco
+            - test-infra
          filters:
            tags:
              ignore: /.*/
            branches:
              only: master
          requires:
-            - "publish/packages-dev"
+            - "tests/integration"
      - "publish/docker-dev":
          context: falco
          filters:
@@ -572,8 +671,18 @@ workflows:
              only: master
          requires:
            - "publish/packages-dev"
+            - "publish/packages-deb-dev"
            - "tests/driver-loader/integration"
-      - "quality/static-analysis"
+      - "publish/container-images-aws-dev":
+          context: test-infra # contains Falco AWS credentials
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - publish/docker-dev
+      # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
  release:
    jobs:
      - "build/musl":
@@ -598,19 +707,43 @@ workflows:
            branches:
              ignore: /.*/
      - "publish/packages":
-          context: falco
+          context:
+            - falco
+            - test-infra
          requires:
-            - "build/musl"
            - "rpm/sign"
          filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
-      - "publish/docker":
-          context: falco
+      - "publish/packages-deb":
+          context:
+            - falco
+            - test-infra
          requires:
-            - "publish/packages"
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/docker":
+          context:
+            - falco
+            - test-infra
+          requires:
+            - "publish/packages"
+            - "publish/packages-deb"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/container-images-aws":
+          context: test-infra # contains Falco AWS credentials
+          requires:
+            - "publish/docker"
          filters:
            tags:
              only: /.*/
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,6 +1,6 @@
 <!--  Thanks for sending a pull request!  Here are some tips for you:

-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
 2. Please label this pull request according to what type of issue you are addressing.
 3. . Please add a release note!
 4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -1,20 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
-  Please refer to a maintainer to get such label added if you think this should be kept open.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 *~
 *.pyc

-test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
 test/traces-info
@@ -11,11 +10,8 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build

-userspace/engine/lua/lyaml
-userspace/engine/lua/lyaml.lua
-
 .vscode/*

 .luacheckcache

-*.idea*
+*.idea*
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -1,23 +1,55 @@
 # Adopters

+Known end users with notable contributions to the project include:
+* AWS
+* IBM
+* Red Hat
+
+Falco is being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
+* Equinix Metal
+* IEEE
+* Lowes
+* Reckrut
+* Yellow Pepper
+* CTx
+* Utikal
+* Discrete Events
+* Agritech Infra
+
 This is a list of production adopters of Falco (in alphabetical order):

+* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
+
 * [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.

 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.

 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.

+* [Giant Swarm](https://www.giantswarm.io/) - Giant Swarm manages Kubernetes clusters and infrastructure for enterprises across multiple cloud providers as well as several flavors of on-premises data centers. Our platform provisions and monitors pure "vanilla" Kubernetes clusters which can be augmented with managed solutions to many common Kubernetes challenges, including security. We use Falco for anomaly detection as part of our collection of entirely open-source tools for securing our own clusters, and offer the same capabilities to our customers as part of our [managed security offering](https://docs.giantswarm.io/app-platform/apps/security/).
+
 * [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.

-* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.

 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).  
+
+* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
+
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/

+* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicous behaviors in our clusters.
+
+* [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our client's Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.
+
+* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers' environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.
+
+* [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platform’s Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco.
+
 * [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.

 * [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
@@ -26,5 +58,20 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.

-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.

+* [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
+
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
+* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+
+## Projects that use Falco libs
+
+* [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
+
+* [SysFlow](https://sysflow.io) SysFlow is a cloud-native system telemetry framework that focuses on data abstraction, behavioral analytics, and noise reduction. At its core, SysFlow exposes a compact open telemetry format that records workload behaviors by connecting event and flow representations of process control flows, file interactions, and network communications. The resulting abstraction encodes a graph structure that enables provenance reasoning on host and container environments, and fast retrieval of security-relevant information.
+
+## Adding a name
+
+If you would like to add your name to this file, submit a pull request with your change.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,307 @@
 # Change Log

+## v0.30.0
+
+Released on 2021-10-01
+
+### Major Changes
+
+* new: add `--k8s-node` command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [[#1671](https://github.com/falcosecurity/falco/pull/1671)] - [@leogr](https://github.com/leogr)
+* new(outputs): expose rule tags and event source in gRPC and json outputs [[#1714](https://github.com/falcosecurity/falco/pull/1714)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(userspace/falco): add customizable metadata fetching params [[#1667](https://github.com/falcosecurity/falco/pull/1667)] - [@zuc](https://github.com/zuc)
+
+
+### Minor Changes
+
+* update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [[#1744](https://github.com/falcosecurity/falco/pull/1744)] - [@zuc](https://github.com/zuc)
+* docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [[#1738](https://github.com/falcosecurity/falco/pull/1738)] - [@leodido](https://github.com/leodido)
+* update(outputs): add configuration option for tags in json outputs [[#1733](https://github.com/falcosecurity/falco/pull/1733)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [[#1697](https://github.com/falcosecurity/falco/pull/1697)] - [@chirabino](https://github.com/chirabino)
+* fix(scripts): correct lookup order when trying multiple `gcc` versions in the `falco-driver-loader` script [[#1716](https://github.com/falcosecurity/falco/pull/1716)] - [@Spartan-65](https://github.com/Spartan-65)
+
+
+### Rule Changes
+
+* rule(list miner_domains): add new miner domains [[#1729](https://github.com/falcosecurity/falco/pull/1729)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+* rule(list https_miner_domains): add new miner domains [[#1729](https://github.com/falcosecurity/falco/pull/1729)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+
+
+### Non user-facing changes
+
+* add Qonto as adopter [[#1717](https://github.com/falcosecurity/falco/pull/1717)] - [@Issif](https://github.com/Issif)
+* docs(proposals): proposal for a libs plugin system [[#1637](https://github.com/falcosecurity/falco/pull/1637)] - [@ldegio](https://github.com/ldegio)
+* build: remove unused `ncurses` dependency [[#1658](https://github.com/falcosecurity/falco/pull/1658)] - [@leogr](https://github.com/leogr)
+* build(.circleci): use new Debian 11 package names for python-pip [[#1712](https://github.com/falcosecurity/falco/pull/1712)] - [@zuc](https://github.com/zuc)
+* build(docker): adding libssl-dev, upstream image reference pinned to `debian:buster` [[#1719](https://github.com/falcosecurity/falco/pull/1719)] - [@michalschott](https://github.com/michalschott)
+* fix(test): avoid output_strictly_contains failures [[#1724](https://github.com/falcosecurity/falco/pull/1724)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* Remove duplicate allowed ecr registry rule [[#1725](https://github.com/falcosecurity/falco/pull/1725)] - [@TomKeyte](https://github.com/TomKeyte)
+* docs(RELEASE.md): switch to 3 releases per year [[#1711](https://github.com/falcosecurity/falco/pull/1711)] - [@leogr](https://github.com/leogr)
+
+
+## v0.29.1
+
+Released on 2021-06-29
+
+### Minor Changes
+
+* update: bump the Falco engine version to version 9 [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Rule Changes
+
+* rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Non user-facing changes
+
+* docs(release.md): update steps [[#1684](https://github.com/falcosecurity/falco/pull/1684)] - [@maxgio92](https://github.com/maxgio92)
+
+
+## v0.29.0
+
+Released on 2021-06-21
+
+### Minor Changes
+
+* update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [[#1669](https://github.com/falcosecurity/falco/pull/1669)] - [@leogr](https://github.com/leogr)
+
+### Rule Changes
+
+* rule(list miner_domains): add rx.unmineable.com for anti-miner detection [[#1676](https://github.com/falcosecurity/falco/pull/1676)] - [@fntlnz](https://github.com/fntlnz)
+* rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [[#1632](https://github.com/falcosecurity/falco/pull/1632)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [[#1659](https://github.com/falcosecurity/falco/pull/1659)] - [@sboschman](https://github.com/sboschman)
+* rule(Non sudo setuid): check user id as well in case user name info is not available [[#1665](https://github.com/falcosecurity/falco/pull/1665)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Debugfs Launched in Privileged Container): fix typo in description [[#1657](https://github.com/falcosecurity/falco/pull/1657)] - [@Kaizhe](https://github.com/Kaizhe)
+
+### Non user-facing changes
+
+* Fix link to CONTRIBUTING.md in the Pull Request Template [[#1679](https://github.com/falcosecurity/falco/pull/1679)] - [@tspearconquest](https://github.com/tspearconquest)
+* fetch libs and drivers from the new repo [[#1552](https://github.com/falcosecurity/falco/pull/1552)] - [@leogr](https://github.com/leogr)
+* build(test): upgrade urllib3 to 1.26.5 [[#1666](https://github.com/falcosecurity/falco/pull/1666)] - [@leogr](https://github.com/leogr)
+* revert: add notes for 0.28.2 release [[#1663](https://github.com/falcosecurity/falco/pull/1663)] - [@maxgio92](https://github.com/maxgio92)
+* changelog: add notes for 0.28.2 release [[#1661](https://github.com/falcosecurity/falco/pull/1661)] - [@maxgio92](https://github.com/maxgio92)
+* docs(release.md): add blog announcement to post-release tasks [[#1652](https://github.com/falcosecurity/falco/pull/1652)] - [@maxgio92](https://github.com/maxgio92)
+* add Yahoo!Japan as an adopter [[#1651](https://github.com/falcosecurity/falco/pull/1651)] - [@ukitazume](https://github.com/ukitazume)
+* Add Replicated to adopters [[#1649](https://github.com/falcosecurity/falco/pull/1649)] - [@diamonwiggins](https://github.com/diamonwiggins)
+* docs(proposals): fix libs contribution name [[#1641](https://github.com/falcosecurity/falco/pull/1641)] - [@leodido](https://github.com/leodido)
+
+
+## v0.28.1
+
+Released on 2021-05-07
+
+### Major Changes
+
+* new: `--support` output now includes info about the Falco engine version [[#1581](https://github.com/falcosecurity/falco/pull/1581)] - [@mstemm](https://github.com/mstemm)
+* new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
+* new: configuration field `syscall_event_timeouts.max_consecutive` to configure after how many consecutive timeouts without an event Falco must alert [[#1622](https://github.com/falcosecurity/falco/pull/1622)] - [@leodido](https://github.com/leodido)
+
+### Minor Changes
+
+* build: enforcing hardening flags by default [[#1604](https://github.com/falcosecurity/falco/pull/1604)] - [@leogr](https://github.com/leogr)
+
+### Bug Fixes
+
+* fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [[#1617](https://github.com/falcosecurity/falco/pull/1617)] - [@fntlnz](https://github.com/fntlnz)
+
+### Rule Changes
+
+* rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [[#1640](https://github.com/falcosecurity/falco/pull/1640)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(list `falco_privileged_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
+* rule(list `falco_sensitive_mount_images`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
+* rule(macro `k8s_containers`): remove deprecated Falco's OCI image repositories [[#1634](https://github.com/falcosecurity/falco/pull/1634)] - [@maxgio92](https://github.com/maxgio92)
+* rule(macro: python_running_sdchecks): macro removed [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
+* rule(Change thread namespace): remove python_running_sdchecks exception [[#1620](https://github.com/falcosecurity/falco/pull/1620)] - [@leogr](https://github.com/leogr)
+
+### Non user-facing changes
+
+* urelease/docs: fix link and small refactor in the text [[#1636](https://github.com/falcosecurity/falco/pull/1636)] - [@cpanato](https://github.com/cpanato)
+* Add Secureworks to adopters [[#1629](https://github.com/falcosecurity/falco/pull/1629)] - [@dwindsor-scwx](https://github.com/dwindsor-scwx)
+* regression test for malformed k8s audit input (FAL-01-003) [[#1624](https://github.com/falcosecurity/falco/pull/1624)] - [@leodido](https://github.com/leodido)
+* Add mathworks to adopterlist [[#1621](https://github.com/falcosecurity/falco/pull/1621)] - [@natchaphon-r](https://github.com/natchaphon-r)
+* adding known users [[#1623](https://github.com/falcosecurity/falco/pull/1623)] - [@danpopSD](https://github.com/danpopSD)
+* docs: update link for HackMD community call notes [[#1614](https://github.com/falcosecurity/falco/pull/1614)] - [@leodido](https://github.com/leodido)
+
+
+## v0.28.0
+
+Released on 2021-04-12
+
+### Major Changes
+
+* BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
+* BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
+* BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
+* new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [[#1427](https://github.com/falcosecurity/falco/pull/1427)] - [@mstemm](https://github.com/mstemm)
+* new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
+* new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
+* new: add healthz endpoint to the webserver [[#1546](https://github.com/falcosecurity/falco/pull/1546)] - [@cpanato](https://github.com/cpanato)
+* new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
+* new: falco-driver-loader know the Falco version [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
+
+
+### Minor Changes
+
+* docs(proposals): libraries and drivers donation [[#1530](https://github.com/falcosecurity/falco/pull/1530)] - [@leodido](https://github.com/leodido)
+* docs(docker): update links to the new Falco website URLs [[#1545](https://github.com/falcosecurity/falco/pull/1545)] - [@cpanato](https://github.com/cpanato)
+* docs(test): update links to new Falco website URLs [[#1563](https://github.com/falcosecurity/falco/pull/1563)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* build: now Falco packages are published at https://download.falco.org [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
+* update: lower the `syscall_event_drops.max_burst` default value to 1 [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
+* docs(test): document the prerequisites for running the integration test suite locally [[#1609](https://github.com/falcosecurity/falco/pull/1609)] - [@fntlnz](https://github.com/fntlnz)
+* update: Debian/RPM package migrated from init to systemd [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [[#1601](https://github.com/falcosecurity/falco/pull/1601)] - [@mstemm](https://github.com/mstemm)
+* fix(docker/falco): add flex and bison dependency to container image [[#1562](https://github.com/falcosecurity/falco/pull/1562)] - [@schans](https://github.com/schans)
+* fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* fix(userspace/engine): allows fields starting with numbers to be parsed properly [[#1598](https://github.com/falcosecurity/falco/pull/1598)] - [@mstemm](https://github.com/mstemm)
+
+
+### Rule Changes
+
+* rule(Write below monitored dir): improve rule description [[#1588](https://github.com/falcosecurity/falco/pull/1588)] - [@stevenshuang](https://github.com/stevenshuang)
+* rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro aws_eks_image): match aws image repository for eks [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro aws_eks_image_sensitive_mount): match aws cni images [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Launch Privileged Container): exclude aws_eks_image [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Debugfs Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Mount Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_ssh_directory): using glob operator [[#1560](https://github.com/falcosecurity/falco/pull/1560)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [[#1337](https://github.com/falcosecurity/falco/pull/1337)] - [@nibalizer](https://github.com/nibalizer)
+* rule(list rpm_binaries): add rhsmcertd [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
+* rule(list deb_binaries): add apt.systemd.daily [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
+* rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk10](https://github.com/darryk10)
+* rule(list allowed_k8s_users): add `eks:node-manager` [[#1536](https://github.com/falcosecurity/falco/pull/1536)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(list mysql_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list db_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_ansible_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_bro_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_python_running_denyhosts): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_linux_image_upgrade_script): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_java_running_echo): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_scripting_running_builds): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_Xvfb_running_xkbcomp): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_nginx_running_serf): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_node_running_npm): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_java_running_sbt): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list known_container_shell_spawn_cmdlines): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list known_shell_spawn_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro run_by_puppet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro user_privileged_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list rancher_images): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list images_allow_network_outside_subnet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_python_running_sdchecks): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro trusted_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list authorized_server_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Non user-facing changes
+
+* chore(test): replace bucket url with official distribution url [[#1608](https://github.com/falcosecurity/falco/pull/1608)] - [@fntlnz](https://github.com/fntlnz)
+* adding asapp as an adopter [[#1611](https://github.com/falcosecurity/falco/pull/1611)] - [@Stuxend](https://github.com/Stuxend)
+* update: fixtures URLs [[#1603](https://github.com/falcosecurity/falco/pull/1603)] - [@leogr](https://github.com/leogr)
+* cleanup publishing jobs [[#1596](https://github.com/falcosecurity/falco/pull/1596)] - [@leogr](https://github.com/leogr)
+* fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [[#1595](https://github.com/falcosecurity/falco/pull/1595)] - [@leodido](https://github.com/leodido)
+* fix(.circleci): tar must be present in the image [[#1594](https://github.com/falcosecurity/falco/pull/1594)] - [@leogr](https://github.com/leogr)
+* fix: publishing jobs [[#1591](https://github.com/falcosecurity/falco/pull/1591)] - [@leogr](https://github.com/leogr)
+* Pocteo as an adopter [[#1574](https://github.com/falcosecurity/falco/pull/1574)] - [@pocteo-labs](https://github.com/pocteo-labs)
+* build: fetch build deps from download.falco.org [[#1572](https://github.com/falcosecurity/falco/pull/1572)] - [@leogr](https://github.com/leogr)
+* adding shapesecurity to adopters [[#1566](https://github.com/falcosecurity/falco/pull/1566)] - [@irivera007](https://github.com/irivera007)
+* Use default pip version to get avocado version [[#1565](https://github.com/falcosecurity/falco/pull/1565)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* Added Swissblock to list of adopters [[#1551](https://github.com/falcosecurity/falco/pull/1551)] - [@bygui86](https://github.com/bygui86)
+* Fix various typos in markdown files. [[#1514](https://github.com/falcosecurity/falco/pull/1514)] - [@didier-durand](https://github.com/didier-durand)
+* docs: move governance to falcosecurity/.github [[#1524](https://github.com/falcosecurity/falco/pull/1524)] - [@leogr](https://github.com/leogr)
+* ci: fix missing infra context to publish stable Falco packages [[#1615](https://github.com/falcosecurity/falco/pull/1615)] - [@leodido](https://github.com/leodido)
+
+
+## v0.27.0
+
+Released on 2021-01-18
+
+### Major Changes
+
+* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
+* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
+* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
+* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
+* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
+* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
+* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
+* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
+* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
+* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
+* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
+* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
+* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
+* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
+* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
+
+
+### Non user-facing changes
+
+* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
+* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
+* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
+* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
+* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
+* further improvements outputs impl.  [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
+* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
+* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
+
+
+
+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
 ## v0.26.1

 Released on 2020-10-01
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -19,6 +19,15 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)

+# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
+option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
+if (${EP_UPDATE_DISCONNECTED})
+  set_property(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+endif()
+
+
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this

@@ -57,10 +66,17 @@ if(MINIMAL_BUILD)
 endif()

 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os")
+  set(MUSL_FLAGS "-static -Os -fPIE -pie")
 endif()

-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+# explicitly set hardening flags
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
+if(CMAKE_BUILD_TYPE STREQUAL "release")
+  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+endif()
+
+set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
  set(CMAKE_SUPPRESSED_WARNINGS
@@ -83,7 +99,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
  set(CMAKE_INSTALL_PREFIX
      /usr
@@ -94,6 +110,12 @@ set(CMD_MAKE make)

 include(ExternalProject)

+# libs
+include(falcosecurity-libs)
+
+# LuaJit provided by libs
+include(luajit)
+
 # jq
 include(jq)

@@ -109,131 +131,46 @@ ExternalProject_Add(
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

-# curses
-# We pull this in because libsinsp won't build without it
-set(CURSES_NEED_NCURSES TRUE)
-find_package(Curses REQUIRED)
-message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
-
-# libb64
-
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
-  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+# b64
+include(b64)

 # yaml-cpp
 include(yaml-cpp)

 if(NOT MINIMAL_BUILD)
  # OpenSSL
-  include(OpenSSL)
+  include(openssl)

  # libcurl
-  include(cURL)
+  include(curl)
+
+  # civetweb
+  include(civetweb)
 endif()

-# LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
-  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
-
 # Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
+include(lpeg)

 # libyaml
 include(libyaml)

 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-ExternalProject_Add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+include(lyaml)

 # One TBB
-set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
-
-message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-
-set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
-set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
-ExternalProject_Add(
-  tbb
-  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
-  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${TBB_LIB}
-  INSTALL_COMMAND "")
-
-if(NOT MINIMAL_BUILD)
-  # civetweb
-  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-  ExternalProject_Add(
-    civetweb
-    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-    BUILD_IN_SOURCE 1
-    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
-endif()
+include(tbb)

 #string-view-lite
 include(DownloadStringViewLite)

 if(NOT MINIMAL_BUILD)
+  include(zlib)
+  include(cares)
+  include(protobuf)
  # gRPC
-  include(gRPC)
+  include(grpc)
 endif()

-# sysdig
-include(sysdig)
-
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

@@ -260,6 +197,7 @@ include(static-analysis)
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
+set(FALCO_PLUGINS_DIR ${FALCO_SHARE_DIR}/plugins)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)

@@ -268,5 +206,7 @@ add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)

+include(plugins)
+
 # Packages configuration
 include(CPackConfig)
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,55 +0,0 @@
-# Process for becoming a maintainer
-
-* Express interest to the existing maintainers that you or your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a maintainer that will represent your
-  organization.
-* We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing maintainers.
-* We may ask you to do some PRs from our backlog.
-* As you gain experience with the code base and our standards, we will ask you to do code reviews
-  for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
-  community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Maintainer responsibilities
-
-* Monitor Slack (delayed response is perfectly acceptable).
-* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
-* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
-  to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment.
-* Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare
-  occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment
-  obligations with employers.
-* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
-  business days per week).
-
-## When does a maintainer lose maintainer status
-
-If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
-should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
-the maintainers per the voting process below.
-
-# Conflict resolution and voting
-
-In general, we prefer that technical issues and maintainer membership are amicably worked out
-between the persons involved. If a dispute cannot be decided independently, the maintainers can be
-called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
-be resolved by voting. The voting process is a simple majority in which each senior maintainer
-receives two votes and each normal maintainer receives one vote.
-
-# Adding new projects to the falcosecurity GitHub organization
-
-New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
-existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
-days but depending on the volume of conversation), the maintainers of *the project where the issue
-was opened* (since different projects in the organization may have different maintainers) will
-decide whether the new project should be added. See the section above on voting if the maintainers
-cannot easily decide.
--- a/2
+++ b/2
@@ -4,6 +4,7 @@ approvers:
  - leodido
  - mstemm
  - leogr
+  - jasondellaluce
 reviewers:
  - fntlnz
  - kaizhe
@@ -12,3 +13,4 @@ reviewers:
  - mfdii
  - mstemm
  - leogr
+  - jasondellaluce
--- a/README.md
+++ b/README.md
@@ -5,41 +5,81 @@

 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-#### Latest releases
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+
+### Latest releases

 Read the [change log](CHANGELOG.md).

+<!-- 
+Badges in the following table are constructed by using the
+https://img.shields.io/badge/dynamic/xml endpoint.
+
+Parameters are configured for fetching packages from S3 before 
+(filtered by prefix, sorted in ascending order) and for picking 
+the latest package by using an XPath selector after.
+
+- Common query parameters:
+
+color=#300aec7
+style=flat-square
+label=Falco
+
+- DEB packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
+query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+
+- RPM packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
+query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+
+- BIN packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
+query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
+
+Notes:
+ - if more than 1000 items are present under as S3 prefix, 
+   the actual latest package will be not picked;
+   see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
+ - for `-dev` packages, the S3 prefix is modified accordingly
+ - finally, all parameters are URL encoded and appended to the badge endpoint
+
+-->
+
 |        | development                                                                                                                 | stable                                                                                                              |
 |--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
-| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
-| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
+| rpm    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
+| deb    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
+| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |

 ---

 The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
 Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
-Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
 If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

 ### Installing Falco

-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).

 ##### Kubernetes

 | Tool     | Link                                                                                       | Note                                                               |
 |----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
 | Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |

 ### Developing

 Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.

-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
 The Falco Project supports various SDKs for this endpoint.

 ##### SDKs
@@ -63,6 +103,7 @@ For example, Falco can easily detect incidents including but not limited to:
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
+- A privileged pod is started in a Kubernetes cluster.

 ### Documentation

@@ -72,6 +113,13 @@ The [Official Documentation](https://falco.org/docs/) is the best resource to le

 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

+How to reach out?
+
+ - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
+ - [Read the Falco documentation](https://falco.org/docs/)
+
+
 ### Contributing

 See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
@@ -89,9 +137,9 @@ Please report security vulnerabilities following the community process documente
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.


-[1]: https://dl.bintray.com/falcosecurity/rpm-dev
-[2]: https://dl.bintray.com/falcosecurity/rpm
-[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
-[4]: https://dl.bintray.com/falcosecurity/deb/stable
-[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[1]: https://download.falco.org/?prefix=packages/rpm-dev/
+[2]: https://download.falco.org/?prefix=packages/rpm/
+[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
+[4]: https://download.falco.org/?prefix=packages/deb/stable/
+[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
+[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -4,7 +4,9 @@ Our release process is mostly automated, but we still need some manual steps to

 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.

-A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
+
+Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).

 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.

@@ -13,12 +15,12 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.

 ### 1. Release notes
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
-    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
    - If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
+- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing

 ### 2. Milestones

@@ -28,9 +30,10 @@ Before cutting a release we need to do some homework in the Falco repository. Th

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
-    - Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+    - Versions table in the `README.md` updates itself automatically
+- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
+    - Execute `rn2md -o falcosecurity -m <version> -r falco`
+    - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
@@ -51,7 +54,7 @@ Now assume `x.y.z` is the new version.
    git push origin x.y.z
    ```

-> **N.B.**: do NOT use an annotated tag
+> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging

 - Wait for the CI to complete

@@ -65,17 +68,20 @@ Now assume `x.y.z` is the new version.

    | Packages | Download                                                                                                                                               |
    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |

-    | Images                                                          |
-    | --------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |

-    <!-- Copy the relevant part of the changelog here -->
+    <changelog>
+
+    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->

    ### Statistics

@@ -86,6 +92,10 @@ Now assume `x.y.z` is the new version.
    | Total           | x      |

    <!-- Calculate stats and fill the above table -->
+
+    #### Release Manager <github handle>
+
+    <!-- Substitute Github handle with the release manager's one -->
    ```

 - Finally, publish the release!
@@ -94,7 +104,7 @@ Now assume `x.y.z` is the new version.

 For each release we archive the meeting notes in git for historical purposes.

- - The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
    - Note: There may be other notes from working groups that can optionally be added as well as needed.
 - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
 - Open up a pull request with the new change.
@@ -104,5 +114,7 @@ For each release we archive the meeting notes in git for historical purposes.

 Announce the new release to the world!

+- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
+- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,14 +1,13 @@
 if(CPACK_GENERATOR MATCHES "DEB")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()

 if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()

 if(CPACK_GENERATOR MATCHES "TGZ")
 	set(CPACK_SET_DESTDIR "ON")
-	set(CPACK_STRIP_FILES "OFF")
 endif()
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -30,9 +30,15 @@ if(NOT CPACK_GENERATOR)
 endif()

 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
-
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
@@ -40,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -53,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
    /etc
    /usr
    /usr/bin
-    /usr/share
-    /etc/rc.d
-    /etc/rc.d/init.d)
+    /usr/share)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")

 include(CPack)
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -14,8 +14,8 @@ include(ExternalProject)

 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)

-set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
+set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.9.tar.gz URL_HASH
+                        SHA256=dc4ee7b17a84c959019b92c20fce6dc9426e9e170b6edf84db6cb2e188520cd7)

 ExternalProject_Add(
  fakeit-external
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -21,7 +21,7 @@ if(NOT FALCO_VERSION)
  git_get_exact_tag(FALCO_TAG)
  if(NOT FALCO_TAG)
    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
+    git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
    # Fallback version
    if(FALCO_VERSION MATCHES "NOTFOUND$")
      set(FALCO_VERSION "0.0.0")
@@ -31,29 +31,33 @@ if(NOT FALCO_VERSION)
  else()
    # A tag has been found: use it as the Falco version
    set(FALCO_VERSION "${FALCO_TAG}")
-    # Remove the starting "v" in case there is one
-    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
-  endif()
-  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
-  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                       "${FALCO_VERSION}")
-  string(
-    REGEX
-    REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-      "\\5"
-      FALCO_VERSION_PRERELEASE
-      "${FALCO_VERSION}")
-  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_PRERELEASE "")
-  endif()
-  if(NOT FALCO_VERSION_BUILD)
-    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
-  endif()
-  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_BUILD "")
  endif()
 endif()
+
+# Remove the starting "v" in case there is one
+string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
+
+# TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
+string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                     "${FALCO_VERSION}")
+string(
+  REGEX
+  REPLACE
+    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+    "\\5"
+    FALCO_VERSION_PRERELEASE
+    "${FALCO_VERSION}")
+
+if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_PRERELEASE "")
+endif()
+if(NOT FALCO_VERSION_BUILD)
+  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+endif()
+if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_BUILD "")
+endif()
+
 message(STATUS "Falco version: ${FALCO_VERSION}")
--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -1,42 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if(NOT USE_BUNDLED_DEPS)
-  find_package(OpenSSL REQUIRED)
-  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-  find_program(OPENSSL_BINARY openssl)
-  if(NOT OPENSSL_BINARY)
-    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
-  else()
-    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
-  endif()
-else()
-  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
-  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
-
-  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-  ExternalProject_Add(
-    openssl
-    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
-    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
-    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND ${CMD_MAKE} install)
-endif()
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -1,76 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  find_package(CURL REQUIRED)
-  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
-else()
-  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-
-  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-
-  externalproject_add(
-    curl
-    DEPENDS openssl
-    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
-    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
-    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    CONFIGURE_COMMAND
-      ./configure
-      ${CURL_SSL_OPTION}
-      --disable-shared
-      --enable-optimize
-      --disable-curldebug
-      --disable-rt
-      --enable-http
-      --disable-ftp
-      --disable-file
-      --disable-ldap
-      --disable-ldaps
-      --disable-rtsp
-      --disable-telnet
-      --disable-tftp
-      --disable-pop3
-      --disable-imap
-      --disable-smb
-      --disable-smtp
-      --disable-gopher
-      --disable-sspi
-      --disable-ntlm-wb
-      --disable-tls-srp
-      --without-winssl
-      --without-darwinssl
-      --without-polarssl
-      --without-cyassl
-      --without-nss
-      --without-axtls
-      --without-ca-path
-      --without-ca-bundle
-      --without-libmetalink
-      --without-librtmp
-      --without-winidn
-      --without-libidn2
-      --without-libpsl
-      --without-nghttp2
-      --without-libssh2
-      --disable-threaded-resolver
-      --without-brotli
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()
--- a/cmake/modules/civetweb.cmake
+++ b/cmake/modules/civetweb.cmake
@@ -0,0 +1,52 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb.a")
+SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb-cpp.a")
+set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+if (USE_BUNDLED_OPENSSL)
+    ExternalProject_Add(
+            civetweb
+            DEPENDS openssl
+            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
+            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
+            INSTALL_DIR ${CIVETWEB_SRC}/install
+            CMAKE_ARGS
+            -DBUILD_TESTING=off
+            -DCIVETWEB_BUILD_TESTING=off
+            -DCIVETWEB_ENABLE_CXX=on
+            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
+            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
+            -DCIVETWEB_SERVE_NO_FILES=on
+            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
+            -DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+            -DOPENSSL_USE_STATIC_LIBS:BOOL=TRUE
+            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
+else()
+    ExternalProject_Add(
+            civetweb
+            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
+            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
+            INSTALL_DIR ${CIVETWEB_SRC}/install
+            CMAKE_ARGS
+            -DBUILD_TESTING=off
+            -DCIVETWEB_BUILD_TESTING=off
+            -DCIVETWEB_ENABLE_CXX=on
+            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
+            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
+            -DCIVETWEB_SERVE_NO_FILES=on
+            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
+            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
+endif()
--- a/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt
+++ b/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -12,17 +12,16 @@
 #
 cmake_minimum_required(VERSION 3.5.1)

-project(sysdig-repo NONE)
+project(falcosecurity-libs-repo NONE)

 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")

 ExternalProject_Add(
-  sysdig
-  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  falcosecurity-libs
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  TEST_COMMAND "")
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -0,0 +1,87 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
+set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
+
+file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+if(FALCOSECURITY_LIBS_SOURCE_DIR)
+  set(FALCOSECURITY_LIBS_VERSION "local")
+  message(STATUS "Using local falcosecurity/libs in '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+else()
+  # The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
+  # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
+  # -DFALCOSECURITY_LIBS_VERSION=dev ..`
+  if(NOT FALCOSECURITY_LIBS_VERSION)
+    set(FALCOSECURITY_LIBS_VERSION "4de7ad2857fb55439eb10455aacd1d262b70551b")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=3769e410fc0e31d5c7c37f33a7a73dfe52418a850d8f166fbafc67a723c619b6")
+  endif()
+
+  # cd /path/to/build && cmake /path/to/source
+  execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+                          ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+  # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
+
+  # execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
+  # "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
+
+  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
+  set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
+endif()
+
+add_definitions(-D_GNU_SOURCE)
+add_definitions(-DHAS_CAPTURE)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+set(PROBE_VERSION "${FALCOSECURITY_LIBS_VERSION}")
+set(PROBE_NAME "falco")
+set(DRIVER_PACKAGE_NAME "falco")
+set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
+set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
+
+if(NOT LIBSCAP_DIR)
+  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+endif()
+set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+
+# explicitly disable the tests/examples of this dependency
+set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
+set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
+
+# todo(leogr): although Falco does not actually depend on chisels, we need this for the lua_parser. 
+# Hopefully, we can switch off this in the future
+set(WITH_CHISEL ON CACHE BOOL "")
+
+set(USE_BUNDLED_TBB ON CACHE BOOL "")
+set(USE_BUNDLED_B64 ON CACHE BOOL "")
+set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
+set(USE_BUNDLED_LUAJIT ON CACHE BOOL "")
+
+list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
+
+include(CheckSymbolExists)
+check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+if(HAVE_STRLCPY)
+	message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+	add_definitions(-DHAVE_STRLCPY)
+else()
+	message(STATUS "No strlcpy found, will use local definition")
+endif()
+
+include(libscap)
+include(libsinsp)
+
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -1,138 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  # zlib
-  include(FindZLIB)
-  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
-  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
-
-  if(ZLIB_INCLUDE AND ZLIB_LIB)
-    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
-  endif()
-
-  # c-ares
-  find_path(CARES_INCLUDE NAMES ares.h)
-  find_library(CARES_LIB NAMES libcares.so)
-  if(CARES_INCLUDE AND CARES_LIB)
-    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system c-ares")
-  endif()
-
-  # protobuf
-  find_program(PROTOC NAMES protoc)
-  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
-  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
-  if(PROTOC
-     AND PROTOBUF_INCLUDE
-     AND PROTOBUF_LIB)
-    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system protobuf")
-  endif()
-
-  # gpr
-  find_library(GPR_LIB NAMES gpr)
-
-  if(GPR_LIB)
-    message(STATUS "Found gpr lib: ${GPR_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system gpr")
-  endif()
-
-  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
-  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-  if(GRPCXX_INCLUDE)
-    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-  else()
-    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-  endif()
-  find_library(GRPC_LIB NAMES grpc)
-  find_library(GRPCPP_LIB NAMES grpc++)
-  if(GRPC_INCLUDE
-     AND GRPC_LIB
-     AND GRPCPP_LIB)
-    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system grpc")
-  endif()
-  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-  if(NOT GRPC_CPP_PLUGIN)
-    message(FATAL_ERROR "System grpc_cpp_plugin not found")
-  endif()
-
-else()
-  find_package(PkgConfig)
-    if(NOT PKG_CONFIG_FOUND)
-      message(FATAL_ERROR "pkg-config binary not found")
-  endif()
-  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
-  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-  set(GRPC_INCLUDE "${GRPC_SRC}/include")
-  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
-  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
-  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
-  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
-
-  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
-  # likely that protobuf will be very outdated
-  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
-  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
-  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
-  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that zlib will be very outdated
-  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
-  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that c-ares will be very outdated
-  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
-  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
-
-  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
-  message(
-    STATUS
-      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
-  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
-
-  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-  ExternalProject_Add(
-    grpc
-    DEPENDS openssl
-    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
-    BUILD_IN_SOURCE 1
-    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
-    INSTALL_COMMAND ""
-    CONFIGURE_COMMAND ""
-    BUILD_COMMAND
-      CFLAGS=-Wno-implicit-fallthrough
-      HAS_SYSTEM_ZLIB=false
-      HAS_SYSTEM_PROTOBUF=false
-      HAS_SYSTEM_CARES=false
-      HAS_EMBEDDED_OPENSSL_ALPN=false
-      HAS_SYSTEM_OPENSSL_ALPN=true
-      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
-      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
-      PATH=${PROTOC_DIR}:$ENV{PATH}
-      make
-      static_cxx
-      static_c
-      grpc_cpp_plugin)
-endif()
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if (NOT USE_BUNDLED_DEPS)
-    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-    find_library(JQ_LIB NAMES jq)
-    if (JQ_INCLUDE AND JQ_LIB)
-        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-    else ()
-        message(FATAL_ERROR "Couldn't find system jq")
-    endif ()
-else ()
-    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-    message(STATUS "Using bundled jq in '${JQ_SRC}'")
-    set(JQ_INCLUDE "${JQ_SRC}/target/include")
-    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
-    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
-    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
-    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-
-    # Why we mirror jq here?
-    #
-    # In their readme, jq claims that you don't have
-    # to do autoreconf -fi when downloading a released tarball.
-    #
-    # However, they forgot to push the released makefiles
-    # into their release tarbal.
-    #
-    # For this reason, we have to mirror their release after
-    # doing the configuration ourselves.
-    #
-    # This is needed because many distros do not ship the right
-    # version of autoreconf, making virtually impossible to build Falco on them.
-    # Read more about it here:
-    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
-    ExternalProject_Add(
-            jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
-            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
-            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
-            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-            BUILD_IN_SOURCE 1
-            INSTALL_COMMAND ${CMD_MAKE} install)
-endif ()
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -15,12 +15,13 @@ set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
 set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
 message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
-libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
-BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
-
+externalproject_add(
+  libyaml
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
+  INSTALL_COMMAND ${CMD_MAKE} install
+)
--- a/cmake/modules/lpeg.cmake
+++ b/cmake/modules/lpeg.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LPEG_LIB}
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")
--- a/cmake/modules/lyaml.cmake
+++ b/cmake/modules/lyaml.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LYAML_ROOT "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml")
+set(LYAML_LIB "${LYAML_ROOT}/ext/yaml/.libs/yaml.a")
+set(LYAML_LUA_DIR "${LYAML_ROOT}/lib")
+message(STATUS "Using bundled lyaml in '${LYAML_ROOT}'")
+externalproject_add(
+  lyaml
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LYAML_LIB}
+  INSTALL_COMMAND ""
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+)
--- a/cmake/modules/plugins.cmake
+++ b/cmake/modules/plugins.cmake
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+ExternalProject_Add(
+  cloudtrail-plugin
+  URL "https://download.falco.org/plugins/stable/cloudtrail-0.2.0-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=917ebc5c3b1ad78d959372baa73ac2e9b18b38f51e1e42bd0974166dc04a964c"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+
+ExternalProject_Add(
+  json-plugin
+  URL "https://download.falco.org/plugins/stable/json-0.2.0-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=250f0b04db7ab08f3bfa5ecd90cc9b39a6992fc2e96b887ed6f319a6ba156fd7"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}")
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -3,6 +3,7 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)

 # cppcheck
+mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
 find_program(CPPCHECK cppcheck)
 find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)

--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -1,31 +0,0 @@
-diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
--- a/userspace/libscap/scap.c
-+++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
- //#define NDEBUG
- #include <assert.h>
- 
-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
-+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
- 
- //
- // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
- 				return NULL;
- 			}
- 
-			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
-+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
- 			bpf_probe = buf;
- 		}
- 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
- 
- const char* scap_get_host_root()
- {
-	char* p = getenv("SYSDIG_HOST_ROOT");
-+	char* p = getenv("HOST_ROOT");
- 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
- 	static bool inited = false;
- 	if (! inited) {
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -1,77 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
-set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
-
-# this needs to be here at the top
-if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the bundled OpenSSL
-  if(NOT MINIMAL_BUILD)
-    set(USE_BUNDLED_OPENSSL ON)
-  endif()
-  set(USE_BUNDLED_JQ ON)
-endif()
-
-file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
-# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
-# -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
-# cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
-                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-# "${SYSDIG_CMAKE_SOURCE_DIR}")
-
-execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
-set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
-
-# jsoncpp
-set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
-
-# Add driver directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
-
-# Add libscap directory
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
-if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
-
-# Add libsinsp directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
-add_dependencies(sinsp tbb b64 luajit)
-
-# explicitly disable the tests of this dependency
-set(CREATE_TEST_TARGETS OFF)
-
-if(USE_BUNDLED_DEPS)
-  add_dependencies(scap jq)
-  if(NOT MINIMAL_BUILD)
-    add_dependencies(scap curl grpc)
-  endif()
-endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
 if(NOT USE_BUNDLED_DEPS)
  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
  find_library(YAMLCPP_LIB NAMES yaml-cpp)
@@ -27,6 +28,7 @@ else()
    yamlcpp
    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
    BUILD_IN_SOURCE 1
    INSTALL_COMMAND "")
 endif()
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,17 +1,16 @@
 # Falco Dockerfiles

-This directory contains various ways to package Falco as a container and related tools. 
+This directory contains various ways to package Falco as a container and related tools.

 ## Currently Supported Images

 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

 > Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
-
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -20,11 +20,11 @@ ENV FALCO_VERSION=${FALCO_VERSION}

 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS

-ARG CMAKE_VERSION=3.5.1
+ARG CMAKE_VERSION=3.6.3
 RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
    cd /tmp && \
    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -34,7 +34,6 @@ case "$CMD" in
    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
    -DBUILD_BPF="$BUILD_BPF" \
    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
    -DFALCO_VERSION="$FALCO_VERSION" \
--- a/docker/builder/root/usr/bin/usage
+++ b/docker/builder/root/usr/bin/usage
@@ -18,7 +18,7 @@ How to use.
    * docker run -ti falcosecurity/falco-builder bash

    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings)
+    - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling)

    Optionally, you can also bind-mount the build directory.
    So, you can execute it from the Falco root directory as follows.
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"

 ENV HOST_ROOT /host
 ENV HOME /root
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -1,8 +1,8 @@
-FROM debian:stable
+FROM debian:buster

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"

 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
@@ -18,16 +18,19 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
 	libc6-dev \
 	libelf-dev \
 	libmpx2 \
+	libssl-dev \
 	llvm-7 \
 	netcat \
 	xz-utils \
@@ -39,15 +42,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -56,13 +59,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -76,7 +79,7 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc

 RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
@@ -96,10 +99,10 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -16,14 +16,9 @@
 # limitations under the License.
 #

-# todo(leogr): remove deprecation notice within a couple of releases
-if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
-fi
-
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -48,15 +48,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml

 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -1,26 +1,34 @@
 FROM ubuntu:18.04 as ubuntu

-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin

 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}

+RUN apt-get -y update && apt-get -y install gridsite-clients curl
+
 WORKDIR /

-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-
-RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
+    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader

 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

-FROM scratch
+FROM debian:11-slim
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+ENV HOST_ROOT /host
+ENV HOME /root

 COPY --from=ubuntu /falco /

--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=$(pip show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

 cat <<EOF
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +33,32 @@ rules_file:
  - /etc/falco/k8s_audit_rules.yaml
  - /etc/falco/rules.d

+
+#
+# Plugins that are available for use. These plugins are not loaded by
+# default, as they require explicit configuration to point to
+# cloudtrail log files.
+#
+
+# To learn more about the supported formats for
+# init_config/open_params for the cloudtrail plugin, see the README at
+# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
+plugins:
+  - name: cloudtrail
+    library_path: libcloudtrail.so
+    init_config: ""
+    open_params: ""
+  - name: json
+    library_path: libjson.so
+    init_config: ""
+
+# Setting this list to empty ensures that the above plugins are *not*
+# loaded and enabled by default. If you want to use the above plugins,
+# set a meaningful init_config/open_params for the cloudtrail plugin
+# and then change this to:
+# load_plugins: [cloudtrail, json]
+load_plugins: []
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
@@ -46,6 +72,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true

+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
@@ -68,24 +100,69 @@ priority: debug
 buffered_outputs: false

 # Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
+# system call information. When Falco detects that this buffer is
 # full and system calls have been dropped, it can take one or more of
 # the following actions:
-#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-#   - "log": log a CRITICAL message noting that the buffer was full.
-#   - "alert": emit a falco alert noting that the buffer was full.
-#   - "exit": exit falco with a non-zero rc.
+#   - ignore: do nothing (default when list of actions is empty)
+#   - log: log a DEBUG message noting that the buffer was full
+#   - alert: emit a Falco alert noting that the buffer was full
+#   - exit: exit Falco with a non-zero rc
+#
+# Notice it is not possible to ignore and log/alert messages at the same time.
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
+# with a burst of one message (by default).
+#
+# The messages are emitted when the percentage of dropped system calls
+# with respect the number of events in the last second
+# is greater than the given threshold (a double in the range [0, 1]).
+#
+# For debugging/testing it is possible to simulate the drops using
+# the `simulate_drops: true`. In this case the threshold does not apply.

 syscall_event_drops:
+  threshold: .1
  actions:
    - log
    - alert
  rate: .03333
-  max_burst: 10
+  max_burst: 1
+
+# Falco uses a shared buffer between the kernel and userspace to receive
+# the events (eg., system call information) in userspace.
+#
+# Anyways, the underlying libraries can also timeout for various reasons.
+# For example, there could have been issues while reading an event.
+# Or the particular event needs to be skipped.
+# Normally, it's very unlikely that Falco does not receive events consecutively.
+#
+# Falco is able to detect such uncommon situation.
+#
+# Here you can configure the maximum number of consecutive timeouts without an event
+# after which you want Falco to alert.
+# By default this value is set to 1000 consecutive timeouts without an event at all.
+# How this value maps to a time interval depends on the CPU frequency.
+
+syscall_event_timeouts:
+  max_consecutives: 1000
+
+# Falco continuously monitors outputs performance. When an output channel does not allow
+# to deliver an alert within a given deadline, an error is reported indicating
+# which output is blocking notifications.
+# The timeout error will be reported to the log according to the above log_* settings.
+# Note that the notification will not be discarded from the output queue; thus,
+# output channels may indefinitely remain blocked.
+# An output timeout error indeed indicate a misconfiguration issue or I/O problems
+# that cannot be recovered by Falco and should be fixed by the user.
+#
+# The "output_timeout" value specifies the duration in milliseconds to wait before
+# considering the deadline exceed.
+#
+# With a 2000ms default, the notification consumer can block the Falco output
+# for up to 2 seconds without reaching the timeout.
+
+output_timeout: 2000

 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
@@ -135,11 +212,14 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-
+#
+# It also exposes a healthy endpoint that can be used to check if Falco is up and running
+# By default the endpoint is /healthz
 webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s-audit
+  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

@@ -201,3 +281,9 @@ grpc:
 # Make sure to have a consumer for them or leave this disabled.
 grpc_output:
  enabled: false
+
+# Container orchestrator metadata fetching params
+metadata_download:
+  max_mb: 100
+  chunk_wait_us: 1000
+  watch_freq_sec: 1
--- a/proposals/20200828-structured-exception-handling.md
+++ b/proposals/20200828-structured-exception-handling.md
@@ -0,0 +1,240 @@
+# Proposal for First Class Structured Exceptions in Falco Rules
+
+## Summary
+
+## Motivation
+
+Almost all Falco Rules have cases where the behavior detected by the
+rule should be allowed. For example, The rule Write Below Binary Dir
+has exceptions for specific programs that are known to write below
+these directories as a part of software installation/management:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+...
+```
+In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
+
+```yaml
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+```
+
+The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
+
+A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
+
+```
+...
+    and not sed_temporary_file
+    and not exe_running_docker_save
+    and not ansible_running_python
+    and not python_running_denyhosts
+    and not fluentd_writing_conf_files
+    and not user_known_write_etc_conditions
+    and not run_by_centrify
+    and not run_by_adclient
+    and not qualys_writing_conf_files
+    and not git_writing_nssdb
+...
+```
+
+The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
+
+### Using Appends/Overwrites to Customize Rules
+
+An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+
+- macro: user_known_update_package_registry
+  condition: (never_true)
+
+- rule: Update Package Repository
+  desc: Detect package repositories get updated
+  condition: >
+    ((open_write and access_repositories) or (modify and modify_repositories))
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not user_known_update_package_registry
+```
+
+If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [puppet]
+  append: true
+
+- macro: package_mgmt_procs
+  condition: and not proc.pname=chef
+  append: true
+
+- macro: user_known_update_package_registry
+  condition: (proc.name in (npm))
+  append: false
+```
+
+This adds an 3 different exceptions:
+* an additional binary to package_mgmt_binaries (because append is true),
+* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
+* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
+
+### Problems with Appends/Overrides to Define Exceptions
+
+Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
+
+* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
+
+```yaml
+rule: my_rule
+condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
+
+rule: my_rule
+condition: or fd.name=/tmp/baz
+append: true
+```
+
+Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
+
+* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
+
+* Appends and overrides can get confusing if you try to apply them multiple times. For example:
+
+```yaml
+macro: allowed_files
+condition: fd.name=/tmp/foo
+
+...
+
+macro: allowed_files
+condition: and fd.name=/tmp/bar
+append: true
+```
+
+If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
+
+## Solution: Exceptions as first class objects
+
+To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+  exceptions:
+   - name: proc_writer
+     fields: [proc.name, fd.directory]
+   - name: container_writer
+     fields: [container.image.repository, fd.directory]
+     comps: [=, startswith]
+   - name: proc_filenames
+     fields: [proc.name, fd.name]
+     comps: [=, in]
+   - name: filenames
+     fields: fd.filename
+     comps: in
+```
+
+This rule defines four kinds of exceptions:
+  * proc_writer: uses a combination of proc.name and fd.directory
+  * container_writer: uses a combination of container.image.repository and fd.directory
+  * proc_filenames: uses a combination of process and list of filenames.
+  * filenames: uses a list of filenames
+
+The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
+
+proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
+
+proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
+
+filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
+
+Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
+
+Exception values will most commonly be defined in rules with append: true. Here's an example:
+
+```yaml
+- list: apt_files
+  items: [/bin/ls, /bin/rm]
+
+- rule: Write below binary dir
+  exceptions:
+  - name: proc_writer
+    values:
+    - [apk, /usr/lib/alpine]
+    - [npm, /usr/node/bin]
+  - name: container_writer
+    values:
+    - [docker.io/alpine, /usr/libexec/alpine]
+  - name: proc_filenames
+    values:
+    - [apt, apt_files]
+    - [rpm, [/bin/cp, /bin/pwd]]
+  - name: filenames
+    values: [python, go]
+```
+
+A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
+
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+
+Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
+
+### Implementation
+
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+
+When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
+
+```
+(<Write below binary dir condition>) and not (
+    (proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
+	(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
+	(proc.name=apt and fd.name in (apt_files))) or
+	(fd.filename in (python, go))))
+```
+
+The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+
+### Advantages
+
+Adding Exception objects as described here has several advantages:
+
+* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
+* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
+* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
+
+## Backwards compatibility
+
+To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
+
+This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
+
+This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
+
+However, there are a few changes we'll have to make to Falco rules file parsing:
+
+* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
+* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.
+
+
--- a/proposals/20200901-artifacts-cleanup.md
+++ b/proposals/20200901-artifacts-cleanup.md
@@ -2,6 +2,8 @@

 This document reflects when and how we clean up the Falco artifacts from their storage location.

+**Superseeded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
+
 ## Motivation

 The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
@@ -94,9 +96,19 @@ Since the process of building drivers is time and resource consuming, this docum

 The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.

+#### Notice
+
+The current mechanism the Falco community uses to store the Falco drivers is explained by the [drivers-storage-s3](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md) proposal.
+
 ### Implementation

 The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
 will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.

-This job will be triggered after the `drivers/publish` completed successfully on the master branch.
+This job will be triggered after the `drivers/publish` completed successfully on the master branch.
+
+#### Notice
+
+At the moment of writing (2021 09 28) the `drivers/cleanup` job is no more in place.
+
+Pragmatically, this means that the older Falco drivers will remain available in their [S3 bucket](https://download.falco.org/?prefix=driver/).
--- a/proposals/20201025-drivers-storage-s3.md
+++ b/proposals/20201025-drivers-storage-s3.md
@@ -1,5 +1,9 @@
 # Falco Drivers Storage S3

+Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
+
+Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
+
 ## Introduction

 In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
@@ -41,7 +45,7 @@ Before today, we had many issues with storage even without the spike in users we

 ## Context on AWS

-Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow). 
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).

 ## Interactions with other teams and the CNCF

@@ -55,7 +59,7 @@ We want to propose to move the drivers and the container dependencies to S3.

 #### Moving means:

-* We create a public S3 bucket with[ stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)

 * We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain

@@ -113,7 +117,7 @@ export DRIVERS_REPO=https://your-url-here

 Pass it as environment variable using the docker run flag -e - for example:

-docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here) 
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)

 **Kubernetes**

--- a/proposals/20210119-libraries-contribution.md
+++ b/proposals/20210119-libraries-contribution.md
@@ -0,0 +1,167 @@
+# OSS Libraries Contribution Plan
+
+## Summary
+
+Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
+
+This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
+
+This plan aims to describe and clarify the terms and goals to get the contribution done.
+
+## Motivation
+
+There are two main OSS projects using the libraries and drivers that we are aware of:
+
+- [sysdig](https://github.com/draios/sysdig)  the command line tool
+- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
+
+Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
+
+Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
+
+This change is win-win for both parties because of the following reasons:
+
+- The Falco community owns the source code of the three most important parts of the software it distributes.
+  - Right now it is "only" an engine on top of the libraries. This **contribution** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
+
+- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
+
+- Sysdig (the company) can now focus on the user experience and user space features
+
+- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
+
+- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
+
+## Goals
+
+There are many sub-projects and each of them interacts in a different way in this contribution.
+
+Let's see the goals per sub-project.
+
+### libsinsp
+
+1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the contribution is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
+
+19. Document the API
+
+### libscap
+
+1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the contribution is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libscap  release process for the build
+
+19. Document the API
+
+### Drivers: Kernel module and eBPF probe
+
+1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the Makefiles and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
+
+9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+10. Every other additional change will need to have its own process with a proposal
+
+11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
+
+    - Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
+
+12. This project will go already "Official support" once the migration is completed.
+
+### Falco
+
+1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
+
+2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
+
+### Driverkit
+
+1. Change the source location for the drivers to point to the new driver repository
+
+### pdig
+
+1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location
--- a/proposals/20210501-plugin-system.md
+++ b/proposals/20210501-plugin-system.md
@@ -0,0 +1,613 @@
+# Plugin System
+
+## Summary
+
+This is a proposal to create an infrastructure to extend the functionality of the Falco libraries via plugins.
+
+Plugins will allow users to easily extend the functionality of the libraries and, as a consequence, of Falco and any other tool based on the libraries.
+
+This proposal, in particular, focuses on two types of plugins: source plugins and extractor plugins.
+
+## Motivation
+
+[libscap](https://github.com/falcosecurity/libs/tree/master/userspace/libscap) and [libsinsp](https://github.com/falcosecurity/libs/tree/master/userspace/libsinsp) provide a powerful data capture framework, with a rich set of features that includes:
+
+- data capture
+- trace files management
+- enrichment
+- filtering
+- formatting and screen rendering
+- Lua scripting (chisels)
+
+These features have been designed with one specific input in mind: system calls. However, they are generically adaptable to a broad set of inputs, such as cloud logs.
+
+With this proposal, we want to dramatically extend the scope of what the libraries, Falco and other tools can be applied to. We want to do it in a way that is easy, efficient and empowers anyone in the community to write a plugin.
+
+## Goals
+
+- To design and implement a plugin framework that makes the libraries more modular and extensible
+- To have a framework that is easy to use
+- To support dynamic loading of plugins, so that the libraries can be extended without having to be recompiled and relinked
+- To enable users to write plugins in any language, with a particular focus on Go, C and C++
+- To have an efficient plugin framework so that, performance-wise, writing a plugin is as close as possible as extending the libraries internal source code
+- To make it possible to write plugins for Linux, MacOS and Windows
+
+## Non-Goals
+
+- To implement plugins other than source and extractor: to be approached as separate task
+- To document the plugin framework and interface: to be approached as separate task
+
+## Proposal
+
+### Plugin Common Information
+
+Both source and extractor plugins have the following:
+
+- A required api version, to ensure compatibility with the plugin framework.
+- A name
+- A description
+- A version
+- A contact field for the plugin authors (website, github repo, twitter, etc).
+- Functions to initialize and destroy the plugin internal state.
+
+### Plugin types
+
+Initially, we will implement support for two types of plugins: source plugins and extractor plugins.
+
+#### Source Plugin
+
+A source plugin implements a new sinsp/scap event source. It has the ability to "open" and "close" a session that provides events. It also has the ability to return an event to the plugin framework via a next() method. Events returned by source plugins have an "event source", which describes the information in the event. This is distinct from the plugin name to allow for multiple kinds of plugins to generate the same kind of events. For example, there might be plugins gke-audit-bridge, eks-audit-bridge, ibmcloud-audit-bridge, etc. that all fetch [K8s Audit](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) information. The plugins would have different names but would have the same event source "k8s_audit".
+
+Source plugins also have the ability to extract information from events based on fields. For example, a field proc.name extracts a process name from a syscall event. The plugin returns a set of supported fields, and there are functions to extract a value given an event and field. The plugin framework can then build filtering expressions/Falco rule conditions based on these fields combined with relational and/or logical operators. For example, given an expression "ct.name=root and ct.region=us-east-1", the plugin framework handles parsing the expression, calling the plugin to extract values for a given event, and determining the result of the expression. In a Falco output string like "An EC2 Node was created (name=%ec2.name region=%ct.region)", the plugin framework handles parsing the output string, calling the plugin to extract values for a given event, and building the resolved string.
+
+Source plugins also provide an "id", which is globally unique and is used in capture files (see below).
+
+#### Extractor Plugin
+
+An extractor plugin focuses only on field extraction from events generated by other plugins, or by the core libraries. It does *not* provide an event source, but can extract fields from other event sources. An example is json field extraction, where a plugin might be able to extract fields from arbitrary json payloads.
+
+An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the exctractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
+
+### Support for Plugin Events in Capture Files.
+
+libscap will define a new event type called "pluginevent" that contains two fields:
+
+* "plugin ID": This uniquely identifies the plugin that generated this event.
+* "event_data": This is a variable-length data buffer containing the event data, as returned by the plugin.
+
+Defining an event for plugins allows creating capture files from plugins. These capture files can be saved, read, filtered, etc, like any other capture file, allowing for later analysis/display/etc.
+
+### Plugins format
+
+Plugins are dynamic libraries (.so files in Unix, .dll files in windows) that export a minimum set of functions that the libraries will recognize.
+
+Plugins are versioned using semantic versioning to minimize regressions and compatibility issues.
+
+Plugins can be written in any language, as long as they export the required functions. Go, however, is the preferred language to write plugins, followed by C/C++.
+
+### Protecting from plugin issues
+
+The libraries will do everything possible to validate the data coming from the plugins and protect Falco and the other consumers from corrupted data. However, for performance reasons, plugins will be "trusted": they will run in the same thread and address space as Falco and they could crash the program. We assume that the user will be in control of plugin loading and will make sure only trusted plugins are loaded/packaged with Falco.
+
+### Plugin/Event Source registries
+
+Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unuambiguosly recognize their dependencies.
+
+To facilitate the allocation and distribution of plugin IDs, we will require that plugin developers request IDs for their plugins to the Falco organization. The mechanism used for plugin allocation is not determined yet and will be discussed in the future.
+
+Similarly, plugin developers must register event sources with the Falco organization. This allows coordination between plugins that wish to provide compatible payloads, and to allow extractor plugins to know what data format is associated with a given event source.
+
+### golang plugin SDK
+
+To facilitate the development of plugins written in go, an SDK has been developed. We intend this SDK (and future SDKs for other languages) to be part of the Falco organization. For this reason, we submitted the following incubation request: https://github.com/falcosecurity/evolution/issues/62
+
+### Proposed API (subject to change)
+
+```c
+// This struct represents an event returned by the plugin, and is used
+// below in next()/next_batch().
+// - data: pointer to a memory buffer pointer. The plugin will set it
+//   to point to the memory containing the next event. Once returned,
+//   the memory is owned by the plugin framework and will be freed via
+//   a call to free().
+// - datalen: pointer to a 32bit integer. The plugin will set it the size of the
+//   buffer pointed by data.
+// - ts: the event timestamp. Can be (uint64_t)-1, in which case the engine will
+//   automatically fill the event time with the current time.
+typedef struct ss_plugin_event
+{
+	uint8_t *data;
+	uint32_t datalen;
+	uint64_t ts;
+} ss_plugin_event;
+
+//
+// This is the opaque pointer to the state of a plugin.
+// It points to any data that might be needed plugin-wise. It is
+// allocated by init() and must be destroyed by destroy().
+// It is defined as void because the engine doesn't care what it is
+// and it treats is as opaque.
+//
+typedef void ss_plugin_t;
+
+//
+// This is the opaque pointer to the state of an open instance of the source
+// plugin.
+// It points to any data that is needed while a capture is running. It is
+// allocated by open() and must be destroyed by close().
+// It is defined as void because the engine doesn't care what it is
+// and it treats is as opaque.
+//
+typedef void ss_instance_t;
+
+//
+// Interface for a sinsp/scap source plugin
+//
+//
+// NOTE: For all functions below that return a char *, the memory
+// pointed to by the char * must be allocated by the plugin using
+// malloc() and should be freed by the caller using free().
+//
+// For each function below, the exported symbol from the dynamic
+// library should have a prefix of "plugin_"
+// (e.g. plugin_get_required_api_version, plugin_init, etc.)
+//
+typedef struct
+{
+	//
+	// Return the version of the plugin API used by this plugin.
+	// Required: yes
+	// Return value: the API version string, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// NOTE: to ensure correct interoperability between the engine and the plugins,
+	//       we use a semver approach. Plugins are required to specify the version
+	//       of the API they run against, and the engine will take care of checking
+	//       and enforcing compatibility.
+	//
+	char* (*get_required_api_version)();
+	//
+	// Return the plugin type.
+	// Required: yes
+	// Should return TYPE_SOURCE_PLUGIN. It still makes sense to
+	// have a function get_type() as the plugin interface will
+	// often dlsym() functions from shared libraries, and can't
+	// inspect any C struct type.
+	//
+	uint32_t (*get_type)();
+	//
+	// Initialize the plugin and, if needed, allocate its state.
+	// Required: yes
+	// Arguments:
+	// - config: a string with the plugin configuration. The format of the
+	//   string is chosen by the plugin itself.
+	// - rc: pointer to an integer that will contain the initialization result,
+	//   as a SCAP_* value (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: pointer to the plugin state that will be treated as opaque
+	//   by the engine and passed to the other plugin functions.
+	//   If rc is SCAP_FAILURE, this function should return NULL.
+	//
+	ss_plugin_t* (*init)(char* config, int32_t* rc);
+	//
+	// Destroy the plugin and, if plugin state was allocated, free it.
+	// Required: yes
+	//
+	void (*destroy)(ss_plugin_t* s);
+	//
+	// Return a string with the error that was last generated by
+	// the plugin.
+        // Required: yes
+	//
+	// In cases where any other api function returns an error, the
+	// plugin should be prepared to return a human-readable error
+	// string with more context for the error. The plugin manager
+	// calls get_last_error() to access that string.
+	//
+	char* (*get_last_error)(ss_plugin_t* s);
+	//
+	// Return the unique ID of the plugin.
+	// Required: yes
+	// EVERY SOURCE PLUGIN (see get_type()) MUST OBTAIN AN OFFICIAL ID FROM THE
+	// FALCOSECURITY ORGANIZATION, OTHERWISE IT WON'T PROPERLY COEXIST WITH OTHER PLUGINS.
+	//
+	uint32_t (*get_id)();
+	//
+	// Return the name of the plugin, which will be printed when displaying
+	// information about the plugin.
+	// Required: yes
+	//
+	char* (*get_name)();
+	//
+	// Return the descriptions of the plugin, which will be printed when displaying
+	// information about the plugin or its events.
+	// Required: yes
+	//
+	char* (*get_description)();
+	//
+	// Return a string containing contact info (url, email, twitter, etc) for
+	// the plugin authors.
+	// Required: yes
+	//
+	char* (*get_contact)();
+	//
+	// Return the version of this plugin itself
+	// Required: yes
+	// Return value: a string with a version identifier, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// This differs from the api version in that this versions the
+	// plugin itself, as compared to the plugin interface. When
+	// reading capture files, the major version of the plugin that
+	// generated events must match the major version of the plugin
+	// used to read events.
+	//
+	char* (*get_version)();
+	//
+	// Return a string describing the events generated by this source plugin.
+	// Required: yes
+	// Example event sources would be strings like "syscall",
+	// "k8s_audit", etc.  The source can be used by extractor
+	// plugins to filter the events they receive.
+	//
+	char* (*get_event_source)();
+	//
+	// Return the list of extractor fields exported by this plugin. Extractor
+	// fields can be used in Falco rule conditions and sysdig filters.
+	// Required: no
+	// Return value: a string with the list of fields encoded as a json
+	//   array.
+	//   Each field entry is a json object with the following properties:
+	//     "type": one of "string", "uint64"
+	//     "name": a string with a name for the field
+	//     "desc": a string with a description of the field
+	// Example return value:
+	// [
+	//    {"type": "string", "name": "field1", "desc": "Describing field 1"},
+	//    {"type": "uint64", "name": "field2", "desc": "Describing field 2"}
+	// ]
+	char* (*get_fields)();
+	//
+	// Open the source and start a capture.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin state returned by init()
+	// - params: the open parameters, as a string. The format is defined by the plugin
+	//   itsef
+	// - rc: pointer to an integer that will contain the open result, as a SCAP_* value
+	//   (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: a pointer to the open context that will be passed to next(),
+	//   close(), event_to_string() and extract_*.
+	//
+	ss_instance_t* (*open)(ss_plugin_t* s, char* params, int32_t* rc);
+	//
+	// Close a capture.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin context, returned by init(). Can be NULL.
+	// - h: the capture context, returned by open(). Can be NULL.
+	//
+	void (*close)(ss_plugin_t* s, ss_instance_t* h);
+	//
+	// Return the next event.
+	// Required: yes
+	// Arguments:
+	// - s: the plugin context, returned by init(). Can be NULL.
+	// - h: the capture context, returned by open(). Can be NULL.
+	//
+        // - evt: pointer to a ss_plugin_event pointer. The plugin should
+        //   allocate a ss_plugin_event struct using malloc(), as well as
+	//   allocate the data buffer within the ss_plugin_event struct.
+	//   Both the struct and data buffer are owned by the plugin framework
+	//   and will free them using free().
+	//
+	// Return value: the status of the operation (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1,
+	//   SCAP_TIMEOUT=-1)
+	//
+	int32_t (*next)(ss_plugin_t* s, ss_instance_t* h, ss_plugin_event **evt);
+	//
+	// Return the read progress.
+	// Required: no
+	// Arguments:
+	// - progress_pct: the read progress, as a number between 0 (no data has been read)
+	//   and 10000 (100% of the data has been read). This encoding allows the engine to
+	//   print progress decimals without requiring to deal with floating point numbers
+	//   (which could cause incompatibility problems with some languages).
+	// Return value: a string representation of the read
+	//   progress. This might include the progress percentage
+	//   combined with additional context added by the plugin. If
+	//   NULL, progress_pct should be used.
+	// NOTE: reporting progress is optional and in some case could be impossible. However,
+	//       when possible, it's recommended as it provides valuable information to the
+	//       user.
+	//
+	char* (*get_progress)(ss_plugin_t* s, ss_instance_t* h, uint32_t* progress_pct);
+	//
+	// Return a text representation of an event generated by this source plugin.
+	// Required: yes
+	// Arguments:
+	// - data: the buffer from an event produced by next().
+	// - datalen: the length of the buffer from an event produced by next().
+	// Return value: the text representation of the event. This is used, for example,
+	//   by sysdig to print a line for the given event.
+	//
+	char *(*event_to_string)(ss_plugin_t *s, const uint8_t *data, uint32_t datalen);
+	//
+	// Extract a filter field value from an event.
+	// We offer multiple versions of extract(), differing from each other only in
+	// the type of the value they return (string, integer...).
+	// Required: no
+	// Arguments:
+	// - evtnum: the number of the event that is bein processed
+	// - id: the numeric identifier of the field to extract. It corresponds to the
+	//   position of the field in the array returned by get_fields().
+	// - arg: the field argument, if an argument has been specified for the field,
+	//   otherwise it's NULL. For example:
+	//    * if the field specified by the user is foo.bar[pippo], arg will be the
+	//      string "pippo"
+	//    * if the field specified by the user is foo.bar, arg will be NULL
+	// - data: the buffer produced by next().
+	// - datalen: the length of the buffer produced by next().
+	// - field_present: nonzero if the field is present for the given event.
+	// Return value: the produced value of the filter field. For extract_str(), a
+	//   NULL return value means that the field is missing for the given event.
+	//
+	char *(*extract_str)(ss_plugin_t *s, uint64_t evtnum, const char * field, const char *arg, uint8_t *data, uint32_t datalen);
+	uint64_t (*extract_u64)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen, uint32_t *field_present);
+	//
+	// This is an optional, internal, function used to speed up event capture by
+	// batching the calls to next().
+	// On success:
+	//   - nevts will be filled in with the number of events.
+        //   - evts: pointer to an ss_plugin_event pointer. The plugin should
+        //     allocate an array of contiguous ss_plugin_event structs using malloc(),
+	//     as well as allocate each data buffer within each ss_plugin_event
+	//     struct using malloc(). Both the array of structs and each data buffer are
+	//     owned by the plugin framework and will free them using free().
+	// Required: no
+	//
+	int32_t (*next_batch)(ss_plugin_t* s, ss_instance_t* h, uint32_t *nevts, ss_plugin_event **evts);
+	//
+	// This is an optional, internal, function used to speed up value extraction
+	// Required: no
+	//
+	int32_t (*register_async_extractor)(ss_plugin_t *s, async_extractor_info *info);
+
+	//
+	// The following members are PRIVATE for the engine and should not be touched.
+	//
+	ss_plugin_t* state;
+	ss_instance_t* handle;
+	uint32_t id;
+	char *name;
+} source_plugin_info;
+
+//
+// Interface for a sinsp/scap extractor plugin
+//
+//
+// NOTE: For all functions below that return a char *, the memory
+// pointed to by the char * must be allocated by the plugin using
+// malloc() and should be freed by the caller using free().
+//
+typedef struct
+{
+	//
+	// Return the version of the plugin API used by this plugin.
+	// Required: yes
+	// Return value: the API version string, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// NOTE: to ensure correct interoperability between the engine and the plugins,
+	//       we use a semver approach. Plugins are required to specify the version
+	//       of the API they run against, and the engine will take care of checking
+	//       and enforcing compatibility.
+	//
+	char* (*get_required_api_version)();
+	//
+	// Return the plugin type.
+	// Required: yes
+	// Should return TYPE_EXTRACTOR_PLUGIN. It still makes sense to
+	// have a function get_type() as the plugin interface will
+	// often dlsym() functions from shared libraries, and can't
+	// inspect any C struct type.
+	//
+	uint32_t (*get_type)();
+	//
+	// Initialize the plugin and, if needed, allocate its state.
+	// Required: yes
+	// Arguments:
+	// - config: a string with the plugin configuration. The format of the
+	//   string is chosen by the plugin itself.
+	// - rc: pointer to an integer that will contain the initialization result,
+	//   as a SCAP_* value (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
+	// Return value: pointer to the plugin state that will be treated as opaque
+	//   by the engine and passed to the other plugin functions.
+	//
+	ss_plugin_t* (*init)(char* config, int32_t* rc);
+	//
+	// Destroy the plugin and, if plugin state was allocated, free it.
+	// Required: yes
+	//
+	void (*destroy)(ss_plugin_t* s);
+	//
+	// Return a string with the error that was last generated by
+	// the plugin.
+        // Required: yes
+	//
+	// In cases where any other api function returns an error, the
+	// plugin should be prepared to return a human-readable error
+	// string with more context for the error. The plugin manager
+	// calls get_last_error() to access that string.
+	//
+	char* (*get_last_error)(ss_plugin_t* s);
+	//
+	// Return the name of the plugin, which will be printed when displaying
+	// information about the plugin.
+	// Required: yes
+	//
+	char* (*get_name)();
+	//
+	// Return the descriptions of the plugin, which will be printed when displaying
+	// information about the plugin or its events.
+	// Required: yes
+	//
+	char* (*get_description)();
+	//
+	// Return a string containing contact info (url, email, twitter, etc) for
+	// the plugin author.
+	// Required: yes
+	//
+	char* (*get_contact)();
+	//
+	// Return the version of this plugin itself
+	// Required: yes
+	// Return value: a string with a version identifier, in the following format:
+	//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+	// This differs from the api version in that this versions the
+	// plugin itself, as compared to the plugin interface. When
+	// reading capture files, the major version of the plugin that
+	// generated events must match the major version of the plugin
+	// used to read events.
+	//
+	char* (*get_version)();
+	//
+	// Return a string describing the event sources that this
+	// extractor plugin can consume.
+	// Required: no
+	// Return value: a json array of strings containing event
+	//   sources returned by a source plugin's get_event_source()
+	//   function.
+	// This function is optional--if NULL then the exctractor
+	// plugin will receive every event.
+	//
+	char* (*get_extract_event_sources)();
+	//
+	// Return the list of extractor fields exported by this plugin. Extractor
+	// fields can be used in Falco rules and sysdig filters.
+	// Required: yes
+	// Return value: a string with the list of fields encoded as a json
+	//   array.
+	//
+	char* (*get_fields)();
+	//
+	// Extract a filter field value from an event.
+	// We offer multiple versions of extract(), differing from each other only in
+	// the type of the value they return (string, integer...).
+	// Required: for plugins of type TYPE_EXTRACTOR_PLUGIN only
+	// Arguments:
+	// - evtnum: the number of the event that is being processed
+	// - id: the numeric identifier of the field to extract. It corresponds to the
+	//   position of the field in the array returned by get_fields().
+	// - arg: the field argument, if an argument has been specified for the field,
+	//   otherwise it's NULL. For example:
+	//    * if the field specified by the user is foo.bar[pippo], arg will be the
+	//      string "pippo"
+	//    * if the field specified by the user is foo.bar, arg will be NULL
+	// - data: the buffer produced by next().
+	// - datalen: the length of the buffer produced by next().
+	// - field_present: nonzero if the field is present for the given event.
+	// Return value: the produced value of the filter field. For extract_str(), a
+	// NULL return value means that the field is missing for the given event.
+	//
+	char *(*extract_str)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen);
+	uint64_t (*extract_u64)(ss_plugin_t *s, uint64_t evtnum, const char *field, const char *arg, uint8_t *data, uint32_t datalen, uint32_t *field_present);
+} extractor_plugin_info;
+
+```
+
+### Event Sources and Falco Rules
+
+Falco rules already have the notion of a "source", using the source property in rules objects, and there are currently two kinds of event sources: "syscall" and "k8s_audit". We will use the source property in Falco rules to map a given rule to the event source on which the rule runs.
+
+For example, given a plugin with source "aws_cloudtrail", and a Falco rule with source "aws_cloudtrail", the rule will be evaluated for any events generated by the plugin.
+
+Similarly, an extractor plugin that includes "aws_cloudtrail" in its set of event sources will have the opportunity to extract information from aws_cloudtrail events if a matching field is found in the rule's condition, exception, or output properties.
+
+This, combined with the restrictions below, allows a set of loaded rules files to contain a mix of rules for plugins as well as "core" syscall/k8s_audit events.
+
+We will also make a change to compile rules/macros/lists selectively based on the set of loaded plugins (specifically, their event sources), instead of unconditionally as Falco is started. This is especially important for macros, which do not contain a source property, but might contain fields that are only implemented by a given plugin.
+
+### Handling Duplicate/Overlapping Fields in Plugins/Libraries Core
+
+At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts managable.
+
+Remember that field extraction is always done in the context of an event, and each event can be mapped back to an event source. So we only need to ensure that filtercheck fields are distinct for a given event source. For example, it's perfectly valid for an AWS Cloudtrail plugin to define a proc.name field, as the events generated by that plugin are wholly separate from syscall events. For syscall events, the AWS Cloudtrail plugin is not involved and the core libraries extract the process name for the tid performing a syscall. For AWS Cloudtrail events, the core libraries are not involved in field extraction and is performed by the AWS Cloudtrail plugin instead.
+
+We only need to ensure the following:
+
+* That only one plugin is loaded at a time that exports a given event source. For example, the libraries can load either a gke-audit-bridge plugin with event source k8s_audit, or eks-audit-bridge with event source k8s_audit, but not both.
+* That for a mix of source and extractor plugins having the same event source, that the fields are distinct. For example, a source plugin with source k8s_audit can export ka.* fields, and an extractor plugin with event source k8s_audit can export a jevt.value[/...] field, and the appropriate plugin will be used to extract fields from k8s_audit events as fields are parsed from condition expressions/output format strings.
+
+### Plugin Versions and Falco Rules
+
+To allow rules files to document the plugin versions they are compatible with, we will add a new top-level field `required_plugin_versions` to the Falco rules file format. The field is optional, and if not provided no plugin compatibility checks will be performed. The syntax of `required_plugin_versions` will be the following:
+
+```yaml
+- required_plugin_versions:
+  - name: <plugin_name>
+    version: x.y.z
+  ...
+```
+
+Below required_plugin_versions is a list of objects, where each object has `name` and `version` properties. If a plugin is loaded, and if an entry in `required_plugin_versions` has a matching name, then the loaded plugin version must be semver compatible with the version property.
+
+Falco can load multiple rules files, and each file may contain its own `required_plugin_versions` property. In this case, name+version pairs across all files will be merged, and in the case of duplicate names all provided versions must be compatible.
+
+### Loading the plugins
+
+The mechanics of loading a plugin are implemented in the libraries and leverage the dynamic library functionality of the operating system (dlopen/dlsym in unix, LoadLibrary/GetProcAddress in Windows). The plugin loading code also ensures that:
+
+- the plugin is valid, i.e. that it exports the set of expected symbols
+- the plugin has an api version number that is compatible with the libraries instance
+- that only one source plugin is loaded at a time for a given event source
+- if a mix of source and extractor plugins are loaded for a given event source, that the exported fields have unique names that don't overlap across plugins
+
+#### Loading plugins in falcosecurity/libs
+
+At the libraries level, loading plugins is handled via the static method:
+
+```c++
+void sinsp_plugin::register_plugin(sinsp* inspector, string filepath, char* config, ...)
+```
+
+filepath points to a dynamic library containing code that exports plugin API functions. config contains arbitrary config content which is passed to init().
+
+Note that the code using the libraries is responsible for determining the location of plugin libraries and their configuration.
+
+#### Loading plugins in falcosecurity/falco
+
+Falco will control/configure loading plugins via the new "plugins" property in falco.yaml. Here's an example:
+
+```yaml
+plugins:
+  - name: aws_cloudtrail
+    library_path: aws_cloudtrail/plugin.so
+    init_config: "..."
+    open_params: "..."
+  - name: http_json
+    library_path: http_json/plugin.so
+    init_config_file: http_json/config.txt
+    open_params_file: http_json/params.txt
+
+# Optional
+load_plugins: [aws_cloudtrail]
+```
+
+A new "plugins" property in falco.yaml will define the set of plugins that can be loaded by Falco. The property contains a list of objects, with the following properties:
+
+* name: Only used for load_plugins, but by convention should be the same as the value returned by the name() api function.
+* library_path: a path to the shared library. The path can be relative, in which case it is relative to Falco's "share" directory under a "plugins" subdirectory e.g. /usr/share/falco/plugins.
+* init_config: If present, the exact configuration text that will be provided as an argument to the init() function.
+* init_config_file: If present, the provided file will be read and the contents will be provided as an argument to the init() function.
+* open_params: If present, the exact params text that will be provided as an argument to the open() function.
+* open_params_file: If present, the provided file will be read and the contents will be provided as an argument to the open() function.
+
+For a given yaml object in the plugins list, only one of init_config/init_config_file and one of open_params/open_params_file can be provided at a time.
+
+A new "load_plugins" property in falco.yaml will allow for loading a subset of the plugins defined in plugins. If present, only the plugins with the provided names will be loaded.
+
+### Examples
+
+We have an initial version working, consisting of:
+
+* A version of falcosecurity/libs that supports the [plugin framework](https://github.com/falcosecurity/libs/tree/new/plugin-system-api-additions)
+* Support code and examples for [writing plugins in go](https://github.com/mstemm/libsinsp-plugin-sdk-go/tree/new/plugin-system-api-additions)
+* A [cloudtrail](https://github.com/mstemm/plugins/tree/new/plugin-system-api-additions) plugin that can generate events from cloudtrail logs and extract fields from those events.
+* A version of Falco that uses all of the above to [load and evaluate rules with plugins](https://github.com/leogr/falco/tree/new/plugin-system-api-additions)
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -23,6 +23,7 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
+  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()

 if(DEFINED FALCO_COMPONENT)
@@ -59,5 +60,10 @@ else()
    DESTINATION "${FALCO_ETC_DIR}/rules.available"
    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")

+  install(
+    FILES aws_cloudtrail_rules.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
+
  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()
--- a/rules/aws_cloudtrail_rules.yaml
+++ b/rules/aws_cloudtrail_rules.yaml
@@ -0,0 +1,440 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# All rules files related to plugins should require engine version 10
+- required_engine_version: 10
+
+# These rules can be read by cloudtrail plugin version 0.1.0, or
+# anything semver-compatible.
+- required_plugin_versions:
+  - name: cloudtrail
+    version: 0.1.0
+
+# Note that this rule is disabled by default. It's useful only to
+# verify that the cloudtrail plugin is sending events properly.  The
+# very broad condition evt.num > 0 only works because the rule source
+# is limited to aws_cloudtrail. This ensures that the only events that
+# are matched against the rule are from the cloudtrail plugin (or
+# a different plugin with the same source).
+- rule: All Cloudtrail Events
+  desc: Match all cloudtrail events.
+  condition:
+    evt.num > 0
+  output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error)
+  priority: DEBUG
+  tags:
+  - cloud
+  - aws
+  source: aws_cloudtrail
+  enabled: false
+
+- rule: Console Login Through Assume Role
+  desc: Detect a console login through Assume Role.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and ct.user.identitytype="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+  output:
+    Detected a console login through Assume Role
+    (principal=%ct.user.principalid,
+    assumedRole=%ct.user.arn,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region)
+  priority: WARNING
+  tags:
+  - cloud
+  - aws
+  - aws_console
+  - aws_iam
+  source: aws_cloudtrail
+
+- rule: Console Login Without MFA
+  desc: Detect a console login without MFA.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and ct.user.identitytype!="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+    and json.value[/additionalEventData/MFAUsed]="No"
+  output:
+    Detected a console login without MFA
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_console
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Console Root Login Without MFA
+  desc: Detect root console login without MFA.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and json.value[/additionalEventData/MFAUsed]="No"
+    and ct.user.identitytype!="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+    and ct.user.identitytype="Root"
+  output:
+    Detected a root console login without MFA.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_console
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Deactivate MFA for Root User
+  desc: Detect deactivating MFA configuration for root.
+  condition:
+    ct.name="DeactivateMFADevice" and not ct.error exists
+    and ct.user.identitytype="Root"
+    and ct.request.username="AWS ROOT USER"
+  output:
+    Multi Factor Authentication configuration has been disabled for root
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     MFA serial number=%ct.request.serialnumber)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Create AWS user
+  desc: Detect creation of a new AWS user.
+  condition:
+    ct.name="CreateUser" and not ct.error exists
+  output:
+    A new AWS user has been created
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     new user created=%ct.request.username)
+  priority: INFO
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Create Group
+  desc: Detect creation of a new user group.
+  condition:
+    ct.name="CreateGroup" and not ct.error exists
+  output:
+    A new user group has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     group name=%ct.request.groupname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Delete Group
+  desc: Detect deletion of a user group.
+  condition:
+    ct.name="DeleteGroup" and not ct.error exists
+  output:
+    A user group has been deleted.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     group name=%ct.request.groupname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: ECS Service Created
+  desc: Detect a new service is created in ECS.
+  condition:
+    ct.src="ecs.amazonaws.com" and
+    ct.name="CreateService" and
+    not ct.error exists
+  output:
+    A new service has been created in ECS
+    (requesting user=%ct.user,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region,
+    cluster=%ct.request.cluster,
+    service name=%ct.request.servicename,
+    task definition=%ct.request.taskdefinition)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ecs
+    - aws_fargate
+  source: aws_cloudtrail
+
+- rule: ECS Task Run or Started
+  desc: Detect a new task is started in ECS.
+  condition:
+    ct.src="ecs.amazonaws.com" and
+    (ct.name="RunTask" or ct.name="StartTask") and
+    not ct.error exists
+  output:
+    A new task has been started in ECS
+    (requesting user=%ct.user,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region,
+    cluster=%ct.request.cluster,
+    task definition=%ct.request.taskdefinition)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ecs
+    - aws_fargate
+  source: aws_cloudtrail
+
+- rule: Create Lambda Function
+  desc: Detect creation of a Lambda function.
+  condition:
+    ct.name="CreateFunction20150331" and not ct.error exists
+  output:
+    Lambda function has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Update Lambda Function Code
+  desc: Detect updates to a Lambda function code.
+  condition:
+    ct.name="UpdateFunctionCode20150331v2" and not ct.error exists
+  output:
+    The code of a Lambda function has been updated.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Update Lambda Function Configuration
+  desc: Detect updates to a Lambda function configuration.
+  condition:
+    ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists
+  output:
+    The configuration of a Lambda function has been updated.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Run Instances
+  desc: Detect launching of a specified number of instances.
+  condition:
+    ct.name="RunInstances" and not ct.error exists
+  output:
+    A number of instances have been launched.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     availability zone=%ct.request.availabilityzone,
+     subnet id=%ct.response.subnetid,
+     reservation id=%ct.response.reservationid)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ec2
+  source: aws_cloudtrail
+
+# Only instances launched on regions in this list are approved.
+- list: approved_regions
+  items:
+    - us-east-0
+
+- rule: Run Instances in Non-approved Region
+  desc: Detect launching of a specified number of instances in a non-approved region.
+  condition:
+    ct.name="RunInstances" and not ct.error exists and
+    not ct.region in (approved_regions)
+  output:
+    A number of instances have been launched in a non-approved region.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     availability zone=%ct.request.availabilityzone,
+     subnet id=%ct.response.subnetid,
+     reservation id=%ct.response.reservationid,
+     image id=%json.value[/responseElements/instancesSet/items/0/instanceId])
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ec2
+  source: aws_cloudtrail
+
+- rule: Delete Bucket Encryption
+  desc: Detect deleting configuration to use encryption for bucket storage.
+  condition:
+    ct.name="DeleteBucketEncryption" and not ct.error exists
+  output:
+    A encryption configuration for a bucket has been deleted
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket=%s3.bucket)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Delete Bucket Public Access Block
+  desc: Detect deleting blocking public access to bucket.
+  condition:
+    ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
+    json.value[/requestParameters/publicAccessBlock]="" and
+      (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
+  output:
+    A pulic access block for a bucket has been deleted
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket=%s3.bucket)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: List Buckets
+  desc: Detect listing of all S3 buckets.
+  condition:
+    ct.name="ListBuckets" and not ct.error exists
+  output:
+    A list of all S3 buckets has been requested.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     host=%ct.request.host)
+  priority: WARNING
+  enabled: false
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Put Bucket ACL
+  desc: Detect setting the permissions on an existing bucket using access control lists.
+  condition:
+    ct.name="PutBucketAcl" and not ct.error exists
+  output:
+    The permissions on an existing bucket have been set using access control lists.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket name=%s3.bucket)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Put Bucket Policy
+  desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
+  condition:
+    ct.name="PutBucketPolicy" and not ct.error exists
+  output:
+    An Amazon S3 bucket policy has been applied to an Amazon S3 bucket.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket name=%s3.bucket,
+     policy=%ct.request.policy)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: CloudTrail Trail Created
+  desc: Detect creation of a new trail.
+  condition:
+    ct.name="CreateTrail" and not ct.error exists
+  output:
+    A new trail has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     trail name=%ct.request.name)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_cloudtrail
+  source: aws_cloudtrail
+
+- rule: CloudTrail Logging Disabled
+  desc: The CloudTrail logging has been disabled, this could be potentially malicious.
+  condition:
+    ct.name="StopLogging" and not ct.error exists
+  output:
+    The CloudTrail logging has been disabled.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     resource name=%ct.request.name)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_cloudtrail
+  source: aws_cloudtrail
+
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -15,15 +15,10 @@
 # limitations under the License.
 #

-# See xxx for details on falco engine and rules versioning. Currently,
-# this specific rules file is compatible with engine version 0
-# (e.g. falco releases <= 0.13.1), so we'll keep the
-# required_engine_version lines commented out, so maintain
-# compatibility with older falco releases. With the first incompatible
-# change to this rules file, we'll uncomment this line and set it to
-# the falco engine version in use at the time.
-#
- required_engine_version: 7
+# The latest Falco Engine version is 9.
+# Starting with version 8, the Falco engine supports exceptions.
+# However the Falco rules file does not use them by default.
+- required_engine_version: 9

 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -34,13 +29,13 @@
 #   condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))

 - macro: open_write
-  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
+  condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0

 - macro: open_read
-  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
+  condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0

 - macro: open_directory
-  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0
+  condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0

 - macro: never_true
  condition: (evt.num=0)
@@ -186,15 +181,9 @@
 - list: db_server_binaries
  items: [mysqld, postgres, sqlplus]

- list: mysql_mgmt_binaries
-  items: [mysql_install_d, mysql_ssl_rsa_s]
-
 - list: postgres_mgmt_binaries
  items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster]

- list: db_mgmt_binaries
-  items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
-
 - list: nosql_server_binaries
  items: [couchdb, memcached, redis-server, rabbitmq-server, mongod]

@@ -214,7 +203,7 @@
 # The explicit quotes are needed to avoid the - characters being
 # interpreted by the filter expression.
 - list: rpm_binaries
-  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
+  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, rhsmcertd, subscription-ma,
          repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
          abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]

@@ -227,11 +216,11 @@
 - list: deb_binaries
  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
    frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache
+    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache, apt.systemd.dai
    ]

 # The truncated dpkg-preconfigu is intentional, process names are
-# truncated at the sysdig level.
+# truncated at the falcosecurity-libs level.
 - list: package_mgmt_binaries
  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]

@@ -344,7 +333,7 @@
 # for efficiency.
 - macro: inbound_outbound
  condition: >
-    ((((evt.type in (accept,listen,connect) and evt.dir=<)) or
+    ((((evt.type in (accept,listen,connect) and evt.dir=<)) and
     (fd.typechar = 4 or fd.typechar = 6)) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
@@ -549,60 +538,6 @@
 - macro: system_users
  condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)

-# These macros will be removed soon. Only keeping them to maintain
-# compatiblity with some widely used rules files.
-# Begin Deprecated
- macro: parent_ansible_running_python
-  condition: (proc.pname in (python, pypy, python3) and proc.pcmdline contains ansible)
-
- macro: parent_bro_running_python
-  condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
-
- macro: parent_python_running_denyhosts
-  condition: >
-    (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
-     (proc.pname=python and
-     (proc.pcmdline contains /usr/sbin/denyhosts or
-      proc.pcmdline contains /usr/local/bin/denyhosts.py)))
-
- macro: parent_python_running_sdchecks
-  condition: >
-    (proc.pname in (python, python2.7) and
-    (proc.pcmdline contains /opt/draios/bin/sdchecks))
-
- macro: python_running_sdchecks
-  condition: >
-    (proc.name in (python, python2.7) and
-    (proc.cmdline contains /opt/draios/bin/sdchecks))
-
- macro: parent_linux_image_upgrade_script
-  condition: proc.pname startswith linux-image-
-
- macro: parent_java_running_echo
-  condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
-
- macro: parent_scripting_running_builds
-  condition: >
-    (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
-       proc.cmdline startswith "sh -c git" or
-       proc.cmdline startswith "sh -c date" or
-       proc.cmdline startswith "sh -c /usr/bin/g++" or
-       proc.cmdline startswith "sh -c /usr/bin/gcc" or
-       proc.cmdline startswith "sh -c gcc" or
-       proc.cmdline startswith "sh -c if type gcc" or
-       proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
-       proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
-       proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
-       proc.cmdline startswith "sh -c make parent" or
-       proc.cmdline startswith "node /jenkins/tools" or
-       proc.cmdline startswith "sh -c '/usr/bin/node'" or
-       proc.cmdline startswith "sh -c stty -a |" or
-       proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
-       proc.pcmdline startswith "node /usr/local/bin/yarn" or
-       proc.pcmdline startswith "node /root/.config/yarn" or
-       proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
-
-
 - macro: httpd_writing_ssl_conf
  condition: >
    (proc.pname=run-httpd and
@@ -612,28 +547,6 @@
 - macro: userhelper_writing_etc_security
  condition: (proc.name=userhelper and fd.name startswith /etc/security)

- macro: parent_Xvfb_running_xkbcomp
-  condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
-
- macro: parent_nginx_running_serf
-  condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
-
- macro: parent_node_running_npm
-  condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
-              proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
-              proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
-
- macro: parent_java_running_sbt
-  condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
-
- list: known_container_shell_spawn_cmdlines
-  items: []
-
- list: known_shell_spawn_binaries
-  items: []
-
-## End Deprecated
-
 - macro: ansible_running_python
  condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)

@@ -689,9 +602,6 @@
 - macro: run_by_centrify
  condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)

- macro: run_by_puppet
-  condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
-
 # Also handles running semi-indirectly via scl
 - macro: run_by_foreman
  condition: >
@@ -877,7 +787,7 @@
    or proc.cmdline contains "/var/run/docker")
    and proc.pname in (dockerd, docker, dockerd-current, docker-current)

-# Ideally we'd have a length check here as well but sysdig
+# Ideally we'd have a length check here as well but
 # filterchecks don't have operators like len()
 - macro: sed_temporary_file
  condition: (proc.name=sed and fd.name startswith "/etc/sed")
@@ -988,15 +898,10 @@
 # the following rule and lists.

 - list: monitored_directories
-  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver]
+  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]

-# Until https://github.com/draios/sysdig/pull/1153, which fixes
-# https://github.com/draios/sysdig/issues/1152, is widely available,
-# we can't use glob operators to match pathnames. Until then, we do a
-# looser check to match ssh directories.
-# When fixed, we will use "fd.name glob '/home/*/.ssh/*'"
 - macro: user_ssh_directory
-  condition: (fd.name startswith '/home' and fd.name contains '.ssh')
+  condition: (fd.name glob '/home/*/.ssh/*')

 # google_accounts_(daemon)
 - macro: google_accounts_daemon_writing_ssh
@@ -1024,7 +929,7 @@
  condition: (never_true)

 - rule: Write below monitored dir
-  desc: an attempt to write to any file below a set of binary directories
+  desc: an attempt to write to any file below a set of monitored directories
  condition: >
    evt.dir = < and open_write and monitored_dir
    and not package_mgmt_procs
@@ -1213,6 +1118,9 @@
       fd.name startswith /etc/ssh/ssh_monitor_config_ or
       fd.name startswith /etc/ssh/ssh_config_))

+- macro: multipath_writing_conf
+  condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1333,6 +1241,7 @@
    and not automount_using_mtab
    and not mcafee_writing_cma_d
    and not avinetworks_supervisor_writing_ssh
+    and not multipath_writing_conf

 - rule: Write below etc
  desc: an attempt to write to any file below /etc
@@ -1483,6 +1392,15 @@
 - macro: user_read_sensitive_file_containers
  condition: (container and container.image.repository in (read_sensitive_file_images))

+# This macro detects man-db postinst, see https://salsa.debian.org/debian/man-db/-/blob/master/debian/postinst
+# The rule "Read sensitive file untrusted" use this macro to avoid FPs.
+- macro: mandb_postinst
+  condition: >
+    (proc.name=perl and proc.args startswith "-e" and
+    proc.args contains "@pwd = getpwnam(" and
+    proc.args contains "exec " and
+    proc.args contains "/usr/bin/mandb")
+
 - rule: Read sensitive file untrusted
  desc: >
    an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1498,11 +1416,11 @@
     )
    and not cmp_cp_by_passwd
    and not ansible_running_python
-    and not proc.cmdline contains /usr/bin/mandb
    and not run_by_qualys
    and not run_by_chef
    and not run_by_google_accounts_daemon
    and not user_read_sensitive_file_conditions
+    and not mandb_postinst
    and not perl_running_plesk
    and not perl_running_updmap
    and not veritas_driver_script
@@ -1597,7 +1515,12 @@

 - rule: Mkdir binary dirs
  desc: an attempt to create a directory below a set of binary directories.
-  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
+  condition: >
+    mkdir
+    and bin_dir_mkdir
+    and not package_mgmt_procs
+    and not user_known_mkdir_bin_dir_activities
+    and not exe_running_docker_save
  output: >
    Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
@@ -1608,7 +1531,7 @@
 # to change thread namespace without having to copy and override the
 # entire change thread namespace rule.
 - list: user_known_change_thread_namespace_binaries
-  items: []
+  items: [crio, multus]

 - macro: user_known_change_thread_namespace_activities
  condition: (never_true)
@@ -1635,7 +1558,6 @@
    and not proc.name startswith "runc"
    and not proc.cmdline startswith "containerd"
    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet, protokube, dockerd, tini, aws)
-    and not python_running_sdchecks
    and not java_running_sdjagent
    and not kubelet_running_loopback
    and not rancher_agent
@@ -1643,6 +1565,7 @@
    and not calico_node
    and not weaveworks_scope
    and not user_known_change_thread_namespace_activities
+  enabled: false
  output: >
    Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@@ -1825,6 +1748,32 @@
       container.image.repository endswith /prometheus-node-exporter or
       container.image.repository endswith /image-inspector))

+# https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
+#  official AWS EKS registry list. AWS has different ECR repo per region
+- macro: allowed_aws_ecr_registry_root_for_eks
+  condition: >
+    (container.image.repository startswith "602401143452.dkr.ecr" or
+     container.image.repository startswith "877085696533.dkr.ecr" or
+     container.image.repository startswith "800184023465.dkr.ecr" or
+     container.image.repository startswith "918309763551.dkr.ecr" or
+     container.image.repository startswith "961992271922.dkr.ecr" or
+     container.image.repository startswith "590381155156.dkr.ecr" or
+     container.image.repository startswith "558608220178.dkr.ecr" or
+     container.image.repository startswith "151742754352.dkr.ecr" or
+     container.image.repository startswith "013241004608.dkr.ecr")
+
+
+- macro: aws_eks_core_images
+  condition: >
+    (allowed_aws_ecr_registry_root_for_eks and
+    (container.image.repository endswith ".amazonaws.com/amazon-k8s-cni" or
+     container.image.repository endswith ".amazonaws.com/eks/kube-proxy"))
+
+
+- macro: aws_eks_image_sensitive_mount
+  condition: >
+    (allowed_aws_ecr_registry_root_for_eks and container.image.repository endswith ".amazonaws.com/amazon-k8s-cni")
+
 # These images are allowed both to run with --privileged and to mount
 # sensitive paths from the host filesystem.
 #
@@ -1835,13 +1784,6 @@
 - list: trusted_images
  items: []

-# NOTE: This macro is only provided for backwards compatibility with
-# older local falco rules files that may have been appending to
-# trusted_images. To make customizations, it's better to add containers to
-# user_trusted_containers, user_privileged_containers or user_sensitive_mount_containers.
- macro: trusted_containers
-  condition: (container.image.repository in (trusted_images))
-
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
 # trusted and therefore allowed to run privileged *and* with sensitive
@@ -1866,12 +1808,12 @@
 - list: falco_privileged_images
  items: [
    docker.io/calico/node,
+    calico/node,
    docker.io/cloudnativelabs/kube-router,
    docker.io/docker/ucp-agent,
    docker.io/falcosecurity/falco,
    docker.io/mesosphere/mesos-slave,
    docker.io/rook/toolbox,
-    docker.io/sysdig/falco,
    docker.io/sysdig/sysdig,
    falcosecurity/falco,
    gcr.io/google_containers/kube-proxy,
@@ -1884,8 +1826,8 @@
    k8s.gcr.io/ip-masq-agent-amd64,
    k8s.gcr.io/kube-proxy,
    k8s.gcr.io/prometheus-to-sd,
+    public.ecr.aws/falcosecurity/falco,
    quay.io/calico/node,
-    sysdig/falco,
    sysdig/sysdig,
    sematext_images
    ]
@@ -1893,6 +1835,7 @@
 - macro: falco_privileged_containers
  condition: (openshift_image or
              user_trusted_containers or
+              aws_eks_core_images or
              container.image.repository in (trusted_images) or
              container.image.repository in (falco_privileged_images) or
              container.image.repository startswith istio/proxy_ or
@@ -1907,28 +1850,23 @@
 - macro: user_privileged_containers
  condition: (never_true)

- list: rancher_images
-  items: [
-    rancher/network-manager, rancher/dns, rancher/agent,
-    rancher/lb-service-haproxy, rancher/metadata, rancher/healthcheck
-  ]
-
 # These container images are allowed to mount sensitive paths from the
 # host filesystem.
 - list: falco_sensitive_mount_images
  items: [
-    docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig,
-    docker.io/falcosecurity/falco, falcosecurity/falco,
+    docker.io/sysdig/sysdig, sysdig/sysdig,
+    docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
    gcr.io/google_containers/hyperkube,
    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
    docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
-    amazon/amazon-ecs-agent
+    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
    ]

 - macro: falco_sensitive_mount_containers
  condition: (user_trusted_containers or
+              aws_eks_image_sensitive_mount or
              container.image.repository in (trusted_images) or
              container.image.repository in (falco_sensitive_mount_images) or
              container.image.repository startswith quay.io/sysdig/)
@@ -1968,12 +1906,13 @@

 # For now, only considering a full mount of /etc as
 # sensitive. Ideally, this would also consider all subdirectories
-# below /etc as well, but the globbing mechanism used by sysdig
+# below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
  condition: (container.mount.dest[/proc*] != "N/A" or
              container.mount.dest[/var/run/docker.sock] != "N/A" or
              container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
+              container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
              container.mount.dest[/var/lib/kubelet] != "N/A" or
              container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
              container.mount.dest[/] != "N/A" or
@@ -2297,7 +2236,7 @@
  condition: >
    evt.type=setuid and evt.dir=>
    and (known_user_in_container or not container)
-    and not user.name=root
+    and not (user.name=root or user.uid=0)
    and not somebody_becoming_themself
    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                          nomachine_binaries)
@@ -2314,6 +2253,9 @@
 - macro: user_known_user_management_activities
  condition: (never_true)

+- macro: chage_list
+  condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
+
 - rule: User mgmt binaries
  desc: >
    activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2332,6 +2274,7 @@
    not run_by_yum and
    not run_by_ms_oms and
    not run_by_google_accounts_daemon and
+    not chage_list and
    not user_known_user_management_activities
  output: >
    User management binary command run outside of container
@@ -2354,7 +2297,7 @@
  desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
  condition: >
    fd.directory = /dev and
-    (evt.type = creat or ((evt.type = open or evt.type = openat) and evt.arg.flags contains O_CREAT))
+    (evt.type = creat or (evt.type in (open,openat,openat2) and evt.arg.flags contains O_CREAT))
    and not proc.name in (dev_creation_binaries)
    and not fd.name in (allowed_dev_files)
    and not fd.name startswith /dev/tty
@@ -2404,6 +2347,12 @@
  priority: NOTICE
  tags: [network, container, mitre_discovery]

+# Containers from IBM Cloud
+- list: ibm_cloud_containers
+  items:
+    - icr.io/ext/sysdig/agent
+    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
+    - registry.ng.bluemix.net/armada-master/olm

 # In a local/user rules file, list the namespace or container images that are
 # allowed to contact the K8s API Server from within a container. This
@@ -2412,9 +2361,13 @@
 - macro: k8s_containers
  condition: >
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
-     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
+     gcr.io/google_containers/kube2sky,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
-     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     sysdig/sysdig, falcosecurity/falco,
+     fluent/fluentd-kubernetes-daemonset, prom/prometheus,
+     ibm_cloud_containers,
+     public.ecr.aws/falcosecurity/falco)
+     or (k8s.ns.name = "kube-system"))

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -2425,9 +2378,9 @@
 - rule: Contact K8S API Server From Container
  desc: Detect attempts to contact the K8S API Server from a container
  condition: >
-    evt.type=connect and evt.dir=< and 
+    evt.type=connect and evt.dir=< and
    (fd.typechar=4 or fd.typechar=6) and
-    container and 
+    container and
    not k8s_containers and
    k8s_api_server and
    not user_known_contact_k8s_api_server_activities
@@ -2673,7 +2626,7 @@
  condition: (always_true)

 - list: user_known_chmod_applications
-  items: [hyperkube, kubelet]
+  items: [hyperkube, kubelet, k3s-agent]

 # This macro should be overridden in user rules as needed. This is useful if a given application
 # should not be ignored alltogether with the user_known_chmod_applications list, but only in
@@ -2691,6 +2644,7 @@
    and not proc.name in (user_known_chmod_applications)
    and not exe_running_docker_save
    and not user_known_set_setuid_or_setgid_bit_conditions
+  enabled: false
  output: >
    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2716,6 +2670,7 @@
     (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
    consider_hidden_file_creation and
    not user_known_create_hidden_file_activities
+    and not exe_running_docker_save
  output: >
    Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2753,7 +2708,7 @@
    create_symlink and
    (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
  output: >
-    Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
+    Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
  priority: NOTICE
  tags: [file, mitre_exfiltration]

@@ -2794,7 +2749,12 @@
      "xmr-eu1.nanopool.org","xmr-eu2.nanopool.org",
      "xmr-jp1.nanopool.org","xmr-us-east1.nanopool.org",
      "xmr-us-west1.nanopool.org","xmr.crypto-pool.fr",
-      "xmr.pool.minergate.com"
+      "xmr.pool.minergate.com", "rx.unmineable.com",
+      "ss.antpool.com","dash.antpool.com",
+      "eth.antpool.com","zec.antpool.com",
+      "xmc.antpool.com","btm.antpool.com",
+      "stratum-dash.antpool.com","stratum-xmc.antpool.com",
+      "stratum-btm.antpool.com"
      ]

 - list: https_miner_domains
@@ -2811,7 +2771,12 @@
    "stratum-ltc.antpool.com",
    "stratum-zec.antpool.com",
    "stratum.antpool.com",
-    "xmr.crypto-pool.fr"
+    "xmr.crypto-pool.fr",
+    "ss.antpool.com",
+    "stratum-dash.antpool.com",
+    "stratum-xmc.antpool.com",
+    "stratum-btm.antpool.com",
+    "btm.antpool.com"
  ]

 - list: http_miner_domains
@@ -2840,7 +2805,7 @@
  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

 - macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco))
+  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco))
  append: false

 # The rule is disabled by default.
@@ -2863,12 +2828,22 @@
 - list: k8s_client_binaries
  items: [docker, kubectl, crictl]

+- list: user_known_k8s_ns_kube_system_images
+  items: [
+      k8s.gcr.io/fluentd-gcp-scaler,
+      k8s.gcr.io/node-problem-detector/node-problem-detector
+  ]
+
+- list: user_known_k8s_images
+  items: [
+      mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+  ]
+
 # Whitelist for known docker client binaries run inside container
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
  condition: >
-    (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
-    container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+    (k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository in (user_known_k8s_images)

 - macro: user_known_k8s_client_container_parens
  condition: (user_known_k8s_client_container)
@@ -2881,7 +2856,7 @@
  tags: [container, mitre_execution]


-# This rule is enabled by default. 
+# This rule is enabled by default.
 # If you want to disable it, modify the following macro.
 - macro: consider_packet_socket_communication
  condition: (always_true)
@@ -2900,10 +2875,6 @@
 - macro: enabled_rule_network_only_subnet
  condition: (never_true)

-# Images that are allowed to have outbound traffic
- list: images_allow_network_outside_subnet
-  items: []
-
 # Namespaces where the rule is enforce
 - list: namespace_scope_network_only_subnet
  items: []
@@ -2943,9 +2914,6 @@
 - list: allowed_image
  items: [] # add image to monitor, i.e.: bitnami/nginx

- list: authorized_server_binaries
-  items: []  # add binary to allow, i.e.: nginx
-
 - list: authorized_server_port
  items: [] # add port to allow, i.e.: 80

@@ -2988,7 +2956,7 @@

 # The two Container Drift rules below will fire when a new executable is created in a container.
 # There are two ways to create executables - file is created with execution permissions or permissions change of existing file.
-# We will use a new sysdig filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container.
+# We will use a new filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container.
 # The use case we are targeting here is an attempt to execute code that was not shipped as part of a container (drift) -
 # an activity that might be malicious or non-compliant.
 # Two things to pay attention to:
@@ -3021,7 +2989,7 @@
 - rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: >
-    evt.type in (open,openat,creat) and
+    evt.type in (open,openat,openat2,creat) and
    evt.is_open_exec=true and
    container and
    not runc_writing_exec_fifo and
@@ -3041,6 +3009,118 @@
  priority: WARNING
  tags: [network]

+- list: white_listed_modules
+  items: []
+
+- rule: Linux Kernel Module Injection Detected
+  desc: Detect kernel module was injected (from container).
+  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)
+  priority: WARNING
+  tags: [process]
+
+- list: run_as_root_image_list
+  items: []
+
+- macro: user_known_run_as_root_container
+  condition: (container.image.repository in (run_as_root_image_list))
+
+# The rule is disabled by default and should be enabled when non-root container policy has been applied.
+# Note the rule will not work as expected when usernamespace is applied, e.g. userns-remap is enabled.
+- rule: Container Run as Root User
+  desc: Detected container running as root user
+  condition: spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container
+  enabled: false
+  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: INFO
+  tags: [container, process]
+
+# This rule helps detect CVE-2021-3156:
+# A privilege escalation to root through heap-based buffer overflow
+- rule: Sudo Potential Privilege Escalation
+  desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid != 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
+  priority: CRITICAL
+  tags: [filesystem, mitre_privilege_escalation]
+
+- rule: Debugfs Launched in Privileged Container
+  desc: Detect file system debugger debugfs launched inside a privileged container which might lead to container escape.
+  condition: >
+    spawned_process and container
+    and container.privileged=true
+    and proc.name=debugfs
+  output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: WARNING
+  tags: [container, cis, mitre_lateral_movement]
+
+- macro: mount_info
+  condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
+
+- rule: Mount Launched in Privileged Container
+  desc: Detect file system mount happened inside a privilegd container which might lead to container escape.
+  condition: >
+    spawned_process and container
+    and container.privileged=true
+    and proc.name=mount
+    and not mount_info
+  output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: WARNING
+  tags: [container, cis, mitre_lateral_movement]
+
+- macro: consider_userfaultfd_activities
+  condition: (always_true)
+
+- list: user_known_userfaultfd_processes
+  items: []
+
+- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
+  desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
+  condition: >
+    consider_userfaultfd_activities and
+    evt.type = userfaultfd and
+    user.uid != 0 and
+    (evt.rawres >= 0 or evt.res != -1) and
+    not proc.name in (user_known_userfaultfd_processes)
+  output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: CRITICAL
+  tags: [syscall, mitre_defense_evasion]
+
+- list: ingress_remote_file_copy_binaries
+  items: [wget]
+
+- macro: ingress_remote_file_copy_procs
+  condition: (proc.name in (ingress_remote_file_copy_binaries))
+
+# Users should overwrite this macro to specify conditions under which a
+# Custom condition for use of ingress remote file copy tool in container
+- macro: user_known_ingress_remote_file_copy_activities
+  condition: (never_true)
+
+-  macro: curl_download
+   condition: proc.name = curl and
+              (proc.cmdline contains " > " or
+              proc.cmdline contains " >> " or
+              proc.cmdline contains " | " or
+              proc.cmdline contains " -o " or
+              proc.cmdline contains " --output " or
+              proc.cmdline contains " -O " or
+              proc.cmdline contains " --remote-name ")
+
+- rule: Launch Ingress Remote File Copy Tools in Container
+  desc: Detect ingress remote file copy tools launched in container
+  condition: >
+    spawned_process and
+    container and
+    (ingress_remote_file_copy_procs or curl_download) and
+    not user_known_ingress_remote_file_copy_activities
+  output: >
+    Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: NOTICE
+  tags: [network, process, mitre_command_and_control]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
+
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -50,7 +50,9 @@
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
    "system:addon-manager",
-    "cloud-controller-manager"
+    "cloud-controller-manager",
+    "eks:node-manager",
+    "system:kube-controller-manager"
    ]

 - rule: Disallowed K8s User
@@ -207,6 +209,10 @@
 # events to be stateful, so it could know if a container named in an
 # attach request was created privileged or not. For now, we have a
 # less severe rule that detects attaches/execs to any pod.
+#
+# For the same reason, you can't use things like image names/prefixes,
+# as the event that creates the pod (which has the images) is a
+# separate event than the actual exec/attach to the pod.

 - macro: user_known_exec_pod_activities
  condition: (k8s_audit_never_true)
@@ -295,8 +301,35 @@
 - list: user_known_sa_list
  items: []

+- list: known_sa_list
+  items: [
+    coredns,
+    coredns-autoscaler,
+    cronjob-controller,
+    daemon-set-controller,
+    deployment-controller,
+    disruption-controller,
+    endpoint-controller,
+    endpointslice-controller,
+    endpointslicemirroring-controller,
+    generic-garbage-collector,
+    horizontal-pod-autoscaler,
+    job-controller,
+    namespace-controller,
+    node-controller,
+    persistent-volume-binder,
+    pod-garbage-collector,
+    pv-protection-controller,
+    pvc-protection-controller,
+    replicaset-controller,
+    resourcequota-controller,
+    root-ca-cert-publisher,
+    service-account-controller,
+    statefulset-controller
+    ]
+
 - macro: trusted_sa
-  condition: (ka.target.name in (user_known_sa_list))
+  condition: (ka.target.name in (known_sa_list, user_known_sa_list))

 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
@@ -521,11 +554,11 @@
 - list: full_admin_k8s_users
  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]

-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
+# This rules detect an operation triggered by an user name that is
+# included in the list of those that are default administrators upon
+# cluster creation. This may signify a permission setting too broader.
+# As we can't check for role of the user on a general ka.* event, this
+# may or may not be an administrator. Customize the full_admin_k8s_users
 # list to your needs, and activate at your discrection.

 # # How to test:
@@ -535,9 +568,9 @@
 - rule: Full K8s Administrative Access
  desc: Detect any k8s operation by a user name that may be an administrator with full access.
  condition: >
-    kevt 
-    and non_system_user 
-    and ka.user.name in (admin_k8s_users) 
+    kevt
+    and non_system_user
+    and ka.user.name in (full_admin_k8s_users)
    and not allowed_full_admin_users
  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
@@ -575,7 +608,7 @@
  output: >
    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
    namespace=%ka.target.namespace)
-  source: k8s_audit    
+  source: k8s_audit
  priority: WARNING
  tags: [k8s, network]

@@ -598,10 +631,10 @@
  desc: >
    Detect a node successfully joined the cluster outside of the list of allowed nodes.
  condition: >
-    kevt and node 
-    and kcreate 
-    and response_successful 
-    and not allow_all_k8s_nodes 
+    kevt and node
+    and kcreate
+    and response_successful
+    and not allow_all_k8s_nodes
    and not ka.target.name in (allowed_k8s_nodes)
  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
  priority: ERROR
@@ -612,10 +645,10 @@
  desc: >
    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
  condition: >
-    kevt and node 
-    and kcreate 
-    and not response_successful 
-    and not allow_all_k8s_nodes 
+    kevt and node
+    and kcreate
+    and not response_successful
+    and not allow_all_k8s_nodes
    and not ka.target.name in (allowed_k8s_nodes)
  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
  priority: WARNING
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,14 +19,14 @@ configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)

-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")

 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)

-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")

 configure_file(falco-driver-loader falco-driver-loader @ONLY)
--- a/scripts/cleanup
+++ b/scripts/cleanup
@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-usage() {
-    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
-    exit 1
-}
-
-user=poiana
-
-# Get the versions to delete.
-#
-# $1: repository to lookup
-# $2: number of versions to skip.
-get_versions() {
-    # The API endpoint returns the Falco package versions sort by most recent.
-    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
-}
-
-# Remove all the versions (${all[@]} array).
-#
-# $1: repository containing the versions.
-rem_versions() {
-    for i in "${!all[@]}";
-    do
-        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
-    done
-}
-
-while getopts ":p::r:" opt; do
-    case "${opt}" in
-        p )
-          pass=${OPTARG}
-          ;;
-        r )
-          repo="${OPTARG}"
-          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
-          ;;
-        : )
-          echo "invalid option: ${OPTARG} requires an argument" 1>&2
-          exit 1
-          ;;
-        \?)
-          echo "invalid option: ${OPTARG}" 1>&2
-          exit 1
-          ;;
-    esac
-done
-shift $((OPTIND-1))
-
-if [ -z "${pass}" ] || [ -z "${repo}" ]; then
-    usage
-fi
-
-skip=51
-if [[ "${repo}" == "bin-dev" ]]; then
-    skip=11
-fi
-
-get_versions "${repo}" ${skip}
-echo "number of versions to delete: ${#all[@]}"
-rem_versions "${repo}"
--- a/scripts/debian/falco
+++ b/scripts/debian/falco
@@ -1,176 +0,0 @@
-#! /bin/sh
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-### BEGIN INIT INFO
-# Provides:          falco
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Falco syscall activity monitoring agent
-# Description:       Falco is a system activity monitoring agent
-#                    driven by system calls with support for containers.
-### END INIT INFO
-
-# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
-
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="Falco"
-NAME=falco
-DAEMON=/usr/bin/$NAME
-PIDFILE=/var/run/$NAME.pid
-DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
-SCRIPTNAME=/etc/init.d/$NAME
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	if [ ! -d /sys/module/falco ]; then
-		/sbin/modprobe falco || exit 1
-	fi
-	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	/sbin/rmmod falco
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:
--- a/scripts/debian/falco.service
+++ b/scripts/debian/falco.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=simple
+User=root
+ExecStartPre=/sbin/modprobe falco
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,8 +41,3 @@ case "$1" in
 		fi
 	;;
 esac
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		update-rc.d $NAME defaults >/dev/null
-fi
-
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-set -e
-
-NAME=falco
-
-if [ "$1" = "purge" ] ; then
-	update-rc.d $NAME remove >/dev/null
-fi
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,16 +17,6 @@
 #
 set -e

-NAME="@PACKAGE_NAME@"
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-				invoke-rc.d $NAME stop || exit $?
-		else
-				/etc/init.d/$NAME stop || exit $?
-		fi
-fi
-
 DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
 DKMS_VERSION="@PROBE_VERSION@"

--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 # Simple script that desperately tries to load the kernel instrumentation by
-# looking for it in a bunch of ways. Convenient when running falco inside
+# looking for it in a bunch of ways. Convenient when running Falco inside
 # a container or in other weird environments.
 #

@@ -82,7 +82,7 @@ get_kernel_config() {
 		echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
-		# this code works both for native host and agent container assuming that
+		# This code works both for native host and containers assuming that
 		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
 		echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
 		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
@@ -107,12 +107,14 @@ get_target_id() {
 		source "${HOST_ROOT}/etc/os-release"
 		OS_ID=$ID
 	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
-		# Older Debian
-		# fixme > can this happen on older Ubuntu?
+		# Older debian distros
+		# fixme > Can this happen on older Ubuntu?
 		OS_ID=debian
 	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
-		# Older CentOS
+		# Older CentOS distros
 		OS_ID=centos
+	elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		OS_ID=minikube
 	else
 		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
 		exit 1
@@ -140,25 +142,27 @@ get_target_id() {
 }

 load_kernel_module_compile() {
-	# skip dkms on UEK hosts because it will always fail
+	# Skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
-		echo "* Skipping dkms install for UEK host"
+		>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
 		return
 	fi

-	if ! hash dkms &>/dev/null; then
-		echo "* Skipping dkms install (dkms not found)"
+	if ! hash dkms >/dev/null 2>&1; then
+		>&2 echo "This program requires dkms"
 		return
 	fi

-	# try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
+	# Try to compile using all the available gcc versions
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
 		chmod +x /tmp/falco-dkms-make
 		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
+			chcon -t modules_object_t "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1 || true
+			chcon -t modules_object_t "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1 || true
 			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
@@ -181,7 +185,6 @@ load_kernel_module_compile() {
 }

 load_kernel_module_download() {
-
 	get_target_id

 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
@@ -189,14 +192,15 @@ load_kernel_module_download() {
 	local URL
 	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)

-	echo "* Trying to download prebuilt module from ${URL}"
+	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		chcon -t modules_object_t "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	else
-		>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
-		exit 1
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
+		return
 	fi
 }

@@ -220,7 +224,7 @@ load_kernel_module() {
 	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
 		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
 			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
@@ -232,38 +236,83 @@ load_kernel_module() {
 		sleep 1
 	done

-	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
 		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
 		exit 0
 	fi

-	if [ -n "$ENABLE_COMPILE" ]; then
-		load_kernel_module_compile
-	fi
-
-
-	echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
+	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
 	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
 		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 		exit 0
-	fi		
+	fi

-
-	echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
+	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"

 	get_target_id

 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"

 	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
-		echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		chcon -t modules_object_t "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi

 	if [ -n "$ENABLE_DOWNLOAD" ]; then
 		load_kernel_module_download
 	fi
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		load_kernel_module_compile
+	fi
+
+	# Not able to download a prebuilt module nor to compile one on-the-fly
+	>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
+	exit 1
+}
+
+clean_kernel_module() {
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod"
+		exit 1
+	fi
+
+	if ! hash rmmod > /dev/null 2>&1; then
+		>&2 echo "This program requires rmmod"
+		exit 1
+	fi
+
+	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
+			echo "* Unloading ${DRIVER_NAME} module succeeded"
+		else
+			echo "* Unloading ${DRIVER_NAME} module failed"
+		fi
+	else
+		echo "* There is no ${DRIVER_NAME} module loaded"
+	fi
+
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "* Skipping dkms remove (dkms not found)"
+		return
+	fi
+
+	DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f1 | sed -e 's/^[[:space:]]*//')
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "* There is no ${DRIVER_NAME} module in dkms"
+		return
+	fi
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		if dkms remove "${CURRENT_VER}" --all 2>/dev/null; then
+			echo "* Removing ${CURRENT_VER} succeeded"
+		else
+			echo "* Removing ${CURRENT_VER} failed"
+			exit 1
+		fi
+	done
 }

 load_bpf_probe_compile() {
@@ -272,14 +321,14 @@ load_bpf_probe_compile() {

 	customize_kernel_build() {
 		if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
-		sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
+			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
 		fi
 		make olddefconfig > /dev/null
 		make modules_prepare > /dev/null
 	}

-	if [ -n "${COS}" ]; then
-		echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
+	if [ "${TARGET_ID}" == "cos" ]; then
+		echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"

 		BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
 		KERNEL_EXTRA_VERSION="+"
@@ -310,7 +359,8 @@ load_bpf_probe_compile() {
 		}
 	fi

-	if [ -n "${MINIKUBE}" ]; then
+	if [ "${TARGET_ID}" == "minikube" ]; then
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
 		echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
 		local kernel_version
 		kernel_version=$(uname -r)
@@ -336,14 +386,16 @@ load_bpf_probe_compile() {
 	fi

 	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		get_kernel_config
+
 		echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"

 		mkdir -p /tmp/kernel
 		cd /tmp/kernel || exit
 		cd "$(mktemp -d -p /tmp/kernel)" || exit
 		if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
-			>&2 echo "Download failed"
-			exit 1;
+			>&2 echo "Unable to download the kernel sources"
+			return
 		fi

 		echo "* Extracting kernel sources"
@@ -384,47 +436,22 @@ load_bpf_probe_download() {
 	echo "* Trying to download a prebuilt eBPF probe from ${URL}"

 	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
-		>&2 echo "Download failed"
-		exit 1;
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
+		return
 	fi
 }

 load_bpf_probe() {
-
 	echo "* Mounting debugfs"

 	if [ ! -d /sys/kernel/debug/tracing ]; then
 		mount -t debugfs nodev /sys/kernel/debug
 	fi

-	get_kernel_config
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
-		# shellcheck source=/dev/null
-		source "${HOST_ROOT}/etc/os-release"
-
-		if [ "${ID}" == "cos" ]; then
-			COS=1
-		fi
-	fi
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
-		MINIKUBE=1
-		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
-	fi
-
 	get_target_id

 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"

-	if [ -n "$ENABLE_COMPILE" ]; then
-		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
-		else
-			load_bpf_probe_compile
-		fi
-	fi
-
 	if [ -n "$ENABLE_DOWNLOAD" ]; then
 		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
@@ -433,21 +460,22 @@ load_bpf_probe() {
 		fi
 	fi

+	if [ -n "$ENABLE_COMPILE" ]; then
+		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		else
+			load_bpf_probe_compile
+		fi
+	fi
+
 	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 		echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"

-		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
-			echo "******************************************************************"
-			echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
-			echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **"
-			echo "******************************************************************"
-		fi
-
 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
 			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
 		exit $?
 	else
-		>&2 echo "Failure to find an eBPF probe"
+		>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
 		exit 1
 	fi
 }
@@ -463,15 +491,32 @@ print_usage() {
 	echo ""
 	echo "Options:"
 	echo "  --help         show brief help"
-	echo "  --compile      try to compile the driver locally"
-	echo "  --download     try to download a prebuilt driver"
+	echo "  --clean        try to remove an already present driver installation"
+	echo "  --compile      try to compile the driver locally (default true)"
+	echo "  --download     try to download a prebuilt driver (default true)"
 	echo "  --source-only  skip execution and allow sourcing in another script"
 	echo ""
+	echo "Environment variables:"
+	echo "  DRIVER_REPO              specify a different URL where to look for prebuilt Falco drivers"
+	echo "  DRIVER_NAME              specify a different name for the driver"
+	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
+	echo ""
+	echo "Versions:"
+	echo "  Falco version  ${FALCO_VERSION}"
+	echo "  Driver version ${DRIVER_VERSION}"
+	echo ""
 }

 ARCH=$(uname -m)
+
 KERNEL_RELEASE=$(uname -r)
+
+if ! hash sed > /dev/null 2>&1; then
+	>&2 echo "This program requires sed"
+	exit 1
+fi
 KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
+
 DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}

 if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
@@ -486,7 +531,8 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
 fi

 DRIVER_VERSION="@PROBE_VERSION@"
-DRIVER_NAME="@PROBE_NAME@"
+DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
+FALCO_VERSION="@FALCO_VERSION@"

 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
@@ -496,6 +542,7 @@ fi
 ENABLE_COMPILE=
 ENABLE_DOWNLOAD=

+clean=
 has_args=
 has_opts=
 source_only=
@@ -503,7 +550,7 @@ while test $# -gt 0; do
 	case "$1" in
 		module|bpf)
 			if [ -n "$has_args" ]; then
-				>&2 echo "Only one driver can be passed"
+				>&2 echo "Only one driver per invocation"
 				print_usage
 				exit 1
 			else
@@ -516,6 +563,10 @@ while test $# -gt 0; do
 			print_usage
 			exit 0
 			;;
+		--clean)
+			clean="true"
+			shift
+			;;
 		--compile)
 			ENABLE_COMPILE="yes"
 			has_opts="true"
@@ -549,23 +600,42 @@ if [ -z "$has_opts" ]; then
 fi

 if [ -z "$source_only" ]; then
+	echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
+
 	if [ "$(id -u)" != 0 ]; then
 		>&2 echo "This program must be run as root (or with sudo)"
 		exit 1
 	fi

-	if ! hash curl > /dev/null 2>&1; then
-		>&2 echo "This program requires curl"
-		exit 1
-	fi
+	if [ -n "$clean" ]; then
+		if [ -n "$has_opts" ]; then
+			>&2 echo "Cannot use --clean with other options"
+			exit 1
+		fi

-	echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
-	case $DRIVER in 
+		echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
+		case $DRIVER in
 		module)
-			load_kernel_module
+			clean_kernel_module
 			;;
 		bpf)
-			load_bpf_probe
-			;;
-	esac
+			>&2 echo "--clean not supported for driver=bpf"
+			exit 1
+		esac
+	else
+		if ! hash curl > /dev/null 2>&1; then
+			>&2 echo "This program requires curl"
+			exit 1
+		fi
+
+		echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
+		case $DRIVER in
+			module)
+				load_kernel_module
+				;;
+			bpf)
+				load_bpf_probe
+				;;
+		esac
+	fi
 fi
--- a/scripts/ignored-calls.sh
+++ b/scripts/ignored-calls.sh
@@ -17,9 +17,9 @@
 #
 scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 parentdir="$(dirname "$scriptdir")"
-sysdigdir="${parentdir}/build/sysdig-repo/sysdig-prefix/src/sysdig"
-cat "${sysdigdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
-cat "${sysdigdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
+libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
+cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
+cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt

 cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '

--- a/scripts/publish-bin
+++ b/scripts/publish-bin
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>"
+    exit 1
+}
+
+# parse options
+while getopts ":f::r::a:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "bin" || "${repo}" == "bin-dev" ]] || usage
+          ;;
+        a )
+          arch=${OPTARG}
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ] || [ -z "${repo}" ] || [ -z "${arch}" ]; then
+    usage
+fi
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
+cloudfront_path="/packages/${repo}/${arch}"
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
--- a/scripts/publish-deb
+++ b/scripts/publish-deb
@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
+    exit 1
+}
+
+check_program() {
+  if ! command -v $1 &> /dev/null
+  then
+      echo "$1 is required and could not be found"
+      exit
+  fi
+}
+
+# Add a package to the local DEB repository
+#
+# $1: path of the repository.
+# $2: suite (eg. "stable")
+# $3: path of the DEB file.
+add_deb() {
+    cp -f $3 $1/$2
+    pushd $1/$2 > /dev/null
+    rm -f $(basename -- $3).asc
+    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $3)
+    popd > /dev/null
+}
+
+# Update the local DEB repository
+#
+# $1: path of the repository
+# $2: suite (eg. "stable")
+update_repo() {
+    # fixme(leogr): we cannot use apt-ftparchive --arch packages ...
+    # since our .deb files ends with "_x86_64" instead of "amd64".
+    # See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
+    #
+    # As a workaround, we temporarily stick here with "amd64" 
+    # (the only supported arch at the moment)
+    local arch=amd64
+
+    local component=main
+    local debs_dir=$2
+    local release_dir=dists/$2
+    local packages_dir=${release_dir}/${component}/binary-${arch}
+
+    pushd $1 > /dev/null
+
+    # packages metadata
+    apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
+    gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
+    bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
+    
+    # release metadata
+    apt-ftparchive release \
+      -o APT::FTPArchive::Release::Origin=Falco \
+      -o APT::FTPArchive::Release::Label=Falco \
+      -o APT::FTPArchive::Release::Suite=$2 \
+      -o APT::FTPArchive::Release::Codename=$2 \
+      -o APT::FTPArchive::Release::Components=${component} \
+      -o APT::FTPArchive::Release::Architectures=${arch} \
+      ${release_dir} > ${release_dir}/Release
+
+    # release signature
+    gpg --detach-sign --digest-algo SHA256 --armor ${release_dir}/Release
+    rm -f ${release_dir}/Release.gpg
+    mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
+
+    popd > /dev/null
+}
+
+# parse options
+while getopts ":f::r:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+# check options
+if [ -z "${file}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+# check prerequisites
+check_program apt-ftparchive
+check_program gzip
+check_program bzip2
+check_program gpg
+check_program aws
+
+# settings
+debSuite=stable
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+tmp_repo_path=/tmp/falco-$repo
+
+# prepare repository local copy
+echo "Fetching ${s3_bucket_repo}..."
+mkdir -p ${tmp_repo_path}
+aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
+
+# update the repo
+echo "Adding ${file}..."
+add_deb ${tmp_repo_path} ${debSuite} ${file}
+update_repo ${tmp_repo_path} ${debSuite}
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
+aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
+aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
--- a/scripts/publish-rpm
+++ b/scripts/publish-rpm
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
+    exit 1
+}
+
+check_program() {
+  if ! command -v $1 &> /dev/null
+  then
+      echo "$1 is required and could not be found"
+      exit
+  fi
+}
+
+# Add a package to the local RPM repository
+#
+# $1: path of the repository.
+# $2: path of the RPM file.
+add_rpm() {
+    cp -f $2 $1
+    pushd $1 > /dev/null
+    rm -f $(basename -- $2).asc
+    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $2)
+    popd > /dev/null
+}
+
+# Update the local RPM repository
+#
+# $1: path of the repository.
+update_repo() {
+    pushd $1 > /dev/null
+    createrepo --update --no-database .
+    rm -f repodata/repomd.xml.asc
+    gpg --detach-sign --digest-algo SHA256 --armor repodata/repomd.xml
+    popd > /dev/null
+}
+
+
+# parse options
+while getopts ":f::r:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+# check prerequisites
+check_program createrepo
+check_program gpg
+check_program aws
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+tmp_repo_path=/tmp/falco-$repo
+
+# prepare repository local copy
+echo "Fetching ${s3_bucket_repo}..."
+mkdir -p ${tmp_repo_path}
+aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
+
+# update the repo
+echo "Adding ${file}..."
+add_rpm ${tmp_repo_path} ${file}
+update_repo ${tmp_repo_path}
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
--- a/scripts/rpm/falco
+++ b/scripts/rpm/falco
@@ -1,127 +0,0 @@
-#!/bin/sh
-
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-#
-# falco syscall monitoring agent
-#
-# chkconfig:   2345 55 45
-# description: Falco syscall monitoring agent
-#
-
-### BEGIN INIT INFO
-# Provides:
-# Required-Start:
-# Required-Stop:
-# Should-Start:
-# Should-Stop:
-# Default-Start:
-# Default-Stop:
-# Short-Description:
-# Description:
-### END INIT INFO
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-exec="/usr/bin/falco"
-prog="falco"
-# config="<path to major config file>"
-
-[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
-
-lockfile=/var/lock/subsys/$prog
-pidfile="/var/run/falco.pid"
-
-start() {
-    [ -x $exec ] || exit 5
-    # [ -f $config ] || exit 6
-    echo -n $"Starting $prog: "
-    daemon $exec --daemon --pidfile=$pidfile
-    if [ ! -d /sys/module/falco ]; then
-        /sbin/modprobe falco || return $?
-    fi
-    retval=$?
-    echo
-    [ $retval -eq 0 ] && touch $lockfile
-    return $retval
-}
-
-stop() {
-    echo -n $"Stopping $prog: "
-    killproc -p $pidfile
-    retval=$?
-    echo
-    /sbin/rmmod falco
-    [ $retval -eq 0 ] && rm -f $lockfile
-    return $retval
-}
-
-restart() {
-    stop
-    start
-}
-
-reload() {
-    restart
-}
-
-force_reload() {
-    restart
-}
-
-rh_status() {
-    status -p $pidfile $prog
-}
-
-rh_status_q() {
-    rh_status >/dev/null 2>&1
-}
-
-
-case "$1" in
-    start)
-        rh_status_q && exit 0
-        $1
-        ;;
-    stop)
-        rh_status_q || exit 0
-        $1
-        ;;
-    restart)
-        $1
-        ;;
-    reload)
-        rh_status_q || exit 7
-        $1
-        ;;
-    force-reload)
-        force_reload
-        ;;
-    status)
-        rh_status
-        ;;
-    condrestart|try-restart)
-        rh_status_q || exit 0
-        restart
-        ;;
-    *)
-        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
-        exit 2
-esac
-exit $?
--- a/scripts/rpm/falco.service
+++ b/scripts/rpm/falco.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=simple
+User=root
+ExecStartPre=/sbin/modprobe falco
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,5 +29,3 @@ else
 	echo -e "Module build for the currently running kernel was skipped since the"
 	echo -e "kernel source for this kernel does not seem to be installed."
 fi
-
-/sbin/chkconfig --add falco
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +14,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-if [ "$1" -ge "1" ]; then
-	/sbin/service falco condrestart > /dev/null 2>&1
-fi
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,5 @@
 # limitations under the License.
 #

-if [ $1 = 0 ]; then
-	/sbin/service falco stop > /dev/null 2>&1
-	/sbin/chkconfig --del falco
-fi
-
 mod_version="@PROBE_VERSION@"
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,4 +1,7 @@
 add_subdirectory(trace_files)

 add_custom_target(test-trace-files ALL)
-add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)
+add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit trace-files-plugins)
+
+add_subdirectory(plugins)
+add_subdirectory(confs/plugins)
--- a/test/README.md
+++ b/test/README.md
@@ -2,7 +2,7 @@

 This folder contains the Regression tests suite for Falco.

-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).

 ## Test suites

@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he

 This step assumes you already built Falco.

-Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.

 Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:

@@ -26,7 +26,15 @@ make test-trace-files

 It prepares the fixtures (`json` and `scap` files) needed by the integration tests.

-Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
+**Requirements**
+
+- Python 3.x
+- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
+- [grpcurl](https://github.com/fullstorydev/grpcurl)
+
+**Setup and execution**
+
+Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):

 ```console
 virtualenv venv
--- a/test/confs/drops_ignore_log.yaml
+++ b/test/confs/drops_ignore_log.yaml
@@ -0,0 +1,12 @@
+syscall_event_drops:
+  actions:
+    - ignore
+    - log
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true
--- a/test/confs/drops_log.yaml
+++ b/test/confs/drops_log.yaml
@@ -9,3 +9,5 @@ stdout_output:
  enabled: true

 log_stderr: true
+
+log_level: debug
--- a/test/confs/drops_threshold_neg.yaml
+++ b/test/confs/drops_threshold_neg.yaml
@@ -0,0 +1,12 @@
+syscall_event_drops:
+  threshold: -1
+  actions:
+    - ignore
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true
--- a/test/confs/drops_threshold_oor.yaml
+++ b/test/confs/drops_threshold_oor.yaml
@@ -0,0 +1,12 @@
+syscall_event_drops:
+  threshold: 1.1
+  actions:
+    - ignore
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true
--- a/test/confs/plugins/CMakeLists.txt
+++ b/test/confs/plugins/CMakeLists.txt
@@ -0,0 +1,16 @@
+# This list is populated at cmake time, not build time
+file(GLOB test_conf_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/*.yaml")
+
+foreach(conf_file_path ${test_conf_files})
+	get_filename_component(conf_file ${conf_file_path} NAME)
+	add_custom_target(test-conf-${conf_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${conf_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${conf_file}
+		COMMAND sed -e s!BUILD_DIR!${CMAKE_BINARY_DIR}! < ${CMAKE_CURRENT_SOURCE_DIR}/${conf_file} > ${CMAKE_CURRENT_BINARY_DIR}/${conf_file}
+		DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/${conf_file})
+	list(APPEND PLUGINS_CONF_FILES_TARGETS test-conf-${conf_file})
+endforeach()
+
+add_custom_target(conf-files-plugins ALL)
+add_dependencies(conf-files-plugins ${PLUGINS_CONF_FILES_TARGETS})
--- a/test/confs/plugins/cloudtrail_json_create_instances.yaml
+++ b/test/confs/plugins/cloudtrail_json_create_instances.yaml
@@ -0,0 +1,14 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: cloudtrail
+    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
+    init_config: ""
+    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances.json"
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+# Optional
+load_plugins: [cloudtrail, json]
--- a/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
+++ b/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
@@ -0,0 +1,14 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: cloudtrail
+    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
+    init_config: ""
+    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances_bigevent.json"
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+# Optional
+load_plugins: [cloudtrail, json]
--- a/test/confs/plugins/incompatible_extract_sources.yaml
+++ b/test/confs/plugins/incompatible_extract_sources.yaml
@@ -0,0 +1,14 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: cloudtrail
+    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
+    init_config: ""
+    open_params: ""
+  - name: test_extract_p1
+    library_path: BUILD_DIR/test/plugins/libtest_extract_p1.so
+    init_config: ""
+
+# Optional
+load_plugins: [cloudtrail, test_extract_p1]
--- a/test/confs/plugins/incompatible_plugin_api.yaml
+++ b/test/confs/plugins/incompatible_plugin_api.yaml
@@ -0,0 +1,10 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: incompatible_plugin_api
+    library_path: BUILD_DIR/test/plugins/libtest_incompat_api.so
+    init_config: ""
+
+# Optional
+load_plugins: [incompatible_plugin_api]
--- a/test/confs/plugins/multiple_source_plugins.yaml
+++ b/test/confs/plugins/multiple_source_plugins.yaml
@@ -0,0 +1,15 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: cloudtrail
+    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
+    init_config: ""
+    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances.json"
+  - name: test_source
+    library_path: BUILD_DIR/test/plugins/libtest_source.so
+    init_config: ""
+    open_params: ""
+
+# Optional
+load_plugins: [cloudtrail, test_source]
--- a/test/confs/plugins/overlap_extract_sources.yaml
+++ b/test/confs/plugins/overlap_extract_sources.yaml
@@ -0,0 +1,17 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: test_source
+    library_path: BUILD_DIR/test/plugins/libtest_source.so
+    init_config: ""
+    open_params: ""
+  - name: test_extract_p1
+    library_path: BUILD_DIR/test/plugins/libtest_extract_p1.so
+    init_config: ""
+  - name: test_extract_p2
+    library_path: BUILD_DIR/test/plugins/libtest_extract_p2.so
+    init_config: ""
+
+# Optional
+load_plugins: [test_source, test_extract_p1, test_extract_p2]
--- a/test/confs/plugins/wrong_plugin_path.yaml
+++ b/test/confs/plugins/wrong_plugin_path.yaml
@@ -0,0 +1,10 @@
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: wrong_plugin_path
+    library_path: BUILD_DIR/test/plugins/wrong_plugin_path.so
+    init_config: ""
+
+# Optional
+load_plugins: [wrong_plugin_path]
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@@ -43,6 +43,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true

+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -128,6 +128,16 @@ trace_files: !mux
      - Create Privileged Pod: 1
    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json

+  create_privileged_no_secctx_1st_container_2nd_container_pod:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - Create Privileged Pod: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+
  create_privileged_2nd_container_pod:
    detect: True
    detect_level: WARNING
@@ -612,4 +622,22 @@ trace_files: !mux
      - ../rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Secret Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_secret.json
+    trace_file: trace_files/k8s_audit/delete_secret.json
+
+  fal_01_003:
+    detect: False
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/fal_01_003.json
+    stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
+
+  json_pointer_correct_parse:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
+    detect_counts:
+      - json_pointer_example: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -82,6 +82,7 @@ class FalcoTest(Test):

        self.exit_status = self.params.get('exit_status', '*', default=0)
        self.should_detect = self.params.get('detect', '*', default=False)
+        self.check_detection_counts = self.params.get('check_detection_counts', '*', default=True)
        self.trace_file = self.params.get('trace_file', '*', default='')

        if self.trace_file and not os.path.isabs(self.trace_file):
@@ -90,8 +91,11 @@ class FalcoTest(Test):
        self.json_output = self.params.get('json_output', '*', default=False)
        self.json_include_output_property = self.params.get(
            'json_include_output_property', '*', default=True)
+        self.json_include_tags_property = self.params.get(
+            'json_include_tags_property', '*', default=True)
        self.all_events = self.params.get('all_events', '*', default=False)
        self.priority = self.params.get('priority', '*', default='debug')
+        self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='')
        self.rules_file = self.params.get(
            'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))

@@ -128,6 +132,7 @@ class FalcoTest(Test):

        self.conf_file = self.params.get(
            'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
+        self.conf_file = self.conf_file.replace("BUILD_DIR", build_dir)
        if not os.path.isabs(self.conf_file):
            self.conf_file = os.path.join(self.basedir, self.conf_file)

@@ -388,10 +393,11 @@ class FalcoTest(Test):
            for line in res.stdout.decode("utf-8").splitlines():
                if line.startswith('{'):
                    obj = json.loads(line)
+                    attrs = ['time', 'rule', 'priority']
                    if self.json_include_output_property:
-                        attrs = ['time', 'rule', 'priority', 'output']
-                    else:
-                        attrs = ['time', 'rule', 'priority']
+                        attrs.append('output')
+                    if self.json_include_tags_property:
+                        attrs.append('tags')
                    for attr in attrs:
                        if not attr in obj:
                            self.fail(
@@ -409,10 +415,15 @@ class FalcoTest(Test):
            else:
                actual = open(output['actual']).read()

-            if expected not in actual:
-                self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
-                    output['actual'], output['expected']))
-                return False
+            actual_cursor = actual
+            expected_lines = expected.splitlines()
+            for line in expected_lines:
+                pos = actual_cursor.find(line)
+                if pos < 0:
+                    self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
+                        output['actual'], output['expected']))
+                    return False
+                actual_cursor = actual_cursor[pos + len(line):]

        return True

@@ -609,8 +620,9 @@ class FalcoTest(Test):
                self.log.debug("Converted Rules: {}".format(psp_rules))

        # Run falco
-        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
-            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
+        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format(
+            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
+            self.json_include_output_property, self.json_include_tags_property, self.priority, self.addl_cmdline_opts)

        for tag in self.disable_tags:
            cmd += ' -T {}'.format(tag)
@@ -641,13 +653,13 @@ class FalcoTest(Test):
                self.fail("Stdout was not exactly {}".format(self.stderr_is))

        for pattern in self.stderr_contains:
-            match = re.search(pattern, res.stderr.decode("utf-8"))
+            match = re.search(pattern, res.stderr.decode("utf-8"), re.DOTALL)
            if match is None:
                self.fail(
                    "Stderr of falco process did not contain content matching {}".format(pattern))

        for pattern in self.stdout_contains:
-            match = re.search(pattern, res.stdout.decode("utf-8"))
+            match = re.search(pattern, res.stdout.decode("utf-8"), re.DOTALL)
            if match is None:
                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(
                    res.stdout.decode("utf-8"), pattern))
@@ -675,7 +687,8 @@ class FalcoTest(Test):
        self.check_rules_warnings(res)
        if len(self.rules_events) > 0:
            self.check_rules_events(res)
-        self.check_detections(res)
+        if len(self.validate_rules_file) == 0 and self.check_detection_counts:
+            self.check_detections(res)
        if len(self.detect_counts) > 0:
            self.check_detections_by_rule(res)
        self.check_json_output(res)
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -32,20 +32,10 @@ trace_files: !mux
      - leading_not
      - not_equals_at_end
      - not_at_end
-      - not_before_trailing_evttype
-      - not_equals_before_trailing_evttype
      - not_equals_and_not
-      - not_equals_before_in
-      - not_before_in
-      - not_in_before_in
-      - leading_in_not_equals_before_evttype
      - leading_in_not_equals_at_evttype
      - not_with_evttypes
      - not_with_evttypes_addl
-      - not_equals_before_evttype
-      - not_equals_before_in_evttype
-      - not_before_evttype
-      - not_before_evttype_using_in
    rules_events:
      - no_warnings: [execve]
      - no_evttype: [all]
@@ -262,6 +252,7 @@ trace_files: !mux
  invalid_not_yaml:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Rules content is not yaml
      ---
      This is not yaml
@@ -273,6 +264,7 @@ trace_files: !mux
  invalid_not_array:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Rules content is not yaml array of objects
      ---
      foo: bar
@@ -284,6 +276,7 @@ trace_files: !mux
  invalid_array_item_not_object:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Unexpected element of type string. Each element should be a yaml associative array.
      ---
      - foo
@@ -292,20 +285,10 @@ trace_files: !mux
      - rules/invalid_array_item_not_object.yaml
    trace_file: trace_files/cat_write.scap

-  invalid_unexpected object:
-    exit_status: 1
-    stdout_is: |+
-      Unknown rule object: {foo="bar"}
-      ---
-      - foo: bar
-      ---
-    validate_rules_file:
-      - rules/invalid_unexpected_object.yaml
-    trace_file: trace_files/cat_write.scap
-
  invalid_engine_version_not_number:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Value of required_engine_version must be a number
      ---
      - required_engine_version: not-a-number
@@ -317,6 +300,7 @@ trace_files: !mux
  invalid_yaml_parse_error:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      mapping values are not allowed in this context
      ---
      this : is : not : yaml
@@ -328,6 +312,7 @@ trace_files: !mux
  invalid_list_without_items:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      List must have property items
      ---
      - list: bad_list
@@ -340,6 +325,7 @@ trace_files: !mux
  invalid_macro_without_condition:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Macro must have property condition
      ---
      - macro: bad_macro
@@ -352,6 +338,7 @@ trace_files: !mux
  invalid_rule_without_output:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Rule must have property output
      ---
      - rule: no output rule
@@ -366,7 +353,8 @@ trace_files: !mux
  invalid_append_rule_without_condition:
    exit_status: 1
    stdout_is: |+
-      Rule must have property condition
+      1 errors:
+      Appended rule must have exceptions or condition property
      ---
      - rule: no condition rule
        append: true
@@ -378,6 +366,7 @@ trace_files: !mux
  invalid_append_macro_dangling:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Macro dangling append has 'append' key but no macro by that name already exists
      ---
      - macro: dangling append
@@ -391,6 +380,7 @@ trace_files: !mux
  invalid_list_append_dangling:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      List my_list has 'append' key but no list by that name already exists
      ---
      - list: my_list
@@ -404,6 +394,7 @@ trace_files: !mux
  invalid_rule_append_dangling:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Rule my_rule has 'append' key but no rule by that name already exists
      ---
      - rule: my_rule
@@ -418,7 +409,8 @@ trace_files: !mux
    exit_status: 1
    stdout_contains: |+
      .*invalid_base_macro.yaml: Ok
-      .*invalid_overwrite_macro.yaml: Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
+      .*invalid_overwrite_macro.yaml: 1 errors:
+      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
      ---
      - macro: some macro
        condition: foo
@@ -433,7 +425,8 @@ trace_files: !mux
    exit_status: 1
    stdout_contains: |+
      .*invalid_base_macro.yaml: Ok
-      .*invalid_append_macro.yaml: Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
+      .*invalid_append_macro.yaml: 1 errors:
+      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
      ---
      - macro: some macro
        condition: evt.type=execve
@@ -450,6 +443,7 @@ trace_files: !mux
  invalid_overwrite_macro_multiple_docs:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
      ---
      - macro: some macro
@@ -463,6 +457,7 @@ trace_files: !mux
  invalid_append_macro_multiple_docs:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
      ---
      - macro: some macro
@@ -480,7 +475,8 @@ trace_files: !mux
    exit_status: 1
    stdout_contains: |+
      .*invalid_base_rule.yaml: Ok
-      .*invalid_overwrite_rule.yaml: Undefined macro 'bar' used in filter.
+      .*invalid_overwrite_rule.yaml: 1 errors:
+      Undefined macro 'bar' used in filter.
      ---
      - rule: some rule
        desc: some desc
@@ -498,7 +494,8 @@ trace_files: !mux
    exit_status: 1
    stdout_contains: |+
      .*invalid_base_rule.yaml: Ok
-      .*invalid_append_rule.yaml: Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
+      .*invalid_append_rule.yaml: 1 errors:
+      Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
      ---
      - rule: some rule
        desc: some desc
@@ -521,6 +518,7 @@ trace_files: !mux
  invalid_overwrite_rule_multiple_docs:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Undefined macro 'bar' used in filter.
      ---
      - rule: some rule
@@ -559,6 +557,7 @@ trace_files: !mux
  invalid_missing_rule_name:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Rule name is empty
      ---
      - rule:
@@ -573,6 +572,7 @@ trace_files: !mux
  invalid_missing_list_name:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      List name is empty
      ---
      - list:
@@ -585,6 +585,7 @@ trace_files: !mux
  invalid_missing_macro_name:
    exit_status: 1
    stdout_is: |+
+      1 errors:
      Macro name is empty
      ---
      - macro:
@@ -596,8 +597,17 @@ trace_files: !mux

  invalid_rule_output:
    exit_status: 1
-    stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
-    rules_file:
+    stdout_is: |+
+      1 errors:
+      Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
+      ---
+      - rule: rule_with_invalid_output
+        desc: A rule with an invalid output field
+        condition: evt.type=open
+        output: "An open was seen %not_a_real_field"
+        priority: WARNING
+      ---
+    validate_rules_file:
      - rules/invalid_rule_output.yaml
    trace_file: trace_files/cat_write.scap

@@ -624,6 +634,20 @@ trace_files: !mux
    rules_file:
      - rules/single_rule_enabled_flag.yaml
    trace_file: trace_files/cat_write.scap
+  
+  disabled_rule_using_false_enabled_flag_only:
+    detect: False
+    rules_file:
+      - rules/disabled_rule_using_enabled_flag_only.yaml
+    trace_file: trace_files/cat_write.scap
+  
+  enabled_rule_using_false_enabled_flag_only:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/enabled_rule_using_enabled_flag_only.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "Warning An open was seen"

  disabled_and_enabled_rules_1:
    exit_status: 1
@@ -668,7 +692,7 @@ trace_files: !mux
    detect: True
    detect_level: WARNING
    rules_file:
-      - rules/single_rule.yaml
+      - rules/single_rule_with_tags.yaml
    conf_file: confs/stdout_output.yaml
    trace_file: trace_files/cat_write.scap
    time_iso_8601: true
@@ -701,7 +725,7 @@ trace_files: !mux
    detect: True
    detect_level: WARNING
    rules_file:
-      - rules/single_rule.yaml
+      - rules/single_rule_with_tags.yaml
    conf_file: confs/grpc_unix_socket.yaml
    trace_file: trace_files/cat_write.scap
    run_duration: 5
@@ -725,6 +749,10 @@ trace_files: !mux
        # For the hostname, since we don't know that beforehand,
        # only check the field presence
        - "hostname: "
+        #tags
+        - "tags: \"filesystem\""
+        - "tags: \"process\""
+        - "tags: \"testing\""

  detect_counts:
    detect: True
@@ -743,7 +771,7 @@ trace_files: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0

  disabled_tags_a:
    detect: True
@@ -1087,6 +1115,25 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"

+  json_output_no_tags_property:
+    json_output: True
+    json_include_tags_property: False
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"
+
+  json_output_empty_tags_property:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"
+
  in_operator_netmasks:
    detect: True
    detect_level: INFO
@@ -1099,6 +1146,8 @@ trace_files: !mux
    detect_level: INFO
    rules_file:
      - rules/syscalls.yaml
+    rules_warning:
+      - detect_madvise
    detect_counts:
      - detect_madvise: 2
      - detect_open: 2
@@ -1117,7 +1166,8 @@ trace_files: !mux

  skip_unknown_noevt:
    detect: False
-    stdout_contains: Skipping rule "Contains Unknown Event And Skipping" that contains unknown filter proc.nobody
+    rules_warning:
+      - Contains Unknown Event And Skipping
    rules_file:
      - rules/skip_unknown_evt.yaml
    trace_file: trace_files/cat_write.scap
@@ -1130,14 +1180,33 @@ trace_files: !mux

  skip_unknown_error:
    exit_status: 1
-    stderr_contains: Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting.
+    stderr_contains: |+
+      Could not load rules file.*skip_unknown_error.yaml: 1 errors:
+      Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
+      ---
+      - rule: Contains Unknown Event And Not Skipping
+        desc: Contains an unknown event
+        condition: proc.nobody=cat
+        output: Never
+        skip-if-unknown-filter: false
+        priority: INFO
+      ---
    rules_file:
      - rules/skip_unknown_error.yaml
    trace_file: trace_files/cat_write.scap

  skip_unknown_unspec_error:
    exit_status: 1
-    stderr_contains: Rule "Contains Unknown Event And Unspecified" contains unknown filter proc.nobody. Exiting.
+    stderr_contains: |+
+      Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
+      Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
+      ---
+      - rule: Contains Unknown Event And Unspecified
+        desc: Contains an unknown event
+        condition: proc.nobody=cat
+        output: Never
+        priority: INFO
+      ---
    rules_file:
      - rules/skip_unknown_unspec.yaml
    trace_file: trace_files/cat_write.scap
@@ -1176,6 +1245,51 @@ trace_files: !mux
    stdout_not_contains:
      - "Falco internal: syscall event drop"

+  monitor_syscall_drops_ignore_and_log:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_ignore_log.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
+
+  monitor_syscall_drops_threshold_oor:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_threshold_oor.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drops threshold must be a double in the range"
+
+  monitor_syscall_drops_threshold_neg:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_threshold_neg.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drops threshold must be a double in the range"
+
  monitor_syscall_drops_log:
    exit_status: 0
    rules_file:
--- a/test/falco_tests_exceptions.yaml
+++ b/test/falco_tests_exceptions.yaml
@@ -0,0 +1,353 @@
+#
+# Copyright (C) 2016-2020 The Falco Authors..
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+trace_files: !mux
+
+  rule_exception_no_fields:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: must have fields property with a list of fields
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_no_fields.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_no_name:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item must have name property
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - fields: [proc.name, fd.filename]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_no_name.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_no_name:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item must have name property
+      ---
+      - rule: My Rule
+        exceptions:
+          - values:
+              - [nginx, /tmp/foo]
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/append_item_no_name.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_unknown_fields:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: field name not.exist is not a supported filter field
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [not.exist]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_unknown_fields.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_comps_fields_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: fields and comps lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            comps: [=]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_comps_fields_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_unknown_comp:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            comps: [=, no-comp]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_unknown_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_fields_values_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Exception item ex1: fields and values lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            values:
+              - [nginx]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_fields_values_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_fields_values_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Exception item ex1: fields and values lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+        priority: error
+
+      - rule: My Rule
+        exceptions:
+          - name: ex1
+            values:
+              - [nginx]
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/append_item_fields_values_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_item_not_in_rule:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception new item ex2: must have fields property with a list of fields
+      ---
+      - rule: My Rule
+        exceptions:
+          - name: ex2
+            values:
+              - [apache, /tmp]
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/append_item_not_in_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_no_values:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_no_values.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_one_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_one_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_one_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_one_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_second_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_second_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_second_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_second_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_second_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_second_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_second_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_second_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_third_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_third_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_third_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_third_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_quoted:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_quoted.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_multiple_values:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_multiple.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_comp:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_comp:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_listref:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_listref.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_listref_noparens:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_listref_noparens.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_list:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_list.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_single_field:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_single_field.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_single_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_single_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_new_single_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_new_single_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+  
+  rule_exception_new_second_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_new_second_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_new_append_no_field:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception new item proc_cmdline: must have fields property with a list of fields
+      ---
+      - rule: Open From Cat
+        exceptions:
+          - name: proc_cmdline
+            comps: in
+            values:
+              - "cat /dev/null"
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/rule_exception_new_no_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+
--- a/test/falco_tests_plugins.yaml
+++ b/test/falco_tests_plugins.yaml
@@ -0,0 +1,106 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# This file is part of Falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+trace_files: !mux
+
+  list_plugins:
+    check_detection_counts: False
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
+    addl_cmdline_opts: --list-plugins
+    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Type: source plugin.*Name: json.*Type: extractor plugin"
+
+  list_plugin_fields:
+    check_detection_counts: False
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
+    addl_cmdline_opts: --list
+    stdout_contains: "ct.id"
+
+  detect_create_instance:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+    detect_counts:
+      - 'Cloudtrail Create Instance': 1
+    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
+
+  detect_create_instance_bigevent:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+    detect_counts:
+      - 'Cloudtrail Create Instance': 1
+    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
+
+  multiple_source_plugins:
+    exit_status: 1
+    stderr_contains: "Runtime error: Can not load multiple source plugins. cloudtrail already loaded. Exiting."
+    conf_file: BUILD_DIR/test/confs/plugins/multiple_source_plugins.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+
+  incompatible_extract_sources:
+    exit_status: 1
+    stderr_contains: "Runtime error: Extractor plugin not compatible with event source aws_cloudtrail. Exiting."
+    conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+
+  overlap_extract_sources:
+    exit_status: 1
+    stderr_contains: "Runtime error: Extractor plugins have overlapping compatible event source test_source. Exiting."
+    conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+
+  incompat_plugin_api:
+    exit_status: 1
+    stderr_contains: "Unsupported plugin required api version 10000000.0.0"
+    conf_file: BUILD_DIR/test/confs/plugins/incompatible_plugin_api.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+
+  incompat_plugin_rules_version:
+    exit_status: 1
+    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
+    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_incompat_plugin_version.yaml
+
+  wrong_plugin_path:
+    exit_status: 1
+    stderr_contains: "error loading plugin.*No such file or directory. Exiting"
+    conf_file: BUILD_DIR/test/confs/plugins/wrong_plugin_path.yaml
+    rules_file:
+      - rules/plugins/cloudtrail_incompat_plugin_version.yaml
+
+  no_plugins_unknown_source:
+    detect: False
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances.yaml
+    trace_file: trace_files/empty.scap
+    rules_warning:
+      - Cloudtrail Create Instance
+    stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
+
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -23,10 +23,10 @@ has_json_output: !mux
 traces: !mux
  change-thread-namespace:
    trace_file: traces-positive/change-thread-namespace.scap
-    detect: True
+    detect: False
    detect_level: NOTICE
    detect_counts:
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0

  container-privileged:
    trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0

  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap
@@ -111,12 +111,17 @@ traces: !mux
    detect_counts:
      - "Read sensitive file untrusted": 1

+  # This should *not* generate any falco alerts as of the changes in
+  # https://github.com/falcosecurity/libs/pull/94--the execve event in
+  # this trace file is PPME_SYSCALL_EXECVE_18, which was deprecated by
+  # PPME_SYSCALL_EXECVE_19 in 2018.
+  #
+  # This activity in this trace file overlaps with the activity in
+  # falco-event-generator.scap so the rule is still being tested.
  run-shell-untrusted:
    trace_file: traces-positive/run-shell-untrusted.scap
-    detect: True
+    detect: False
    detect_level: DEBUG
-    detect_counts:
-      - "Run shell untrusted": 1

  system-binaries-network-activity:
    trace_file: traces-positive/system-binaries-network-activity.scap
--- a/test/output_files/single_rule_with_cat_write.json
+++ b/test/output_files/single_rule_with_cat_write.json
@@ -1,8 +1,8 @@
-{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
--- a/test/plot-live.r
+++ b/test/plot-live.r
@@ -1,69 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require(jsonlite)
-library(ggplot2)
-library(GetoptLong)
-
-initial.options <- commandArgs(trailingOnly = FALSE)
-file.arg.name <- "--file="
-script.name <- sub(file.arg.name, "", initial.options[grep(file.arg.name, initial.options)])
-script.basename <- dirname(script.name)
-
-if (substr(script.basename, 1, 1) != '/') {
-    script.basename = paste(getwd(), script.basename, sep='/')
-}
-
-results = paste(script.basename, "results.json", sep='/')
-output = "./output.png"
-metric = "cpu"
-
-GetoptLong(
-    "results=s", "Path to results file",
-    "benchmark=s", "Benchmark from results file to graph",
-    "variant=s@", "Variant(s) to include in graph. Can be specified multiple times",
-    "output=s", "Output graph file",
-    "metric=s", "Metric to graph. Can be one of (cpu|drops)"
-)
-
-if (metric == "cpu") {
-    data_metric="cpu_usage"
-    yaxis_label="CPU Usage (%)"
-    title="Falco/Sysdig/Multimatch CPU Usage: %s"
-} else if (metric == "drops") {
-    data_metric="drop_pct"
-    yaxis_label="Event Drops (%)"
-    title="Falco/Sysdig/Multimatch Event Drops: %s"
-}
-
-res <- fromJSON(results, flatten=TRUE)
-
-res2 = res[res$benchmark == benchmark & res$variant %in% variant,]
-
-plot <- ggplot(data=res2, aes(x=sample, y=get(data_metric), group=variant, colour=variant)) +
-    geom_line() +
-    ylab(yaxis_label) +
-    xlab("Time") +
-    ggtitle(sprintf(title, benchmark))
-    theme(legend.position=c(.2, .88));
-
-print(paste("Writing graph to", output, sep=" "))
-ggsave(file=output)
-
-
-
-
--- a/test/plot-traces.r
+++ b/test/plot-traces.r
@@ -1,52 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require(jsonlite)
-library(ggplot2)
-library(reshape)
-
-res <- fromJSON("/home/mstemm/results.txt", flatten=TRUE)
-
-plot <- ggplot(data=res, aes(x=config, y=elapsed.real)) +
-    geom_bar(stat = "summary", fun.y = "mean") +
-    coord_flip() +
-    facet_grid(shortfile ~ .) +
-    ylab("Wall Clock Time (sec)") +
-    xlab("Trace File/Program")
-
-
-ggsave(file="/mnt/sf_mstemm/res-real.png")
-
-plot <- ggplot(data=res, aes(x=config, y=elapsed.user)) +
-    geom_bar(stat = "summary", fun.y = "mean") +
-    coord_flip() +
-    facet_grid(shortfile ~ .) +
-    ylab("User Time (sec)") +
-    xlab("Trace File/Program")
-
-
-ggsave(file="/mnt/sf_mstemm/res-user.png")
-
-res2 <- melt(res, id.vars = c("config", "shortfile"), measure.vars = c("elapsed.sys", "elapsed.user"))
-plot <- ggplot(data=res2, aes(x=config, y=value, fill=variable, order=variable)) +
-     geom_bar(stat = "summary", fun.y = "mean") +
-     coord_flip() +
-     facet_grid(shortfile ~ .) +
-     ylab("User/System Time (sec)") +
-     xlab("Trace File/Program")
-
-ggsave(file="/mnt/sf_mstemm/res-sys-user.png")
--- a/test/plugins/CMakeLists.txt
+++ b/test/plugins/CMakeLists.txt
@@ -0,0 +1,13 @@
+add_library(test_extract_p1 SHARED test_extract.cpp)
+add_library(test_extract_p2 SHARED test_extract.cpp)
+add_library(test_source SHARED test_source.cpp)
+add_library(test_incompat_api SHARED incompat_api.cpp)
+
+target_include_directories(
+	test_extract_p1 PUBLIC "${LIBSCAP_INCLUDE_DIRS}")
+
+target_include_directories(
+	test_extract_p2 PUBLIC "${LIBSCAP_INCLUDE_DIRS}")
+
+target_include_directories(
+	test_source PUBLIC "${LIBSCAP_INCLUDE_DIRS}")
--- a/test/plugins/incompat_api.cpp
+++ b/test/plugins/incompat_api.cpp
@@ -0,0 +1,28 @@
+/*
+Copyright (C) 2021 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string.h>
+#include <stdlib.h>
+
+// Don't need any function other than plugin_get_required_api_version,
+// plugin load will fail after that.
+static const char *pl_required_api_version = "10000000.0.0";
+
+extern "C"
+const char* plugin_get_required_api_version()
+{
+	return pl_required_api_version;
+}
--- a/test/plugins/test_extract.cpp
+++ b/test/plugins/test_extract.cpp
@@ -0,0 +1,116 @@
+/*
+Copyright (C) 2021 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <plugin_info.h>
+
+static const char *pl_required_api_version = "0.1.0";
+static uint32_t    pl_type                 = TYPE_EXTRACTOR_PLUGIN;
+static const char *pl_name_base            = "test_extract";
+static char pl_name[1024];
+static const char *pl_desc                 = "Test Plugin For Regression Tests";
+static const char *pl_contact              = "github.com/falcosecurity/falco";
+static const char *pl_version              = "0.1.0";
+static const char *pl_extract_sources      = "[\"test_source\"]";
+static const char *pl_fields               = "[]";
+
+// This struct represents the state of a plugin. Just has a placeholder string value.
+typedef struct plugin_state
+{
+} plugin_state;
+
+extern "C"
+const char* plugin_get_required_api_version()
+{
+	return pl_required_api_version;
+}
+
+extern "C"
+uint32_t plugin_get_type()
+{
+	return pl_type;
+}
+
+extern "C"
+const char* plugin_get_name()
+{
+	// Add a random-ish suffix to the end, as some tests load
+	// multiple copies of this plugin
+	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld\n", pl_name_base, random());
+	return pl_name;
+}
+
+extern "C"
+const char* plugin_get_description()
+{
+	return pl_desc;
+}
+
+extern "C"
+const char* plugin_get_contact()
+{
+	return pl_contact;
+}
+
+extern "C"
+const char* plugin_get_version()
+{
+	return pl_version;
+}
+
+extern "C"
+const char* plugin_get_extract_event_sources()
+{
+	return pl_extract_sources;
+}
+
+extern "C"
+const char* plugin_get_fields()
+{
+	return pl_fields;
+}
+
+extern "C"
+const char* plugin_get_last_error(ss_plugin_t* s)
+{
+	return NULL;
+}
+
+extern "C"
+ss_plugin_t* plugin_init(const char* config, int32_t* rc)
+{
+	// Note: Using new/delete is okay, as long as the plugin
+	// framework is not deleting the memory.
+	plugin_state *ret = new plugin_state();
+	*rc = SS_PLUGIN_SUCCESS;
+	return ret;
+}
+
+extern "C"
+void plugin_destroy(ss_plugin_t* s)
+{
+	plugin_state *ps = (plugin_state *) s;
+
+	delete(ps);
+}
+
+extern "C"
+int32_t plugin_extract_fields(ss_plugin_t *s, const ss_plugin_event *evt, uint32_t num_fields, ss_plugin_extract_field *fields)
+{
+	return SS_PLUGIN_SUCCESS;
+}
--- a/test/plugins/test_source.cpp
+++ b/test/plugins/test_source.cpp
@@ -0,0 +1,161 @@
+/*
+Copyright (C) 2021 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <plugin_info.h>
+
+static const char *pl_required_api_version = "0.1.0";
+static uint32_t    pl_type                 = TYPE_SOURCE_PLUGIN;
+static uint32_t    pl_id                   = 999;
+static const char *pl_name                 = "test_source";
+static const char *pl_desc                 = "Test Plugin For Regression Tests";
+static const char *pl_contact              = "github.com/falcosecurity/falco";
+static const char *pl_version              = "0.1.0";
+static const char *pl_event_source         = "test_source";
+static const char *pl_fields               = "[]";
+
+// This struct represents the state of a plugin. Just has a placeholder string value.
+typedef struct plugin_state
+{
+} plugin_state;
+
+typedef struct instance_state
+{
+} instance_state;
+
+extern "C"
+const char* plugin_get_required_api_version()
+{
+	return pl_required_api_version;
+}
+
+extern "C"
+uint32_t plugin_get_type()
+{
+	return pl_type;
+}
+
+extern "C"
+uint32_t plugin_get_id()
+{
+	return pl_id;
+}
+
+extern "C"
+const char* plugin_get_name()
+{
+	return pl_name;
+}
+
+extern "C"
+const char* plugin_get_description()
+{
+	return pl_desc;
+}
+
+extern "C"
+const char* plugin_get_contact()
+{
+	return pl_contact;
+}
+
+extern "C"
+const char* plugin_get_version()
+{
+	return pl_version;
+}
+
+extern "C"
+const char* plugin_get_event_source()
+{
+	return pl_event_source;
+}
+
+extern "C"
+const char* plugin_get_fields()
+{
+	return pl_fields;
+}
+
+extern "C"
+const char* plugin_get_last_error(ss_plugin_t* s)
+{
+	return NULL;
+}
+
+extern "C"
+ss_plugin_t* plugin_init(const char* config, int32_t* rc)
+{
+	// Note: Using new/delete is okay, as long as the plugin
+	// framework is not deleting the memory.
+	plugin_state *ret = new plugin_state();
+
+	*rc = SS_PLUGIN_SUCCESS;
+
+	return ret;
+}
+
+extern "C"
+void plugin_destroy(ss_plugin_t* s)
+{
+	plugin_state *ps = (plugin_state *) s;
+
+	delete(ps);
+}
+
+extern "C"
+ss_instance_t* plugin_open(ss_plugin_t* s, const char* params, int32_t* rc)
+{
+	// Note: Using new/delete is okay, as long as the plugin
+	// framework is not deleting the memory.
+	instance_state *ret = new instance_state();
+	*rc = SS_PLUGIN_SUCCESS;
+
+	return ret;
+}
+
+extern "C"
+void plugin_close(ss_plugin_t* s, ss_instance_t* i)
+{
+	instance_state *istate = (instance_state *) i;
+
+	delete(istate);
+}
+
+extern "C"
+int32_t plugin_next_batch(ss_plugin_t* s, ss_instance_t* i, uint32_t *nevts, ss_plugin_event **evts)
+{
+	return SS_PLUGIN_EOF;
+}
+
+// This plugin does not implement plugin_next_batch, due to the lower
+// overhead of calling C functions from the plugin framework compared
+// to calling Go functions.
+
+extern "C"
+const char *plugin_event_to_string(ss_plugin_t *s, const uint8_t *data, uint32_t datalen)
+{
+	return "";
+}
+
+extern "C"
+int32_t plugin_extract_fields(ss_plugin_t *s, const ss_plugin_event *evt, uint32_t num_fields, ss_plugin_extract_field *fields)
+{
+	return SS_PLUGIN_SUCCESS;
+}
--- a/test/requirements.txt
+++ b/test/requirements.txt
@@ -5,9 +5,9 @@ chardet==3.0.4
 idna==2.9
 pathtools==0.1.2
 pbr==5.4.5
-PyYAML==5.3.1
+PyYAML==5.4
 requests==2.23.0
 six==1.14.0
 stevedore==1.32.0
-urllib3==1.25.9
-watchdog==0.10.2
+urllib3==1.26.5
+watchdog==0.10.2
--- a/test/rules/disabled_rule_using_enabled_flag_only.yaml
+++ b/test/rules/disabled_rule_using_enabled_flag_only.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen"
+  priority: WARNING
+
+- rule: open_from_cat
+  enabled: false
--- a/test/rules/enabled_rule_using_enabled_flag_only.yaml
+++ b/test/rules/enabled_rule_using_enabled_flag_only.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen"
+  priority: WARNING
+  enabled: false
+
+- rule: open_from_cat
+  enabled: true
--- a/test/rules/exceptions/append_item_fields_values_len_mismatch.yaml
+++ b/test/rules/exceptions/append_item_fields_values_len_mismatch.yaml
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+  priority: error
+
+- rule: My Rule
+  exceptions:
+    - name: ex1
+      values:
+        - [nginx]
+  append: true
--- a/Show More
+++ b/Show More