update(userspace/falco): initial CLI porting to cxxopts

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

.circleci/config.yml

@@ -282,6 +282,8 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
   "tests/integration-static":
     docker:
       - image: falcosecurity/falco-tester:latest
@@ -297,6 +299,8 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
   "tests/driver-loader/integration":
     machine:
       image: ubuntu-1604:202004-01

.github/stale.yml

@@ -1,20 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
-  Please refer to a maintainer to get such label added if you think this should be kept open.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
 ## v0.26.1
 
 Released on 2020-10-01

CMakeLists.txt

@@ -83,7 +83,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -115,20 +115,8 @@ set(CURSES_NEED_NCURSES TRUE)
 find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
 
-# libb64
+# b64
-
+include(b64)
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
-  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
 
 # yaml-cpp
 include(yaml-cpp)
@@ -142,52 +130,16 @@ if(NOT MINIMAL_BUILD)
 endif()
 
 # LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+include(luajit)
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
-  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
 
 # Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+include(lpeg)
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
 
 # libyaml
 include(libyaml)
 
 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+include(lyaml)
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-ExternalProject_Add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 
 # One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
@@ -220,12 +172,16 @@ if(NOT MINIMAL_BUILD)
     COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
     BUILD_IN_SOURCE 1
     BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    BUILD_BYPRODUCTS ${CIVETWEB_LIB}
     INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 endif()
 
-#string-view-lite
+# string-view-lite
 include(DownloadStringViewLite)
 
+# cxxopts
+include(DownloadCxxOpts)
+
 if(NOT MINIMAL_BUILD)
   # gRPC
   include(gRPC)

README.md

@@ -5,7 +5,9 @@
 
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
-#### Latest releases
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+
+### Latest releases
 
 Read the [change log](CHANGELOG.md).
 
@@ -39,7 +41,7 @@ If you would like to run Falco in **production** please adhere to the [official
 
 Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
 
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
 The Falco Project supports various SDKs for this endpoint.
 
 ##### SDKs
@@ -63,6 +65,7 @@ For example, Falco can easily detect incidents including but not limited to:
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
+- A privileged pod is started in a Kubernetes cluster.
 
 ### Documentation
 
@@ -72,6 +75,13 @@ The [Official Documentation](https://falco.org/docs/) is the best resource to le
 
 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
 
+How to reach out?
+
+ - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
+ - [Read the Falco documentation](https://falco.org/docs/)
+
+
 ### Contributing
 
 See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
@@ -94,4 +104,4 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
 [4]: https://dl.bintray.com/falcosecurity/deb/stable
 [5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

cmake/modules/CPackConfig.cmake

@@ -30,9 +30,15 @@ if(NOT CPACK_GENERATOR)
 endif()
 
 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
-
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA

cmake/modules/DownloadCxxOpts.cmake

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(CXXOPTS_PREFIX ${CMAKE_BINARY_DIR}/cxxopts-prefix)
+set(CXXOPTS_INCLUDE ${CXXOPTS_PREFIX}/include)
+message(STATUS "Using bundled cxxopts in ${CXXOPTS_INCLUDE}")
+
+ExternalProject_Add(
+  cxxopts
+  PREFIX ${CXXOPTS_PREFIX}
+  GIT_REPOSITORY "https://github.com/jarro2783/cxxopts.git"
+  GIT_TAG "master"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CXXOPTS_PREFIX}/src/cxxopts/include/cxxopts.hpp
+                  ${CXXOPTS_INCLUDE}/cxxopts.hpp)

cmake/modules/b64.cmake

@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+message(STATUS "Using bundled b64 in '${B64_SRC}'")
+set(B64_INCLUDE "${B64_SRC}/include")
+set(B64_LIB "${B64_SRC}/src/libb64.a")
+externalproject_add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
+  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${B64_LIB}
+  INSTALL_COMMAND ""
+)

cmake/modules/gRPC.cmake

@@ -115,7 +115,7 @@ else()
     grpc
     DEPENDS openssl
     GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
+    GIT_TAG v1.32.0
     GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
     BUILD_IN_SOURCE 1
     BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}

cmake/modules/libyaml.cmake

@@ -15,12 +15,13 @@ set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
 set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
 message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
+externalproject_add(
-libyaml
+  libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
+  BUILD_COMMAND ${CMD_MAKE}
-BUILD_IN_SOURCE 1
+  BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
-
+  INSTALL_COMMAND ${CMD_MAKE} install
+)

cmake/modules/lpeg.cmake

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LPEG_LIB}
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")

cmake/modules/luajit.cmake

@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+externalproject_add(
+  luajit
+  GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+  GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LUAJIT_LIB}
+  INSTALL_COMMAND ""
+)

cmake/modules/lyaml.cmake

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+externalproject_add(
+  lyaml
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LYAML_LIB}
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+  INSTALL_COMMAND sh -c
+  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua"
+)

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,4 +25,4 @@ ExternalProject_Add(
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
   TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch && patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/luajit.patch)

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,8 +1,8 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
+index 6f51588e..5f9ea84e 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
+@@ -55,7 +55,7 @@ limitations under the License.
  //#define NDEBUG
  #include <assert.h>
  
@@ -11,7 +11,16 @@ index e9faea51..a1b3b501 100644
  
  //
  // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ static uint32_t get_max_consumers()
+ {
+ 	uint32_t max;
+-	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
++	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
+ 	if(pfile != NULL)
+ 	{
+ 		int w = fscanf(pfile, "%"PRIu32, &max);
+@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
  				return NULL;
  			}
  
@@ -20,7 +29,27 @@ index e9faea51..a1b3b501 100644
  			bpf_probe = buf;
  		}
  	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				else if(errno == EBUSY)
+ 				{
+ 					uint32_t curr_max_consumers = get_max_consumers();
+-					snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
++					snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+ 				}
+ 				else
+ 				{
+@@ -579,8 +579,8 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ 	//
+ 	// Map the ppm_ring_buffer_info that contains the buffer pointers
+ 	//
+-	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd), 
+-		&handle->m_devs[0].m_bufinfo, 
++	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
++		&handle->m_devs[0].m_bufinfo,
+ 		&handle->m_devs[0].m_bufstatus,
+ 		error) != SCAP_SUCCESS)
+ 	{
+@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
  
  const char* scap_get_host_root()
  {

cmake/modules/sysdig-repo/patch/luajit.patch

@@ -0,0 +1,57 @@
+diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
+index 0a6e3cf8..0c2e255a 100644
+--- a/userspace/libsinsp/chisel.cpp
++++ b/userspace/libsinsp/chisel.cpp
+@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
+ // Lua callbacks
+ ///////////////////////////////////////////////////////////////////////////////
+ #ifdef HAS_LUA_CHISELS
+-const static struct luaL_reg ll_sysdig [] =
++const static struct luaL_Reg ll_sysdig [] =
+ {
+ 	{"set_filter", &lua_cbacks::set_global_filter},
+ 	{"set_snaplen", &lua_cbacks::set_snaplen},
+@@ -134,7 +134,7 @@ const static struct luaL_reg ll_sysdig [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_chisel [] =
++const static struct luaL_Reg ll_chisel [] =
+ {
+ 	{"request_field", &lua_cbacks::request_field},
+ 	{"set_filter", &lua_cbacks::set_filter},
+@@ -146,7 +146,7 @@ const static struct luaL_reg ll_chisel [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_evt [] =
++const static struct luaL_Reg ll_evt [] =
+ {
+ 	{"field", &lua_cbacks::field},
+ 	{"get_num", &lua_cbacks::get_num},
+diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
+index 0e26617d..78810d96 100644
+--- a/userspace/libsinsp/lua_parser.cpp
++++ b/userspace/libsinsp/lua_parser.cpp
+@@ -32,7 +32,7 @@ extern "C" {
+ #include "lauxlib.h"
+ }
+ 
+-const static struct luaL_reg ll_filter [] =
++const static struct luaL_Reg ll_filter [] =
+ {
+ 	{"rel_expr", &lua_parser_cbacks::rel_expr},
+ 	{"bool_op", &lua_parser_cbacks::bool_op},
+diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
+index c89e9126..c3d8008a 100644
+--- a/userspace/libsinsp/lua_parser_api.cpp
++++ b/userspace/libsinsp/lua_parser_api.cpp
+@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
+ 					string err = "Got non-table as in-expression operand\n";
+ 					throw sinsp_exception("parser API error");
+ 				}
+-				int n = luaL_getn(ls, 4);  /* get size of table */
++				int n = lua_objlen (ls, 4);  /* get size of table */
+ 				for (i=1; i<=n; i++)
+ 				{
+ 					lua_rawgeti(ls, 4, i);

cmake/modules/sysdig.cmake

@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
+  set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
+  set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
@@ -57,6 +57,7 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+add_definitions(-DNOCURSESUI)
 if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()

docker/driver-loader/Dockerfile

@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
 ENV HOME /root

docker/falco/Dockerfile

@@ -2,7 +2,7 @@ FROM debian:stable
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb

docker/no-driver/Dockerfile

@@ -1,7 +1,5 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 
@@ -22,6 +20,14 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/
 
 FROM scratch
 
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
 COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

proposals/20201025-drivers-storage-s3.md

@@ -1,5 +1,9 @@
 # Falco Drivers Storage S3
 
+Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
+
+Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
+
 ## Introduction
 
 In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
@@ -41,7 +45,7 @@ Before today, we had many issues with storage even without the spike in users we
 
 ## Context on AWS
 
-Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow). 
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).
 
 ## Interactions with other teams and the CNCF
 
@@ -55,7 +59,7 @@ We want to propose to move the drivers and the container dependencies to S3.
 
 #### Moving means:
 
-* We create a public S3 bucket with[ stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
 
 * We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
 
@@ -113,7 +117,7 @@ export DRIVERS_REPO=https://your-url-here
 
 Pass it as environment variable using the docker run flag -e - for example:
 
-docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here) 
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)
 
 **Kubernetes**
 

rules/falco_rules.yaml

@@ -1213,6 +1213,9 @@
        fd.name startswith /etc/ssh/ssh_monitor_config_ or
        fd.name startswith /etc/ssh/ssh_config_))
 
+- macro: multipath_writing_conf
+  condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1333,6 +1336,7 @@
     and not automount_using_mtab
     and not mcafee_writing_cma_d
     and not avinetworks_supervisor_writing_ssh
+    and not multipath_writing_conf
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
@@ -1866,6 +1870,7 @@
 - list: falco_privileged_images
   items: [
     docker.io/calico/node,
+    calico/node,
     docker.io/cloudnativelabs/kube-router,
     docker.io/docker/ucp-agent,
     docker.io/falcosecurity/falco,
@@ -2314,6 +2319,9 @@
 - macro: user_known_user_management_activities
   condition: (never_true)
 
+- macro: chage_list
+  condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
+
 - rule: User mgmt binaries
   desc: >
     activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2332,6 +2340,7 @@
     not run_by_yum and
     not run_by_ms_oms and
     not run_by_google_accounts_daemon and
+    not chage_list and
     not user_known_user_management_activities
   output: >
     User management binary command run outside of container
@@ -2863,12 +2872,22 @@
 - list: k8s_client_binaries
   items: [docker, kubectl, crictl]
 
+- list: user_known_k8s_ns_kube_system_images
+  items: [
+      k8s.gcr.io/fluentd-gcp-scaler,
+      k8s.gcr.io/node-problem-detector/node-problem-detector
+  ]
+
+- list: user_known_k8s_images
+  items: [
+      mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+  ]
+
 # Whitelist for known docker client binaries run inside container
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
   condition: >
-    (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
+    (k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository in (user_known_k8s_images)
-    container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
 
 - macro: user_known_k8s_client_container_parens
   condition: (user_known_k8s_client_container)
@@ -3041,6 +3060,16 @@
   priority: WARNING
   tags: [network]
 
+- list: white_listed_modules
+  items: []
+    
+- rule: Linux Kernel Module Injection Detected
+  desc: Detect kernel module was injected (from container).
+  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
+  priority: WARNING
+  tags: [process]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

rules/k8s_audit_rules.yaml

@@ -537,7 +537,7 @@
   condition: >
     kevt 
     and non_system_user 
-    and ka.user.name in (admin_k8s_users) 
+    and ka.user.name in (full_admin_k8s_users)
     and not allowed_full_admin_users
   output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
   priority: WARNING

scripts/falco-driver-loader

@@ -220,7 +220,7 @@ load_kernel_module() {
 	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do 
 		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
 			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
@@ -232,7 +232,7 @@ load_kernel_module() {
 		sleep 1
 	done
 
-	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
 		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
 		exit 0
 	fi

test/run_regression_tests.sh

@@ -104,8 +104,12 @@ function run_tests() {
         suites+=($SCRIPTDIR/falco_tests_package.yaml)
     fi
     
+    XUNIT_DIR="${OPT_BUILD_DIR}/integration-tests-xunit"
+    mkdir -p "${XUNIT_DIR}"
+
     for mult in "${suites[@]}"; do
-        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        XUNIT_FILE_NAME="${XUNIT_DIR}/$(basename "${mult}").xml"
+        CMD="avocado run --xunit ${XUNIT_FILE_NAME} --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
         echo "Running $CMD"
         BUILD_DIR=${OPT_BUILD_DIR} $CMD
         RC=$?

userspace/engine/formats.cpp

@@ -26,7 +26,7 @@ bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
 std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;
 
-const static struct luaL_reg ll_falco[] =
+const static struct luaL_Reg ll_falco[] =
 	{
 		{"formatter", &falco_formats::lua_formatter},
 		{"free_formatter", &falco_formats::lua_free_formatter},

userspace/engine/rules.cpp

@@ -26,15 +26,14 @@ extern "C" {
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-const static struct luaL_reg ll_falco_rules [] =
+const static struct luaL_Reg ll_falco_rules[] =
-{
+	{
-	{"clear_filters", &falco_rules::clear_filters},
+		{"clear_filters", &falco_rules::clear_filters},
-	{"add_filter", &falco_rules::add_filter},
+		{"add_filter", &falco_rules::add_filter},
-	{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
+		{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
-	{"enable_rule", &falco_rules::enable_rule},
+		{"enable_rule", &falco_rules::enable_rule},
-	{"engine_version", &falco_rules::engine_version},
+		{"engine_version", &falco_rules::engine_version},
-	{NULL,NULL}
+		{NULL, NULL}};
-};
 
 falco_rules::falco_rules(sinsp* inspector,
 			 falco_engine *engine,

userspace/falco/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,39 +11,11 @@
 # specific language governing permissions and limitations under the License.
 #
 
-configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
+configure_file(config_falco.h.in config_falco.h)
 
-if(NOT MINIMAL_BUILD)
+set(
-  add_custom_command(
+  FALCO_SOURCES
-    OUTPUT
+  cli.cpp
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-    COMMENT "Generate gRPC API"
-    # Falco gRPC Version API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    # Falco gRPC Outputs API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-endif()
-
-if(MINIMAL_BUILD)
-add_executable(
-  falco
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
@@ -54,84 +26,76 @@ add_executable(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
+  "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
-else()
+)
-  add_executable(
+
-    falco
+set(
-    configuration.cpp
+  FALCO_INCLUDE_DIRECTORIES
-    logger.cpp
+  "${PROJECT_SOURCE_DIR}/userspace/engine"
-    falco_outputs.cpp
+  "${PROJECT_BINARY_DIR}/userspace/falco"
-    outputs_file.cpp
+  "${PROJECT_BINARY_DIR}/driver/src"
+  "${STRING_VIEW_LITE_INCLUDE}"
+  "${CXXOPTS_INCLUDE}"
+  "${YAMLCPP_INCLUDE_DIR}"
+  "${CMAKE_CURRENT_BINARY_DIR}"
+  "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
+)
+
+set(
+  FALCO_DEPENDENCIES
+  cxxopts
+  string-view-lite
+  libyaml
+  b64
+  luajit
+  lpeg
+  lyaml
+)
+
+set(
+  FALCO_LIBRARIES
+  falco_engine
+  sinsp
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+)
+
+if(USE_BUNDLED_DEPS)
+  list(APPEND FALCO_DEPENDENCIES yamlcpp)
+endif()
+
+if(NOT MINIMAL_BUILD)
+  list(
+    APPEND FALCO_SOURCES
     outputs_grpc.cpp
     outputs_http.cpp
-    outputs_program.cpp
-    outputs_stdout.cpp
-    outputs_syslog.cpp
-    event_drops.cpp
-    statsfilewriter.cpp
-    falco.cpp
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
     webserver.cpp
     grpc_context.cpp
     grpc_server_impl.cpp
     grpc_request_context.cpp
     grpc_server.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
     ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+  )
 
-    add_dependencies(falco civetweb)
+  list(
-endif()
+    APPEND FALCO_INCLUDE_DIRECTORIES
+    "${CIVETWEB_INCLUDE_DIR}"
+    "${OPENSSL_INCLUDE_DIR}"
+    "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
+    "${PROTOBUF_INCLUDE}"
+  )
 
-add_dependencies(falco string-view-lite)
+  list(APPEND FALCO_DEPENDENCIES civetweb)
 
-if(USE_BUNDLED_DEPS)
+  list(
-  add_dependencies(falco yamlcpp)
+    APPEND FALCO_LIBRARIES
-endif()
-
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}")
-else()
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CIVETWEB_INCLUDE_DIR}"
-      "${OPENSSL_INCLUDE_DIR}"
-      "${GRPC_INCLUDE}"
-      "${GRPCPP_INCLUDE}"
-      "${PROTOBUF_INCLUDE}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
     "${GPR_LIB}"
     "${GRPC_LIB}"
     "${GRPCPP_LIB}"
@@ -140,19 +104,66 @@ else()
     "${OPENSSL_LIBRARY_CRYPTO}"
     "${LIBYAML_LIB}"
     "${YAMLCPP_LIB}"
-    "${CIVETWEB_LIB}")
+    "${CIVETWEB_LIB}"
+  )
 endif()
 
-configure_file(config_falco.h.in config_falco.h)
+add_executable(
+  falco
+  ${FALCO_SOURCES}
+)
+
+add_dependencies(falco ${FALCO_DEPENDENCIES})
+
+target_link_libraries(
+  falco
+  ${FALCO_LIBRARIES}
+)
+
+target_include_directories(
+  falco
+  PUBLIC
+  ${FALCO_INCLUDE_DIRECTORIES}
+)
+
+# if(NOT MINIMAL_BUILD)
+#   add_custom_command(
+#     TARGET falco
+#     COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
+#     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+#     COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
+#   )
+# else()
+#   message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+# endif()
 
 if(NOT MINIMAL_BUILD)
   add_custom_command(
-    TARGET falco
+    OUTPUT
-    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+    COMMENT "Generate gRPC API"
+    # Falco gRPC Version API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Outputs API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+  )
-else()
-  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
 endif()
 
 # strip the Falco binary when releasing using musl
@@ -161,7 +172,8 @@ if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
     TARGET falco
     POST_BUILD
     COMMAND ${CMAKE_STRIP} --strip-unneeded falco
-    COMMENT "Strip the Falco binary when releasing the musl build")
+    COMMENT "Strip the Falco binary when releasing the musl build"
+  )
 endif()
 
 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})

userspace/falco/cli.cpp

@@ -0,0 +1,22 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "cli.h"
+
+namespace falco
+{
+
+} // namespace falco

userspace/falco/cli.h

@@ -0,0 +1,188 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <cxxopts.hpp>
+
+namespace falco
+{
+
+class option_requires_specific_argument_exception : public cxxopts::OptionParseException
+{
+public:
+	explicit option_requires_specific_argument_exception(const std::string& option, const std::string& values):
+		OptionParseException("Option " + cxxopts::LQUOTE + option + cxxopts::RQUOTE + " requires an argument equal to " + values)
+	{
+	}
+};
+
+class option_cannot_be_specified_exception : public cxxopts::OptionParseException
+{
+public:
+	explicit option_cannot_be_specified_exception(const std::string& option1, const std::string& option2):
+		OptionParseException("Options " + cxxopts::LQUOTE + option1 + cxxopts::RQUOTE + " and " + cxxopts::LQUOTE + option2 + cxxopts::RQUOTE + " can not be specified together")
+	{
+	}
+};
+
+class cli
+{
+public:
+	cli(int argc, const char** argv):
+		m_argc(argc), m_argv(argv), m_options("falco", "Cloud-Native Runtime Security")
+	{
+	}
+	virtual ~cli()
+	{
+	}
+
+	void run()
+	{
+		// These options give some info about Falco (Falco exits).
+		m_options.add_options(
+			"help",
+			{
+				{"h,help", "Print help page."},
+				{"support", "Print support information (version, rules files, etc.)."},
+				{"version", "Print version info."},
+			});
+
+		// These are options responsible for listing Falco elements (Falco exits).
+		m_options.add_options(
+			"list",
+			{
+				{"L", "Show name and description of all rules."},
+				{"l", "Show name and description of a specific rule.", cxxopts::value<std::string>(), "rule name"},
+				{"list", "Show all fields.", cxxopts::value<std::string>()->implicit_value("all"), "sycall|k8s_audit"},
+				{"N", "Show field names only."},
+			});
+
+		// m_options.add_options(
+		// 	"output",
+		// 	{
+		// 		{},
+		// 	});
+
+		// m_options.add_options(
+		// 	"input",
+		// 	{
+		// 		{},
+		// 	});
+
+		m_options.add_options(
+			"filtering",
+			{
+				{"D", "Disable any rules with names having the given substring. Can be specified multiple times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "substring"},
+				{"T", "Disable any rules with a specific tag. Can be specified several times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "tag"},
+				{"t", "Only run those rules with a specific tag. Can be specified several times. Can not be specified with -T or -D.", cxxopts::value<std::vector<std::string>>(), "tag"},
+			});
+
+		m_result = m_options.parse(m_argc, m_argv);
+
+		process();
+	}
+
+private:
+	void process()
+	{
+		if(m_result.count("help") && m_result["help"].as<bool>())
+		{
+			std::cout << m_options.help() << std::endl;
+			// todo: print > exit
+		}
+
+		if(m_result.count("support") && m_result["support"].as<bool>())
+		{
+			// todo: argv + config rule filenames > cmdline > print > exit
+		}
+
+		if(m_result.count("version") && m_result["version"].as<bool>())
+		{
+			// todo: print > exit
+		}
+
+		if(m_result.count("L") && m_result["L"].as<bool>())
+		{
+			// todo: engine > print > exit
+			// engine->describe_rule(NULL)
+		}
+
+		if(m_result.count("l"))
+		{
+			// todo: engine > print > exit
+			// engine->describe_rule(m_result["l"].as<string>());
+		}
+
+		if(m_result.count("list"))
+		{
+			auto source = m_result["list"].as<std::string>();
+			// todo: retrieve implicit value
+			if(source.empty() || (source != "syscall" && source != "k8s_audit" && source != "all"))
+			{
+				throw falco::option_requires_specific_argument_exception(
+					"list",
+					cxxopts::LQUOTE + "syscall" + cxxopts::RQUOTE + " or " + cxxopts::LQUOTE + "k8s_audit" + cxxopts::RQUOTE);
+			}
+
+			bool names_only = false;
+			if(m_result.count("N"))
+			{
+				names_only = m_result["N"].as<bool>();
+			}
+
+			// todo: engine + names_only + source
+			// se valore == syscall ==> + [-V]
+		}
+
+		bool count_D = m_result.count("D");
+		bool count_t = m_result.count("t");
+		bool count_T = m_result.count("T");
+		if(count_D > 0)
+		{
+			if(count_t > 0)
+			{
+				throw falco::option_cannot_be_specified_exception("D", "t");
+			}
+			// todo
+			// engine > not exit
+		}
+		if(count_T > 0)
+		{
+			if(count_t > 0)
+			{
+				throw falco::option_cannot_be_specified_exception("T", "t");
+			}
+			// todo
+			// engine > not exit
+		}
+		if(count_t > 0)
+		{
+			// todo
+			// engine > not exit
+		}
+	}
+
+	int m_argc;
+	const char** m_argv;
+	cxxopts::Options m_options;
+	cxxopts::ParseResult m_result;
+};
+
+} // namespace falco
+
+// 3 tipi di azioni
+// quelle che una volta date devono farlo uscire e non hanno bisogno di nessuna istanza
+// quelle che hanno bisogno di inspector e/o engine e poi falco esce
+// quelle che hanno bisogno di inspector e/o engine e poi falco esegue

userspace/falco/falco.cpp

@@ -36,13 +36,14 @@ limitations under the License.
 #include "logger.h"
 #include "utils.h"
 #include "chisel.h"
-#include "sysdig.h"
+#include "fields_info.h"
 
 #include "event_drops.h"
 #include "configuration.h"
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
+#include "cli.h"
 #ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
@@ -74,106 +75,102 @@ static void restart_falco(int signal)
 	g_restart = true;
 }
 
-//
+// //
-// Program help
+// // Program help
-//
+// //
-static void usage()
+// static void usage()
-{
+// {
-    printf(
+//     printf(
-	   "Falco version: " FALCO_VERSION "\n"
+// 	   "Falco version: " FALCO_VERSION "\n"
-	   "Usage: falco [options]\n\n"
+// 	   "Usage: falco [options]\n\n"
-	   "Options:\n"
+// 	   "Options:\n"
-	   " -h, --help                    Print this page\n"
+
-	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
+// 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
-	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+// 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
-	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
+// 	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
-	   " -b, --print-base64            Print data buffers in base64.\n"
+// 	   " -b, --print-base64            Print data buffers in base64.\n"
-	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
+// 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
-	   " --cri <path>                  Path to CRI socket for container metadata.\n"
+// 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
-	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
+// 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
-	   " -d, --daemon                  Run as a daemon.\n"
+// 	   " -d, --daemon                  Run as a daemon.\n"
-	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
+// 	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
-	   "                               This is useful to let the input event wait for the container metadata fetch\n"
+// 	   "                               This is useful to let the input event wait for the container metadata fetch\n"
-	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
+// 	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
-	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
+// 	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
-	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
+// 	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
-	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
+// 	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
-	   " --disable-source <event_source>\n"
+// 	   " --disable-source <event_source>\n"
-	   "                               Disable a specific event source.\n"
+// 	   "                               Disable a specific event source.\n"
-	   "                               Available event sources are: syscall, k8s_audit.\n"
+// 	   "                               Available event sources are: syscall, k8s_audit.\n"
-	   "                               It can be passed multiple times.\n"
+// 	   "                               It can be passed multiple times.\n"
-	   "                               Can not disable both the event sources.\n"
+// 	   "                               Can not disable both the event sources.\n"
-	   " -D <substring>                Disable any rules with names having the substring <substring>. Can be specified multiple times.\n"
+
-	   "                               Can not be specified with -t.\n"
+// 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
-	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
+// 	   "                               k8s audit events) instead of tapping into live.\n"
-	   "                               k8s audit events) instead of tapping into live.\n"
+// #ifndef MINIMAL_BUILD
-#ifndef MINIMAL_BUILD
+// 	   " -k <url>, --k8s-api <url>\n"
-	   " -k <url>, --k8s-api <url>\n"
+// 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
-	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
+//        "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
-       "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
+// 	   "                               The API server can also be specified via the environment variable FALCO_K8S_API.\n"
-	   "                               The API server can also be specified via the environment variable FALCO_K8S_API.\n"
+// 	   " -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
-	   " -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
+// 	   "                               Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
-	   "                               Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
+// 	   "                               Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
-	   "                               Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
+// 	   "                               Private key password is optional (needed only if key is password protected).\n"
-	   "                               Private key password is optional (needed only if key is password protected).\n"
+// 	   "                               CA certificate is optional. For all files, only PEM file format is supported. \n"
-	   "                               CA certificate is optional. For all files, only PEM file format is supported. \n"
+// 	   "                               Specifying CA certificate only is obsoleted - when single entry is provided \n"
-	   "                               Specifying CA certificate only is obsoleted - when single entry is provided \n"
+// 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
-	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
+// 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
-	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
+// 	   "                               ':' or '#' characters in the file name.\n"
-	   "                               ':' or '#' characters in the file name.\n"
+// #endif
-#endif
+
-	   " -L                            Show the name and description of all rules and exit.\n"
+
-	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
+
-	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
+
-	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
+// #ifndef MINIMAL_BUILD
-#ifndef MINIMAL_BUILD
+// 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
-	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
+// 	   "                               Enable Mesos support by connecting to the API server\n"
-	   "                               Enable Mesos support by connecting to the API server\n"
+// 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
-	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
+// 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
-	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
+// 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
-	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
+// #endif
-#endif
+// 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
-	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
+
-	   " -N                            When used with --list, only print field names.\n"
+// 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
-	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
+// 	   "                               <key> can be a two-part <key>.<subkey>\n"
-	   "                               <key> can be a two-part <key>.<subkey>\n"
+// 	   " -p <output_format>, --print <output_format>\n"
-	   " -p <output_format>, --print <output_format>\n"
+// 	   "                               Add additional information to each falco notification's output.\n"
-	   "                               Add additional information to each falco notification's output.\n"
+// 	   "                               With -pc or -pcontainer will use a container-friendly format.\n"
-	   "                               With -pc or -pcontainer will use a container-friendly format.\n"
+// 	   "                               With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
-	   "                               With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
+// 	   "                               With -pm or -pmesos will use a mesos-friendly format.\n"
-	   "                               With -pm or -pmesos will use a mesos-friendly format.\n"
+// 	   "                               Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
-	   "                               Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
+// 	   "                               of %%container.info in rule output fields.\n"
-	   "                               of %%container.info in rule output fields.\n"
+// 	   " -P, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
-	   " -P, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
+//        " -r <rules_file>               Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
-       " -r <rules_file>               Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
+//        "                               Can be specified multiple times to read from multiple files/directories.\n"
-       "                               Can be specified multiple times to read from multiple files/directories.\n"
+// 	   " -s <stats_file>               If specified, append statistics related to Falco's reading/processing of events\n"
-	   " -s <stats_file>               If specified, append statistics related to Falco's reading/processing of events\n"
+// 	   "                               to this file (only useful in live mode).\n"
-	   "                               to this file (only useful in live mode).\n"
+// 	   " --stats-interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
-	   " --stats-interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
+// 	   "                               This uses signals, so don't recommend intervals below 200 ms.\n"
-	   "                               This uses signals, so don't recommend intervals below 200 ms.\n"
+// 	   "                               Defaults to 5000 (5 seconds).\n"
-	   "                               Defaults to 5000 (5 seconds).\n"
+// 	   " -S <len>, --snaplen <len>\n"
-	   " -S <len>, --snaplen <len>\n"
+// 	   "                               Capture the first <len> bytes of each I/O buffer.\n"
-	   "                               Capture the first <len> bytes of each I/O buffer.\n"
+// 	   "                               By default, the first 80 bytes are captured. Use this\n"
-	   "                               By default, the first 80 bytes are captured. Use this\n"
+// 	   "                               option with caution, it can generate huge trace files.\n"
-	   "                               option with caution, it can generate huge trace files.\n"
+
-	   " --support                     Print support information including version, rules files used, etc. and exit.\n"
+
-	   " -T <tag>                      Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
+// 	   " -U,--unbuffered               Turn off output buffering to configured outputs.\n"
-	   "                               Can not be specified with -t.\n"
+// 	   "                               This causes every single line emitted by falco to be flushed,\n"
-	   " -t <tag>                      Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
+// 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
-	   "                               Can not be specified with -T/-D.\n"
+// 	   "                               into another process or into a script.\n"
-	   " -U,--unbuffered               Turn off output buffering to configured outputs.\n"
+// 	   " -u, --userspace               Parse events from userspace.\n"
-	   "                               This causes every single line emitted by falco to be flushed,\n"
+// 	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
-	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
+// 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
-	   "                               into another process or into a script.\n"
+// 	   "                               Can be specified multiple times to validate multiple files.\n"
-	   " -u, --userspace               Parse events from userspace.\n"
+// 	   " -v                            Verbose output.\n"
-	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
+
-	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
+// 	   "\n"
-	   "                               Can be specified multiple times to validate multiple files.\n"
+//     );
-	   " -v                            Verbose output.\n"
+// }
-       " --version                     Print version number.\n"
-	   "\n"
-    );
-}
 
 static void display_fatal_err(const string &msg)
 {
@@ -395,8 +392,7 @@ static void print_all_ignored_events(sinsp *inspector)
 
 static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
 {
-	if(source.size() > 0 &&
+	if(!source.empty() && !(source == "syscall" || source == "k8s_audit"))
-	   !(source == "syscall" || source == "k8s_audit"))
 	{
 		throw std::invalid_argument("Value for --list must be \"syscall\" or \"k8s_audit\"");
 	}
@@ -413,7 +409,7 @@ static void list_source_fields(falco_engine *engine, bool verbose, bool names_on
 //
 // ARGUMENT PARSING AND PROGRAM SETUP
 //
-int falco_init(int argc, char **argv)
+int falco_init()
 {
 	int result = EXIT_SUCCESS;
 	sinsp* inspector = NULL;
@@ -514,198 +510,197 @@ int falco_init(int argc, char **argv)
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
-		//
+		// 		//
-		// Parse the args
+		// 		// Parse the args
-		//
+		// 		//
-		while((op = getopt_long(argc, argv,
+		// 		while((op = getopt_long(argc, argv,
-                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
+		//                                         "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
-                                        long_options, &long_index)) != -1)
+		//                                         long_options, &long_index)) != -1)
-		{
+		// 		{
-			switch(op)
+		// 			switch(op)
-			{
+		// 			{
-			case 'h':
+		// 			case 'h':
-				usage();
+		// 				usage();
-				goto exit;
+		// 				goto exit;
-			case 'c':
+		// 			case 'c':
-				conf_filename = optarg;
+		// 				conf_filename = optarg;
-				break;
+		// 				break;
-			case 'A':
+		// 			case 'A':
-				all_events = true;
+		// 				all_events = true;
-				break;
+		// 				break;
-			case 'b':
+		// 			case 'b':
-				event_buffer_format = sinsp_evt::PF_BASE64;
+		// 				event_buffer_format = sinsp_evt::PF_BASE64;
-				break;
+		// 				break;
-			case 'd':
+		// 			case 'd':
-				daemon = true;
+		// 				daemon = true;
-				break;
+		// 				break;
-			case 'D':
+		// 			case 'D':
-				substring = optarg;
+		// 				substring = optarg;
-				disabled_rule_substrings.insert(substring);
+		// 				disabled_rule_substrings.insert(substring);
-				break;
+		// 				break;
-			case 'e':
+		// 			case 'e':
-				trace_filename = optarg;
+		// 				trace_filename = optarg;
-#ifndef MINIMAL_BUILD
+		// #ifndef MINIMAL_BUILD
-				k8s_api = new string();
+		// 				k8s_api = new string();
-				mesos_api = new string();
+		// 				mesos_api = new string();
-#endif
+		// #endif
-				break;
+		// 				break;
-			case 'F':
+		// 			case 'F':
-				list_flds = optarg;
+		// 				list_flds = optarg;
-				break;
+		// 				break;
-			case 'i':
+		// 			case 'i':
-				print_ignored_events = true;
+		// 				print_ignored_events = true;
-				break;
+		// 				break;
-#ifndef MINIMAL_BUILD
+		// #ifndef MINIMAL_BUILD
-			case 'k':
+		// 			case 'k':
-				k8s_api = new string(optarg);
+		// 				k8s_api = new string(optarg);
-				break;
+		// 				break;
-			case 'K':
+		// 			case 'K':
-				k8s_api_cert = new string(optarg);
+		// 				k8s_api_cert = new string(optarg);
-				break;
+		// 				break;
-#endif
+		// #endif
-			case 'L':
+		// 			case 'L':
-				describe_all_rules = true;
+		// 				describe_all_rules = true;
-				break;
+		// 				break;
-			case 'l':
+		// 			case 'l':
-				describe_rule = optarg;
+		// 				describe_rule = optarg;
-				break;
+		// 				break;
-#ifndef MINIMAL_BUILD
+		// #ifndef MINIMAL_BUILD
-			case 'm':
+		// 			case 'm':
-				mesos_api = new string(optarg);
+		// 				mesos_api = new string(optarg);
-				break;
+		// 				break;
-#endif
+		// #endif
-			case 'M':
+		// 			case 'M':
-				duration_to_tot = atoi(optarg);
+		// 				duration_to_tot = atoi(optarg);
-				if(duration_to_tot <= 0)
+		// 				if(duration_to_tot <= 0)
-				{
+		// 				{
-					throw sinsp_exception(string("invalid duration") + optarg);
+		// 					throw sinsp_exception(string("invalid duration") + optarg);
-				}
+		// 				}
-				break;
+		// 				break;
-			case 'N':
+		// 			case 'N':
-				names_only = true;
+		// 				names_only = true;
-				break;
+		// 				break;
-			case 'o':
+		// 			case 'o':
-				cmdline_options.push_back(optarg);
+		// 				cmdline_options.push_back(optarg);
-				break;
+		// 				break;
-			case 'P':
+		// 			case 'P':
-				pidfilename = optarg;
+		// 				pidfilename = optarg;
-				break;
+		// 				break;
-			case 'p':
+		// 			case 'p':
-				if(string(optarg) == "c" || string(optarg) == "container")
+		// 				if(string(optarg) == "c" || string(optarg) == "container")
-				{
+		// 				{
-					output_format = "container=%container.name (id=%container.id)";
+		// 					output_format = "container=%container.name (id=%container.id)";
-					replace_container_info = true;
+		// 					replace_container_info = true;
-				}
+		// 				}
-				else if(string(optarg) == "k" || string(optarg) == "kubernetes")
+		// 				else if(string(optarg) == "k" || string(optarg) == "kubernetes")
-				{
+		// 				{
-					output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
+		// 					output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
-					replace_container_info = true;
+		// 					replace_container_info = true;
-				}
+		// 				}
-				else if(string(optarg) == "m" || string(optarg) == "mesos")
+		// 				else if(string(optarg) == "m" || string(optarg) == "mesos")
-				{
+		// 				{
-					output_format = "task=%mesos.task.name container=%container.id";
+		// 					output_format = "task=%mesos.task.name container=%container.id";
-					replace_container_info = true;
+		// 					replace_container_info = true;
-				}
+		// 				}
-				else
+		// 				else
-				{
+		// 				{
-					output_format = optarg;
+		// 					output_format = optarg;
-					replace_container_info = false;
+		// 					replace_container_info = false;
-				}
+		// 				}
-				break;
+		// 				break;
-			case 'r':
+		// 			case 'r':
-				falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
+		// 				falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
-				break;
+		// 				break;
-			case 'S':
+		// 			case 'S':
-				snaplen = atoi(optarg);
+		// 				snaplen = atoi(optarg);
-				break;
+		// 				break;
-			case 's':
+		// 			case 's':
-				stats_filename = optarg;
+		// 				stats_filename = optarg;
-				break;
+		// 				break;
-			case 'T':
+		// 			case 'T':
-				disabled_rule_tags.insert(optarg);
+		// 				disabled_rule_tags.insert(optarg);
-				break;
+		// 				break;
-			case 't':
+		// 			case 't':
-				enabled_rule_tags.insert(optarg);
+		// 				enabled_rule_tags.insert(optarg);
-				break;
+		// 				break;
-			case 'U':
+		// 			case 'U':
-				buffered_outputs = false;
+		// 				buffered_outputs = false;
-				buffered_cmdline = true;
+		// 				buffered_cmdline = true;
-				break;
+		// 				break;
-			case 'u':
+		// 			case 'u':
-				userspace = true;
+		// 				userspace = true;
-				break;
+		// 				break;
-			case 'v':
+		// 			case 'v':
-				verbose = true;
+		// 				verbose = true;
-				break;
+		// 				break;
-			case 'V':
+		// 			case 'V':
-				validate_rules_filenames.push_back(optarg);
+		// 				validate_rules_filenames.push_back(optarg);
-				break;
+		// 				break;
-			case 'w':
+		// 			case 'w':
-				outfile = optarg;
+		// 				outfile = optarg;
-				break;
+		// 				break;
-			case '?':
+		// 			case '?':
-				result = EXIT_FAILURE;
+		// 				result = EXIT_FAILURE;
-				goto exit;
+		// 				goto exit;
 
-			case 0:
+		// 			case 0:
-				if(string(long_options[long_index].name) == "version")
+		// 				if(string(long_options[long_index].name) == "version")
-				{
+		// 				{
-					printf("Falco version: %s\n", FALCO_VERSION);
+		// 					printf("Falco version: %s\n", FALCO_VERSION);
-					printf("Driver version: %s\n", DRIVER_VERSION);
+		// 					printf("Driver version: %s\n", DRIVER_VERSION);
-					return EXIT_SUCCESS;
+		// 					return EXIT_SUCCESS;
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "cri")
+		// 				else if (string(long_options[long_index].name) == "cri")
-				{
+		// 				{
-					if(optarg != NULL)
+		// 					if(optarg != NULL)
-					{
+		// 					{
-						cri_socket_path = optarg;
+		// 						cri_socket_path = optarg;
-					}
+		// 					}
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "disable-cri-async")
+		// 				else if (string(long_options[long_index].name) == "disable-cri-async")
-				{
+		// 				{
-				  cri_async = false;
+		// 				  cri_async = false;
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "list")
+		// 				else if (string(long_options[long_index].name) == "list")
-				{
+		// 				{
-					list_flds = true;
+		// 					list_flds = true;
-					if(optarg != NULL)
+		// 					if(optarg != NULL)
-					{
+		// 					{
-						list_flds_source = optarg;
+		// 						list_flds_source = optarg;
-					}
+		// 					}
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "stats-interval")
+		// 				else if (string(long_options[long_index].name) == "stats-interval")
-				{
+		// 				{
-					stats_interval = atoi(optarg);
+		// 					stats_interval = atoi(optarg);
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "support")
+		// 				else if (string(long_options[long_index].name) == "support")
-				{
+		// 				{
-					print_support = true;
+		// 					print_support = true;
-				}
+		// 				}
-				else if (string(long_options[long_index].name) == "disable-source")
+		// 				else if (string(long_options[long_index].name) == "disable-source")
-				{
+		// 				{
-					if(optarg != NULL)
+		// 					if(optarg != NULL)
-					{
+		// 					{
-						disable_sources.insert(optarg);
+		// 						disable_sources.insert(optarg);
-					}
+		// 					}
-				}
+		// 				}
-				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+		// 				else if (string(long_options[long_index].name)== "alternate-lua-dir")
-				{
+		// 				{
-					if(optarg != NULL)
+		// 					if(optarg != NULL)
-					{
+		// 					{
-						alternate_lua_dir = optarg;
+		// 						alternate_lua_dir = optarg;
-						if (alternate_lua_dir.back() != '/') {
+		// 						if (alternate_lua_dir.back() != '/') {
-							alternate_lua_dir += '/';
+		// 							alternate_lua_dir += '/';
-						}
+		// 						}
-					}
+		// 					}
-				}
+		// 				}
-				break;
+		// 				break;
 
-			default:
+				// 			default:
-				break;
+				// 				break;
-			}
+				// 			}
-
-		}
 
+						// 		}
 		inspector = new sinsp();
 		inspector->set_buffer_format(event_buffer_format);
 
@@ -921,14 +916,14 @@ int falco_init(int argc, char **argv)
 				throw std::runtime_error(string("Could not uname() to find system info: %s\n") + strerror(errno));
 			}
 
-			for(char **arg = argv; *arg; arg++)
+			// for(char **arg = argv; *arg; arg++)
-			{
+			// {
-				if(cmdline.size() > 0)
+			// 	if(cmdline.size() > 0)
-				{
+			// 	{
-					cmdline += " ";
+			// 		cmdline += " ";
-				}
+			// 	}
-				cmdline += *arg;
+			// 	cmdline += *arg;
-			}
+			// }
 
 			support["version"] = FALCO_VERSION;
 			support["system_info"]["sysname"] = sysinfo.sysname;
@@ -1181,8 +1176,8 @@ int falco_init(int argc, char **argv)
 						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
-				} 
+				}
-				else 
+				else
 				{
 					rethrow_exception(current_exception());
 				}
@@ -1291,7 +1286,7 @@ int falco_init(int argc, char **argv)
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD			
+#ifndef MINIMAL_BUILD
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
@@ -1378,13 +1373,23 @@ exit:
 //
 // MAIN
 //
-int main(int argc, char **argv)
+int main(int argc, const char **argv)
 {
-	int rc;
+	try
+	{
+		auto cli = new falco::cli(argc, argv);
+		cli->run();
+	}
+	catch(const cxxopts::OptionException &e)
+	{
+		display_fatal_err("Error parsing options: " + string(e.what()) + "\n");
+		return EXIT_FAILURE;
+	}
 
+	int rc;
 	// g_restart will cause the falco loop to exit, but we
 	// should reload everything and start over.
-	while((rc = falco_init(argc, argv)) == EXIT_SUCCESS && g_restart)
+	while((rc = falco_init()) == EXIT_SUCCESS && g_restart)
 	{
 		g_restart = false;
 		optind = 1;