rule(Create Disallowed Pod): required_engine_version 5

rule(Create Privileged Pod): required_engine_version 5 rule(Create Sensitive Mount Pod): required_engine_version 5 rule(Create HostNetwork Pod): required_engine_version 5 rule(Pod Created in Kube Namespace): required_engine_version 5 rule(ClusterRole With Wildcard Created): required_engine_version 5 rule(ClusterRole With Write Privileges Created): required_engine_version 5 rule(ClusterRole With Pod Exec Created): required_engine_version 5 Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <lo@linux.com>
rules(Container Drift Detected (open+create)): specify that rule is only
2026-03-23 13:12:25 +00:00 · 2020-07-13 15:57:08 +02:00 · 2020-07-13 15:55:49 +02:00 · 2020-07-13 15:53:36 +02:00
25 changed files with 929 additions and 803 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,114 +2,9 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

-## v0.24.0
-
-Released on 2020-07-16
-
-### Major Changes
-
-* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
-* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
-* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
-* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
-* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
-* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
-
-
-### Minor Changes
-
-* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
-* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
-* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
-* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
-* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
-* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
-* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
-
-
-### Bug Fixes
-
-* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
-* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
-* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
-* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
-* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
-* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
-
-
-### Rule Changes
-
-* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
-* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
-* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
-* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
-* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
-* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
-* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
-* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
-* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
-* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
-* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
-* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
-* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
-* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
-* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
-* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
-* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
-* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
-* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
-* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
-* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
-* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
-* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
-* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
-
 ## v0.23.0

-Released on 2020-05-18
+Released on 2020-18-05

 ### Major Changes

@@ -151,7 +46,7 @@ Released on 2020-05-18

 ## v0.22.1

-Released on 2020-04-17
+Released on 2020-17-04

 ### Major Changes

@@ -171,7 +66,7 @@ Released on 2020-04-17

 ## v0.22.0

-Released on 2020-04-16
+Released on 2020-16-04

 ### Major Changes

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -160,7 +160,12 @@ ExternalProject_Add(
  INSTALL_COMMAND "")

 # libyaml
-include(libyaml)
+find_library(LIBYAML_LIB NAMES libyaml.so)
+if(LIBYAML_LIB)
+  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
+else()
+  message(FATAL_ERROR "Couldn't find system libyaml")
+endif()

 # lyaml
 set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,7 +2,7 @@

 Our release process is mostly automated, but we still need some manual steps to initiate and complete it.

-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 

 Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.

@@ -19,19 +19,18 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 - Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them

 ### 2. Milestones
-
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
-
+- Close the completed milestone
+    
 ### 3. Release PR

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
    - Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
 - Add the lastest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
- Close the completed milestone as soon PR is merged

 ## Release

@@ -53,7 +52,6 @@ Let `x.y.z` the new version.
 - Wait for the CI to complete

 ### 2. Update the GitHub release
-
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -30,14 +30,14 @@ set(CPACK_GENERATOR DEB RPM TGZ)
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if(NOT USE_BUNDLED_DEPS)
-    find_library(LIBYAML_LIB NAMES libyaml.so)
-    if(LIBYAML_LIB)
-    message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-    else()
-    message(FATAL_ERROR "Couldn't find system libyaml")
-    endif()
-else()
-    set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
-    message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
-    set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-    ExternalProject_Add(
-    libyaml
-    URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-    URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-    CONFIGURE_COMMAND ./configure --enable-static=true --enable-shared=false
-    BUILD_COMMAND ${CMD_MAKE} 
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -13,7 +13,7 @@ WORKDIR /
 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /

 RUN apt-get update -y && \
-    apt-get install -y binutils && \
+    apt-get install -y libyaml-0-2 binutils && \
    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
@@ -43,6 +43,9 @@ COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
 COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
    /usr/lib/x86_64-linux-gnu/libstdc++.so.6

+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
+    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
+
 COPY --from=ubuntu /etc/ld.so.cache \
    /etc/nsswitch.conf \
    /etc/ld.so.cache \
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms -y
+RUN apt install dkms libyaml-0-2 -y

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms curl -y
+RUN apt install dkms libyaml-0-2 curl -y

 ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
 RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -69,7 +69,7 @@ case "$CMD" in
    # run tests
    echo "Running regression tests ..."
    cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"

    # clean docker images
    clean_image "deb"
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -44,10 +44,17 @@
  items: ["vpa-recommender", "vpa-updater"]

 - list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    "kubernetes-admin",
-    vertical_pod_autoscaler_users,
+  items:
+    [
+      "minikube",
+      "minikube-user",
+      "kubelet",
+      "kops",
+      "admin",
+      "kube",
+      "kube-proxy",
+      "kube-apiserver-healthcheck",
+      vertical_pod_autoscaler_users,
    ]

 - rule: Disallowed K8s User
@@ -116,6 +123,7 @@
  condition: ka.uri=/healthz

 - rule: Create Disallowed Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
@@ -125,6 +133,7 @@
  tags: [k8s]

 - rule: Create Privileged Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a privileged container
  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
@@ -138,6 +147,7 @@
    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))

 - rule: Create Sensitive Mount Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
    Exceptions are made for known trusted images.
@@ -149,6 +159,7 @@

 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
+  required_engine_version: 5
  desc: Detect an attempt to start a pod using the host network.
  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
@@ -179,7 +190,7 @@

 - rule: Create/Modify Configmap With Private Credentials
  desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
+    Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
  condition: kevt and configmap and kmodify and contains_private_credentials
  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
  priority: WARNING
@@ -217,19 +228,6 @@
  source: k8s_audit
  tags: [k8s]

- macro: user_known_pod_debug_activities
-  condition: (k8s_audit_never_true)
-
-# Only works when feature gate EphemeralContainers is enabled
- rule: EphemeralContainers Created
-  desc: >
-    Detect any ephemeral container created
-  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
  items: [kube-system, kube-public, default]
@@ -245,15 +243,12 @@
 - list: user_trusted_image_list
  items: []

- list: k8s_image_list
-  items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
-
 - macro: trusted_pod
-  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
-              ka.req.pod.containers.image.repository in (k8s_image_list))
+  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list))

 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
+  required_engine_version: 5
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
@@ -298,6 +293,7 @@
  tags: [k8s]

 - rule: ClusterRole With Wildcard Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -310,6 +306,7 @@
    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))

 - rule: ClusterRole With Write Privileges Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -318,6 +315,7 @@
  tags: [k8s]

 - rule: ClusterRole With Pod Exec Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -480,20 +478,26 @@
  source: k8s_audit
  tags: [k8s]

-
 # This macro disables following rule, change to k8s_audit_never_true to enable it
 - macro: allowed_full_admin_users
  condition: (k8s_audit_always_true)

 # This list includes some of the default user names for an administrator in several K8s installations
 - list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+  items:
+    [
+      "admin",
+      "kubernetes-admin",
+      "kubernetes-admin@kubernetes",
+      "kubernetes-admin@cluster.local",
+      "minikube-user",
+    ]

-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
+# This rules detect an operation triggered by an user name that is
+# included in the list of those that are default administrators upon
+# cluster creation. This may signify a permission setting too broader.
+# As we can't check for role of the user on a general ka.* event, this
+# may or may not be an administrator. Customize the full_admin_k8s_users
 # list to your needs, and activate at your discrection.

 # # How to test:
@@ -543,7 +547,7 @@
  output: >
    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
    namespace=%ka.target.namespace)
-  source: k8s_audit    
+  source: k8s_audit
  priority: WARNING
  tags: [k8s, network]

@@ -589,4 +593,3 @@
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
-
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -473,8 +473,9 @@ else
 	FALCO_DRIVER_CURL_OPTIONS=-fsS
 fi

-if [[ -z "$MAX_RMMOD_WAIT" ]]; then
-	MAX_RMMOD_WAIT=60
+MAX_RMMOD_WAIT=60
+if [[ $# -ge 1 ]]; then
+	MAX_RMMOD_WAIT=$1
 fi

 DRIVER_VERSION="@PROBE_VERSION@"
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,4 +1 @@
 add_subdirectory(trace_files)
-
-add_custom_target(test-trace-files ALL)
-add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)
--- a/test/README.md
+++ b/test/README.md
@@ -7,25 +7,13 @@ You can find instructions on how to run this test suite on the Falco website [he
 ## Test suites

 - [falco_tests](./falco_tests.yaml)
- [falco_traces](./falco_traces.yaml.in)
+- [falco_traces](./falco_traces.yaml)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
 - [falco_tests_psp](./falco_tests_psp.yaml)

 ## Running locally

-This step assumes you already built Falco.
-
-Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
-
-Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
-
-```console
-make test-trace-files
-```
-
-It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
-
 Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):

 ```console
@@ -44,72 +32,8 @@ In case you want to only execute a specific test case, use the `--mux-filter-onl
 BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
 ```

-To obtain the path of all the available variants for a given test suite, execute:
+To obtain the path of all the available variants, execute:

 ```console
-avocado variants --mux-yaml falco_tests.yaml
-```
-
-### falco_traces
-
-The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
-
-1. Ensure you have `unzip` and `xargs` utilities
-2. Prepare the test suite with the following command:
-
-    ```console
-    bash run_regression_tests.sh -p -v
-    ```
-
-### falco_tests_package
-
-The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
-
-In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
-
-1. Ensure you have `docker` up and running
-2. Ensure you build Falco (with bundled deps)
-
-    The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
-
-    ```console
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
-    ```
-
-3. Ensure you build the Falco packages from the Falco above:
-
-    ```console
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
-    ```
-
-4. Ensure you build the runners:
-
-    ```console
-    FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version  | head -n 1 | cut -d' ' -f3 | tr -d '\r')
-    mkdir -p /tmp/runners-rootfs
-    cp -R ./test/rules /tmp/runners-rootfs
-    cp -R ./test/trace_files /tmp/runners-rootfs
-    cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
-    ```
-
-5. Run the `falco_tests_package.yaml` test suite from the `test` directory
-
-    ```console
-    cd test
-    BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
-    ```
-
-### Execute all the test suites
-
-In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
-
-```console
-cd test
-./run_regression_tests.sh -v
-```
-
-Just make sure you followed all the previous setup steps.
+avocado variants --mux-yaml falco_test.yaml
+```
--- a/test/driver-loader/run_test.sh
+++ b/test/driver-loader/run_test.sh
@@ -20,17 +20,17 @@ set -euo pipefail
 BUILD_DIR=$1

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname "$SCRIPT")
+SCRIPTDIR=$(dirname $SCRIPT)
 RUNNERDIR="${SCRIPTDIR}/runner"
 FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"

 cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
-pushd "${RUNNERDIR}"
+pushd ${RUNNERDIR}
 docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
    -t falcosecurity/falco:test-driver-loader \
-    -f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
+    -f "${RUNNERDIR}/Dockerfile" ${RUNNERDIR}
 popd
 rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"

--- a/test/driver-loader/runner/Dockerfile
+++ b/test/driver-loader/runner/Dockerfile
@@ -10,6 +10,7 @@ ENV HOST_ROOT=/host
 RUN apt-get update -y
 RUN apt-get install -y --no-install-recommends \
 	ca-certificates \
+	libyaml-0-2 \
 	dkms \
 	curl \
 	gcc \
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/test/rules/k8s_audit/allow_nginx_container.yaml
+++ b/test/rules/k8s_audit/allow_nginx_container.yaml
@@ -1,3 +1,2 @@
 - macro: allowed_k8s_containers
  condition: (ka.req.pod.containers.image.repository in (nginx))
-
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,46 +18,45 @@
 set -euo pipefail

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname "$SCRIPT")
+SCRIPTDIR=$(dirname $SCRIPT)
+BUILD_DIR=$1
+BRANCH=${2:-none}
+
+TRACE_DIR=$BUILD_DIR/test
+
+mkdir -p $TRACE_DIR

 function download_trace_files() {
+    echo "branch=$BRANCH"
    for TRACE in traces-positive traces-negative traces-info ; do
-    if [ ! -e "$TRACE_DIR/$TRACE" ]; then
-        if [ "$OPT_BRANCH" != "none" ]; then
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
-        else
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
-        fi
-        unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
-        rm -rf "$TRACE_DIR/$TRACE.zip"
-    else
-        if ${OPT_VERBOSE}; then
-            echo "Trace directory $TRACE_DIR/$TRACE already exist: skipping"
-        fi
-    fi
+	if [ ! -e $TRACE_DIR/$TRACE ]; then
+	    if [ $BRANCH != "none" ]; then
+		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$BRANCH.zip
+	    else
+		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
+	    fi
+	    unzip -d $TRACE_DIR $TRACE_DIR/$TRACE.zip
+	    rm -rf $TRACE_DIR/$TRACE.zip
+	fi
    done
 }

 function prepare_multiplex_fileset() {
+
    dir=$1
    detect=$2

-    for trace in "$TRACE_DIR/$dir"/*.scap ; do
-        [ -e "$trace" ] || continue
-        NAME=$(basename "$trace" .scap)
+    for trace in $TRACE_DIR/$dir/*.scap ; do
+	[ -e "$trace" ] || continue
+	NAME=`basename $trace .scap`

-        # falco_traces.yaml might already have an entry for this trace file, with specific detection levels and counts.
-        # If so, skip it.
-        # Otherwise, add a generic entry showing whether or not to detect anything.
-        if grep -q "$NAME:" "$SCRIPTDIR/falco_traces.yaml"; then
-            if ${OPT_VERBOSE}; then
-                echo "Entry $NAME already exist: skipping"
-            fi
-            continue
-        fi
-
-        cat << EOF >> "$SCRIPTDIR/falco_traces.yaml"
+	# falco_traces.yaml might already have an entry for this trace
+	# file, with specific detection levels and counts. If so, skip
+	# it. Otherwise, add a generic entry showing whether or not to
+	# detect anything.
+	grep -q "$NAME:" $SCRIPTDIR/falco_traces.yaml && continue

+	cat << EOF >> $SCRIPTDIR/falco_traces.yaml
  $NAME:
    detect: $detect
    detect_level: WARNING
@@ -67,96 +66,41 @@ EOF
 }

 function prepare_multiplex_file() {
-    /bin/cp -f "$SCRIPTDIR/falco_traces.yaml.in" "$SCRIPTDIR/falco_traces.yaml"
+    cp $SCRIPTDIR/falco_traces.yaml.in $SCRIPTDIR/falco_traces.yaml

    prepare_multiplex_fileset traces-positive True
    prepare_multiplex_fileset traces-negative False
    prepare_multiplex_fileset traces-info True

-    if ${OPT_VERBOSE}; then
-        echo "Contents of $SCRIPTDIR/falco_traces.yaml"
-        cat "$SCRIPTDIR/falco_traces.yaml"
-    fi
+    echo "Contents of $SCRIPTDIR/falco_traces.yaml:"
+    cat $SCRIPTDIR/falco_traces.yaml
 }

 function print_test_failure_details() {
    echo "Showing full job logs for any tests that failed:"
-    jq '.tests[] | select(.status != "PASS") | .logfile' "$SCRIPTDIR/job-results/latest/results.json" | xargs cat
+    jq '.tests[] | select(.status != "PASS") | .logfile' $SCRIPTDIR/job-results/latest/results.json  | xargs cat
 }

 function run_tests() {
    rm -rf /tmp/falco_outputs
    mkdir /tmp/falco_outputs
-    # If we got this far, we can undo set -e,
-    # as we're watching the return status when running avocado.
+    # If we got this far, we can undo set -e, as we're watching the
+    # return status when running avocado.
    set +e
    TEST_RC=0
    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
-        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
-        echo "Running $CMD"
-        BUILD_DIR=${OPT_BUILD_DIR} $CMD
-        RC=$?
-        TEST_RC=$((TEST_RC+RC))
-        if [ $RC -ne 0 ]; then
-            print_test_failure_details
-        fi
+	CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+	echo "Running: $CMD"
+	BUILD_DIR=${BUILD_DIR} $CMD
+	RC=$?
+	TEST_RC=$((TEST_RC+$RC))
+	if [ $RC -ne 0 ]; then
+	    print_test_failure_details
+	fi
    done
 }

-OPT_ONLY_PREPARE="false"
-OPT_VERBOSE="false"
-OPT_BUILD_DIR="$(dirname "$SCRIPTDIR")/build"
-OPT_BRANCH="none"
-while getopts ':p :h :v :b: :d:' 'OPTKEY'; do
-    case ${OPTKEY} in
-        'p')
-            OPT_ONLY_PREPARE="true"
-            ;;
-        'h')
-            /bin/bash usage
-            exit 0
-            ;;
-        'v')
-            OPT_VERBOSE="true"
-            ;;
-        'd')
-            OPT_BUILD_DIR=${OPTARG}
-            ;;
-        'b')
-            OPT_BRANCH=${OPTARG}
-            ;;
-        '?')
-            echo "Invalid option: ${OPTARG}." >&2
-            /bin/bash usage
-            exit 1
-            ;;
-        ':')
-            echo "Missing argument for option: ${OPTARG}." >&2
-            /bin/bash usage
-            exit 1
-            ;;
-        *)
-            echo "Unimplemented option: ${OPTKEY}." >&2
-            /bin/bash usage
-            exit 1
-            ;;
-        esac
-done
-
-TRACE_DIR=$OPT_BUILD_DIR/test
-
-if ${OPT_VERBOSE}; then
-    echo "Build directory = $OPT_BUILD_DIR"
-    echo "Trace directory = $TRACE_DIR"
-    echo "Custom branch   = $OPT_BRANCH"
-fi
-
-mkdir -p "$TRACE_DIR"
-
 download_trace_files
 prepare_multiplex_file
-
-if ! ${OPT_ONLY_PREPARE}; then
-    run_tests
-    exit $TEST_RC
-fi
+run_tests
+exit $TEST_RC
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,6 +1,5 @@
 add_subdirectory(k8s_audit)
 add_subdirectory(psp)
-
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
@@ -12,8 +11,4 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
-	list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
-
-add_custom_target(trace-files-base-scap ALL)
-add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})
--- a/test/trace_files/k8s_audit/CMakeLists.txt
+++ b/test/trace_files/k8s_audit/CMakeLists.txt
@@ -9,8 +9,4 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
-	list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
-
-add_custom_target(trace-files-k8s-audit ALL)
-add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})
--- a/test/trace_files/psp/CMakeLists.txt
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -10,8 +10,4 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
-	list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
-
-add_custom_target(trace-files-psp ALL)
-add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})
--- a/test/usage
+++ b/test/usage
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-cat <<EOF
-Hello, this is Falco integration tests runner.
-
-SYNOPSIS
-
-    bash run_regression_tests.sh [-h] [-v] [-p] [-d=<build directory>] [-b=<custom branch>]
-
-DESCRIPTION
-
-    -h                      Display usage instructions
-    -v                      Verbose output
-    -p                      Prepare the falco_traces integration test suite
-    -b=CUSTOM_BRANCH        Specify a custom branch for downloading falco_traces fixtures (defaults to "none")
-    -d=BUILD_DIRECTORY      Specify the build directory where Falco has been built (defaults to $SCRIPTDIR/../build)
-EOF
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -23,10 +23,6 @@ set(FALCO_ENGINE_SOURCE_FILES
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
 add_dependencies(falco_engine njson lyaml lpeg string-view-lite)

-if(USE_BUNDLED_DEPS)
-  add_dependencies(falco_engine libyaml)
-endif()
-
 target_include_directories(
  falco_engine
  PUBLIC
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -158,8 +158,6 @@ static void usage()
 	   "                               This causes every single line emitted by falco to be flushed,\n"
 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
 	   "                               into another process or into a script.\n"
-	   " -u, --userspace               Parse events from userspace.\n"
-	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
 	   "                               Can be specified multiple times to validate multiple files.\n"
 	   " -v                            Verbose output.\n"
@@ -445,7 +443,6 @@ int falco_init(int argc, char **argv)
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
-	bool userspace = false;

 	// Used for writing trace files
 	int duration_seconds = 0;
@@ -485,7 +482,6 @@ int falco_init(int argc, char **argv)
        {"stats-interval", required_argument, 0},
        {"support", no_argument, 0},
        {"unbuffered", no_argument, 0, 'U'},
-        {"userspace", no_argument, 0, 'u'},
        {"validate", required_argument, 0, 'V'},
        {"version", no_argument, 0, 0},
        {"writefile", required_argument, 0, 'w'},
@@ -504,7 +500,7 @@ int falco_init(int argc, char **argv)
 		// Parse the args
 		//
 		while((op = getopt_long(argc, argv,
-                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
+                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UvV:w:",
                                        long_options, &long_index)) != -1)
 		{
 			switch(op)
@@ -611,9 +607,6 @@ int falco_init(int argc, char **argv)
 				buffered_outputs = false;
 				buffered_cmdline = true;
 				break;
-			case 'u':
-				userspace = true;
-				break;
 			case 'v':
 				verbose = true;
 				break;
@@ -802,16 +795,12 @@ int falco_init(int argc, char **argv)
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);

 			// log after config init because config determines where logs go
-			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 		}
 		else
 		{
 			config.init(cmdline_options);
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
-
-			// log after config init because config determines where logs go
-			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}

@@ -1102,17 +1091,7 @@ int falco_init(int argc, char **argv)
 		}
 		else
 		{
-			open_t open_cb = [&userspace](sinsp* inspector)
-			{
-				if(userspace)
-				{
-					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
-					//
-					// Falco uses a ptrace(2) based userspace implementation.
-					// Regardless of the implementation, the underlying method remains the same.
-					inspector->open_udig();
-					return;
-				}
+			open_t open_cb = [](sinsp* inspector) {
 				inspector->open();
 			};
 			open_t open_nodriver_cb = [](sinsp* inspector) {
@@ -1137,17 +1116,11 @@ int falco_init(int argc, char **argv)
 			}
 			catch(sinsp_exception &e)
 			{
-				// If syscall input source is enabled and not through userspace instrumentation
-				if (!disable_syscall && !userspace)
+				if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 				{
-					// Try to insert the Falco kernel module
-					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
-					{
-						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
-					}
-					open_f(inspector);
+					falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
 				}
-				rethrow_exception(current_exception());
+				open_f(inspector);
 			}
 		}

@@ -1166,7 +1139,7 @@ int falco_init(int argc, char **argv)
 		duration = ((double)clock()) / CLOCKS_PER_SEC;

 		//
-		// Run k8s, if required
+		// run k8s, if required
 		//
 		if(k8s_api)
 		{
@@ -1205,7 +1178,7 @@ int falco_init(int argc, char **argv)
 		}

 		//
-		// Run mesos, if required
+		// run mesos, if required
 		//
 		if(mesos_api)
 		{