docs: add sections about drivers into RELEASE.md file

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
update(scripts): driver loader cycle available gcc versions
2026-03-20 11:42:06 +00:00 · 2020-09-16 19:46:01 +02:00 · 2020-09-16 18:09:09 +02:00 · 2020-09-14 11:09:09 +02:00 · 2020-09-14 11:09:09 +02:00 · 2020-09-14 11:09:09 +02:00
60 changed files with 1753 additions and 717 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,5 +1,85 @@
 version: 2
 jobs:
+  # Build a statically linked Falco release binary using musl
+  # This build is 100% static, there are no host dependencies
+  "build/musl":
+    docker:
+      - image: alpine:3.12
+    steps:
+      - checkout:
+          path: /source-static/falco
+      - run:
+          name: Update base image
+          command: apk update
+      - run:
+          name: Install build dependencies
+          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+      - run:
+          name: Prepare project
+          command: |
+            mkdir -p /build-static/release
+            cd /build-static/release
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+      - run:
+          name: Build
+          command: |
+            cd /build-static/release
+            make -j4 all
+      - run:
+          name: Package
+          command: |
+            cd /build-static/release
+            make -j4 package
+      - run:
+          name: Run unit tests
+          command: |
+            cd /build-static/release
+            make tests
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build-static/release/*.tar.gz /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build-static/release
+            - source-static
+  # Build the minimal Falco
+  # This build only contains the Falco engine and the basic input/output.
+  "build/minimal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build-minimal
+            pushd build-minimal
+            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build-minimal
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build-minimal
+            make tests
+            popd
  # Build using ubuntu LTS
  # This build is dynamic, most dependencies are taken from the OS
  "build/ubuntu-focal":
@@ -64,8 +144,72 @@ jobs:
            pushd build
            make tests
            popd
+  # Build using Ubuntu Bionic Beaver (18.04)
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/ubuntu-bionic":
+    docker:
+      - image: ubuntu:bionic
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using CentOS 8
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/centos8":
+    docker:
+      - image: centos:8
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: dnf update -y
+      - run:
+          name: Install dependencies
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
  # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -102,7 +246,7 @@ jobs:
          path: /tmp/packages
          destination: /packages
  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7-debug":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -138,6 +282,21 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+  "tests/integration-static":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source-static"
+          BUILD_DIR: "/build-static"
+          BUILD_TYPE: "release"
+          SKIP_PACKAGES_TESTS: "true"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
  "tests/driver-loader/integration":
    machine:
      image: ubuntu-1604:202004-01
@@ -203,10 +362,34 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz-dev
+          name: Publish bin-dev
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Clenup the Falco development release packages
+  "cleanup/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare env
+          command: |
+            apk add --no-cache --update
+            apk add curl jq
+      - run:
+          name: Only keep the 10 most recent Falco development release tarballs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release RPMs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release DEBs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
  # Publish docker packages
  "publish/docker-dev":
    docker:
@@ -263,10 +446,10 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz
+          name: Publish bin
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
  # Publish docker packages
  "publish/docker":
    docker:
@@ -308,13 +491,20 @@ workflows:
  version: 2
  build_and_test:
    jobs:
+      - "build/musl"
+      - "build/minimal"
      - "build/ubuntu-focal"
      - "build/ubuntu-focal-debug"
+      - "build/ubuntu-bionic"
+      - "build/centos8"
      - "build/centos7"
      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
+      - "tests/integration-static":
+          requires:
+            - "build/musl"
      - "tests/driver-loader/integration":
          requires:
            - "build/centos7"
@@ -336,6 +526,16 @@ workflows:
              only: master
          requires:
            - "rpm/sign"
+            - "tests/integration-static"
+      - "cleanup/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
      - "publish/docker-dev":
          context: falco
          filters:
@@ -348,6 +548,12 @@ workflows:
            - "tests/driver-loader/integration"
  release:
    jobs:
+      - "build/musl":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
      - "build/centos7":
          filters:
            tags:
@@ -366,6 +572,7 @@ workflows:
      - "publish/packages":
          context: falco
          requires:
+            - "build/musl"
            - "rpm/sign"
          filters:
            tags:
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -6,7 +6,6 @@ daysUntilClose: 7
 exemptLabels:
  - cncf
  - roadmap
-  - enhancement
  - "help wanted"
 # Label to use when marking an issue as stale
 staleLabel: wontfix
@@ -15,5 +14,7 @@ markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
+  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
+  Please refer to a maintainer to get such label added if you think this should be kept open.
 # Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
+closeComment: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,156 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

+## v0.25.0
+
+Released on 2020-08-25
+
+### Major Changes
+
+* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
+* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Minor Changes
+
+* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
+* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
+* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
+
+
+### Rule Changes
+
+* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
+* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
+* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
+* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
+
+## v0.24.0
+
+Released on 2020-07-16
+
+### Major Changes
+
+* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
+* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
+
+
+### Minor Changes
+
+* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
+* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
+* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
+* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
+* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
+* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
+
+
+### Bug Fixes
+
+* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
+* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
+* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
+* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
+
+
+### Rule Changes
+
+* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
+* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
+* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
+* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
+* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
+* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
+* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
+* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
+* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
+
 ## v0.23.0

-Released on 2020-18-05
+Released on 2020-05-18

 ### Major Changes

@@ -46,7 +193,7 @@ Released on 2020-18-05

 ## v0.22.1

-Released on 2020-17-04
+Released on 2020-04-17

 ### Major Changes

@@ -66,7 +213,7 @@ Released on 2020-17-04

 ## v0.22.0

-Released on 2020-16-04
+Released on 2020-04-16

 ### Major Changes

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,8 @@ project(falco)

 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)

 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -50,7 +52,15 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
+endif()
+
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
  set(CMAKE_SUPPRESSED_WARNINGS
@@ -123,11 +133,13 @@ ExternalProject_Add(
 # yaml-cpp
 include(yaml-cpp)

-# OpenSSL
-include(OpenSSL)
+if(NOT MINIMAL_BUILD)
+  # OpenSSL
+  include(OpenSSL)

-# libcurl
-include(cURL)
+  # libcurl
+  include(cURL)
+endif()

 # LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
@@ -160,27 +172,20 @@ ExternalProject_Add(
  INSTALL_COMMAND "")

 # libyaml
-find_library(LIBYAML_LIB NAMES libyaml.so)
-if(LIBYAML_LIB)
-  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-else()
-  message(FATAL_ERROR "Couldn't find system libyaml")
-endif()
+include(libyaml)

 # lyaml
 set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
 message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-set(LYAML_DEPENDENCIES "")
-list(APPEND LYAML_DEPENDENCIES "luajit")
 ExternalProject_Add(
  lyaml
-  DEPENDS ${LYAML_DEPENDENCIES}
+  DEPENDS luajit libyaml
  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
  INSTALL_COMMAND sh -c
                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")

@@ -201,26 +206,30 @@ ExternalProject_Add(
  BUILD_BYPRODUCTS ${TBB_LIB}
  INSTALL_COMMAND "")

-# civetweb
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-ExternalProject_Add(
-  civetweb
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_IN_SOURCE 1
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+if(NOT MINIMAL_BUILD)
+  # civetweb
+  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+  ExternalProject_Add(
+    civetweb
+    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+    BUILD_IN_SOURCE 1
+    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+endif()

 #string-view-lite
 include(DownloadStringViewLite)

-# gRPC
-include(gRPC)
+if(NOT MINIMAL_BUILD)
+  # gRPC
+  include(gRPC)
+endif()

 # sysdig
 include(sysdig)
@@ -228,11 +237,13 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

-# Coverage
-include(Coverage)
+if(NOT MINIMAL_BUILD)
+  # Coverage
+  include(Coverage)

-# Tests
-add_subdirectory(test)
+  # Tests
+  add_subdirectory(test)
+endif()

 # Rules
 add_subdirectory(rules)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,38 +0,0 @@
-# CNCF Community Code of Conduct v1.0
-
-## Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
-http://contributor-covenant.org/version/1/2/0/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,150 +0,0 @@
-# Contributing to Falco
-
- [Contributing to Falco](#contributing-to-falco)
-  - [Code of Conduct](#code-of-conduct)
-  - [Issues](#issues)
-    - [Triage issues](#triage-issues)
-      - [More about labels](#more-about-labels)
-    - [Slack](#slack)
-  - [Pull Requests](#pull-requests)
-    - [Commit convention](#commit-convention)
-      - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
-    - [Unit testing](/tests/README.md)
-  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
-
-## Code of Conduct
-
-Falco has a
-[Code of Conduct](CODE_OF_CONDUCT.md)
-to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
-
-## Issues
-
-Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
-
- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
-creating an issue with the **bug report template** is the best way to do so.
- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
-
-The best way to get **involved** in the project is through issues, you can help in many ways:
-
- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
-sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
-
-### Triage issues
-
-We need help in categorizing issues. Thus any help is welcome!
-
-When you triage an issue, you:
-
-* assess whether it has merit or not
-
-* quickly close it by correctly answering a question
-
-* point the reporter to a resource or documentation answering the issue
-
-* tag it via labels, projects, or milestones
-
-* take ownership submitting a PR for it, in case you want 😇
-
-#### More about labels
-
-These guidelines are not set in stone and are subject to change.
-
-Anyway a `kind/*` label for any issue is mandatory.
-
-This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
-
-You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
-
-The commands available are the following ones:
-
-```
-/[remove-](area|kind|priority|triage|label)
-```
-
-Some examples:
-
-* `/area rules`
-* `/remove-area rules`
-* `/kind kernel-module`
-* `/label good-first-issue`
-* `/triage duplicate`
-* `/triage unresolved`
-* `/triage not-reproducible`
-* `/triage support`
-* ...
-
-### Slack
-
-Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
-
-## Pull Requests
-
-Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
-
-In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
-need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
-
-The list of labels is [here](https://github.com/falcosecurity/falco/labels).
-
-Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
-
-Once your reviewer is happy, they will say `/lgtm` which will apply the
-`lgtm` label, and will apply the `approved` label if they are an
-[owner](/OWNERS).
-
-Your PR will be automatically merged once it has the `lgtm` and `approved`
-labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
-
-### Commit convention
-
-As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
-of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
-
-#### Rule type
-
-Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
-Example:
-
-```
-rule(Write below monitored dir): make sure monitored dirs are monitored.
-```
-
-Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
-
-If you are changing only a macro, the commit will look like this:
-
-```
-rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
-```
-
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
-
-## Developer Certificate Of Origin
-
-The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
-
-Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
-
-```
-This is my commit message
-
-Signed-off-by: John Poiana <jpoiana@falco.org>
-```
-
-Git even has a `-s` command line option to append this automatically to your commit message:
-
-```
-$ git commit -s -m 'This is my commit message'
-```
--- a/2
+++ b/2
@@ -3,6 +3,7 @@ approvers:
  - kris-nova
  - leodido
  - mstemm
+  - leogr
 reviewers:
  - fntlnz
  - kaizhe
@@ -10,3 +11,4 @@ reviewers:
  - leodido
  - mfdii
  - mstemm
+  - leogr
--- a/README.md
+++ b/README.md
@@ -3,8 +3,6 @@

 <hr>

-# The Falco Project
-
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

 #### Latest releases
@@ -19,63 +17,78 @@ Read the [change log](CHANGELOG.md).

 ---

-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
+Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

-Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
+### Installing Falco

-#### What kind of behaviors can Falco detect?
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).

-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
+##### Kubernetes

- A shell is running inside a container.
+| Tool     | Link                                                                                       | Note                                                               |
+|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
+| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+
+### Developing
+
+Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+The Falco Project supports various SDKs for this endpoint.
+
+##### SDKs
+
+| Language | Repository                                              |
+|----------|---------------------------------------------------------|
+| Go       | [client-go](https://github.com/falcosecurity/client-go) |
+| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
+| Python   | [client-py](https://github.com/falcosecurity/client-py) |
+
+
+### What can Falco detect?
+
+Falco can detect and alert on any behavior that involves making Linux system calls.
+Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
+For example, Falco can easily detect incidents including but not limited to:
+
+- A shell is running inside a container or pod in Kubernetes.
 - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
 - A server process is spawning a child process of an unexpected type.
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.

+### Documentation

-### Installing Falco
+The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.

-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
-
-#### How do you compare Falco with other security tools?
-
-One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
-
-
-Documentation
---
-
-See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
-
-Join the Community
---
+### Join the Community

 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

-License Terms
---
+### Contributing

-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
-
-Contributing
---
-
-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
-
-Security
---
+See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).

 ### Security Audit

 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).

 ### Reporting security vulnerabilities
+
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).

+### License Terms
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+
 [1]: https://dl.bintray.com/falcosecurity/rpm-dev
 [2]: https://dl.bintray.com/falcosecurity/rpm
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,7 +2,7 @@

 Our release process is mostly automated, but we still need some manual steps to initiate and complete it.

-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.

 Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.

@@ -10,27 +10,35 @@ Finally, on the proposed due date the assignees for the upcoming release proceed

 ## Pre-Release Checklist

-### 1. Release notes
+### 1. Drivers
+
+- Check whether the [driver version](https://github.com/falcosecurity/falco/blob/master/cmake/modules/sysdig.cmake#L32) has changed since the last stable release of Falco
+    - Verify the release notes (point 2) eventually communicate this change 
+- Update the [Drivers Build Grid](https://github.com/falcosecurity/test-infra/tree/master/driverkit) so to ship prebuilt drivers for it (**best-effort** task)
+
+### 2. Release notes
+
 - Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
    - If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
+
+### 3. Milestones

-### 2. Milestones
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
- Close the completed milestone
-    
-### 3. Release PR
+
+### 4. Release PR

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
    - Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
 - Add the lastest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
+- Close the completed milestone as soon PR is merged

 ## Release

@@ -52,6 +60,7 @@ Let `x.y.z` the new version.
 - Wait for the CI to complete

 ### 2. Update the GitHub release
+
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -25,19 +25,23 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")

-set(CPACK_GENERATOR DEB RPM TGZ)
+if(NOT CPACK_GENERATOR)
+    set(CPACK_GENERATOR DEB RPM TGZ)
+endif()
+
+message(STATUS "Using package generators: ${CPACK_GENERATOR}")

 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -15,7 +15,7 @@ include(ExternalProject)

 set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
 set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
+message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")

 ExternalProject_Add(
  string-view-lite
--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -35,7 +35,7 @@ else()
    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
    BUILD_COMMAND ${CMD_MAKE}
    BUILD_IN_SOURCE 1
    INSTALL_COMMAND ${CMD_MAKE} install)
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -19,13 +19,9 @@ else()
  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")

-  if(NOT USE_BUNDLED_OPENSSL)
-    set(CURL_SSL_OPTION "--with-ssl")
-  else()
-    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-  endif()
+  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")

  externalproject_add(
    curl
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -96,12 +96,17 @@ else()
  # that zlib will be very outdated
  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that c-ares will be very outdated
+  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
+  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")

  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
  message(
    STATUS
      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")

  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
@@ -110,8 +115,8 @@ else()
    grpc
    DEPENDS openssl
    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.25.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    GIT_TAG v1.31.1
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
    BUILD_IN_SOURCE 1
    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
    INSTALL_COMMAND ""
@@ -121,6 +126,8 @@ else()
      HAS_SYSTEM_ZLIB=false
      HAS_SYSTEM_PROTOBUF=false
      HAS_SYSTEM_CARES=false
+      HAS_EMBEDDED_OPENSSL_ALPN=false
+      HAS_SYSTEM_OPENSSL_ALPN=true
      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
      PATH=${PROTOC_DIR}:$ENV{PATH}
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -10,26 +10,44 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-if(NOT USE_BUNDLED_DEPS)
-  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-  find_library(JQ_LIB NAMES jq)
-  if(JQ_INCLUDE AND JQ_LIB)
-    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system jq")
-  endif()
-else()
-  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-  message(STATUS "Using bundled jq in '${JQ_SRC}'")
-  set(JQ_INCLUDE "${JQ_SRC}")
-  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-  ExternalProject_Add(
-    jq
-    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
-    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-    BUILD_IN_SOURCE 1
-    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-    INSTALL_COMMAND "")
-endif()
+if (NOT USE_BUNDLED_DEPS)
+    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+    find_library(JQ_LIB NAMES jq)
+    if (JQ_INCLUDE AND JQ_LIB)
+        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+    else ()
+        message(FATAL_ERROR "Couldn't find system jq")
+    endif ()
+else ()
+    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+    message(STATUS "Using bundled jq in '${JQ_SRC}'")
+    set(JQ_INCLUDE "${JQ_SRC}/target/include")
+    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
+    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
+    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
+    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+
+    # Why we mirror jq here?
+    #
+    # In their readme, jq claims that you don't have
+    # to do autoreconf -fi when downloading a released tarball.
+    #
+    # However, they forgot to push the released makefiles
+    # into their release tarbal.
+    #
+    # For this reason, we have to mirror their release after
+    # doing the configuration ourselves.
+    #
+    # This is needed because many distros do not ship the right
+    # version of autoreconf, making virtually impossible to build Falco on them.
+    # Read more about it here:
+    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
+    ExternalProject_Add(
+            jq
+            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
+            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
+            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+            BUILD_IN_SOURCE 1
+            INSTALL_COMMAND ${CMD_MAKE} install)
+endif ()
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -0,0 +1,26 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
+message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+ExternalProject_Add(
+libyaml
+URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+BUILD_COMMAND ${CMD_MAKE} 
+BUILD_IN_SOURCE 1
+INSTALL_COMMAND ${CMD_MAKE} install)
+
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -17,23 +17,26 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
  # explicitly force this dependency to use the bundled OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
+  if(NOT MINIMAL_BUILD)
+    set(USE_BUNDLED_OPENSSL ON)
+  endif()
+  set(USE_BUNDLED_JQ ON)
 endif()

 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
+# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
+# -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "422ab408c5706fbdd45432646cc197eb79459169")
-  set(SYSDIG_CHECKSUM "SHA256=367db2a480bca327a46f901bcc8384f151231bcddba88c719a06cf13971f4ab5")
+  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
+  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
+                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13

@@ -54,6 +57,9 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")

 # Add libsinsp directory
@@ -64,5 +70,8 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)

 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
+  add_dependencies(scap jq)
+  if(NOT MINIMAL_BUILD)
+    add_dependencies(scap curl grpc)
+  endif()
 endif()
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -34,6 +34,7 @@ case "$CMD" in
    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DBUILD_DRIVER="$BUILD_DRIVER" \
+    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
    -DBUILD_BPF="$BUILD_BPF" \
    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
    -DFALCO_VERSION="$FALCO_VERSION" \
--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,10 +16,14 @@
 # limitations under the License.
 #

+# todo(leogr): remove deprecation notice within a couple of releases
+if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
+fi

-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,9 +17,9 @@
 #


-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -12,50 +12,16 @@ WORKDIR /

 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /

-RUN apt-get update -y && \
-    apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader

 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

 FROM scratch

-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
-    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
-
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
-
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
 COPY --from=ubuntu /falco /

 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms libyaml-0-2 -y
+RUN apt install dkms -y

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms libyaml-0-2 curl -y
+RUN apt install dkms curl -y

 ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
 RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -1,9 +1,11 @@
 #!/usr/bin/env bash

-set -eu -o pipefail
+set -u -o pipefail
+
+BUILD_DIR=${BUILD_DIR:-/build}
+SOURCE_DIR=${SOURCE_DIR:-/source}
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}

-SOURCE_DIR=/source
-BUILD_DIR=/build
 CMD=${1:-test}
 shift

@@ -56,9 +58,11 @@ case "$CMD" in
    fi

    # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    fi

    # check that source directory contains Falco
    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -69,12 +73,14 @@ case "$CMD" in
    # run tests
    echo "Running regression tests ..."
    cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
+    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"

    # clean docker images
-    clean_image "deb"
-    clean_image "rpm"
-    clean_image "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        clean_image "deb"
+        clean_image "rpm"
+        clean_image "tar.gz"
+    fi
    ;;
 "bash")
    CMD=/bin/bash
--- a/falco.yaml
+++ b/falco.yaml
@@ -182,7 +182,8 @@ http_output:
 # grpc:
 #   enabled: true
 #   bind_address: "0.0.0.0:5060"
-#   threadiness: 8
+#   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
+#   threadiness: 0
 #   private_key: "/etc/falco/certs/server.key"
 #   cert_chain: "/etc/falco/certs/server.crt"
 #   root_certs: "/etc/falco/certs/ca.crt"
@@ -191,7 +192,8 @@ http_output:
 grpc:
  enabled: false
  bind_address: "unix:///var/run/falco.sock"
-  threadiness: 8
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0

 # gRPC output service.
 # By default it is off.
--- a/proposals/20200506-artifacts-scope-part-1.md
+++ b/proposals/20200506-artifacts-scope-part-1.md
@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward

-## Summary 
+## Summary

 As a project we would like to support the following artifacts.

@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.

 ## Terms

-**falco** 
+**falco**

 *The Falco binary*

@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.

 **package**

-*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
+*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*

 **image**

 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
- 
+

 # Packages

@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):

 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be

 ### repository

-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.

 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.

@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.

-    
+
 ### Action Items

 Here are SOME of the items that would need to be done, for example:
--- a/proposals/20200818-artifacts-storage.md
+++ b/proposals/20200818-artifacts-storage.md
@@ -0,0 +1,83 @@
+# Falco Artifacts Storage
+
+This document reflects the way we store the Falco artifacts.
+
+## Terms & Definitions
+
+- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
+- Bintray: artifacts distribution platform
+
+## Packages
+
+The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
+
+The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
+
+As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
+
+- DEB
+- RPM
+- Tarball
+
+Thus, we have three repositories for the Falco stable releases:
+
+- https://bintray.com/falcosecurity/deb
+- https://bintray.com/falcosecurity/rpm
+- https://bintray.com/falcosecurity/bin
+
+And three repositories for the Falco development releases:
+
+- https://bintray.com/falcosecurity/deb-dev
+- https://bintray.com/falcosecurity/rpm-dev
+- https://bintray.com/falcosecurity/bin-dev
+
+## Drivers
+
+The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
+
+This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
+
+Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
+
+Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
+
+The driver versions we ship prebuilt drivers for are:
+
+- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
+- the driver version associated with the penultimate Falco stable version
+
+The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
+
+You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
+
+### Notice
+
+The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
+
+Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
+
+Nevertheless, this process is an open, auditable, and transparent one.
+
+So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
+
+Some pull-requests you can look at to create your own are:
+
+- https://github.com/falcosecurity/test-infra/pull/165
+- https://github.com/falcosecurity/test-infra/pull/163
+- https://github.com/falcosecurity/test-infra/pull/162
+
+While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
+
+## Container images
+
+As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
+
+These images are built and published in two cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens (**Falco stable releases**)
+
+For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).
--- a/proposals/20200901-artifacts-cleanup.md
+++ b/proposals/20200901-artifacts-cleanup.md
@@ -0,0 +1,102 @@
+# Falco Artifacts Cleanup
+
+This document reflects when and how we clean up the Falco artifacts from their storage location.
+
+## Motivation
+
+The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
+
+They also kindly granted us an additional 5GB of free space.
+
+## Goal
+
+Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
+
+## Status
+
+To be implemented.
+
+## Packages
+
+### Tarballs from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
+
+Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
+
+This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
+
+### DEB from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
+
+Historically, every Falco release is composed by less than 50 merges (upper limit).
+
+So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
+
+This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
+
+### RPM from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
+
+For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
+
+This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
+
+### Stable releases
+
+This document proposes to retain all the stable releases.
+
+This means that all the Falco packages present in the Falco stable release repositories will be kept.
+
+The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
+This means it grows in space of ~50MB each month.
+
+The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
+This means it grows in space of ~5MB each month.
+
+The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
+This means it grows in space of ~4.3MB each month.
+
+### Considerations
+
+Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
+
+Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
+
+### Implementation
+
+The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
+
+This job will be triggered after the `publish/packages-dev` completed successfully.
+
+## Drivers
+
+As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
+Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
+
+This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
+
+At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
+
+Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
+
+This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
+
+This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
+
+Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
+
+### Archivation
+
+Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
+
+The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
+
+### Implementation
+
+The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
+will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
+
+This job will be triggered after the `drivers/publish` completed successfully on the master branch.
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -37,8 +37,7 @@ if(DEFINED FALCO_COMPONENT)
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
-  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
+# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
 else()
  install(
    FILES falco_rules.yaml
@@ -57,8 +56,8 @@ else()

  install(
    FILES application_rules.yaml
-    DESTINATION "/etc/falco/rules.available"
+    DESTINATION "${FALCO_ETC_DIR}/rules.available"
    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")

-  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,7 +23,7 @@
 # change to this rules file, we'll uncomment this line and set it to
 # the falco engine version in use at the time.
 #
-#- required_engine_version: 2
+- required_engine_version: 7

 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -55,11 +55,12 @@
 - macro: proc_name_exists
  condition: (proc.name!="<NA>")

-# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
 - macro: rename
-  condition: evt.type in (rename, renameat)
+  condition: evt.type in (rename, renameat, renameat2)
+
 - macro: mkdir
  condition: evt.type in (mkdir, mkdirat)
+
 - macro: remove
  condition: evt.type in (rmdir, unlink, unlinkat)

@@ -232,7 +233,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk]
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]

 - macro: package_mgmt_procs
  condition: proc.name in (package_mgmt_binaries)
@@ -343,8 +344,8 @@
 # for efficiency.
 - macro: inbound_outbound
  condition: >
-    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
-     (fd.typechar = 4 or fd.typechar = 6) and
+    ((((evt.type in (accept,listen,connect) and evt.dir=<)) or
+     (fd.typechar = 4 or fd.typechar = 6)) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

@@ -367,7 +368,7 @@
 - rule: Disallowed SSH Connection
  desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
  condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
-  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_remote_service]

@@ -398,7 +399,7 @@
    ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
     (fd.snet in (allowed_outbound_destination_networks)) or
     (fd.sip.name in (allowed_outbound_destination_domains)))
-  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network]

@@ -421,7 +422,7 @@
    ((fd.cip in (allowed_inbound_source_ipaddrs)) or
     (fd.cnet in (allowed_inbound_source_networks)) or
     (fd.cip.name in (allowed_inbound_source_domains)))
-  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
+  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network]

@@ -460,7 +461,7 @@
    and not proc.name in (shell_binaries)
    and not exe_running_docker_save
  output: >
-    a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
  tags: [file, mitre_persistence]
@@ -482,7 +483,7 @@
     fd.directory in (shell_config_directories)) and
    (not proc.name in (shell_binaries))
  output: >
-    a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
  tags: [file, mitre_discovery]
@@ -490,14 +491,18 @@
 - macro: consider_all_cron_jobs
  condition: (never_true)

+- macro: user_known_cron_jobs
+  condition: (never_true)
+
 - rule: Schedule Cron Jobs
  desc: Detect cron jobs scheduled
  condition: >
-    consider_all_cron_jobs and
    ((open_write and fd.name startswith /etc/cron) or
-     (spawned_process and proc.name = "crontab"))
+     (spawned_process and proc.name = "crontab")) and
+    consider_all_cron_jobs and
+    not user_known_cron_jobs
  output: >
-    Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline
+    Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
@@ -507,8 +512,8 @@

 # When displaying container information in the output field, use
 # %container.info, without any leading term (file=%fd.name
-# %container.info user=%user.name, and not file=%fd.name
-# container=%container.info user=%user.name). The output will change
+# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
+# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
 # based on the context and whether or not -pk/-pm/-pc was specified on
 # the command line.
 - macro: container
@@ -691,8 +696,8 @@
 - macro: run_by_foreman
  condition: >
    (user.name=foreman and
-     (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
-     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
+     ((proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
+     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))))

 - macro: java_running_sdjagent
  condition: proc.name=java and proc.cmdline contains sdjagent.jar
@@ -741,6 +746,13 @@
 - macro: runuser_reading_pam
  condition: (proc.name=runuser and fd.directory=/etc/pam.d)

+# CIS Linux Benchmark program
+- macro: linux_bench_reading_etc_shadow
+  condition: ((proc.aname[2]=linux-bench and
+               proc.name in (awk,cut,grep)) and
+              (fd.name=/etc/shadow or
+               fd.directory=/etc/pam.d))
+
 - macro: parent_ucf_writing_conf
  condition: (proc.pname=ucf and proc.aname[2]=frontend)

@@ -863,7 +875,7 @@
    proc.name = "exe"
    and (proc.cmdline contains "/var/lib/docker"
    or proc.cmdline contains "/var/run/docker")
-    and proc.pname in (dockerd, docker)
+    and proc.pname in (dockerd, docker, dockerd-current, docker-current)

 # Ideally we'd have a length check here as well but sysdig
 # filterchecks don't have operators like len()
@@ -923,22 +935,29 @@
  items: [sources.list]

 - list: repository_directories
-  items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
+  items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]

 - macro: access_repositories
-  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
+  condition: (fd.directory in (repository_directories) or
+              (fd.name pmatch (repository_directories) and
+               fd.filename in (repository_files)))

 - macro: modify_repositories
  condition: (evt.arg.newpath pmatch (repository_directories))

+- macro: user_known_update_package_registry
+  condition: (never_true)
+
 - rule: Update Package Repository
  desc: Detect package repositories get updated
  condition: >
    ((open_write and access_repositories) or (modify and modify_repositories))
    and not package_mgmt_procs
+    and not package_mgmt_ancestor_procs
    and not exe_running_docker_save
+    and not user_known_update_package_registry
  output: >
-    Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
+    Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
  priority:
    NOTICE
  tags: [filesystem, mitre_persistence]
@@ -959,7 +978,7 @@
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
-    File below a known binary directory opened for writing (user=%user.name
+    File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence]
@@ -1017,7 +1036,7 @@
    and not cloud_init_writing_ssh
    and not user_known_write_monitored_dir_conditions
  output: >
-    File below a monitored directory opened for writing (user=%user.name
+    File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence]
@@ -1028,15 +1047,19 @@
 - macro: consider_ssh_reads
  condition: (never_true)

+- macro: user_known_read_ssh_information_activities
+  condition: (never_true)
+
 - rule: Read ssh information
  desc: Any attempt to read files below ssh directories by non-ssh programs
  condition: >
-    (consider_ssh_reads and
-     (open_read or open_directory) and
+    ((open_read or open_directory) and
+     consider_ssh_reads and
     (user_ssh_directory or fd.name startswith /root/.ssh) and
-     (not proc.name in (ssh_binaries)))
+     not user_known_read_ssh_information_activities and
+     not proc.name in (ssh_binaries))
  output: >
-    ssh-related file/directory read by non-ssh program (user=%user.name
+    ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_discovery]
@@ -1132,7 +1155,7 @@

 - macro: redis_writing_conf
  condition: >
-    (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)
+    (proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis))

 - macro: openvpn_writing_conf
  condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
@@ -1160,7 +1183,10 @@

 - macro: calico_writing_conf
  condition: >
-    (proc.name = calico-node and fd.name startswith /etc/calico)
+    (((proc.name = calico-node) or
+      (container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
+      (container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
+     and fd.name startswith /etc/calico)

 - macro: prometheus_conf_writing_conf
  condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
@@ -1311,7 +1337,7 @@
 - rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
-  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
+  output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

@@ -1380,6 +1406,9 @@
 - macro: runc_writing_var_lib_docker
  condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)

+- macro: mysqlsh_writing_state
+  condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
+
 - rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: >
@@ -1400,24 +1429,28 @@
    and not calico_writing_state
    and not rancher_writing_root
    and not runc_writing_exec_fifo
+    and not mysqlsh_writing_state
    and not known_root_conditions
    and not user_known_write_root_conditions
    and not user_known_write_below_root_activities
-  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
+  output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

 - macro: cmp_cp_by_passwd
  condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)

+- macro: user_known_read_sensitive_files_activities
+  condition: (never_true)
+
 - rule: Read sensitive file trusted after startup
  desc: >
    an attempt to read any sensitive file (e.g. files containing user/password/authentication
    information) by a trusted program after startup. Trusted programs might read these files
    at startup to load initial state, but not afterwards.
-  condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
+  condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
  output: >
-    Sensitive file opened for reading by trusted program after startup (user=%user.name
+    Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, mitre_credential_access]
@@ -1443,6 +1476,12 @@
 - macro: user_read_sensitive_file_conditions
  condition: cmp_cp_by_passwd

+- list: read_sensitive_file_images
+  items: []
+
+- macro: user_read_sensitive_file_containers
+  condition: (container and container.image.repository in (read_sensitive_file_images))
+
 - rule: Read sensitive file untrusted
  desc: >
    an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1453,7 +1492,9 @@
    and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
     cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
     vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
+     google_oslogin_
+     )
    and not cmp_cp_by_passwd
    and not ansible_running_python
    and not proc.cmdline contains /usr/bin/mandb
@@ -1466,8 +1507,11 @@
    and not veritas_driver_script
    and not perl_running_centrifydc
    and not runuser_reading_pam
+    and not linux_bench_reading_etc_shadow
+    and not user_known_read_sensitive_files_activities
+    and not user_read_sensitive_file_containers
  output: >
-    Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
+    Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name
    command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, mitre_credential_access, mitre_discovery]
@@ -1478,6 +1522,9 @@
     proc.pcmdline = "python -m amazon_linux_extras system_motd" and
     proc.cmdline startswith "python -c import yum;")

+- macro: user_known_write_rpm_database_activities
+  condition: (never_true)
+
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
  desc: an attempt to write to the rpm database by any non-rpm related program
@@ -1488,6 +1535,7 @@
    and not python_running_chef
    and not exe_running_docker_save
    and not amazon_linux_running_python_yum
+    and not user_known_write_rpm_database_activities
  output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, software_mgmt, mitre_persistence]
@@ -1512,6 +1560,9 @@
 - macro: run_by_appdynamics
  condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")

+- macro: user_known_db_spawned_processes
+  condition: (never_true)
+
 - rule: DB program spawned process
  desc: >
    a database-server related program spawned a new process other than itself.
@@ -1521,26 +1572,33 @@
    and spawned_process
    and not proc.name in (db_server_binaries)
    and not postgres_running_wal_e
+    and not user_known_db_spawned_processes
  output: >
-    Database-related program spawned process other than itself (user=%user.name
+    Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
    program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [process, database, mitre_execution]

+- macro: user_known_modify_bin_dir_activities
+  condition: (never_true)
+
 - rule: Modify binary dirs
  desc: an attempt to modify any file below a set of binary directories.
-  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
+  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
  output: >
-    File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
+    File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence]

+- macro: user_known_mkdir_bin_dir_activities
+  condition: (never_true)
+
 - rule: Mkdir binary dirs
  desc: an attempt to create a directory below a set of binary directories.
-  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
+  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
  output: >
-    Directory below known binary directory created (user=%user.name
+    Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence]
@@ -1569,6 +1627,7 @@
    as a part of creating a container) by calling setns.
  condition: >
    evt.type=setns and evt.dir=<
+    and proc_name_exists
    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
    and not proc.name in (user_known_change_thread_namespace_binaries)
@@ -1584,7 +1643,7 @@
    and not weaveworks_scope
    and not user_known_change_thread_namespace_activities
  output: >
-    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
+    Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
  priority: NOTICE
  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
@@ -1730,7 +1789,7 @@
    and not run_by_appdynamics
    and not user_shell_container_exclusions
  output: >
-    Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
+    Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
    aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
  priority: DEBUG
@@ -1794,7 +1853,7 @@
 # In this file, it just takes one of the images in trusted_containers
 # and repeats it.
 - macro: user_trusted_containers
-  condition: (container.image.repository endswith sysdig/agent)
+  condition: (never_true)

 - list: sematext_images
  items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
@@ -1805,10 +1864,29 @@
 # These container images are allowed to run with --privileged
 - list: falco_privileged_images
  items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
-    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
-    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
-    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
+    docker.io/calico/node,
+    docker.io/cloudnativelabs/kube-router,
+    docker.io/docker/ucp-agent,
+    docker.io/falcosecurity/falco,
+    docker.io/mesosphere/mesos-slave,
+    docker.io/rook/toolbox,
+    docker.io/sysdig/falco,
+    docker.io/sysdig/sysdig,
+    falcosecurity/falco,
+    gcr.io/google_containers/kube-proxy,
+    gcr.io/google-containers/startup-script,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/netd-amd64,
+    gcr.io/google-containers/prometheus-to-sd,
+    k8s.gcr.io/ip-masq-agent-amd64,
+    k8s.gcr.io/kube-proxy,
+    k8s.gcr.io/prometheus-to-sd,
+    quay.io/calico/node,
+    sysdig/falco,
+    sysdig/sysdig,
+    sematext_images
    ]

 - macro: falco_privileged_containers
@@ -1817,7 +1895,7 @@
              container.image.repository in (trusted_images) or
              container.image.repository in (falco_privileged_images) or
              container.image.repository startswith istio/proxy_ or
-              container.image.repository startswith quay.io/sysdig)
+              container.image.repository startswith quay.io/sysdig/)

 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1826,7 +1904,7 @@
 # In this file, it just takes one of the images in falco_privileged_images
 # and repeats it.
 - macro: user_privileged_containers
-  condition: (container.image.repository endswith sysdig/agent)
+  condition: (never_true)

 - list: rancher_images
  items: [
@@ -1838,7 +1916,7 @@
 # host filesystem.
 - list: falco_sensitive_mount_images
  items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig,
    gcr.io/google_containers/hyperkube,
    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -1851,11 +1929,20 @@
  condition: (user_trusted_containers or
              container.image.repository in (trusted_images) or
              container.image.repository in (falco_sensitive_mount_images) or
-              container.image.repository startswith quay.io/sysdig)
+              container.image.repository startswith quay.io/sysdig/)

 # These container images are allowed to run with hostnetwork=true
 - list: falco_hostnetwork_images
-  items: []
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/typha,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/ip-masq-agent-amd64
+    k8s.gcr.io/prometheus-to-sd,
+    ]

 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1864,7 +1951,7 @@
 # In this file, it just takes one of the images in falco_sensitive_mount_images
 # and repeats it.
 - macro: user_sensitive_mount_containers
-  condition: (container.image.repository = docker.io/sysdig/agent)
+  condition: (never_true)

 - rule: Launch Privileged Container
  desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
@@ -1873,7 +1960,7 @@
    and container.privileged=true
    and not falco_privileged_containers
    and not user_privileged_containers
-  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]

@@ -1917,7 +2004,7 @@
    and sensitive_mount
    and not falco_sensitive_mount_containers
    and not user_sensitive_mount_containers
-  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
+  output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
  priority: INFO
  tags: [container, cis, mitre_lateral_movement]

@@ -1937,10 +2024,13 @@
  desc: >
    Detect the initial process started by a container that is not in a list of allowed containers.
  condition: container_started and container and not allowed_containers
-  output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [container, mitre_lateral_movement]

+- macro: user_known_system_user_login
+  condition: (never_true)
+
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
 #  output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
@@ -1948,8 +2038,8 @@

 - rule: System user interactive
  desc: an attempt to run interactive commands by a system (i.e. non-login) user
-  condition: spawned_process and system_users and interactive
-  output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
+  condition: spawned_process and system_users and interactive and not user_known_system_user_login
+  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
  priority: INFO
  tags: [users, mitre_remote_access_tools]

@@ -1966,7 +2056,7 @@
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
-    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
+    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]
@@ -2042,7 +2132,7 @@
    and not user_expected_system_procs_network_activity_conditions
  output: >
    Known system binary sent/received network traffic
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_exfiltration]

@@ -2080,7 +2170,7 @@
    proc.env icontains HTTP_PROXY
  output: >
    Program run with disallowed HTTP_PROXY environment variable
-    (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [host, users]

@@ -2103,7 +2193,7 @@
     and interpreted_procs)
  output: >
    Interpreted program received/listened for network traffic
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_exfiltration]

@@ -2114,7 +2204,7 @@
     and interpreted_procs)
  output: >
    Interpreted program performed outgoing network connection
-    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_exfiltration]

@@ -2155,7 +2245,7 @@
  condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
  output: >
    Unexpected UDP Traffic Seen
-    (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_exfiltration]

@@ -2214,11 +2304,14 @@
    and not nrpe_becoming_nagios
    and not user_known_non_sudo_setuid_conditions
  output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
+    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
    command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [users, mitre_privilege_escalation]

+- macro: user_known_user_management_activities
+  condition: (never_true)
+
 - rule: User mgmt binaries
  desc: >
    activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2236,10 +2329,11 @@
    not run_by_sumologic_securefiles and
    not run_by_yum and
    not run_by_ms_oms and
-    not run_by_google_accounts_daemon
+    not run_by_google_accounts_daemon and
+    not user_known_user_management_activities
  output: >
    User management binary command run outside of container
-    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
  priority: NOTICE
  tags: [host, users, mitre_persistence]

@@ -2249,6 +2343,9 @@
    /dev/random, /dev/urandom, /dev/console, /dev/kmsg
    ]

+- macro: user_known_create_files_below_dev_activities
+  condition: (never_true)
+
 # (we may need to add additional checks against false positives, see:
 # https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
 - rule: Create files below dev
@@ -2259,7 +2356,8 @@
    and not proc.name in (dev_creation_binaries)
    and not fd.name in (allowed_dev_files)
    and not fd.name startswith /dev/tty
-  output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
+    and not user_known_create_files_below_dev_activities
+  output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

@@ -2312,15 +2410,25 @@
 - macro: k8s_containers
  condition: >
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
-     gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco,
-     sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
+     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")

+- macro: user_known_contact_k8s_api_server_activities
+  condition: (never_true)
+
 - rule: Contact K8S API Server From Container
  desc: Detect attempts to contact the K8S API Server from a container
-  condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and container and not k8s_containers and k8s_api_server
+  condition: >
+    evt.type=connect and evt.dir=< and 
+    (fd.typechar=4 or fd.typechar=6) and
+    container and 
+    not k8s_containers and
+    k8s_api_server and
+    not user_known_contact_k8s_api_server_activities
  output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
  priority: NOTICE
  tags: [network, k8s, container, mitre_discovery]
@@ -2367,7 +2475,7 @@
    and not package_mgmt_ancestor_procs
    and not user_known_package_manager_in_container
  output: >
-    Package management process launched in container (user=%user.name
+    Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: ERROR
  tags: [process, mitre_persistence]
@@ -2381,17 +2489,20 @@
                              or proc.args contains "-c " or proc.args contains "--lua-exec"))
    )
  output: >
-    Netcat runs inside container that allows remote code execution (user=%user.name
+    Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [network, process, mitre_execution]

+- macro: user_known_network_tool_activities
+  condition: (never_true)
+
 - rule: Launch Suspicious Network Tool in Container
  desc: Detect network tools launched inside container
  condition: >
-    spawned_process and container and network_tool_procs
+    spawned_process and container and network_tool_procs and not user_known_network_tool_activities
  output: >
-    Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: NOTICE
  tags: [network, process, mitre_discovery, mitre_exfiltration]
@@ -2408,9 +2519,10 @@
    spawned_process and
    not container and
    consider_network_tools_on_host and
-    network_tool_procs
+    network_tool_procs and
+    not user_known_network_tool_activities
  output: >
-    Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname)
+    Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname)
  priority: NOTICE
  tags: [network, process, mitre_discovery, mitre_exfiltration]

@@ -2446,7 +2558,7 @@
    )
  output: >
    Grep private keys or passwords activities found
-    (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name
    image=%container.image.repository:%container.image.tag)
  priority:
    WARNING
@@ -2480,7 +2592,7 @@
    not trusted_logging_images and
    not allowed_clear_log_files
  output: >
-    Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
  tags: [file, mitre_defense_evasion]
@@ -2491,11 +2603,14 @@
 - macro: clear_data_procs
  condition: (proc.name in (data_remove_commands))

+- macro: user_known_remove_data_activities
+  condition: (never_true)
+
 - rule: Remove Bulk Data from Disk
  desc: Detect process running to clear bulk data from disk
-  condition: spawned_process and clear_data_procs
+  condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
  output: >
-    Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
  tags: [process, mitre_persistence]
@@ -2522,7 +2637,7 @@
      fd.name contains "fish_read_history" or
      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
  output: >
-    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
  tags: [process, mitre_defense_evasion]
@@ -2535,7 +2650,7 @@
    ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
     (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
  output: >
-    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
  tags: [process, mitre_defense_evasion]
@@ -2563,7 +2678,7 @@
    and not exe_running_docker_save
    and not user_known_set_setuid_or_setgid_bit_conditions
  output: >
-    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
+    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
@@ -2576,16 +2691,19 @@
 - macro: consider_hidden_file_creation
  condition: (never_true)

+- macro: user_known_create_hidden_file_activities
+  condition: (never_true)
+
 - rule: Create Hidden Files or Directories
  desc: Detect hidden files or directories created
  condition: >
-    (consider_hidden_file_creation and (
-      (modify and evt.arg.newpath contains "/.") or
-      (mkdir and evt.arg.path contains "/.") or
-      (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
-    )
+    ((modify and evt.arg.newpath contains "/.") or
+     (mkdir and evt.arg.path contains "/.") or
+     (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
+    consider_hidden_file_creation and
+    not user_known_create_hidden_file_activities
  output: >
-    Hidden file or directory created (user=%user.name command=%proc.cmdline
+    Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
    file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
@@ -2602,7 +2720,7 @@
  condition: >
    spawned_process and container and remote_file_copy_procs
  output: >
-    Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: NOTICE
  tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
@@ -2613,7 +2731,7 @@
    create_symlink and
    (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
  output: >
-    Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
+    Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
  priority: NOTICE
  tags: [file, mitre_exfiltration]

@@ -2700,7 +2818,7 @@
  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

 - macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
+  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco))
  append: false

 # The rule is disabled by default.
@@ -2736,7 +2854,7 @@
 - rule: The docker client is executed in a container
  desc: Detect a k8s client tool executed inside a container
  condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
-  output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
+  output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
  priority: WARNING
  tags: [container, mitre_execution]

@@ -2753,7 +2871,7 @@
 - rule: Packet socket created in container
  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
  condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
-  output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: NOTICE
  tags: [network, mitre_discovery]

@@ -2792,7 +2910,7 @@
    k8s.ns.name in (namespace_scope_network_only_subnet)
  output: >
    Network connection outside local subnet
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
     image=%container.image.repository namespace=%k8s.ns.name
     fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
  priority: WARNING
@@ -2832,16 +2950,19 @@
    not fd.sport in (authorized_server_port)
  output: >
    Network connection outside authorized port and binary
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [network]

+- macro: user_known_stand_streams_redirect_activities
+  condition: (never_true)
+
 - rule: Redirect STDOUT/STDIN to Network Connection in Container
  desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
-  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
+  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
  output: >
-    Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
+    Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
  priority: WARNING

 # The two Container Drift rules below will fire when a new executable is created in a container.
@@ -2852,6 +2973,10 @@
 # Two things to pay attention to:
 #   1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged
 #   2) Drift rules will be noisy in environments in which containers are built (e.g. docker build)
+# These two rules are not enabled by default. Use `never_true` in macro condition to enable them.
+
+- macro: user_known_container_drift_activities
+  condition: (always_true)

 - rule: Container Drift Detected (chmod)
  desc: New executable created in a container due to chmod
@@ -2861,11 +2986,12 @@
    container and
    not runc_writing_exec_fifo and
    not runc_writing_var_lib_docker and
+    not user_known_container_drift_activities and
    evt.rawres>=0 and
    ((evt.arg.mode contains "S_IXUSR") or
    (evt.arg.mode contains "S_IXGRP") or
    (evt.arg.mode contains "S_IXOTH"))
-  output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
  priority: ERROR

 # ****************************************************************************
@@ -2879,8 +3005,9 @@
    container and
    not runc_writing_exec_fifo and
    not runc_writing_var_lib_docker and
+    not user_known_container_drift_activities and
    evt.rawres>=0
-  output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
  priority: ERROR


--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -46,7 +46,10 @@
 - list: allowed_k8s_users
  items: [
    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
+    "kubernetes-admin",
    vertical_pod_autoscaler_users,
+    cluster-autoscaler,
+    system:addon-manager
    ]

 - rule: Disallowed K8s User
@@ -155,10 +158,13 @@
  source: k8s_audit
  tags: [k8s]

+- macro: user_known_node_port_service
+  condition: (k8s_audit_never_true)
+
 - rule: Create NodePort Service
  desc: >
    Detect an attempt to start a service with a NodePort service type
-  condition: kevt and service and kcreate and ka.req.service.type=NodePort
+  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
  priority: WARNING
  source: k8s_audit
@@ -201,15 +207,31 @@
 # attach request was created privileged or not. For now, we have a
 # less severe rule that detects attaches/execs to any pod.

+- macro: user_known_exec_pod_activities
+  condition: (k8s_audit_never_true)
+
 - rule: Attach/Exec Pod
  desc: >
    Detect any attempt to attach/exec to a pod
-  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach)
+  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]

+- macro: user_known_pod_debug_activities
+  condition: (k8s_audit_never_true)
+
+# Only works when feature gate EphemeralContainers is enabled
+- rule: EphemeralContainers Created
+  desc: >
+    Detect any ephemeral container created
+  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
  items: [kube-system, kube-public, default]
@@ -222,19 +244,63 @@
  source: k8s_audit
  tags: [k8s]

+# Only defined for backwards compatibility. Use the more specific
+# user_allowed_kube_namespace_image_list instead.
+- list: user_trusted_image_list
+  items: []
+
+- list: user_allowed_kube_namespace_image_list
+  items: [user_trusted_image_list]
+
+# Only defined for backwards compatibility. Use the more specific
+# allowed_kube_namespace_image_list instead.
+- list: k8s_image_list
+  items: []
+
+- list: allowed_kube_namespace_image_list
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/addon-resizer,
+    gke.gcr.io/heapster,
+    gke.gcr.io/gke-metadata-server,
+    k8s.gcr.io/ip-masq-agent-amd64,
+    k8s.gcr.io/kube-apiserver,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/addon-resizer
+    k8s.gcr.io/prometheus-to-sd,
+    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
+    k8s.gcr.io/k8s-dns-kube-dns-amd64,
+    k8s.gcr.io/k8s-dns-sidecar-amd64,
+    k8s.gcr.io/metrics-server-amd64,
+    kope/kube-apiserver-healthcheck,
+    k8s_image_list
+    ]
+
+- macro: allowed_kube_namespace_pods
+  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
+              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
+
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

+- list: user_known_sa_list
+  items: []
+
+- macro: trusted_sa
+  condition: (ka.target.name in (user_known_sa_list))
+
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
  priority: WARNING
  source: k8s_audit
@@ -245,7 +311,8 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
+             not ka.target.name in (system:coredns, system:managed-certificate-controller)
  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
  priority: WARNING
  source: k8s_audit
@@ -476,8 +543,6 @@
  source: k8s_audit
  tags: [k8s]

-
-
 - macro: ingress
  condition: ka.target.resource=ingresses

@@ -513,8 +578,6 @@
  priority: WARNING
  tags: [k8s, network]

-
-
 - macro: node
  condition: ka.target.resource=nodes

--- a/scripts/cleanup
+++ b/scripts/cleanup
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+usage() {
+    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
+    exit 1
+}
+
+user=poiana
+
+# Get the versions to delete.
+#
+# $1: repository to lookup
+# $2: number of versions to skip.
+get_versions() {
+    # The API endpoint returns the Falco package versions sort by most recent.
+    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
+}
+
+# Remove all the versions (${all[@]} array).
+#
+# $1: repository containing the versions.
+rem_versions() {
+    for i in "${!all[@]}";
+    do
+        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
+    done
+}
+
+while getopts ":p::r:" opt; do
+    case "${opt}" in
+        p )
+          pass=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${pass}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+skip=51
+if [[ "${repo}" == "bin-dev" ]]; then
+    skip=11
+fi
+
+get_versions "${repo}" ${skip}
+echo "number of versions to delete: ${#all[@]}"
+rem_versions "${repo}"
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -143,33 +143,41 @@ load_kernel_module_compile() {
 	# skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
-	else
-		if hash dkms &>/dev/null; then
-				echo "* Trying to dkms install ${DRIVER_NAME} module"
-			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
-				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
-					exit 0
-				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
-					exit 0
-				else
-					echo "* Unable to insmod ${DRIVER_NAME} module"
-				fi
+		return
+	fi
+
+	if ! hash dkms &>/dev/null; then
+		echo "* Skipping dkms install (dkms not found)"
+		return
+	fi
+
+	# try to compile using all the available gcc versions
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
+		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
+		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
+		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
+		chmod +x /tmp/falco-dkms-make
+		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+				exit 0
+			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+				exit 0
 			else
-				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-				if [ -f "${DKMS_LOG}" ]; then
-					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
-					cat "${DKMS_LOG}"
-				else
-					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
-				fi
+				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
 		else
-			echo "* Skipping dkms install (dkms not found)"
+			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+			if [ -f "${DKMS_LOG}" ]; then
+				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+				cat "${DKMS_LOG}"
+			else
+				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+			fi
 		fi
-	fi
+	done
 }

 load_kernel_module_download() {
@@ -473,9 +481,8 @@ else
 	FALCO_DRIVER_CURL_OPTIONS=-fsS
 fi

-MAX_RMMOD_WAIT=60
-if [[ $# -ge 1 ]]; then
-	MAX_RMMOD_WAIT=$1
+if [[ -z "$MAX_RMMOD_WAIT" ]]; then
+	MAX_RMMOD_WAIT=60
 fi

 DRIVER_VERSION="@PROBE_VERSION@"
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1 +1,4 @@
 add_subdirectory(trace_files)
+
+add_custom_target(test-trace-files ALL)
+add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)
--- a/test/README.md
+++ b/test/README.md
@@ -7,13 +7,25 @@ You can find instructions on how to run this test suite on the Falco website [he
 ## Test suites

 - [falco_tests](./falco_tests.yaml)
- [falco_traces](./falco_traces.yaml)
+- [falco_traces](./falco_traces.yaml.in)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
 - [falco_tests_psp](./falco_tests_psp.yaml)

 ## Running locally

+This step assumes you already built Falco.
+
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+
+Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
+
+```console
+make test-trace-files
+```
+
+It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
+
 Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):

 ```console
@@ -32,8 +44,72 @@ In case you want to only execute a specific test case, use the `--mux-filter-onl
 BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
 ```

-To obtain the path of all the available variants, execute:
+To obtain the path of all the available variants for a given test suite, execute:

 ```console
-avocado variants --mux-yaml falco_test.yaml
-```
+avocado variants --mux-yaml falco_tests.yaml
+```
+
+### falco_traces
+
+The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
+
+1. Ensure you have `unzip` and `xargs` utilities
+2. Prepare the test suite with the following command:
+
+    ```console
+    bash run_regression_tests.sh -p -v
+    ```
+
+### falco_tests_package
+
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+
+In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
+
+1. Ensure you have `docker` up and running
+2. Ensure you build Falco (with bundled deps)
+
+    The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
+    ```
+
+3. Ensure you build the Falco packages from the Falco above:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
+    ```
+
+4. Ensure you build the runners:
+
+    ```console
+    FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version  | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+    mkdir -p /tmp/runners-rootfs
+    cp -R ./test/rules /tmp/runners-rootfs
+    cp -R ./test/trace_files /tmp/runners-rootfs
+    cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
+    ```
+
+5. Run the `falco_tests_package.yaml` test suite from the `test` directory
+
+    ```console
+    cd test
+    BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
+    ```
+
+### Execute all the test suites
+
+In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
+
+```console
+cd test
+./run_regression_tests.sh -v
+```
+
+Just make sure you followed all the previous setup steps.
--- a/test/driver-loader/run_test.sh
+++ b/test/driver-loader/run_test.sh
@@ -20,17 +20,17 @@ set -euo pipefail
 BUILD_DIR=$1

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
+SCRIPTDIR=$(dirname "$SCRIPT")
 RUNNERDIR="${SCRIPTDIR}/runner"
 FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"

 cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
-pushd ${RUNNERDIR}
+pushd "${RUNNERDIR}"
 docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
    -t falcosecurity/falco:test-driver-loader \
-    -f "${RUNNERDIR}/Dockerfile" ${RUNNERDIR}
+    -f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
 popd
 rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"

--- a/test/driver-loader/runner/Dockerfile
+++ b/test/driver-loader/runner/Dockerfile
@@ -10,7 +10,6 @@ ENV HOST_ROOT=/host
 RUN apt-get update -y
 RUN apt-get install -y --no-install-recommends \
 	ca-certificates \
-	libyaml-0-2 \
 	dkms \
 	curl \
 	gcc \
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/test/rules/detect_connect_using_in.yaml
+++ b/test/rules/detect_connect_using_in.yaml
@@ -18,5 +18,5 @@
  desc: Detect any connect to the localhost network, using fd.net and the in operator
  condition: evt.type=connect and fd.net in ("127.0.0.1/24")
  output: Program connected to localhost network
-    (user=%user.name command=%proc.cmdline connection=%fd.name)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
  priority: INFO
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,45 +18,53 @@
 set -euo pipefail

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
-BUILD_DIR=$1
-BRANCH=${2:-none}
+SCRIPTDIR=$(dirname "$SCRIPT")
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}

-TRACE_DIR=$BUILD_DIR/test
-
-mkdir -p $TRACE_DIR
+# Trace file tarballs are now versioned. Any time a substantial change
+# is made that affects the interaction of rules+engine and the trace
+# files here, upload a new trace file zip file and change the version
+# suffix here.
+TRACE_FILES_VERSION=20200831

 function download_trace_files() {
-    echo "branch=$BRANCH"
    for TRACE in traces-positive traces-negative traces-info ; do
-	if [ ! -e $TRACE_DIR/$TRACE ]; then
-	    if [ $BRANCH != "none" ]; then
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$BRANCH.zip
-	    else
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
-	    fi
-	    unzip -d $TRACE_DIR $TRACE_DIR/$TRACE.zip
-	    rm -rf $TRACE_DIR/$TRACE.zip
-	fi
+    if [ ! -e "$TRACE_DIR/$TRACE" ]; then
+        if [ "$OPT_BRANCH" != "none" ]; then
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
+        else
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
+        fi
+        unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
+        rm -rf "$TRACE_DIR/$TRACE.zip"
+    else
+        if ${OPT_VERBOSE}; then
+            echo "Trace directory $TRACE_DIR/$TRACE already exist: skipping"
+        fi
+    fi
    done
 }

 function prepare_multiplex_fileset() {
-
    dir=$1
    detect=$2

-    for trace in $TRACE_DIR/$dir/*.scap ; do
-	[ -e "$trace" ] || continue
-	NAME=`basename $trace .scap`
+    for trace in "$TRACE_DIR/$dir"/*.scap ; do
+        [ -e "$trace" ] || continue
+        NAME=$(basename "$trace" .scap)

-	# falco_traces.yaml might already have an entry for this trace
-	# file, with specific detection levels and counts. If so, skip
-	# it. Otherwise, add a generic entry showing whether or not to
-	# detect anything.
-	grep -q "$NAME:" $SCRIPTDIR/falco_traces.yaml && continue
+        # falco_traces.yaml might already have an entry for this trace file, with specific detection levels and counts.
+        # If so, skip it.
+        # Otherwise, add a generic entry showing whether or not to detect anything.
+        if grep -q "$NAME:" "$SCRIPTDIR/falco_traces.yaml"; then
+            if ${OPT_VERBOSE}; then
+                echo "Entry $NAME already exist: skipping"
+            fi
+            continue
+        fi
+
+        cat << EOF >> "$SCRIPTDIR/falco_traces.yaml"

-	cat << EOF >> $SCRIPTDIR/falco_traces.yaml
  $NAME:
    detect: $detect
    detect_level: WARNING
@@ -66,41 +74,102 @@ EOF
 }

 function prepare_multiplex_file() {
-    cp $SCRIPTDIR/falco_traces.yaml.in $SCRIPTDIR/falco_traces.yaml
+    /bin/cp -f "$SCRIPTDIR/falco_traces.yaml.in" "$SCRIPTDIR/falco_traces.yaml"

    prepare_multiplex_fileset traces-positive True
    prepare_multiplex_fileset traces-negative False
    prepare_multiplex_fileset traces-info True

-    echo "Contents of $SCRIPTDIR/falco_traces.yaml:"
-    cat $SCRIPTDIR/falco_traces.yaml
+    if ${OPT_VERBOSE}; then
+        echo "Contents of $SCRIPTDIR/falco_traces.yaml"
+        cat "$SCRIPTDIR/falco_traces.yaml"
+    fi
 }

 function print_test_failure_details() {
    echo "Showing full job logs for any tests that failed:"
-    jq '.tests[] | select(.status != "PASS") | .logfile' $SCRIPTDIR/job-results/latest/results.json  | xargs cat
+    jq '.tests[] | select(.status != "PASS") | .logfile' "$SCRIPTDIR/job-results/latest/results.json" | xargs cat
 }

 function run_tests() {
    rm -rf /tmp/falco_outputs
    mkdir /tmp/falco_outputs
-    # If we got this far, we can undo set -e, as we're watching the
-    # return status when running avocado.
+    # If we got this far, we can undo set -e,
+    # as we're watching the return status when running avocado.
    set +e
    TEST_RC=0
-    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
-	CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
-	echo "Running: $CMD"
-	BUILD_DIR=${BUILD_DIR} $CMD
-	RC=$?
-	TEST_RC=$((TEST_RC+$RC))
-	if [ $RC -ne 0 ]; then
-	    print_test_failure_details
-	fi
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
+
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        suites+=($SCRIPTDIR/falco_tests_package.yaml)
+    fi
+    
+    for mult in "${suites[@]}"; do
+        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        echo "Running $CMD"
+        BUILD_DIR=${OPT_BUILD_DIR} $CMD
+        RC=$?
+        TEST_RC=$((TEST_RC+RC))
+        if [ $RC -ne 0 ]; then
+            print_test_failure_details
+        fi
    done
 }

+OPT_ONLY_PREPARE="false"
+OPT_VERBOSE="false"
+OPT_BUILD_DIR="$(dirname "$SCRIPTDIR")/build"
+OPT_BRANCH="none"
+while getopts ':p :h :v :b: :d:' 'OPTKEY'; do
+    case ${OPTKEY} in
+        'p')
+            OPT_ONLY_PREPARE="true"
+            ;;
+        'h')
+            /bin/bash usage
+            exit 0
+            ;;
+        'v')
+            OPT_VERBOSE="true"
+            ;;
+        'd')
+            OPT_BUILD_DIR=${OPTARG}
+            ;;
+        'b')
+            OPT_BRANCH=${OPTARG}
+            ;;
+        '?')
+            echo "Invalid option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        ':')
+            echo "Missing argument for option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        *)
+            echo "Unimplemented option: ${OPTKEY}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        esac
+done
+
+TRACE_DIR=$OPT_BUILD_DIR/test
+
+if ${OPT_VERBOSE}; then
+    echo "Build directory = $OPT_BUILD_DIR"
+    echo "Trace directory = $TRACE_DIR"
+    echo "Custom branch   = $OPT_BRANCH"
+fi
+
+mkdir -p "$TRACE_DIR"
+
 download_trace_files
 prepare_multiplex_file
-run_tests
-exit $TEST_RC
+
+if ! ${OPT_ONLY_PREPARE}; then
+    run_tests
+    exit $TEST_RC
+fi
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,5 +1,6 @@
 add_subdirectory(k8s_audit)
 add_subdirectory(psp)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
@@ -11,4 +12,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-base-scap ALL)
+add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})
--- a/test/trace_files/k8s_audit/CMakeLists.txt
+++ b/test/trace_files/k8s_audit/CMakeLists.txt
@@ -9,4 +9,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-k8s-audit ALL)
+add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})
--- a/test/trace_files/psp/CMakeLists.txt
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -10,4 +10,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-psp ALL)
+add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})
--- a/test/usage
+++ b/test/usage
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+cat <<EOF
+Hello, this is Falco integration tests runner.
+
+SYNOPSIS
+
+    bash run_regression_tests.sh [-h] [-v] [-p] [-d=<build directory>] [-b=<custom branch>]
+
+DESCRIPTION
+
+    -h                      Display usage instructions
+    -v                      Verbose output
+    -p                      Prepare the falco_traces integration test suite
+    -b=CUSTOM_BRANCH        Specify a custom branch for downloading falco_traces fixtures (defaults to "none")
+    -d=BUILD_DIRECTORY      Specify the build directory where Falco has been built (defaults to $SCRIPTDIR/../build)
+EOF
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -14,7 +14,11 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 #
-set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
+if(MINIMAL_BUILD)
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp)
+else()
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
+endif()

 set(FALCO_TESTED_LIBRARIES falco_engine)

@@ -35,14 +39,25 @@ if(FALCO_BUILD_TESTS)
  add_executable(falco_test ${FALCO_TESTS_SOURCES})

  target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-  target_include_directories(
-    falco_test
-    PUBLIC "${CATCH2_INCLUDE}"
-           "${FAKEIT_INCLUDE}"
-           "${PROJECT_SOURCE_DIR}/userspace/engine"
-           "${YAMLCPP_INCLUDE_DIR}"
-           "${CIVETWEB_INCLUDE_DIR}"
-           "${PROJECT_SOURCE_DIR}/userspace/falco")
+
+  if(MINIMAL_BUILD)
+    target_include_directories(
+      falco_test
+      PUBLIC "${CATCH2_INCLUDE}"
+            "${FAKEIT_INCLUDE}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  else()
+    target_include_directories(
+      falco_test
+      PUBLIC "${CATCH2_INCLUDE}"
+            "${FAKEIT_INCLUDE}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${CIVETWEB_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  endif()
  add_dependencies(falco_test catch2)

  include(CMakeParseArguments)
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -23,18 +23,36 @@ set(FALCO_ENGINE_SOURCE_FILES
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
 add_dependencies(falco_engine njson lyaml lpeg string-view-lite)

-target_include_directories(
-  falco_engine
-  PUBLIC
-    "${LUAJIT_INCLUDE}"
-    "${NJSON_INCLUDE}"
-    "${CURL_INCLUDE_DIR}"
-    "${TBB_INCLUDE_DIR}"
-    "${STRING_VIEW_LITE_INCLUDE}"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-    "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-    "${PROJECT_BINARY_DIR}/userspace/engine")
+if(USE_BUNDLED_DEPS)
+  add_dependencies(falco_engine libyaml)
+endif()
+
+if(MINIMAL_BUILD)
+  target_include_directories(
+    falco_engine
+    PUBLIC
+      "${LUAJIT_INCLUDE}"
+      "${NJSON_INCLUDE}"
+      "${TBB_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${PROJECT_BINARY_DIR}/userspace/engine")
+else()
+  target_include_directories(
+    falco_engine
+    PUBLIC
+      "${LUAJIT_INCLUDE}"
+      "${NJSON_INCLUDE}"
+      "${CURL_INCLUDE_DIR}"
+      "${TBB_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${PROJECT_BINARY_DIR}/userspace/engine")
+endif()

 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}")

--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ limitations under the License.

 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (6)
+#define FALCO_ENGINE_VERSION (7)

 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
--- a/userspace/engine/falco_utils.cpp
+++ b/userspace/engine/falco_utils.cpp
@@ -52,6 +52,12 @@ std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t ind
 	return ret;
 }

+uint32_t hardware_concurrency()
+{
+	auto hc = std::thread::hardware_concurrency();
+	return hc ? hc : 1;
+}
+
 void readfile(const std::string& filename, std::string& data)
 {
 	std::ifstream file(filename.c_str(), std::ios::in);
--- a/userspace/engine/falco_utils.h
+++ b/userspace/engine/falco_utils.h
@@ -21,6 +21,7 @@ limitations under the License.
 #include <fstream>
 #include <iostream>
 #include <string>
+#include <thread>
 #include <nonstd/string_view.hpp>

 #pragma once
@@ -34,6 +35,9 @@ namespace utils
 std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t indent, uint32_t line_len);

 void readfile(const std::string& filename, std::string& data);
+
+uint32_t hardware_concurrency();
+
 namespace network
 {
 static const std::string UNIX_SCHEME("unix://");
--- a/userspace/engine/json_evt.cpp
+++ b/userspace/engine/json_evt.cpp
@@ -45,7 +45,7 @@ const json &json_event::jevt()
 	return m_jevt;
 }

-uint64_t json_event::get_ts()
+uint64_t json_event::get_ts() const
 {
 	return m_event_ts;
 }
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@@ -38,14 +38,14 @@ public:
 	void set_jevt(nlohmann::json &evt, uint64_t ts);
 	const nlohmann::json &jevt();

-	uint64_t get_ts();
+	uint64_t get_ts() const;

-	inline uint16_t get_source()
+	inline uint16_t get_source() const
 	{
 		return ESRC_K8S_AUDIT;
 	}

-	inline uint16_t get_type()
+	inline uint16_t get_type() const
 	{
 		// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
 		return 1;
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -13,32 +13,35 @@

 configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)

-add_custom_command(
-  OUTPUT
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-  COMMENT "Generate gRPC API"
-  # Falco gRPC Version API
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  # Falco gRPC Outputs API
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-          ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    OUTPUT
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+    COMMENT "Generate gRPC API"
+    # Falco gRPC Version API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Outputs API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+endif()

+if(MINIMAL_BUILD)
 add_executable(
  falco
  configuration.cpp
@@ -47,63 +50,109 @@ add_executable(
  event_drops.cpp
  statsfilewriter.cpp
  falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
-  webserver.cpp
-  grpc_context.cpp
-  grpc_server_impl.cpp
-  grpc_request_context.cpp
-  grpc_server.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
+else()
+  add_executable(
+    falco
+    configuration.cpp
+    logger.cpp
+    falco_outputs.cpp
+    event_drops.cpp
+    statsfilewriter.cpp
+    falco.cpp
+    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+    webserver.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
+    grpc_request_context.cpp
+    grpc_server.cpp
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)

-add_dependencies(falco civetweb string-view-lite)
+    add_dependencies(falco civetweb)
+endif()
+
+add_dependencies(falco string-view-lite)

 if(USE_BUNDLED_DEPS)
  add_dependencies(falco yamlcpp)
 endif()

-target_include_directories(
-  falco
-  PUBLIC
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-    "${PROJECT_SOURCE_DIR}/userspace/engine"
-    "${PROJECT_BINARY_DIR}/userspace/falco"
-    "${PROJECT_BINARY_DIR}/driver/src"
-    "${STRING_VIEW_LITE_INCLUDE}"
-    "${YAMLCPP_INCLUDE_DIR}"
-    "${CIVETWEB_INCLUDE_DIR}"
-    "${GRPC_INCLUDE}"
-    "${GRPCPP_INCLUDE}"
-    "${PROTOBUF_INCLUDE}"
-    "${CMAKE_CURRENT_BINARY_DIR}"
-    "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+if(MINIMAL_BUILD)
+  target_include_directories(
+    falco
+    PUBLIC
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
+      "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_BINARY_DIR}/driver/src"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")

-target_link_libraries(
-  falco
-  falco_engine
-  sinsp
-  "${GPR_LIB}"
-  "${GRPC_LIB}"
-  "${GRPCPP_LIB}"
-  "${PROTOBUF_LIB}"
-  "${LIBYAML_LIB}"
-  "${YAMLCPP_LIB}"
-  "${CIVETWEB_LIB}")
+  target_link_libraries(
+    falco
+    falco_engine
+    sinsp
+    "${LIBYAML_LIB}"
+    "${YAMLCPP_LIB}")
+else()
+  target_include_directories(
+    falco
+    PUBLIC
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
+      "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_BINARY_DIR}/driver/src"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${CIVETWEB_INCLUDE_DIR}"
+      "${OPENSSL_INCLUDE_DIR}"
+      "${GRPC_INCLUDE}"
+      "${GRPCPP_INCLUDE}"
+      "${PROTOBUF_INCLUDE}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+
+  target_link_libraries(
+    falco
+    falco_engine
+    sinsp
+    "${GPR_LIB}"
+    "${GRPC_LIB}"
+    "${GRPCPP_LIB}"
+    "${PROTOBUF_LIB}"
+    "${OPENSSL_LIBRARY_SSL}"
+    "${OPENSSL_LIBRARY_CRYPTO}"
+    "${LIBYAML_LIB}"
+    "${YAMLCPP_LIB}"
+    "${CIVETWEB_LIB}")
+endif()

 configure_file(config_falco.h.in config_falco.h)

-add_custom_command(
-  TARGET falco
-  COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY}
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-  COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    TARGET falco
+    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+else()
+  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()

-# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h)
-
-# add_dependencies(verify_engine_fields falco)
+# strip the Falco binary when releasing using musl
+if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
+  add_custom_command(
+    TARGET falco
+    POST_BUILD
+    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
+    COMMENT "Strip the Falco binary when releasing the musl build")
+endif()

 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
 install(
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ limitations under the License.
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include "falco_utils.h"

 #include "configuration.h"
 #include "logger.h"
@@ -148,11 +149,12 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	m_grpc_enabled = m_config->get_scalar<bool>("grpc", "enabled", false);
 	m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
-	m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 8); // todo > limit it to avoid overshubscription? std::thread::hardware_concurrency()
+	m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 0);
 	if(m_grpc_threadiness == 0)
 	{
-		throw logic_error("error reading config file (" + m_config_file + "): gRPC threadiness must be greater than 0");
+		m_grpc_threadiness = falco::utils::hardware_concurrency();
 	}
+	// todo > else limit threadiness to avoid oversubscription?
 	m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "/etc/falco/certs/server.key");
 	m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
 	m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");
@@ -344,4 +346,4 @@ void falco_configuration::set_cmdline_option(const string &opt)
 	{
 		m_config->set_scalar(keyval.first, keyval.second);
 	}
-}
+}
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -206,7 +206,7 @@ public:
 	bool m_time_format_iso_8601;

 	bool m_grpc_enabled;
-	int m_grpc_threadiness;
+	uint32_t m_grpc_threadiness;
 	std::string m_grpc_bind_address;
 	std::string m_grpc_private_key;
 	std::string m_grpc_cert_chain;
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -43,8 +43,10 @@ limitations under the License.
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
+#ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
+#endif
 #include "banned.h" // This raises a compilation error when certain functions are used

 typedef function<void(sinsp* inspector)> open_t;
@@ -104,6 +106,7 @@ static void usage()
 	   "                               Can not be specified with -t.\n"
 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
 	   "                               k8s audit events) instead of tapping into live.\n"
+#ifndef MINIMAL_BUILD
 	   " -k <url>, --k8s-api <url>\n"
 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
       "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
@@ -117,15 +120,18 @@ static void usage()
 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
 	   "                               ':' or '#' characters in the file name.\n"
+#endif
 	   " -L                            Show the name and description of all rules and exit.\n"
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
 	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
 	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
+#ifndef MINIMAL_BUILD
 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
 	   "                               Enable Mesos support by connecting to the API server\n"
 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
+#endif
 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
 	   " -N                            When used with --list, only print field names.\n"
 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
@@ -140,9 +146,9 @@ static void usage()
 	   " -P, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
       " -r <rules_file>               Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
       "                               Can be specified multiple times to read from multiple files/directories.\n"
-	   " -s <stats_file>               If specified, write statistics related to falco's reading/processing of events\n"
-	   "                               to this file. (Only useful in live mode).\n"
-	   " --stats_interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
+	   " -s <stats_file>               If specified, append statistics related to Falco's reading/processing of events\n"
+	   "                               to this file (only useful in live mode).\n"
+	   " --stats-interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
 	   "                               This uses signals, so don't recommend intervals below 200 ms.\n"
 	   "                               Defaults to 5000 (5 seconds).\n"
 	   " -S <len>, --snaplen <len>\n"
@@ -158,6 +164,8 @@ static void usage()
 	   "                               This causes every single line emitted by falco to be flushed,\n"
 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
 	   "                               into another process or into a script.\n"
+	   " -u, --userspace               Parse events from userspace.\n"
+	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
 	   "                               Can be specified multiple times to validate multiple files.\n"
 	   " -v                            Verbose output.\n"
@@ -183,6 +191,7 @@ static void display_fatal_err(const string &msg)
 // Splitting into key=value or key.subkey=value will be handled by configuration class.
 std::list<string> cmdline_options;

+#ifndef MINIMAL_BUILD
 // Read a jsonl file containing k8s audit events and pass each to the engine.
 void read_k8s_audit_trace_file(falco_engine *engine,
 			       falco_outputs *outputs,
@@ -211,6 +220,7 @@ void read_k8s_audit_trace_file(falco_engine *engine,
 		}
 	}
 }
+#endif

 static std::string read_file(std::string filename)
 {
@@ -427,9 +437,11 @@ int falco_init(int argc, char **argv)
 	bool verbose = false;
 	bool names_only = false;
 	bool all_events = false;
+#ifndef MINIMAL_BUILD
 	string* k8s_api = 0;
 	string* k8s_api_cert = 0;
 	string* mesos_api = 0;
+#endif
 	string output_format = "";
 	uint32_t snaplen = 0;
 	bool replace_container_info = false;
@@ -443,6 +455,7 @@ int falco_init(int argc, char **argv)
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
+	bool userspace = false;

 	// Used for writing trace files
 	int duration_seconds = 0;
@@ -458,9 +471,11 @@ int falco_init(int argc, char **argv)
 	double duration;
 	scap_stats cstats;

+#ifndef MINIMAL_BUILD
 	falco_webserver webserver;
 	falco::grpc::server grpc_server;
 	std::thread grpc_server_thread;
+#endif

 	static struct option long_options[] =
 	{
@@ -479,9 +494,10 @@ int falco_init(int argc, char **argv)
        {"print-base64", no_argument, 0, 'b'},
        {"print", required_argument, 0, 'p'},
        {"snaplen", required_argument, 0, 'S'},
-        {"stats_interval", required_argument, 0},
+        {"stats-interval", required_argument, 0},
        {"support", no_argument, 0},
        {"unbuffered", no_argument, 0, 'U'},
+        {"userspace", no_argument, 0, 'u'},
        {"validate", required_argument, 0, 'V'},
        {"version", no_argument, 0, 0},
        {"writefile", required_argument, 0, 'w'},
@@ -500,7 +516,7 @@ int falco_init(int argc, char **argv)
 		// Parse the args
 		//
 		while((op = getopt_long(argc, argv,
-                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UvV:w:",
+                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
                                        long_options, &long_index)) != -1)
 		{
 			switch(op)
@@ -526,8 +542,10 @@ int falco_init(int argc, char **argv)
 				break;
 			case 'e':
 				trace_filename = optarg;
+#ifndef MINIMAL_BUILD
 				k8s_api = new string();
 				mesos_api = new string();
+#endif
 				break;
 			case 'F':
 				list_flds = optarg;
@@ -535,21 +553,25 @@ int falco_init(int argc, char **argv)
 			case 'i':
 				print_ignored_events = true;
 				break;
+#ifndef MINIMAL_BUILD
 			case 'k':
 				k8s_api = new string(optarg);
 				break;
 			case 'K':
 				k8s_api_cert = new string(optarg);
 				break;
+#endif
 			case 'L':
 				describe_all_rules = true;
 				break;
 			case 'l':
 				describe_rule = optarg;
 				break;
+#ifndef MINIMAL_BUILD
 			case 'm':
 				mesos_api = new string(optarg);
 				break;
+#endif
 			case 'M':
 				duration_to_tot = atoi(optarg);
 				if(duration_to_tot <= 0)
@@ -607,6 +629,9 @@ int falco_init(int argc, char **argv)
 				buffered_outputs = false;
 				buffered_cmdline = true;
 				break;
+			case 'u':
+				userspace = true;
+				break;
 			case 'v':
 				verbose = true;
 				break;
@@ -646,7 +671,7 @@ int falco_init(int argc, char **argv)
 						list_flds_source = optarg;
 					}
 				}
-				else if (string(long_options[long_index].name) == "stats_interval")
+				else if (string(long_options[long_index].name) == "stats-interval")
 				{
 					stats_interval = atoi(optarg);
 				}
@@ -795,12 +820,16 @@ int falco_init(int argc, char **argv)
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);

 			// log after config init because config determines where logs go
+			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 		}
 		else
 		{
 			config.init(cmdline_options);
 			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
+
+			// log after config init because config determines where logs go
+			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
 			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}

@@ -1063,6 +1092,12 @@ int falco_init(int argc, char **argv)

 			if(!trace_is_scap)
 			{
+#ifdef MINIMAL_BUILD
+				// Note that the webserver is not available when MINIMAL_BUILD is defined.
+				fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build");
+				result = EXIT_FAILURE;
+				goto exit;
+#else
 				try {
 					string line;
 					nlohmann::json j;
@@ -1087,11 +1122,22 @@ int falco_init(int argc, char **argv)
 					result = EXIT_FAILURE;
 					goto exit;
 				}
+#endif
 			}
 		}
 		else
 		{
-			open_t open_cb = [](sinsp* inspector) {
+			open_t open_cb = [&userspace](sinsp* inspector)
+			{
+				if(userspace)
+				{
+					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+					//
+					// Falco uses a ptrace(2) based userspace implementation.
+					// Regardless of the implementation, the underlying method remains the same.
+					inspector->open_udig();
+					return;
+				}
 				inspector->open();
 			};
 			open_t open_nodriver_cb = [](sinsp* inspector) {
@@ -1116,11 +1162,20 @@ int falco_init(int argc, char **argv)
 			}
 			catch(sinsp_exception &e)
 			{
-				if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+				// If syscall input source is enabled and not through userspace instrumentation
+				if (!disable_syscall && !userspace)
 				{
-					falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+					// Try to insert the Falco kernel module
+					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+					{
+						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
+					}
+					open_f(inspector);
+				} 
+				else 
+				{
+					rethrow_exception(current_exception());
 				}
-				open_f(inspector);
 			}
 		}

@@ -1138,8 +1193,9 @@ int falco_init(int argc, char **argv)

 		duration = ((double)clock()) / CLOCKS_PER_SEC;

+#ifndef MINIMAL_BUILD
 		//
-		// run k8s, if required
+		// Run k8s, if required
 		//
 		if(k8s_api)
 		{
@@ -1178,7 +1234,7 @@ int falco_init(int argc, char **argv)
 		}

 		//
-		// run mesos, if required
+		// Run mesos, if required
 		//
 		if(mesos_api)
 		{
@@ -1206,6 +1262,7 @@ int falco_init(int argc, char **argv)
 		// gRPC server
 		if(config.m_grpc_enabled)
 		{
+			falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(config.m_grpc_threadiness) + "\n");
 			// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
 			// different queuing mechanisms, round robin, fanout? What we want to achieve?
 			grpc_server.init(
@@ -1220,12 +1277,15 @@ int falco_init(int argc, char **argv)
 				grpc_server.run();
 			});
 		}
+#endif

 		if(!trace_filename.empty() && !trace_is_scap)
 		{
+#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
+#endif
 		}
 		else
 		{
@@ -1263,7 +1323,7 @@ int falco_init(int argc, char **argv)
 		// Honor -M also when using a trace file.
 		// Since inspection stops as soon as all events have been consumed
 		// just await the given duration is reached, if needed.
-		if(!trace_filename.empty() && duration_to_tot>0) 
+		if(!trace_filename.empty() && duration_to_tot>0)
 		{
 			std::this_thread::sleep_for(std::chrono::seconds(duration_to_tot));
 		}
@@ -1271,12 +1331,14 @@ int falco_init(int argc, char **argv)
 		inspector->close();
 		engine->print_stats();
 		sdropmgr.print_stats();
+#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
+#endif
 	}
 	catch(exception &e)
 	{
@@ -1284,12 +1346,14 @@ int falco_init(int argc, char **argv)

 		result = EXIT_FAILURE;

+#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
+#endif
 	}

 exit:
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -14,7 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

+#ifndef MINIMAL_BUILD
 #include <google/protobuf/util/time_util.h>
+#endif

 #include "falco_outputs.h"

@@ -22,15 +24,19 @@ limitations under the License.

 #include "formats.h"
 #include "logger.h"
+#ifndef MINIMAL_BUILD
 #include "falco_outputs_queue.h"
+#endif
 #include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;

 const static struct luaL_reg ll_falco_outputs [] =
 {
+#ifndef MINIMAL_BUILD
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
+#endif
 	{NULL, NULL}
 };

@@ -259,6 +265,7 @@ void falco_outputs::reopen_outputs()
 	}
 }

+#ifndef MINIMAL_BUILD
 int falco_outputs::handle_http(lua_State *ls)
 {
 	CURL *curl = NULL;
@@ -369,3 +376,4 @@ int falco_outputs::handle_grpc(lua_State *ls)

 	return 1;
 }
+#endif
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -74,8 +74,10 @@ public:

 	void reopen_outputs();

+#ifndef MINIMAL_BUILD
 	static int handle_http(lua_State *ls);
 	static int handle_grpc(lua_State *ls);
+#endif

 private:

--- a/userspace/falco/lua/output.lua
+++ b/userspace/falco/lua/output.lua
@@ -18,7 +18,7 @@ local mod = {}
 local outputs = {}

 function mod.stdout(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.stdout_message(priority, priority_num, msg, outputs)
+   mod.stdout_message(priority, priority_num, msg, options)
 end

 function mod.stdout_message(priority, priority_num, msg, options)
--- a/userspace/falco/statsfilewriter.cpp
+++ b/userspace/falco/statsfilewriter.cpp
@@ -58,8 +58,8 @@ bool StatsFileWriter::init(sinsp *inspector, string &filename, uint32_t interval
 		return false;
 	}

-	timer.it_value.tv_sec = 0;
-	timer.it_value.tv_usec = interval_msec * 1000;
+	timer.it_value.tv_sec = interval_msec / 1000;
+	timer.it_value.tv_usec = (interval_msec % 1000) * 1000;
 	timer.it_interval = timer.it_value;
 	if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
 	{
--- a/userspace/falco/verify_engine_fields.sh
+++ b/userspace/falco/verify_engine_fields.sh
@@ -1,19 +1,12 @@
-#!/bin/sh
+#!/bin/env/bash

 set -euo pipefail

 SOURCE_DIR=$1
-OPENSSL=$2

-if ! command -v "${OPENSSL}" version > /dev/null 2>&1; then
-    echo "No openssl command at ${OPENSSL}"
-    exit 1
-fi
-
-NEW_CHECKSUM=$(./falco --list -N | ${OPENSSL} dgst -sha256 | awk '{print $2}')
+NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')

-
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then
    echo "Set of fields supported has changed (new checksum $NEW_CHECKSUM != old checksum $CUR_CHECKSUM)."
    echo "Update checksum and/or version in falco_engine_version.h."