fix(metrics/prometheus): adopt best prometheus practices for rules counters and sha256 file metrics

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>

.circleci/config.yml

@@ -1,232 +0,0 @@
-version: 2.1
-jobs:
-  "build-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: arm.large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path to the source code
-      - checkout:
-          path: /tmp/source-arm64/falco
-
-      # Build the skeleton
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source-arm64/falco/skeleton-build
-            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            FALCO_VERSION=$(cat /tmp/source-arm64/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build-arm64/release
-            - source-arm64
-
-  # Build a statically linked Falco release binary using musl
-  # This build is 100% static, there are no host dependencies
-  "build-musl":
-    docker:
-      - image: alpine:3.17
-    resource_class: large
-    steps:
-      - checkout:
-          path: /source-static/falco
-      - run:
-          name: Update base image
-          command: apk update
-      - run:
-          name: Install build dependencies
-          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-      - run:
-          name: Prepare project
-          command: |
-            mkdir -p /build-static/release
-            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
-      - run:
-          name: Build
-          command: |
-            cd /build-static/release
-            make -j6 all
-      - run:
-          name: Package
-          command: |
-            cd /build-static/release
-            make -j6 package
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build-static/release/*.tar.gz /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build-static/release
-            - source-static
-
-  # This build is static, dependencies are bundled in the Falco binary
-  "build-centos7":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path for the source code
-      - checkout:
-          path: /tmp/source/falco
-
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source/falco/skeleton-build
-            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            FALCO_VERSION=$(cat /tmp/source/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build/release
-            - source
-
-  # Execute integration tests based on the build results coming from the "build-centos7" job
-  "tests-integration":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source"
-          BUILD_DIR: "/build"
-          BUILD_TYPE: "release"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build/release/integration-tests-xunit
-  "tests-integration-static":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source-static"
-          BUILD_DIR: "/build-static"
-          BUILD_TYPE: "release"
-          SKIP_PACKAGES_TESTS: "true"
-          SKIP_PLUGINS_TESTS: "true"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build-static/release/integration-tests-xunit
-  # Execute integration tests based on the build results coming from the "build-arm64" job
-  "tests-integration-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2004:202101-01
-    resource_class: arm.medium
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Execute integration tests
-          command: |
-            docker run -e BUILD_TYPE="release" -e BUILD_DIR="/build" -e SOURCE_DIR="/source" -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-tester:latest \
-              test
-      - store_test_results:
-          path: /tmp/build-arm64/release/integration-tests-xunit
-  "tests-driver-loader-integration":
-    machine:
-      image: ubuntu-2004:202107-02
-    steps:
-      - attach_workspace:
-          at: /tmp/ws
-      - run:
-          name: Execute driver-loader integration tests
-          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-
-workflows:
-  version: 2.1
-  build_and_test:
-    jobs:
-      - "build-musl"
-      - "build-arm64"
-      - "build-centos7"
-      - "tests-integration":
-          requires:
-            - "build-centos7"
-      - "tests-integration-arm64":
-          requires:
-            - "build-arm64"
-      - "tests-integration-static":
-          requires:
-            - "build-musl"
-      - "tests-driver-loader-integration":
-          requires:
-            - "build-centos7"

.github/release_template.md

@@ -0,0 +1,21 @@
+[![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/LIBSVER)
+[![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/DRIVERVER)
+
+| Packages | Download                                                                                                                                               |
+| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
+| deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
+| tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
+| rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
+| deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
+| tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
+
+| Images                                                                      |
+| --------------------------------------------------------------------------- |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER`                           |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                      |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`             |
+| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER`      |
+| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER`                 |
+| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER`                |
+

.github/workflows/ci.yml

@@ -1,7 +1,9 @@
 name: CI Build
 on:
   pull_request:
-    branches: [master]
+    branches:
+      - master
+      - release/*
   workflow_dispatch:
 
 # Checks if any concurrent jobs under the same pull request or branch are being executed
@@ -11,104 +13,149 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  build-minimal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml
+
+  build-dev-packages-sanitizers-x86_64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: true
+
+  build-dev-packages-x86_64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Release
+
+  build-dev-packages-arm64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+      build_type: Debug
+      sanitizers: false
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages-sanitizers-x86_64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
+    with:
+      arch: x86_64
+      sanitizers: true
+      # static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+    with:
+      arch: aarch64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  build-dev-minimal:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: true
+      build_type: Debug
+
+  build-dev-minimal-arm64:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: aarch64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: true
+      build_type: Debug
+
+  # builds using system deps, checking out the PR's code
+  # note: this also runs a command that generates an output of form: "<engine_version> <some_hash>",
+  # of which <some_hash> is computed by hashing in order the following:
+  # - Driver schema version supported by the built-in falcosecurity/libs
+  # - The supported event types usable in Falco rules (evt.type=xxx)
+  # - The supported rules fields with their name, type, and description
+  build-dev:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: false
+      sanitizers: true
+      build_type: Debug
+      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
+
+  # checks the falco engine checksum for consistency
+  check-engine-checksum:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout PR head ref
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-
-      - name: Prepare project
+      - name: Check Engine checksum
         run: |
-          mkdir build-minimal
-          pushd build-minimal
-          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
+          prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          
+          echo "encoded checksum: $prev_hash"
+          echo "current checksum: $cur_hash"
+          if [ $prev_hash != $cur_hash ]; then
+            echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
+            exit 1
+          else
+            echo "current and encoded engine checksum are matching"
+          fi
 
-      - name: Build
-        run: |
-          pushd build-minimal
-          make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build-minimal
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+  # checks the falco engine version and enforce bumping when necessary
+  check-engine-version:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout base ref
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.base_ref }}
 
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
+      - name: Check Engine version
         run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
+          base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          base_engine_ver_major=$(grep ENGINE_VERSION_MAJOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_minor=$(grep ENGINE_VERSION_MINOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_patch=$(grep ENGINE_VERSION_PATCH "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver="${base_engine_ver_major}.${base_engine_ver_minor}.${base_engine_ver_patch}"
 
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          cur_engine_ver=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 1)
 
-      - name: Run unit tests
-        run: |
-          pushd build
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal-debug:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
-        run: |
-          mkdir build
-          pushd build
-          cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build
-          sudo ./unit_tests/falco_unit_tests 
-          popd
+          echo "baseref checksum: $base_hash"
+          echo "baseref engine version: $base_engine_ver"
+          echo "headref checksum: $cur_hash"
+          echo "headref engine version: $cur_engine_ver"
+          if [ "$base_hash" != "$cur_hash" ]; then
+              echo "engine checksum for baseref and headref differ"
+              if [ "$base_engine_ver" == "$cur_engine_ver" ]; then
+                  echo "engine version must be bumped"
+                  exit 1
+              else
+                  echo "engine version for baseref and headref differ too, so no bump is required"
+              fi
+          fi

.github/workflows/codeql.yaml

@@ -21,7 +21,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -36,19 +36,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       with:
         fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
@@ -56,20 +56,15 @@ jobs:
       run: sudo apt update -y
 
     - name: Install build dependencies
-      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
 
     - name: Prepare project
       run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On ..
-          popd
+          cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
 
     - name: Build
       run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5

.github/workflows/codespell.yml

@@ -5,8 +5,8 @@ jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: codespell-project/actions-codespell@master
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
       with:
         skip: .git
         ignore_words_file: .codespellignore

.github/workflows/engine-version-weakcheck.yaml

@@ -0,0 +1,41 @@
+# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!
+# DO NOT TOUCH THIS FILE UNLESS THE TRIGGER IS CHANGED.
+# See warning in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+
+name: Engine version checks (weak)
+on:
+  pull_request_target:
+    paths:
+      - 'userspace/engine/*.cpp'
+      - 'userspace/engine/*.h'
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      engine_version_changed: ${{ steps.filter.outputs.engine_version }}
+    steps:
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+      id: filter
+      with:
+        filters: |
+          engine_version:
+            - 'userspace/engine/falco_engine_version.h'
+
+  check-engine-version-weak:
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+    needs: paths-filter
+    if: needs.paths-filter.outputs.engine_version_changed == 'false'
+    steps:
+      - name: Check driver Falco engine version
+        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        with:
+          message: |
+            This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
+
+            Please double check **userspace/engine/falco_engine_version.h** file. See [versioning for FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-repo-this-repo).
+
+            /hold

.github/workflows/images_bumper.yml

@@ -1,64 +0,0 @@
-name: Builder and Tester Images Bumper
-
-on:
-  push:
-    branches: [master]
-
-jobs:
-  paths-filter:
-    runs-on: ubuntu-latest
-    outputs:
-      builder_changed: ${{ steps.filter.outputs.builder }}
-      tester_changed: ${{ steps.filter.outputs.tester }}
-    steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
-      id: filter
-      with:
-        filters: |
-          builder:
-            - 'docker/builder/**'
-          tester:
-            - 'docker/tester/**'
-
-  update-builder-tester-images:
-    runs-on: ubuntu-22.04
-    needs: paths-filter
-    if: needs.paths-filter.outputs.builder_changed == 'true' || needs.paths-filter.outputs.tester_changed == 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_SECRET }}
-          
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: 'amd64,arm64'
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      
-      - name: Build and push new builder image
-        if: needs.paths-filter.outputs.builder_changed == 'true'
-        uses: docker/build-push-action@v3
-        with:
-          context: docker/builder
-          platforms: linux/amd64,linux/arm64
-          tags: latest
-          push: true
-
-      - name: Build and push new tester image
-        if: needs.paths-filter.outputs.tester_changed == 'true'
-        uses: docker/build-push-action@v3
-        with:
-          context: docker/tester
-          platforms: linux/amd64,linux/arm64
-          tags: latest
-          push: true

.github/workflows/insecure-api.yaml

@@ -0,0 +1,26 @@
+name: Insecure API check
+on:
+  pull_request:
+    branches:
+      - master
+      - 'release/**'
+      - 'maintainers/**'
+
+jobs:
+  insecure-api:
+    name: check-insecure-api
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep:1.41.0@sha256:85956fbe795a0e8a3825d5252f175887c0e0c6ce7a766a07062c0fb68415cd67
+    steps:
+      - name: Checkout Falco ⤵️
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+      - name: Scan PR for insecure API usage 🕵️
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config=./semgrep

.github/workflows/master.yaml

@@ -9,37 +9,8 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  # We need to use an ubuntu-latest to fetch Falco version because
-  # Falco version is computed by some cmake scripts that do git sorceries
-  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
-  # fully clone the repo, but uses http rest api instead.
   fetch-version:
-    runs-on: ubuntu-latest
-    # Map the job outputs to step outputs
-    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          
-      - name: Install build dependencies
-        run: |
-          sudo apt update 
-          sudo apt install -y cmake build-essential
-      
-      - name: Configure project
-        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
-      - name: Load and store Falco version output
-        id: store_version
-        run: |
-          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT     
+    uses: ./.github/workflows/reusable_fetch_version.yaml 
 
   build-dev-packages:
     needs: [fetch-version]
@@ -56,9 +27,30 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
     secrets: inherit
-    
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
+    with:
+      arch: x86_64
+      # static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+  
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
   publish-dev-packages:
-    needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
+    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'

.github/workflows/release.yaml

@@ -65,9 +65,31 @@ jobs:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
     secrets: inherit
+
+  test-packages:
+    needs: [release-settings, build-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
+    with:
+      arch: x86_64
+      # static: ${{ matrix.static != '' && true || false }}
+      version: ${{ github.event.release.tag_name }}
+  
+  test-packages-arm64:
+    needs: [release-settings, build-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ github.event.release.tag_name }}
     
   publish-packages:
-    needs: [release-settings, build-packages, build-packages-arm64]
+    needs: [release-settings, test-packages, test-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
@@ -103,3 +125,47 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
+      
+  release-body:
+    needs: [release-settings, publish-docker]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+          
+      - name: Extract LIBS and DRIVER versions
+        run: |
+          cp .github/release_template.md release-body.md
+          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
+          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
+          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
+          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
+          
+      - name: Append release matrixes
+        run: |
+          sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
+          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
+          
+      - name: Generate release notes
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
+        with:
+          milestone: ${{ github.event.release.tag_name }}
+          output: ./notes.md
+        
+      - name: Merge release notes to pre existent body
+        run: cat notes.md >> release-body.md
+        
+      - name: Attach release creator to release body
+        run: |
+          echo "" >> release-body.md
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
+        
+      - name: Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        with:
+          body_path: ./release-body.md
+          tag_name: ${{ github.event.release.tag_name }}
+          name: ${{ github.event.release.name }}

.github/workflows/reusable_build_dev.yaml

@@ -0,0 +1,90 @@
+# This is a reusable workflow used by the master CI
+on:
+  workflow_call:
+    outputs:
+      cmdout:
+        description: "Post-build command output"
+        value: ${{ jobs.build-and-test.outputs.cmdout }}
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      minimal:
+        description: Minimal build
+        required: true
+        type: boolean
+      sanitizers:
+        description: Enable sanitizer support
+        required: false
+        default: false
+        type: boolean
+      build_type:
+        description: One of 'Debug' or 'Release'
+        required: true
+        type: string
+      git_ref:
+        description: Git ref used for checking out the code
+        required: true
+        type: string
+      cmd:
+        description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
+        required: false
+        default: ''
+        type: string
+
+jobs:
+  build-and-test:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    outputs:
+      cmdout: ${{ steps.run_cmd.outputs.out }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.git_ref }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libelf-dev libyaml-cpp-dev cmake build-essential git -y
+
+      - name: Install build dependencies (non-minimal)
+        if: inputs.minimal != true
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S .\
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DBUILD_FALCO_MODERN_BPF=Off \
+            -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_BUNDLED_DEPS=Off \
+            -DUSE_BUNDLED_NLOHMANN_JSON=On \
+            -DUSE_BUNDLED_CXXOPTS=On \
+            -DUSE_BUNDLED_CPPHTTPLIB=On \
+
+      - name: Build
+        run: |
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests
+          popd
+
+      - name: Run command
+        id: run_cmd
+        if: inputs.cmd != ''
+        run: |
+          OUT=$(${{ inputs.cmd }})
+          echo "out=${OUT}" >> $GITHUB_OUTPUT

.github/workflows/reusable_build_docker.yaml

@@ -27,15 +27,15 @@ on:
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
     env:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
           
       - name: Build no-driver image
         run: |
@@ -46,6 +46,16 @@ jobs:
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
+
+      - name: Build distroless image
+        run: |
+          cd ${{ github.workspace }}/docker/no-driver/
+          docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
             
       - name: Build falco image
         run: |
@@ -65,9 +75,20 @@ jobs:
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
-            
+
+      - name: Build falco-driver-loader-legacy image
+        run: |
+          cd ${{ github.workspace }}/docker/driver-loader-legacy/
+          docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
+
       - name: Upload images tarballs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-images
           path: /tmp/falco-*.tar
+          retention-days: 1

.github/workflows/reusable_build_packages.yaml

@@ -10,115 +10,145 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
+      build_type:
+        description: The build type
+        required: false
+        type: string
+        default: 'Release'
+      sanitizers:
+        description: enable sanitizer support
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
     container: fedora:latest
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
-    
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Build modern BPF skeleton
         run: |
-          mkdir skeleton-build && cd skeleton-build
-          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
-          make ProbeSkeleton -j6
-          
+          cmake -B skeleton-build -S . \
+                -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
+          cmake --build skeleton-build --target ProbeSkeleton -j6
+
       - name: Upload skeleton
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
-          
+          retention-days: 1
+
   build-packages:
+    env:
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
     needs: [build-modern-bpf-skeleton]
     container: centos:7
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Install build dependencies
+      - name: Fix mirrors to use vault.centos.org
+        run: |
+          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
+          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
+          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
+
+      - name: Install scl repos
         run: |
           yum -y install centos-release-scl
+
+      - name: Fix new mirrors to use vault.centos.org
+        run: |
+          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
+          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
+          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
+
+      - name: Fix arm64 scl repos to use correct mirror
+        if: inputs.arch == 'aarch64'
+        run: |
+          sed -i 's/vault.centos.org\/centos/vault.centos.org\/altarch/g' /etc/yum.repos.d/CentOS-SCLo-scl*.repo
+
+      - name: Install build deps
+        run: |
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build
-    
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
+
       - name: Checkout
-        uses: actions/checkout@v3
-    
+        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
       - name: Download skeleton
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: /tmp
-          
+
       - name: Install updated cmake
         run: |
-          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
-          gzip -d /tmp/cmake.tar.gz
-          tar -xpf /tmp/cmake.tar --directory=/tmp
-          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
-          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
-    
+          curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
+            | tar --directory=/usr --strip-components=1 -xzp
+
       - name: Prepare project
         run: |
-          mkdir build && cd build
           source /opt/rh/devtoolset-9/enable
-          cmake \
-              -DCMAKE_BUILD_TYPE=Release \
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
-              -DBUILD_FALCO_MODERN_BPF=ON \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DFALCO_VERSION=${{ inputs.version }} \
-              ..
-              
+              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
+              -DFALCO_VERSION=${{ inputs.version }}
+
       - name: Build project
         run: |
-          cd build
           source /opt/rh/devtoolset-9/enable
-          make falco -j6
-      
+          cmake --build build --target falco -j6
+
       - name: Build packages
         run: |
-          cd build
           source /opt/rh/devtoolset-9/enable
-          make package
+          cmake --build build --target package
 
       - name: Upload Falco tar.gz package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-*.tar.gz
-            
+
       - name: Upload Falco deb package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.deb
           path: |
             ${{ github.workspace }}/build/falco-*.deb
-      
+
       - name: Upload Falco rpm package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.rpm
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
-            
+
+  # The musl build job is currently disabled because we link libelf dynamically and it is
+  # not possible to dynamically link with musl
   build-musl-package:
     # x86_64 only for now
-    if: ${{ inputs.arch == 'x86_64' }}
+    # if: ${{ inputs.arch == 'x86_64' }}
+    if: false
     runs-on: ubuntu-latest
     container: alpine:3.17
     steps:
@@ -126,35 +156,154 @@ jobs:
       - name: Install build dependencies
         run: |
           apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-    
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-          
+
       - name: Prepare project
         run: |
-          mkdir build && cd build
-          cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
-          
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+                -DCPACK_GENERATOR=TGZ \
+                -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
+                -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
+
       - name: Build project
         run: |
-          cd build
-          make -j6 all
-      
+          cmake --build build -j6
+
       - name: Build packages
         run: |
-          cd build
-          make -j6 package
+          cmake --build build -j6 --target package
 
       - name: Rename static package
         run: |
           cd build
-          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
-          
+          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
+
       - name: Upload Falco static package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
+
+  build-wasm-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: ubuntu-latest
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          sudo apt update
+          sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
+
+      - name: Select node version
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: 14
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Prepare project
+        run: |
+          emcmake cmake -B build -S . \
+            -DBUILD_BPF=Off \
+            -DBUILD_DRIVER=Off \
+            -DBUILD_FALCO_MODERN_BPF=Off \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DUSE_BUNDLED_DEPS=On \
+            -DFALCO_ETC_DIR=/etc/falco \
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cd build
+          emmake make -j6 all
+
+      - name: Run unit Tests
+        run: |
+          cd build
+          node ./unit_tests/falco_unit_tests.js
+
+      - name: Build packages
+        run: |
+          cd build
+          emmake make -j6 package
+
+      - name: Upload Falco WASM package
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: falco-${{ inputs.version }}-wasm.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
+
+  build-win32-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      # NOTE: Backslash doesn't work as line continuation on Windows.
+      - name: Prepare project
+        run: |
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target package --config ${{ inputs.build_type }}
+
+      - name: Run unit Tests
+        run: |
+          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
+
+      - name: Upload Falco win32 installer
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: falco-installer-${{ inputs.version }}-win32.exe
+          path: build/falco-*.exe
+
+      - name: Upload Falco win32 package
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: falco-${{ inputs.version }}-win32.exe
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
+
+  build-macos-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S . \
+                -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target package
+
+      - name: Run unit Tests
+        run: |
+          sudo build/unit_tests/falco_unit_tests
+
+      - name: Upload Falco macos package
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: falco-${{ inputs.version }}-macos
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/falco

.github/workflows/reusable_fetch_version.yaml

@@ -0,0 +1,39 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "Falco version"
+        value: ${{ jobs.fetch-version.outputs.version }}
+
+jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not
+  # fully clone the repo, but uses http rest api instead.
+  fetch-version:
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install build dependencies
+        run: |
+          sudo apt update
+          sudo apt install -y cmake build-essential
+
+      - name: Configure project
+        run: |
+          cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off
+
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_docker.yaml

@@ -26,10 +26,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
     
       - name: Download images tarballs
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-images
           path: /tmp/falco-images
@@ -39,13 +39,13 @@ jobs:
           for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
     
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
       
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
           aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
@@ -57,7 +57,7 @@ jobs:
           registry-type: public    
       
       - name: Setup Crane
-        uses: imjasonh/setup-crane@v0.3
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
         with:
           version: v0.15.1
 
@@ -66,68 +66,93 @@ jobs:
         run: |
           docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
 
       - name: Create no-driver manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
           push: true
+
+      - name: Create distroless manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
+          push: true
           
       - name: Tag slim manifest on Docker Hub
         run: |
           crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
 
       - name: Create falco manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           push: true
           
       - name: Create falco-driver-loader manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
           push: true
 
+      - name: Create falco-driver-loader-legacy manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+          push: true
+
       - name: Get Digests for images
         id: digests
+        # We could probably use the docker-manifest-action output instead of recomputing those with crane
         run: |
           echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
 
       - name: Publish images to ECR
         run: |
           crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
           crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
 
       - name: Tag latest on Docker Hub and ECR
         if: inputs.is_latest
         run: |
           crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
 
           crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
 
       - name: Setup Cosign
         if: inputs.sign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: v2.0.2
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       - name: Sign images with cosign
         if: inputs.sign
@@ -136,9 +161,13 @@ jobs:
           COSIGN_YES: "true"
         run: |
           cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
           cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
           cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
 
           cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
           cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
           cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}

.github/workflows/reusable_publish_packages.yaml

@@ -23,122 +23,124 @@ env:
 jobs:
   publish-packages:
     runs-on: ubuntu-latest
-    container: docker.io/centos:7
+    container: docker.io/library/fedora:38
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
-          yum install epel-release -y
-          yum update -y
-          yum install rpm-sign expect which createrepo gpg python python-pip -y
-          pip install awscli==1.19.47
+          dnf install rpm-sign expect which createrepo gpg python python-pip -y
+          pip install awscli==1.29.60
 
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
           aws-region: ${{ env.AWS_S3_REGION }}    
           
       - name: Download RPM x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
-          path: /tmp/falco-rpm
+          path: /tmp/falco-build-rpm
 
       - name: Download RPM aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
-          path: /tmp/falco-rpm
+          path: /tmp/falco-build-rpm
 
       - name: Download binary x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
-          path: /tmp/falco-bin
+          path: /tmp/falco-build-bin
 
       - name: Download binary aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
-          path: /tmp/falco-bin
+          path: /tmp/falco-build-bin
 
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Download static binary x86_64
-        uses: actions/download-artifact@v3
+        if: false
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
-          path: /tmp/falco-bin-static
-        
-      - name: Import gpg key 
+          path: /tmp/falco-build-bin-static
+
+      - name: Download WASM package
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: falco-${{ inputs.version }}-wasm.tar.gz
+          path: /tmp/falco-wasm
+
+      - name: Import gpg key
         env:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
-        
+
       - name: Sign rpms
         run: |
-          echo "%_signature gpg" > ~/.rpmmacros
-          echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-          echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
-          cat > ~/sign <<EOF
-          #!/usr/bin/expect -f
-          spawn rpmsign --addsign {*}\$argv
-          expect -exact "Enter pass phrase: "
-          send -- "\n"
-          expect eof
-          EOF
-          chmod +x ~/sign
-          ~/sign /tmp/falco-rpm/falco-*.rpm
-          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-rpm/falco-*.rpm | grep SHA256
+          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
+          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+
+      - name: Publish wasm
+        run: |
+          ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz
           
       - name: Publish rpm
         run: |
-          ./scripts/publish-rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
+          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
       
       - name: Publish bin
         run: |
-          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-          
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
+
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Publish static
+        if: false
         run: |
-          ./scripts/publish-bin -f /tmp/falco-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          
+          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+
   publish-packages-deb:
     runs-on: ubuntu-latest
     container: docker.io/debian:stable
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
           apt update -y
-          apt-get install apt-utils bzip2 gpg python python3-pip -y
-          pip install awscli
+          apt-get install apt-utils bzip2 gpg awscli -y
       
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
           aws-region: ${{ env.AWS_S3_REGION }}     
       
       - name: Download deb x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
-          path: /tmp/falco-deb
+          path: /tmp/falco-build-deb
 
       - name: Download deb aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
-          path: /tmp/falco-deb
+          path: /tmp/falco-build-deb
 
       - name: Import gpg key 
         env:
@@ -147,4 +149,4 @@ jobs:
           
       - name: Publish deb
         run: |
-          ./scripts/publish-deb -f /tmp/falco-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}
+          ./scripts/publish-deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}

.github/workflows/reusable_test_packages.yaml

@@ -0,0 +1,64 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      static:
+        description: Falco packages use a static build
+        required: false
+        type: boolean
+        default: false
+      version:
+        description: The Falco version to use when testing packages
+        required: true
+        type: string
+      sanitizers:
+        description: Use sanitizer enabled build
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  test-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    steps:
+      - name: Download binary
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
+      
+      - name: Install Falco package
+        run: |
+          ls falco-*.tar.gz
+          tar -xvf $(ls falco-*.tar.gz)
+          cd falco-${{ inputs.version }}-${{ inputs.arch }}
+          sudo cp -r * /
+     
+      # We only run driver loader tests on x86_64
+      - name: Install kernel headers for falco-driver-loader tests
+        if: ${{ inputs.arch == 'x86_64' }}
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+      # Some builds use sanitizers, we always install support for them so they can run
+      - name: Install sanitizer support
+        run: |
+          sudo apt update -y
+          sudo apt install -y libasan5 libubsan1
+          
+      - name: Run tests
+        env:
+          LSAN_OPTIONS: "intercept_tls_get_addr=0"
+        uses: falcosecurity/testing@main    
+        with:
+          test-falco: 'true'
+          test-falcoctl: 'true'
+          test-k8saudit: 'true'
+          static: ${{ inputs.static && 'true' || 'false' }}
+          test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
+          show-all: 'true'

.github/workflows/scorecard.yaml

@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    # Weekly on Mondays at 00:00.
+    - cron: '0 0 * * 1'
+
+  # The OSSF recommendation encourages to enable branch protection rules trigger
+  # to update the scorecard
+  # (https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
+  # but due to our GitHub org management this check is triggered too often and is
+  # therefore disabled.
+  # branch_protection_rule:
+  
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif
+

.github/workflows/staticanalysis.yaml

@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: Checkout ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
@@ -19,13 +19,14 @@ jobs:
 
       - name: Build and run cppcheck 🏎️
         run: |
-          mkdir build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
-          make -j4 cppcheck
-          make -j4 cppcheck_htmlreport
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE="release" \
+                -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off
+          cmake --build build -j4 --target cppcheck
+          cmake --build build -j4 --target cppcheck_htmlreport
 
       - name: Upload reports ⬆️
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: static-analysis-reports
           path: ./build/static-analysis-reports

.gitignore

@@ -2,14 +2,7 @@
 *~
 *.pyc
 
-test/traces-negative
-test/traces-positive
-test/traces-info
-test/job-results
-test/.phoronix-test-suite
-test/results*.json.*
-test/build
-
 .vscode/*
 
 *.idea*
+CMakeUserPresets.json

ADOPTERS.md

@@ -68,12 +68,18 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
 
-* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
-
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
+* [Thales Group](https://www.thalesgroup.com) Thales is a global technology leader with more than 81,000 employees on five continents. The Thales Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust. In the past few years, the Cloud-Native paradigms and its frameworks and tools have challenged the way applications and services are developed, delivered, and instantiated. All sorts of services are container-based workloads managed by higher level layers of orchestration such as the Kubernetes environment. Thales is committed to develop Cloud-Native services and to provide its customers with security features that ensure their applications and services are protected against cyber threats. Falco is a framework that can help Thales' products and services reach the level of trust, security and safety our clients need.
+
+* [Thought Machine](https://www.thoughtmachine.net) Thought Machine builds Vault Core and Vault Payments: cloud-native core and payments technology enabling banks and fintechs to remain competitive and flourish into the future. Vault Core and Vault Payments are the foundation layer of a bank's technology stack. They can run any bank, any product, and any payment set. Thought Machine uses Falco to perform cloud agnostic real time detections of suspicious container behaviour.
+
+* [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).
+
 * [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
 
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
@@ -82,6 +88,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [StackRox](https://stackrox.io) is the industry’s first Kubernetes-native security platform enabling organizations to build, deploy, and run cloud-native applications securely. The platform works with Kubernetes environments and integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. StackRox aims to harness containerized applications’ development speed while giving operations and security teams greater context and risk profiling. StackRox leverages cloud-native principles and declarative artifacts to automate DevSecOps best practices.
 
+* [Wireshark](https://www.wireshark.org) is the world's most powerful and popular network protocol analyzer. The Wireshark team is combining Wireshark's features and Falco libs to create Logray, a cloud and system log analyzer with advanced filtering, capture, and scripting capabilities.
+
 ## Adding a name
 
 If you would like to add your name to this file, submit a pull request with your change.

CHANGELOG.md

@@ -1,5 +1,611 @@
 # Change Log
 
+## v0.38.1
+
+Released on 2024-06-19
+
+### Major Changes
+
+* new(metrics): enable plugins metrics [[#3228](https://github.com/falcosecurity/falco/pull/3228)] - [@mrgian](https://github.com/mrgian)
+
+
+### Minor Changes
+
+* cleanup(falco): clarify that --print variants only affect syscalls [[#3238](https://github.com/falcosecurity/falco/pull/3238)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [[#3239](https://github.com/falcosecurity/falco/pull/3239)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Bug Fixes
+
+* fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [[#3236](https://github.com/falcosecurity/falco/pull/3236)] - [@mrgian](https://github.com/mrgian)
+* fix(metrics): allow each metric output channel to be selected independently [[#3232](https://github.com/falcosecurity/falco/pull/3232)] - [@incertum](https://github.com/incertum)
+* fix(userspace/falco): fixed `falco_metrics::to_text` implementation when running with plugins [[#3230](https://github.com/falcosecurity/falco/pull/3230)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      6 |
+| Total           |      6 |
+
+## v0.38.0
+
+Released on 2024-05-30
+
+### Breaking Changes :warning:
+
+* new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [[#3154](https://github.com/falcosecurity/falco/pull/3154)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(falco.yaml)!: remove some deprecated configs [[#3087](https://github.com/falcosecurity/falco/pull/3087)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(docker)!: remove unused builder dockerfile [[#3088](https://github.com/falcosecurity/falco/pull/3088)] - [@Andreagit97](https://github.com/Andreagit97)
+
+More details: https://falco.org/blog/falco-0-38-0/#breaking-changes-and-deprecations
+
+### Major Changes
+
+* new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new `metrics.prometheus_enabled` configuration option. It will only be activated if the `metrics.enabled` is true as well. [[#3140](https://github.com/falcosecurity/falco/pull/3140)] - [@sgaist](https://github.com/sgaist)
+* new(metrics): add `rules_counters_enabled` option [[#3192](https://github.com/falcosecurity/falco/pull/3192)] - [@incertum](https://github.com/incertum)
+* new(build): provide signatures for .tar.gz packages [[#3201](https://github.com/falcosecurity/falco/pull/3201)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(engine): add print_enabled_rules_falco_logger when log_level debug [[#3189](https://github.com/falcosecurity/falco/pull/3189)] - [@incertum](https://github.com/incertum)
+* new(falco): allow selecting which rules to load from the configuration file or command line [[#3178](https://github.com/falcosecurity/falco/pull/3178)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(metrics): add file sha256sum metrics for loaded config and rules files [[#3187](https://github.com/falcosecurity/falco/pull/3187)] - [@incertum](https://github.com/incertum)
+* new(engine): throw an error when an invalid macro/list name is used [[#3116](https://github.com/falcosecurity/falco/pull/3116)] - [@mrgian](https://github.com/mrgian)
+* new(engine): raise warning instead of error on invalid macro/list name [[#3167](https://github.com/falcosecurity/falco/pull/3167)] - [@mrgian](https://github.com/mrgian)
+* new(userspace): support split config files [[#3024](https://github.com/falcosecurity/falco/pull/3024)] - [@FedeDP](https://github.com/FedeDP)
+* new(engine): enforce unique exceptions names [[#3134](https://github.com/falcosecurity/falco/pull/3134)] - [@mrgian](https://github.com/mrgian)
+* new(engine): add warning when appending an exception with no values [[#3133](https://github.com/falcosecurity/falco/pull/3133)] - [@mrgian](https://github.com/mrgian)
+* feat(metrics): coherent metrics stats model  including few metrics naming changes [[#3129](https://github.com/falcosecurity/falco/pull/3129)] - [@incertum](https://github.com/incertum)
+* new(config): add `falco_libs.thread_table_size` [[#3071](https://github.com/falcosecurity/falco/pull/3071)] - [@incertum](https://github.com/incertum)
+* new(proposals): introduce on host anomaly detection framework [[#2655](https://github.com/falcosecurity/falco/pull/2655)] - [@incertum](https://github.com/incertum)
+
+
+### Minor Changes
+
+* update(cmake): bump falcoctl to v0.8.0. [[#3219](https://github.com/falcosecurity/falco/pull/3219)] - [@FedeDP](https://github.com/FedeDP)
+* update(rules): update falco-rules to 3.1.0 [[#3217](https://github.com/falcosecurity/falco/pull/3217)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): move falco logger under falco engine [[#3208](https://github.com/falcosecurity/falco/pull/3208)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(docs): apply features adoption and deprecation proposal to config file keys [[#3206](https://github.com/falcosecurity/falco/pull/3206)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(metrics): add original rule name as label [[#3205](https://github.com/falcosecurity/falco/pull/3205)] - [@incertum](https://github.com/incertum)
+* update(falco): deprecate options -T, -t and -D [[#3193](https://github.com/falcosecurity/falco/pull/3193)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor: bump libs and driver, support field modifiers [[#3186](https://github.com/falcosecurity/falco/pull/3186)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): deprecated old 'rules_file' config key [[#3162](https://github.com/falcosecurity/falco/pull/3162)] - [@FedeDP](https://github.com/FedeDP)
+* chore(falco): update falco libs and driver to master (Apr 8th 2024) [[#3158](https://github.com/falcosecurity/falco/pull/3158)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [[#3151](https://github.com/falcosecurity/falco/pull/3151)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: minor adjustments to readme, add new testing section [[#3072](https://github.com/falcosecurity/falco/pull/3072)] - [@incertum](https://github.com/incertum)
+* refactor(userspace/engine): reduce allocations during rules loading [[#3065](https://github.com/falcosecurity/falco/pull/3065)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(CI): publish wasm package as dev-wasm [[#3017](https://github.com/falcosecurity/falco/pull/3017)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): fix state initialization avoid a crash during hot reload [[#3190](https://github.com/falcosecurity/falco/pull/3190)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/engine): make sure exception fields are not optional in replace mode [[#3108](https://github.com/falcosecurity/falco/pull/3108)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(docker): added zstd to driver loader images [[#3203](https://github.com/falcosecurity/falco/pull/3203)] - [@FedeDP](https://github.com/FedeDP)
+* fix(engine): raise warning instead of error on not-unique exceptions names [[#3159](https://github.com/falcosecurity/falco/pull/3159)] - [@mrgian](https://github.com/mrgian)
+* fix(engine): apply output substitutions for all sources [[#3135](https://github.com/falcosecurity/falco/pull/3135)] - [@mrgian](https://github.com/mrgian)
+* fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [[#3127](https://github.com/falcosecurity/falco/pull/3127)] - [@sgaist](https://github.com/sgaist)
+* fix(engine): logical issue in exceptions condition [[#3115](https://github.com/falcosecurity/falco/pull/3115)] - [@mrgian](https://github.com/mrgian)
+* fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [[#3105](https://github.com/falcosecurity/falco/pull/3105)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* update(scripts/falcoctl): bump falco-rules version to 3 [[#3128](https://github.com/falcosecurity/falco/pull/3128)] - [@alacuku](https://github.com/alacuku)
+* build(deps): Bump submodules/falcosecurity-rules from `59bf03b` to `9e56293` [[#3212](https://github.com/falcosecurity/falco/pull/3212)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(gha): update cosign to v3.5.0 [[#3209](https://github.com/falcosecurity/falco/pull/3209)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `29c41c4` to `59bf03b` [[#3207](https://github.com/falcosecurity/falco/pull/3207)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [[#3204](https://github.com/falcosecurity/falco/pull/3204)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `3f668d0` to `3cac61c` [[#3044](https://github.com/falcosecurity/falco/pull/3044)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-testing from `ae3950a` to `7abf76f` [[#3094](https://github.com/falcosecurity/falco/pull/3094)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): enforce bundled deps OFF in build-dev CI [[#3118](https://github.com/falcosecurity/falco/pull/3118)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `88a40c8` to `869c9a7` [[#3156](https://github.com/falcosecurity/falco/pull/3156)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped falcoctl to v0.8.0-rc5. [[#3199](https://github.com/falcosecurity/falco/pull/3199)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `4f153f5` to `29c41c4` [[#3198](https://github.com/falcosecurity/falco/pull/3198)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump falcoctl to v0.8.0-rc4 [[#3191](https://github.com/falcosecurity/falco/pull/3191)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: smart pointer usage [[#3184](https://github.com/falcosecurity/falco/pull/3184)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `ec255e6` to `4f153f5` [[#3182](https://github.com/falcosecurity/falco/pull/3182)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs and driver to latest master. [[#3177](https://github.com/falcosecurity/falco/pull/3177)] - [@FedeDP](https://github.com/FedeDP)
+* chore(cmake): enable modern bpf build by default. [[#3180](https://github.com/falcosecurity/falco/pull/3180)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(docs): fix typo in license blocks [[#3175](https://github.com/falcosecurity/falco/pull/3175)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(docker,scripts): set old eBPF probe as lowest priority driver. [[#3173](https://github.com/falcosecurity/falco/pull/3173)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `869c9a7` to `ec255e6` [[#3170](https://github.com/falcosecurity/falco/pull/3170)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(app): close inspectors at teardown time [[#3169](https://github.com/falcosecurity/falco/pull/3169)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(docker): fixed docker entrypoints for driver loading. [[#3168](https://github.com/falcosecurity/falco/pull/3168)] - [@FedeDP](https://github.com/FedeDP)
+* fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [[#3166](https://github.com/falcosecurity/falco/pull/3166)] - [@FedeDP](https://github.com/FedeDP)
+* update(ci): build both release and debug versions [[#3161](https://github.com/falcosecurity/falco/pull/3161)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/falco): watch all configs files. [[#3160](https://github.com/falcosecurity/falco/pull/3160)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): update scorecard-action to v2.3.1 [[#3153](https://github.com/falcosecurity/falco/pull/3153)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(falco): consolidate falco::grpc::server in one class [[#3150](https://github.com/falcosecurity/falco/pull/3150)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build): enable ASan and UBSan builds with options and in CI [[#3147](https://github.com/falcosecurity/falco/pull/3147)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace): variable / function shadowing [[#3123](https://github.com/falcosecurity/falco/pull/3123)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `fbf0a4e` to `88a40c8` [[#3145](https://github.com/falcosecurity/falco/pull/3145)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [[#3146](https://github.com/falcosecurity/falco/pull/3146)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [[#3143](https://github.com/falcosecurity/falco/pull/3143)] - [@Sryther](https://github.com/Sryther)
+* build(deps): Bump submodules/falcosecurity-rules from `44addef` to `fbf0a4e` [[#3139](https://github.com/falcosecurity/falco/pull/3139)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump to latest libs commit [[#3137](https://github.com/falcosecurity/falco/pull/3137)] - [@Andreagit97](https://github.com/Andreagit97)
+* refactor: Use FetchContent for integrating three bundled libs [[#3107](https://github.com/falcosecurity/falco/pull/3107)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `dc7970d` to `44addef` [[#3136](https://github.com/falcosecurity/falco/pull/3136)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `f88b991` to `dc7970d` [[#3126](https://github.com/falcosecurity/falco/pull/3126)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* refactor(ci): Avoid using command make directly [[#3101](https://github.com/falcosecurity/falco/pull/3101)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* docs(proposal): 20231220-features-adoption-and-deprecation.md [[#2986](https://github.com/falcosecurity/falco/pull/2986)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b499a1d` to `f88b991` [[#3125](https://github.com/falcosecurity/falco/pull/3125)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(README.md): Falco Graduates within the CNCF [[#3124](https://github.com/falcosecurity/falco/pull/3124)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `497e011` to `b499a1d` [[#3111](https://github.com/falcosecurity/falco/pull/3111)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped codeql actions. [[#3114](https://github.com/falcosecurity/falco/pull/3114)] - [@FedeDP](https://github.com/FedeDP)
+* Cleanup warnings and smart ptrs [[#3112](https://github.com/falcosecurity/falco/pull/3112)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* new(build): add options to use bundled dependencies [[#3092](https://github.com/falcosecurity/falco/pull/3092)] - [@mrgian](https://github.com/mrgian)
+* fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [[#3110](https://github.com/falcosecurity/falco/pull/3110)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: bump libs and driver, and adopt unique pointers wherever possible [[#3109](https://github.com/falcosecurity/falco/pull/3109)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: falco_engine test fixture [[#3099](https://github.com/falcosecurity/falco/pull/3099)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* refactor: test AtomicSignalHandler.handle_once_wait_consistency [[#3100](https://github.com/falcosecurity/falco/pull/3100)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* Cleanup variable use [[#3097](https://github.com/falcosecurity/falco/pull/3097)] - [@sgaist](https://github.com/sgaist)
+* cleanup(submodules): dropped testing submodule. [[#3098](https://github.com/falcosecurity/falco/pull/3098)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(ci): make use of falcosecurity/testing provided composite action [[#3093](https://github.com/falcosecurity/falco/pull/3093)] - [@FedeDP](https://github.com/FedeDP)
+* Improve const correctness [[#3083](https://github.com/falcosecurity/falco/pull/3083)] - [@sgaist](https://github.com/sgaist)
+* Improve exception throwing [[#3085](https://github.com/falcosecurity/falco/pull/3085)] - [@sgaist](https://github.com/sgaist)
+* fix(ci): update sync in deb and rpm scripts with acl [[#3062](https://github.com/falcosecurity/falco/pull/3062)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(tests): consolidate Falco engine and rule loader tests [[#3066](https://github.com/falcosecurity/falco/pull/3066)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: falco_engine deps and include paths [[#3090](https://github.com/falcosecurity/falco/pull/3090)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* fix: Some compiler warnings [[#3089](https://github.com/falcosecurity/falco/pull/3089)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `0f60976` to `497e011` [[#3081](https://github.com/falcosecurity/falco/pull/3081)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing explicit to single argument constructors [[#3069](https://github.com/falcosecurity/falco/pull/3069)] - [@sgaist](https://github.com/sgaist)
+* Improve class initialization [[#3074](https://github.com/falcosecurity/falco/pull/3074)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `6ed2036` to `0f60976` [[#3078](https://github.com/falcosecurity/falco/pull/3078)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `1053b2d` to `6ed2036` [[#3067](https://github.com/falcosecurity/falco/pull/3067)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing overrides [[#3064](https://github.com/falcosecurity/falco/pull/3064)] - [@sgaist](https://github.com/sgaist)
+* new(build): prune deb-dev and rpm-dev directories [[#3056](https://github.com/falcosecurity/falco/pull/3056)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): align falco to gen-event class family deprecation [[#3051](https://github.com/falcosecurity/falco/pull/3051)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(deps): Bump submodules/falcosecurity-rules from `3cac61c` to `1053b2d` [[#3047](https://github.com/falcosecurity/falco/pull/3047)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix: adopt new libsinsp logger [[#3026](https://github.com/falcosecurity/falco/pull/3026)] - [@therealbobo](https://github.com/therealbobo)
+* refactor: cleanup libs relative include paths [[#2936](https://github.com/falcosecurity/falco/pull/2936)] - [@therealbobo](https://github.com/therealbobo)
+* chore(ci): bumped rn2md to latest master. [[#3046](https://github.com/falcosecurity/falco/pull/3046)] - [@FedeDP](https://github.com/FedeDP)
+* Support alternate rules loader [[#3008](https://github.com/falcosecurity/falco/pull/3008)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed release body driver version. [[#3042](https://github.com/falcosecurity/falco/pull/3042)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `c39d31a` to `3f668d0` [[#3039](https://github.com/falcosecurity/falco/pull/3039)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
+
+## v0.37.1
+
+Released on 2024-02-13
+
+### Major Changes
+
+* new(docker): added option for insecure http driver download to falco and driver-loader images [[#3058](https://github.com/falcosecurity/falco/pull/3058)] - [@toamto94](https://github.com/toamto94)
+
+### Minor Changes
+
+* update(cmake): bumped falcoctl to v0.7.2 [[#3076](https://github.com/falcosecurity/falco/pull/3076)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): link libelf dynamically [[#3048](https://github.com/falcosecurity/falco/pull/3048)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Bug Fixes
+
+* fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [[#3060](https://github.com/falcosecurity/falco/pull/3060)] - [@FedeDP](https://github.com/FedeDP)
+
+### Non user-facing changes
+
+* Added http headers option for driver download in docker images [[#3075](https://github.com/falcosecurity/falco/pull/3075)] - [@toamto94](https://github.com/toamto94)
+* fix(build): install libstdc++ in the Wolfi image [[#3053](https://github.com/falcosecurity/falco/pull/3053)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+## v0.37.0
+
+Released on 2024-01-30
+
+### Breaking Changes
+
+- The deprecated `rate-limiter` mechanism is removed as it is no longer used.
+  - the deprecated `outputs.rate` Falco config is removed.
+  - the deprecated `outputs.max_burst` Falco config is removed.
+- The deprecated `--userspace` CLI option is removed as it is no longer used.
+- The `falco-driver-loader` script will be removed and embedded into falcoctl. The new falcoctl driven implementation will drop:
+  - `--source-only` CLI option.
+  - `BPF_USE_LOCAL_KERNEL_SOURCES` environment variable.
+  - `DRIVER_CURL_OPTIONS` environment variable.
+  - `FALCO_BPF_PROBE` environment variable is not used by the new falcoctl driver loader, since it is already deprecated and will be removed in the next major version.
+  
+  Some env vars were renamed:
+  - `DRIVERS_REPO` env variable has been replaced by `FALCOCTL_DRIVER_NAME`  or `--name` command line argument for `falcoctl driver` command
+  - `DRIVERS_NAME` env variable has been replaced by `FALCOCTL_DRIVER_REPOS`, or `--repo` command line argument for `falcoctl driver` command
+  - `DRIVER_KERNEL_RELEASE` env variable has been replaced by `--kernelrelease` command line argument for `falcoctl driver install` command
+  - `DRIVER_KERNEL_VERSION` env variable has been replaced by `--kernelversion` command line argument for `falcoctl driver install` command
+  - `DRIVER_INSECURE_DOWNLOAD` env variable has been replaced by `--http-insecure` command line argument for `falcoctl driver install` command
+- Remove `-K/-k` options from Falco in favor of the new `k8smeta` plugin.
+- Drop plugins shipped with Falco since plugins are now be managed by falcoctl.
+- Falco 0.37.0 allows environment variables to be expanded even if they are part of a string. This introduces small breaking changes:
+  - Previously, environment variables used in YAML that were empty or defined as `“”` would be expanded to the default value. This was not consistent with the way YAML was handled in other cases, where we only returned the default values if the node was not defined. Now expanded env vars retain the same behavior of all other variables.
+  - Falco 0.37.0 will return default value for nodes that cannot be parsed to chosen type.
+  - `program_output` command will be env-expanded at init time, instead of letting `popen` and thus the `sh` shell expand it. This is technically a breaking change even if no behavioral change is expected. Also, you can avoid env var expansion by using `${{FOO}}` instead of `${FOO}`. It will resolve to `${FOO}` and won't be resolved to the env var value.
+
+### Major Changes
+
+* new!: dropped falco-driver-loader script in favor of new falcoctl driver command [[#2905](https://github.com/falcosecurity/falco/pull/2905)] - [@FedeDP](https://github.com/FedeDP)
+* update!: bump libs to latest and deprecation of k8s metadata options and configs [[#2914](https://github.com/falcosecurity/falco/pull/2914)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(falco)!: remove `outputs.rate` and `outputs.max_burst` from Falco config [[#2841](https://github.com/falcosecurity/falco/pull/2841)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(falco)!: remove `--userspace` support [[#2839](https://github.com/falcosecurity/falco/pull/2839)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(engine): add selective overrides for Falco rules [[#2981](https://github.com/falcosecurity/falco/pull/2981)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the `falco.yaml` file can be used for that purpose. Both are disabled by default. [[#2974](https://github.com/falcosecurity/falco/pull/2974)] - [@sgaist](https://github.com/sgaist)
+* new(userspace): support env variable expansion in all yaml, even inside strings. [[#2918](https://github.com/falcosecurity/falco/pull/2918)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [[#2773](https://github.com/falcosecurity/falco/pull/2773)] - [@vjjmiras](https://github.com/vjjmiras)
+* new(falco): print system info when Falco starts [[#2927](https://github.com/falcosecurity/falco/pull/2927)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: driver selection in falco.yaml [[#2413](https://github.com/falcosecurity/falco/pull/2413)] - [@therealbobo](https://github.com/therealbobo)
+* new(build): enable compilation on win32 and macOS. [[#2889](https://github.com/falcosecurity/falco/pull/2889)] - [@therealbobo](https://github.com/therealbobo)
+* feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the `falco.yaml` file. [[#2890](https://github.com/falcosecurity/falco/pull/2890)] - [@sgaist](https://github.com/sgaist)
+
+### Minor Changes
+
+* update(userspace/falco): add `engine_version_semver` key in `/versions` endpoint [[#2899](https://github.com/falcosecurity/falco/pull/2899)] - [@loresuso](https://github.com/loresuso)
+* update: default ruleset upgrade to version 3.0 [[#3034](https://github.com/falcosecurity/falco/pull/3034)] - [@leogr](https://github.com/leogr)
+* update!(config): soft deprecation of drop stats counters in `syscall_event_drops` [[#3015](https://github.com/falcosecurity/falco/pull/3015)] - [@incertum](https://github.com/incertum)
+* update(cmake): bumped falcoctl tool to v0.7.1. [[#3030](https://github.com/falcosecurity/falco/pull/3030)] - [@FedeDP](https://github.com/FedeDP)
+* update(rule_loader): deprecate the `append` flag in Falco rules [[#2992](https://github.com/falcosecurity/falco/pull/2992)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup!(cmake): drop bundled plugins in Falco [[#2997](https://github.com/falcosecurity/falco/pull/2997)] - [@FedeDP](https://github.com/FedeDP)
+* update(config): clarify deprecation notices + list all env vars [[#2988](https://github.com/falcosecurity/falco/pull/2988)] - [@incertum](https://github.com/incertum)
+* update: now the `watch_config_files` config option monitors file/directory moving and deletion, too [[#2965](https://github.com/falcosecurity/falco/pull/2965)] - [@NitroCao](https://github.com/NitroCao)
+* update(userspace): enhancements in rule description feature [[#2934](https://github.com/falcosecurity/falco/pull/2934)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): add libsinsp state metrics option [[#2883](https://github.com/falcosecurity/falco/pull/2883)] - [@incertum](https://github.com/incertum)
+* update(doc): Add Thought Machine as adopters [[#2919](https://github.com/falcosecurity/falco/pull/2919)] - [@RichardoC](https://github.com/RichardoC)
+* update(docs): add Wireshark/Logray as adopter [[#2867](https://github.com/falcosecurity/falco/pull/2867)] - [@geraldcombs](https://github.com/geraldcombs)
+* update: engine_version in semver representation [[#2838](https://github.com/falcosecurity/falco/pull/2838)] - [@loresuso](https://github.com/loresuso)
+* update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [[#2817](https://github.com/falcosecurity/falco/pull/2817)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+### Bug Fixes
+
+* fix(userspace/metric): minor fixes in new libsinsp state metrics handling [[#3033](https://github.com/falcosecurity/falco/pull/3033)] - [@incertum](https://github.com/incertum)
+* fix(userspace/engine): avoid storing escaped strings in engine defs [[#3028](https://github.com/falcosecurity/falco/pull/3028)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): cache latest rules compilation output [[#2900](https://github.com/falcosecurity/falco/pull/2900)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): solve description of macro-only rules [[#2898](https://github.com/falcosecurity/falco/pull/2898)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): fix memory leak [[#2877](https://github.com/falcosecurity/falco/pull/2877)] - [@therealbobo](https://github.com/therealbobo)
+
+### Non user-facing changes
+
+* fix: nlohmann_json lib include path [[#3032](https://github.com/falcosecurity/falco/pull/3032)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore: bump falco rules [[#3021](https://github.com/falcosecurity/falco/pull/3021)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump Falco to libs 0.14.1 [[#3020](https://github.com/falcosecurity/falco/pull/3020)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(build): remove outdated development libs [[#2946](https://github.com/falcosecurity/falco/pull/2946)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(falco): bump Falco to `000d576` libs commit [[#2944](https://github.com/falcosecurity/falco/pull/2944)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(gha): update rpmsign [[#2856](https://github.com/falcosecurity/falco/pull/2856)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `424b258` to `1221b9e` [[#3000](https://github.com/falcosecurity/falco/pull/3000)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `2ac430b` to `c39d31a` [[#3019](https://github.com/falcosecurity/falco/pull/3019)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco.yaml): rename `none` in `nodriver` [[#3012](https://github.com/falcosecurity/falco/pull/3012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(config): graduate outputs_queue to stable [[#3016](https://github.com/falcosecurity/falco/pull/3016)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump falcoctl to v0.7.0. [[#3009](https://github.com/falcosecurity/falco/pull/3009)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `1221b9e` to `2ac430b` [[#3007](https://github.com/falcosecurity/falco/pull/3007)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped rn2md to latest master. [[#3006](https://github.com/falcosecurity/falco/pull/3006)] - [@FedeDP](https://github.com/FedeDP)
+* chore: bump Falco to latest libs [[#3002](https://github.com/falcosecurity/falco/pull/3002)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump driver version [[#2998](https://github.com/falcosecurity/falco/pull/2998)] - [@Andreagit97](https://github.com/Andreagit97)
+* Add addl source related methods [[#2939](https://github.com/falcosecurity/falco/pull/2939)] - [@mstemm](https://github.com/mstemm)
+* build(deps): Bump submodules/falcosecurity-rules from `cd33bc3` to `424b258` [[#2993](https://github.com/falcosecurity/falco/pull/2993)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(engine): clarify deprecation notice for engines [[#2987](https://github.com/falcosecurity/falco/pull/2987)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped falcoctl to v0.7.0-rc1. [[#2983](https://github.com/falcosecurity/falco/pull/2983)] - [@FedeDP](https://github.com/FedeDP)
+* chore(ci): revert #2961. [[#2984](https://github.com/falcosecurity/falco/pull/2984)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-testing from `930170b` to `9b9630e` [[#2980](https://github.com/falcosecurity/falco/pull/2980)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump Falco to latest libs [[#2977](https://github.com/falcosecurity/falco/pull/2977)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `262f569` to `cd33bc3` [[#2976](https://github.com/falcosecurity/falco/pull/2976)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Allow enabling rules by ruleset id in addition to name [[#2920](https://github.com/falcosecurity/falco/pull/2920)] - [@mstemm](https://github.com/mstemm)
+* chore(ci): enable aarch64 falco driver loader tests. [[#2961](https://github.com/falcosecurity/falco/pull/2961)] - [@FedeDP](https://github.com/FedeDP)
+* chore(unit_tests): added more tests for yaml env vars expansion. [[#2972](https://github.com/falcosecurity/falco/pull/2972)] - [@FedeDP](https://github.com/FedeDP)
+* chore(falco.yaml): use HOME env var for ebpf probe path. [[#2971](https://github.com/falcosecurity/falco/pull/2971)] - [@FedeDP](https://github.com/FedeDP)
+* chore: bump falco to latest libs [[#2970](https://github.com/falcosecurity/falco/pull/2970)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `dd38952` to `262f569` [[#2969](https://github.com/falcosecurity/falco/pull/2969)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(readme): add actuated.dev badge [[#2967](https://github.com/falcosecurity/falco/pull/2967)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [[#2968](https://github.com/falcosecurity/falco/pull/2968)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `64e2adb` to `dd38952` [[#2959](https://github.com/falcosecurity/falco/pull/2959)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(docker): small fixes in docker entrypoints for new driver loader. [[#2966](https://github.com/falcosecurity/falco/pull/2966)] - [@FedeDP](https://github.com/FedeDP)
+* chore(build): allow usage of non-bundled nlohmann-json [[#2947](https://github.com/falcosecurity/falco/pull/2947)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* update(ci): enable actuated.dev [[#2945](https://github.com/falcosecurity/falco/pull/2945)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: fix several warnings from a Clang build [[#2948](https://github.com/falcosecurity/falco/pull/2948)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(docker/falco): add back some deps to falco docker image. [[#2932](https://github.com/falcosecurity/falco/pull/2932)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-testing from `92c313f` to `5248e6d` [[#2937](https://github.com/falcosecurity/falco/pull/2937)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `e206c1a` to `8f0520f` [[#2904](https://github.com/falcosecurity/falco/pull/2904)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco): remove decode_uri as it is no longer used [[#2933](https://github.com/falcosecurity/falco/pull/2933)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(engine): port decode_uri in falco engine [[#2912](https://github.com/falcosecurity/falco/pull/2912)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(falco): update to libs on nov 28th [[#2929](https://github.com/falcosecurity/falco/pull/2929)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(falco): remove `init` in the configuration constructor [[#2917](https://github.com/falcosecurity/falco/pull/2917)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `8f0520f` to `64e2adb` [[#2908](https://github.com/falcosecurity/falco/pull/2908)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(userspace/engine): remove legacy k8saudit implementation [[#2913](https://github.com/falcosecurity/falco/pull/2913)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(gha): disable branch protection rule trigger for scorecard [[#2911](https://github.com/falcosecurity/falco/pull/2911)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): set cosign-installer to v3.1.2 [[#2901](https://github.com/falcosecurity/falco/pull/2901)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docs): sync changelog for 0.36.2. [[#2894](https://github.com/falcosecurity/falco/pull/2894)] - [@FedeDP](https://github.com/FedeDP)
+* Run OpenSSF Scorecard in pipeline [[#2888](https://github.com/falcosecurity/falco/pull/2888)] - [@maxgio92](https://github.com/maxgio92)
+* cleanup: replace banned.h with semgrep [[#2881](https://github.com/falcosecurity/falco/pull/2881)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): upgrade GitHub actions [[#2876](https://github.com/falcosecurity/falco/pull/2876)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `a22d0d7` to `e206c1a` [[#2865](https://github.com/falcosecurity/falco/pull/2865)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `d119706` to `a22d0d7` [[#2860](https://github.com/falcosecurity/falco/pull/2860)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(gha): use fedora instead of centos 7 for package publishing [[#2854](https://github.com/falcosecurity/falco/pull/2854)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(gha): pin versions to hashes [[#2849](https://github.com/falcosecurity/falco/pull/2849)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `c366d5b` to `d119706` [[#2847](https://github.com/falcosecurity/falco/pull/2847)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* new(ci): properly link libs and driver releases linked to a Falco release [[#2846](https://github.com/falcosecurity/falco/pull/2846)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `7a7cf24` to `c366d5b` [[#2842](https://github.com/falcosecurity/falco/pull/2842)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `77ba57a` to `7a7cf24` [[#2836](https://github.com/falcosecurity/falco/pull/2836)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped rn2md to latest master. [[#2844](https://github.com/falcosecurity/falco/pull/2844)] - [@FedeDP](https://github.com/FedeDP)
+
+## v0.36.2
+
+Released on 2023-10-27
+
+NO CHANGES IN FALCO, ALL CHANGES IN LIBS.
+
+
+## v0.36.1
+
+Released on 2023-10-16
+
+### Major Changes
+
+### Minor Changes
+
+* feat(userspace): remove experimental outputs queue recovery strategies [[#2863](https://github.com/falcosecurity/falco/pull/2863)] - [@incertum](https://github.com/incertum)
+
+### Bug Fixes
+
+* fix(userspace/falco): timer_delete() workaround due to bug in older GLIBC [[#2851](https://github.com/falcosecurity/falco/pull/2851)] - [@incertum](https://github.com/incertum)
+
+
+## v0.36.0
+
+Released on 2023-09-26
+
+### Breaking Changes
+
+- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as `falco-rules` is now a _stable_ rule file. This file **contains a much smaller number of rules** that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into `falco-incubating-rules` and `falco-sandbox-rules`. For more information, see the [rules repository](https://github.com/falcosecurity/rules)
+- The main `falcosecurity/falco` container image and its `falco-driver-loader` counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as `falcosecurity/falco-driver-loader-legacy`.
+- The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option `http_output.echo` in `falco.yaml`.
+- The `--list-syscall-events` command line option has been replaced by `--list-events` which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
+- The semantics of `proc.exepath` have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
+- The `-d` daemonize option has been removed.
+- The `-p` option is now changed:
+    - when only `-pc` is set Falco will print `container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name`
+    - when `-pk` is set it will print as above, but with `k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name` appended
+
+
+### Major Changes
+
+
+* new(falco-driver-loader): --source-only now prints the values as env vars [[#2353](https://github.com/falcosecurity/falco/pull/2353)] - [@steakunderscore](https://github.com/steakunderscore)
+* new(docker): allow passing options to falco-driver-loader from the driver loader container [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docker): add experimental falco-distroless image based on Wolfi [[#2768](https://github.com/falcosecurity/falco/pull/2768)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new: the legacy falco image is available as driver-loader-legacy [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* new: support systemctl reload for Falco services [[#2588](https://github.com/falcosecurity/falco/pull/2588)] - [@jabdr](https://github.com/jabdr)
+* new(falco/config): add new configurations for http_output that allow mTLS [[#2633](https://github.com/falcosecurity/falco/pull/2633)] - [@annadorottya](https://github.com/annadorottya)
+* new: allow falco to match multiple rules on same event [[#2705](https://github.com/falcosecurity/falco/pull/2705)] - [@loresuso](https://github.com/loresuso)
+
+
+### Minor Changes
+
+* update(cmake): bumped bundled falcoctl to 0.6.2 [[#2829](https://github.com/falcosecurity/falco/pull/2829)] - [@FedeDP](https://github.com/FedeDP)
+* update(rules)!: major rule update to version 2.0.0 [[#2823](https://github.com/falcosecurity/falco/pull/2823)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped plugins to latest stable versions [[#2820](https://github.com/falcosecurity/falco/pull/2820)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [[#2806](https://github.com/falcosecurity/falco/pull/2806)] - [@FedeDP](https://github.com/FedeDP)
+* update!: default substitution for `%container.info` is now equal `container_id=%container.id container_name=%container.name` [[#2793](https://github.com/falcosecurity/falco/pull/2793)] - [@leogr](https://github.com/leogr)
+* update!: the --list-syscall-events flag is now called --list-events and lists all events [[#2771](https://github.com/falcosecurity/falco/pull/2771)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update!: the Falco base image is now based on Debian 12 with gcc 11-12 [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(docker): the Falco no-driver image is now based on Debian 12 [[#2782](https://github.com/falcosecurity/falco/pull/2782)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* feat(userspace)!: remove `-d` daemonize option [[#2677](https://github.com/falcosecurity/falco/pull/2677)] - [@incertum](https://github.com/incertum)
+* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [[#2693](https://github.com/falcosecurity/falco/pull/2693)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [[#2756](https://github.com/falcosecurity/falco/pull/2756)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [[#2780](https://github.com/falcosecurity/falco/pull/2780)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [[#2783](https://github.com/falcosecurity/falco/pull/2783)] - [@FedeDP](https://github.com/FedeDP)
+* feat: support parsing of system environment variables in yaml [[#2562](https://github.com/falcosecurity/falco/pull/2562)] - [@therealdwright](https://github.com/therealdwright)
+* feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [[#2739](https://github.com/falcosecurity/falco/pull/2739)] - [@incertum](https://github.com/incertum)
+* update: upgrade `falcoctl` to version 0.6.0 [[#2764](https://github.com/falcosecurity/falco/pull/2764)] - [@leogr](https://github.com/leogr)
+* cleanup: deprecate rate limiter mechanism [[#2762](https://github.com/falcosecurity/falco/pull/2762)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(config): add more info [[#2758](https://github.com/falcosecurity/falco/pull/2758)] - [@incertum](https://github.com/incertum)
+* update(userspace/engine): improve skip-if-unknown-filter YAML field [[#2749](https://github.com/falcosecurity/falco/pull/2749)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: improved HTTP output performance [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* update!: HTTP output will no more echo to stdout by default [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* chore: remove b64 from falco dependencies [[#2746](https://github.com/falcosecurity/falco/pull/2746)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): support building libs and driver from forks [[#2747](https://github.com/falcosecurity/falco/pull/2747)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: `-p` presets have been updated to reflect the new rules style guide [[#2737](https://github.com/falcosecurity/falco/pull/2737)] - [@leogr](https://github.com/leogr)
+* feat: Allow specifying explicit kernel release and version for falco-driver-loader [[#2728](https://github.com/falcosecurity/falco/pull/2728)] - [@johananl](https://github.com/johananl)
+* cleanup(config): assign Stable to `base_syscalls` config [[#2740](https://github.com/falcosecurity/falco/pull/2740)] - [@incertum](https://github.com/incertum)
+* update : support build for wasm [[#2663](https://github.com/falcosecurity/falco/pull/2663)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
+* docs(config.yaml): fix wrong severity levels for sinsp logger [[#2736](https://github.com/falcosecurity/falco/pull/2736)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): bump libs and driver to 0.12.0 [[#2721](https://github.com/falcosecurity/falco/pull/2721)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(docker): remove experimental image based on RedHat UBI [[#2720](https://github.com/falcosecurity/falco/pull/2720)] - [@leogr](https://github.com/leogr)
+
+
+### Bug Fixes
+
+* fix(outputs): expose queue_capacity_outputs config for memory control [[#2711](https://github.com/falcosecurity/falco/pull/2711)] - [@incertum](https://github.com/incertum)
+* fix(userspace/falco): cleanup metrics timer upon leaving. [[#2759](https://github.com/falcosecurity/falco/pull/2759)] - [@FedeDP](https://github.com/FedeDP)
+* fix: restore Falco MINIMAL_BUILD and deprecate `userspace` option [[#2761](https://github.com/falcosecurity/falco/pull/2761)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): support appending to unknown sources [[#2753](https://github.com/falcosecurity/falco/pull/2753)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+
+### Non user-facing changes
+
+* build(deps): Bump submodules/falcosecurity-rules from `69c9be8` to `77ba57a` [[#2833](https://github.com/falcosecurity/falco/pull/2833)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump submodule testing to 62edc65 [[#2831](https://github.com/falcosecurity/falco/pull/2831)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(gha): add version for rn2md [[#2830](https://github.com/falcosecurity/falco/pull/2830)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore: automatically attach release author to release body. [[#2828](https://github.com/falcosecurity/falco/pull/2828)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): autogenerate release body. [[#2812](https://github.com/falcosecurity/falco/pull/2812)] - [@FedeDP](https://github.com/FedeDP)
+* fix(dockerfile): remove useless CMD [[#2824](https://github.com/falcosecurity/falco/pull/2824)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump to the latest libs [[#2822](https://github.com/falcosecurity/falco/pull/2822)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: add SPDX license identifier [[#2809](https://github.com/falcosecurity/falco/pull/2809)] - [@leogr](https://github.com/leogr)
+* chore: bump to latest libs [[#2815](https://github.com/falcosecurity/falco/pull/2815)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `ee5fb38` to `bea364e` [[#2814](https://github.com/falcosecurity/falco/pull/2814)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(build): set the right bucket and version for driver legacy [[#2800](https://github.com/falcosecurity/falco/pull/2800)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `43580b4` to `ee5fb38` [[#2810](https://github.com/falcosecurity/falco/pull/2810)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(userspace): thrown exceptions and avoid multiple logs [[#2803](https://github.com/falcosecurity/falco/pull/2803)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `c6e01fa` to `43580b4` [[#2801](https://github.com/falcosecurity/falco/pull/2801)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-testing from `76d1743` to `30c3643` [[#2802](https://github.com/falcosecurity/falco/pull/2802)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(userspace/falco): clearing full output queue [[#2798](https://github.com/falcosecurity/falco/pull/2798)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(docs): add driver-loader-legacy to readme and fix bad c&p [[#2799](https://github.com/falcosecurity/falco/pull/2799)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `d31dbc2` to `c6e01fa` [[#2797](https://github.com/falcosecurity/falco/pull/2797)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs: add LICENSE file [[#2796](https://github.com/falcosecurity/falco/pull/2796)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b6372d2` to `d31dbc2` [[#2794](https://github.com/falcosecurity/falco/pull/2794)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(stats): always initialize m_output field [[#2789](https://github.com/falcosecurity/falco/pull/2789)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `6ed73fe` to `b6372d2` [[#2786](https://github.com/falcosecurity/falco/pull/2786)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [[#2775](https://github.com/falcosecurity/falco/pull/2775)] - [@leogr](https://github.com/leogr)
+* update(OWNERS): add LucaGuerra to owners [[#2650](https://github.com/falcosecurity/falco/pull/2650)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `9126bef` to `0328c59` [[#2709](https://github.com/falcosecurity/falco/pull/2709)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `0d0e333` to `64ce419` [[#2731](https://github.com/falcosecurity/falco/pull/2731)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `3ceea88` to `40a9817` [[#2745](https://github.com/falcosecurity/falco/pull/2745)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(README.md): correct URL [[#2772](https://github.com/falcosecurity/falco/pull/2772)] - [@vjjmiras](https://github.com/vjjmiras)
+* #2393 Document why Falco is written in C++ rather than anything else [[#2410](https://github.com/falcosecurity/falco/pull/2410)] - [@RichardoC](https://github.com/RichardoC)
+* chore: bump Falco to latest libs [[#2769](https://github.com/falcosecurity/falco/pull/2769)] - [@Andreagit97](https://github.com/Andreagit97)
+* ci: disable falco-driver-loader tests on ARM64 [[#2770](https://github.com/falcosecurity/falco/pull/2770)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/falco): revised CLI help messages [[#2755](https://github.com/falcosecurity/falco/pull/2755)] - [@leogr](https://github.com/leogr)
+* fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [[#2767](https://github.com/falcosecurity/falco/pull/2767)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update: introduce new stats updated to the latest libs version [[#2766](https://github.com/falcosecurity/falco/pull/2766)] - [@Andreagit97](https://github.com/Andreagit97)
+* ci: support tests on amazon-linux [[#2765](https://github.com/falcosecurity/falco/pull/2765)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump Falco to latest libs master [[#2754](https://github.com/falcosecurity/falco/pull/2754)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-testing from `b39c807` to `9110022` [[#2760](https://github.com/falcosecurity/falco/pull/2760)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix: fix "ebpf_enabled" output stat [[#2751](https://github.com/falcosecurity/falco/pull/2751)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): support both old and new gcc + std::move [[#2748](https://github.com/falcosecurity/falco/pull/2748)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: turn some warnings into errors [[#2744](https://github.com/falcosecurity/falco/pull/2744)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(ci): minimize retention days for build-only CI artifacts [[#2743](https://github.com/falcosecurity/falco/pull/2743)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: remove unused `--pidfile` option from systemd units [[#2742](https://github.com/falcosecurity/falco/pull/2742)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `bf1639a` to `3ceea88` [[#2741](https://github.com/falcosecurity/falco/pull/2741)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `64ce419` to `bf1639a` [[#2738](https://github.com/falcosecurity/falco/pull/2738)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Relocate tools on Flatcar in BPF mode [[#2729](https://github.com/falcosecurity/falco/pull/2729)] - [@johananl](https://github.com/johananl)
+* build: update versioning with cmake [[#2727](https://github.com/falcosecurity/falco/pull/2727)] - [@leogr](https://github.com/leogr)
+* update(userspace/engine): make rule_matching strategy stateless  [[#2726](https://github.com/falcosecurity/falco/pull/2726)] - [@loresuso](https://github.com/loresuso)
+* chore: bump Falco to latest libs version [[#2722](https://github.com/falcosecurity/falco/pull/2722)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: enforce bumping engine version whenever appropriate [[#2719](https://github.com/falcosecurity/falco/pull/2719)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+## v0.35.1
+
+Released on 2023-06-29
+
+### Major Changes
+
+
+### Minor Changes
+
+* update(userspace): change description of snaplen option stating only performance implications [[#2634](https://github.com/falcosecurity/falco/pull/2634)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.3 [[#2662](https://github.com/falcosecurity/falco/pull/2662)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(config): minor config clarifications [[#2651](https://github.com/falcosecurity/falco/pull/2651)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump falco rules to v1.0.1 [[#2648](https://github.com/falcosecurity/falco/pull/2648)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): make source matching error more expressive [[#2623](https://github.com/falcosecurity/falco/pull/2623)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(.github): integrate Go regression tests [[#2437](https://github.com/falcosecurity/falco/pull/2437)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [[#2627](https://github.com/falcosecurity/falco/pull/2627)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): solve live multi-source issues when loading more than two sources [[#2653](https://github.com/falcosecurity/falco/pull/2653)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(driver-loader): fix ubuntu kernel version parsing [[#2635](https://github.com/falcosecurity/falco/pull/2635)] - [@therealbobo](https://github.com/therealbobo)
+* fix(userspace): switch to timer_settime API for stats writer. [[#2646](https://github.com/falcosecurity/falco/pull/2646)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* CI: bump ubuntu version for tests-driver-loader-integration job [[#2661](https://github.com/falcosecurity/falco/pull/2661)] - [@Andreagit97](https://github.com/Andreagit97)
+
+## v0.35.0
+
+Released on 2023-06-07
+
+### Major Changes
+
+* BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
+
+* new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [[#2333](https://github.com/falcosecurity/falco/pull/2333)] - [@incertum](https://github.com/incertum)
+* new(scripts): properly manage talos prebuilt drivers [[#2537](https://github.com/falcosecurity/falco/pull/2537)] - [@FedeDP](https://github.com/FedeDP)
+* new(release): released container images are now signed with cosign [[#2546](https://github.com/falcosecurity/falco/pull/2546)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(ci): ported master and release artifacts publishing CI to gha [[#2501](https://github.com/falcosecurity/falco/pull/2501)] - [@FedeDP](https://github.com/FedeDP)
+* new(app_actions): introduce base_syscalls user option [[#2428](https://github.com/falcosecurity/falco/pull/2428)] - [@incertum](https://github.com/incertum)
+* new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [[#2458](https://github.com/falcosecurity/falco/pull/2458)] - [@alacuku](https://github.com/alacuku)
+* new(userspace): add a new `syscall_drop_failed` config option to drop failed syscalls exit events [[#2456](https://github.com/falcosecurity/falco/pull/2456)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* update(cmake): bump Falco rules to 1.0.0 [[#2618](https://github.com/falcosecurity/falco/pull/2618)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.1 [[#2614](https://github.com/falcosecurity/falco/pull/2614)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump plugins to latest versions [[#2610](https://github.com/falcosecurity/falco/pull/2610)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump falco rules to 1.0.0-rc1 [[#2609](https://github.com/falcosecurity/falco/pull/2609)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.0 [[#2608](https://github.com/falcosecurity/falco/pull/2608)] - [@loresuso](https://github.com/loresuso)
+* cleanup(docs): update release.md [[#2599](https://github.com/falcosecurity/falco/pull/2599)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [[#2600](https://github.com/falcosecurity/falco/pull/2600)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(docs): adjust falco readme style and content [[#2594](https://github.com/falcosecurity/falco/pull/2594)] - [@incertum](https://github.com/incertum)
+* cleanup(userspace, config): improve metrics UX, add include_empty_values option [[#2593](https://github.com/falcosecurity/falco/pull/2593)] - [@incertum](https://github.com/incertum)
+* feat: add the curl and jq packages to the falco-no-driver docker image [[#2581](https://github.com/falcosecurity/falco/pull/2581)] - [@therealdwright](https://github.com/therealdwright)
+* update: add missing exception, required_engine_version, required_plugin_version to -L json output [[#2584](https://github.com/falcosecurity/falco/pull/2584)] - [@loresuso](https://github.com/loresuso)
+* feat: add image source OCI label to docker images [[#2592](https://github.com/falcosecurity/falco/pull/2592)] - [@therealdwright](https://github.com/therealdwright)
+* cleanup(config): improve falco config [[#2571](https://github.com/falcosecurity/falco/pull/2571)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump libs and plugins to latest dev versions [[#2586](https://github.com/falcosecurity/falco/pull/2586)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): always print invalid syscalls from custom set [[#2578](https://github.com/falcosecurity/falco/pull/2578)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(build): upgrade falcoctl to 0.5.0 [[#2572](https://github.com/falcosecurity/falco/pull/2572)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/falco/app): print all supported plugin caps [[#2564](https://github.com/falcosecurity/falco/pull/2564)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: get rules details with `-l` or `-L` flags when json output format is specified [[#2544](https://github.com/falcosecurity/falco/pull/2544)] - [@loresuso](https://github.com/loresuso)
+* update!: bump libs version, and support latest plugin features, add --nodriver option [[#2552](https://github.com/falcosecurity/falco/pull/2552)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(actions): now modern bpf support `-A` flag [[#2551](https://github.com/falcosecurity/falco/pull/2551)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: `falco-driver-loader` now uses now uses $TMPDIR if set [[#2518](https://github.com/falcosecurity/falco/pull/2518)] - [@jabdr](https://github.com/jabdr)
+* update: improve control and UX of ignored events [[#2509](https://github.com/falcosecurity/falco/pull/2509)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: bump libs and adapt Falco to new libsinsp event source management [[#2507](https://github.com/falcosecurity/falco/pull/2507)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [[#2457](https://github.com/falcosecurity/falco/pull/2457)] - [@incertum](https://github.com/incertum)
+* update(scripts): support al2022 and al2023 in falco-driver-loader. [[#2494](https://github.com/falcosecurity/falco/pull/2494)] - [@FedeDP](https://github.com/FedeDP)
+* update: sync libs with newest event name APIs [[#2471](https://github.com/falcosecurity/falco/pull/2471)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update!: remove `--mesos-api`, `-pmesos`, and `-pm` command-line flags [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
+* cleanup(unit_tests): try making test_configure_interesting_sets more robust [[#2464](https://github.com/falcosecurity/falco/pull/2464)] - [@incertum](https://github.com/incertum)
+
+
+### Bug Fixes
+
+* fix: unquote quoted URL's to avoid libcurl errors [[#2596](https://github.com/falcosecurity/falco/pull/2596)] - [@therealdwright](https://github.com/therealdwright)
+* fix(userspace/engine): store alternatives as array in -L json output [[#2597](https://github.com/falcosecurity/falco/pull/2597)] - [@loresuso](https://github.com/loresuso)
+* fix(userspace/engine): store required engine version as string in -L json output [[#2595](https://github.com/falcosecurity/falco/pull/2595)] - [@loresuso](https://github.com/loresuso)
+* fix(userspace/falco): report plugin deps rules issues in any case [[#2589](https://github.com/falcosecurity/falco/pull/2589)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): hotreload on wrong metrics [[#2582](https://github.com/falcosecurity/falco/pull/2582)] - [@therealbobo](https://github.com/therealbobo)
+* fix(userspace): check the supported number of online CPUs with modern bpf [[#2575](https://github.com/falcosecurity/falco/pull/2575)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): don't hang on terminating error when multi sourcing [[#2576](https://github.com/falcosecurity/falco/pull/2576)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): properly format numeric values in metrics [[#2569](https://github.com/falcosecurity/falco/pull/2569)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(scripts): properly support debian kernel releases embedded in kernel version [[#2377](https://github.com/falcosecurity/falco/pull/2377)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* docs(README.md): add scope/status badge and simply doc structure [[#2611](https://github.com/falcosecurity/falco/pull/2611)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `3471984` to `16fb709` [[#2598](https://github.com/falcosecurity/falco/pull/2598)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(proposals): Falco roadmap management [[#2547](https://github.com/falcosecurity/falco/pull/2547)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b2290ad` to `3471984` [[#2577](https://github.com/falcosecurity/falco/pull/2577)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(build): libs 0.11.0-rc2 [[#2573](https://github.com/falcosecurity/falco/pull/2573)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `b2290ad` [[#2570](https://github.com/falcosecurity/falco/pull/2570)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(ci): use repo instead of master branch for reusable workflows [[#2568](https://github.com/falcosecurity/falco/pull/2568)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(ci): cleaned up circleci workflow. [[#2566](https://github.com/falcosecurity/falco/pull/2566)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [[#2567](https://github.com/falcosecurity/falco/pull/2567)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): simplify and fix multi-arch image publishing process [[#2542](https://github.com/falcosecurity/falco/pull/2542)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): get the manifest for the correct tag [[#2563](https://github.com/falcosecurity/falco/pull/2563)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `6da15ae` [[#2559](https://github.com/falcosecurity/falco/pull/2559)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): properly use `docker save` to store images. [[#2560](https://github.com/falcosecurity/falco/pull/2560)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): docker arg is named `TARGETARCH`. [[#2558](https://github.com/falcosecurity/falco/pull/2558)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): set docker TARGET_ARCH [[#2557](https://github.com/falcosecurity/falco/pull/2557)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): use normal docker to build docker images, instead of buildx. [[#2556](https://github.com/falcosecurity/falco/pull/2556)] - [@FedeDP](https://github.com/FedeDP)
+* docs: improve documentation and description of base_syscalls option [[#2515](https://github.com/falcosecurity/falco/pull/2515)] - [@Happy-Dude](https://github.com/Happy-Dude)
+* Updating Falco branding guidelines [[#2493](https://github.com/falcosecurity/falco/pull/2493)] - [@aijamalnk](https://github.com/aijamalnk)
+* build(deps): Bump submodules/falcosecurity-rules from `f773578` to `6da15ae` [[#2553](https://github.com/falcosecurity/falco/pull/2553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): properly exclude prereleases when fetching latest tag from cmake [[#2550](https://github.com/falcosecurity/falco/pull/2550)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): load falco image before building falco-driver-loader [[#2549](https://github.com/falcosecurity/falco/pull/2549)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): correctly tag slim manifest [[#2545](https://github.com/falcosecurity/falco/pull/2545)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(config): modern bpf is no more experimental [[#2538](https://github.com/falcosecurity/falco/pull/2538)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(ci): add RC/prerelease support [[#2533](https://github.com/falcosecurity/falco/pull/2533)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): configure ECR public region [[#2531](https://github.com/falcosecurity/falco/pull/2531)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): falco images directory, ecr login [[#2528](https://github.com/falcosecurity/falco/pull/2528)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [[#2527](https://github.com/falcosecurity/falco/pull/2527)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): add Cloudfront Distribution ID [[#2525](https://github.com/falcosecurity/falco/pull/2525)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): escape heredoc [[#2521](https://github.com/falcosecurity/falco/pull/2521)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(ci): build-musl-package does not need to wait for build-packages anymore [[#2520](https://github.com/falcosecurity/falco/pull/2520)] - [@FedeDP](https://github.com/FedeDP)
+* fix: ci Falco version [[#2516](https://github.com/falcosecurity/falco/pull/2516)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fetch version step, download rpms/debs, minor change [[#2519](https://github.com/falcosecurity/falco/pull/2519)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [[#2514](https://github.com/falcosecurity/falco/pull/2514)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): enable toolset before every make command [[#2513](https://github.com/falcosecurity/falco/pull/2513)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): remove unnecessary mv [[#2512](https://github.com/falcosecurity/falco/pull/2512)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): bucket -> bucket_suffix [[#2511](https://github.com/falcosecurity/falco/pull/2511)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `5857874` to `1bd7e4a` [[#2478](https://github.com/falcosecurity/falco/pull/2478)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `694adf5` to `5857874` [[#2473](https://github.com/falcosecurity/falco/pull/2473)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(ci): properly set a concurrency for CI workflows. [[#2470](https://github.com/falcosecurity/falco/pull/2470)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `e0646a0` to `694adf5` [[#2466](https://github.com/falcosecurity/falco/pull/2466)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `0b0f50f` to `e0646a0` [[#2460](https://github.com/falcosecurity/falco/pull/2460)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
 ## v0.34.1
 
 Released on 2023-02-20
@@ -822,7 +1428,7 @@ Released on 2021-01-18
 ### Minor Changes
 
 * build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
-* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* rules(macro container_started): reuse `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
 * docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
 * docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
 * docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)

CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -14,11 +15,32 @@ cmake_minimum_required(VERSION 3.5.1)
 
 project(falco)
 
-option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
+
+if(WIN32)
+  if(POLICY CMP0091)
+    # Needed for CMAKE_MSVC_RUNTIME_LIBRARY
+    # https://cmake.org/cmake/help/latest/policy/CMP0091.html
+    cmake_policy(SET CMP0091 NEW)
+  endif()
+	set(CPACK_GENERATOR "NSIS") # this needs NSIS installed, and available
+elseif (APPLE)
+	set(CPACK_GENERATOR "DragNDrop")
+elseif(EMSCRIPTEN)
+  set(USE_BUNDLED_DEPS ON CACHE BOOL "" FORCE)
+  set(BUILD_DRIVER OFF CACHE BOOL "" FORCE)
+  set(ENABLE_DKMS OFF CACHE BOOL "" FORCE)
+  set(BUILD_BPF OFF CACHE BOOL "" FORCE)
+  set(CPACK_GENERATOR TGZ CACHE BOOL "" FORCE)
+endif()
 
 # gVisor is currently only supported on Linux x86_64
 if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
@@ -30,7 +52,7 @@ endif()
 
 # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
 if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
-  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
+  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON)
   if(BUILD_FALCO_MODERN_BPF)
     add_definitions(-DHAS_MODERN_BPF)
   endif()
@@ -44,9 +66,6 @@ if (${EP_UPDATE_DISCONNECTED})
     PROPERTY EP_UPDATE_DISCONNECTED TRUE)
 endif()
 
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_EXTENSIONS OFF)
-
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
 
@@ -68,57 +87,13 @@ if(NOT DEFINED FALCO_ETC_DIR)
 endif()
 
 # This will be used to print the architecture for which Falco is compiled.
-set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
-
-if(NOT FALCO_EXTRA_DEBUG_FLAGS)
-  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
-endif()
-
-string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
-if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+if (EMSCRIPTEN)
+  set(FALCO_TARGET_ARCH "wasm")
 else()
-  set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
-  add_definitions(-DBUILD_TYPE_RELEASE)
-endif()
-message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
-
-if(MINIMAL_BUILD)
-  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+  set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
 endif()
 
-if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -fPIE -pie")
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
-
-# explicitly set hardening flags
-set(CMAKE_POSITION_INDEPENDENT_CODE ON)
-set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
-if(CMAKE_BUILD_TYPE STREQUAL "release")
-  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
-endif()
-
-set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
-
-if(BUILD_WARNINGS_AS_ERRORS)
-  set(CMAKE_SUPPRESSED_WARNINGS
-      "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
-  )
-  set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
-endif()
-
-set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
-
-set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
-set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
-
-set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
-set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
-
-include(GetFalcoVersion)
+include(CompilerFlags)
 
 set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
@@ -147,25 +122,23 @@ include(ExternalProject)
 # libs
 include(falcosecurity-libs)
 
-# jq
-include(jq)
+# compute FALCO_VERSION (depends on libs)
+include(falco-version)
 
 # nlohmann-json
 include(njson)
 
-# b64
-include(b64)
-
 # yaml-cpp
 include(yaml-cpp)
 
-if(NOT MINIMAL_BUILD)
+if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
   # OpenSSL
   include(openssl)
 
   # libcurl
   include(curl)
 
+  # todo(jasondellaluce,rohith-raju): support webserver for non-linux builds too
   # cpp-httlib
   include(cpp-httplib)
 endif()
@@ -173,33 +146,43 @@ endif()
 include(cxxopts)
 
 # One TBB
-include(tbb)
+if (NOT EMSCRIPTEN)
+  include(tbb)
+endif()
 
-if(NOT MINIMAL_BUILD)
-  include(zlib)
-  include(cares)
-  include(protobuf)
-  # gRPC
-  include(grpc)
+include(zlib)
+if (NOT MINIMAL_BUILD)
+  if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN)
+    include(cares)
+    include(protobuf)
+    # gRPC
+    include(grpc)
+  endif()
 endif()
 
 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+if(WIN32)
+	set(FALCO_INSTALL_CONF_FILE "%PROGRAMFILES%/${PACKAGE_NAME}-${FALCO_VERSION}/etc/falco/falco.yaml")
+	install(FILES falco.yaml DESTINATION etc/falco/ COMPONENT "${FALCO_COMPONENT_NAME}")
+    install(DIRECTORY DESTINATION etc/falco/config.d COMPONENT "${FALCO_COMPONENT_NAME}")
+elseif(APPLE)
+	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
+	install(FILES falco.yaml DESTINATION etc/falco/ COMPONENT "${FALCO_COMPONENT_NAME}")
+    install(DIRECTORY DESTINATION etc/falco/config.d COMPONENT "${FALCO_COMPONENT_NAME}")
+else()
+	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
+	install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+    install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/config.d" COMPONENT "${FALCO_COMPONENT_NAME}")
+endif()
 
 if(NOT MINIMAL_BUILD)
   # Coverage
   include(Coverage)
-
-  # Tests
-  add_subdirectory(test)
 endif()
 
 # Rules
 include(rules)
 
-# Dockerfiles
-add_subdirectory(docker)
-
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
@@ -207,9 +190,7 @@ add_subdirectory(docker)
 include(static-analysis)
 
 # Shared build variables
-set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
-set(FALCO_PLUGINS_DIR ${FALCO_SHARE_DIR}/plugins)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
 
@@ -217,12 +198,10 @@ add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 
-if(NOT MUSL_OPTIMIZED_BUILD)
-  include(plugins)
+if(NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
+  include(falcoctl)
 endif()
 
-include(falcoctl)
-
 # Packages configuration
 include(CPackConfig)
 

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2019 The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

OWNERS

@@ -4,6 +4,8 @@ approvers:
   - jasondellaluce
   - fededp
   - andreagit97
+  - incertum
+  - LucaGuerra
 reviewers:
   - kaizhe
 emeritus_approvers:

README.md

@@ -1,75 +1,24 @@
-<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
+# Falco
 
-<hr>
+[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
 
-## Latest releases
+[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 
-<!-- 
-Badges in the following table are constructed by using the
-https://img.shields.io/badge/dynamic/xml endpoint.
+[Falco](https://falco.org/) is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
 
-Parameters are configured for fetching packages from S3 before 
-(filtered by prefix, sorted in ascending order) and for picking 
-the latest package by using an XPath selector after.
+At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
 
-- Common query parameters:
-
-color=#300aec7
-style=flat-square
-label=Falco
-
-- DEB packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
-
-- RPM packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
-
-- BIN packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
-query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
-
-Notes:
- - if more than 1000 items are present under as S3 prefix, 
-   the actual latest package will be not picked;
-   see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- - for `-dev` packages, the S3 prefix is modified accordingly
- - finally, all parameters are URL encoded and appended to the badge endpoint
-
--->
-
-|              | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| rpm-x86_64          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
-| deb-x86_64          | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
-| binary-x86_64       | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
-| rpm-aarch64    | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
-| deb-aarch64    | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
-| binary-aarch64 | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
-
-For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.
-
-## Introduction to Falco
-
-[Falco](https://falco.org/), originally created by [Sysdig](https://sysdig.com), is an incubating project under the [CNCF](https://cncf.io).
-
-Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
-
-At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
+Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated project** under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).
 
 For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
+For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md). Additionally, we have documented the [Release Process](RELEASE.md) for delivering new versions of Falco.
 
 ## Falco Repo: Powering the Core of The Falco Project
 
-This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libs](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
 
 - [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
 - [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
@@ -80,7 +29,7 @@ For more information, visit the official hub of The Falco Project: [falcosecurit
 
 ## Getting Started with Falco
 
-Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).
+Carefully review and follow the [Official Documentation](https://falco.org/docs/install-operate/).
 
 Considerations and guidance for Falco adopters:
 
@@ -97,12 +46,11 @@ Considerations and guidance for Falco adopters:
 
 ## How to Contribute
 
-Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.
-
+Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
 
 ## Join the Community
 
-To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
+To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.
 
 If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
 
@@ -116,7 +64,7 @@ How to reach out?
 
 Full reports of various security audits can be found [here](./audits/).
 
-In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.
+In addition, you can refer to the [falco](https://github.com/falcosecurity/falco/security) and [libs](https://github.com/falcosecurity/libs/security) security sections for detailed updates on security advisories and policies.
 
 To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
@@ -124,11 +72,67 @@ To report security vulnerabilities, please follow the community process outlined
 
 Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
 
-
 ## License
 
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
+## Testing
+
+<details>
+	<summary>Expand Testing Instructions</summary>
+
+Falco's [Build Falco from source](https://falco.org/docs/install-operate/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
+
+Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
+
+```bash
+cmake \
+-DUSE_BUNDLED_DEPS=ON \
+-DBUILD_LIBSCAP_GVISOR=ON \
+-DBUILD_BPF=ON \
+-DBUILD_DRIVER=ON \
+-DBUILD_FALCO_MODERN_BPF=ON \
+-DCREATE_TEST_TARGETS=ON \
+-DBUILD_FALCO_UNIT_TESTS=ON ..;
+```
+
+Build and run the unit test suite:
+
+```bash
+nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');
+make -j$(($nproc-1)) falco_unit_tests;
+# Run the tests
+sudo ./unit_tests/falco_unit_tests;
+```
+
+Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.
+
+Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity/testing](https://github.com/falcosecurity/testing).
+
+
+</details>
+
+</br>
+
+## Why is Falco in C++ rather than Go or {language}?
+
+<details>
+	<summary>Expand Information</summary>
+
+1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
+2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
+3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
+4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
+5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
+6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
+7. The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.
+8. In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugin to be statically-linked at compilation time and so released as bundled in the Falco binary. Although no work started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.
+9. Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
+10. The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.
+
+</details>
+</br>
+
 ## Resources
 
  - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
@@ -138,13 +142,5 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
  - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
  - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
  - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
-
-
-[1]: https://download.falco.org/?prefix=packages/rpm-dev/
-[2]: https://download.falco.org/?prefix=packages/rpm/
-[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
-[4]: https://download.falco.org/?prefix=packages/deb/stable/
-[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
-[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
-[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
-[8]: https://download.falco.org/?prefix=packages/bin/aarch64/
+ - [Install and Operate](https://falco.org/docs/install-operate/)
+ - [Troubleshooting](https://falco.org/docs/troubleshooting/)

RELEASE.md

@@ -146,46 +146,8 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
-- Use the following template to fill the release description:
-    ```
-    <!-- Substitute M.m.p with the current release version -->
-
-    | Packages | Download                                                                                                                                               |
-    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
-    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
-    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
-    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
-    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
-    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
-
-    | Images                                                                      |
-    | --------------------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
-    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |
-
-    <changelog>
-
-    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
-
-    ### Statistics
-
-    | Merged PRs      | Number |
-    | --------------- | ------ |
-    | Not user-facing | x      |
-    | Release note    | x      |
-    | Total           | x      |
-
-    <!-- Calculate stats and fill the above table -->
-
-    #### Release Manager <github handle>
-
-    <!-- Substitute GitHub handle with the release manager's one -->
-    ```
-
-- Finally, publish the release!
+- Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
+- Publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
@@ -217,7 +179,7 @@ This section provides more details around the versioning of the components that
 
 ### Falco repo (this repo)
 - Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
-- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` computed via `falco --list -N | sha256sum` has changed. The primary idea is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced, a version change indicates that these fields were not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. Lastly, `FALCO_ENGINE_VERSION` is typically incremented once during a Falco release cycle, while `FALCO_FIELDS_CHECKSUM` is bumped whenever necessary during the development and testing phases of the release cycle.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and loading logic, and/or when `FALCO_ENGINE_CHECKSUM` has changed. The checksum is computed by considering the available rules fields (see currently supported [Falco fields](https://falco.org/docs/reference/rules/supported-fields/)), the event types (see currently supported [Falco events](https://falco.org/docs/reference/rules/supported-events/)), and the supported driver schema version. A checksum indicates that something was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The version number must be incremented every time and only when a single change or an atomic group of changes - which meet the criteria described above - is included in the `master` branch. Thus, a version bump can occur multiple times during the development and testing phases of a given release cycle. A given version bump must not group multiple changes that occurred sporadically during the release cycle.
 - During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
 - Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
 - At release time Plugin, Libs and Driver versions are compatible with Falco.

brand/README.md

@@ -7,13 +7,9 @@ Falco is an open source security project whose brand and identity are governed b
 
 This document describes the official branding guidelines of The Falco Project. Please see the [Falco Branding](https://falco.org/community/falco-brand/) page on our website for further details.
 
-Content in this document can be used to publicly share about Falco.
-
-
-
 ### Logo
 
-There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues or printing.
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
@@ -36,55 +32,6 @@ The primary colors are those in the first two rows.
 
 > Cloud Native Runtime Security
 
-### What is Falco?
-
-Falco is a runtime security project originally created by Sysdig, Inc.
-Falco was contributed to the CNCF in October 2018.
-The CNCF now owns The Falco Project.
-
-### What is Runtime Security?
-
-Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
-Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
-Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
-
-### What does Falco do?
-
-Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
-Falco parses the signals and asserts them against security rules.
-If a rule has been violated, Falco triggers an alert. 
-
-### How does Falco work?
-
-Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
-Falco enriches these kernel events with information about containers running on the system.
-Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
-At runtime, Falco will reason about these events and assert them against configured security rules.
-Based on the severity of a violation an alert is triggered.
-These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
-
-### Benefits of using Falco
-
- - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
- - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
- - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
-    
-### Falco and securing Kubernetes
-
-Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
-
-Examples of malicious behavior include: 
-
- - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
- - Insecure configurations in applications or Kubernetes itself. 
- - Leaked or weak credentials or secret material.
- - Insider threats from adjacent applications running at the same layer. 
-
-Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
-By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
-
 ### Writing about Falco
 
 ##### Yes
@@ -100,49 +47,31 @@ Notice the capitalization of the following terms.
  - the falco project
  - the Falco project
 
-### Encouraged Phrasing
-
-Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
-Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
-
-##### Falco as a factory
-
-This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
-
-##### The engine that powers...
-
-Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
-
-##### Anomaly detection
-
-This refers to an event that occurs with something unusual, concerning, or odd occurs.
-We can associate anomalies with unwanted behavior, and alert in their presence.
-
-##### Detection tooling
-
-Falco does not prevent unwanted behavior.
-Falco however alerts when unusual behavior occurs.
-This is commonly referred to as **detection** or **forensics**.
-
 ---
 
-# Glossary 
+# Glossary
 
-#### Probe
+This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website.
+
+#### eBPF Probe
 
 Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `module`.
 
-#### Module
+#### Modern eBPF Probe
+
+More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability. 
+Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+
+#### Kernel Module
 
 Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `probe`.
 
 #### Driver 
 
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
 
 #### Plugin
 
@@ -150,13 +79,5 @@ Used to describe a dynamic shared library (`.so` files in Unix, `.dll` files in
 
 #### Falco
 
-The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
-
-#### Sysdig, Inc
-
-The name of the company that originally created The Falco Project, and later donated to the CNCF.
-
-#### sysdig 
-
-A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+The name of the project and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
 

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,3 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -20,24 +21,35 @@ set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
 set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
 set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
+if (EMSCRIPTEN)
+  set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
+else()
+  set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
+endif()
+
+if(WIN32)
+	SET(CPACK_PACKAGE_INSTALL_DIRECTORY "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+endif()
 
 # Built packages will include only the following components
 set(CPACK_INSTALL_CMAKE_PROJECTS
-  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
-  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/" 
 )
-if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux") # only Linux has drivers
   list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
-    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
-  )
+    "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/")
 endif()
 
 if(NOT CPACK_GENERATOR)
+  if (CMAKE_SYSTEM_NAME MATCHES "Linux")
     set(CPACK_GENERATOR DEB RPM TGZ)
+  else()
+    set(CPACK_GENERATOR TGZ)
+  endif()
 endif()
 
 message(STATUS "Using package generators: ${CPACK_GENERATOR}")

cmake/modules/CompilerFlags.cmake

@@ -0,0 +1,115 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_EXTENSIONS OFF)
+
+if(NOT FALCO_EXTRA_DEBUG_FLAGS)
+  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
+endif()
+
+string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+else()
+  set(CMAKE_BUILD_TYPE "release")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+  add_definitions(-DBUILD_TYPE_RELEASE)
+endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
+
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os -fPIE -pie")
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+# explicitly set hardening flags
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+set(FALCO_SECURITY_FLAGS "")
+if(LINUX)
+  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fstack-protector-strong")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
+endif()
+
+
+if(NOT MSVC)
+
+	if(CMAKE_BUILD_TYPE STREQUAL "release")
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+	endif()
+
+	if(USE_ASAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
+	endif()
+
+	if(USE_UBSAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")
+		if(UBSAN_HALT_ON_ERROR)
+			set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-sanitize-recover=undefined")
+		endif()
+	endif()
+
+	set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+
+	if(BUILD_WARNINGS_AS_ERRORS)
+		set(CMAKE_SUPPRESSED_WARNINGS
+			"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
+		)
+		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
+		set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
+	endif()
+
+	set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
+	set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS}")
+
+	set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+	set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+
+	set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
+	set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
+
+else() # MSVC
+	set(MINIMAL_BUILD ON)
+	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
+
+	# The WIN32_LEAN_AND_MEAN define avoids possible macro pollution
+	# when a libsinsp consumer includes the windows.h header.
+	# See: https://stackoverflow.com/a/28380820
+
+	add_compile_definitions(
+		_HAS_STD_BYTE=0
+		_CRT_SECURE_NO_WARNINGS
+		WIN32
+		MINIMAL_BUILD
+		WIN32_LEAN_AND_MEAN
+	)
+
+	set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
+	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
+	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+
+	set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
+	set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
+
+	set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
+	set(CMAKE_CXX_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
+
+	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
+	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
+
+endif()

cmake/modules/Coverage.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/GetFalcoVersion.cmake

@@ -1,84 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# Retrieve git ref and commit hash
-include(GetGitRevisionDescription)
-
-# Create the falco version variable according to git index
-if(NOT FALCO_VERSION)
-  # Try to obtain the exact git tag
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-      # Obtain the closest tag
-      git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
-      string(REGEX MATCH "^[0-9]+.[0-9]+.[0-9]+$" FALCO_TAG ${FALCO_VERSION})
-      if(FALCO_VERSION MATCHES "NOTFOUND$" OR FALCO_TAG STREQUAL "")
-        # Fetch current hash
-        get_git_head_revision(refspec FALCO_HASH)
-        if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
-          set(FALCO_VERSION "0.0.0")
-        else()
-          # Obtain the closest tag
-          git_get_latest_tag(FALCO_LATEST_TAG)
-          if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
-            set(FALCO_VERSION "0.0.0")
-          else()
-            # Compute commit delta since tag
-            git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
-            if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
-              set(FALCO_VERSION "0.0.0")
-            else()
-              # Cut hash to 7 bytes
-              string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
-              # Format FALCO_VERSION to be semver with prerelease and build part
-              set(FALCO_VERSION
-                    "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
-            endif()
-          endif()
-        endif()
-      endif()
-      # Format FALCO_VERSION to be semver with prerelease and build part
-      string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
-  else()
-    # A tag has been found: use it as the Falco version
-    set(FALCO_VERSION "${FALCO_TAG}")
-  endif()
-endif()
-
-# Remove the starting "v" in case there is one
-string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
-
-# TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
-string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                     "${FALCO_VERSION}")
-string(
-  REGEX
-  REPLACE
-    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-    "\\5"
-    FALCO_VERSION_PRERELEASE
-    "${FALCO_VERSION}")
-
-if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_PRERELEASE "")
-endif()
-if(NOT FALCO_VERSION_BUILD)
-  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
-endif()
-if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_BUILD "")
-endif()
-
-message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -1,275 +0,0 @@
-# * Returns a version string from Git
-#
-# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
-# build system.
-#
-# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
-#
-# Returns the refspec and sha hash of the current head revision
-#
-# git_describe(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
-# occurs.
-#
-# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
-# if there was no exact matching tag.
-#
-# git_local_changes(<var>)
-#
-# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
-# HEAD --". Does not regard untracked files.
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
-# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
-
-if(__get_git_revision_description)
-  return()
-endif()
-set(__get_git_revision_description YES)
-
-# We must run the following at "include" time, not at function call time, to find the path to this module rather than
-# the path to a calling list file
-get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
-
-function(get_git_head_revision _refspecvar _hashvar)
-  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
-  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
-    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
-    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
-    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
-      # We have reached the root directory, we are not in git
-      set(${_refspecvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      set(${_hashvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      return()
-    endif()
-    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  endwhile()
-  # check if this is a submodule
-  if(NOT IS_DIRECTORY ${GIT_DIR})
-    file(READ ${GIT_DIR} submodule)
-    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
-    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
-    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
-  endif()
-  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
-  if(NOT EXISTS "${GIT_DATA}")
-    file(MAKE_DIRECTORY "${GIT_DATA}")
-  endif()
-
-  if(NOT EXISTS "${GIT_DIR}/HEAD")
-    return()
-  endif()
-  set(HEAD_FILE "${GIT_DATA}/HEAD")
-  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
-
-  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
-  include("${GIT_DATA}/grabRef.cmake")
-
-  set(${_refspecvar}
-      "${HEAD_REF}"
-      PARENT_SCOPE)
-  set(${_hashvar}
-      "${HEAD_HASH}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_get_latest_tag _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # We use git describe --tags `git rev-list --exclude "*.*.*-*" --tags --max-count=1`
-  # Note how we eclude prereleases tags (the ones with "-alphaX")
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          rev-list
-          --exclude "*.*.*-*"
-          --tags
-          --max-count=1
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          tag_hash
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    describe
-    --tags
-    ${tag_hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-  set(${_var} "${out}" PARENT_SCOPE)
-endfunction()
-
-function(git_get_delta_from_tag _var tag hash)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # Count commits in HEAD
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_head
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  # Count commits in latest tag
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_tag
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    expr
-    ${out_counter_head} - ${out_counter_tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_delta
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-  set(${_var} "${out_delta}" PARENT_SCOPE)
-endfunction()
-
-function(git_describe _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-            "GIT-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-            "HEAD-HASH-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          describe
-          ${hash}
-          ${ARGN}
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          out
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-
-  set(${_var}
-          "${out}"
-          PARENT_SCOPE)
-endfunction()
-
-function(git_get_exact_tag _var)
-  git_describe(out --exact-match ${ARGN})
-  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_local_changes _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(
-    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
-    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE res
-    OUTPUT_VARIABLE out
-    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(res EQUAL 0)
-    set(${_var}
-        "CLEAN"
-        PARENT_SCOPE)
-  else()
-    set(${_var}
-        "DIRTY"
-        PARENT_SCOPE)
-  endif()
-endfunction()

cmake/modules/GetGitRevisionDescription.cmake.in

@@ -1,41 +0,0 @@
-#
-# Internal file for GetGitRevisionDescription.cmake
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author:
-# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
-# http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010.
-# Distributed under the Boost Software License, Version 1.0.
-# (See accompanying file LICENSE_1_0.txt or copy at
-# http://www.boost.org/LICENSE_1_0.txt)
-
-set(HEAD_HASH)
-
-file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
-
-string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
-if(HEAD_CONTENTS MATCHES "ref")
-	# named branch
-	string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
-	if(EXISTS "@GIT_DIR@/${HEAD_REF}")
-		configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
-	else()
-		configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
-		file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
-		if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
-			set(HEAD_HASH "${CMAKE_MATCH_1}")
-		endif()
-	endif()
-else()
-	# detached HEAD
-	configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
-endif()
-
-if(NOT HEAD_HASH)
-	file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
-	string(STRIP "${HEAD_HASH}" HEAD_HASH)
-endif()

cmake/modules/copy_files_to_build_dir.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/cpp-httplib.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,22 +12,15 @@
 # specific language governing permissions and limitations under the License.
 #
 
-#
-# cpp-httplib (https://github.com/yhirose/cpp-httplib)
-#
-if(CPPHTTPLIB_INCLUDE)
-	# we already have cpp-httplib
+option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_CPPHTTPLIB)
+    include(FetchContent)
+    FetchContent_Declare(cpp-httplib
+        URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.15.3.tar.gz
+        URL_HASH SHA256=2121bbf38871bb2aafb5f7f2b9b94705366170909f434428352187cb0216124e
+    )
+    FetchContent_MakeAvailable(cpp-httplib)
 else()
-	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
-	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
-
-	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
-
-	ExternalProject_Add(cpp-httplib
-		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
-		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ""
-		INSTALL_COMMAND "")	
+    find_package(httplib CONFIG REQUIRED)
 endif()

cmake/modules/cxxopts.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,13 +12,32 @@
 # specific language governing permissions and limitations under the License.
 #
 
-set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
-set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+#
+# cxxopts (https://github.com/jarro2783/cxxopts)
+#
 
-ExternalProject_Add(
+option(USE_BUNDLED_CXXOPTS "Enable building of the bundled cxxopts" ${USE_BUNDLED_DEPS})
+
+if(CXXOPTS_INCLUDE_DIR)
+    # we already have cxxopts
+elseif(NOT USE_BUNDLED_CXXOPTS)
+    find_package(cxxopts CONFIG REQUIRED)
+    get_target_property(CXXOPTS_INCLUDE_DIR cxxopts::cxxopts INTERFACE_INCLUDE_DIRECTORIES)
+else()
+    set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
+    set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+
+    message(STATUS "Using bundled cxxopts in ${CXXOPTS_SRC}")
+
+    ExternalProject_Add(
         cxxopts
         URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
         URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
-	CONFIGURE_COMMAND ""
-	BUILD_COMMAND ""
-	INSTALL_COMMAND "")
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+endif()
+
+if(NOT TARGET cxxopts)
+    add_custom_target(cxxopts)
+endif()

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -15,11 +16,12 @@ cmake_minimum_required(VERSION 3.5.1)
 project(driver-repo NONE)
 
 include(ExternalProject)
+message(STATUS "Driver repository: ${DRIVER_REPO}")
 message(STATUS "Driver version: ${DRIVER_VERSION}")
 
 ExternalProject_Add(
   driver
-  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
+  URL "https://github.com/${DRIVER_REPO}/archive/${DRIVER_VERSION}.tar.gz"
   URL_HASH "${DRIVER_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/driver.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -20,18 +21,29 @@ if(DRIVER_SOURCE_DIR)
   set(DRIVER_VERSION "0.0.0-local")
   message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
 else()
+  # DRIVER_REPO accepts a repository name (<org name>/<repo name>) alternative to the falcosecurity/libs repository.
+  # In case you want to test against a fork of falcosecurity/libs just pass the variable -
+  # ie., `cmake -DDRIVER_REPO=<your-gh-handle>/libs ..` 
+  if (NOT DRIVER_REPO)
+    set(DRIVER_REPO "falcosecurity/libs")
+  endif()
+
   # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
   # which contains the driver source code under the `/driver` directory.
   # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "5.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=8b197b916b6419dac8fb41807aa05d822164c7bfd2c3eef66d20d060a05a485a")
+    set(DRIVER_VERSION "7.2.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=0ae749718557812dc008bdfd8eaa81355094a0975380df1021b1e2bf2ee91457")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}" -DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+  execute_process(COMMAND "${CMAKE_COMMAND}"
+      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+      -DDRIVER_REPO=${DRIVER_REPO}
+      -DDRIVER_VERSION=${DRIVER_VERSION}
+      -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
     ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
 
   # cmake --build .

cmake/modules/falco-version.cmake

@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# Retrieve git ref and commit hash
+include(GetVersionFromGit)
+
+# Get Falco version variable according to git index
+if(NOT FALCO_VERSION)
+  set(FALCO_VERSION "0.0.0")
+  get_version_from_git(FALCO_VERSION "" "")
+endif()
+
+# Remove the starting "v" in case there is one
+string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
+
+string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                     "${FALCO_VERSION}")
+string(
+  REGEX
+  REPLACE
+    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+    "\\5"
+    FALCO_VERSION_PRERELEASE
+    "${FALCO_VERSION}")
+
+if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_PRERELEASE "")
+endif()
+if(NOT FALCO_VERSION_BUILD)
+  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+endif()
+if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+  set(FALCO_VERSION_BUILD "")
+endif()
+
+message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/falcoctl.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -15,14 +16,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.5.0")
+set(FALCOCTL_VERSION "0.8.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
+    set(FALCOCTL_HASH "7b763bfaf38faf582840af22750dca7150d03958a5dc47f6118748713d661589")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
+    set(FALCOCTL_HASH "7f826de7a8a84e65c46a160e7e59d1deca874f39b79a8251721a2669905baf14")
 endif()
 
 ExternalProject_Add(
@@ -34,3 +35,4 @@ ExternalProject_Add(
         INSTALL_COMMAND "")
 
 install(PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl" DESTINATION "${FALCO_BIN_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+install(DIRECTORY DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins" COMPONENT "${FALCO_COMPONENT_NAME}")

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -15,11 +16,12 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
+message(STATUS "Libs repository: ${FALCOSECURITY_LIBS_REPO}")
 message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/${FALCOSECURITY_LIBS_REPO}/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -23,17 +24,25 @@ if(FALCOSECURITY_LIBS_SOURCE_DIR)
   set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
   message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
 else()
+  # FALCOSECURITY_LIBS_REPO accepts a repository name (<org name>/<repo name>) alternative to the falcosecurity/libs repository.
+  # In case you want to test against a fork of falcosecurity/libs just pass the variable -
+  # ie., `cmake -DFALCOSECURITY_LIBS_REPO=<your-gh-handle>/libs ..`
+  if (NOT FALCOSECURITY_LIBS_REPO)
+    set(FALCOSECURITY_LIBS_REPO "falcosecurity/libs")
+  endif()
+
   # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc5")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=079ab5f596a0d8af2a7f843e8159f83cb7c864331019aaed822daa737c75e9e7")
+    set(FALCOSECURITY_LIBS_VERSION "0.17.3-rc2")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=687981eab9b5fedd6c2565fe3dd2ed85d35414eb5c548553aef485b1a48f87ba")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
   execute_process(COMMAND "${CMAKE_COMMAND}"
       -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+      -DFALCOSECURITY_LIBS_REPO=${FALCOSECURITY_LIBS_REPO}
       -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
       -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
     ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
@@ -45,8 +54,10 @@ endif()
 
 set(LIBS_PACKAGE_NAME "falcosecurity")
 
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+  add_definitions(-D_GNU_SOURCE)
+  add_definitions(-DHAS_CAPTURE)
+endif()
 
 if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
@@ -56,12 +67,10 @@ set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME")
 set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH")
 
-if(NOT LIBSCAP_DIR)
-  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+if(NOT LIBS_DIR)
+  set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()
 
-set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
-
 # configure gVisor support
 set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
 
@@ -73,10 +82,14 @@ set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
 
 set(USE_BUNDLED_TBB ON CACHE BOOL "")
-set(USE_BUNDLED_B64 ON CACHE BOOL "")
 set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
+set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+if(USE_DYNAMIC_LIBELF)
+  set(USE_BUNDLED_LIBELF OFF CACHE BOOL "")
+  set(USE_SHARED_LIBELF ON CACHE BOOL "")
+endif()
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 
@@ -84,12 +97,15 @@ include(CheckSymbolExists)
 check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
 
 if(HAVE_STRLCPY)
-  message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+  message(STATUS "Existing strlcpy and strlcat found, will *not* use local definition by setting -DHAVE_STRLCPY and -DHAVE_STRLCAT.")
   add_definitions(-DHAVE_STRLCPY)
+  add_definitions(-DHAVE_STRLCAT)
 else()
-  message(STATUS "No strlcpy found, will use local definition")
+  message(STATUS "No strlcpy and strlcat found, will use local definition")
 endif()
 
-include(driver)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+  include(driver)
+endif()
 include(libscap)
 include(libsinsp)

cmake/modules/libyaml.cmake

@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
-set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
-message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
-set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-externalproject_add(
-  libyaml
-  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${LIBYAML_LIB}
-  INSTALL_COMMAND ${CMD_MAKE} install
-)

cmake/modules/njson.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -11,24 +12,15 @@
 # specific language governing permissions and limitations under the License.
 #
 
-#
-# nlohmann-json
-#
-if(NJSON_INCLUDE)
-    # Adding the custom target we can use it with `add_dependencies()`
-    if(NOT TARGET njson)
-        add_custom_target(njson)
-    endif()
+option(USE_BUNDLED_NLOHMANN_JSON "Enable building of the bundled nlohmann-json" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_NLOHMANN_JSON)
+    include(FetchContent)
+    FetchContent_Declare(nlohmann_json
+        URL https://github.com/nlohmann/json/archive/v3.11.3.tar.gz
+        URL_HASH SHA256=0d8ef5af7f9794e3263480193c491549b2ba6cc74bb018906202ada498a79406
+    )
+    FetchContent_MakeAvailable(nlohmann_json)
 else()
-    # We always use the bundled version
-    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-    ExternalProject_Add(
-        njson
-        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-        CONFIGURE_COMMAND ""
-        BUILD_COMMAND ""
-        INSTALL_COMMAND "")
-    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+    find_package(nlohmann_json CONFIG REQUIRED)
 endif()

cmake/modules/plugins.cmake

@@ -1,97 +0,0 @@
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-# 'stable' or 'dev'
-set(PLUGINS_DOWNLOAD_BUCKET "dev")
-
-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
-
-if(NOT DEFINED PLUGINS_COMPONENT_NAME)
-    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
-endif()
-
-# k8saudit
-set(PLUGIN_K8S_AUDIT_VERSION "0.6.0-0.5.3-33%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "990e5c67d3b3c7cf5d30c73d73871b58767171ce7c998c1ca1d94d70c67db290")
-else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "c3634dfa83c8c8898811ab6b7587ea6d1c6dfffbdfa56def28cab43aaf01f88c")
-endif()
-
-ExternalProject_Add(
-  k8saudit-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-ExternalProject_Add(
-  k8saudit-rules
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=2e3214fee00a012b32402aad5198df889773fc5f86b8ab87583fbc56ae5fb78c"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-# cloudtrail
-set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0-0.7.3-33%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "144c297ae4285ea84b04af272f708a8b824f58bc9427a2eb91b467a6285d9e10")
-else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "19e7e8e11aaecd16442f65a265d3cd80ffb736ca4d3d8215893900fa0f04b926")
-endif()
-
-ExternalProject_Add(
-  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-ExternalProject_Add(
-  cloudtrail-rules
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=4f51d4bd9679f7f244c225b6fe530323f3536663da26a5b9d94d6953ed4e2cbc"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-# json
-set(PLUGIN_JSON_VERSION "0.7.0-0.6.2-36%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "a9d8c595a139df5dc0cf2117127b496c94a9d3a3d0e84c1f18b3ccc9163f5f4a")
-else() # aarch64
-    set(PLUGIN_JSON_HASH "7d78620395526d1e6a948cc915d1d52a343c2b637c9ac0e3892e76826fcdc2df")
-endif()
-
-ExternalProject_Add(
-  json-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

cmake/modules/rules.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2024 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -15,8 +16,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-0.1.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=0d3705a4650f09d10e7831b16e7af59c1da34ff19e788896e9ee77010014db4d")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.1.0")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=3b617920c0b66128627613e591a954eb9572747a4c287bc13b53b38786250162")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco
@@ -33,7 +34,11 @@ set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-lo
 file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
 
 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+	set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+endif()
+
+if(WIN32 OR APPLE)
+	set(FALCO_ETC_DIR "etc/falco")
 endif()
 
 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)

cmake/modules/static-analysis.cmake

@@ -1,3 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 # create the reports folder
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)

cmake/modules/yaml-cpp.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -10,26 +11,16 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
-if(NOT USE_BUNDLED_DEPS)
-  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
-  find_library(YAMLCPP_LIB NAMES yaml-cpp)
-  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
-    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system yamlcpp")
-  endif()
-  add_custom_target(yamlcpp)
+
+option(USE_BUNDLED_YAMLCPP "Enable building of the bundled yamlcpp" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_YAMLCPP)
+    include(FetchContent)
+    FetchContent_Declare(yamlcpp
+        URL https://github.com/jbeder/yaml-cpp/archive/refs/tags/0.8.0.tar.gz
+        URL_HASH SHA256=fbe74bbdcee21d656715688706da3c8becfd946d92cd44705cc6098bb23b3a16
+    )
+    FetchContent_MakeAvailable(yamlcpp)
 else()
-  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-  set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-  ExternalProject_Add(
-    yamlcpp
-    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
-    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
+    find_package(yaml-cpp CONFIG REQUIRED)
 endif()

docker/CMakeLists.txt

@@ -1 +0,0 @@
-add_subdirectory(local)

docker/README.md

@@ -7,11 +7,12 @@ This directory contains various ways to package Falco as a container and related
 | Name | Directory | Description |
 |---|---|---|
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| _not yet published (experimental)_ | docker/ubi | Falco (built from RedHat's UBI base image) with the building toolchain. |
 | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
 | [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
-| _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
 
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+## Experimental Images
+
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |

docker/builder/Dockerfile

@@ -1,47 +0,0 @@
-FROM centos:7
-
-LABEL name="falcosecurity/falco-builder"
-LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG BUILD_TYPE=release
-ARG BUILD_DRIVER=OFF
-ARG BUILD_BPF=OFF
-ARG BUILD_WARNINGS_AS_ERRORS=ON
-ARG MAKE_JOBS=4
-ARG FALCO_VERSION
-ARG CMAKE_VERSION=3.22.5
-
-ENV BUILD_TYPE=${BUILD_TYPE}
-ENV BUILD_DRIVER=${BUILD_DRIVER}
-ENV BUILD_BPF=${BUILD_BPF}
-ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
-ENV MAKE_JOBS=${MAKE_JOBS}
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV CMAKE_VERSION=${CMAKE_VERSION}
-
-# build toolchain
-RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
-    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS
-
-
-RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
-
-RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
-    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
-
-COPY ./root /
-
-# DTS
-ENV BASH_ENV=/usr/bin/scl_enable \
-    ENV=/usr/bin/scl_enable \
-    PROMPT_COMMAND=". /usr/bin/scl_enable"
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/builder/README.md

@@ -1,8 +0,0 @@
-# Builder folder
-
-* We use `Dockerfile` to build the `centos7` Falco builder image.
-* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
-  * Falco `tar.gz`.
-  * Falco `deb` package.
-  * Falco `rpm` package.
-  * Falco build directory, used by other CI jobs.

docker/builder/modern-falco-builder.Dockerfile

@@ -1,62 +0,0 @@
-
-FROM centos:7 AS build-stage
-
-# To build Falco you need to pass the cmake option
-ARG CMAKE_OPTIONS=""
-ARG MAKE_JOBS=6
-
-# Install all the dependencies
-WORKDIR /
-
-RUN yum -y install centos-release-scl; \
-    yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++; \
-    source scl_source enable devtoolset-9; \
-    yum install -y git wget make m4 rpm-build
-
-# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
-RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
-    gzip -d /tmp/cmake.tar.gz; \
-    tar -xpf /tmp/cmake.tar --directory=/tmp; \
-    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
-    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
-
-# Copy Falco folder from the build context
-COPY . /source
-WORKDIR /build/release
-
-RUN source scl_source enable devtoolset-9; \
-    cmake ${CMAKE_OPTIONS} /source; \
-    make falco -j${MAKE_JOBS}
-RUN make package
-
-# We need `make all` for integration tests.
-RUN make all -j${MAKE_JOBS}
-
-FROM scratch AS export-stage
-
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG DEST_BUILD_DIR="/build"
-
-COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
-COPY --from=build-stage /build/release/falco-*.deb /packages/
-COPY --from=build-stage /build/release/falco-*.rpm /packages/
-
-# This is what we need for integration tests. We don't export all the build directory
-# outside the container since its size is almost 6 GB, we export only what is strictly necessary
-# for integration tests.
-# This is just a workaround to fix the CI build until we replace our actual testing framework.
-COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
-COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
-COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-plugin-prefix ${DEST_BUILD_DIR}/k8saudit-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-rules-prefix ${DEST_BUILD_DIR}/k8saudit-rules-prefix
-COPY --from=build-stage /build/release/scripts ${DEST_BUILD_DIR}/scripts
-COPY --from=build-stage /build/release/test ${DEST_BUILD_DIR}/test
-COPY --from=build-stage /build/release/userspace/falco/falco ${DEST_BUILD_DIR}/userspace/falco/falco
-COPY --from=build-stage /build/release/userspace/falco/config_falco.h ${DEST_BUILD_DIR}/userspace/falco/config_falco.h
-COPY --from=build-stage /build/release/falco-*.tar.gz ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.deb ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.rpm ${DEST_BUILD_DIR}/

docker/builder/root/usr/bin/entrypoint

@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-SOURCE_DIR=/source
-BUILD_DIR=/build
-CMD=${1:-usage}
-shift
-
-# Build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-FALCO_EXTRA_DEBUG_FLAGS=
-case "$BUILD_TYPE" in
-"debug")
-    FALCO_EXTRA_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-case "$CMD" in
-"cmake")
-    # Check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco" ]; then
-        echo "Missing falco source." >&2
-        exit 1
-    fi
-    # Prepare build directory
-    mkdir -p "$BUILD_DIR/$BUILD_TYPE"
-    cd "$BUILD_DIR/$BUILD_TYPE"
-
-    cmake \
-    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DBUILD_BPF="$BUILD_BPF" \
-    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-    -DFALCO_VERSION="$FALCO_VERSION" \
-    -DFALCO_EXTRA_DEBUG_FLAGS="$FALCO_EXTRA_DEBUG_FLAGS" \
-    -DUSE_BUNDLED_DEPS=ON \
-    "$SOURCE_DIR/falco"
-    exit "$(printf '%d\n' $?)"
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-*)
-    if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
-        echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
-        exit 1
-    fi
-    cd "$BUILD_DIR/$BUILD_TYPE"
-    make -j"$MAKE_JOBS" "$CMD"
-    ;;
-esac

docker/builder/root/usr/bin/scl_enable

@@ -1,6 +0,0 @@
-# IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced every time the shell session is opened.
-#
-# This will make scl collection binaries work out of box.
-unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7.0

docker/builder/root/usr/bin/usage

@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-gccversion=$(gcc --version | head -n1)
-cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
-cmakeversion=$(cmake --version | head -n1)
-clangversion=$(clang --version | head -n1)
-
-cat <<EOF
-Hello, this is the Falco builder container.
-
-How to use.
-
-    The default commands for the Falco builder image reports usage and environment info.
-    * docker run falcosecurity/falco-builder
-    * docker run falcosecurity/falco-builder usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-builder bash
-
-    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling)
-
-    Optionally, you can also bind-mount the build directory.
-    So, you can execute it from the Falco root directory as follows.
-
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
-
-    Eg.,
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
-
-How to build.
-
-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
-
-    In case you want to customise the builder at build time the following build arguments are provided:
-    - BUILD_TYPE                whether you want a "release" or "debug" build (defaults to "release").
-    - BUILD_DRIVER              whether to build the driver or not (defaults to "OFF")
-    - BUILD_BPF                 whether to build the BPF driver or not (defaults to "OFF")
-    - BUILD_WARNINGS_AS_ERRORS  whether to intend warnings as errors or not (defaults to "ON")
-    - MAKE_JOBS                 the number of jobs to use during make (defaults to "4")
-    - FALCO_VERSION             the version to label the build (built from git index in case it is missing)
-
-    It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
-
-Environment.
-
-    * ${gccversion}
-    * cplusplus ${cppversion}
-    * ${cmakeversion}
-    * ${clangversion}
-EOF

docker/driver-loader-legacy/Dockerfile

@@ -1,17 +1,18 @@
 FROM debian:buster
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+
 ARG TARGETARCH
 
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
+ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
-
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
@@ -20,32 +21,27 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
 	libc6-dev \
 	libelf-dev \
-	libyaml-0-2 \
+	libssl-dev \
 	llvm-7 \
 	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libcc1-0 \
 	patchelf \
+	xz-utils \
+	zstd \
 	&& rm -rf /var/lib/apt/lists/*
 
 RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
+    then apt-get install -y --no-install-recommends libmpx2; \
     fi
 
 # gcc 6 is no longer included in debian stable, but we need it to
@@ -94,23 +90,28 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
 
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
 	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
+
 RUN if [ "$TARGETARCH" = "amd64" ] ; then \
     curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
     else  \
@@ -123,13 +124,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-# The local container also copies some test trace files and
-# corresponding rules that are used when running regression tests.
-COPY rules/*.yaml /rules/
-COPY traces/*.scap /traces/
-
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "  modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
+	echo "  ebpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
+	echo ""
+}
+
+echo "* Setting up /usr/src links from host"
+
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
+
+ENABLE_COMPILE="false"
+ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
+driver=
+has_opts=
+while test $# -gt 0; do
+	case "$1" in
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
+				>&2 echo "Only one driver per invocation"
+				print_usage
+				exit 1
+			else
+			  driver=$1
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--clean)
+			/usr/bin/falcoctl driver cleanup
+			exit 0
+			;;
+		--compile)
+			ENABLE_COMPILE="true"
+			has_opts="true"
+			;;
+		--download)
+			ENABLE_DOWNLOAD="true"
+			has_opts="true"
+			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;
+		--print-env)
+			/usr/bin/falcoctl driver printenv
+			exit 0
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+    shift
+done
+
+# No opts passed, enable both compile and download
+if [ -z "$has_opts" ]; then
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
+fi
+
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

docker/driver-loader/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,6 +18,34 @@
 #
 
 
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
+	echo "  ebpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help                   show this help message"
+	echo "  --clean                  try to remove an already present driver installation"
+	echo "  --compile                try to compile the driver locally (default true)"
+	echo "  --download               try to download a prebuilt driver (default true)"
+	echo "  --kernel-release <value> set the kernel release"
+	echo "  --kernel-version <value> set the kernel version"
+ 	echo "  --http-insecure	         enable insecure downloads"
+	echo "  --print-env              skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
+	echo ""
+}
+
 echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
@@ -25,4 +54,85 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+ENABLE_COMPILE="false"
+ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
+driver=
+has_opts=
+extra_args=
+
+while test $# -gt 0; do
+	case "$1" in
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
+				>&2 echo "Only one driver per invocation"
+				print_usage
+				exit 1
+			else
+				driver=$1
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--clean)
+			/usr/bin/falcoctl driver cleanup
+			exit 0
+			;;
+		--compile)
+			ENABLE_COMPILE="true"
+			has_opts="true"
+			;;
+		--download)
+			ENABLE_DOWNLOAD="true"
+			has_opts="true"
+			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;
+		--kernel-release)
+			extra_args+="--kernelrelease=$2 "
+			shift
+			;;
+		--kernel-version)
+			extra_args+="--kernelversion=$2 "
+			shift
+			;;
+		--print-env)
+			/usr/bin/falcoctl driver printenv
+			exit 0
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+    shift
+done
+
+# No opts passed, enable both compile and download
+if [ -z "$has_opts" ]; then
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
+fi
+
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args

docker/falco/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:buster
+FROM debian:bookworm
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -19,80 +19,33 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
-	bash-completion \
 	bc \
 	bison \
-	clang-7 \
 	ca-certificates \
+	clang \
 	curl \
 	dkms \
+	dwarves \
 	flex \
-	gnupg2 \
 	gcc \
+	gcc-11 \
+	gnupg2 \
 	jq \
 	libc6-dev \
 	libelf-dev \
 	libssl-dev \
-	llvm-7 \
-	netcat \
+	llvm \
+	make \
+	netcat-openbsd \
 	patchelf \
 	xz-utils \
+	zstd \
 	&& rm -rf /var/lib/apt/lists/*
 
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2; \
-    fi
-
-# gcc 6 is no longer included in debian stable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
-	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
-	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
-
-# gcc 5 is no longer included in debian stable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
-	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
-	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -107,22 +60,6 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-# debian:stable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
-
-RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,6 +17,33 @@
 # limitations under the License.
 #
 
+
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
+	echo ""
+	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "  modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
+	echo "  ebpf           eBPF probe"
+	echo ""
+	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
+	echo ""
+}
+
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 
 if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
@@ -27,7 +55,82 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
         ln -s "$i" "/usr/src/$base"
     done
 
-    /usr/bin/falco-driver-loader
+    # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
+    # shell expansion and use it as argument list for falcoctl
+    read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
+
+    ENABLE_COMPILE="false"
+    ENABLE_DOWNLOAD="false"
+    HTTP_INSECURE="false"
+    driver=
+    has_opts=
+    for opt in "${falco_driver_loader_option_arr[@]}"
+    do
+        case "$opt" in
+            auto|kmod|ebpf|modern_ebpf)
+                if [ -n "$driver" ]; then
+                    >&2 echo "Only one driver per invocation"
+                    print_usage
+                    exit 1
+                else
+                    driver=$opt
+                fi
+                ;;
+            -h|--help)
+                print_usage
+                exit 0
+                ;;    
+            --clean)
+                /usr/bin/falcoctl driver cleanup
+                exit 0
+                ;;
+            --compile)
+                ENABLE_COMPILE="true"
+                has_opts="true"
+                ;;
+            --download)
+                ENABLE_DOWNLOAD="true"
+                has_opts="true"
+                ;;
+            --http-insecure)
+                HTTP_INSECURE="true"
+                ;;
+            --print-env)
+                /usr/bin/falcoctl driver printenv
+                exit 0
+                ;;
+            --*)
+                >&2 echo "Unknown option: $opt"
+                print_usage
+                exit 1
+                ;;
+            *)
+                >&2 echo "Unknown driver: $opt"
+                print_usage
+                exit 1
+                ;;
+        esac
+    done
+
+    # No opts passed, enable both compile and download
+    if [ -z "$has_opts" ]; then
+        ENABLE_COMPILE="true"
+        ENABLE_DOWNLOAD="true"
+    fi
+
+    # Default value: auto
+    if [ -z "$driver" ]; then
+      driver="auto"
+    fi
+
+    if [ "$driver" != "auto" ]; then
+      /usr/bin/falcoctl driver config --type $driver
+    else
+      # Needed because we need to configure Falco to start with correct driver
+      /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+    fi
+    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
+
 fi
 
-exec "$@"
+exec "$@"

docker/local/CMakeLists.txt

@@ -1,17 +0,0 @@
-add_subdirectory(traces)
-add_subdirectory(rules)
-
-add_custom_target(local-Dockerfile ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
-
-add_custom_target(local-docker-entrypoint ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
-

docker/local/rules/CMakeLists.txt

@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of rules is created at cmake time, not build time
-file(GLOB test_rule_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
-
-copy_files_to_build_dir("${test_rule_files}" docker-local-rules)

docker/local/traces/CMakeLists.txt

@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
-
-copy_files_to_build_dir("${test_trace_files}" docker-local-traces)

docker/no-driver/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04 as ubuntu
+FROM debian:12 as builder
 
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
@@ -15,12 +15,12 @@ RUN curl -L -o falco.tar.gz \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
     mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
+    rm -rf /falco/usr/src/falco-*
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM debian:11-slim
+FROM debian:12-slim
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -28,12 +28,12 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
     && apt clean -y && rm -rf /var/lib/apt/lists/*
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
-COPY --from=ubuntu /falco /
+COPY --from=builder /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/no-driver/Dockerfile.distroless

@@ -0,0 +1,40 @@
+FROM cgr.dev/chainguard/wolfi-base as builder
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
+
+WORKDIR /
+
+RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+    curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    rm -rf /falco/usr/src/falco-*
+
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
+    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
+
+FROM cgr.dev/chainguard/wolfi-base
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+RUN apk update && apk add libelf libstdc++
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+USER root
+COPY --from=builder /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -1,30 +0,0 @@
-FROM fedora:31
-
-LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG TARGETARCH
-
-ENV FALCO_VERSION=
-ENV BUILD_TYPE=release
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
-    else curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
-    fi;
-
-RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
-ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip install --user avocado-framework==69.0
-RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
-RUN pip install --user watchdog==0.10.2
-RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl.tar.gz
-
-COPY ./root /
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/tester/root/runners/deb.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms -y
-
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/runners/rpm.Dockerfile

@@ -1,22 +0,0 @@
-FROM centos:7
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN yum update -y
-RUN yum install epel-release -y
-
-ADD falco-${FALCO_VERSION}-*.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/runners/tar.gz.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms curl -y
-
-ADD falco-${FALCO_VERSION}-*.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/usr/bin/entrypoint

@@ -1,93 +0,0 @@
-#!/usr/bin/env bash
-
-BUILD_DIR=${BUILD_DIR:-/build}
-SOURCE_DIR=${SOURCE_DIR:-/source}
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
-
-CMD=${1:-test}
-shift
-
-# Stop the execution if a command in the pipeline has an error, from now on
-set -e -u -o pipefail
-
-# build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-case "$BUILD_TYPE" in
-"debug")
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-build_image() {
-    BUILD_DIR=$1
-    BUILD_TYPE=$2
-    FALCO_VERSION=$3
-    PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
-    if [ ! -f "$PACKAGE" ]; then
-        echo "Package not found: ${PACKAGE}." >&2
-        exit 1
-    fi
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
-
-    mkdir -p /runner-rootfs
-    cp "$PACKAGE" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
-    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
-}
-
-clean_image() {
-    PACKAGE_TYPE=$1
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    docker rmi -f "$DOCKER_IMAGE_NAME"
-}
-
-case "$CMD" in
-"test")
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Automatically figuring out Falco version."
-        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
-        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
-        echo "Falco version: $FALCO_VERSION"
-    fi
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
-        exit 1
-    fi
-
-    # build docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
-    fi
-
-    # check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
-        echo "Missing $SOURCE_DIR/falco/test directory." >&2
-        exit 1
-    fi
-
-    # run tests
-    echo "Running regression tests ..."
-    cd "$SOURCE_DIR/falco/test"
-    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
-
-    # clean docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        clean_image "deb"
-        clean_image "rpm"
-        clean_image "tar.gz"
-    fi
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-esac

docker/tester/root/usr/bin/usage

@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
-dockerversion=$(docker --version)
-avocadoversion=$(pip show avocado-framework | grep Version)
-avocadoversion=${avocadoversion#"Version: "}
-
-cat <<EOF
-Hello, this is the Falco tester container.
-
-How to use.
-
-    The default commands for the Falco tester image reports usage and environment info.
-    * docker run falcosecurity/falco-tester
-    * docker run falcosecurity/falco-tester usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-tester bash
-
-    To run Falco regression tests you need to provide:
-    - the docker socket
-    - the boot directory
-    - the source directory
-    - the directory where Falco has been built
-    - the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
-
-    Assuming you are running it from the Falco root directory, you can run it as follows.
-    * docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
-
-How to build.
-
-    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
-
-Environment.
-
-    * python ${pythonversion}
-    * ${pipversion}
-    * avocado ${avocadoversion}
-    * ${dockerversion}
-EOF

docker/ubi/Dockerfile

@@ -1,46 +0,0 @@
-ARG UBI_VERSION=latest
-FROM registry.access.redhat.com/ubi8/ubi:${UBI_VERSION}
-
-ARG FALCO_VERSION
-RUN test -n "$FALCO_VERSION" || (echo "FALCO_VERSION  not set" && false)
-ENV FALCO_VERSION=${FALCO_VERSION}
-
-LABEL "name"="Falco Runtime Security"
-LABEL "vendor"="Falco"
-LABEL "version"="${FALCO_VERSION}"
-LABEL "release"="${FALCO_VERSION}"
-LABEL "ubi-version"="${UBI_VERSION}"
-LABEL "summary"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "io.k8s.display-name"="Falco"
-LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
-
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-RUN  dnf -y update && \
-     dnf -y install \
-          curl \
-          make \
-          cmake \
-          gcc \
-          llvm-toolset \
-          clang \
-          kmod \
-     && dnf -y clean all ; rm -rf /var/cache/{dnf,yum}
-
-RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
-     tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
-
-RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     rm -rf /deploy
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/falco"]

docker/ubi/docker-entrypoint.sh

@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-
-    # Required by dkms to find the required dependencies on RedHat UBI
-    rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
-    rm -fr /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules
-    rm -fr /boot && ln -s $HOST_ROOT/boot /boot
-
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"

falco.yaml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -24,49 +25,63 @@
 #
 #     (Falco command-line arguments)
 #     (Falco environment variables)
+# Falco config files settings
+#     config_files [Stable]
+#     watch_config_files [Stable]
 # Falco rules files
-#     rules_file
+#     rules_files [Stable]
+# Falco rules
+#     rules [Incubating]
+# Falco engine
+#     engine [Stable]
 # Falco plugins
-#     load_plugins
-#     plugins
-# Falco config files
-#     watch_config_files
+#     load_plugins [Stable]
+#     plugins [Stable]
 # Falco outputs settings
-#     time_format_iso_8601
-#     priority
-#     json_output
-#     json_include_output_property
-#     json_include_tags_property
-#     buffered_outputs
-#     outputs (throttling)
+#     time_format_iso_8601 [Stable]
+#     priority [Stable]
+#     json_output [Stable]
+#     json_include_output_property [Stable]
+#     json_include_tags_property [Stable]
+#     buffered_outputs [Stable]
+#     rule_matching [Incubating]
+#     outputs_queue [Stable]
 # Falco outputs channels
-#     stdout_output
-#     syslog_output
-#     file_output
-#     http_output
-#     program_output
-#     grpc_output
+#     stdout_output [Stable]
+#     syslog_output [Stable]
+#     file_output [Stable]
+#     http_output [Stable]
+#     program_output [Stable]
+#     grpc_output [Stable]
 # Falco exposed services
-#     grpc
-#     webserver
+#     grpc [Stable]
+#     webserver [Stable]
 # Falco logging / alerting / metrics related to software functioning (basic)
-#     log_stderr
-#     log_syslog
-#     log_level
-#     libs_logger
+#     log_stderr [Stable]
+#     log_syslog [Stable]
+#     log_level [Stable]
+#     libs_logger [Stable]
 # Falco logging / alerting / metrics related to software functioning (advanced)
-#     output_timeout
-#     syscall_event_timeouts
-#     syscall_event_drops
-#     metrics
+#     output_timeout [Stable]
+#     syscall_event_timeouts [Stable]
+#     syscall_event_drops [Stable] -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead
+#     metrics [Stable]
 # Falco performance tuning (advanced)
-#     syscall_buf_size_preset
-#     syscall_drop_failed_exit
-#     base_syscalls
-#     modern_bpf.cpus_for_each_syscall_buffer
-# Falco cloud orchestration systems integration
-#     metadata_download
-#     (Guidance for Kubernetes container engine command-line args settings)
+#     base_syscalls [Stable]
+# Falco libs
+#     falco_libs [Incubating]
+
+########################
+# Config maturity tags #
+########################
+
+# As per features adoption and deprecation proposal we support 4 levels of configuration keys maturity:
+# * Sandbox -> Experimental/alpha features, not recommended for production use, can be removed at any time without further notice.
+# * Incubating -> Beta features, long-term support is not guaranteed.
+# * Stable -> General Availability (GA) features for which long-term support is expected.
+# * Deprecated -> Deprecated keys, soon to be removed.
+#
+# For more info, please take a look at the proposal: https://github.com/falcosecurity/falco/blob/master/proposals/20231220-features-adoption-and-deprecation.md.
 
 
 ################################
@@ -78,9 +93,9 @@
 # configuration options from this config file as command-line arguments by using
 # the `-o` flag followed by the option name and value. In the following example,
 # three config options (`json_output`, `log_level`, and
-# `modern_bpf.cpus_for_each_syscall_buffer`) are passed as command-line
+# `engine.kind`) are passed as command-line
 # arguments with their corresponding values: falco -o "json_output=true"
-# -o "log_level=debug" -o "modern_bpf.cpus_for_each_syscall_buffer=4" 
+# -o "log_level=debug" -o "engine.kind=kmod" 
 # Please note that command-line arguments take precedence over the options
 # specified in this config file.
 
@@ -91,27 +106,68 @@
 
 # Customize Falco settings using environment variables:
 #
-# - "HOST_ROOT": Specifies the prefix to the underlying host `/proc` filesystem
+# - HOST_ROOT: Specifies the prefix to the underlying host `/proc` filesystem
 #   when deploying Falco over a container with read-only host mounts instead of
 #   directly on the host. Defaults to "/host". 
-# - "FALCO_BPF_PROBE": Specify a custom path to the BPF object code file (`bpf`
-#   driver). This is not needed for the modern_bpf driver. 
-# - "FALCO_HOSTNAME": Customize the hostname output field logged by Falco by
+#
+# - FALCO_HOSTNAME: Customize the hostname output field logged by Falco by
 #   setting the "FALCO_HOSTNAME" environment variable.
-# - "FALCO_CGROUP_MEM_PATH": Specifies the file path holding the container
+#
+# - FALCO_CGROUP_MEM_PATH: Specifies the file path holding the container
 #   memory usage metric for the `metrics` feature. Defaults to
 #   "/sys/fs/cgroup/memory/memory.usage_in_bytes" (Kubernetes).
+#
+# - SKIP_DRIVER_LOADER is used by the Falco fat image to skip the driver loading part.
+#
+# - FALCO_FRONTEND is useful when set to noninteractive to skip the dialog choice during 
+# the installation of Falco deb/rpm packages. This setting is somewhat similar to DEBIAN_FRONTEND.
+#
+# - FALCO_DRIVER_CHOICE is useful when set to kmod, ebpf, or modern_ebpf (matching the names 
+# used in engine.kind in the Falco config) during the installation of Falco deb/rpm packages. 
+# It skips the dialog choice but retains the driver configuration.
+#
+# - FALCOCTL_ENABLED is useful when set to 'no' during the installation of Falco deb/rpm packages, 
+# disabling the automatic artifacts followed by falcoctl.
 
 
+###############################
+# Falco config files settings #
+###############################
+
+# [Stable] `config_files`
+#
+# Falco will load additional configs files specified here.
+# Their loading is assumed to be made *after* main config file has been processed,
+# exactly in the order they are specified.
+# Therefore, loaded config files *can* override values from main config file.
+# Also, nested include is not allowed, ie: included config files won't be able to include other config files.
+#
+# Like for 'rules_files', specifying a folder will load all the configs files present in it in a lexicographical order.
+config_files:
+  - /etc/falco/config.d
+
+# [Stable] `watch_config_files`
+#
+# Falco monitors configuration and rules files for changes and automatically
+# reloads itself to apply the updated configuration when any modifications are
+# detected. This feature is particularly useful when you want to make real-time
+# changes to the configuration or rules of Falco without interrupting its
+# operation or losing its state. For more information about Falco's state
+# engine, please refer to the `base_syscalls` section.
+watch_config_files: true
+
 #####################
 # Falco rules files #
 #####################
 
-# [Stable] `rules_file`
+# [Stable] `rules_files`
+
+# NOTICE: Before Falco 0.38, this config key was `rules_file` (singular form), which is now deprecated in favor of `rules_files` (plural form).
 #
 # Falco rules can be specified using files or directories, which are loaded at
-# startup. The name "rules_file" is maintained for backwards compatibility. If
-# the entry is a file, it will be read directly. If the entry is a directory,
+# startup.
+#
+# If the entry is a file, it will be read directly. If the entry is a directory,
 # all files within that directory will be read in alphabetical order.
 #
 # The falco_rules.yaml file ships with the Falco package and is overridden with
@@ -134,11 +190,240 @@
 # By arranging the order of files and rules thoughtfully, you can ensure that
 # desired customizations and rule behaviors are prioritized and applied as
 # intended.
-rules_file:
+# 
+# With Falco 0.36 and beyond, it's now possible to apply multiple rules that match 
+# the same event type, eliminating concerns about rule prioritization based on the 
+# "first match wins" principle. However, enabling the `all` matching option may result
+# in a performance penalty. We recommend carefully testing this alternative setting  
+# before deploying it in production. Read more under the `rule_matching` configuration.
+rules_files:
   - /etc/falco/falco_rules.yaml
   - /etc/falco/falco_rules.local.yaml
   - /etc/falco/rules.d
 
+# [Incubating] `rules`
+#
+# --- [Description]
+#
+# Falco rules can be enabled or disabled by name (with wildcards *) and/or by tag.
+#
+# This configuration is applied after all rules files have been loaded, including
+# their overrides, and will take precedence over the enabled/disabled configuration
+# specified or overridden in the rules files.
+#
+# The ordering matters and selections are evaluated in order. For instance, if you
+# need to only enable a rule you would first disable all of them and then only
+# enable what you need, regardless of the enabled status in the files.
+#
+# --- [Examples]
+#
+# Only enable two rules:
+#
+# rules:
+#   - disable:
+#       rule: "*"
+#   - enable:
+#       rule: Netcat Remote Code Execution in Container
+#   - enable:
+#       rule: Delete or rename shell history
+#
+# Disable all rules with a specific tag:
+#
+# rules:
+#   - disable:
+#       tag: network
+#
+
+################
+# Falco engine #
+################
+
+# [Stable] `engine`
+#
+# --- [Description]
+#
+# Falco supports different engines to generate events.
+# Choose the appropriate engine kind based on your system's configuration and requirements.
+#
+# Available engines:
+# - `kmod`: Kernel Module (Kernel Module)
+# - `ebpf`: eBPF (eBPF probe)
+# - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
+# - `gvisor`: gVisor (gVisor sandbox)
+# - `replay`: Replay a scap trace file
+# - `nodriver`: No driver is injected into the system.
+#   This is useful to debug and to run plugins with 'syscall' source.
+#
+# Only one engine can be specified in the `kind` key.
+# Moreover, for each engine multiple options might be available,
+# grouped under engine-specific configuration keys.
+# Some of them deserve an in-depth description:
+#
+################### `buf_size_preset`
+#
+# --- [Description]
+#
+# The syscall buffer index determines the size of the shared space between Falco
+# and its drivers. This shared space serves as a temporary storage for syscall
+# events, allowing them to be transferred from the kernel to the userspace
+# efficiently. The buffer size for each online CPU is determined by the buffer
+# index, and each CPU has its own dedicated buffer. Adjusting this index allows
+# you to control the overall size of the syscall buffers.
+#
+# --- [Usage]
+#
+# The index 0 is reserved, and each subsequent index corresponds to an
+# increasing size in bytes. For example, index 1 corresponds to a size of 1 MB,
+# index 2 corresponds to 2 MB, and so on:
+#
+# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
+#   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
+#   |    |     |     |     |     |      |      |       |       |       |
+#   0    1     2     3     4     5      6      7       8       9       10
+#
+#
+# The buffer dimensions in bytes are determined by the following requirements:
+# (1) a power of 2.
+# (2) a multiple of your system_page_dimension.
+# (3) greater than `2 * (system_page_dimension).
+#
+# The buffer size constraints may limit the usability of certain indexes. Let's
+# consider an example to illustrate this:
+#
+# If your system has a page size of 1 MB, the first available buffer size would
+# be 4 MB because 2 MB is exactly equal to 2 * (system_page_size), which is not
+# sufficient as we require more than 2 * (system_page_size). In this example, it
+# is evident that if the page size is 1 MB, the first index that can be used is 3.
+#
+# However, in most cases, these constraints do not pose a limitation, and all
+# indexes from 1 to 10 can be used. You can check your system's page size using
+# the Falco `--page-size` command-line option.
+# 
+# --- [Suggestions]
+#
+# The buffer size was previously fixed at 8 MB (index 4). You now have the
+# option to adjust the size based on your needs. Increasing the size, such as to
+# 16 MB (index 5), can reduce syscall drops in heavy production systems, but may
+# impact performance. Decreasing the size can speed up the system but may
+# increase syscall drops. It's important to note that the buffer size is mapped
+# twice in the process' virtual memory, so a buffer of 8 MB will result in a 16
+# MB area in virtual memory. Use this parameter with caution and only modify it
+# if the default size is not suitable for your use case.
+#
+################### `drop_failed_exit`
+#
+# --- [Description]
+#
+# Enabling this option in Falco allows it to drop failed system call exit events
+# in the kernel drivers before pushing them onto the ring buffer. This
+# optimization can result in lower CPU usage and more efficient utilization of
+# the ring buffer, potentially reducing the number of event losses. However, it
+# is important to note that enabling this option also means sacrificing some
+# visibility into the system.
+#
+################### `cpus_for_each_buffer` (modern_ebpf only)
+#
+# --- [Description]
+#
+# The modern_bpf driver in Falco utilizes the new BPF ring buffer, which has a
+# different memory footprint compared to the current BPF driver that uses the
+# perf buffer. The Falco core maintainers have discussed the differences and
+# their implications, particularly in Kubernetes environments where limits need
+# to be carefully set to avoid interference with the Falco daemonset deployment
+# from the OOM killer. Based on guidance received from the kernel mailing list,
+# it is recommended to assign multiple CPUs to one buffer instead of allocating
+# a buffer for each CPU individually. This helps optimize resource allocation
+# and prevent potential issues related to memory usage.
+#
+# This is an index that controls how many CPUs you want to assign to a single
+# syscall buffer (ring buffer). By default, for modern_bpf every syscall buffer
+# is associated to 2 CPUs, so the mapping is 1:2. The modern BPF probe allows
+# you to choose different mappings, for example, changing the value to `1`
+# results in a 1:1 mapping and would mean one syscall buffer for each CPU (this
+# is the default for the `bpf` driver).
+#
+# --- [Usage]
+#
+# You can choose an index from 0 to MAX_NUMBER_ONLINE_CPUs to set the dimension
+# of the syscall buffers. The value 0 represents a single buffer shared among
+# all online CPUs. It serves as a flexible option when the exact number of
+# online CPUs is unknown. Here's an example to illustrate this:
+#
+# Consider a system with 7 online CPUs:
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#
+# - `1` means a syscall buffer for each CPU so 7 buffers
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     1  2        3  4  5  6
+#
+# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     0  1        1  2  2  3
+#
+# Please note that in this example, there are 4 buffers in total. Three of the
+# buffers are associated with pairs of CPUs, while the last buffer is mapped to
+# a single CPU. This arrangement is necessary because we have an odd number of
+# CPUs.
+#
+# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all
+#   CPUs, so 1 buffer
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     0  0        0  0  0  0
+#
+# Moreover, you have the option to combine this parameter with
+# `buf_size_preset` index. For instance, you can create a large shared
+# syscall buffer of 512 MB (using buf_size_preset=10) that is
+# allocated among all the online CPUs.
+#
+# --- [Suggestions]
+#
+# The default choice of index 2 (one syscall buffer for each CPU pair) was made
+# because the modern bpf probe utilizes a different memory allocation strategy
+# compared to the other two drivers (bpf and kernel module). However, you have
+# the flexibility to experiment and find the optimal configuration for your
+# system.
+# 
+# When considering a fixed buf_size_preset and a fixed buffer dimension:
+# - Increasing this configs value results in lower number of buffers and you can
+#   speed up your system and reduce memory usage
+# - However, using too few buffers may increase contention in the kernel,
+#   leading to a slowdown.
+# 
+# If you have low event throughputs and minimal drops, reducing the number of
+# buffers (higher `cpus_for_each_buffer`) can lower the memory footprint.
+#
+engine:
+  kind: modern_ebpf
+  kmod:
+    buf_size_preset: 4
+    drop_failed_exit: false
+  ebpf:
+    # path to the elf file to load.
+    probe: ${HOME}/.falco/falco-bpf.o
+    buf_size_preset: 4
+    drop_failed_exit: false
+  modern_ebpf:
+    cpus_for_each_buffer: 2
+    buf_size_preset: 4
+    drop_failed_exit: false
+  replay:
+    # path to the capture file to replay (eg: /path/to/file.scap)
+    capture_file: ""
+  gvisor:
+    # A Falco-compatible configuration file can be generated with
+    # '--gvisor-generate-config' and utilized for both runsc and Falco.
+    config: ""
+    # Set gVisor root directory for storage of container state when used
+    # in conjunction with 'gvisor.config'. The 'gvisor.root' to be passed
+    # is the one usually passed to 'runsc --root' flag.
+    root: ""
 
 #################
 # Falco plugins #
@@ -148,7 +433,7 @@ rules_file:
 #
 # --- [Description]
 #
-# Falco plugins enable integration with other services in the your ecosystem.
+# Falco plugins enable integration with other services in your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
 # fast on-host detections beyond syscalls and container events. The plugin
@@ -162,9 +447,9 @@ rules_file:
 #
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
-# the `k8saudit` plugin. This information is automatically extracted from the
-# container runtime socket. The `k8saudit` plugin is specifically designed to
-# integrate with Kubernetes audit logs and is not required for basic enrichment
+# the `k8saudit` plugin. This information is automatically extracted from
+# the container runtime socket. The `k8saudit` plugin is specifically designed
+# to integrate with Kubernetes audit logs and is not required for basic enrichment
 # of syscall logs with Kubernetes-related fields.
 #
 # --- [Usage]
@@ -196,21 +481,6 @@ plugins:
     library_path: libjson.so
 
 
-######################
-# Falco config files #
-######################
-
-# [Stable] `watch_config_files`
-#
-# Falco monitors configuration and rule files for changes and automatically
-# reloads itself to apply the updated configuration when any modifications are
-# detected. This feature is particularly useful when you want to make real-time
-# changes to the configuration or rules of Falco without interrupting its
-# operation or losing its state. For more information about Falco's state
-# engine, please refer to the `base_syscalls` section.
-watch_config_files: true
-
-
 ##########################
 # Falco outputs settings #
 ##########################
@@ -264,30 +534,47 @@ json_include_tags_property: true
 # output mechanism. By default, buffering is disabled (false).
 buffered_outputs: false
 
-# [Stable] `outputs`
+# [Incubating] `rule_matching`
 #
-# A throttling mechanism, implemented as a token bucket, can be used to control
-# the rate of Falco outputs. Each event source has its own rate limiter,
-# ensuring that alerts from one source do not affect the throttling of others.
-# The following options control the mechanism:
-#  - rate: the number of tokens (i.e. right to send a notification) gained per
-#    second. When 0, the throttling mechanism is disabled. Defaults to 0.
-#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+# The `rule_matching` configuration key's values are:
+#  - `first`: Falco stops checking conditions of rules against upcoming event
+#    at the first matching rule
+#  - `all`: Falco will continue checking conditions of rules even if a matching 
+#    one was already found
 #
-# For example, setting the rate to 1 allows Falco to send up to 1000
-# notifications initially, followed by 1 notification per second. The burst
-# capacity is fully restored after 1000 seconds of no activity.
+# Rules conditions are evaluated in the order they are defined in the rules files.
+# For this reason, when using `first` as value, only the first defined rule will 
+# trigger, possibly shadowing other rules.
+# In case `all` is used as value, rules still trigger in the order they were
+# defined.
+# 
+# Effectively, with this setting, it is now possible to apply multiple rules that match
+# the same event type. This eliminates concerns about rule prioritization based on the
+# "first match wins" principle. However, enabling the `all` matching option may result in
+# a performance penalty. We recommend carefully testing this alternative setting before
+# deploying it in production.
+rule_matching: first
+
+# [Stable] `outputs_queue`
 #
-# Throttling can be useful in various scenarios, such as preventing notification
-# floods, managing system load, controlling event processing, or complying with
-# rate limits imposed by external systems or APIs. It allows for better resource
-# utilization, avoids overwhelming downstream systems, and helps maintain a
-# balanced and controlled flow of notifications.
-#
-# With the default settings, the throttling mechanism is disabled.
-outputs:
-  rate: 0
-  max_burst: 1000
+# Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
+# allows you to customize the queue capacity. Please refer to the official documentation:
+# https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
+# On a healthy system with optimized Falco rules, the queue should not fill up.
+# If it does, it is most likely happening due to the entire event flow being too slow,
+# indicating that the server is under heavy load.
+# 
+# `capacity`: the maximum number of items allowed in the queue is determined by this value. 
+# Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. 
+# In other words, when this configuration is set to 0, the number of allowed items is 
+# effectively set to the largest possible long value, disabling this setting.
+# 
+# In the case of an unbounded queue, if the available memory on the system is consumed, 
+# the Falco process would be OOM killed. When using this option and setting the capacity, 
+# the current event would be dropped, and the event loop would continue. This behavior mirrors 
+# kernel-side event drops when the buffer between kernel space and user space is full.
+outputs_queue:
+  capacity: 0
 
 
 ##########################
@@ -328,6 +615,9 @@ file_output:
 # [Stable] `http_output`
 #
 # Send logs to an HTTP endpoint or webhook.
+#
+# When using falcosidekick, it is necessary to set `json_output` to true, which is
+# conveniently done automatically for you when using `falcosidekick.enabled=true`.
 http_output:
   enabled: false
   url: http://some.url
@@ -341,6 +631,16 @@ http_output:
   # Path to a folder that will be used as the CA certificate store. CA certificate need to be
   # stored as indivitual PEM files in this directory.
   ca_path: "/etc/ssl/certs"
+  # Tell Falco to use mTLS
+  mtls: false
+  # Path to the client cert.
+  client_cert: "/etc/ssl/certs/client.crt"
+  # Path to the client key.
+  client_key: "/etc/ssl/certs/client.key"
+  # Whether to echo server answers to stdout
+  echo: false
+  compress_uploads: false
+  keep_alive: false
 
 # [Stable] `program_output`
 #
@@ -455,7 +755,14 @@ webserver:
   # the appropriate number of threads based on the number of online cores in the system.
   threadiness: 0
   listen_port: 8765
+  # Can be an IPV4 or IPV6 address, defaults to IPV4
+  listen_address: 0.0.0.0
   k8s_healthz_endpoint: /healthz
+  # [Incubating] `prometheus_metrics_enabled`
+  #
+  # Enable the metrics endpoint providing Prometheus values
+  # It will only have an effect if metrics.enabled is set to true as well.
+  prometheus_metrics_enabled: false
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem
 
@@ -492,8 +799,8 @@ log_level: info
 # operational logs. It allows you to specify the desired log level for the `libs`
 # library specifically, providing more granular control over the logging
 # behavior of the underlying components used by Falco. Only logs of a certain
-# severity level or higher will be emitted. Supported levels: "emergency",
-# "alert", "critical", "error", "warning", "notice", "info", "debug". It is not
+# severity level or higher will be emitted. Supported levels: "fatal",
+# "critical", "error", "warning", "notice", "info", "debug", "trace". It is not
 # recommended for production use.
 libs_logger:
   enabled: false
@@ -548,7 +855,7 @@ output_timeout: 2000
 syscall_event_timeouts:
   max_consecutives: 1000
 
-# [Stable] `syscall_event_drops`
+# [Stable] `syscall_event_drops` -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead
 #
 # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum
 #
@@ -595,13 +902,20 @@ syscall_event_drops:
   max_burst: 1
   simulate_drops: false
 
-# [Experimental] `metrics`
+# [Stable] `metrics`
 #
 # Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum
+# By selecting `output_file`, equivalent JSON output will be appended to a file.
 #
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
 #
+# --- [Warning]
+#
+# Due to a regression (https://github.com/falcosecurity/falco/issues/2821) some metrics
+# like `falco.host_num_cpus` or `falco.start_ts` will not be available when you use
+# source plugins (like k8saudit).
+#
 # --- [Description]
 #
 # Consider these key points about the `metrics` feature in Falco:
@@ -629,6 +943,9 @@ syscall_event_drops:
 #
 # It's important to note that the output fields and their names can be subject
 # to change until the metrics feature reaches a stable release.
+# In addition, the majority of fields represent an instant snapshot, with the
+# exception of event rates per second and drop percentage stats. These values
+# are computed based on the delta between two snapshots.
 #
 # To customize the hostname in Falco, you can set the environment variable
 # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in
@@ -672,20 +989,32 @@ syscall_event_drops:
 # must be set to `info` at a minimum.
 #
 # `output_file`: Append stats to a `jsonl` file. Use with caution in production
-# as Falco does not automatically rotate the file.
+# as Falco does not automatically rotate the file. It can be used in combination
+# with `output_rule`.
+#
+# `rules_counters_enabled`: Emit counts for each rule.
 #
 # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage
 # is reported as a percentage of one CPU and can be normalized to the total
 # number of CPUs to determine overall usage. Memory metrics are provided in raw
 # units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`)
 # and can be uniformly converted to megabytes (MB) using the
-# `convert_memory_to_mb` functionality. In environments such as Kubernetes, it
-# is crucial to track Falco's container memory usage. To customize the path of
-# the memory metric file, you can create an environment variable named
-# `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco
-# uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor
-# container memory usage, which aligns with Kubernetes'
-# `container_memory_working_set_bytes` metric.
+# `convert_memory_to_mb` functionality. In environments such as Kubernetes when 
+# deployed as daemonset, it is crucial to track Falco's container memory usage. 
+# To customize the path of the memory metric file, you can create an environment 
+# variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By 
+# default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to 
+# monitor container memory usage, which aligns with Kubernetes' 
+# `container_memory_working_set_bytes` metric. Finally, we emit the overall host 
+# CPU and memory usages, along with the total number of processes and open file 
+# descriptors (fds) on the host, obtained from the proc file system unrelated to 
+# Falco's monitoring. These metrics help assess Falco's usage in relation to the 
+# server's workload intensity.
+#
+# `state_counters_enabled`: Emit counters related to Falco's state engine, including 
+# added, removed threads or file descriptors (fds), and failed lookup, store, or 
+# retrieve actions in relation to Falco's underlying process cache table (threadtable). 
+# We also log the number of currently cached containers if applicable.
 #
 # `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as
 # an alternative to `syscall_event_drops`, but with some differences. These
@@ -708,87 +1037,38 @@ syscall_event_drops:
 # beneficial for exploring the data schema and ensuring that fields with empty
 # values are included in the output.
 #
-# todo: prometheus export option
+# `plugins_metrics_enabled`: Falco can now expose your custom plugins' 
+# metrics. Please note that if the respective plugin has no metrics implemented, 
+# there will be no metrics available. In other words, there are no default or 
+# generic plugin metrics at this time. This may be subject to change.
+#
+# If metrics are enabled, the web server can be configured to activate the
+# corresponding Prometheus endpoint using `webserver.prometheus_metrics_enabled`.
+# Prometheus output can be used in combination with the other output options.
+#
 # todo: syscall_counters_enabled option
 metrics:
   enabled: false
   interval: 1h
+  # Typically, in production, you only use `output_rule` or `output_file`, but not both. 
+  # However, if you have a very unique use case, you can use both together.
+  # Set `webserver.prometheus_metrics_enabled` for Prometheus output.
   output_rule: true
   # output_file: /tmp/falco_stats.jsonl
+  rules_counters_enabled: true
   resource_utilization_enabled: true
+  state_counters_enabled: true
   kernel_event_counters_enabled: true
   libbpf_stats_enabled: true
+  plugins_metrics_enabled: true
   convert_memory_to_mb: true
   include_empty_values: false
 
-
 #######################################
 # Falco performance tuning (advanced) #
 #######################################
 
-# [Stable] `syscall_buf_size_preset`
-#
-# --- [Description]
-#
-# The syscall buffer index determines the size of the shared space between Falco
-# and its drivers. This shared space serves as a temporary storage for syscall
-# events, allowing them to be transferred from the kernel to the userspace
-# efficiently. The buffer size for each online CPU is determined by the buffer
-# index, and each CPU has its own dedicated buffer. Adjusting this index allows
-# you to control the overall size of the syscall buffers.
-#
-# --- [Usage]
-#
-# The index 0 is reserved, and each subsequent index corresponds to an
-# increasing size in bytes. For example, index 1 corresponds to a size of 1 MB,
-# index 2 corresponds to 2 MB, and so on:
-#
-# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
-#   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
-#   |    |     |     |     |     |      |      |       |       |       |
-#   0    1     2     3     4     5      6      7       8       9       10
-#
-#
-# The buffer dimensions in bytes are determined by the following requirements:
-# (1) a power of 2.
-# (2) a multiple of your system_page_dimension.
-# (3) greater than `2 * (system_page_dimension).
-#
-# The buffer size constraints may limit the usability of certain indexes. Let's
-# consider an example to illustrate this:
-#
-# If your system has a page size of 1 MB, the first available buffer size would
-# be 4 MB because 2 MB is exactly equal to 2 * (system_page_size), which is not
-# sufficient as we require more than 2 * (system_page_size). In this example, it
-# is evident that if the page size is 1 MB, the first index that can be used is 3.
-#
-# However, in most cases, these constraints do not pose a limitation, and all
-# indexes from 1 to 10 can be used. You can check your system's page size using
-# the Falco `--page-size` command-line option.
-# 
-# --- [Suggestions]
-#
-# The buffer size was previously fixed at 8 MB (index 4). You now have the
-# option to adjust the size based on your needs. Increasing the size, such as to
-# 16 MB (index 5), can reduce syscall drops in heavy production systems, but may
-# impact performance. Decreasing the size can speed up the system but may
-# increase syscall drops. It's important to note that the buffer size is mapped
-# twice in the process' virtual memory, so a buffer of 8 MB will result in a 16
-# MB area in virtual memory. Use this parameter with caution and only modify it
-# if the default size is not suitable for your use case.
-syscall_buf_size_preset: 4
-
-# [Experimental] `syscall_drop_failed_exit`
-#
-# Enabling this option in Falco allows it to drop failed system call exit events
-# in the kernel driver before pushing them onto the ring buffer. This
-# optimization can result in lower CPU usage and more efficient utilization of
-# the ring buffer, potentially reducing the number of event losses. However, it
-# is important to note that enabling this option also means sacrificing some
-# visibility into the system.
-syscall_drop_failed_exit: false
-
-# [Experimental] `base_syscalls`, use with caution, read carefully
+# [Stable] `base_syscalls`, use with caution, read carefully
 #
 # --- [Description]
 #
@@ -903,114 +1183,28 @@ base_syscalls:
   custom_set: []
   repair: false
 
-# [Stable] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only
-#
-# --- [Description]
-#
-# The modern_bpf driver in Falco utilizes the new BPF ring buffer, which has a
-# different memory footprint compared to the current BPF driver that uses the
-# perf buffer. The Falco core maintainers have discussed the differences and
-# their implications, particularly in Kubernetes environments where limits need
-# to be carefully set to avoid interference with the Falco daemonset deployment
-# from the OOM killer. Based on guidance received from the kernel mailing list,
-# it is recommended to assign multiple CPUs to one buffer instead of allocating
-# a buffer for each CPU individually. This helps optimize resource allocation
-# and prevent potential issues related to memory usage.
-#
-# This is an index that controls how many CPUs you want to assign to a single
-# syscall buffer (ring buffer). By default, for modern_bpf every syscall buffer
-# is associated to 2 CPUs, so the mapping is 1:2. The modern BPF probe allows
-# you to choose different mappings, for example, changing the value to `1`
-# results in a 1:1 mapping and would mean one syscall buffer for each CPU (this
-# is the default for the `bpf` driver).
-#
-# --- [Usage]
-#
-# You can choose an index from 0 to MAX_NUMBER_ONLINE_CPUs to set the dimension
-# of the syscall buffers. The value 0 represents a single buffer shared among
-# all online CPUs. It serves as a flexible option when the exact number of
-# online CPUs is unknown. Here's an example to illustrate this:
-#
-# Consider a system with 7 online CPUs:
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#
-# - `1` means a syscall buffer for each CPU so 7 buffers
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     1  2        3  4  5  6
-#
-# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     0  1        1  2  2  3
-#
-# Please note that in this example, there are 4 buffers in total. Three of the
-# buffers are associated with pairs of CPUs, while the last buffer is mapped to
-# a single CPU. This arrangement is necessary because we have an odd number of
-# CPUs.
-#
-# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all
-#   CPUs, so 1 buffer
-#
-#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
-#                   |     |  |        |  |  |  |
-#       BUFFERs     0     0  0        0  0  0  0
-#
-# Moreover, you have the option to combine this parameter with
-# `syscall_buf_size_preset` index. For instance, you can create a large shared
-# syscall buffer of 512 MB (using syscall_buf_size_preset=10) that is
-# allocated among all the online CPUs.
-#
-# --- [Suggestions]
-#
-# The default choice of index 2 (one syscall buffer for each CPU pair) was made
-# because the modern bpf probe utilizes a different memory allocation strategy
-# compared to the other two drivers (bpf and kernel module). However, you have
-# the flexibility to experiment and find the optimal configuration for your
-# system.
-# 
-# When considering a fixed syscall_buf_size_preset and a fixed buffer dimension:
-# - Increasing this configs value results in lower number of buffers and you can
-#   speed up your system and reduce memory usage
-# - However, using too few buffers may increase contention in the kernel,
-#   leading to a slowdown.
-# 
-# If you have low event throughputs and minimal drops, reducing the number of
-# buffers (higher `cpus_for_each_syscall_buffer`) can lower the memory footprint.
-modern_bpf:
-  cpus_for_each_syscall_buffer: 2
+##############
+# Falco libs #
+##############
 
-
-#################################################
-# Falco cloud orchestration systems integration #
-#################################################
-
-# [Stable] `metadata_download`
+# [Incubating] `falco_libs`
 #
-# When connected to an orchestrator like Kubernetes, Falco has the capability to
-# collect metadata and enrich system call events with contextual data. The
-# parameters mentioned here control the downloading process of this metadata.
+# `thread_table_size`
 #
-# Please note that support for Mesos is deprecated, so these parameters
-# currently apply only to Kubernetes. When using Falco with Kubernetes, you can
-# enable this functionality by using the `-k` or `-K` command-line flag.
+# Set the maximum number of entries (the absolute maximum value can only be MAX UINT32) 
+# for Falco's internal threadtable (process cache). Please note that Falco operates at a 
+# granular level, focusing on individual threads. Falco rules reference the thread leader 
+# as the process. The size of the threadtable should typically be much higher than the 
+# number of currently alive processes. The default value should work well on modern 
+# infrastructures and be sufficient to absorb bursts.
 #
-# However, it's worth mentioning that for important Kubernetes metadata fields
-# such as namespace or pod name, these fields are automatically extracted from
-# the container runtime, providing the necessary enrichment for common use cases
-# of syscall-based threat detection.
-#
-# In summary, the `-k` flag is typically not required for most scenarios involving
-# Kubernetes workload owner enrichment. The `-k` flag is primarily used when
-# additional metadata is required beyond the standard fields, catering to more
-# specific use cases, see https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s.
-metadata_download:
-  max_mb: 100
-  chunk_wait_us: 1000
-  watch_freq_sec: 1
+# Reducing its size can help in better memory management, but as a consequence, your 
+# process tree may be more frequently disrupted due to missing threads. You can explore 
+# `metrics.state_counters_enabled` to measure how the internal state handling is performing, 
+# and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
+# if you should increase this value for optimal performance.
+falco_libs:
+  thread_table_size: 262144
 
 # [Stable] Guidance for Kubernetes container engine command-line args settings
 #

proposals/20210501-plugin-system.md

@@ -335,7 +335,7 @@ typedef struct
 	// the type of the value they return (string, integer...).
 	// Required: no
 	// Arguments:
-	// - evtnum: the number of the event that is bein processed
+	// - evtnum: the number of the event that is being processed
 	// - id: the numeric identifier of the field to extract. It corresponds to the
 	//   position of the field in the array returned by get_fields().
 	// - arg: the field argument, if an argument has been specified for the field,

proposals/20221129-artifacts-distribution.md

@@ -69,7 +69,7 @@ The allowed publishing channels are:
 Both channels are equivalent and may publish the same artifacts. However, for historical reasons and to avoid confusion, the **`docker.io` registry should only be used for container images** and not for other kinds of artifacts (e.g., plugins, rules, etc.).
 
 
-Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal reccomends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
+Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal recommends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
 
 
 Official **channels and mirrors must be listed at [falco.org](https://falco.org/)**. 

proposals/20230620-anomaly-detection-framework.md

@@ -0,0 +1,112 @@
+# On Host Anomaly Detection Framework - New `anomalydetection` Plugin
+
+## Motivation
+
+**A Wind of Change for Threat Detection**
+
+Feel that light breeze? That is the continued advancement of cloud native security blowing steady. But despite our progress, threat actors are outpacing our innovation constantly finding new ways to thwart and tornado past our achievements — rule-based detections focus on what we *think* attackers will do, not on what they *are* doing and generate enough alerts to bury security analysts in a sandstorm of poor signal-to-noise. Can this dynamic be blown back to shift the information asymmetry in favor of defenders?
+
+This framework lays the foundation on how to create high-value, kernel signals that are difficult to bypass - but not in the traditional way. Advanced data analytics is an emerging crosswind that enables us to soar past attackers by detecting deviations in current behavior from past behavior. 
+
+## Benefits to the Ecosystem
+
+Advanced data analytics enables us to combine the intricacies of the Linux kernel with on-host anomaly detection in cloud native and cloud environments to determine patterns of past behavior in running applications. By detecting deviations in current behavior from past behavior, we can shift the focus away from relying solely on signatures and rule matching to catch attackers.
+
+Threat detection in open source and more importantly cloud native is constrained by the amount of rules we can write and the signatures we know to look for in our environments. But these have the same problem: they assume our attackers don't change what they're doing. The reality is attackers are not limited to the ways, means, and methods they employ to expose, manipulate, or even destroy our data, systems, and organizations. 
+
+This framework leverages an attacker's mindset applied to detection engineering: observing and learning about our targets to create more rich and actionable alerts so we can catch them earlier and more often - regardless if it's behavior we know about, or something we haven't seen yet.
+
+## Elevator Pitch
+
+When Falco processes events in userspace, its rules engine filters the events while the parsers simultaneously update and maintain an internal state. This state includes a process tree cache that enhances Falco alerts by providing contextual information derived from previous events. The goal is to enhance the "state engine" even further and provide an option for monitoring the behavior of applications over time.
+
+To achieve this, end users define a "behavior profile" in the configuration by combining existing event fields such as process name, file descriptor (fd), executable path, parent lineage, cmdline, and others. During event parsing on the hot path, Falco compresses and stores this information in a "filter" - an efficient probabilistic data structure that optimizes space, time, robustness and accuracy. As time progresses, Falco provides more accurate estimates of application behavior counts and identifies events as rare or heavy hitters. Instead of analyzing the original event stream, you can write Falco rules based on pre-filtered data. 
+
+This approach introduces a novel threat detection framework that analyzes abnormal application behavior in real-time, derived and observed in a data-driven fashion, without requiring operator reconfiguration of Falco. It complements the operator's expertise and extends capabilities similar to our current practices. The new capability draws inspiration from big data stream and database query optimizations, ensuring that Falco maintains a streamlined real-time one-pass stream with zero allocations.
+
+Similar to Falco rules, the analysis of events may require multiple behavior profiles of different dimensions based on sets of events. These profiles can either vote in parallel or in a cascading fashion, a common practice in established algorithms. This is just the beginning and and paves the way for more sophisticated approaches, such as running Falco in a DAST-like capacity to build a pre-state pattern file on a workload with test data and soften the cold-start via distributing it to production.
+
+## Challenges and Considerations
+
+First, The Falco Project is committed to continuously ensuring access to the most accurate data possible for on-host threat detection. As an example, recent efforts involved expanding kernel signal logging, such as verifying if an execve call is linked to a file descriptor existing exclusively in memory or improving the efficient and reliable resolution of symlinks for executable paths. Therefore, the proposed anomaly detection framework operates under the assumption of having the *correct* data, thereby complementing the ongoing efforts to expand logging coverage and improve its quality. In summary, the primary focus of the framework is to derive increased value from the existing *right* data that is currently available.
+
+There is a common perception that attacks on running cloud applications, as well as their indicators of compromise, are typically rare when the appropriate data or combination of signals is considered. While this holds true, there are inherent challenges in applying this concept of rarity to robust data analytics approaches. 
+
+On the one hand, this is due to the diverse range of attacks and attack vectors. An attacker may introduce a new malicious binary (which is comparatively easier to detect using traditional rules and high-value kernel signals) after gaining initial access. Alternatively, they may exploit existing binaries, shell built-ins, and employ obfuscation techniques to "live off the land". The Turing completeness of the latter scenario, in particular, leads to an infinite number of attack possibilities.
+
+However, what poses even more challenges in anomaly detection lies not necessarily in the nature of attacks but rather in identifying the right signals and their appropriate combinations for robust analytics to distinguish between normal and anomalous behavior. This challenge becomes particularly evident when considering the natural fluctuations in application behavior over time and the occurrence of ad-hoc legitimate debugging activities. Such fluctuations can arise from various factors, including routine deployment updates. Moreover, certain applications may produce random file names or execute arbitrary executable paths as part of their regular operations, adding to the challenge of anomaly detection. This is compounded by the inherent "cold start" issue when initially observing an application. In such cases, the algorithms must demonstrate flexibility and robustness by recognizing and encoding consistent patterns, similar to how humans can identify the sameness by examining combinations of file names, command arguments, parent process lineage, and other attributes. Furthermore, factors like data inconsistency and the diverse forms of data representations (comprising a mix of numeric data and strings with varying meanings) further complicate the task.
+
+We believe it is important to incorporate operator heuristics or domain knowledge into the algorithm's definition of rarity. For example, while current algorithms are capable of generating human faces, they used to frequently produce images with different eye colors. However, if we were to inform the machine that humans typically have matching eye colors, it could easily correct this discrepancy. This highlights the role of the security engineer as a guiding hand to the algorithms, both in terms of handling noise tolerance and choosing the appropriate data to be ingested into the algorithm. This is crucial as machines are currently limited in their ability to draw meaningful observations from limited data and constrained memory. In summary, this is where the fusion of data-driven anomaly detection and rules matching will come into play.
+
+Lastly, the value proposition of conducting real-time anomaly analysis on the host lies in the unique options it offers, which cannot be achieved through alternative methods. On the host, we can observe anomalies based on all relevant and observed kernel events. In contrast, sending a large volume of kernel events to a centralized system would be impractical, resulting in significant costs for data pipeline management and data lake compute expenses.
+
+## Initial Scope
+
+The initial scope is to implement the Count Min Sketch algorithm using n shared sketches and expose its count estimates as new filterchecks for use in Falco rules. An MVP can be explored in this libs draft PR [wip: new(userspace/libsinsp): MVP CountMinSketch Powered Probabilistic Counting and Filtering](https://github.com/falcosecurity/libs/pull/1453). Moreover, the initial anomaly detection framework will include a transparent `plugin` user interface for defining application behavior profiles and utilizing sketch count estimates in Falco rules. The primary direct benefit lies in establishing a safety boundary for Falco rules in production environments, allowing for broader rule monitoring while preventing Falco rules from blowing up in production.
+
+Furthermore, The Falco Project will provide adopters with valuable initial use cases, recommended thresholds, and callouts for known issues. One important consideration is the identification of SRE anti-patterns. Another consideration is to provide *very clear* guidance to adopters for setting and configuring parameters, including recommended minimums. Additionally, guidance should be provided on indicators to look for in order to determine if adjustments need to be made and in which direction, particularly when defining application behavior profiles.
+
+## High-Level Technical Design of a New `anomalydetection` Plugin
+
+This document provides a high-level proposal with limited technical details.
+
+*Probabilistic Data Structures*
+
+One option for implementing the probabilistic filter is by utilizing a robust two-dimensional probabilistic data structure known as the Count Min Sketch. This data structure is widely employed in distributed stream processing frameworks such as Apache Spark, Apache Storm, Apache Flink, and others, as well as databases like Redis and PostgreSQL.
+
+Technical details and implications are extensively covered in numerous research papers and textbooks. Therefore, here are some key points to consider in order to make informed choices:
+
+- The challenges posed by both hard and soft collisions can be mitigated by using multiple non-cryptographic hash functions, which has been mathematically proven to be effective.
+- Despite providing one-sided error bounds and preventing undercounting, the sketchy data structure requires adopters to define a tolerance level for overcounting. This tolerance level determines what qualifies as rare or noteworthy.
+- To enhance accuracy and reduce estimation errors, consider debiasing data (e.g. Count Min Sketch with Conservative Updates) or applying a logarithmic scale to address kernel event data skew. The logarithmic scale may suit threat detection, targeting low-frequency or long-tail attack-related items. However, only use if performance overhead is acceptable.
+- Use larger shared sketches and incorporate container IDs as part of the behavior profiles to differentiate between workloads / applications. Conversely, use separate sketches for distinct behavior profiles, also known as the "what we are counting".
+- ... and numerous other aspects that will be discussed in subsequent implementation PRs.
+
+*Plumbing and Interface*
+
+The ultimate goal is to introduce these new capabilities as plugin. A significant amount of work will be dedicated to addressing the necessary plumbing required to support the new framework and integrate it with the existing rules filtering, `libsinsp` and `plugin` mechanisms. This integration aims to provide a user-friendly interface that allows users to easily configure and utilize the opt-in framework for different use cases. 
+
+For instance, the interface should empower end users to define error tolerances and, consequently, sketch dimensions, along with other tuning parameters, bounds, and settings. Ultimately, it should enable the definition of n behavior profiles to facilitate the use of count estimates in Falco rules.
+
+## What this Framework is Not
+
+- This framework is not intended to function as an event aggregator or enhancer, such as netflow data. Its sole purpose is to serve as an anomaly filter for individual events, utilizing the existing sinsp state, the newly built state through sketches, and the current rules engine.
+- The development of this framework will not be swayed by overly specific use cases that limit its broader adoption and coverage.
+- While it may not offer flawless attack threat detection from the beginning, it serves as an initial step towards comprehensive event logging and analysis, capturing all events that exhibit any form of new or changing behavior we observe. Therefore, initially, the greatest value lies in combining it with regular Falco rules based on the anomaly-filtered event stream.
+
+## Why now?
+
+In case you haven't noticed, advanced data analytics is quite the big deal these days, and we can leverage robust established algorithms used in real production settings across various industries. The novelty lies in addressing the specific data encoding challenges unique to the field of cybersecurity, not re-inventing already established algorithms.
+
+Furthermore, over the past several Falco releases, we have significantly improved stability, configurability, and capabilities. Notably, the plugins system has been refined over the past year to efficiently access the complete `libsinsp` state, now also featuring an improved CPP SDK. Additionally, it now seamlessly collaborates with the existing primary syscalls event source, deviating from its original purpose of processing new data sources. This improvement allows for more intuitive functionality, as demonstrated by the new `k8smeta` plugin. Now is the opportune time to further enhance proven threat detection capabilities and expand the plugins system even more. 
+
+*Initial community feedback concerning the KubeCon NA 2023 Full Talk*
+
+- Overall, the feedback for [A Wind of Change for Threat Detection](https://kccncna2023.sched.com/event/1R2mX/a-wind-of-change-for-threat-detection-melissa-kilby-apple) was very positive and appreciative, particularly regarding the direct real-life benefits (a safety boundary for Falco rules enabling broader monitoring that won't blow up in production). Suggestions for future development included integrating the sketch directly into the kernel driver (which would be a remarkable achievement if feasible). Lastly, people have inquired about the timeline for the availability of this feature.
+- Refer to the [KubeCon NA 2023 Slides](https://static.sched.com/hosted_files/kccncna2023/c5/A%20Wind%20of%20Change%20for%20Threat%20Detection%20-%20Melissa%20Kilby%20-%20KubeCon%20NA%202023.pdf) or [attached PDF](kubeconna23-anomaly-detection-slides.pdf) for more information. Here's the [Talk Recording](https://www.youtube.com/watch?v=1y1m9Vz93Yo) (please note that the first four minutes of the video are missing, but the slides and audio recordings are complete).
+
+*Falco Community Call - January 17, 2024*
+
+See dedicated [HackMD](https://hackmd.io/Ss0_1avySUuxArBQm-oaGQ?view):
+
+- While not blocking the start of the plugin or an alpha dev version, there's feedback from @jasondellaluce that plugins cannot access the existing `libsinsp` filtercheck. It would be advantageous to enable this access to avoid reimplementing them and the constant risk of falling out of sync with `libs`. @leogr mentioned that supporting this over time should be possible.
+- We have discussed the plugins config and are currently undecided on whether the definition of the behavior profile per sketch, meaning the fields that are string concatenated together and counted, should reside in the plugins config or in the rules files. The latter would potentially require a new rules component. Final decisions will be deferred to a later stage to ensure the config is intuitive, and we want to guarantee proper sketch definition when attempting to run Falco rules using the `anomalydetection` plugin.  
+- One use case, namely determining if a rule has previously occurred in a container, could be addressed by this framework as well. However, we are currently unsure how to expose the rule names, as `libsinsp` is not aware of them. This may be an optimization we can address later and does not block the development of an initial version.
+- Future use cases might involve counting distinct values, utilizing the hyper log log algorithm. However, there will be additional technical challenges to overcome.
+- Finally, just to reiterate some feedback from the KubeCon talk, there's a suggestion that, perhaps in the future, we could pass intelligence back and forth between the drivers and userspace. This idea has been discussed independently, especially in the context of kernel-side filtering. However, such capabilities would be a long-term consideration.
+
+## Proposed Timelines
+
+- Falco 0.37.0: Design details and scaffolding
+- Falco 0.38.0: Experimental release
+- Falco 0.39.0: First release
+
+## Resources / References
+
+- [Probabilistic Data Structures and Algorithms
+for Big Data Applications](https://www.gakhov.com/books/pdsa.html) book
+- [Count Min Sketch blog 1](https://towardsdatascience.com/big-data-with-sketchy-structures-part-1-the-count-min-sketch-b73fb3a33e2a)
+- [Count Min Sketch blog 2](https://www.synnada.ai/blog/probabilistic-data-structures-in-streaming-count-min-sketch)
+- [Count Min Log Sketch](https://arxiv.org/pdf/1502.04885.pdf) paper
+- [Count Min Sketch with Conservative Updates](https://hal.science/hal-03613957/document#:~:text=Count%2DMin%20Sketch%20with%20Conservative%20Updates%20(CMS%2DCU),because%20of%20its%20inherent%20difficulty) paper
+- [xxHash](https://github.com/Cyan4973/xxHash) as new dependency for fast and reliable hashing (using xxh3)

proposals/20231220-features-adoption-and-deprecation.md

@@ -0,0 +1,219 @@
+# Features Adoption and Deprecation Policies Proposal
+
+This proposal aims to introduce a balance between maintaining adopter trust and the need for The Falco Project to evolve. Historically, Falco has favored rapid evolution over providing long-term support for features and interfaces. However, some project subsystems have been implicitly assumed not to allow backward-incompatible changes (e.g., we have almost never removed a condition syntax field). These implicit conventions have never been formalized, and decisions in this regard have been left unspecified.
+
+## Goals
+
+- Establish adopter expectations on the operational cost of using Falco.
+- Provide a clear path for features to be adopted and dismissed.
+- Allow quick evolution and experimentation without disrupting our adopters' deployments.
+- Detail the process for introducing new features, following a "sandbox" to "incubating" to "stable" progression.
+- Define the scope of the policy, including which aspects of Falco are covered (e.g., command line flags, configuration files, rules syntax).
+- Establish stages for deprecating features, aligning with the project's current status (pre- and post-1.0 stages).
+- Adopt a semantic versioning (semver) approach.
+
+## Non-Goals
+
+- Define the number of previous releases that will receive patches or security updates and the duration of this support.
+- Define the criteria for Falco 1.0.
+
+## Scope
+
+The proposed policies apply to Falco, its subsystems (e.g., rules, the plugin system), and all [core projects](https://github.com/falcosecurity/evolution#core) which are deemed [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable), thus officially supported by The Falco Project.
+
+## Definitions
+
+### Feature Changes
+
+A feature is a distinct and specific functionality or characteristic of Falco and its core components that provides value to the user by enabling them to perform particular tasks. Features encompass aspects such as functionality, user value, usability, integrability, scalability, configurability, and discoverability. Features can range from essential user interface elements to complex, multifunctional operations.
+
+A feature change refers to any modification or update to an existing feature or the addition of a new feature. This does not include documentation, Falco compatibility across different environments, platforms, systems, or other software or hardware, bug fixing (stated it does not require a feature change to overcome the problem), and performance (unless a change produces a measurable effect on usability).
+
+### Behavior Changes
+
+A behavior change refers to alterations in how Falco, or a specific feature within it, operates or responds under certain conditions. Unlike feature changes, behavior changes are more about tweaking the underlying logic or the way existing features interact or perform, particularly the expected behavior of Falco when run with the default configuration.
+
+Behaviors are generally documented. Any modification that does not meet the conditions and expectations of an already documented feature is assumed to be a behavior change.
+
+Undocumented behaviors may be included in this definition if there's strong evidence or suspicion that users rely on those undocumented behaviors.
+
+### User-Facing Changes
+
+User-facing changes refer to any feature changes, behavior changes, modifications, or additions that are directly noticeable and interactable by the end users. These changes affect how Falco operates from the user's perspective (notably any change that can lead to user disruption). Unlike internal changes (i.e., code refactoring, CI, maintenance-related changes), which are under-the-hood improvements not directly visible to the user, user-facing changes are evident in the Falco and its core components interface and functionality.
+
+### CLI/Config Area
+
+Falco is comprised of the Falco binary and other programs and tools cooperating (notably [falcoctl](https://github.com/falcosecurity/falcoctl)). These programs are the primary user interface for Falco. Any feature or behavior changes to the following elements of these programs are assumed to be user-facing changes to the CLI/Config area:
+
+- Program name.
+- Distribution mechanism and packaging (e.g., a container image).
+- Command line flags and options.
+- Environment variables.
+- Configurations.
+- Elements that affect the program's lifecycle (e.g., the effect of sending a SIGINT to the program).
+- Elements that allow scripting, automation, or interaction with other programs (e.g., piping and redirection).
+- Program inputs, excluding elements explicitly governed by other areas (e.g., [Falco rules](#rules-area)).
+- Program outputs excluding elements explicitly governed by other areas (e.g., [Falco outputs/alerts](#outputs-alerts-area)).
+
+### Rules System Area
+
+Rules are the primary input for Falco. Any feature or behavior changes to the following aspects or elements are assumed to be user-facing changes to the rules system area:
+
+- Syntax.
+- File format.
+- Schema (i.e., supported fields).
+- Elements that affect the way users can implement rules.
+- Elements that affect the way rules are triggered.
+
+However, any change related to the rule's output when triggered (i.e., the alert) is out of scope for this area (see next section).
+
+Note that this area does not include changes related to the ruleset files. Ruleset distributions follow their own [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) policies. 
+
+### Outputs/Alerts Area
+
+Alerts, delivered through Falco output channels, are Falco's primary output. The way and the format in which alerts are produced can have a significant impact on adopters. For example, removing a supported rule field also impacts this area, as adopters may have relied on that field when consuming Falco output.
+
+Any feature or behavior changes to the following aspects or elements are assumed to be user-facing changes to the Outputs/Alerts area:
+
+- Output and logging formats.
+- Schema of outputted data (i.e., supported fields).
+- Falco output channels.
+- Any element that might be consumed from the output.
+
+### Subsystem APIs (Plugins, gRPC Output, Metrics, etc.) Area
+
+Falco is also comprised of several subsystems providing specific APIs. These subsystems notably include plugin system API, gRPC output API, and metrics API.
+
+In the context of this proposal, only changes to **public APIs** are assumed to be user-facing changes to this area.
+
+Public APIs are defined as those supporting Falco functioning and explicitly intended for user usage. Internal APIs consumed by Falco or other tools are out of scope for this area. For instance, the driver APIs or libs APIs are intended to be mainly consumed by Falco and not by users.
+
+### Platform Support Area
+
+Platform support for Falco encompasses the range of platforms, systems, and environments it is designed to operate in. Platform support may significantly vary by Falco's data sources and use cases. For example, its compatibility differs when utilized for Kubernetes audit events versus system call events. Additionally, platform support can be influenced by deployment methods (e.g., directly on a host versus within Kubernetes) or configurations (e.g., running in privileged versus least privileged mode).
+
+Given the diversity of potential platforms and setups, only those explicitly listed in Falco's documentation are considered officially supported. While Falco may function on other platforms, official support is guaranteed solely for documented ones.
+
+Therefore, changes in platform compatibility or behavior that are documented explicitly assumed to be user-facing changes to the Platform Support area.
+
+### Release Cycle
+
+In the context of this proposal, a release cycle is the period between two consecutive major or minor releases of Falco. Hotfix/Patch releases must not be counted.
+
+The actual duration of a release cycle can vary. Still, it's assumed to be about 16 weeks (as per our current defined [Release Cycles and Development Iterations](https://github.com/falcosecurity/falco/blob/master/proposals/20230511-roadmap-management.md#release-cycles-and-development-iterations)). In case of future modification to the Falco release schedule, a period of minimum 3 months must be assumed.
+
+## Proposal
+
+### Maturation Levels
+
+Maturation levels (inspired by those we already have in place for [repositories](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#status)) are used to characterize the maturity of a feature. Each feature will have an assigned level  at any specific time (i.e., a Falco release). Levels are shown in the table below.
+
+| Maturity Level | Intended for |
+| --- | --- |
+| Sandbox |  Experimental/alpha features, not recommended for production use, can be removed at any time without further notice. |
+| Incubating | Beta features, long-term support is not guaranteed. |
+| Stable | General Availability (GA) features for which long-term support is expected. |
+| Deprecated | See the [deprecation policy](#Deprecation-policy) section below. |
+
+### Adoption Policy
+
+The adoption policy applies to any backward compatible user-facing changes which add functionalities. For non-backward compatible changes see the [deprecation policy](#Deprecation-policy) below.
+
+**Adoption rules**:
+1. A feature can be introduced at only one of the following levels:
+   - Sandbox: The feature must be opt-in (e.g., not enabled by default), labeled as *Sandbox* and the user must be proactively informed by the experimental nature of the feature (i.e. emitting a notice when the feature is being enabled).
+   - Incubating: The feature must be labeled as *Incubating*.
+2. Any functionality additions to an existing feature are inherently introduced at the same level as the feature itself unless logically separable (for instance, a sub-feature that may be enabled separately).
+3. A feature can be promoted *from Sandbox to Incubating* or *from Incubating to Stable* only after at least one release cycle has passed without user-facing changes to the feature.
+4. A feature cannot be demoted to a previous level.
+
+
+_Note about behaviors_:
+This policy indirectly applies to behaviors, too. Behavior changes are assumed to be a consequence of a feature change. The adoption level of a documented behavior is considered to be the same as the related feature. Furthermore, behavior changes are particularly relevant in the context of deprecation (see the next section).
+
+
+### Deprecation Policy
+
+The deprecation policy applies to any non-backward compatible user-facing changes. Any other changes introduced in a backward-compatible manner does not fall under the scope of this deprecation policy.
+
+**Deprecation rules**:
+1. Sandbox features can be removed or changed at any time without notice. No deprecation period is required.
+2. Incubating or Stable features and documented behaviors must enter a deprecation period and function for no less than the indicated release cycles (see tables below) after their announced deprecation. 
+   - If the change affects the feature partially, the deprecation applies only to that feature part. 
+   - If the change removes the feature entirely, the deprecation applies to the entire feature.
+3. At least for the entire deprecation period, the feature must be labeled as *Deprecated* in all relevant documentation, and:
+   - for deprecated configurations or CLI elements, a warning must be emitted warnings when the feature is being enabled or used;
+   - for deprecated APIs, when technically feasible, the API should be signal the deprecation status (this may vary depending on the specific subsystem);
+   - for deprecated behaviors the documentation must highlight the _before_ and _after_ behavior, alongside with a prominent deprecation notice.
+4. Any Pull Request introducing a deprecation notice must be labeled and include a note in the format `DEPRECATION NOTICE: ...`.
+5. Any Pull Request introducing a breaking change due to the end of the deprecation notice period must be labeled and include a note in the format `BREAKING CHANGE: ...`. 
+   - It is also recommended for code commits that introduce a breaking change to follow the related [conventional commit spec](https://www.conventionalcommits.org/en/v1.0.0/#specification).
+
+The minimum deprecation period length depends on the affected area. If a single change spans multiple areas, the area with the most extended deprecation period is assumed. Longer deprecation periods are allowed if the feature is deemed to be particularly critical or widely used.
+
+#### Deprecation Period Lengths
+
+_The units represent the number of releases._
+
+##### Before Falco 1.0
+
+| Area           | Stable | Incubating |
+| -------------- | ------ | ---------- |
+| *all areas*    | 1      | 0          |
+
+##### Since Falco 1.0 onward
+
+| Area           | Stable | Incubating |
+| -------------- | ------ | ---------- |
+| Behaviors      | 2      | 1          |
+| Rules System   | 2      | 1          |
+| Output/Alerts  | 2      | 1          |
+| Platform       | 2      | 1          |
+| CLI/Config     | 1      | 1          |
+| Subsystem APIs | 1      | 0          |
+
+### Examples
+
+**Example 1** Let's consider a feature _foo_ in the Output/Alerts Area introduced in Falco 1.0.0 and labeled as *Incubating*. The feature is promoted to *Stable* in Falco 1.1.0 (because the feature did not get any user-facing change).
+Subsequently, maintainers decide that backward-compatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
+
+**Example 2** The `--bar` flag in the CLI/Config Area has been introduced since Falco 1.1.0 and is labeled as *Stable*. Before releasing Falco 1.5.0, maintainers realize `--bar` is redundant and should be removed. The flag is labeled as *Deprecated* in Falco 1.5.0, and the deprecation period starts. The flag is removed in Falco 1.6.0.
+
+### Exceptions
+
+- Ruleset in the official distributions follow the [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) policies.
+- Subsystems or subcomponents may have additional criteria and exceptions. Stated other criteria and exceptions must not directly affect the main Falco distribution (e.g., *falcoctl* can have a different release cycle and different policies; however, if Falco relies on a specific *falcoctl* feature, that *falcoctl* feature adoption and deprecation must be strictly compatible with the rules described in this proposal).
+- Internal APIs are out of scope for this policy. Their adoption models and deprecation policies might be regulated separately.
+- Different parties may provide plugins, and each plugin may have a different maturity level. Only those plugins officially maintained by The Falco Project and identified as "core" for Falco are in scope for this policy; all others are excluded.
+- Any other exceptions to the rules provided by this policy require a formal core maintainer majority vote.
+
+### Versioning
+
+Regarding the above policies, component versioning must adhere to [Semantic Versioning 2.0.0](https://semver.org/). However, in the context of Falco core components, the scope extends beyond the strict API definition and includes any user-facing changes.
+
+Thus, given a version number `MAJOR.MINOR.PATCH` increment the:
+
+- *MAJOR* version when the deprecation period of one or more _stable_ features ends, thus introducing incompatible user-facing or API changes.
+- *MINOR* version when adding functionality in a backward-compatible manner.
+- *PATCH* version when making backward-compatible bug fixes.
+
+Moreover, *MAJOR* version zero (0.y.z) is for versioning stabilization (i.e., before defining the public set of user-facing features and APIs). At this stage, the *MINOR* version is allowed to be incremented instead of the *MAJOR* version.
+
+### Documentation
+
+Documentation must be tied to a specific release and reflect the adoption level status of a feature at that specific release. In particular:
+
+- Deprecated items must be labeled `DEPRECATED` in all relevant documentation.
+- Stable items must be sufficiently documented. Explicitly labeling the Stable status is not required or recommended.
+- Incubating items must be sufficiently documented and labeled  `INCUBATING` in all relevant documentation.
+- Sandbox items may be partially documented and labeled `SANDBOX` in all relevant documentation, if any. The relevant documentation must also explicitly state the experimental nature of the item.
+
+## Transition Phases
+
+Since software components may need to adapt to implement the requirements this proposal mandates, we assume the following stages are required to transition from the current state to the desired state fully:
+
+- Within Falco 0.38, at least stable features must be identified, and the adoption policy and relevant documentation should be implemented in Falco. Exceptions may be made temporarily for the deprecation policy.
+- Within subsequent releases and no later than Falco 1.0.0 (still not scheduled to date), all the policies must be strictly implemented in Falco and documented in [falco.org](falco.org). The [Rules Maturity Framework](https://github.com/falcosecurity/rules/blob/main/CONTRIBUTING.md#rules-maturity-framework) must be adapted to ensure it aligns with the spirit of this proposal. Exceptions may be made temporarily for other [core projects](https://github.com/falcosecurity/evolution#core) with [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) status, assuming exceptions don't severely affect the main Falco distribution.
+- Within Falco 1.1.0, all the policies must be strictly implemented in Falco and in all [core projects](https://github.com/falcosecurity/evolution#core) with [stable](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) status.
+
+During the transition phases, maintainers can fine-tune these policies and add further exceptions, eventually. After this initial transition phases, the policy is assumed to be established. From then on, any policy modifications, updates, and exceptions must be subject to a core maintainer majority vote to ensure the policy remains relevant and practical.

scripts/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,40 +16,49 @@
 # limitations under the License.
 #
 
-# Systemd
-file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/scripts/systemd)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
-configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service"
-		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	# Systemd
+	file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/scripts/systemd)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+	configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service"
+			"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
 
-# Debian
-configure_file(debian/postinst.in debian/postinst COPYONLY)
-configure_file(debian/postrm.in debian/postrm COPYONLY)
-configure_file(debian/prerm.in debian/prerm COPYONLY)
+	# Debian
+	configure_file(debian/postinst.in debian/postinst COPYONLY)
+	configure_file(debian/postrm.in debian/postrm COPYONLY)
+	configure_file(debian/prerm.in debian/prerm COPYONLY)
 
-# Rpm
-configure_file(rpm/postinstall.in rpm/postinstall COPYONLY)
-configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY)
-configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY)
-
-configure_file(falco-driver-loader falco-driver-loader @ONLY)
+	# Rpm
+	configure_file(rpm/postinstall.in rpm/postinstall COPYONLY)
+	configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY)
+	configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY)
+endif()
 
 # Install Falcoctl config file
-if(NOT DEFINED FALCOCTL_ETC_DIR)
-	set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
-endif()
-install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
-		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
+if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
+	if(NOT DEFINED FALCOCTL_ETC_DIR)
+		set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
+    endif()
+    set(FALCOCTL_DRIVER_TYPES_LIST "")
+	if (BUILD_FALCO_MODERN_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "modern_ebpf")
+	endif()
+	if (BUILD_DRIVER)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
+	endif()
+	if (BUILD_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
+	endif()
+	string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
+	configure_file(${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml)
+	install(FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

scripts/debian/postinst.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +17,10 @@
 # limitations under the License.
 #
 
-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
+chosen_unit=
+CHOICE=
 
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible 'falco' services:"
@@ -35,39 +39,76 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ "$1" = "configure" ]; then
-        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
-          # If dialog is installed, create a dialog to let users choose the correct driver for them
-          CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
-                1 "Manual configuration (no unit is started)" \
-                2 "Kmod" \
-                3 "eBPF" \
-                4 "Modern eBPF" \
-                2>&1 >/dev/tty)
-          case $CHOICE in
-                  2)
-                      chosen_driver="kmod"
-                      ;;
-                  3)
-                      chosen_driver="bpf"
-                      ;;
-                  4)
-                      chosen_driver="modern-bpf"
-                      ;;
-          esac
-          if [ -n "$chosen_driver" ]; then
-            CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
-                    1 "Yes" \
-                    2 "No" \
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
+        case $FALCO_DRIVER_CHOICE in
+              none)
+                  CHOICE=1
+                  ;;
+              kmod)
+                  CHOICE=3
+                  ;;
+              ebpf)
+                  CHOICE=4
+                  ;;
+              modern_ebpf)
+                  CHOICE=5
+                  ;;
+        esac     
+        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
+            # If dialog is installed, create a dialog to let users choose the correct driver for them
+            CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
+                    1 "Manual configuration (no unit is started)" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                     2>&1 >/dev/tty)
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
+        case $CHOICE in
+            1)
+                chosen_driver=""
+                ;;
+            3)
+                chosen_driver="kmod"
+                ;;
+            4)
+                chosen_driver="ebpf"
+                ;;
+            5)
+                chosen_driver="modern_ebpf"
+                ;;
+        esac
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
+            CHOICE=
+            case $FALCOCTL_ENABLED in
+                no)
+                    CHOICE=2
+                    ;;
+            esac
+            if [ -z $CHOICE ] &&  [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+                CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                        1 "Yes" \
+                        2 "No" \
+                        2>&1 >/dev/tty)
+            fi  
             case $CHOICE in
                 2)
-                # we don't want falcoctl enabled, we mask it
-                systemctl --system mask falcoctl-artifact-follow.service || true
+                    # we don't want falcoctl enabled, we mask it
+                    systemctl --system mask falcoctl-artifact-follow.service || true
                 ;;
             esac
-          fi
-          clear
-        fi
+        fi    
+        clear
 fi
 
 set -e
@@ -75,25 +116,30 @@ set -e
 echo "[POST-INSTALL] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
 
-# If needed, try to load/compile the driver through falco-driver-loader
+# If needed, try to load/compile the driver through falcoctl
 case "$chosen_driver" in
     "kmod")
       # Only compile for kmod, in this way we use dkms
-      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
-      falco-driver-loader --compile module
+      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
+      falcoctl driver install --download=false
+      chosen_unit="kmod"
       ;;
-    "bpf")
-      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
-      falco-driver-loader bpf
+    "ebpf")
+      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
+      falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
       ;;
 esac
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -n "$chosen_driver" ]; then
+        if [ -n "$chosen_unit" ]; then
             # we do this in 2 steps because `enable --now` is not always supported
-            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
-            systemctl --system start "falco-$chosen_driver.service" || true           
+            echo "[POST-INSTALL] Enable 'falco-$chosen_unit.service':"
+            systemctl --system enable "falco-$chosen_unit.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_unit.service':"
+            systemctl --system start "falco-$chosen_unit.service" || true
         fi
 fi

scripts/debian/postrm.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/prerm.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,7 +31,7 @@ case "$1" in
       systemctl --system stop 'falco-custom.service' || true
       systemctl --system stop 'falcoctl-artifact-follow.service' || true
 
-      echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
-      falco-driver-loader --clean
+      echo "[PRE-REMOVE] Call 'falcoctl driver cleanup:'"
+      falcoctl driver cleanup
     ;;
 esac

scripts/falco-driver-loader

@@ -1,808 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Simple script that desperately tries to load the kernel instrumentation by
-# looking for it in a bunch of ways. Convenient when running Falco inside
-# a container or in other weird environments.
-#
-
-#
-# Returns 1 if $cos_ver > $base_ver, 0 otherwise
-#
-cos_version_greater() {
-	if [[ $cos_ver == "${base_ver}" ]]; then
-		return 0
-	fi
-
-	#
-	# COS build numbers are in the format x.y.z
-	#
-	a=$(echo "${cos_ver}" | cut -d. -f1)
-	b=$(echo "${cos_ver}" | cut -d. -f2)
-	c=$(echo "${cos_ver}" | cut -d. -f3)
-
-	d=$(echo "${base_ver}" | cut -d. -f1)
-	e=$(echo "${base_ver}" | cut -d. -f2)
-	f=$(echo "${base_ver}" | cut -d. -f3)
-
-	# Test the first component
-	if [[ $a -gt $d ]]; then
-		return 1
-	elif [[ $d -gt $a ]]; then
-		return 0
-	fi
-
-	# Test the second component
-	if [[ $b -gt $e ]]; then
-		return 1
-	elif [[ $e -gt $b ]]; then
-		return 0
-	fi
-
-	# Test the third component
-	if [[ $c -gt $f ]]; then
-		return 1
-	elif [[ $f -gt $c ]]; then
-		return 0
-	fi
-
-	# If we get here, probably malformatted version string?
-
-	return 0
-}
-
-get_kernel_config() {
-	if [ -f /proc/config.gz ]; then
-		echo "* Found kernel config at /proc/config.gz"
-		KERNEL_CONFIG_PATH=/proc/config.gz
-	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
-		echo "* Found kernel config at /boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
-	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
-		echo "* Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
-	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
-		echo "* Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
-		echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
-		# This code works both for native host and containers assuming that
-		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
-		echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
-		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
-	fi
-
-	if [ -z "${KERNEL_CONFIG_PATH}" ]; then
-		>&2 echo "Cannot find kernel config"
-		exit 1
-	fi
-
-	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
-	else
-		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
-	fi
-}
-
-get_target_id() {
-	if [ -f "${HOST_ROOT}/etc/os-release" ]; then
-		# freedesktop.org and systemd
-		# shellcheck source=/dev/null
-		source "${HOST_ROOT}/etc/os-release"
-		OS_ID=$ID
-	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
-		# Older debian distros
-		# fixme > Can this happen on older Ubuntu?
-		OS_ID=debian
-	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
-		# Older CentOS distros
-		OS_ID=centos
-	elif [ -f "${HOST_ROOT}/etc/redhat-release" ]; then
-		# Older RHEL distros
-		OS_ID=rhel
-	else
-		return 1
-	fi
-
-	# Overwrite the OS_ID if /etc/VERSION file is present.
-	# Not sure if there is a better way to detect minikube.
-	if [ -f "${HOST_ROOT}/etc/VERSION" ]; then
-		OS_ID=minikube
-	fi
-
-	case "${OS_ID}" in
-	("amzn")
-		case "${VERSION_ID}" in
-		("2")
-			TARGET_ID="amazonlinux2"
-			;;
-		("2022")
-			TARGET_ID="amazonlinux2022"
-			;;
-		("2023")
-			TARGET_ID="amazonlinux2023"
-			;;
-		(*)
-			TARGET_ID="amazonlinux"
-			;;
-		esac
-		;;
-	("debian")
-		# Workaround: debian kernelreleases might now be actual kernel running;
-		# instead, they might be the Debian kernel package
-		# providing the compatible kernel ABI
-		# See https://lists.debian.org/debian-user/2017/03/msg00485.html
-		# Real kernel release is embedded inside the kernel version.
-		# Moreover, kernel arch, when present, is attached to the former,
-		# therefore make sure to properly take it and attach it to the latter.
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		local ARCH_extra=""
-		if [[ $KERNEL_RELEASE =~ -(amd64|arm64) ]];
-		then
-			ARCH_extra="-${BASH_REMATCH[1]}"
-		fi
-		if [[ $(uname -v) =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
-		then
-			KERNEL_RELEASE="${BASH_REMATCH[1]}${ARCH_extra}"
-		fi
-		;;
-	("ubuntu")
-		# Extract the flavor from the kernelrelease
-		# Examples:
-		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
-		# 5.15.0-1009-aws -> ubuntu-aws
-		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
-		then
-			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
-		else
-			TARGET_ID="ubuntu-generic"
-		fi
-		;;
-	("flatcar")
-		KERNEL_RELEASE="${VERSION_ID}"
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		;;
-	("minikube")
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		# Extract the minikube version. Ex. With minikube version equal to "v1.26.0-1655407986-14197" the extracted version
-		# will be "1.26.0"
-		if [[ $(cat ${HOST_ROOT}/etc/VERSION) =~ ([0-9]+(\.[0-9]+){2}) ]]; then
-			# kernel version for minikube is always in "1_minikubeversion" format. Ex "1_1.26.0".
-			KERNEL_VERSION="1_${BASH_REMATCH[1]}"
-		else
-			echo "* Unable to extract minikube version from ${HOST_ROOT}/etc/VERSION"
-			exit 1
-		fi
-		;;
-	("bottlerocket")
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		# variant_id has been sourced from os-release. Get only the first variant part
-		if [[ -n ${VARIANT_ID} ]];  then
-			# take just first part (eg: VARIANT_ID=aws-k8s-1.15 -> aws)
-			VARIANT_ID_CUT=${VARIANT_ID%%-*}
-		fi
-		# version_id has been sourced from os-release. Build a kernel version like: 1_1.11.0-aws
-		KERNEL_VERSION="1_${VERSION_ID}-${VARIANT_ID_CUT}"
-		;;
-	("talos")
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		# version_id has been sourced from os-release. Build a kernel version like: 1_1.4.1
-		KERNEL_VERSION="1_${VERSION_ID}"
-		;;
-	(*)
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		;;
-	esac
-	return 0
-}
-
-flatcar_relocate_tools() {
-	local -a tools=(
-		scripts/basic/fixdep
-		scripts/mod/modpost
-		tools/objtool/objtool
-	)
-	local -r hostld=$(ls /host/usr/lib64/ld-linux-*.so.*)
-	local -r kdir=/lib/modules/$(ls /lib/modules/)/build
-	echo "** Found host dl interpreter: ${hostld}"
-	for host_tool in ${tools[@]}; do
-		t=${host_tool}
-		tool=$(basename $t)
-		tool_dir=$(dirname $t)
-		host_tool=${kdir}/${host_tool}
-		if [ ! -f ${host_tool} ]; then
-			continue
-		fi
-		umount ${host_tool} 2>/dev/null || true
-		mkdir -p /tmp/${tool_dir}/
-		cp -a ${host_tool} /tmp/${tool_dir}/
-		echo "** Setting host dl interpreter for $host_tool"
-		patchelf --set-interpreter ${hostld} --set-rpath /host/usr/lib64 /tmp/${tool_dir}/${tool}
-		mount -o bind /tmp/${tool_dir}/${tool} ${host_tool}
-	done
-}
-
-load_kernel_module_compile() {
-	# Skip dkms on UEK hosts because it will always fail
-	if [[ $(uname -r) == *uek* ]]; then
-		>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
-		return
-	fi
-
-	if ! hash dkms >/dev/null 2>&1; then
-		>&2 echo "This program requires dkms"
-		return
-	fi
-
-	if [ "${TARGET_ID}" == "flatcar" ]; then
-		KERNEL_RELEASE=$(uname -r)
-		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
-		flatcar_relocate_tools
-	fi
-
-	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
-		# Filter away gcc-{ar,nm,...}
-		# Only gcc compiler has `-print-search-dirs` option.
-		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
-		if [ "$?" -ne "0" ]; then
-			continue
-		fi
-		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
-		echo "#!/usr/bin/env bash" > "${TMPDIR}/falco-dkms-make"
-		echo "make CC=${CURRENT_GCC} \$@" >> "${TMPDIR}/falco-dkms-make"
-		chmod +x "${TMPDIR}/falco-dkms-make"
-		if dkms install --directive="MAKE='${TMPDIR}/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms"
-			KO_FILE="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}"
-			if [ -f "$KO_FILE.ko" ]; then
-				KO_FILE="$KO_FILE.ko"
-			elif [ -f "$KO_FILE.ko.gz" ]; then
-				KO_FILE="$KO_FILE.ko.gz"
-			elif [ -f "$KO_FILE.ko.xz" ]; then
-				KO_FILE="$KO_FILE.ko.xz"
-			elif [ -f "$KO_FILE.ko.zst" ]; then
-				KO_FILE="$KO_FILE.ko.zst"
-			else
-				>&2 echo "${DRIVER_NAME} module file not found"
-				return
-			fi
-			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying to insmod"
-			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if insmod "$KO_FILE" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
-				exit 0
-			fi
-			echo "* Unable to insmod ${DRIVER_NAME} module"
-		else
-			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-			if [ -f "${DKMS_LOG}" ]; then
-				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-				cat "${DKMS_LOG}"
-			else
-				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-			fi
-		fi
-	done
-}
-
-load_kernel_module_download() {
-	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
-
-	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
-	if curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
-		echo "* Download succeeded"
-		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
-			echo "* Success: ${DRIVER_NAME} module found and inserted"
-			exit 0
-		fi
-		>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
-	else
-		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
-		return
-	fi
-}
-
-print_clean_termination() {
-	echo
-	echo "[SUCCESS] Cleaning phase correctly terminated."
-	echo 
-	echo "================ Cleaning phase ================"
-	echo 
-}
-
-print_filename_components() {
-	echo " - driver name: ${DRIVER_NAME}"
-	echo " - target identifier: ${TARGET_ID}"
-	echo " - kernel release: ${KERNEL_RELEASE}"
-	echo " - kernel version: ${KERNEL_VERSION}"
-}
-
-clean_kernel_module() {
-	echo 
-	echo "================ Cleaning phase ================"
-	echo 
-
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod."
-		exit 1
-	fi
-
-	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod."
-		exit 1
-	fi
-
-	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	echo "* 1. Check if kernel module '${KMOD_NAME}' is still loaded:"
-
-	if ! lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
-		echo "- OK! There is no '${KMOD_NAME}' module loaded."
-		echo
-	fi
-
-	# Wait 50s = MAX_RMMOD_WAIT * 5s
-	MAX_RMMOD_WAIT=10
-	# Remove kernel module if is still loaded.
-	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $MAX_RMMOD_WAIT -gt 0 ]; do
-		echo "- Kernel module '${KMOD_NAME}' is still loaded."
-		echo "- Trying to unload it with 'rmmod ${KMOD_NAME}'..."
-		if rmmod ${KMOD_NAME}; then
-			echo "- OK! Unloading '${KMOD_NAME}' module succeeded."
-			echo
-		else
-			echo "- Nothing to do...'falco-driver-loader' will wait until you remove the kernel module to have a clean termination."
-			echo "- Check that no process is using the kernel module with 'lsmod | grep ${KMOD_NAME}'."
-			echo "- Sleep 5 seconds..."
-			echo
-			((--MAX_RMMOD_WAIT))
-			sleep 5
-		fi
-	done
-
-	if [ ${MAX_RMMOD_WAIT} -eq 0 ]; then
-		echo "[WARNING] '${KMOD_NAME}' module is still loaded, you could have incompatibility issues."
-		echo
-	fi
-	
-	if ! hash dkms >/dev/null 2>&1; then
-		echo "- Skipping dkms remove (dkms not found)."
-		print_clean_termination
-		return
-	fi
-
-	# Remove all versions of this module from dkms.
-	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
-	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
-	if [ -z "${DRIVER_VERSIONS}" ]; then
-		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
-	else
-		echo "- There are some versions of '${KMOD_NAME}' module in dkms."
-		echo
-		echo "* 3. Removing all the following versions from dkms:"
-		echo "${DRIVER_VERSIONS}"
-		echo
-	fi
-
-	for CURRENT_VER in ${DRIVER_VERSIONS}; do
-		echo "- Removing ${CURRENT_VER}..."
-		if dkms remove -m ${KMOD_NAME} -v "${CURRENT_VER}" --all; then
-			echo
-			echo "- OK! Removing '${CURRENT_VER}' succeeded."
-			echo
-		else
-			echo "[WARNING] Removing '${KMOD_NAME}' version '${CURRENT_VER}' failed."
-		fi
-	done
-
-	print_clean_termination
-}
-
-load_kernel_module() {
-	clean_kernel_module
-
-	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
-
-	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
-	print_filename_components
-
-	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
-		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
-		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
-		exit $?
-	fi
-
-	if [ -n "$ENABLE_DOWNLOAD" ]; then
-		IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
-		for url in "${urls[@]}"; do
-			load_kernel_module_download $url
-		done
-	fi
-
-	if [ -n "$ENABLE_COMPILE" ]; then
-		load_kernel_module_compile
-	fi
-
-	# Last try (might load a previous driver version)
-	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
-	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
-		exit 0
-	fi
-
-	# Not able to download a prebuilt module nor to compile one on-the-fly
-	>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
-	exit 1
-}
-
-load_bpf_probe_compile() {
-	local BPF_KERNEL_SOURCES_URL=""
-	local STRIP_COMPONENTS=1
-
-	customize_kernel_build() {
-		if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
-			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
-		fi
-		make olddefconfig > /dev/null
-		make modules_prepare > /dev/null
-	}
-
-	if [ "${TARGET_ID}" == "cos" ]; then
-		echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
-
-		BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
-		KERNEL_EXTRA_VERSION="+"
-		STRIP_COMPONENTS=0
-
-		customize_kernel_build() {
-			pushd usr/src/* > /dev/null || exit
-
-			# Note: this overrides the KERNELDIR set while untarring the tarball
-			KERNELDIR=$(pwd)
-			export KERNELDIR
-
-			sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
-			sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
-
-			popd > /dev/null || exit
-
-			# Might need to configure our own sources depending on COS version
-			cos_ver=${BUILD_ID}
-			base_ver=11553.0.0
-
-			cos_version_greater
-			greater_ret=$?
-
-			if [[ greater_ret -eq 1 ]]; then
-			export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
-			fi
-		}
-	fi
-
-	if [ "${TARGET_ID}" == "minikube" ]; then
-		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
-		echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
-		local kernel_version
-		kernel_version=$(uname -r)
-		local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
-		local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
-		local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
-
-		if [ "${kernel_version_patch}" == "0" ]; then
-			kernel_version="${kernel_version_major}.${kernel_version_minor}"
-		fi
-
-		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
-	fi
-
-	if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
-		local -r kernel_version_major=$(uname -r | cut -d. -f1)
-		local -r kernel_version=$(uname -r | cut -d- -f1)
-		KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
-
-		echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
-
-		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
-	fi
-
-	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
-		get_kernel_config
-
-		echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
-
-		mkdir -p /tmp/kernel
-		cd /tmp/kernel || exit
-		cd "$(mktemp -d -p /tmp/kernel)" || exit
-		if ! curl -L -o kernel-sources.tgz --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} "${BPF_KERNEL_SOURCES_URL}"; then
-			>&2 echo "Unable to download the kernel sources"
-			return
-		fi
-
-		echo "* Extracting kernel sources"
-
-		mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
-
-		cd kernel-sources || exit
-		KERNELDIR=$(pwd)
-		export KERNELDIR
-
-		if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-			zcat "${KERNEL_CONFIG_PATH}" > .config
-		else
-			cat "${KERNEL_CONFIG_PATH}" > .config
-		fi
-
-		echo "* Configuring kernel"
-		customize_kernel_build
-	fi
-
-	echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
-
-	make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
-
-	mkdir -p "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}"
-	mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
-
-	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
-		rm -r /tmp/kernel
-	fi
-
-}
-
-load_bpf_probe_download() {
-	local URL
-	URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
-
-	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
-
-	if ! curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${URL}"; then
-		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
-		return 1
-	fi
-	return 0
-}
-
-load_bpf_probe() {
-
-	if [ ! -d /sys/kernel/debug/tracing ]; then
-		echo "* Mounting debugfs"
-		mount -t debugfs nodev /sys/kernel/debug
-	fi
-
-	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
-	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
-	print_filename_components
-
-	if [ -n "$ENABLE_DOWNLOAD" ]; then
-		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
-		else
-			IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
-			for url in "${urls[@]}"; do
-				load_bpf_probe_download $url
-				if [ $? -eq 0 ]; then
-                	break
-                fi
-			done
-		fi
-	fi
-
-	if [ -n "$ENABLE_COMPILE" ]; then
-		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
-		else
-			load_bpf_probe_compile
-		fi
-	fi
-
-	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
-		echo "* eBPF probe located in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
-
-		ln -sf "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
-			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
-		exit $?
-	else
-		>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
-		exit 1
-	fi
-}
-
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  falco-driver-loader [driver] [options]"
-	echo ""
-	echo "Available drivers:"
-	echo "  module        kernel module (default)"
-	echo "  bpf           eBPF probe"
-	echo ""
-	echo "Options:"
-	echo "  --help         show brief help"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --source-only  skip execution and allow sourcing in another script"
-	echo ""
-	echo "Environment variables:"
-	echo "  DRIVERS_REPO             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  DRIVER_NAME              specify a different name for the driver"
-	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
-	echo "  DRIVER_CURL_OPTIONS      specify additional options to be passed to curl command used to download Falco drivers"
-	echo ""
-	echo "Versions:"
-	echo "  Falco version  ${FALCO_VERSION}"
-	echo "  Driver version ${DRIVER_VERSION}"
-	echo ""
-}
-
-ARCH=$(uname -m)
-
-KERNEL_RELEASE=$(uname -r)
-
-if ! hash sed > /dev/null 2>&1; then
-	>&2 echo "This program requires sed"
-	exit 1
-fi
-KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
-
-DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
-
-FALCO_DRIVER_CURL_OPTIONS="-fsS --connect-timeout 5 --max-time 60 --retry 3 --retry-max-time 120"
-
-if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
-then
-	FALCO_DRIVER_CURL_OPTIONS+=" -k"
-fi
-
-FALCO_DRIVER_CURL_OPTIONS+=" "${DRIVER_CURL_OPTIONS}
-
-if [[ -z "$MAX_RMMOD_WAIT" ]]; then
-	MAX_RMMOD_WAIT=60
-fi
-
-DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
-DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
-FALCO_VERSION="@FALCO_VERSION@"
-
-TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
-
-DRIVER="module"
-if [ -v FALCO_BPF_PROBE ]; then
-	DRIVER="bpf"
-fi
-
-TMPDIR=${TMPDIR:-"/tmp"}
-
-ENABLE_COMPILE=
-ENABLE_DOWNLOAD=
-
-clean=
-has_args=
-has_opts=
-source_only=
-while test $# -gt 0; do
-	case "$1" in
-		module|bpf)
-			if [ -n "$has_args" ]; then
-				>&2 echo "Only one driver per invocation"
-				print_usage
-				exit 1
-			else
-				DRIVER="$1"
-				has_args="true"
-				shift
-			fi
-			;;
-		-h|--help)
-			print_usage
-			exit 0
-			;;
-		--clean)
-			clean="true"
-			shift
-			;;
-		--compile)
-			ENABLE_COMPILE="yes"
-			has_opts="true"
-			shift
-			;;
-		--download)
-			ENABLE_DOWNLOAD="yes"
-			has_opts="true"
-			shift
-			;;
-		--source-only)
-			source_only="true"
-			shift
-			;;
-		--*)
-			>&2 echo "Unknown option: $1"
-			print_usage
-			exit 1
-			;;
-		*)
-			>&2 echo "Unknown driver: $1"
-			print_usage
-			exit 1
-			;;
-	esac
-done
-
-if [ -z "$has_opts" ]; then
-	ENABLE_COMPILE="yes"
-	ENABLE_DOWNLOAD="yes"
-fi
-
-if [ -z "$source_only" ]; then
-	echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}, arch=${ARCH}, kernel release=${KERNEL_RELEASE}, kernel version=${KERNEL_VERSION}"
-
-	if [ "$(id -u)" != 0 ]; then
-		>&2 echo "This program must be run as root (or with sudo)"
-		exit 1
-	fi
-
-	get_target_id
-	res=$?
-	if [ $res != 0 ]; then
-		if [ -n "$ENABLE_COMPILE" ]; then
-			ENABLE_DOWNLOAD=
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
-		else
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
-			exit 1
-		fi
-	fi
-
-	if [ -n "$clean" ]; then
-		if [ -n "$has_opts" ]; then
-			>&2 echo "Cannot use --clean with other options"
-			exit 1
-		fi
-
-		echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
-		case $DRIVER in
-		module)
-			clean_kernel_module
-			;;
-		bpf)
-			>&2 echo "--clean not supported for driver=bpf"
-			exit 1
-		esac
-	else
-		if ! hash curl > /dev/null 2>&1; then
-			>&2 echo "This program requires curl"
-			exit 1
-		fi
-
-		echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
-		case $DRIVER in
-			module)
-				load_kernel_module
-				;;
-			bpf)
-				load_bpf_probe
-				;;
-		esac
-	fi
-fi

scripts/falcoctl/falcoctl.yaml.in

@@ -1,9 +1,16 @@
+driver:
+    type: [@FALCOCTL_DRIVER_TYPES@]
+    name: "@DRIVER_NAME@"
+    repos:
+        - "@DRIVERS_REPO@"
+    version: "@DRIVER_VERSION@"
+    hostroot: "/"
 artifact:
   follow:
     every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:0
+    - falco-rules:3
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

scripts/ignored-calls.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/publish-bin

@@ -39,9 +39,15 @@ fi
 s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
 cloudfront_path="/packages/${repo}/${arch}"
 
+# sign
+
+gpg --detach-sign --digest-algo SHA256 --armor ${file}
+
 # publish
 package=$(basename -- ${file})
 echo "Publishing ${package} to ${s3_bucket_repo}..."
 aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+aws s3 cp ${file}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
 
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc

scripts/publish-deb

@@ -121,6 +121,47 @@ update_repo() {
     popd > /dev/null
 }
 
+reduce_dir_size() {
+    local DIR=$1
+    local MAX_SIZE_GB=$2
+    local EXTENSION=$3
+    local MAX_SIZE=$((MAX_SIZE_GB*1024*1024))  # Convert GB to KB for du command
+
+    # Check if directory exists
+    if [[ ! -d "$DIR" ]]; then
+        echo "The directory $DIR does not exist."
+        return 1
+    fi
+
+    # Calculate current directory size in KB
+    local CUR_SIZE=$(du -sk "$DIR" | cut -f1)
+
+    # Check if we need to delete any files
+    if ((CUR_SIZE <= MAX_SIZE)); then
+        return 0
+    fi
+
+    # Calculate size to delete in bytes
+    local DEL_SIZE=$(( (CUR_SIZE - MAX_SIZE) * 1024 ))
+
+    local ACC_SIZE=0
+    find "$DIR" -maxdepth 1 -type f -name "*.$EXTENSION" -printf "%T+ %s %p\n" | sort | while read -r date size file; do
+        if ((ACC_SIZE + size < DEL_SIZE)); then
+            rm "$file"
+            ACC_SIZE=$((ACC_SIZE + size))
+            
+            local asc_file="$file.asc"
+            if [[ -e "$asc_file" ]]; then
+                local asc_size=$(stat --format="%s" "$asc_file")
+                rm "$asc_file"
+                ACC_SIZE=$((ACC_SIZE + asc_size))
+            fi
+        else
+            break
+        fi
+    done
+}
+
 # parse options
 while getopts ":f::r::s" opt; do
     case "${opt}" in
@@ -188,6 +229,11 @@ if [ "${sign_all}" ]; then
   sign_repo ${tmp_repo_path} ${debSuite}
 fi
 
+# remove old dev packages if necessary
+if [[ ${repo} == "deb-dev" ]]; then
+  reduce_dir_size "${tmp_repo_path}/${debSuite}" 10 deb
+fi
+
 # update the repo by adding new packages
 if ! [ ${#files[@]} -eq 0 ]; then
   for file in "${files[@]}"; do
@@ -211,4 +257,10 @@ fi
 
 # sync dists
 aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
+
+# delete packages that have been pruned
+# the dryrun option is there so we can check that we're doing the right thing, can be removed after testing
+if [[ ${repo} == "deb-dev" ]]; then
+  aws s3 sync "${tmp_repo_path}/${debSuite}" ${s3_bucket_repo} --dryrun --delete --acl public-read
+fi

scripts/publish-rpm

@@ -53,6 +53,47 @@ update_repo() {
     popd > /dev/null
 }
 
+reduce_dir_size() {
+    local DIR=$1
+    local MAX_SIZE_GB=$2
+    local EXTENSION=$3
+    local MAX_SIZE=$((MAX_SIZE_GB*1024*1024))  # Convert GB to KB for du command
+
+    # Check if directory exists
+    if [[ ! -d "$DIR" ]]; then
+        echo "The directory $DIR does not exist."
+        return 1
+    fi
+
+    # Calculate current directory size in KB
+    local CUR_SIZE=$(du -sk "$DIR" | cut -f1)
+
+    # Check if we need to delete any files
+    if ((CUR_SIZE <= MAX_SIZE)); then
+        return 0
+    fi
+
+    # Calculate size to delete in bytes
+    local DEL_SIZE=$(( (CUR_SIZE - MAX_SIZE) * 1024 ))
+
+    local ACC_SIZE=0
+    find "$DIR" -maxdepth 1 -type f -name "*.$EXTENSION" -printf "%T+ %s %p\n" | sort | while read -r date size file; do
+        if ((ACC_SIZE + size < DEL_SIZE)); then
+            rm "$file"
+            ACC_SIZE=$((ACC_SIZE + size))
+            
+            local asc_file="$file.asc"
+            if [[ -e "$asc_file" ]]; then
+                local asc_size=$(stat --format="%s" "$asc_file")
+                rm "$asc_file"
+                ACC_SIZE=$((ACC_SIZE + asc_size))
+            fi
+        else
+            break
+        fi
+    done
+}
+
 # parse options
 while getopts ":f::r::s" opt; do
     case "${opt}" in
@@ -115,6 +156,11 @@ if [ "${sign_all}" ]; then
   sign_repo ${tmp_repo_path}
 fi
 
+# remove old dev packages if necessary
+if [[ ${repo} == "rpm-dev" ]]; then
+  reduce_dir_size ${tmp_repo_path} 10 rpm
+fi
+
 # update the repo by adding new packages
 if ! [ ${#files[@]} -eq 0 ]; then
   for file in "${files[@]}"; do
@@ -138,4 +184,10 @@ fi
 
 # sync repodata
 aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
+
+# delete packages that have been pruned
+# the dryrun option is there so we can check that we're doing the right thing, can be removed after testing
+if [[ ${repo} == "rpm-dev" ]]; then
+  aws s3 sync ${tmp_repo_path} ${s3_bucket_repo} --dryrun --delete --acl public-read
+fi

scripts/publish-wasm

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.tar.gz>"
+    exit 1
+}
+
+# parse options
+while getopts ":f:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" >&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ]; then
+    usage
+fi
+
+repo="wasm-dev" 
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}

scripts/rpm/postinstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +16,10 @@
 # limitations under the License.
 #
 
-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
+chosen_unit=
+CHOICE=
 
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
@@ -34,39 +38,76 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ $1 -ge 1 ]; then
-        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
+        case $FALCO_DRIVER_CHOICE in
+              none)
+                  CHOICE=1
+                  ;;
+              kmod)
+                  CHOICE=3
+                  ;;
+              ebpf)
+                  CHOICE=4
+                  ;;
+              modern_ebpf)
+                  CHOICE=5
+                  ;;
+        esac     
+        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
             # If dialog is installed, create a dialog to let users choose the correct driver for them
             CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                     1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                     2>&1 >/dev/tty)
-            case $CHOICE in
-                2)
-                    chosen_driver="kmod"
-                    ;;
-                3)
-                    chosen_driver="bpf"
-                    ;;
-                4)
-                    chosen_driver="modern-bpf"
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
+        case $CHOICE in
+            1)
+                chosen_driver=""
+                ;;
+            3)
+                chosen_driver="kmod"
+                ;;
+            4)
+                chosen_driver="ebpf"
+                ;;
+            5)
+                chosen_driver="modern_ebpf"
+                ;;
+        esac
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
+            CHOICE=
+            case $FALCOCTL_ENABLED in
+                no)
+                    CHOICE=2
                     ;;
             esac
-            if [ -n "$chosen_driver" ]; then
-              CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
-                      1 "Yes" \
-                      2 "No" \
-                      2>&1 >/dev/tty)
-              case $CHOICE in
-                  2)
-                      # we don't want falcoctl enabled, we mask it
-                      systemctl --system mask falcoctl-artifact-follow.service || true
-                  ;;
-              esac
-            fi
-            clear
-        fi
+            if [ -z $CHOICE ] &&  [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+                CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                        1 "Yes" \
+                        2 "No" \
+                        2>&1 >/dev/tty)
+            fi  
+            case $CHOICE in
+                2)
+                    # we don't want falcoctl enabled, we mask it
+                    systemctl --system mask falcoctl-artifact-follow.service || true
+                ;;
+            esac
+        fi    
+        clear
 fi
 
 set -e
@@ -74,16 +115,21 @@ set -e
 echo "[POST-INSTALL] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
 
-# If needed, try to load/compile the driver through falco-driver-loader
+# If needed, try to load/compile the driver through falcoctl
 case "$chosen_driver" in
     "kmod")
       # Only compile for kmod, in this way we use dkms
-      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
-      falco-driver-loader --compile module
+      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
+      falcoctl driver install --download=false
+      chosen_unit="kmod"
       ;;
-    "bpf")
-      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
-      falco-driver-loader bpf
+    "ebpf")
+      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
+      falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
       ;;
 esac
 
@@ -94,14 +140,14 @@ esac
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post "falco-$chosen_driver.service"
+%systemd_post "falco-$chosen_unit.service"
 
 # post install/upgrade mirrored from .deb
 if [ $1 -ge 1 ]; then
-        if [ -n "$chosen_driver" ]; then
-            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
-            systemctl --system start "falco-$chosen_driver.service" || true
+        if [ -n "$chosen_unit" ]; then
+            echo "[POST-INSTALL] Enable 'falco-$chosen_unit.service':"
+            systemctl --system enable "falco-$chosen_unit.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_unit.service':"
+            systemctl --system start "falco-$chosen_unit.service" || true
         fi
 fi

scripts/rpm/postuninstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/preuninstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -24,8 +25,8 @@ systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
 
-echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
-falco-driver-loader --clean
+echo "[PRE-REMOVE] Call 'falcoctl driver cleanup:'"
+falcoctl driver cleanup
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd

scripts/systemd/falco-bpf.service

@@ -7,8 +7,8 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-Environment=FALCO_BPF_PROBE=
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStart=/usr/bin/falco -o engine.kind=ebpf
+ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30
 RestartSec=15s

scripts/systemd/falco-custom.service

@@ -7,7 +7,8 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=%u
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStart=/usr/bin/falco
+ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30
 RestartSec=15s

scripts/systemd/falco-kmod.service

@@ -9,7 +9,8 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStart=/usr/bin/falco -o engine.kind=kmod
+ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30
 RestartSec=15s

scripts/systemd/falco-modern-bpf.service

@@ -7,7 +7,8 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
+ExecStart=/usr/bin/falco -o engine.kind=modern_ebpf
+ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30
 RestartSec=15s