update(changelog): added 0.32.0 release notes.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
update(build): updated plugins to latest versions.
2026-04-02 10:02:12 +00:00 · 2022-06-03 10:29:43 +02:00 · 2022-06-01 14:50:38 +02:00 · 2022-06-01 13:35:38 +02:00 · 2022-05-31 18:12:09 +02:00 · 2022-05-30 13:08:40 +02:00
13 changed files with 288 additions and 159 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,90 @@
 # Change Log

+## v0.32.0
+
+Released on 2022-06-03
+
+### Major Changes
+
+
+* new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [[#1991](https://github.com/falcosecurity/falco/pull/1991)] - [@FedeDP](https://github.com/FedeDP)
+* new(rules): add rule to detect excessively capable container [[#1963](https://github.com/falcosecurity/falco/pull/1963)] - [@loresuso](https://github.com/loresuso)
+* new(rules): add rules to detect pods sharing host pid and IPC namespaces [[#1951](https://github.com/falcosecurity/falco/pull/1951)] - [@loresuso](https://github.com/loresuso)
+* new(image): add Falco image based on RedHat UBI [[#1943](https://github.com/falcosecurity/falco/pull/1943)] - [@araujof](https://github.com/araujof)
+* new(falco): add --markdown and --list-syscall-events [[#1939](https://github.com/falcosecurity/falco/pull/1939)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(build): updated plugins to latest versions. [[#2033](https://github.com/falcosecurity/falco/pull/2033)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [[#1953](https://github.com/falcosecurity/falco/pull/1953)] - [@mstemm](https://github.com/mstemm)
+* rules: out of the box ruleset for OKTA Falco Plugin [[#1955](https://github.com/falcosecurity/falco/pull/1955)] - [@darryk10](https://github.com/darryk10)
+* update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [[#2031](https://github.com/falcosecurity/falco/pull/2031)] - [@FedeDP](https://github.com/FedeDP)
+* update!: moving out plugins ruleset files [[#1995](https://github.com/falcosecurity/falco/pull/1995)] - [@leogr](https://github.com/leogr)
+* update: added `hostname` as a field in JSON output [[#1989](https://github.com/falcosecurity/falco/pull/1989)] - [@Milkshak3s](https://github.com/Milkshak3s)
+* refactor!: remove K8S audit logs from Falco [[#1952](https://github.com/falcosecurity/falco/pull/1952)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [[#1975](https://github.com/falcosecurity/falco/pull/1975)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor!: deprecate PSP regression tests and warn for unsafe usage of <NA> in k8s audit filters [[#1976](https://github.com/falcosecurity/falco/pull/1976)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(cmake): upgrade catch2 to 2.13.9 [[#1977](https://github.com/falcosecurity/falco/pull/1977)] - [@leogr](https://github.com/leogr)
+* refactor(userspace/engine): reduce memory usage for resolving evttypes [[#1965](https://github.com/falcosecurity/falco/pull/1965)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [[#1966](https://github.com/falcosecurity/falco/pull/1966)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [[#1970](https://github.com/falcosecurity/falco/pull/1970)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor: update definitions of falco_common [[#1967](https://github.com/falcosecurity/falco/pull/1967)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: improved Falco engine event processing performance [[#1944](https://github.com/falcosecurity/falco/pull/1944)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [[#1947](https://github.com/falcosecurity/falco/pull/1947)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [[#1920](https://github.com/falcosecurity/falco/pull/1920)] - [@mstemm](https://github.com/mstemm)
+* fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [[#2019](https://github.com/falcosecurity/falco/pull/2019)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rule(Launch Excessively Capable Container): fix typo in description [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro net_miner_pool): additional syscall for detection [[#2011](https://github.com/falcosecurity/falco/pull/2011)] - [@beryxz](https://github.com/beryxz)
+* rule(macro truncate_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(macro modify_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [[#1969](https://github.com/falcosecurity/falco/pull/1969)] - [@darryk10](https://github.com/darryk10)
+* rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts [[#1949](https://github.com/falcosecurity/falco/pull/1949)] - [@Dentrax](https://github.com/Dentrax)
+* rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [[#1973](https://github.com/falcosecurity/falco/pull/1973)] - [@darryk10](https://github.com/darryk10)
+* rule(Disallowed K8s User): exclude allowed EKS users [[#1960](https://github.com/falcosecurity/falco/pull/1960)] - [@darryk10](https://github.com/darryk10)
+* rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [[#1968](https://github.com/falcosecurity/falco/pull/1968)] - [@darryk10](https://github.com/darryk10)
+* rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [[#1930](https://github.com/falcosecurity/falco/pull/1930)] - [@mmoyerfigma](https://github.com/mmoyerfigma)
+* rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [[#1938](https://github.com/falcosecurity/falco/pull/1938)] - [@claudio-vellage](https://github.com/claudio-vellage)
+
+
+### Non user-facing changes
+
+* new: update plugins [[#2023](https://github.com/falcosecurity/falco/pull/2023)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs version for Falco 0.32.0 release. [[#2022](https://github.com/falcosecurity/falco/pull/2022)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [[#2024](https://github.com/falcosecurity/falco/pull/2024)] - [@FedeDP](https://github.com/FedeDP)
+* chore(userspace/falco): do not print error code in process_events.cpp [[#2030](https://github.com/falcosecurity/falco/pull/2030)] - [@alacuku](https://github.com/alacuku)
+* fix(falco-scripts): remove driver versions with `dkms-3.0.3` [[#2027](https://github.com/falcosecurity/falco/pull/2027)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): fix punctuation typo in output message when loading plugins [[#2026](https://github.com/falcosecurity/falco/pull/2026)] - [@alacuku](https://github.com/alacuku)
+* refactor(userspace): change falco engine design to properly support multiple sources [[#2017](https://github.com/falcosecurity/falco/pull/2017)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): improve falco termination [[#2012](https://github.com/falcosecurity/falco/pull/2012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/engine): introduce new `check_plugin_requirements` API [[#2009](https://github.com/falcosecurity/falco/pull/2009)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): improve rule loader source checks [[#2010](https://github.com/falcosecurity/falco/pull/2010)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix: split filterchecks per source-idx [[#1999](https://github.com/falcosecurity/falco/pull/1999)] - [@FedeDP](https://github.com/FedeDP)
+* new: port CI builds to github actions [[#2000](https://github.com/falcosecurity/falco/pull/2000)] - [@FedeDP](https://github.com/FedeDP)
+* build(userspace/engine): cleanup unused include dir [[#1987](https://github.com/falcosecurity/falco/pull/1987)] - [@leogr](https://github.com/leogr)
+* rule(Anonymous Request Allowed): exclude {/livez, /readyz} [[#1954](https://github.com/falcosecurity/falco/pull/1954)] - [@sledigabel](https://github.com/sledigabel)
+* chore(falco_scripts): Update `falco-driver-loader` cleaning phase [[#1950](https://github.com/falcosecurity/falco/pull/1950)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): use new plugin caps API [[#1982](https://github.com/falcosecurity/falco/pull/1982)] - [@FedeDP](https://github.com/FedeDP)
+* build: correct conffiles for DEB packages [[#1980](https://github.com/falcosecurity/falco/pull/1980)] - [@leogr](https://github.com/leogr)
+* Fix exception parsing regressions [[#1985](https://github.com/falcosecurity/falco/pull/1985)] - [@mstemm](https://github.com/mstemm)
+* Add codespell GitHub Action [[#1962](https://github.com/falcosecurity/falco/pull/1962)] - [@invidian](https://github.com/invidian)
+* build: components opt-in mechanism for packages [[#1979](https://github.com/falcosecurity/falco/pull/1979)] - [@leogr](https://github.com/leogr)
+* add gVisor to ADOPTERS.md [[#1974](https://github.com/falcosecurity/falco/pull/1974)] - [@kevinGC](https://github.com/kevinGC)
+* rules: whitelist GCP's container threat detection image [[#1959](https://github.com/falcosecurity/falco/pull/1959)] - [@clmssz](https://github.com/clmssz)
+* Fix some typos [[#1961](https://github.com/falcosecurity/falco/pull/1961)] - [@invidian](https://github.com/invidian)
+* chore(rules): remove leftover [[#1958](https://github.com/falcosecurity/falco/pull/1958)] - [@leogr](https://github.com/leogr)
+* docs: readme update and plugins [[#1940](https://github.com/falcosecurity/falco/pull/1940)] - [@leogr](https://github.com/leogr)
+
+
 ## v0.31.1

 Released on 2022-03-09
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -24,8 +24,8 @@ else()
  # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
  # -DFALCOSECURITY_LIBS_VERSION=dev ..`
  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "7d9881b92efc39b1d2e261b86bd92b2c8147d8fd")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=720a5ae59deb435dcfbaf50770e8bee6cd33c1d7148559dddcb4df363ee51355")
+    set(FALCOSECURITY_LIBS_VERSION "39ae7d40496793cf3d3e7890c9bbdc202263836b")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b9034baeff4518b044574956f5768fac080c269bacad4a1e17a7f6fdb872ce66")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/plugins.cmake
+++ b/cmake/modules/plugins.cmake
@@ -19,12 +19,17 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()

-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
+set(PLUGIN_K8S_AUDIT_VERSION "0.2.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_K8S_AUDIT_HASH "8e61952eefae9e3f8906336a11c9cc3919c7fed7efa24132426b3a789f5e60d8")
+else() # aarch64
+    set(PLUGIN_K8S_AUDIT_HASH "24631e21cf5626b15fe16045068200ee9924ea64c009d9d51f5a28035ec0730d")
+endif()
+
 ExternalProject_Add(
  k8saudit-plugin
-  URL "https://download.falco.org/plugins/dev/k8saudit-0.1.0-0.0.0-0%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=d2d4080a67445b9c5db6162e18e09c4eb9a32b0324877da584f8fa936595cd43"
+  URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
@@ -33,20 +38,25 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/

 ExternalProject_Add(
  k8saudit-rules
-  URL "https://download.falco.org/plugins/dev/k8saudit-rules-0.1.0-0.0.0-0%2B680536f.tar.gz"
-  URL_HASH "SHA256=7e283031150b650b0387c6d644a8dbbe992d3f39e35ef3e63eca955889211510"
+  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=301183e8aab6964cf2b2f5946225f571d176e68093026ec45d17249b78b7021e"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
+set(PLUGIN_CLOUDTRAIL_VERSION "0.4.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_CLOUDTRAIL_HASH "e7327046c49097b01a6b7abbf18e31584c1ef62e6ba9bf14ead0badccde9a87c")
+else() # aarch64
+    set(PLUGIN_CLOUDTRAIL_HASH "6a0dff848179e397f25ee7e6455cb108a6ec5811acaac42d718e49e0dcdd9722")
+endif()
+
 ExternalProject_Add(
  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/dev/cloudtrail-0.2.5-0.2.5-125%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=5e949b2ebebb500325d2ec5bbb1ffdf4f7461a144a8f46ab500a1733af006bc2"
+  URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
@@ -55,20 +65,25 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu

 ExternalProject_Add(
  cloudtrail-rules
-  URL "https://download.falco.org/plugins/dev/cloudtrail-rules-0.2.5-0.2.5-125%2B680536f.tar.gz"
-  URL_HASH "SHA256=1b48708f2e948e8765c25222d3de4ebfd49ed784de72d1177382beb60c7fb343"
+  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=1ed9a72a2bc8cdf7c024cc5e383672eea2d2ebd8ffa78fa2117284bc65e99849"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

  install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

-# todo(jasondellaluce): switch this to a stable version once this plugin gets
-# released with a 1.0.0 required plugin api version
+set(PLUGIN_JSON_VERSION "0.4.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_JSON_HASH "f6acc12e695f9a05602dc941c64ca7749604be72a4e24cb179133e3513c5fac6")
+else() # aarch64
+    set(PLUGIN_JSON_HASH "da96a4ca158d0ea7a030d2b7c2a13d018e96a9e3f7fea2c399f85fd2bdd0827a")
+endif()
+
 ExternalProject_Add(
  json-plugin
-  URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-141%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=0d947f3ace8732767fffb02bcb62cc6ee685c51afadc91db7ff3a8576c13e6d6"
+  URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1917,7 +1917,7 @@
    or thread.cap_permitted contains CAP_BPF)

 - rule: Launch Excessively Capable Container
-  desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images. 
+  desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images.
  condition: >
    container_started and container
    and excessively_capable_container
@@ -2064,7 +2064,8 @@
    '"sh -c  -t -i"',
    '"sh -c openssl version"',
    '"bash -c id -Gn kafadmin"',
-    '"sh -c /bin/sh -c ''date +%%s''"'
+    '"sh -c /bin/sh -c ''date +%%s''"',
+    '"sh -c /usr/share/lighttpd/create-mime.conf.pl"'
    ]

 # This list allows for easy additions to the set of commands allowed
@@ -2838,7 +2839,7 @@
  condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))

 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg, connect) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

 - macro: trusted_images_query_miner_domain_dns
  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco))
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -282,7 +282,7 @@ clean_kernel_module() {

 	# Remove all versions of this module from dkms.
 	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
-	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr "/" " " | cut -d' ' -f2)
+	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
 	if [ -z "${DRIVER_VERSIONS}" ]; then
 		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
 	else
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -26,7 +26,7 @@ trace_files: !mux
    detect_counts:
      - Create Disallowed Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_allowed_pod:
    detect: False
@@ -35,7 +35,7 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_privileged_pod:
    detect: True
@@ -46,7 +46,7 @@ trace_files: !mux
    detect_counts:
      - Create Privileged Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  compat_engine_v4_create_privileged_trusted_pod:
    detect: False
@@ -56,7 +56,7 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  compat_engine_v4_create_unprivileged_pod:
    detect: False
@@ -64,7 +64,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  compat_engine_v4_create_hostnetwork_pod:
    detect: True
@@ -75,7 +75,7 @@ trace_files: !mux
    detect_counts:
      - Create HostNetwork Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  compat_engine_v4_create_hostnetwork_trusted_pod:
    detect: False
@@ -85,7 +85,7 @@ trace_files: !mux
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  user_outside_allowed_set:
    detect: True
@@ -97,7 +97,7 @@ trace_files: !mux
    detect_counts:
      - Disallowed K8s User: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  user_in_allowed_set:
    detect: False
@@ -108,7 +108,7 @@ trace_files: !mux
      - ./rules/k8s_audit/allow_user_some-user.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  create_disallowed_pod:
    detect: True
@@ -120,7 +120,7 @@ trace_files: !mux
    detect_counts:
      - Create Disallowed Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_allowed_pod:
    detect: False
@@ -129,7 +129,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_privileged_pod:
    detect: True
@@ -140,7 +140,7 @@ trace_files: !mux
    detect_counts:
      - Create Privileged Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  create_privileged_no_secctx_1st_container_2nd_container_pod:
    detect: True
@@ -151,7 +151,7 @@ trace_files: !mux
    detect_counts:
      - Create Privileged Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json

  create_privileged_2nd_container_pod:
    detect: True
@@ -162,7 +162,7 @@ trace_files: !mux
    detect_counts:
      - Create Privileged Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json

  create_privileged_trusted_pod:
    detect: False
@@ -171,7 +171,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json

  create_unprivileged_pod:
    detect: False
@@ -179,7 +179,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_unprivileged_trusted_pod:
    detect: False
@@ -188,7 +188,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

  create_sensitive_mount_pod:
    detect: True
@@ -199,7 +199,7 @@ trace_files: !mux
    detect_counts:
      - Create Sensitive Mount Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json

  create_sensitive_mount_2nd_container_pod:
    detect: True
@@ -210,7 +210,7 @@ trace_files: !mux
    detect_counts:
      - Create Sensitive Mount Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json

  create_sensitive_mount_trusted_pod:
    detect: False
@@ -219,7 +219,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json

  create_unsensitive_mount_pod:
    detect: False
@@ -227,7 +227,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json

  create_unsensitive_mount_trusted_pod:
    detect: False
@@ -236,7 +236,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json

  create_hostnetwork_pod:
    detect: True
@@ -247,7 +247,7 @@ trace_files: !mux
    detect_counts:
      - Create HostNetwork Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  create_hostnetwork_trusted_pod:
    detect: False
@@ -256,7 +256,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json

  create_nohostnetwork_pod:
    detect: False
@@ -264,7 +264,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json

  create_nohostnetwork_trusted_pod:
    detect: False
@@ -273,7 +273,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json

  create_nodeport_service:
    detect: True
@@ -285,7 +285,7 @@ trace_files: !mux
    detect_counts:
      - Create NodePort Service: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nodeport.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json

  create_nonodeport_service:
    detect: False
@@ -294,7 +294,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nonodeport.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json

  create_configmap_private_creds:
    detect: True
@@ -306,7 +306,7 @@ trace_files: !mux
    detect_counts:
      - Create/Modify Configmap With Private Credentials: 6
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_sensitive_values.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json

  create_configmap_no_private_creds:
    detect: False
@@ -315,7 +315,7 @@ trace_files: !mux
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_no_sensitive_values.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json

  anonymous_user:
    detect: True
@@ -326,7 +326,7 @@ trace_files: !mux
    detect_counts:
      - Anonymous Request Allowed: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/anonymous_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json

  pod_exec:
    detect: True
@@ -337,7 +337,7 @@ trace_files: !mux
    detect_counts:
      - Attach/Exec Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/exec_pod.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json

  pod_attach:
    detect: True
@@ -348,7 +348,7 @@ trace_files: !mux
    detect_counts:
      - Attach/Exec Pod: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_pod.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json

  namespace_outside_allowed_set:
    detect: True
@@ -360,7 +360,7 @@ trace_files: !mux
    detect_counts:
      - Create Disallowed Namespace: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  namespace_in_allowed_set:
    detect: False
@@ -370,7 +370,7 @@ trace_files: !mux
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/minikube_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json

  create_pod_in_kube_system_namespace:
    detect: True
@@ -381,7 +381,7 @@ trace_files: !mux
    detect_counts:
      - Pod Created in Kube Namespace: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_system_namespace.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json

  create_pod_in_kube_public_namespace:
    detect: True
@@ -392,7 +392,7 @@ trace_files: !mux
    detect_counts:
      - Pod Created in Kube Namespace: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_public_namespace.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json

  create_serviceaccount_in_kube_system_namespace:
    detect: True
@@ -403,7 +403,7 @@ trace_files: !mux
    detect_counts:
      - Service Account Created in Kube Namespace: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json

  create_serviceaccount_in_kube_public_namespace:
    detect: True
@@ -414,7 +414,7 @@ trace_files: !mux
    detect_counts:
      - Service Account Created in Kube Namespace: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json

  system_clusterrole_deleted:
    detect: True
@@ -425,7 +425,7 @@ trace_files: !mux
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json

  system_clusterrole_modified:
    detect: True
@@ -436,7 +436,7 @@ trace_files: !mux
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json

  attach_cluster_admin_role:
    detect: True
@@ -447,7 +447,7 @@ trace_files: !mux
    detect_counts:
      - Attach to cluster-admin Role: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_cluster_admin_role.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json

  create_cluster_role_wildcard_resources:
    detect: True
@@ -458,7 +458,7 @@ trace_files: !mux
    detect_counts:
      - ClusterRole With Wildcard Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json

  create_cluster_role_wildcard_verbs:
    detect: True
@@ -469,7 +469,7 @@ trace_files: !mux
    detect_counts:
      - ClusterRole With Wildcard Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json

  create_writable_cluster_role:
    detect: True
@@ -480,7 +480,7 @@ trace_files: !mux
    detect_counts:
      - ClusterRole With Write Privileges Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_write_privileges.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json

  create_pod_exec_cluster_role:
    detect: True
@@ -491,7 +491,7 @@ trace_files: !mux
    detect_counts:
      - ClusterRole With Pod Exec Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_pod_exec.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json

  create_deployment:
    detect: True
@@ -502,7 +502,7 @@ trace_files: !mux
    detect_counts:
      - K8s Deployment Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_deployment.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json

  delete_deployment:
    detect: True
@@ -513,7 +513,7 @@ trace_files: !mux
    detect_counts:
      - K8s Deployment Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_deployment.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json

  create_service:
    detect: True
@@ -524,7 +524,7 @@ trace_files: !mux
    detect_counts:
      - K8s Service Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json

  delete_service:
    detect: True
@@ -535,7 +535,7 @@ trace_files: !mux
    detect_counts:
      - K8s Service Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_service.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json

  create_configmap:
    detect: True
@@ -546,7 +546,7 @@ trace_files: !mux
    detect_counts:
      - K8s ConfigMap Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json

  delete_configmap:
    detect: True
@@ -557,7 +557,7 @@ trace_files: !mux
    detect_counts:
      - K8s ConfigMap Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_configmap.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json

  create_namespace:
    detect: True
@@ -570,7 +570,7 @@ trace_files: !mux
    detect_counts:
      - K8s Namespace Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json

  delete_namespace:
    detect: True
@@ -581,7 +581,7 @@ trace_files: !mux
    detect_counts:
      - K8s Namespace Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_namespace_foo.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json

  create_serviceaccount:
    detect: True
@@ -592,7 +592,7 @@ trace_files: !mux
    detect_counts:
      - K8s Serviceaccount Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json

  delete_serviceaccount:
    detect: True
@@ -603,7 +603,7 @@ trace_files: !mux
    detect_counts:
      - K8s Serviceaccount Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_serviceaccount.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json

  create_clusterrole:
    detect: True
@@ -614,7 +614,7 @@ trace_files: !mux
    detect_counts:
      - K8s Role/Clusterrole Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrole.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json

  delete_clusterrole:
    detect: True
@@ -625,7 +625,7 @@ trace_files: !mux
    detect_counts:
      - K8s Role/Clusterrole Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrole.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json

  create_clusterrolebinding:
    detect: True
@@ -636,7 +636,7 @@ trace_files: !mux
    detect_counts:
      - K8s Role/Clusterrolebinding Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrolebinding.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json

  delete_clusterrolebinding:
    detect: True
@@ -647,7 +647,7 @@ trace_files: !mux
    detect_counts:
      - K8s Role/Clusterrolebinding Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrolebinding.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json

  create_secret:
    detect: True
@@ -658,7 +658,7 @@ trace_files: !mux
    detect_counts:
      - K8s Secret Created: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_secret.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json

  # Should *not* result in any event as the secret rules skip service account token secrets
  create_service_account_token_secret:
@@ -668,7 +668,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service_account_token_secret.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json

  create_kube_system_secret:
    detect: False
@@ -677,7 +677,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_kube_system_secret.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json

  delete_secret:
    detect: True
@@ -688,7 +688,7 @@ trace_files: !mux
    detect_counts:
      - K8s Secret Deleted: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_secret.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json

  fal_01_003:
    detect: False
@@ -697,7 +697,7 @@ trace_files: !mux
      - ../rules/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/fal_01_003.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
    stderr_contains: 'data not recognized as a k8s audit event'

  json_pointer_correct_parse:
@@ -708,4 +708,4 @@ trace_files: !mux
    detect_counts:
      - json_pointer_example: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -21,6 +21,7 @@ set(
  app_actions/daemonize.cpp
  app_actions/init_falco_engine.cpp
  app_actions/init_inspector.cpp
+  app_actions/init_clients.cpp
  app_actions/init_outputs.cpp
  app_actions/list_fields.cpp
  app_actions/list_plugins.cpp
--- a/userspace/falco/app_actions/init_clients.cpp
+++ b/userspace/falco/app_actions/init_clients.cpp
@@ -0,0 +1,78 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+
+using namespace falco::app;
+
+application::run_result application::init_clients()
+{
+#ifndef MINIMAL_BUILD
+	// k8s and mesos clients are useful only if syscall source is enabled
+	if (!is_syscall_source_enabled())
+	{
+		return run_result::ok();
+	}
+
+	falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(m_state->config->m_metadata_download_max_mb) + " MB\n");
+	falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(m_state->config->m_metadata_download_chunk_wait_us) + " μs\n");
+	falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(m_state->config->m_metadata_download_watch_freq_sec) + " seconds\n");
+	m_state->inspector->set_metadata_download_params(m_state->config->m_metadata_download_max_mb * 1024 * 1024, m_state->config->m_metadata_download_chunk_wait_us, m_state->config->m_metadata_download_watch_freq_sec);
+
+	//
+	// Run k8s, if required
+	//
+	char *k8s_api_env = NULL;
+	if(!m_options.k8s_api.empty() ||
+	   (k8s_api_env = getenv("FALCO_K8S_API")))
+	{
+		// Create string pointers for some config vars
+		// and pass to inspector. The inspector then
+		// owns the pointers.
+		std::string *k8s_api_ptr = new string((!m_options.k8s_api.empty() ? m_options.k8s_api : k8s_api_env));
+		std::string *k8s_api_cert_ptr = new string(m_options.k8s_api_cert);
+		std::string *k8s_node_name_ptr = new string(m_options.k8s_node_name);
+
+		if(k8s_api_cert_ptr->empty())
+		{
+			if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
+			{
+				*k8s_api_cert_ptr = k8s_cert_env;
+			}
+		}
+		m_state->inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, m_options.verbose);
+	}
+
+	//
+	// Run mesos, if required
+	//
+	if(!m_options.mesos_api.empty())
+	{
+		// Differs from init_k8s_client in that it
+		// passes a pointer but the inspector does
+		// *not* own it and does not use it after
+		// init_mesos_client() returns.
+		m_state->inspector->init_mesos_client(&(m_options.mesos_api), m_options.verbose);
+	}
+	else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
+	{
+		std::string mesos_api_copy = mesos_api_env;
+		m_state->inspector->init_mesos_client(&mesos_api_copy, m_options.verbose);
+	}
+#endif
+
+	return run_result::ok();
+}
--- a/userspace/falco/app_actions/init_inspector.cpp
+++ b/userspace/falco/app_actions/init_inspector.cpp
@@ -54,57 +54,5 @@ application::run_result application::init_inspector()

 	m_state->inspector->set_hostname_and_port_resolution_mode(false);

-#ifndef MINIMAL_BUILD
-
-		falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(m_state->config->m_metadata_download_max_mb) + " MB\n");
-		falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(m_state->config->m_metadata_download_chunk_wait_us) + " μs\n");
-		falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(m_state->config->m_metadata_download_watch_freq_sec) + " seconds\n");
-		m_state->inspector->set_metadata_download_params(m_state->config->m_metadata_download_max_mb * 1024 * 1024, m_state->config->m_metadata_download_chunk_wait_us, m_state->config->m_metadata_download_watch_freq_sec);
-
-#endif
-
-#ifndef MINIMAL_BUILD
-	//
-	// Run k8s, if required
-	//
-	char *k8s_api_env = NULL;
-	if(!m_options.k8s_api.empty() ||
-	   (k8s_api_env = getenv("FALCO_K8S_API")))
-	{
-		// Create string pointers for some config vars
-		// and pass to inspector. The inspector then
-		// owns the pointers.
-		std::string *k8s_api_ptr = new string((!m_options.k8s_api.empty() ? m_options.k8s_api : k8s_api_env));
-		std::string *k8s_api_cert_ptr = new string(m_options.k8s_api_cert);
-		std::string *k8s_node_name_ptr = new string(m_options.k8s_node_name);
-
-		if(k8s_api_cert_ptr->empty())
-		{
-			if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
-			{
-				*k8s_api_cert_ptr = k8s_cert_env;
-			}
-		}
-		m_state->inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, m_options.verbose);
-	}
-
-	//
-	// Run mesos, if required
-	//
-	if(!m_options.mesos_api.empty())
-	{
-		// Differs from init_k8s_client in that it
-		// passes a pointer but the inspector does
-		// *not* own it and does not use it after
-		// init_mesos_client() returns.
-		m_state->inspector->init_mesos_client(&(m_options.mesos_api), m_options.verbose);
-	}
-	else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
-	{
-		std::string mesos_api_copy = mesos_api_env;
-		m_state->inspector->init_mesos_client(&mesos_api_copy, m_options.verbose);
-	}
-
-#endif
 	return run_result::ok();
 }
--- a/userspace/falco/app_actions/list_plugins.cpp
+++ b/userspace/falco/app_actions/list_plugins.cpp
@@ -34,7 +34,7 @@ application::run_result application::list_plugins()
 			os << "Capabilities: " << std::endl;
 			if(p->caps() & CAP_SOURCING)
 			{
-				os << "  - Event Sourcing: (ID=" << p->id();
+				os << "  - Event Sourcing (ID=" << p->id();
 				os << ", source='" << p->event_source() << "')" << std::endl;
 			}
 			if(p->caps() & CAP_EXTRACTION)
--- a/userspace/falco/app_actions/process_events.cpp
+++ b/userspace/falco/app_actions/process_events.cpp
@@ -131,7 +131,6 @@ application::run_result application::do_inspect(syscall_evt_drop_mgr &sdropmgr,
 			//
 			// Event read error.
 			//
-			cerr << "rc = " << rc << endl;
 			return run_result::fatal(m_state->inspector->getlasterr());
 		}

--- a/userspace/falco/application.cpp
+++ b/userspace/falco/application.cpp
@@ -139,6 +139,7 @@ bool application::run(std::string &errstr, bool &restart)
 		std::bind(&application::attach_inotify_signals, this),
 		std::bind(&application::daemonize, this),
 		std::bind(&application::init_outputs, this),
+		std::bind(&application::init_clients, this),
 #ifndef MINIMAL_BUILD
 		std::bind(&application::start_grpc_server, this),
 		std::bind(&application::start_webserver, this),
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -140,26 +140,27 @@ private:
 	// order in which the methods run is in application.cpp.
 	run_result create_signal_handlers();
 	run_result attach_inotify_signals();
- 	run_result daemonize();
- 	run_result init_falco_engine();
- 	run_result init_inspector();
- 	run_result init_outputs();
- 	run_result list_fields();
- 	run_result list_plugins();
- 	run_result load_config();
- 	run_result load_plugins();
- 	run_result load_rules_files();
- 	run_result open_inspector();
- 	run_result print_help();
+	run_result daemonize();
+	run_result init_falco_engine();
+	run_result init_inspector();
+	run_result init_clients();
+	run_result init_outputs();
+	run_result list_fields();
+	run_result list_plugins();
+	run_result load_config();
+	run_result load_plugins();
+	run_result load_rules_files();
+	run_result open_inspector();
+	run_result print_help();
 	run_result print_ignored_events();
- 	run_result print_support();
- 	run_result print_version();
- 	run_result process_events();
+	run_result print_support();
+	run_result print_version();
+	run_result process_events();
 #ifndef MINIMAL_BUILD
- 	run_result start_grpc_server();
- 	run_result start_webserver();
+	run_result start_grpc_server();
+	run_result start_webserver();
 #endif
- 	run_result validate_rules_files();
+	run_result validate_rules_files();

 	// These methods comprise application teardown. The order in
 	// which the methods run is in application.cpp.
Author	SHA1	Message	Date
Federico Di Pierro	f9b0568187	update(changelog): added 0.32.0 release notes. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-06-03 10:29:43 +02:00
Federico Di Pierro	13eb8d2d48	update(build): updated plugins to latest versions. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-06-01 14:50:38 +02:00
Aldo Lacuku	7a774f6b2e	chore(userpace/falco): do not print error code in process_events.cpp Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>	2022-06-01 13:35:38 +02:00
Federico Di Pierro	3fef329d11	update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b for Falco 0.32.0. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-05-31 18:12:09 +02:00
Andrea Terzolo	9392c0295a	fix(falco-scripts): remove driver versions with `dkms-3.0.3` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>	2022-05-30 13:08:40 +02:00
Aldo Lacuku	765ef5daaf	chore(userspace/falco): fix punctuation typo in output message when loading plugins Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>	2022-05-30 10:46:40 +02:00
Matan Monitz	9f163f3fe0	Update rules/falco_rules.yaml Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Matan Monitz <mmonitz@gmail.com>	2022-05-28 10:13:30 +02:00
Matan Monitz	4c95c717d2	known_shell_spawn_cmdlines - lighttpd Signed-off-by: Matan Monitz <mmonitz@gmail.com>	2022-05-28 10:13:30 +02:00
beryxz	54a2f7bdaa	rule(macro net_miner_pool): additional syscall for detection Signed-off-by: beryxz <coppi.lore@gmail.com>	2022-05-28 09:29:30 +02:00
Federico Di Pierro	eb9a9c6e7d	update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-05-26 18:19:26 +02:00
Federico Di Pierro	75712caa9a	fix(test): dropped `file://` from k8s audit log tests. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-05-26 12:37:26 +02:00
Federico Di Pierro	db5f1bec3d	update(cmake): updated plugins. Moreover, add support for aarch64 plugins, even if Falco 0.32 won't be distributed with official arm64 support. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-05-26 12:37:26 +02:00
Federico Di Pierro	1d343c93f3	update(build): updated libs version for Falco 0.32.0 release. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2022-05-26 11:07:27 +02:00
Jason Dellaluce	3b462af58e	fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-05-25 19:23:26 +02:00
Jason Dellaluce	09eae35f3a	refactor(userspace/falco): create action for initializing k8s and mesos clients (step 2) Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-05-25 19:23:26 +02:00
Jason Dellaluce	383b8f9660	refactor(userspace/falco): create action for initializing k8s and mesos clients Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2022-05-25 19:23:26 +02:00