fix(userspace/falco): output needs to be initialized after fork

Co-Authored-By: Leonardo Grasso <me@leonardograsso.com>
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>

.circleci/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+  - jonahjon
+reviewers:
+  - jonahjon

.circleci/config.yml

@@ -452,6 +452,25 @@ jobs:
             docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push falcosecurity/falco-driver-loader:master
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:master"
   # Publish the packages
   "publish/packages":
     docker:
@@ -518,6 +537,26 @@ jobs:
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
             docker push "falcosecurity/falco-driver-loader:latest"
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco:latest"
 workflows:
   version: 2
   build_and_test:
@@ -577,7 +616,16 @@ workflows:
           requires:
             - "publish/packages-dev"
             - "tests/driver-loader/integration"
-      - "quality/static-analysis"
+      - "publish/container-images-aws-dev":
+          context: test-infra # contains Falco AWS credentials
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - publish/docker-dev
+      # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
   release:
     jobs:
       - "build/musl":
@@ -620,3 +668,12 @@ workflows:
               only: /.*/
             branches:
               ignore: /.*/
+      - "publish/container-images-aws":
+          context: test-infra # contains Falco AWS credentials
+          requires:
+            - "publish/docker"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/

CHANGELOG.md

@@ -1,5 +1,71 @@
 # Change Log
 
+## v0.27.0
+
+Released on 2021-01-18
+
+### Major Changes
+
+* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
+* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
+* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
+* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
+* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
+* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
+* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
+* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
+* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
+* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
+* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
+* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
+* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
+* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
+* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
+
+
+### Non user-facing changes
+
+* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
+* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
+* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
+* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
+* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
+* further improvements outputs impl.  [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
+* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
+* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
+
+
+
 ## v0.26.2
 
 Released on 2020-11-10

CMakeLists.txt

@@ -19,6 +19,15 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
+# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
+option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
+if (${EP_UPDATE_DISCONNECTED})
+  set_property(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+endif()
+
+
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
 
@@ -176,12 +185,9 @@ if(NOT MINIMAL_BUILD)
     INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 endif()
 
-# string-view-lite
+#string-view-lite
 include(DownloadStringViewLite)
 
-# cxxopts
-include(DownloadCxxOpts)
-
 if(NOT MINIMAL_BUILD)
   # gRPC
   include(gRPC)

README.md

@@ -26,16 +26,16 @@ If a rule is violated in a system, Falco will send an alert notifying the user o
 
 ### Installing Falco
 
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
 
 ##### Kubernetes
 
 | Tool     | Link                                                                                       | Note                                                               |
 |----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
 | Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
 
 ### Developing
 

RELEASE.md

@@ -29,7 +29,7 @@ Before cutting a release we need to do some homework in the Falco repository. Th
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+- Generate the change log https://github.com/leodido/rn2md:
     - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -69,13 +69,12 @@ Now assume `x.y.z` is the new version.
     | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
     | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
 
-    | Images                                                          |
-    | --------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
-
-    <!-- Copy the relevant part of the changelog here -->
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
 
     ### Statistics
 

cmake/modules/DownloadCxxOpts.cmake

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(CXXOPTS_PREFIX ${CMAKE_BINARY_DIR}/cxxopts-prefix)
-set(CXXOPTS_INCLUDE ${CXXOPTS_PREFIX}/include)
-message(STATUS "Using bundled cxxopts in ${CXXOPTS_INCLUDE}")
-
-ExternalProject_Add(
-  cxxopts
-  PREFIX ${CXXOPTS_PREFIX}
-  GIT_REPOSITORY "https://github.com/jarro2783/cxxopts.git"
-  GIT_TAG "master"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CXXOPTS_PREFIX}/src/cxxopts/include/cxxopts.hpp
-                  ${CXXOPTS_INCLUDE}/cxxopts.hpp)

cmake/modules/OpenSSL.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(OPENSSL_BINARY)
 if(NOT USE_BUNDLED_DEPS)
   find_package(OpenSSL REQUIRED)
   message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -20,6 +21,8 @@ if(NOT USE_BUNDLED_DEPS)
     message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
   endif()
 else()
+  mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
+    OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
   set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
   set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
   set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")

cmake/modules/gRPC.cmake

@@ -22,6 +22,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # c-ares
+  mark_as_advanced(CARES_INCLUDE CARES_LIB)
   find_path(CARES_INCLUDE NAMES ares.h)
   find_library(CARES_LIB NAMES libcares.so)
   if(CARES_INCLUDE AND CARES_LIB)
@@ -31,6 +32,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # protobuf
+  mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
   find_program(PROTOC NAMES protoc)
   find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
   find_library(PROTOBUF_LIB NAMES libprotobuf.so)
@@ -43,6 +45,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # gpr
+  mark_as_advanced(GPR_LIB)
   find_library(GPR_LIB NAMES gpr)
 
   if(GPR_LIB)
@@ -52,12 +55,16 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
+  mark_as_advanced(GRPC_INCLUDE GRPC_SRC
+    GRPC_LIB GRPC_LIBS_ABSOLUTE  GRPCPP_LIB GRPC_CPP_PLUGIN)
   find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
   if(GRPCXX_INCLUDE)
     set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+    unset(GRPCXX_INCLUDE CACHE)
   else()
     find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
     set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+    unset(GRPCPP_INCLUDE CACHE)
     add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
   endif()
   find_library(GRPC_LIB NAMES grpc)

cmake/modules/jq.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(JQ_INCLUDE JQ_LIB)
 if (NOT USE_BUNDLED_DEPS)
     find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
     find_library(JQ_LIB NAMES jq)

cmake/modules/static-analysis.cmake

@@ -3,6 +3,7 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
 
 # cppcheck
+mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
 find_program(CPPCHECK cppcheck)
 find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
 

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -38,17 +38,6 @@ index 6f51588e..5f9ea84e 100644
  				}
  				else
  				{
-@@ -579,8 +579,8 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
- 	//
- 	// Map the ppm_ring_buffer_info that contains the buffer pointers
- 	//
--	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd), 
--		&handle->m_devs[0].m_bufinfo, 
-+	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
-+		&handle->m_devs[0].m_bufinfo,
- 		&handle->m_devs[0].m_bufstatus,
- 		error) != SCAP_SUCCESS)
- 	{
 @@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
  
  const char* scap_get_host_root()

cmake/modules/yaml-cpp.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
 if(NOT USE_BUNDLED_DEPS)
   find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
   find_library(YAMLCPP_LIB NAMES yaml-cpp)

falco.yaml

@@ -87,6 +87,23 @@ syscall_event_drops:
   rate: .03333
   max_burst: 10
 
+# Falco continuously monitors outputs performance. When an output channel does not allow
+# to deliver an alert within a given deadline, an error is reported indicating
+# which output is blocking notifications.
+# The timeout error will be reported to the log according to the above log_* settings.
+# Note that the notification will not be discarded from the output queue; thus,
+# output channels may indefinitely remain blocked.
+# An output timeout error indeed indicate a misconfiguration issue or I/O problems
+# that cannot be recovered by Falco and should be fixed by the user.
+#
+# The "output_timeout" value specifies the duration in milliseconds to wait before
+# considering the deadline exceed.
+#
+# With a 2000ms default, the notification consumer can block the Falco output
+# for up to 2 seconds without reaching the timeout.
+
+output_timeout: 2000
+
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
 # options:

proposals/20200828-structured-exception-handling.md

@@ -0,0 +1,240 @@
+# Proposal for First Class Structured Exceptions in Falco Rules
+
+## Summary
+
+## Motivation
+
+Almost all Falco Rules have cases where the behavior detected by the
+rule should be allowed. For example, The rule Write Below Binary Dir
+has exceptions for specific programs that are known to write below
+these directories as a part of software installation/management:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+...
+```
+In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
+
+```yaml
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+```
+
+The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
+
+A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
+
+```
+...
+    and not sed_temporary_file
+    and not exe_running_docker_save
+    and not ansible_running_python
+    and not python_running_denyhosts
+    and not fluentd_writing_conf_files
+    and not user_known_write_etc_conditions
+    and not run_by_centrify
+    and not run_by_adclient
+    and not qualys_writing_conf_files
+    and not git_writing_nssdb
+...
+```
+
+The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
+
+### Using Appends/Overwrites to Customize Rules
+
+An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+
+- macro: user_known_update_package_registry
+  condition: (never_true)
+
+- rule: Update Package Repository
+  desc: Detect package repositories get updated
+  condition: >
+    ((open_write and access_repositories) or (modify and modify_repositories))
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not user_known_update_package_registry
+```
+
+If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [puppet]
+  append: true
+
+- macro: package_mgmt_procs
+  condition: and not proc.pname=chef
+  append: true
+
+- macro: user_known_update_package_registry
+  condition: (proc.name in (npm))
+  append: false
+```
+
+This adds an 3 different exceptions:
+* an additional binary to package_mgmt_binaries (because append is true),
+* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
+* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
+
+### Problems with Appends/Overrides to Define Exceptions
+
+Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
+
+* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
+
+```yaml
+rule: my_rule
+condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
+
+rule: my_rule
+condition: or fd.name=/tmp/baz
+append: true
+```
+
+Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
+
+* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
+
+* Appends and overrides can get confusing if you try to apply them multiple times. For example:
+
+```yaml
+macro: allowed_files
+condition: fd.name=/tmp/foo
+
+...
+
+macro: allowed_files
+condition: and fd.name=/tmp/bar
+append: true
+```
+
+If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
+
+## Solution: Exceptions as first class objects
+
+To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+  exceptions:
+   - name: proc_writer
+     fields: [proc.name, fd.directory]
+   - name: container_writer
+     fields: [container.image.repository, fd.directory]
+     comps: [=, startswith]
+   - name: proc_filenames
+     fields: [proc.name, fd.name]
+     comps: [=, in]
+   - name: filenames
+     fields: fd.filename
+     comps: in
+```
+
+This rule defines four kinds of exceptions:
+  * proc_writer: uses a combination of proc.name and fd.directory
+  * container_writer: uses a combination of container.image.repository and fd.directory
+  * proc_filenames: uses a combination of process and list of filenames.
+  * filenames: uses a list of filenames
+
+The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
+
+proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
+
+proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
+
+filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
+
+Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
+
+Exception values will most commonly be defined in rules with append: true. Here's an example:
+
+```yaml
+- list: apt_files
+  items: [/bin/ls, /bin/rm]
+
+- rule: Write below binary dir
+  exceptions:
+  - name: proc_writer
+    values:
+    - [apk, /usr/lib/alpine]
+    - [npm, /usr/node/bin]
+  - name: container_writer
+    values:
+    - [docker.io/alpine, /usr/libexec/alpine]
+  - name: proc_filenames
+    values:
+    - [apt, apt_files]
+    - [rpm, [/bin/cp, /bin/pwd]]
+  - name: filenames
+    values: [python, go]
+```
+
+A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
+
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+
+Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
+
+### Implementation
+
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+
+When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
+
+```
+(<Write below binary dir condition>) and not (
+    (proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
+	(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
+	(proc.name=apt and fd.name in (apt_files))) or
+	(fd.filename in (python, go))))
+```
+
+The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+
+### Advantages
+
+Adding Exception objects as described here has several advantages:
+
+* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
+* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
+* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
+
+## Backwards compatibility
+
+To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
+
+This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
+
+This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
+
+However, there are a few changes we'll have to make to Falco rules file parsing:
+
+* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
+* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.
+
+

rules/falco_rules.yaml

@@ -1601,7 +1601,12 @@
 
 - rule: Mkdir binary dirs
   desc: an attempt to create a directory below a set of binary directories.
-  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
+  condition: >
+    mkdir
+    and bin_dir_mkdir
+    and not package_mgmt_procs
+    and not user_known_mkdir_bin_dir_activities
+    and not exe_running_docker_save
   output: >
     Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
@@ -1612,7 +1617,7 @@
 # to change thread namespace without having to copy and override the
 # entire change thread namespace rule.
 - list: user_known_change_thread_namespace_binaries
-  items: []
+  items: [crio, multus]
 
 - macro: user_known_change_thread_namespace_activities
   condition: (never_true)
@@ -2725,6 +2730,7 @@
      (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
     consider_hidden_file_creation and
     not user_known_create_hidden_file_activities
+    and not exe_running_docker_save
   output: >
     Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -3070,6 +3076,22 @@
   priority: WARNING
   tags: [process]
 
+- list: run_as_root_image_list
+  items: []
+
+- macro: user_known_run_as_root_container
+  condition: (container.image.repository in (run_as_root_image_list))
+
+# The rule is disabled by default and should be enabled when non-root container policy has been applied.
+# Note the rule will not work as expected when usernamespace is applied, e.g. userns-remap is enabled.
+- rule: Container Run as Root User
+  desc: Detected container running as root user
+  condition: spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container
+  enabled: false
+  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: INFO
+  tags: [container, process]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

userspace/falco/CMakeLists.txt

@@ -15,7 +15,6 @@ configure_file(config_falco.h.in config_falco.h)
 
 set(
   FALCO_SOURCES
-  cli.cpp
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
@@ -35,7 +34,6 @@ set(
   "${PROJECT_BINARY_DIR}/userspace/falco"
   "${PROJECT_BINARY_DIR}/driver/src"
   "${STRING_VIEW_LITE_INCLUDE}"
-  "${CXXOPTS_INCLUDE}"
   "${YAMLCPP_INCLUDE_DIR}"
   "${CMAKE_CURRENT_BINARY_DIR}"
   "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
@@ -43,7 +41,6 @@ set(
 
 set(
   FALCO_DEPENDENCIES
-  cxxopts
   string-view-lite
   libyaml
   b64
@@ -126,16 +123,16 @@ target_include_directories(
   ${FALCO_INCLUDE_DIRECTORIES}
 )
 
-# if(NOT MINIMAL_BUILD)
-#   add_custom_command(
-#     TARGET falco
-#     COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
-#     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-#     COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
-#   )
-# else()
-#   message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
-# endif()
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    TARGET falco
+    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
+  )
+else()
+  message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()
 
 if(NOT MINIMAL_BUILD)
   add_custom_command(

userspace/falco/cli.cpp

@@ -1,22 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "cli.h"
-
-namespace falco
-{
-
-} // namespace falco

userspace/falco/cli.h

@@ -1,188 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <cxxopts.hpp>
-
-namespace falco
-{
-
-class option_requires_specific_argument_exception : public cxxopts::OptionParseException
-{
-public:
-	explicit option_requires_specific_argument_exception(const std::string& option, const std::string& values):
-		OptionParseException("Option " + cxxopts::LQUOTE + option + cxxopts::RQUOTE + " requires an argument equal to " + values)
-	{
-	}
-};
-
-class option_cannot_be_specified_exception : public cxxopts::OptionParseException
-{
-public:
-	explicit option_cannot_be_specified_exception(const std::string& option1, const std::string& option2):
-		OptionParseException("Options " + cxxopts::LQUOTE + option1 + cxxopts::RQUOTE + " and " + cxxopts::LQUOTE + option2 + cxxopts::RQUOTE + " can not be specified together")
-	{
-	}
-};
-
-class cli
-{
-public:
-	cli(int argc, const char** argv):
-		m_argc(argc), m_argv(argv), m_options("falco", "Cloud-Native Runtime Security")
-	{
-	}
-	virtual ~cli()
-	{
-	}
-
-	void run()
-	{
-		// These options give some info about Falco (Falco exits).
-		m_options.add_options(
-			"help",
-			{
-				{"h,help", "Print help page."},
-				{"support", "Print support information (version, rules files, etc.)."},
-				{"version", "Print version info."},
-			});
-
-		// These are options responsible for listing Falco elements (Falco exits).
-		m_options.add_options(
-			"list",
-			{
-				{"L", "Show name and description of all rules."},
-				{"l", "Show name and description of a specific rule.", cxxopts::value<std::string>(), "rule name"},
-				{"list", "Show all fields.", cxxopts::value<std::string>()->implicit_value("all"), "sycall|k8s_audit"},
-				{"N", "Show field names only."},
-			});
-
-		// m_options.add_options(
-		// 	"output",
-		// 	{
-		// 		{},
-		// 	});
-
-		// m_options.add_options(
-		// 	"input",
-		// 	{
-		// 		{},
-		// 	});
-
-		m_options.add_options(
-			"filtering",
-			{
-				{"D", "Disable any rules with names having the given substring. Can be specified multiple times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "substring"},
-				{"T", "Disable any rules with a specific tag. Can be specified several times. Can not be specified with -t.", cxxopts::value<std::vector<std::string>>(), "tag"},
-				{"t", "Only run those rules with a specific tag. Can be specified several times. Can not be specified with -T or -D.", cxxopts::value<std::vector<std::string>>(), "tag"},
-			});
-
-		m_result = m_options.parse(m_argc, m_argv);
-
-		process();
-	}
-
-private:
-	void process()
-	{
-		if(m_result.count("help") && m_result["help"].as<bool>())
-		{
-			std::cout << m_options.help() << std::endl;
-			// todo: print > exit
-		}
-
-		if(m_result.count("support") && m_result["support"].as<bool>())
-		{
-			// todo: argv + config rule filenames > cmdline > print > exit
-		}
-
-		if(m_result.count("version") && m_result["version"].as<bool>())
-		{
-			// todo: print > exit
-		}
-
-		if(m_result.count("L") && m_result["L"].as<bool>())
-		{
-			// todo: engine > print > exit
-			// engine->describe_rule(NULL)
-		}
-
-		if(m_result.count("l"))
-		{
-			// todo: engine > print > exit
-			// engine->describe_rule(m_result["l"].as<string>());
-		}
-
-		if(m_result.count("list"))
-		{
-			auto source = m_result["list"].as<std::string>();
-			// todo: retrieve implicit value
-			if(source.empty() || (source != "syscall" && source != "k8s_audit" && source != "all"))
-			{
-				throw falco::option_requires_specific_argument_exception(
-					"list",
-					cxxopts::LQUOTE + "syscall" + cxxopts::RQUOTE + " or " + cxxopts::LQUOTE + "k8s_audit" + cxxopts::RQUOTE);
-			}
-
-			bool names_only = false;
-			if(m_result.count("N"))
-			{
-				names_only = m_result["N"].as<bool>();
-			}
-
-			// todo: engine + names_only + source
-			// se valore == syscall ==> + [-V]
-		}
-
-		bool count_D = m_result.count("D");
-		bool count_t = m_result.count("t");
-		bool count_T = m_result.count("T");
-		if(count_D > 0)
-		{
-			if(count_t > 0)
-			{
-				throw falco::option_cannot_be_specified_exception("D", "t");
-			}
-			// todo
-			// engine > not exit
-		}
-		if(count_T > 0)
-		{
-			if(count_t > 0)
-			{
-				throw falco::option_cannot_be_specified_exception("T", "t");
-			}
-			// todo
-			// engine > not exit
-		}
-		if(count_t > 0)
-		{
-			// todo
-			// engine > not exit
-		}
-	}
-
-	int m_argc;
-	const char** m_argv;
-	cxxopts::Options m_options;
-	cxxopts::ParseResult m_result;
-};
-
-} // namespace falco
-
-// 3 tipi di azioni
-// quelle che una volta date devono farlo uscire e non hanno bisogno di nessuna istanza
-// quelle che hanno bisogno di inspector e/o engine e poi falco esce
-// quelle che hanno bisogno di inspector e/o engine e poi falco esegue

userspace/falco/configuration.cpp

@@ -47,16 +47,6 @@ falco_configuration::~falco_configuration()
 	}
 }
 
-// If we don't have a configuration file, we just use stdout output and all other defaults
-void falco_configuration::init(list<string> &cmdline_options)
-{
-	init_cmdline_options(cmdline_options);
-
-	falco::outputs::config stdout_output;
-	stdout_output.name = "stdout";
-	m_outputs.push_back(stdout_output);
-}
-
 void falco_configuration::init(string conf_filename, list<string> &cmdline_options)
 {
 	string m_config_file = conf_filename;
@@ -176,6 +166,8 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 
 	falco_logger::set_level(m_log_level);
 
+	m_output_timeout = m_config->get_scalar<uint32_t>("output_timeout", 2000);
+
 	m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);
 
@@ -346,4 +338,4 @@ void falco_configuration::set_cmdline_option(const string &opt)
 	{
 		m_config->set_scalar(keyval.first, keyval.second);
 	}
-}
+}

userspace/falco/configuration.h

@@ -204,6 +204,7 @@ public:
 
 	bool m_buffered_outputs;
 	bool m_time_format_iso_8601;
+	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;
 	uint32_t m_grpc_threadiness;

userspace/falco/falco.cpp

@@ -43,7 +43,6 @@ limitations under the License.
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
-#include "cli.h"
 #ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
@@ -75,102 +74,106 @@ static void restart_falco(int signal)
 	g_restart = true;
 }
 
-// //
-// // Program help
-// //
-// static void usage()
-// {
-//     printf(
-// 	   "Falco version: " FALCO_VERSION "\n"
-// 	   "Usage: falco [options]\n\n"
-// 	   "Options:\n"
-
-// 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
-// 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
-// 	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
-// 	   " -b, --print-base64            Print data buffers in base64.\n"
-// 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
-// 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
-// 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
-// 	   " -d, --daemon                  Run as a daemon.\n"
-// 	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
-// 	   "                               This is useful to let the input event wait for the container metadata fetch\n"
-// 	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
-// 	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
-// 	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
-// 	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
-// 	   " --disable-source <event_source>\n"
-// 	   "                               Disable a specific event source.\n"
-// 	   "                               Available event sources are: syscall, k8s_audit.\n"
-// 	   "                               It can be passed multiple times.\n"
-// 	   "                               Can not disable both the event sources.\n"
-
-// 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
-// 	   "                               k8s audit events) instead of tapping into live.\n"
-// #ifndef MINIMAL_BUILD
-// 	   " -k <url>, --k8s-api <url>\n"
-// 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
-//        "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
-// 	   "                               The API server can also be specified via the environment variable FALCO_K8S_API.\n"
-// 	   " -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
-// 	   "                               Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
-// 	   "                               Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
-// 	   "                               Private key password is optional (needed only if key is password protected).\n"
-// 	   "                               CA certificate is optional. For all files, only PEM file format is supported. \n"
-// 	   "                               Specifying CA certificate only is obsoleted - when single entry is provided \n"
-// 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
-// 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
-// 	   "                               ':' or '#' characters in the file name.\n"
-// #endif
-
-
-
-
-// #ifndef MINIMAL_BUILD
-// 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
-// 	   "                               Enable Mesos support by connecting to the API server\n"
-// 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
-// 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
-// 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
-// #endif
-// 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
-
-// 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
-// 	   "                               <key> can be a two-part <key>.<subkey>\n"
-// 	   " -p <output_format>, --print <output_format>\n"
-// 	   "                               Add additional information to each falco notification's output.\n"
-// 	   "                               With -pc or -pcontainer will use a container-friendly format.\n"
-// 	   "                               With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
-// 	   "                               With -pm or -pmesos will use a mesos-friendly format.\n"
-// 	   "                               Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
-// 	   "                               of %%container.info in rule output fields.\n"
-// 	   " -P, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
-//        " -r <rules_file>               Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
-//        "                               Can be specified multiple times to read from multiple files/directories.\n"
-// 	   " -s <stats_file>               If specified, append statistics related to Falco's reading/processing of events\n"
-// 	   "                               to this file (only useful in live mode).\n"
-// 	   " --stats-interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
-// 	   "                               This uses signals, so don't recommend intervals below 200 ms.\n"
-// 	   "                               Defaults to 5000 (5 seconds).\n"
-// 	   " -S <len>, --snaplen <len>\n"
-// 	   "                               Capture the first <len> bytes of each I/O buffer.\n"
-// 	   "                               By default, the first 80 bytes are captured. Use this\n"
-// 	   "                               option with caution, it can generate huge trace files.\n"
-
-
-// 	   " -U,--unbuffered               Turn off output buffering to configured outputs.\n"
-// 	   "                               This causes every single line emitted by falco to be flushed,\n"
-// 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
-// 	   "                               into another process or into a script.\n"
-// 	   " -u, --userspace               Parse events from userspace.\n"
-// 	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
-// 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
-// 	   "                               Can be specified multiple times to validate multiple files.\n"
-// 	   " -v                            Verbose output.\n"
-
-// 	   "\n"
-//     );
-// }
+//
+// Program help
+//
+static void usage()
+{
+    printf(
+	   "Falco version: " FALCO_VERSION "\n"
+	   "Usage: falco [options]\n\n"
+	   "Options:\n"
+	   " -h, --help                    Print this page\n"
+	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
+	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
+	   " -b, --print-base64            Print data buffers in base64.\n"
+	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
+	   " --cri <path>                  Path to CRI socket for container metadata.\n"
+	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
+	   " -d, --daemon                  Run as a daemon.\n"
+	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
+	   "                               This is useful to let the input event wait for the container metadata fetch\n"
+	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
+	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
+	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
+	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
+	   " --disable-source <event_source>\n"
+	   "                               Disable a specific event source.\n"
+	   "                               Available event sources are: syscall, k8s_audit.\n"
+	   "                               It can be passed multiple times.\n"
+	   "                               Can not disable both the event sources.\n"
+	   " -D <substring>                Disable any rules with names having the substring <substring>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -t.\n"
+	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
+	   "                               k8s audit events) instead of tapping into live.\n"
+#ifndef MINIMAL_BUILD
+	   " -k <url>, --k8s-api <url>\n"
+	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
+       "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
+	   "                               The API server can also be specified via the environment variable FALCO_K8S_API.\n"
+	   " -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]\n"
+	   "                               Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.\n"
+	   "                               Each entry must specify full (absolute, or relative to the current directory) path to the respective file.\n"
+	   "                               Private key password is optional (needed only if key is password protected).\n"
+	   "                               CA certificate is optional. For all files, only PEM file format is supported. \n"
+	   "                               Specifying CA certificate only is obsoleted - when single entry is provided \n"
+	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
+	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
+	   "                               ':' or '#' characters in the file name.\n"
+#endif
+	   " -L                            Show the name and description of all rules and exit.\n"
+	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
+	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
+	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
+#ifndef MINIMAL_BUILD
+	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
+	   "                               Enable Mesos support by connecting to the API server\n"
+	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
+	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
+	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
+#endif
+	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
+	   " -N                            When used with --list, only print field names.\n"
+	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
+	   "                               <key> can be a two-part <key>.<subkey>\n"
+	   " -p <output_format>, --print <output_format>\n"
+	   "                               Add additional information to each falco notification's output.\n"
+	   "                               With -pc or -pcontainer will use a container-friendly format.\n"
+	   "                               With -pk or -pkubernetes will use a kubernetes-friendly format.\n"
+	   "                               With -pm or -pmesos will use a mesos-friendly format.\n"
+	   "                               Additionally, specifying -pc/-pk/-pm will change the interpretation\n"
+	   "                               of %%container.info in rule output fields.\n"
+	   " -P, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
+       " -r <rules_file>               Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
+       "                               Can be specified multiple times to read from multiple files/directories.\n"
+	   " -s <stats_file>               If specified, append statistics related to Falco's reading/processing of events\n"
+	   "                               to this file (only useful in live mode).\n"
+	   " --stats-interval <msec>       When using -s <stats_file>, write statistics every <msec> ms.\n"
+	   "                               This uses signals, so don't recommend intervals below 200 ms.\n"
+	   "                               Defaults to 5000 (5 seconds).\n"
+	   " -S <len>, --snaplen <len>\n"
+	   "                               Capture the first <len> bytes of each I/O buffer.\n"
+	   "                               By default, the first 80 bytes are captured. Use this\n"
+	   "                               option with caution, it can generate huge trace files.\n"
+	   " --support                     Print support information including version, rules files used, etc. and exit.\n"
+	   " -T <tag>                      Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -t.\n"
+	   " -t <tag>                      Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -T/-D.\n"
+	   " -U,--unbuffered               Turn off output buffering to configured outputs.\n"
+	   "                               This causes every single line emitted by falco to be flushed,\n"
+	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
+	   "                               into another process or into a script.\n"
+	   " -u, --userspace               Parse events from userspace.\n"
+	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
+	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
+	   "                               Can be specified multiple times to validate multiple files.\n"
+	   " -v                            Verbose output.\n"
+       " --version                     Print version number.\n"
+	   "\n"
+    );
+}
 
 static void display_fatal_err(const string &msg)
 {
@@ -392,7 +395,8 @@ static void print_all_ignored_events(sinsp *inspector)
 
 static void list_source_fields(falco_engine *engine, bool verbose, bool names_only, std::string &source)
 {
-	if(!source.empty() && !(source == "syscall" || source == "k8s_audit"))
+	if(source.size() > 0 &&
+	   !(source == "syscall" || source == "k8s_audit"))
 	{
 		throw std::invalid_argument("Value for --list must be \"syscall\" or \"k8s_audit\"");
 	}
@@ -409,7 +413,7 @@ static void list_source_fields(falco_engine *engine, bool verbose, bool names_on
 //
 // ARGUMENT PARSING AND PROGRAM SETUP
 //
-int falco_init()
+int falco_init(int argc, char **argv)
 {
 	int result = EXIT_SUCCESS;
 	sinsp* inspector = NULL;
@@ -510,197 +514,198 @@ int falco_init()
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
-		// 		//
-		// 		// Parse the args
-		// 		//
-		// 		while((op = getopt_long(argc, argv,
-		//                                         "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
-		//                                         long_options, &long_index)) != -1)
-		// 		{
-		// 			switch(op)
-		// 			{
-		// 			case 'h':
-		// 				usage();
-		// 				goto exit;
-		// 			case 'c':
-		// 				conf_filename = optarg;
-		// 				break;
-		// 			case 'A':
-		// 				all_events = true;
-		// 				break;
-		// 			case 'b':
-		// 				event_buffer_format = sinsp_evt::PF_BASE64;
-		// 				break;
-		// 			case 'd':
-		// 				daemon = true;
-		// 				break;
-		// 			case 'D':
-		// 				substring = optarg;
-		// 				disabled_rule_substrings.insert(substring);
-		// 				break;
-		// 			case 'e':
-		// 				trace_filename = optarg;
-		// #ifndef MINIMAL_BUILD
-		// 				k8s_api = new string();
-		// 				mesos_api = new string();
-		// #endif
-		// 				break;
-		// 			case 'F':
-		// 				list_flds = optarg;
-		// 				break;
-		// 			case 'i':
-		// 				print_ignored_events = true;
-		// 				break;
-		// #ifndef MINIMAL_BUILD
-		// 			case 'k':
-		// 				k8s_api = new string(optarg);
-		// 				break;
-		// 			case 'K':
-		// 				k8s_api_cert = new string(optarg);
-		// 				break;
-		// #endif
-		// 			case 'L':
-		// 				describe_all_rules = true;
-		// 				break;
-		// 			case 'l':
-		// 				describe_rule = optarg;
-		// 				break;
-		// #ifndef MINIMAL_BUILD
-		// 			case 'm':
-		// 				mesos_api = new string(optarg);
-		// 				break;
-		// #endif
-		// 			case 'M':
-		// 				duration_to_tot = atoi(optarg);
-		// 				if(duration_to_tot <= 0)
-		// 				{
-		// 					throw sinsp_exception(string("invalid duration") + optarg);
-		// 				}
-		// 				break;
-		// 			case 'N':
-		// 				names_only = true;
-		// 				break;
-		// 			case 'o':
-		// 				cmdline_options.push_back(optarg);
-		// 				break;
-		// 			case 'P':
-		// 				pidfilename = optarg;
-		// 				break;
-		// 			case 'p':
-		// 				if(string(optarg) == "c" || string(optarg) == "container")
-		// 				{
-		// 					output_format = "container=%container.name (id=%container.id)";
-		// 					replace_container_info = true;
-		// 				}
-		// 				else if(string(optarg) == "k" || string(optarg) == "kubernetes")
-		// 				{
-		// 					output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
-		// 					replace_container_info = true;
-		// 				}
-		// 				else if(string(optarg) == "m" || string(optarg) == "mesos")
-		// 				{
-		// 					output_format = "task=%mesos.task.name container=%container.id";
-		// 					replace_container_info = true;
-		// 				}
-		// 				else
-		// 				{
-		// 					output_format = optarg;
-		// 					replace_container_info = false;
-		// 				}
-		// 				break;
-		// 			case 'r':
-		// 				falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
-		// 				break;
-		// 			case 'S':
-		// 				snaplen = atoi(optarg);
-		// 				break;
-		// 			case 's':
-		// 				stats_filename = optarg;
-		// 				break;
-		// 			case 'T':
-		// 				disabled_rule_tags.insert(optarg);
-		// 				break;
-		// 			case 't':
-		// 				enabled_rule_tags.insert(optarg);
-		// 				break;
-		// 			case 'U':
-		// 				buffered_outputs = false;
-		// 				buffered_cmdline = true;
-		// 				break;
-		// 			case 'u':
-		// 				userspace = true;
-		// 				break;
-		// 			case 'v':
-		// 				verbose = true;
-		// 				break;
-		// 			case 'V':
-		// 				validate_rules_filenames.push_back(optarg);
-		// 				break;
-		// 			case 'w':
-		// 				outfile = optarg;
-		// 				break;
-		// 			case '?':
-		// 				result = EXIT_FAILURE;
-		// 				goto exit;
+		//
+		// Parse the args
+		//
+		while((op = getopt_long(argc, argv,
+                                        "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
+                                        long_options, &long_index)) != -1)
+		{
+			switch(op)
+			{
+			case 'h':
+				usage();
+				goto exit;
+			case 'c':
+				conf_filename = optarg;
+				break;
+			case 'A':
+				all_events = true;
+				break;
+			case 'b':
+				event_buffer_format = sinsp_evt::PF_BASE64;
+				break;
+			case 'd':
+				daemon = true;
+				break;
+			case 'D':
+				substring = optarg;
+				disabled_rule_substrings.insert(substring);
+				break;
+			case 'e':
+				trace_filename = optarg;
+#ifndef MINIMAL_BUILD
+				k8s_api = new string();
+				mesos_api = new string();
+#endif
+				break;
+			case 'F':
+				list_flds = optarg;
+				break;
+			case 'i':
+				print_ignored_events = true;
+				break;
+#ifndef MINIMAL_BUILD
+			case 'k':
+				k8s_api = new string(optarg);
+				break;
+			case 'K':
+				k8s_api_cert = new string(optarg);
+				break;
+#endif
+			case 'L':
+				describe_all_rules = true;
+				break;
+			case 'l':
+				describe_rule = optarg;
+				break;
+#ifndef MINIMAL_BUILD
+			case 'm':
+				mesos_api = new string(optarg);
+				break;
+#endif
+			case 'M':
+				duration_to_tot = atoi(optarg);
+				if(duration_to_tot <= 0)
+				{
+					throw sinsp_exception(string("invalid duration") + optarg);
+				}
+				break;
+			case 'N':
+				names_only = true;
+				break;
+			case 'o':
+				cmdline_options.push_back(optarg);
+				break;
+			case 'P':
+				pidfilename = optarg;
+				break;
+			case 'p':
+				if(string(optarg) == "c" || string(optarg) == "container")
+				{
+					output_format = "container=%container.name (id=%container.id)";
+					replace_container_info = true;
+				}
+				else if(string(optarg) == "k" || string(optarg) == "kubernetes")
+				{
+					output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
+					replace_container_info = true;
+				}
+				else if(string(optarg) == "m" || string(optarg) == "mesos")
+				{
+					output_format = "task=%mesos.task.name container=%container.id";
+					replace_container_info = true;
+				}
+				else
+				{
+					output_format = optarg;
+					replace_container_info = false;
+				}
+				break;
+			case 'r':
+				falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
+				break;
+			case 'S':
+				snaplen = atoi(optarg);
+				break;
+			case 's':
+				stats_filename = optarg;
+				break;
+			case 'T':
+				disabled_rule_tags.insert(optarg);
+				break;
+			case 't':
+				enabled_rule_tags.insert(optarg);
+				break;
+			case 'U':
+				buffered_outputs = false;
+				buffered_cmdline = true;
+				break;
+			case 'u':
+				userspace = true;
+				break;
+			case 'v':
+				verbose = true;
+				break;
+			case 'V':
+				validate_rules_filenames.push_back(optarg);
+				break;
+			case 'w':
+				outfile = optarg;
+				break;
+			case '?':
+				result = EXIT_FAILURE;
+				goto exit;
 
-		// 			case 0:
-		// 				if(string(long_options[long_index].name) == "version")
-		// 				{
-		// 					printf("Falco version: %s\n", FALCO_VERSION);
-		// 					printf("Driver version: %s\n", DRIVER_VERSION);
-		// 					return EXIT_SUCCESS;
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "cri")
-		// 				{
-		// 					if(optarg != NULL)
-		// 					{
-		// 						cri_socket_path = optarg;
-		// 					}
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "disable-cri-async")
-		// 				{
-		// 				  cri_async = false;
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "list")
-		// 				{
-		// 					list_flds = true;
-		// 					if(optarg != NULL)
-		// 					{
-		// 						list_flds_source = optarg;
-		// 					}
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "stats-interval")
-		// 				{
-		// 					stats_interval = atoi(optarg);
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "support")
-		// 				{
-		// 					print_support = true;
-		// 				}
-		// 				else if (string(long_options[long_index].name) == "disable-source")
-		// 				{
-		// 					if(optarg != NULL)
-		// 					{
-		// 						disable_sources.insert(optarg);
-		// 					}
-		// 				}
-		// 				else if (string(long_options[long_index].name)== "alternate-lua-dir")
-		// 				{
-		// 					if(optarg != NULL)
-		// 					{
-		// 						alternate_lua_dir = optarg;
-		// 						if (alternate_lua_dir.back() != '/') {
-		// 							alternate_lua_dir += '/';
-		// 						}
-		// 					}
-		// 				}
-		// 				break;
+			case 0:
+				if(string(long_options[long_index].name) == "version")
+				{
+					printf("Falco version: %s\n", FALCO_VERSION);
+					printf("Driver version: %s\n", DRIVER_VERSION);
+					return EXIT_SUCCESS;
+				}
+				else if (string(long_options[long_index].name) == "cri")
+				{
+					if(optarg != NULL)
+					{
+						cri_socket_path = optarg;
+					}
+				}
+				else if (string(long_options[long_index].name) == "disable-cri-async")
+				{
+				  cri_async = false;
+				}
+				else if (string(long_options[long_index].name) == "list")
+				{
+					list_flds = true;
+					if(optarg != NULL)
+					{
+						list_flds_source = optarg;
+					}
+				}
+				else if (string(long_options[long_index].name) == "stats-interval")
+				{
+					stats_interval = atoi(optarg);
+				}
+				else if (string(long_options[long_index].name) == "support")
+				{
+					print_support = true;
+				}
+				else if (string(long_options[long_index].name) == "disable-source")
+				{
+					if(optarg != NULL)
+					{
+						disable_sources.insert(optarg);
+					}
+				}
+				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+				{
+					if(optarg != NULL)
+					{
+						alternate_lua_dir = optarg;
+						if (alternate_lua_dir.back() != '/') {
+							alternate_lua_dir += '/';
+						}
+					}
+				}
+				break;
 
-				// 			default:
-				// 				break;
-				// 			}
+			default:
+				break;
+			}
+
+		}
 
-						// 		}
 		inspector = new sinsp();
 		inspector->set_buffer_format(event_buffer_format);
 
@@ -757,8 +762,6 @@ int falco_init()
 			}
 		}
 
-		outputs = new falco_outputs();
-
 		// Some combinations of arguments are not allowed.
 		if (daemon && pidfilename == "") {
 			throw std::invalid_argument("If -d is provided, a pid file must also be provided");
@@ -789,7 +792,7 @@ int falco_init()
 				}
 				else
 				{
-					conf_filename = "";
+					throw std::invalid_argument("You must create a config file at " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE " or by passing -c\n");
 				}
 			}
 		}
@@ -831,12 +834,7 @@ int falco_init()
 		}
 		else
 		{
-			config.init(cmdline_options);
-			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
-
-			// log after config init because config determines where logs go
-			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
-			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
+			throw std::runtime_error("Could not find configuration file at " + conf_filename);
 		}
 
 		if (rules_filenames.size())
@@ -916,14 +914,14 @@ int falco_init()
 				throw std::runtime_error(string("Could not uname() to find system info: %s\n") + strerror(errno));
 			}
 
-			// for(char **arg = argv; *arg; arg++)
-			// {
-			// 	if(cmdline.size() > 0)
-			// 	{
-			// 		cmdline += " ";
-			// 	}
-			// 	cmdline += *arg;
-			// }
+			for(char **arg = argv; *arg; arg++)
+			{
+				if(cmdline.size() > 0)
+				{
+					cmdline += " ";
+				}
+				cmdline += *arg;
+			}
 
 			support["version"] = FALCO_VERSION;
 			support["system_info"]["sysname"] = sysinfo.sysname;
@@ -965,13 +963,6 @@ int falco_init()
 			hostname = c_hostname;
 		}
 
-		outputs->init(config.m_json_output,
-			      config.m_json_include_output_property,
-			      config.m_notifications_rate, config.m_notifications_max_burst,
-			      config.m_buffered_outputs,
-			      config.m_time_format_iso_8601,
-			      hostname);
-
 		if(!all_events)
 		{
 			inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
@@ -991,11 +982,6 @@ int falco_init()
 
 		inspector->set_hostname_and_port_resolution_mode(false);
 
-		for(auto output : config.m_outputs)
-		{
-			outputs->add_output(output);
-		}
-
 		if(signal(SIGINT, signal_callback) == SIG_ERR)
 		{
 			fprintf(stderr, "An error occurred while setting SIGINT signal handler.\n");
@@ -1081,6 +1067,21 @@ int falco_init()
 			g_daemonized = true;
 		}
 
+		outputs = new falco_outputs();
+
+		outputs->init(config.m_json_output,
+			config.m_json_include_output_property,
+			config.m_output_timeout,
+			config.m_notifications_rate, config.m_notifications_max_burst,
+			config.m_buffered_outputs,
+			config.m_time_format_iso_8601,
+			hostname);
+
+		for(auto output : config.m_outputs)
+		{
+			outputs->add_output(output);
+		}
+
 		if(trace_filename.size())
 		{
 			// Try to open the trace file as a sysdig
@@ -1176,8 +1177,8 @@ int falco_init()
 						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
-				}
-				else
+				} 
+				else 
 				{
 					rethrow_exception(current_exception());
 				}
@@ -1286,7 +1287,7 @@ int falco_init()
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD
+#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
@@ -1373,23 +1374,13 @@ exit:
 //
 // MAIN
 //
-int main(int argc, const char **argv)
+int main(int argc, char **argv)
 {
-	try
-	{
-		auto cli = new falco::cli(argc, argv);
-		cli->run();
-	}
-	catch(const cxxopts::OptionException &e)
-	{
-		display_fatal_err("Error parsing options: " + string(e.what()) + "\n");
-		return EXIT_FAILURE;
-	}
-
 	int rc;
+
 	// g_restart will cause the falco loop to exit, but we
 	// should reload everything and start over.
-	while((rc = falco_init()) == EXIT_SUCCESS && g_restart)
+	while((rc = falco_init(argc, argv)) == EXIT_SUCCESS && g_restart)
 	{
 		g_restart = false;
 		optind = 1;

userspace/falco/falco_outputs.cpp

@@ -24,6 +24,7 @@ limitations under the License.
 
 #include "formats.h"
 #include "logger.h"
+#include "watchdog.h"
 
 #include "outputs_file.h"
 #include "outputs_program.h"
@@ -51,18 +52,26 @@ falco_outputs::~falco_outputs()
 {
 	if(m_initialized)
 	{
-		for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
+		this->stop_worker();
+		for(auto o : m_outputs)
 		{
-			(*it)->cleanup();
+			delete o;
 		}
 	}
 }
 
 void falco_outputs::init(bool json_output,
-			 bool json_include_output_property,
-			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname)
+		  bool json_include_output_property,
+		  uint32_t timeout,
+		  uint32_t rate, uint32_t max_burst, bool buffered,
+		  bool time_format_iso_8601, std::string hostname)
 {
+	// Cannot be initialized more than one time.
+	if(m_initialized)
+	{
+		throw falco_exception("falco_outputs already initialized");
+	}
+
 	m_json_output = json_output;
 
 	// Note that falco_formats is already initialized by the engine,
@@ -71,17 +80,29 @@ void falco_outputs::init(bool json_output,
 	falco_formats::s_json_output = json_output;
 	falco_formats::s_json_include_output_property = json_include_output_property;
 
+	m_timeout = std::chrono::milliseconds(timeout);
+
 	m_notifications_tb.init(rate, max_burst);
 
 	m_buffered = buffered;
 	m_time_format_iso_8601 = time_format_iso_8601;
 	m_hostname = hostname;
 
+	m_worker_thread = std::thread(&falco_outputs::worker, this);
+
 	m_initialized = true;
 }
 
+// This function has to be called after init() since some configuration settings
+// need to be passed to the output plugins. Then, although the worker has started,
+// the worker is still on hold, waiting for a message.
+// Thus it is still safe to call add_output() before any message has been enqueued.
 void falco_outputs::add_output(falco::outputs::config oc)
 {
+	if(!m_initialized)
+	{
+		throw falco_exception("cannot add output: falco_outputs not initialized yet");
+	}
 
 	falco::outputs::abstract_output *oo;
 
@@ -129,6 +150,12 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		return;
 	}
 
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = evt->get_ts();
+	cmsg.priority = priority;
+	cmsg.source = source;
+	cmsg.rule = rule;
+
 	string sformat;
 	if(source == "syscall")
 	{
@@ -163,35 +190,38 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		sformat += " " + format;
 	}
 
-	string msg;
-	msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
 
-	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
-	{
-		(*it)->output_event(evt, rule, source, priority, sformat, msg);
-	}
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
 }
 
-void falco_outputs::handle_msg(uint64_t now,
+void falco_outputs::handle_msg(uint64_t ts,
 			       falco_common::priority_type priority,
 			       std::string &msg,
 			       std::string &rule,
 			       std::map<std::string, std::string> &output_fields)
 {
-	std::string full_msg;
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = ts;
+	cmsg.priority = priority;
+	cmsg.source = "internal";
+	cmsg.rule = rule;
+	cmsg.fields = output_fields;
 
 	if(m_json_output)
 	{
 		nlohmann::json jmsg;
 
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = now / 1000000000;
+		time_t evttime = ts / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
 		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;
 
 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
-		snprintf(time_ns, sizeof(time_ns), ".%09luZ", now % 1000000000);
+		snprintf(time_ns, sizeof(time_ns), ".%09luZ", ts % 1000000000);
 		iso8601evttime = time_sec;
 		iso8601evttime += time_ns;
 
@@ -201,15 +231,15 @@ void falco_outputs::handle_msg(uint64_t now,
 		jmsg["time"] = iso8601evttime;
 		jmsg["output_fields"] = output_fields;
 
-		full_msg = jmsg.dump();
+		cmsg.msg = jmsg.dump();
 	}
 	else
 	{
 		std::string timestr;
 		bool first = true;
 
-		sinsp_utils::ts_to_string(now, &timestr, false, true);
-		full_msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
+		sinsp_utils::ts_to_string(ts, &timestr, false, true);
+		cmsg.msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
 		for(auto &pair : output_fields)
 		{
 			if(first)
@@ -218,23 +248,95 @@ void falco_outputs::handle_msg(uint64_t now,
 			}
 			else
 			{
-				full_msg += " ";
+				cmsg.msg += " ";
 			}
-			full_msg += pair.first + "=" + pair.second;
+			cmsg.msg += pair.first + "=" + pair.second;
 		}
-		full_msg += ")";
+		cmsg.msg += ")";
 	}
 
-	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
-	{
-		(*it)->output_msg(priority, full_msg);
-	}
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
+}
+
+void falco_outputs::cleanup_outputs()
+{
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_CLEANUP);
 }
 
 void falco_outputs::reopen_outputs()
 {
-	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_REOPEN);
+}
+
+void falco_outputs::stop_worker()
+{
+	watchdog<void *> wd;
+	wd.start([&](void *) -> void {
+		falco_logger::log(LOG_NOTICE, "output channels still blocked, discarding all remaining notifications\n");
+		m_queue.clear();
+		this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	});
+	wd.set_timeout(m_timeout, nullptr);
+
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	if(m_worker_thread.joinable())
 	{
-		(*it)->reopen();
+		m_worker_thread.join();
 	}
 }
+
+inline void falco_outputs::push(ctrl_msg_type cmt)
+{
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.type = cmt;
+	m_queue.push(cmsg);
+}
+
+// todo(leogr,leodido): this function is not supposed to throw exceptions, and with "noexcept",
+// the program is terminated if that occurs. Although that's the wanted behavior,
+// we still need to improve the error reporting since some inner functions can throw exceptions.
+void falco_outputs::worker() noexcept
+{
+	watchdog<std::string> wd;
+	wd.start([&](std::string payload) -> void {
+		falco_logger::log(LOG_CRIT, "\"" + payload + "\" output timeout, all output channels are blocked\n");
+	});
+
+	auto timeout = m_timeout;
+
+	falco_outputs::ctrl_msg cmsg;
+	do
+	{
+		// Block until a message becomes available.
+		m_queue.pop(cmsg);
+
+		for(const auto o : m_outputs)
+		{
+			wd.set_timeout(timeout, o->get_name());
+			try
+			{
+				switch(cmsg.type)
+				{
+					case ctrl_msg_type::CTRL_MSG_OUTPUT:
+						o->output(&cmsg);
+						break;
+					case ctrl_msg_type::CTRL_MSG_CLEANUP:
+					case ctrl_msg_type::CTRL_MSG_STOP:
+						o->cleanup();
+						break;
+					case ctrl_msg_type::CTRL_MSG_REOPEN:
+						o->reopen();
+						break;
+					default:
+						falco_logger::log(LOG_DEBUG, "Outputs worker received an unknown message type\n");	
+				}
+			}
+			catch(const exception &e)
+			{
+				falco_logger::log(LOG_ERR, o->get_name() + ": " + string(e.what()) + "\n");
+			}
+		}
+		wd.cancel_timeout();
+	} while(cmsg.type != ctrl_msg_type::CTRL_MSG_STOP);
+}

userspace/falco/falco_outputs.h

@@ -25,6 +25,7 @@ limitations under the License.
 #include "token_bucket.h"
 #include "falco_engine.h"
 #include "outputs.h"
+#include "tbb/concurrent_queue.h"
 
 //
 // This class acts as the primary interface between a program and the
@@ -39,25 +40,25 @@ public:
 
 	void init(bool json_output,
 		  bool json_include_output_property,
+		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);
 
 	void add_output(falco::outputs::config oc);
 
-	//
-	// evt is an event that has matched some rule. Pass the event
-	// to all configured outputs.
-	//
+	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
 	void handle_event(gen_event *evt, std::string &rule, std::string &source,
 			  falco_common::priority_type priority, std::string &format);
 
-	// Send a generic message to all outputs. Not necessarily associated with any event.
+	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,
 			falco_common::priority_type priority,
 			std::string &msg,
 			std::string &rule,
 			std::map<std::string, std::string> &output_fields);
 
+	void cleanup_outputs();
+
 	void reopen_outputs();
 
 private:
@@ -71,5 +72,28 @@ private:
 	bool m_buffered;
 	bool m_json_output;
 	bool m_time_format_iso_8601;
+	std::chrono::milliseconds m_timeout;
 	std::string m_hostname;
+
+	enum ctrl_msg_type
+	{
+		CTRL_MSG_STOP = 0,
+		CTRL_MSG_OUTPUT = 1,
+		CTRL_MSG_CLEANUP = 2,
+		CTRL_MSG_REOPEN = 3,
+	};
+
+	struct ctrl_msg : falco::outputs::message
+	{
+		ctrl_msg_type type;
+	};
+
+	typedef tbb::concurrent_bounded_queue<ctrl_msg> falco_outputs_cbq;
+
+	falco_outputs_cbq m_queue;
+
+	std::thread m_worker_thread;
+	inline void push(ctrl_msg_type cmt);
+	void worker() noexcept;
+	void stop_worker();
 };

userspace/falco/grpc_server_impl.cpp

@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 #include "config_falco.h"
+#include "falco_engine_version.h"
 #include "grpc_server_impl.h"
 #include "grpc_queue.h"
 #include "logger.h"
@@ -75,6 +76,9 @@ void falco::grpc::server_impl::version(const context& ctx, const version::reques
 	auto& version = *res.mutable_version();
 	version = FALCO_VERSION;
 
+	res.set_engine_version(FALCO_ENGINE_VERSION);
+	res.set_engine_fields_checksum(FALCO_FIELDS_CHECKSUM); 
+
 	res.set_major(FALCO_VERSION_MAJOR);
 	res.set_minor(FALCO_VERSION_MINOR);
 	res.set_patch(FALCO_VERSION_PATCH);

userspace/falco/outputs.h

@@ -37,6 +37,21 @@ struct config
 	std::map<std::string, std::string> options;
 };
 
+//
+// The message to be outputted. It can either refer to:
+//  - an event that has matched some rule,
+//  - or a generic message (e.g., a drop alert).
+//
+struct message
+{
+	uint64_t ts;
+	falco_common::priority_type priority;
+	std::string msg;
+	std::string rule;
+	std::string source;
+	map<std::string, std::string> fields;
+};
+
 //
 // This class acts as the primary interface for implementing
 // a Falco output class.
@@ -45,6 +60,8 @@ struct config
 class abstract_output
 {
 public:
+	virtual ~abstract_output() {}
+
 	void init(config oc, bool buffered, std::string hostname)
 	{
 		m_oc = oc;
@@ -52,15 +69,19 @@ public:
 		m_hostname = hostname;
 	}
 
-	// Output an event that has matched some rule.
-	virtual void output_event(gen_event *evt, std::string &rule, std::string &source,
-				  falco_common::priority_type priority, std::string &format, std::string &msg) = 0;
+	// Return the output's name as per its configuration.
+	const std::string get_name() const
+	{
+		return m_oc.name;
+	}
 
-	// Output a generic message. Not necessarily associated with any event.
-	virtual void output_msg(falco_common::priority_type priority, std::string &msg) = 0;
+	// Output a message.
+	virtual void output(const message *msg) = 0;
 
+	// Possibly close the output and open it again.
 	virtual void reopen() {}
 
+	// Possibly flush the output.
 	virtual void cleanup() {}
 
 protected:

userspace/falco/outputs_file.cpp

@@ -31,16 +31,10 @@ void falco::outputs::output_file::open_file()
 	}
 }
 
-void falco::outputs::output_file::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_file::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_file::output(const message *msg)
 {
 	open_file();
-	m_outfile << msg + "\n";
+	m_outfile << msg->msg + "\n";
 
 	if(m_oc.options["keep_alive"] != "true")
 	{

userspace/falco/outputs_file.h

@@ -27,10 +27,7 @@ namespace outputs
 
 class output_file : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 
 	void cleanup();
 

userspace/falco/outputs_grpc.cpp

@@ -21,44 +21,41 @@ limitations under the License.
 #include "formats.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format,
-					       std::string &msg)
+void falco::outputs::output_grpc::output(const message *msg)
 {
 	falco::outputs::response grpc_res;
 
 	// time
 	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
+	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(msg->ts);
 
 	// rule
 	auto r = grpc_res.mutable_rule();
-	*r = rule;
+	*r = msg->rule;
 
 	// source
 	falco::schema::source s = falco::schema::source::SYSCALL;
-	if(!falco::schema::source_Parse(source, &s))
+	if(!falco::schema::source_Parse(msg->source, &s))
 	{
-		throw falco_exception("Unknown source passed to output_grpc::output_event()");
+		throw falco_exception("Unknown source passed to output_grpc::output()");
 	}
 	grpc_res.set_source(s);
 
 	// priority
 	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	if(!falco::schema::priority_Parse(falco_common::priority_names[priority], &p))
+	if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p))
 	{
-		throw falco_exception("Unknown priority passed to output_grpc::output_event()");
+		throw falco_exception("Unknown priority passed to output_grpc::output()");
 	}
 	grpc_res.set_priority(p);
 
 	// output
 	auto output = grpc_res.mutable_output();
-	*output = msg;
+	*output = msg->msg;
 
 	// output fields
 	auto &fields = *grpc_res.mutable_output_fields();
-	auto resolvedTkns = falco_formats::resolve_tokens(evt, source, format);
-	for(const auto &kv : resolvedTkns)
+	for(const auto &kv : msg->fields)
 	{
 		fields[kv.first] = kv.second;
 	}
@@ -68,9 +65,4 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule
 	*host = m_hostname;
 
 	falco::grpc::queue::get().push(grpc_res);
-}
-
-void falco::outputs::output_grpc::output_msg(falco_common::priority_type priority, std::string &msg)
-{
-	// todo(fntlnz, leodido, leogr) > gRPC does not support subscribing to dropped events yet
 }

userspace/falco/outputs_grpc.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_grpc : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };
 
 } // namespace outputs

userspace/falco/outputs_http.cpp

@@ -18,13 +18,7 @@ limitations under the License.
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_http::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_http::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_http::output(const message *msg)
 {
 	CURL *curl = NULL;
 	CURLcode res = CURLE_FAILED_INIT;
@@ -37,7 +31,7 @@ void falco::outputs::output_http::output_msg(falco_common::priority_type priorit
 		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
 		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
 		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
+		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
 		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
 
 		res = curl_easy_perform(curl);

userspace/falco/outputs_http.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_http : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };
 
 } // namespace outputs

userspace/falco/outputs_program.cpp

@@ -31,17 +31,11 @@ void falco::outputs::output_program::open_pfile()
 	}
 }
 
-void falco::outputs::output_program::output_event(gen_event *evt, std::string &rule, std::string &source,
-						  falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_program::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_program::output(const message *msg)
 {
 	open_pfile();
 
-	fprintf(m_pfile, "%s\n", msg.c_str());
+	fprintf(m_pfile, "%s\n", msg->msg.c_str());
 
 	if(m_oc.options["keep_alive"] != "true")
 	{

userspace/falco/outputs_program.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_program : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 
 	void cleanup();
 

userspace/falco/outputs_stdout.cpp

@@ -18,16 +18,10 @@ limitations under the License.
 #include <iostream>
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_stdout::output_event(gen_event *evt, std::string &rule, std::string &source,
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_stdout::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_stdout::output(const message *msg)
 {
 	//
-	// By default, the stdout stream is fully buffered or line buffered 
+	// By default, the stdout stream is fully buffered or line buffered
 	// (if the stream can be determined to refer to an interactive device, e.g. in a TTY).
 	// Just enable automatic flushing when unbuffered output is desired.
 	// Note that it is set every time since other writings to the stdout can disable it.
@@ -36,7 +30,7 @@ void falco::outputs::output_stdout::output_msg(falco_common::priority_type prior
 	{
 		std::cout << std::unitbuf;
 	}
-	std::cout << msg + "\n";
+	std::cout << msg->msg + "\n";
 }
 
 void falco::outputs::output_stdout::cleanup()

userspace/falco/outputs_stdout.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_stdout : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 
 	void cleanup();
 };

userspace/falco/outputs_syslog.cpp

@@ -18,14 +18,8 @@ limitations under the License.
 #include <syslog.h>
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-void falco::outputs::output_syslog::output_event(gen_event *evt, std::string &rule, std::string &source,
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_syslog::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_syslog::output(const message *msg)
 {
 	// Syslog output should not have any trailing newline
-	::syslog(priority, "%s", msg.c_str());
+	::syslog(msg->priority, "%s", msg->msg.c_str());
 }

userspace/falco/outputs_syslog.h

@@ -25,10 +25,7 @@ namespace outputs
 
 class output_syslog : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };
 
 } // namespace outputs

userspace/falco/schema.proto

@@ -57,4 +57,7 @@ enum source {
   k8s_audit = 1;
   K8s_audit = 1;
   K8S_audit = 1;
+  INTERNAL = 2;
+  internal = 2;
+  Internal = 2;
 }

userspace/falco/version.proto

@@ -36,10 +36,14 @@ message request
 // its parts as per semver 2.0 specification (https://semver.org).
 message response
 {
+// falco version
   string version = 1;
   uint32 major = 2;
   uint32 minor = 3;
   uint32 patch = 4;
   string prerelease = 5;
   string build = 6;
-}
+// falco engine version
+  uint32 engine_version = 7;
+  string engine_fields_checksum = 8;
+}

userspace/falco/watchdog.h

@@ -0,0 +1,96 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <chrono>
+#include <thread>
+#include <functional>
+#include <atomic>
+
+template<typename _T>
+class watchdog
+{
+public:
+	watchdog():
+		m_timeout(nullptr),
+		m_is_running(false)
+	{
+	}
+
+	~watchdog()
+	{
+		stop();
+	}
+
+	void start(std::function<void(_T)> cb,
+		   std::chrono::milliseconds resolution = std::chrono::milliseconds(100))
+	{
+		stop();
+		m_is_running.store(true, std::memory_order_release);
+		m_thread = std::thread([this, cb, resolution]() {
+			const auto no_deadline = time_point{};
+			timeout_data curr;
+			while(m_is_running.load(std::memory_order_acquire))
+			{
+				auto t = m_timeout.exchange(nullptr, std::memory_order_release);
+				if(t)
+				{
+					curr = *t;
+					delete t;
+				}
+				if(curr.deadline != no_deadline && curr.deadline < std::chrono::steady_clock::now())
+				{
+					cb(curr.payload);
+					curr.deadline = no_deadline;
+				}
+				std::this_thread::sleep_for(resolution);
+			}
+		});
+	}
+
+	void stop()
+	{
+		if(m_is_running.load(std::memory_order_acquire))
+		{
+			m_is_running.store(false, std::memory_order_release);
+			if(m_thread.joinable())
+			{
+				m_thread.join();
+			}
+			delete m_timeout.exchange(nullptr, std::memory_order_release);
+		}
+	}
+
+	inline void set_timeout(std::chrono::milliseconds timeout, _T payload) noexcept
+	{
+		delete m_timeout.exchange(new timeout_data{std::chrono::steady_clock::now() + timeout, payload}, std::memory_order_release);
+	}
+
+	inline void cancel_timeout() noexcept
+	{
+		delete m_timeout.exchange(new timeout_data, std::memory_order_release);
+	}
+
+private:
+	typedef std::chrono::time_point<std::chrono::steady_clock> time_point;
+	struct timeout_data
+	{
+		time_point deadline;
+		_T payload;
+	};
+	std::atomic<timeout_data *> m_timeout;
+	std::atomic<bool> m_is_running;
+	std::thread m_thread;
+};