rule (EphemeralContainers Created): add new rule to detect ephemeral container created

Signed-off-by: kaizhe <derek0405@gmail.com>
macro(trusted_pod): add new list k8s_image_list
2026-03-20 11:42:06 +00:00 · 2020-08-06 22:42:18 +02:00 · 2020-07-31 10:40:48 +02:00 · 2020-07-28 09:58:39 +02:00 · 2020-07-25 08:53:06 +02:00 · 2020-07-25 08:53:06 +02:00
415 changed files with 29068 additions and 2893 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -0,0 +1,383 @@
+version: 2
+jobs:
+  # Build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal-debug":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release
+            - source
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build/release/*.deb /tmp/packages
+            cp /build/release/*.tar.gz /tmp/packages
+            cp /build/release/*.rpm /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+  # Debug build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7-debug":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "debug"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
+  # Execute integration tests based on the build results coming from the "build/centos7" job
+  "tests/integration":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source"
+          BUILD_DIR: "/build"
+          BUILD_TYPE: "release"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
+  "tests/driver-loader/integration":
+    machine:
+      image: ubuntu-1604:202004-01
+    steps:
+      - attach_workspace:
+          at: /tmp/ws
+      - run:
+          name: Execute driver-loader integration tests
+          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Sign rpm packages
+  "rpm/sign":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Install rpmsign
+          command: |
+            yum update -y
+            yum install rpm-sign -y
+      - run:
+          name: Sign rpm
+          command: |
+            echo "%_signature gpg" > ~/.rpmmacros
+            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+            cd /build/release/
+            echo '#!/usr/bin/expect -f' > sign
+            echo 'spawn rpmsign --addsign {*}$argv' >> sign
+            echo 'expect -exact "Enter pass phrase: "' >> sign
+            echo 'send -- "\n"' >> sign
+            echo 'expect eof' >> sign
+            chmod +x sign
+            echo $GPG_KEY | base64 -d | gpg --import
+            ./sign *.rpm
+            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release/*.rpm
+  # Publish the packages
+  "publish/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
+            docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-no-driver:master
+            docker push falcosecurity/falco:master-slim
+      - run:
+          name: Build and publish dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master
+      - run:
+          name: Build and publish dev falco-driver-loader-dev
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-driver-loader:master
+  # Publish the packages
+  "publish/packages":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish no-driver
+          command: |
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-no-driver:latest"
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "falcosecurity/falco:latest-slim"
+      - run:
+          name: Build and publish falco
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-driver-loader:latest"
+workflows:
+  version: 2
+  build_and_test:
+    jobs:
+      - "build/ubuntu-focal"
+      - "build/ubuntu-focal-debug"
+      - "build/centos7"
+      - "build/centos7-debug"
+      - "tests/integration":
+          requires:
+            - "build/centos7"
+      - "tests/driver-loader/integration":
+          requires:
+            - "build/centos7"
+      - "rpm/sign":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "tests/integration"
+      - "publish/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "rpm/sign"
+      - "publish/docker-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
+            - "tests/driver-loader/integration"
+  release:
+    jobs:
+      - "build/centos7":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "rpm/sign":
+          context: falco
+          requires:
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/packages":
+          context: falco
+          requires:
+            - "rpm/sign"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/docker":
+          context: falco
+          requires:
+            - "publish/packages"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,16 @@
+---
+Language: Cpp
+BasedOnStyle: LLVM
+AccessModifierOffset: -8
+BreakBeforeBraces: Allman
+BreakConstructorInitializers: AfterColon
+ColumnLimit: 0
+ConstructorInitializerIndentWidth: 8
+ContinuationIndentWidth: 8
+DerivePointerAlignment: true
+IndentWidth: 8
+SortIncludes: false
+SpaceAfterTemplateKeyword: false
+SpaceBeforeCtorInitializerColon: false
+SpaceBeforeParens: Never
+UseTab: Always
--- a/.cmake-format
+++ b/.cmake-format
@@ -0,0 +1,119 @@
+# --------------------------
+# General Formatting Options
+# --------------------------
+# How wide to allow formatted cmake files
+line_width = 120
+
+# How many spaces to tab for indent
+tab_size = 2
+
+# If arglists are longer than this, break them always
+max_subargs_per_line = 3
+
+# If true, separate flow control names from their parentheses with a space
+separate_ctrl_name_with_space = False
+
+# If true, separate function names from parentheses with a space
+separate_fn_name_with_space = False
+
+# If a statement is wrapped to more than one line, than dangle the closing
+# parenthesis on it's own line
+dangle_parens = False
+
+# If the statement spelling length (including space and parenthesis is larger
+# than the tab width by more than this amoung, then force reject un-nested
+# layouts.
+max_prefix_chars = 2
+
+# If a candidate layout is wrapped horizontally but it exceeds this many lines,
+# then reject the layout.
+max_lines_hwrap = 2
+
+# What style line endings to use in the output.
+line_ending = 'unix'
+
+# Format command names consistently as 'lower' or 'upper' case
+command_case = 'canonical'
+
+# Format keywords consistently as 'lower' or 'upper' case
+keyword_case = 'unchanged'
+
+# Specify structure for custom cmake functions
+additional_commands = {
+  "pkg_find": {
+    "kwargs": {
+      "PKG": "*"
+    }
+  }
+}
+
+# A list of command names which should always be wrapped
+always_wrap = []
+
+# Specify the order of wrapping algorithms during successive reflow attempts
+algorithm_order = [0, 1, 2, 3, 4]
+
+# If true, the argument lists which are known to be sortable will be sorted
+# lexicographicall
+enable_sort = True
+
+# If true, the parsers may infer whether or not an argument list is sortable
+# (without annotation).
+autosort = False
+
+# If a comment line starts with at least this many consecutive hash characters,
+# then don't lstrip() them off. This allows for lazy hash rulers where the first
+# hash char is not separated by space
+hashruler_min_length = 10
+
+# A dictionary containing any per-command configuration overrides. Currently
+# only `command_case` is supported.
+per_command = {}
+
+
+# --------------------------
+# Comment Formatting Options
+# --------------------------
+# What character to use for bulleted lists
+bullet_char = '*'
+
+# What character to use as punctuation after numerals in an enumerated list
+enum_char = '.'
+
+# enable comment markup parsing and reflow
+enable_markup = True
+
+# If comment markup is enabled, don't reflow the first comment block in each
+# listfile. Use this to preserve formatting of your copyright/license
+# statements.
+first_comment_is_literal = False
+
+# If comment markup is enabled, don't reflow any comment block which matches
+# this (regex) pattern. Default is `None` (disabled).
+literal_comment_pattern = None
+
+# Regular expression to match preformat fences in comments
+# default=r'^\s*([`~]{3}[`~]*)(.*)$'
+fence_pattern = '^\\s*([`~]{3}[`~]*)(.*)$'
+
+# Regular expression to match rulers in comments
+# default=r'^\s*[^\w\s]{3}.*[^\w\s]{3}$'
+ruler_pattern = '^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'
+
+# If true, then insert a space between the first hash char and remaining hash
+# chars in a hash ruler, and normalize it's length to fill the column
+canonicalize_hashrulers = True
+
+
+# ---------------------------------
+# Miscellaneous Options
+# ---------------------------------
+# If true, emit the unicode byte-order mark (BOM) at the start of the file
+emit_byteorder_mark = False
+
+# Specify the encoding of the input file. Defaults to utf-8.
+input_encoding = 'utf-8'
+
+# Specify the encoding of the output file. Defaults to utf-8. Note that cmake
+# only claims to support utf-8 so be careful when using anything else
+output_encoding = 'utf-8'
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,79 @@
+<!--  Thanks for sending a pull request!  Here are some tips for you:
+
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+2. Please label this pull request according to what type of issue you are addressing.
+3. . Please add a release note!
+4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
+-->
+
+**What type of PR is this?**
+
+> Uncomment one (or more) `/kind <>` lines:
+
+> /kind bug
+
+> /kind cleanup
+
+> /kind design
+
+> /kind documentation
+
+> /kind failing-test
+
+> /kind feature
+
+> If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
+
+> /kind rule-update
+
+> /kind rule-create
+
+<!--
+Please remove the leading whitespace before the `/kind <>` you uncommented.
+-->
+
+**Any specific area of the project related to this PR?**
+
+> Uncomment one (or more) `/area <>` lines:
+
+> /area build
+
+> /area engine
+
+> /area rules
+
+> /area tests
+
+> /area proposals
+
+<!--
+Please remove the leading whitespace before the `/area <>` you uncommented.
+-->
+
+**What this PR does / why we need it**:
+
+**Which issue(s) this PR fixes**:
+
+<!--
+Automatically closes linked issue when PR is merged.
+Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
+-->
+
+Fixes #
+
+**Special notes for your reviewer**:
+
+**Does this PR introduce a user-facing change?**:
+
+<!--
+If no, just write "NONE" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below.
+If the PR requires additional action from users switching to the new release, prepend the string "action required:".
+For example, `action required: change the API interface of the rule engine`.
+-->
+
+```release-note
+
+```
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,20 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - cncf
+  - roadmap
+  - "help wanted"
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
+  Please refer to a maintainer to get such label added if you think this should be kept open.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,23 @@
 /build*
+*~
+*.pyc
+
+test/falco_tests.yaml
+test/traces-negative
+test/traces-positive
+test/traces-info
+test/job-results
+test/.phoronix-test-suite
+test/results*.json.*
+test/build

 userspace/falco/lua/re.lua
 userspace/falco/lua/lpeg.so
+userspace/engine/lua/lyaml
+userspace/engine/lua/lyaml.lua
+
+.vscode/*
+
+.luacheckcache
+
+*.idea*
--- a/.luacheckrc
+++ b/.luacheckrc
@@ -0,0 +1,9 @@
+std = "min"
+cache = true
+include_files = {
+    "userspace/falco/lua/*.lua",
+    "userspace/engine/lua/*.lua",
+    "userspace/engine/lua/lyaml/*.lua",
+    "*.luacheckrc"
+}
+exclude_files = {"build"}
--- a/.yamllint.conf
+++ b/.yamllint.conf
@@ -0,0 +1,8 @@
+extends: default
+
+rules:
+  indentation: disable
+  document-start: disable
+  comments: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -0,0 +1,30 @@
+# Adopters
+
+This is a list of production adopters of Falco (in alphabetical order):
+
+* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
+
+* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
+
+* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
+
+* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
+
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+
+* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
+  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
+
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
+
+* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
+
+* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
+
+* [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.
+
+* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
+
+*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,23 +1,66 @@
-cmake_minimum_required(VERSION 2.8.2)
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+cmake_minimum_required(VERSION 3.5.1)

 project(falco)

-if(NOT DEFINED FALCO_VERSION)
-	set(FALCO_VERSION "0.1.1dev")
+option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+
+# Elapsed time
+# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
+
+# Make flag for parallel processing
+include(ProcessorCount)
+processorcount(PROCESSOR_COUNT)
+if(NOT PROCESSOR_COUNT EQUAL 0)
+  set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
 endif()

-if(NOT DEFINED DIR_ETC)
-	set(DIR_ETC "/etc")
+# Custom CMake modules
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
+
+# GNU standard installation directories' definitions
+include(GNUInstallDirs)
+
+if(NOT DEFINED FALCO_ETC_DIR)
+  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()

-if(NOT CMAKE_BUILD_TYPE)
-	SET(CMAKE_BUILD_TYPE Release)
+if(NOT DRAIOS_DEBUG_FLAGS)
+  set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
 endif()

-set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+  set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
+else()
+  set(CMAKE_BUILD_TYPE "release")
+  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

-set(CMAKE_C_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
-set(CMAKE_CXX_FLAGS "-Wall -ggdb --std=c++0x ${DRAIOS_FEATURE_FLAGS}")
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+
+if(BUILD_WARNINGS_AS_ERRORS)
+  set(CMAKE_SUPPRESSED_WARNINGS
+      "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
+  )
+  set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
+endif()
+
+set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
+set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")

 set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
@@ -25,195 +68,186 @@ set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")

-add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
-add_definitions(-DK8S_DISABLE_THREAD)
-add_definitions(-DHAS_CAPTURE)
-
-if(CMAKE_BUILD_TYPE STREQUAL "Debug")
-	set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
-else()
-	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
-endif()
+include(GetFalcoVersion)

 set(PACKAGE_NAME "falco")
-set(PROBE_VERSION "${FALCO_VERSION}")
-set(PROBE_NAME "sysdig-probe")
-set(PROBE_DEVICE_NAME "sysdig")
+set(PROBE_NAME "falco")
+set(PROBE_DEVICE_NAME "falco")
+set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+  set(CMAKE_INSTALL_PREFIX
+      /usr
+      CACHE PATH "Default install path" FORCE)
+endif()

 set(CMD_MAKE make)

-set(SYSDIG_DIR ${PROJECT_SOURCE_DIR}/../sysdig)
-
 include(ExternalProject)

-set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
-message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
-set(ZLIB_INCLUDE "${ZLIB_SRC}")
-set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
-ExternalProject_Add(zlib
-		URL "http://download.draios.com/dependencies/zlib-1.2.8.tar.gz"
-		URL_MD5 "44d667c142d7cda120332623eab69f40"
-		CONFIGURE_COMMAND "./configure"
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+# jq
+include(jq)

-set(JSONCPP_SRC "${SYSDIG_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
+# nlohmann-json
+set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+ExternalProject_Add(
+  njson
+  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
+  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")

-# we pull this in because libsinsp won't build without it
-set(CURSES_BUNDLE_DIR "${PROJECT_BINARY_DIR}/ncurses-prefix/src/ncurses")
-set(CURSES_INCLUDE_DIR "${CURSES_BUNDLE_DIR}/include/")
-set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
-message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
-ExternalProject_Add(ncurses
-		URL "http://download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
-		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
-		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+# curses
+# We pull this in because libsinsp won't build without it
+set(CURSES_NEED_NCURSES TRUE)
+find_package(Curses REQUIRED)
+message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")

+# libb64

 set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
 message(STATUS "Using bundled b64 in '${B64_SRC}'")
 set(B64_INCLUDE "${B64_SRC}/include")
 set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(b64
-		URL "http://download.draios.com/dependencies/libb64-1.2.src.zip"
-		URL_MD5 "a609809408327117e2c643bed91b76c5"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+ExternalProject_Add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
+  URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  INSTALL_COMMAND "")

+# yaml-cpp
+include(yaml-cpp)

-set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-# Once the next version of yaml-cpp is released (first version not requiring
-# boost), we can switch to that and no longer pull from github.
-ExternalProject_Add(yamlcpp
-		GIT_REPOSITORY "https://github.com/jbeder/yaml-cpp.git"
-		GIT_TAG "7d2873ce9f2202ea21b6a8c5ecbc9fe38032c229"
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+# OpenSSL
+include(OpenSSL)

-set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-
-message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-ExternalProject_Add(openssl
-		URL "http://download.draios.com/dependencies/openssl-1.0.2d.tar.gz"
-		URL_MD5 "38dd619b2e77cbac69b99f52a053d25a"
-		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND ${CMD_MAKE} install)
-
-set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-
-
-set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-
-ExternalProject_Add(curl
-		DEPENDS openssl
-		URL "http://download.draios.com/dependencies/curl-7.45.0.tar.bz2"
-		URL_MD5 "62c1a352b28558f25ba6209214beadc8"
-		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+# libcurl
+include(cURL)

+# LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
 message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
 set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(luajit
-		URL "http://download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ${CMD_MAKE}
-		BUILD_IN_SOURCE 1
-		INSTALL_COMMAND "")
+ExternalProject_Add(
+  luajit
+  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
+  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  INSTALL_COMMAND "")

-set (LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-ExternalProject_Add(lpeg
-                    DEPENDS luajit
-		    URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-                    URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
-                    BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} ${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh
-                    BUILD_IN_SOURCE 1
-		    CONFIGURE_COMMAND ""
-                    INSTALL_COMMAND "")
+# Lpeg
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")

+# libyaml
+include(libyaml)

-set (LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/src")
-set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
-ExternalProject_Add(libyaml
-		    URL "http://download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
-                    URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
-                    BUILD_COMMAND ${CMD_MAKE}
-                    BUILD_IN_SOURCE 1
-		    CONFIGURE_COMMAND ./bootstrap && ./configure
-                    INSTALL_COMMAND "")
-
-set (LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+# lyaml
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-ExternalProject_Add(lyaml
-		    URL "http://download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-                    URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
-                    BUILD_COMMAND ${CMD_MAKE}
-                    BUILD_IN_SOURCE 1
-		    CONFIGURE_COMMAND ./configure --enable-static LIBS=-L../../../libyaml-prefix/src/libyaml/src/.libs CFLAGS=-I../../../libyaml-prefix/src/libyaml/include CPPFLAGS=-I../../../libyaml-prefix/src/libyaml/include LUA_INCLUDE=-I../../../luajit-prefix/src/luajit/src LUA=../../../luajit-prefix/src/luajit/src/luajit
-                    INSTALL_COMMAND sh -c "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/falco/lua")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+set(LYAML_DEPENDENCIES "")
+list(APPEND LYAML_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lyaml
+  DEPENDS ${LYAML_DEPENDENCIES}
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
+  INSTALL_COMMAND sh -c
+                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")

-install(FILES falco.yaml
-	DESTINATION "${DIR_ETC}")
+# One TBB
+set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")

-add_subdirectory(${SYSDIG_DIR}/driver ${PROJECT_BINARY_DIR}/driver)
-add_subdirectory(${SYSDIG_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/userspace/libscap)
-add_subdirectory(${SYSDIG_DIR}/userspace/libsinsp ${PROJECT_BINARY_DIR}/userspace/libsinsp)
+message(STATUS "Using bundled tbb in '${TBB_SRC}'")

+set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
+set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
+ExternalProject_Add(
+  tbb
+  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${TBB_LIB}
+  INSTALL_COMMAND "")
+
+# civetweb
+set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+ExternalProject_Add(
+  civetweb
+  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+  BUILD_IN_SOURCE 1
+  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+
+#string-view-lite
+include(DownloadStringViewLite)
+
+# gRPC
+include(gRPC)
+
+# sysdig
+include(sysdig)
+
+# Installation
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
+
+# Coverage
+include(Coverage)
+
+# Tests
+add_subdirectory(test)
+
+# Rules
 add_subdirectory(rules)
+
+# Dockerfiles
+add_subdirectory(docker)
+
+# Clang format
+# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
+
+# Shared build variables
+set(FALCO_SINSP_LIBRARY sinsp)
+set(FALCO_SHARE_DIR share/falco)
+set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
+set(FALCO_BIN_DIR bin)
+
 add_subdirectory(scripts)
+add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
+add_subdirectory(tests)

-
-set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
-set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
-set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
-set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
-set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
-set(CPACK_PACKAGE_RELOCATABLE "OFF")
-
-set(CPACK_GENERATOR DEB RPM TGZ)
-
-set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Sysdig <support@sysdig.com>")
-set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "http://www.sysdig.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "sysdig")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${PROJECT_SOURCE_DIR}/scripts/debian/postinst;${PROJECT_SOURCE_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm")
-
-set(CPACK_RPM_PACKAGE_LICENSE "GPLv2")
-set(CPACK_RPM_PACKAGE_URL "http://www.sysdig.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "sysdig")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
-set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/src /usr/share/man /usr/share/man/man8 /etc /usr /usr/bin /usr/share /etc/rc.d /etc/rc.d/init.d )
-set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
-
-include(CPack)
+# Packages configuration
+include(CPackConfig)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,38 @@
+# CNCF Community Code of Conduct v1.0
+
+## Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering
+an open and welcoming community, we pledge to respect all people who contribute
+through reporting issues, posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses,
+ without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are not
+aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
+commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,150 @@
+# Contributing to Falco
+
+- [Contributing to Falco](#contributing-to-falco)
+  - [Code of Conduct](#code-of-conduct)
+  - [Issues](#issues)
+    - [Triage issues](#triage-issues)
+      - [More about labels](#more-about-labels)
+    - [Slack](#slack)
+  - [Pull Requests](#pull-requests)
+    - [Commit convention](#commit-convention)
+      - [Rule type](#rule-type)
+  - [Coding Guidelines](#coding-guidelines)
+    - [C++](#c)
+    - [Unit testing](/tests/README.md)
+  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
+
+## Code of Conduct
+
+Falco has a
+[Code of Conduct](CODE_OF_CONDUCT.md)
+to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
+
+## Issues
+
+Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
+
+- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
+creating an issue with the **bug report template** is the best way to do so.
+- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
+- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
+
+The best way to get **involved** in the project is through issues, you can help in many ways:
+
+- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
+sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
+- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
+
+### Triage issues
+
+We need help in categorizing issues. Thus any help is welcome!
+
+When you triage an issue, you:
+
+* assess whether it has merit or not
+
+* quickly close it by correctly answering a question
+
+* point the reporter to a resource or documentation answering the issue
+
+* tag it via labels, projects, or milestones
+
+* take ownership submitting a PR for it, in case you want 😇
+
+#### More about labels
+
+These guidelines are not set in stone and are subject to change.
+
+Anyway a `kind/*` label for any issue is mandatory.
+
+This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
+
+You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
+
+The commands available are the following ones:
+
+```
+/[remove-](area|kind|priority|triage|label)
+```
+
+Some examples:
+
+* `/area rules`
+* `/remove-area rules`
+* `/kind kernel-module`
+* `/label good-first-issue`
+* `/triage duplicate`
+* `/triage unresolved`
+* `/triage not-reproducible`
+* `/triage support`
+* ...
+
+### Slack
+
+Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
+
+## Pull Requests
+
+Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
+
+In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
+need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
+
+The list of labels is [here](https://github.com/falcosecurity/falco/labels).
+
+Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
+
+Once your reviewer is happy, they will say `/lgtm` which will apply the
+`lgtm` label, and will apply the `approved` label if they are an
+[owner](/OWNERS).
+
+Your PR will be automatically merged once it has the `lgtm` and `approved`
+labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
+
+### Commit convention
+
+As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
+of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
+
+#### Rule type
+
+Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
+Example:
+
+```
+rule(Write below monitored dir): make sure monitored dirs are monitored.
+```
+
+Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
+
+If you are changing only a macro, the commit will look like this:
+
+```
+rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
+```
+
+## Coding Guidelines
+
+### C++
+
+* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
+
+  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
+
+## Developer Certificate Of Origin
+
+The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
+
+Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+
+```
+This is my commit message
+
+Signed-off-by: John Poiana <jpoiana@falco.org>
+```
+
+Git even has a `-s` command line option to append this automatically to your commit message:
+
+```
+$ git commit -s -m 'This is my commit message'
+```
--- a/487
+++ b/487
@@ -1,351 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991

- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/

-                            Preamble
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
+   1. Definitions.

-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.

-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.

-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.

-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.

-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.

-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.

-  The precise terms and conditions for copying, distribution and
-modification follow.
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).

-                    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.

-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."

-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.

-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.

-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.

-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:

-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and

-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and

-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and

-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.

-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.

-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.

-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.

-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.

-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.

-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.

-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
+   END OF TERMS AND CONDITIONS

-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
+   APPENDIX: How to apply the Apache License to your work.

-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.

-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
+   Copyright 2019 The Falco Authors

-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at

-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
+       http://www.apache.org/licenses/LICENSE-2.0

-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-                            NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-* In addition, as a special exception, the copyright holders give
-* permission to link the code of portions of this program with the
-* OpenSSL library under certain conditions as described in each
-* individual source file, and distribute linked combinations
-* including the two.
-* You must obey the GNU General Public License in all respects
-* for all of the code used other than OpenSSL.  If you modify
-* file(s) with this exception, you may extend this exception to your
-* version of the file(s), but you are not obligated to do so.  If you
-* do not wish to do so, delete this exception statement from your
-* version.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -0,0 +1,55 @@
+# Process for becoming a maintainer
+
+* Express interest to the existing maintainers that you or your organization is interested in becoming a
+  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
+  time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
+  proficient in C++. Ultimately your goal is to become a maintainer that will represent your
+  organization.
+* We will expect you to start contributing increasingly complicated PRs, under the guidance
+  of the existing maintainers.
+* We may ask you to do some PRs from our backlog.
+* As you gain experience with the code base and our standards, we will ask you to do code reviews
+  for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
+  community reviews).
+* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
+  the existing maintainers will confer and decide whether to grant maintainer status or not.
+  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
+  goal.
+
+## Maintainer responsibilities
+
+* Monitor Slack (delayed response is perfectly acceptable).
+* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
+* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
+  to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
+  is somewhat subjective so just use your best judgment.
+* Make sure that ongoing PRs are moving forward at the right pace or closing them.
+* Participate when called upon in the security releases. Note that although this should be a rare
+  occurrence, if a serious vulnerability is found, the process may take up to several full days of
+  work to implement. This reality should be taken into account when discussing time commitment
+  obligations with employers.
+* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
+  business days per week).
+
+## When does a maintainer lose maintainer status
+
+If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
+should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
+the maintainers per the voting process below.
+
+# Conflict resolution and voting
+
+In general, we prefer that technical issues and maintainer membership are amicably worked out
+between the persons involved. If a dispute cannot be decided independently, the maintainers can be
+called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
+be resolved by voting. The voting process is a simple majority in which each senior maintainer
+receives two votes and each normal maintainer receives one vote.
+
+# Adding new projects to the falcosecurity GitHub organization
+
+New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
+existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
+days but depending on the volume of conversation), the maintainers of *the project where the issue
+was opened* (since different projects in the organization may have different maintainers) will
+decide whether the new project should be added. See the section above on voting if the maintainers
+cannot easily decide.
--- a/14
+++ b/14
@@ -0,0 +1,14 @@
+approvers:
+  - fntlnz
+  - kris-nova
+  - leodido
+  - mstemm
+  - leogr
+reviewers:
+  - fntlnz
+  - kaizhe
+  - kris-nova
+  - leodido
+  - mfdii
+  - mstemm
+  - leogr
--- a/README.md
+++ b/README.md
@@ -1,330 +1,84 @@
-# Sysdig Falco
-### *Host Activity Monitoring using Sysdig Event Filtering*
+<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>

-**Table of Contents**
+<hr>

- [Overview](#overview)
- [Rules](#rules)
- [Configuration](#configuration)
- [Installation](#installation)
- [Running Falco](#running-falco)
+# The Falco Project

+[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-## Overview
-Sysdig Falco is a behavioral activity monitor designed to secure your applications. Powered by Sysdig’s universal system level visibility, write simple and powerful rules, and then output warnings in the format you need. Continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
+#### Latest releases

+Read the [change log](CHANGELOG.md).
+
+|        | development                                                                                                                 | stable                                                                                                              |
+|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
+| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
+| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
+| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
+
+---
+
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+
+Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).

 #### What kind of behaviors can Falco detect?

-Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig's core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
- A shell is run inside a container
- A server process spawns a child process of an unexpected type
- Unexpected read of a sensitive file (like `/etc/passwd`)
- A non-device file is written to `/dev`
- A standard system binary (like `ls`) makes an outbound network connection
+Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

-#### How you use it
+- A shell is running inside a container.
+- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
+- A server process is spawning a child process of an unexpected type.
+- Unexpected read of a sensitive file, such as `/etc/shadow`.
+- A non-device file is written to `/dev`.
+- A standard system binary, such as `ls`, is making an outbound network connection.

-Falco is deployed as a long-running daemon. You can install it as a debian/rpm
-package on a regular host or container host, or you can deploy it as a
-container.

-Falco is configured via a rules file defining the behaviors and events to
-watch for, and a general configuration file. Rules are expressed in a
-high-level, human-readable language. We've provided a sample rule file
-`./rules/falco_rules.yaml` as a starting point - you can (and will likely
-want!) to adapt it to your environment.
+### Installing Falco

-When developing rules, one helpful feature is Falco's ability to read trace
-files saved by sysdig. This allows you to "record" the offending behavior
-once, and replay it with Falco as many times as needed while tweaking your
-rules.
+You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)

-Once deployed, Falco uses the Sysdig kernel module and userspace libraries to
-watch for any events matching one of the conditions defined in the rule
-file. If a matching event occurs, a notification is written to the the
-configured output(s).
+Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.

+#### How do you compare Falco with other security tools?

-## Rules
+One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.

-_Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_

-A Falco rules file is comprised of two kinds of elements: rules and macro definitions. Macros are simply definitions that can be re-used inside rules and other macros, providing a way to factor out and name common patterns.
+Documentation
+---

-#### Conditions
-
-The key part of a rule is the _condition_ field. A condition is simply a boolean predicate on sysdig events.
-Conditions are expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering). Any Sysdig filter is a valid Falco condition (with the caveat of certain excluded system calls, discussed below). In addition, Falco expressions can contain _macro_ terms, which are not present in Sysdig syntax.
-
-Here's an example of a condition that alerts whenever a bash shell is run inside a container:
-
-`container.id != host and proc.name = bash`
-
-The first clause checks that the event happened in a container (sysdig events have a `container` field that is equal to "host" if the event happened on a regular host). The second clause checks that the process name is `bash`. Note that this condition does not even include a clause with system call! It only uses event metadata. As such, if a bash shell does start up in a container, Falco will output events for every syscall that is done by that shell.
-
-_Tip: If you're new to sysdig and unsure what fields are available, run `sysdig -l` to see the list of supported fields._
-
-#### Rules
-
-Along with a condition, each rule includes the following fields:
-
-* _rule_: a short unique name for the rule
-* _desc_: a longer description of what the rule detects
-* _output_ and _priority_: The output format specifies the message that should be output if a matching event occurs, and follows the Sysdig [output format syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#output-formatting). The priority is a case-insensitive representation of severity and should be one of "emergency", "alert", "critical", "error", "warning", "notice", "informational", or "debug".
-
-A complete rule using the above condition might be:
-
-```yaml
- condition: container.id != host and proc.name = bash
-  output: "shell in a container (%user.name %container.id %proc.name %evt.dir %evt.type %evt.args %fd.name)"
-  priority: WARNING
-```
-
-#### Macros
-As noted above, macros provide a way to define common sub-portions of rules in a reusable way. As a very simple example, if we had many rules for events happening in containers, we might to define a `in_container` macro:
-
-```yaml
- macro: in_container
-  condition: container.id != host
-```
-
-With this macro defined, we can then rewrite the above rule's condition as `in_container and proc.name = bash`.
-
-For many more examples of rules and macros, please take a look at the accompanying [rules file](rules/falco_rules.yaml).
-
-
-#### Ignored system calls
-
-For performance reasons, some system calls are currently discarded before Falco processing. The current list is:
-`clock_getres,clock_gettime,clock_nanosleep,clock_settime,close,epoll_create,epoll_create1,epoll_ctl,epoll_pwait,epoll_wait,eventfd,fcntl,fcntl64,fstat,fstat64,fstatat64,fstatfs,fstatfs64,futex,getitimer,gettimeofday,ioprio_get,ioprio_set,llseek,lseek,lstat,lstat64,mmap,mmap2,munmap,nanosleep,poll,ppoll,pread64,preadv,procinfo,pselect6,pwrite64,pwritev,read,readv,recv,recvfrom,recvmmsg,recvmsg,sched_yield,select,send,sendfile,sendfile64,sendmmsg,sendmsg,sendto,setitimer,settimeofday,shutdown,splice,stat,stat64,statfs,statfs64,switch,tee,timer_create,timer_delete,timerfd_create,timerfd_gettime,timerfd_settime,timer_getoverrun,timer_gettime,timer_settime,wait4,write,writev`
-
-
-## Configuration
-
-General configuration is done via a separate yaml file. The
-[config file](falco.yaml) in this repo has comments describing the various
-configuration options.
-
-
-## Installation
-#### Scripted install
-
-To install Falco automatically in one step, simply run the following command as root or with sudo:
-
-`curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash`
-
-#### Package install
-
-##### RHEL
-
- Trust the Draios GPG key and configure the yum repository
-```
-rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
-curl -s -o /etc/yum.repos.d/draios.repo http://download.draios.com/stable/rpm/draios.repo
-```
- Install the EPEL repository
-
-Note: The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with yum list dkms
-
-`rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm`
-
- Install kernel headers
-
-Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly
-
-`yum -y install kernel-devel-$(uname -r)`
-
- Install Falco
-
-`yum -y install falco`
-
-
-To uninstall, just do `yum erase falco`.
-
-##### Debian
-
- Trust the Draios GPG key, configure the apt repository, and update the package list
-
-```
-curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
-curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
-apt-get update
-```
-
- Install kernel headers
-
-Warning: The following command might not work with any kernel. Make sure to customize the name of the package properly
-
-`apt-get -y install linux-headers-$(uname -r)`
-
- Install Falco
-
-`apt-get -y install falco`
-
-To uninstall, just do `apt-get remove falco`.
-
-
-##### Container install (general)
-
-If you have full control of your host operating system, then installing Falco using the normal installation method is the recommended best practice. This method allows full visibility into all containers on the host OS. No changes to the standard automatic/manual installation procedures are required.
-
-However, Falco can also run inside a Docker container. To guarantee a smooth deployment, the kernel headers must be installed in the host operating system, before running Falco.
-
-This can usually be done on Debian-like distributions with:
-`apt-get -y install linux-headers-$(uname -r)`
-
-Or, on RHEL-like distributions:
-`yum -y install kernel-devel-$(uname -r)`
-
-Falco can then be run with:
-
-```
-docker pull sysdig/falco
-docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco
-```
-
-##### Container install (CoreOS)
-
-The recommended way to run Falco on CoreOS is inside of its own Docker container using the install commands in the paragraph above. This method allows full visibility into all containers on the host OS.
-
-This method is automatically updated, includes some nice features such as automatic setup and bash completion, and is a generic approach that can be used on other distributions outside CoreOS as well.
-
-However, some users may prefer to run Falco in the CoreOS toolbox. While not the recommended method, this can be achieved by installing Falco inside the toolbox using the normal installation method, and then manually running the sysdig-probe-loader script:
-
-```
-toolbox --bind=/dev --bind=/var/run/docker.sock
-curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | bash
-sysdig-probe-loader
-```
-
-
-
-## Running Falco
-
-Falco is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line.
-
-#### Running Falco as a service (after installing package)
-
-`service falco start`
-
-#### Running Falco in a container
-
-`docker run -i -t --name falco --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/falco`
-
-#### Running Falco manually
-
-Do `falco --help` to see the command-line options available when running manually.
-
-
-## Building and running Falco locally from source
-Building Falco requires having `cmake` and `g++` installed.
-
-
-#### Building Falco
-Clone this repo in a directory that also contains the sysdig source repo. The result should be something like:
-
-```
-22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
-$ pwd
-/sysdig
-22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig
-$ ls -l
-total 20
-drwxr-xr-x  1 vagrant vagrant  238 Feb 21 21:44 falco
-drwxr-xr-x  1 vagrant vagrant  646 Feb 21 17:41 sysdig
-```
-
-create a build dir, then setup cmake and run make from that dir:
-
-```
-$ mkdir build
-$ cd build
-$ cmake ..
-$ make
-```
-
-as a result, you should have a falco executable in `build/userspace/falco/falco`.
-
-#### Load latest sysdig kernel module
-
-If you have a binary version of sysdig installed, an older sysdig kernel module may already be loaded. To ensure you are using the latest version, you should unload any existing sysdig kernel module and load the locally built version.
-
-Unload any existing kernel module via:
-
-`$ rmmod sysdig_probe`
-
-To load the locally built version, assuming you are in the `build` dir, use:
-
-`$ insmod driver/sysdig-probe.ko`
-
-#### Running Falco
-
-Assuming you are in the `build` dir, you can run Falco as:
-
-`$ sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml`
-
-Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this:
-
-Create a file with some [Falco rules](Rule-syntax-and-design). For example:
-```
- macro: open_write
-  condition: >
-    (evt.type=open or evt.type=openat) and
-    fd.typechar='f' and
-    (evt.arg.flags contains O_WRONLY or
-    evt.arg.flags contains O_RDWR or
-    evt.arg.flags contains O_CREAT or
-    evt.arg.flags contains O_TRUNC)
-
- macro: bin_dir
-  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
-
- rule: write_binary_dir
-  desc: an attempt to write to any file below a set of binary directories
-  condition: evt.dir = > and open_write and bin_dir
-  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
-  priority: WARNING
-
-```
-
-And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!
+See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.

 Join the Community
 ---
-* Contact the [official mailing list] (https://groups.google.com/forum/#!forum/falco) for support and to talk with other users.
-* Follow us on [Twitter] (https://twitter.com/sysdig) for general falco and sysdig news.
-* This is our [blog] (https://sysdig.com/blog/), where you can find the latest [falco](https://sysdig.com/blog/tag/falco/) posts.
-* Join our [Public Slack](https://sysdig.slack.com) channel for sysdig and falco announcements and discussions.
+
+To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

 License Terms
 ---
-Falco is licensed to you under the [GPL 2.0](./COPYING) open source license.

-Contributor License Agreements
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+Contributing
 ---
-###Background
- As we did for sysdig, we are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.

- We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
+See the [CONTRIBUTING.md](./CONTRIBUTING.md).

- For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:
- - [Django’s excellent CLA FAQ](https://www.djangoproject.com/foundation/cla/faq/)
- - [A well-written chapter from Karl Fogel’s Producing Open Source Software on CLAs](http://producingoss.com/en/copyright-assignment.html)
- - [The Wikipedia article on CLAs](http://en.wikipedia.org/wiki/Contributor_license_agreement)
+Security
+---

- As always, we are grateful for your past and present contributions to falco.
+### Security Audit

- ###What do I need to do in order to contribute code?
- **Individual contributions**: Individuals who wish to make contributions must review the [Individual Contributor License Agreement](./cla/falco_contributor_agreement.txt) and indicate agreement by adding the following line to every GIT commit message:
+A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).

-  falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+### Reporting security vulnerabilities
+Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).

-  Use your real name; pseudonyms or anonymous contributions are not allowed.
-
-  **Corporate contributions**: Employees of corporations, members of LLCs or LLPs, or others acting on behalf of a contributing entity, must review the [Corporate Contributor License Agreement](./cla/falco_corp_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
-
-   falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
-   falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-
-   Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+[1]: https://dl.bintray.com/falcosecurity/rpm-dev
+[2]: https://dl.bintray.com/falcosecurity/rpm
+[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
+[4]: https://dl.bintray.com/falcosecurity/deb/stable
+[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -0,0 +1,81 @@
+# Falco Release Process
+
+Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
+
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+
+Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+
+## Pre-Release Checklist
+
+### 1. Release notes
+- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - If the PR has no milestone, assign it to the milestone currently undergoing release
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+
+### 2. Milestones
+
+- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
+
+### 3. Release PR
+
+- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
+    - If any, manually correct it then open an issue to automate version number bumping later
+    - Versions table in the `README.md` update itself automatically
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+- Add the lastest changes on top the previous `CHANGELOG.md`
+- Submit a PR with the above modifications
+- Await PR approval
+- Close the completed milestone as soon PR is merged
+
+## Release
+
+Let `x.y.z` the new version.
+
+### 1. Create a tag
+
+- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
+
+    ```
+    git pull
+    git checkout master
+    git tag x.y.z
+    git push origin x.y.z
+    ```
+
+> **N.B.**: do NOT use an annotated tag
+
+- Wait for the CI to complete
+
+### 2. Update the GitHub release
+
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `x.y.z` both as tag version and release title
+- Use the following template to fill the release description:
+    ```
+    <!-- Copy the relevant part of the changelog here -->
+
+    ### Statistics
+
+    | Merged PRs        | Number  |
+    |-------------------|---------|
+    | Not user-facing   | x       |
+    | Release note      | x       |
+    | Total             | x       |
+
+    <!-- Calculate stats and fill the above table -->
+    ```
+
+- Finally, publish the release!
+
+## Post-Release tasks
+
+Announce the new release to the world!
+
+- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
+- Let folks in the slack #falco channel know about a new release came out
--- a/audits/SECURITY_AUDIT_2019_07.pdf
+++ b/audits/SECURITY_AUDIT_2019_07.pdf
--- a/brand/README.md
+++ b/brand/README.md
@@ -0,0 +1,142 @@
+<p align="center"><img src="primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>
+
+# Falco Branding Guidelines
+
+This document describes The Falco Project's branding guidelines, language, and message.
+
+Content in this document can be used to publically share about Falco.
+
+
+
+### Logo
+
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+
+The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
+
+### Slogan
+
+> Cloud Native Runtime Security
+
+### What is Falco?
+
+Falco is a runtime security project originally created by Sysdig, Inc.
+Falco was contributed to the CNCF in October 2018.
+The CNCF now owns The Falco Project.
+
+### What is Runtime Security?
+
+Runtime security refers to an approach to preventing unwanted activity on a computer system. 
+With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
+Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
+
+### What does Falco do?
+
+Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
+Falco parses the signals and asserts them against security rules.
+If a rule has been violated, Falco triggers an alert. 
+
+### How does Falco work?
+
+Falco traces kernel events and reports information about the system calls being executed at runtime.
+Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco enriches these kernel events with information about containers running on the system.
+Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
+At runtime, Falco will reason about these events and assert them against configured security rules.
+Based on the severity of a violation an alert is triggered.
+These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
+
+### Benefits of using Falco
+
+ - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
+ - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
+ - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
+    
+### Falco and securing Kubernetes
+
+Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
+
+Examples of malicious behavior include: 
+
+ - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
+ - Insecure configurations in applications or Kubernetes itself. 
+ - Leaked or weak credentials or secret material.
+ - Insider threats from adjacent applications running at the same layer. 
+
+Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
+By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
+                                 
+### Writing about Falco
+
+##### Yes
+
+Notice the capitalization of the following terms.
+
+ - The Falco Project
+ - Falco
+
+##### No
+
+ - falco
+ - the falco project
+ - the Falco project
+
+### Encouraged Phrasing
+
+Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
+Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
+
+##### Falco as a factory
+
+This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
+
+##### The engine that powers...
+
+Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
+
+##### Anomaly detection
+
+This refers to an event that occurs with something unsual, concerning, or odd occurs.
+We can associate anomalies with unwanted behavior, and alert in their presence.
+
+##### Detection tooling
+
+Falco does not prevent unwanted behavior.
+Falco however alerts when unusual behavior occurs.
+This is commonly referred to as **detection** or **forensics**.
+
+
+---
+
+# Glossary 
+
+#### Probe
+
+Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `module`.
+
+#### Module
+
+Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `probe`.
+
+#### Driver 
+
+The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+
+#### Falco
+
+The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
+
+#### Sysdig, Inc
+
+The name of the company that originally created The Falco Project, and later donated to the CNCF.
+
+#### sysdig 
+
+A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+
--- a/brand/primary-logo.png
+++ b/brand/primary-logo.png
--- a/brand/teal-logo.svg
+++ b/brand/teal-logo.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>
--- a/brand/white-logo.png
+++ b/brand/white-logo.png
--- a/cla/falco_contributor_agreement.txt
+++ b/cla/falco_contributor_agreement.txt
@@ -1,30 +0,0 @@
-DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT (“Agreement”)
-
-Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
-
-1. Definitions.  "You" (or "Your") shall mean the individual natural person and copyright owner who is making this Agreement with Draios/Sysdig. “You” excludes legal entities such as corporations, and Draios/Sysdig provides a separate CLA for corporations or other entities. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
-
-2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-4. You represent to Draios/Sysdig that You are legally entitled to grant the licenses set forth above.
-
-5. You represent that each of Your Contributions is Your original creation unless you act according to section 7 below. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes your real name and not a pseudonym, and that you shall not attempt or make an anonymous Contribution.
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
-
-9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that I submit with it, including my sign-off, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay you any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that you are independent of Draios/Sysdig and you are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
-
-TO AGREE:
-Add the following line to every GIT commit message:
-
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-
-Use your real name; pseudonyms or anonymous contributions are not allowed.
--- a/cla/falco_corp_contributor_agreement.txt
+++ b/cla/falco_corp_contributor_agreement.txt
@@ -1,33 +0,0 @@
-DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT FOR CONTRIBUTING ENTITIES (SUCH AS CORPORATIONS) (“Agreement”)
-
-Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
-
-A “contributing entity” means a corporation, limited liability company, partnership, or other entity that is organized and recognized under the laws of a state of the United States or another country (a “contributing entity”). We provide a separate CLA for individual contributors.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
-
-1. Definitions.  "You" (or "Your") shall mean the contributing entity that owns for copyright purposes or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig, and all other entities that control, are controlled by, or are under common control with the contributing entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
-
-2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the licenses set forth above.
-
-5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
-
-9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
-
-TO AGREE:
-Add the following lines to every GIT commit message:
-
-falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-
-Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
--- a/cmake/cpack/debian/conffiles
+++ b/cmake/cpack/debian/conffiles
@@ -0,0 +1,4 @@
+/etc/falco/falco.yaml
+/etc/falco/falco_rules.yaml
+/etc/falco/rules.available/application_rules.yaml
+/etc/falco/falco_rules.local.yaml
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
+set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
+set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
+set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
+set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
+set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
+set(CPACK_STRIP_FILES "ON")
+set(CPACK_PACKAGE_RELOCATABLE "OFF")
+
+set(CPACK_GENERATOR DEB RPM TGZ)
+
+set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
+set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+)
+
+set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
+    /usr/src
+    /usr/share/man
+    /usr/share/man/man8
+    /etc
+    /usr
+    /usr/bin
+    /usr/share
+    /etc/rc.d
+    /etc/rc.d/init.d)
+set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
+
+include(CPack)
--- a/cmake/modules/Catch.cmake
+++ b/cmake/modules/Catch.cmake
@@ -0,0 +1,159 @@
+# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
+# https://cmake.org/licensing for details.
+
+#[=======================================================================[.rst:
+Catch
+-----
+
+This module defines a function to help use the Catch test framework.
+
+The :command:`catch_discover_tests` discovers tests by asking the compiled test
+executable to enumerate its tests.  This does not require CMake to be re-run
+when tests change.  However, it may not work in a cross-compiling environment,
+and setting test properties is less convenient.
+
+This command is intended to replace use of :command:`add_test` to register
+tests, and will create a separate CTest test for each Catch test case.  Note
+that this is in some cases less efficient, as common set-up and tear-down logic
+cannot be shared by multiple test cases executing in the same instance.
+However, it provides more fine-grained pass/fail information to CTest, which is
+usually considered as more beneficial.  By default, the CTest test name is the
+same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.
+
+.. command:: catch_discover_tests
+
+  Automatically add tests with CTest by querying the compiled test executable
+  for available tests::
+
+    catch_discover_tests(target
+                         [TEST_SPEC arg1...]
+                         [EXTRA_ARGS arg1...]
+                         [WORKING_DIRECTORY dir]
+                         [TEST_PREFIX prefix]
+                         [TEST_SUFFIX suffix]
+                         [PROPERTIES name1 value1...]
+                         [TEST_LIST var]
+    )
+
+  ``catch_discover_tests`` sets up a post-build command on the test executable
+  that generates the list of tests by parsing the output from running the test
+  with the ``--list-test-names-only`` argument.  This ensures that the full
+  list of tests is obtained.  Since test discovery occurs at build time, it is
+  not necessary to re-run CMake when the list of tests changes.
+  However, it requires that :prop_tgt:`CROSSCOMPILING_EMULATOR` is properly set
+  in order to function in a cross-compiling environment.
+
+  Additionally, setting properties on tests is somewhat less convenient, since
+  the tests are not available at CMake time.  Additional test properties may be
+  assigned to the set of tests as a whole using the ``PROPERTIES`` option.  If
+  more fine-grained test control is needed, custom content may be provided
+  through an external CTest script using the :prop_dir:`TEST_INCLUDE_FILES`
+  directory property.  The set of discovered tests is made accessible to such a
+  script via the ``<target>_TESTS`` variable.
+
+  The options are:
+
+  ``target``
+    Specifies the Catch executable, which must be a known CMake executable
+    target.  CMake will substitute the location of the built executable when
+    running the test.
+
+  ``TEST_SPEC arg1...``
+    Specifies test cases, wildcarded test cases, tags and tag expressions to
+    pass to the Catch executable with the ``--list-test-names-only`` argument.
+
+  ``EXTRA_ARGS arg1...``
+    Any extra arguments to pass on the command line to each test case.
+
+  ``WORKING_DIRECTORY dir``
+    Specifies the directory in which to run the discovered test cases.  If this
+    option is not provided, the current binary directory is used.
+
+  ``TEST_PREFIX prefix``
+    Specifies a ``prefix`` to be prepended to the name of each discovered test
+    case.  This can be useful when the same test executable is being used in
+    multiple calls to ``catch_discover_tests()`` but with different
+    ``TEST_SPEC`` or ``EXTRA_ARGS``.
+
+  ``TEST_SUFFIX suffix``
+    Similar to ``TEST_PREFIX`` except the ``suffix`` is appended to the name of
+    every discovered test case.  Both ``TEST_PREFIX`` and ``TEST_SUFFIX`` may
+    be specified.
+
+  ``PROPERTIES name1 value1...``
+    Specifies additional properties to be set on all tests discovered by this
+    invocation of ``catch_discover_tests``.
+
+  ``TEST_LIST var``
+    Make the list of tests available in the variable ``var``, rather than the
+    default ``<target>_TESTS``.  This can be useful when the same test
+    executable is being used in multiple calls to ``catch_discover_tests()``.
+    Note that this variable is only available in CTest.
+
+#]=======================================================================]
+
+# ------------------------------------------------------------------------------
+function(catch_discover_tests TARGET)
+  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
+                        ${ARGN})
+
+  if(NOT _WORKING_DIRECTORY)
+    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
+  endif()
+  if(NOT _TEST_LIST)
+    set(_TEST_LIST ${TARGET}_TESTS)
+  endif()
+
+  # Generate a unique name based on the extra arguments
+  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
+  string(SUBSTRING ${args_hash} 0 7 args_hash)
+
+  # Define rule to generate test list for aforementioned test executable
+  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
+  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
+  get_property(
+    crosscompiling_emulator
+    TARGET ${TARGET}
+    PROPERTY CROSSCOMPILING_EMULATOR)
+  add_custom_command(
+    TARGET ${TARGET}
+    POST_BUILD
+    BYPRODUCTS "${ctest_tests_file}"
+    COMMAND
+      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
+      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
+      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
+      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
+      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
+    VERBATIM)
+
+  file(
+    WRITE "${ctest_include_file}"
+    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
+    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")
+
+  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
+    # Add discovered tests to directory TEST_INCLUDE_FILES
+    set_property(
+      DIRECTORY
+      APPEND
+      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
+  else()
+    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
+    get_property(
+      test_include_file_set
+      DIRECTORY
+      PROPERTY TEST_INCLUDE_FILE
+      SET)
+    if(NOT ${test_include_file_set})
+      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
+    else()
+      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
+    endif()
+  endif()
+
+endfunction()
+
+# ######################################################################################################################
+
+set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)
--- a/cmake/modules/CatchAddTests.cmake
+++ b/cmake/modules/CatchAddTests.cmake
@@ -0,0 +1,61 @@
+# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
+# https://cmake.org/licensing for details.
+
+set(prefix "${TEST_PREFIX}")
+set(suffix "${TEST_SUFFIX}")
+set(spec ${TEST_SPEC})
+set(extra_args ${TEST_EXTRA_ARGS})
+set(properties ${TEST_PROPERTIES})
+set(script)
+set(suite)
+set(tests)
+
+function(add_command NAME)
+  set(_args "")
+  foreach(_arg ${ARGN})
+    if(_arg MATCHES "[^-./:a-zA-Z0-9_]")
+      set(_args "${_args} [==[${_arg}]==]") # form a bracket_argument
+    else()
+      set(_args "${_args} ${_arg}")
+    endif()
+  endforeach()
+  set(script
+      "${script}${NAME}(${_args})\n"
+      PARENT_SCOPE)
+endfunction()
+
+# Run test executable to get list of available tests
+if(NOT EXISTS "${TEST_EXECUTABLE}")
+  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
+endif()
+execute_process(
+  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
+  OUTPUT_VARIABLE output
+  RESULT_VARIABLE result)
+# Catch --list-test-names-only reports the number of tests, so 0 is... surprising
+if(${result} EQUAL 0)
+  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
+elseif(${result} LESS 0)
+  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
+                      "  Output: ${output}\n")
+endif()
+
+string(REPLACE "\n" ";" output "${output}")
+
+# Parse output
+foreach(line ${output})
+  set(test ${line})
+  # use escape commas to handle properly test cases with commans inside the name
+  string(REPLACE "," "\\," test_name ${test})
+  # ...and add to script
+  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
+  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
+              ${properties})
+  list(APPEND tests "${prefix}${test}${suffix}")
+endforeach()
+
+# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
+add_command(set ${TEST_LIST} ${tests})
+
+# Write CTest script
+file(WRITE "${CTEST_FILE}" "${script}")
--- a/cmake/modules/Coverage.cmake
+++ b/cmake/modules/Coverage.cmake
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# Tests coverage
+option(FALCO_COVERAGE "Build test suite with coverage information" OFF)
+if(FALCO_COVERAGE)
+  if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")))
+    message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
+  endif()
+
+  message(STATUS "Building with coverage information")
+  add_compile_options(-g --coverage)
+  set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
+endif()
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+include(ExternalProject)
+
+set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
+
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
+                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
+
+ExternalProject_Add(
+  catch2
+  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
+  ${CATCH_EXTERNAL_URL}
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
+                  ${CATCH2_INCLUDE}/catch.hpp)
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+include(ExternalProject)
+
+set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
+
+set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
+                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
+
+ExternalProject_Add(
+  fakeit-external
+  PREFIX ${CMAKE_BINARY_DIR}/fakeit-prefix
+  ${FAKEIT_EXTERNAL_URL}
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND
+    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
+    ${FAKEIT_INCLUDE}/fakeit.hpp)
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
+set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
+message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
+
+ExternalProject_Add(
+  string-view-lite
+  PREFIX ${STRING_VIEW_LITE_PREFIX}
+  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
+  GIT_TAG "v1.4.0"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND
+    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
+    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
+# Usage: In your CMakeLists.txt include(FindMakedev)
+#
+# In your source code:
+#
+# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
+#
+include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
+
+check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
+check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
+
+if(HAVE_SYS_MKDEV_H)
+  add_definitions(-DHAVE_SYS_MKDEV_H)
+endif()
+if(HAVE_SYS_SYSMACROS_H)
+  add_definitions(-DHAVE_SYS_SYSMACROS_H)
+endif()
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+# Retrieve git ref and commit hash
+include(GetGitRevisionDescription)
+
+# Create the falco version variable according to git index
+if(NOT FALCO_VERSION)
+  string(STRIP "${FALCO_HASH}" FALCO_HASH)
+  # Try to obtain the exact git tag
+  git_get_exact_tag(FALCO_TAG)
+  if(NOT FALCO_TAG)
+    # Obtain the closest tag
+    git_describe(FALCO_VERSION "--always" "--tags")
+    # Fallback version
+    if(FALCO_VERSION MATCHES "NOTFOUND$")
+      set(FALCO_VERSION "0.0.0")
+    endif()
+    # Format FALCO_VERSION to be semver with prerelease and build part
+    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+  else()
+    # A tag has been found: use it as the Falco version
+    set(FALCO_VERSION "${FALCO_TAG}")
+    # Remove the starting "v" in case there is one
+    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
+  endif()
+  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
+  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                       "${FALCO_VERSION}")
+  string(
+    REGEX
+    REPLACE
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+      "\\5"
+      FALCO_VERSION_PRERELEASE
+      "${FALCO_VERSION}")
+  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_PRERELEASE "")
+  endif()
+  if(NOT FALCO_VERSION_BUILD)
+    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+  endif()
+  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_BUILD "")
+  endif()
+endif()
+message(STATUS "Falco version: ${FALCO_VERSION}")
--- a/cmake/modules/GetGitRevisionDescription.cmake
+++ b/cmake/modules/GetGitRevisionDescription.cmake
@@ -0,0 +1,169 @@
+# * Returns a version string from Git
+#
+# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
+# build system.
+#
+# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
+#
+# Returns the refspec and sha hash of the current head revision
+#
+# git_describe(<var> [<additional arguments to git describe> ...])
+#
+# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
+# occurs.
+#
+# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
+#
+# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
+# if there was no exact matching tag.
+#
+# git_local_changes(<var>)
+#
+# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
+# HEAD --". Does not regard untracked files.
+#
+# Requires CMake 2.6 or newer (uses the 'function' command)
+#
+# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
+# Iowa State University HCI Graduate Program/VRAC
+#
+# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
+# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+
+if(__get_git_revision_description)
+  return()
+endif()
+set(__get_git_revision_description YES)
+
+# We must run the following at "include" time, not at function call time, to find the path to this module rather than
+# the path to a calling list file
+get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
+
+function(get_git_head_revision _refspecvar _hashvar)
+  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
+  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
+  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
+    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
+    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
+    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
+      # We have reached the root directory, we are not in git
+      set(${_refspecvar}
+          "GITDIR-NOTFOUND"
+          PARENT_SCOPE)
+      set(${_hashvar}
+          "GITDIR-NOTFOUND"
+          PARENT_SCOPE)
+      return()
+    endif()
+    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
+  endwhile()
+  # check if this is a submodule
+  if(NOT IS_DIRECTORY ${GIT_DIR})
+    file(READ ${GIT_DIR} submodule)
+    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
+    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
+    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
+  endif()
+  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
+  if(NOT EXISTS "${GIT_DATA}")
+    file(MAKE_DIRECTORY "${GIT_DATA}")
+  endif()
+
+  if(NOT EXISTS "${GIT_DIR}/HEAD")
+    return()
+  endif()
+  set(HEAD_FILE "${GIT_DATA}/HEAD")
+  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
+
+  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
+  include("${GIT_DATA}/grabRef.cmake")
+
+  set(${_refspecvar}
+      "${HEAD_REF}"
+      PARENT_SCOPE)
+  set(${_hashvar}
+      "${HEAD_HASH}"
+      PARENT_SCOPE)
+endfunction()
+
+function(git_describe _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+        "GIT-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+        "HEAD-HASH-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    describe
+    ${hash}
+    ${ARGN}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()
+
+  set(${_var}
+      "${out}"
+      PARENT_SCOPE)
+endfunction()
+
+function(git_get_exact_tag _var)
+  git_describe(out --exact-match ${ARGN})
+  set(${_var}
+      "${out}"
+      PARENT_SCOPE)
+endfunction()
+
+function(git_local_changes _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+        "GIT-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+        "HEAD-HASH-NOTFOUND"
+        PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(
+    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
+    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE res
+    OUTPUT_VARIABLE out
+    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(res EQUAL 0)
+    set(${_var}
+        "CLEAN"
+        PARENT_SCOPE)
+  else()
+    set(${_var}
+        "DIRTY"
+        PARENT_SCOPE)
+  endif()
+endfunction()
--- a/cmake/modules/GetGitRevisionDescription.cmake.in
+++ b/cmake/modules/GetGitRevisionDescription.cmake.in
@@ -0,0 +1,41 @@
+#
+# Internal file for GetGitRevisionDescription.cmake
+#
+# Requires CMake 2.6 or newer (uses the 'function' command)
+#
+# Original Author:
+# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
+# http://academic.cleardefinition.com
+# Iowa State University HCI Graduate Program/VRAC
+#
+# Copyright Iowa State University 2009-2010.
+# Distributed under the Boost Software License, Version 1.0.
+# (See accompanying file LICENSE_1_0.txt or copy at
+# http://www.boost.org/LICENSE_1_0.txt)
+
+set(HEAD_HASH)
+
+file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
+
+string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
+if(HEAD_CONTENTS MATCHES "ref")
+	# named branch
+	string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
+	if(EXISTS "@GIT_DIR@/${HEAD_REF}")
+		configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
+	else()
+		configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
+		file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
+		if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
+			set(HEAD_HASH "${CMAKE_MATCH_1}")
+		endif()
+	endif()
+else()
+	# detached HEAD
+	configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
+endif()
+
+if(NOT HEAD_HASH)
+	file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
+	string(STRIP "${HEAD_HASH}" HEAD_HASH)
+endif()
--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_package(OpenSSL REQUIRED)
+  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+  find_program(OPENSSL_BINARY openssl)
+  if(NOT OPENSSL_BINARY)
+    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
+  else()
+    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
+  endif()
+else()
+  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
+  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
+  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
+  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
+
+  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+  ExternalProject_Add(
+    openssl
+    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
+    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
+    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    BUILD_COMMAND ${CMD_MAKE}
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND ${CMD_MAKE} install)
+endif()
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+if(NOT USE_BUNDLED_DEPS)
+  find_package(CURL REQUIRED)
+  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
+else()
+  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
+  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
+
+  if(NOT USE_BUNDLED_OPENSSL)
+    set(CURL_SSL_OPTION "--with-ssl")
+  else()
+    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
+  endif()
+
+  externalproject_add(
+    curl
+    DEPENDS openssl
+    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
+    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
+    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+    CONFIGURE_COMMAND
+      ./configure
+      ${CURL_SSL_OPTION}
+      --disable-shared
+      --enable-optimize
+      --disable-curldebug
+      --disable-rt
+      --enable-http
+      --disable-ftp
+      --disable-file
+      --disable-ldap
+      --disable-ldaps
+      --disable-rtsp
+      --disable-telnet
+      --disable-tftp
+      --disable-pop3
+      --disable-imap
+      --disable-smb
+      --disable-smtp
+      --disable-gopher
+      --disable-sspi
+      --disable-ntlm-wb
+      --disable-tls-srp
+      --without-winssl
+      --without-darwinssl
+      --without-polarssl
+      --without-cyassl
+      --without-nss
+      --without-axtls
+      --without-ca-path
+      --without-ca-bundle
+      --without-libmetalink
+      --without-librtmp
+      --without-winidn
+      --without-libidn2
+      --without-libpsl
+      --without-nghttp2
+      --without-libssh2
+      --disable-threaded-resolver
+      --without-brotli
+    BUILD_COMMAND ${CMD_MAKE}
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -0,0 +1,131 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+if(NOT USE_BUNDLED_DEPS)
+  # zlib
+  include(FindZLIB)
+  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
+  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
+
+  if(ZLIB_INCLUDE AND ZLIB_LIB)
+    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
+  endif()
+
+  # c-ares
+  find_path(CARES_INCLUDE NAMES ares.h)
+  find_library(CARES_LIB NAMES libcares.so)
+  if(CARES_INCLUDE AND CARES_LIB)
+    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system c-ares")
+  endif()
+
+  # protobuf
+  find_program(PROTOC NAMES protoc)
+  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
+  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
+  if(PROTOC
+     AND PROTOBUF_INCLUDE
+     AND PROTOBUF_LIB)
+    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system protobuf")
+  endif()
+
+  # gpr
+  find_library(GPR_LIB NAMES gpr)
+
+  if(GPR_LIB)
+    message(STATUS "Found gpr lib: ${GPR_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system gpr")
+  endif()
+
+  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
+  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+  if(GRPCXX_INCLUDE)
+    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+  else()
+    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+  endif()
+  find_library(GRPC_LIB NAMES grpc)
+  find_library(GRPCPP_LIB NAMES grpc++)
+  if(GRPC_INCLUDE
+     AND GRPC_LIB
+     AND GRPCPP_LIB)
+    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system grpc")
+  endif()
+  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+  if(NOT GRPC_CPP_PLUGIN)
+    message(FATAL_ERROR "System grpc_cpp_plugin not found")
+  endif()
+
+else()
+  find_package(PkgConfig)
+    if(NOT PKG_CONFIG_FOUND)
+      message(FATAL_ERROR "pkg-config binary not found")
+  endif()
+  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
+  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+  set(GRPC_INCLUDE "${GRPC_SRC}/include")
+  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
+  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
+  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
+  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
+
+  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
+  # likely that protobuf will be very outdated
+  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
+  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
+  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
+  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that zlib will be very outdated
+  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
+  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+
+  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
+  message(
+    STATUS
+      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
+
+  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+  ExternalProject_Add(
+    grpc
+    DEPENDS openssl
+    GIT_REPOSITORY https://github.com/grpc/grpc.git
+    GIT_TAG v1.25.0
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    BUILD_IN_SOURCE 1
+    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
+    INSTALL_COMMAND ""
+    CONFIGURE_COMMAND ""
+    BUILD_COMMAND
+      CFLAGS=-Wno-implicit-fallthrough
+      HAS_SYSTEM_ZLIB=false
+      HAS_SYSTEM_PROTOBUF=false
+      HAS_SYSTEM_CARES=false
+      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
+      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
+      PATH=${PROTOC_DIR}:$ENV{PATH}
+      make
+      static_cxx
+      static_c
+      grpc_cpp_plugin)
+endif()
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+  find_library(JQ_LIB NAMES jq)
+  if(JQ_INCLUDE AND JQ_LIB)
+    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system jq")
+  endif()
+else()
+  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+  message(STATUS "Using bundled jq in '${JQ_SRC}'")
+  set(JQ_INCLUDE "${JQ_SRC}")
+  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
+  ExternalProject_Add(
+    jq
+    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
+    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
+    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
+    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+    BUILD_IN_SOURCE 1
+    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
+    INSTALL_COMMAND "")
+endif()
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+    find_library(LIBYAML_LIB NAMES libyaml.so)
+    if(LIBYAML_LIB)
+    message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
+    else()
+    message(FATAL_ERROR "Couldn't find system libyaml")
+    endif()
+else()
+    set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+    message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+    set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+    ExternalProject_Add(
+    libyaml
+    URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+    URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+    CONFIGURE_COMMAND ./configure --enable-static=true --enable-shared=false
+    BUILD_COMMAND ${CMD_MAKE} 
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+cmake_minimum_required(VERSION 3.5.1)
+
+project(sysdig-repo NONE)
+
+include(ExternalProject)
+message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
+ExternalProject_Add(
+  sysdig
+  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
+  URL_HASH "${SYSDIG_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -0,0 +1,31 @@
+diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
+index e9faea51..a1b3b501 100644
+--- a/userspace/libscap/scap.c
+++ b/userspace/libscap/scap.c
+@@ -52,7 +52,7 @@ limitations under the License.
+ //#define NDEBUG
+ #include <assert.h>
+ 
+-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
+ 
+ //
+ // Probe version string size
+@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				return NULL;
+ 			}
+ 
+-			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
+ 			bpf_probe = buf;
+ 		}
+ 	}
+@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+ 
+ const char* scap_get_host_root()
+ {
+-	char* p = getenv("SYSDIG_HOST_ROOT");
+	char* p = getenv("HOST_ROOT");
+ 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
+ 	static bool inited = false;
+ 	if (! inited) {
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -0,0 +1,68 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
+set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
+
+# this needs to be here at the top
+if(USE_BUNDLED_DEPS)
+  # explicitly force this dependency to use the bundled OpenSSL
+  set(USE_BUNDLED_OPENSSL ON)
+endif()
+
+file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+# The sysdig git reference (branch name, commit hash, or tag)
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "85c88952b018fdbce2464222c3303229f5bfcfad")
+  set(SYSDIG_CHECKSUM "SHA256=6c3f5f2d699c9540e281f50cbc5cb6b580f0fc689798bc65d4a77f57f932a71c")
+endif()
+set(PROBE_VERSION "${SYSDIG_VERSION}")
+
+# cd /path/to/build && cmake /path/to/source
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+
+# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
+
+# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
+# "${SYSDIG_CMAKE_SOURCE_DIR}")
+
+execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
+set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
+
+# jsoncpp
+set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
+set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
+set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
+
+# Add driver directory
+add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
+
+# Add libscap directory
+add_definitions(-D_GNU_SOURCE)
+add_definitions(-DHAS_CAPTURE)
+add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
+
+# Add libsinsp directory
+add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
+add_dependencies(sinsp tbb b64 luajit)
+
+# explicitly disable the tests of this dependency
+set(CREATE_TEST_TARGETS OFF)
+
+if(USE_BUNDLED_DEPS)
+  add_dependencies(scap grpc curl jq)
+endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+if(NOT USE_BUNDLED_DEPS)
+  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
+  find_library(YAMLCPP_LIB NAMES yaml-cpp)
+  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
+    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system yamlcpp")
+  endif()
+else()
+  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
+  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
+  set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
+  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
+  ExternalProject_Add(
+    yamlcpp
+    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
+    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()
--- a/docker/CMakeLists.txt
+++ b/docker/CMakeLists.txt
@@ -0,0 +1 @@
+add_subdirectory(local)
--- a/docker/OWNERS
+++ b/docker/OWNERS
@@ -0,0 +1,6 @@
+labels:
+  - area/integration
+approvers:
+  - leogr
+reviewers:
+  - leogr
--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,17 @@
+# Falco Dockerfiles
+
+This directory contains various ways to package Falco as a container and related tools. 
+
+## Currently Supported Images
+
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -0,0 +1,45 @@
+FROM centos:7
+
+LABEL name="falcosecurity/falco-builder"
+LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG BUILD_TYPE=release
+ARG BUILD_DRIVER=OFF
+ARG BUILD_BPF=OFF
+ARG BUILD_WARNINGS_AS_ERRORS=ON
+ARG MAKE_JOBS=4
+ARG FALCO_VERSION
+
+ENV BUILD_TYPE=${BUILD_TYPE}
+ENV BUILD_DRIVER=${BUILD_DRIVER}
+ENV BUILD_BPF=${BUILD_BPF}
+ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
+ENV MAKE_JOBS=${MAKE_JOBS}
+ENV FALCO_VERSION=${FALCO_VERSION}
+
+# build toolchain
+RUN yum -y install centos-release-scl && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
+    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
+    rpm -V $INSTALL_PKGS
+
+ARG CMAKE_VERSION=3.5.1
+RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
+    cd /tmp && \
+    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
+    cd cmake-${CMAKE_VERSION} && \
+    ./bootstrap --system-curl && \
+    make -j${MAKE_JOBS} && \
+    make install && \
+    rm -rf /tmp/cmake-${CMAKE_VERSION}
+
+COPY ./root /
+
+# DTS
+ENV BASH_ENV=/usr/bin/scl_enable \
+    ENV=/usr/bin/scl_enable \
+    PROMPT_COMMAND=". /usr/bin/scl_enable"
+
+ENTRYPOINT ["entrypoint"]
+CMD ["usage"]
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SOURCE_DIR=/source
+BUILD_DIR=/build
+CMD=${1:-usage}
+shift
+
+# Build type can be "debug" or "release", fallbacks to "release" by default
+BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
+DRAIOS_DEBUG_FLAGS=
+case "$BUILD_TYPE" in
+"debug")
+    DRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
+    ;;
+*)
+    BUILD_TYPE="release"
+    ;;
+esac
+
+case "$CMD" in
+"cmake")
+    # Check that source directory contains Falco
+    if [ ! -d "$SOURCE_DIR/falco" ]; then
+        echo "Missing falco source." >&2
+        exit 1
+    fi
+    # Prepare build directory
+    mkdir -p "$BUILD_DIR/$BUILD_TYPE"
+    cd "$BUILD_DIR/$BUILD_TYPE"
+
+    cmake \
+    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
+    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DBUILD_DRIVER="$BUILD_DRIVER" \
+    -DBUILD_BPF="$BUILD_BPF" \
+    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
+    -DFALCO_VERSION="$FALCO_VERSION" \
+    -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
+    -DUSE_BUNDLED_DEPS=ON \
+    "$SOURCE_DIR/falco"
+    exit "$(printf '%d\n' $?)"
+    ;;
+"bash")
+    CMD=/bin/bash
+    ;& # fallthrough
+"usage")
+    exec "$CMD" "$@"
+    ;;
+*)
+    if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
+        echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
+        exit 1
+    fi
+    cd "$BUILD_DIR/$BUILD_TYPE"
+    make -j"$MAKE_JOBS" "$CMD"
+    ;;
+esac
--- a/docker/builder/root/usr/bin/scl_enable
+++ b/docker/builder/root/usr/bin/scl_enable
@@ -0,0 +1,6 @@
+# IMPORTANT: Do not add more content to this file unless you know what you are doing.
+#            This file is sourced everytime the shell session is opened.
+#
+# This will make scl collection binaries work out of box.
+unset BASH_ENV PROMPT_COMMAND ENV
+source scl_source enable devtoolset-7 llvm-toolset-7
--- a/docker/builder/root/usr/bin/usage
+++ b/docker/builder/root/usr/bin/usage
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+gccversion=$(gcc --version | head -n1)
+cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
+cmakeversion=$(cmake --version | head -n1)
+clangversion=$(clang --version | head -n1)
+
+cat <<EOF
+Hello, this is the Falco builder container.
+
+How to use.
+
+    The default commands for the Falco builder image reports usage and environment info.
+    * docker run falcosecurity/falco-builder
+    * docker run falcosecurity/falco-builder usage
+
+    It supports bash.
+    * docker run -ti falcosecurity/falco-builder bash
+
+    To build Falco it needs:
+    - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings)
+
+    Optionally, you can also bind-mount the build directory.
+    So, you can execute it from the Falco root directory as follows.
+
+    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
+    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
+
+    Eg.,
+    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
+    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
+
+How to build.
+
+    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
+
+    In case you want to customise the builder at build time the following build arguments are provided:
+    - BUILD_TYPE                whether you want a "release" or "debug" build (defaults to "release").
+    - BUILD_DRIVER              whether to build the driver or not (defaults to "OFF")
+    - BUILD_BPF                 whether to build the BPF driver or not (defaults to "OFF")
+    - BUILD_WARNINGS_AS_ERRORS  whether to intend warnings as errors or not (defaults to "ON")
+    - MAKE_JOBS                 the number of jobs to use during make (defaults to "4")
+    - FALCO_VERSION             the version to label the build (built from git index in case it is missing)
+
+    It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
+
+Environment.
+
+    * ${gccversion}
+    * cplusplus ${cppversion}
+    * ${cmakeversion}
+    * ${clangversion}
+EOF
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -1,49 +0,0 @@
-FROM debian:unstable
-
-MAINTAINER Sysdig <support@sysdig.com>
-
-ENV FALCO_REPOSITORY dev
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV SYSDIG_HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-	bash-completion \
-	curl \
-	ca-certificates \
-	gcc \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
-
-# Terribly terrible hacks: since our base Debian image ships with GCC 5.0 which breaks older kernels,
-# revert the default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7 by symlinking
-# it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
- && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends falco \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/dev/docker-entrypoint.sh
+++ b/docker/dev/docker-entrypoint.sh
@@ -1,13 +0,0 @@
-#!/bin/bash
-#set -e
-
-echo "* Setting up /usr/src links from host"
-
-for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
-do 
-	ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
-done
-
-/usr/bin/sysdig-probe-loader
-
-exec "$@"
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -0,0 +1,13 @@
+ARG FALCO_IMAGE_TAG=latest
+FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/driver-loader/docker-entrypoint.sh
+++ b/docker/driver-loader/docker-entrypoint.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+echo "* Setting up /usr/src links from host"
+
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
+
+/usr/bin/falco-driver-loader "$@"
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -0,0 +1,110 @@
+FROM debian:stable
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libmpx2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian stable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian stable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+# debian:stable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]
--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# todo(leogr): remove deprecation notice within a couple of releases
+if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
+fi
+
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
+
+if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
+    done
+
+    /usr/bin/falco-driver-loader
+fi
+
+exec "$@"
--- a/docker/local/CMakeLists.txt
+++ b/docker/local/CMakeLists.txt
@@ -0,0 +1,17 @@
+add_subdirectory(traces)
+add_subdirectory(rules)
+
+add_custom_target(local-Dockerfile ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
+
+add_custom_target(local-docker-entrypoint ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
+
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -0,0 +1,120 @@
+FROM debian:stable
+
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libyaml-0-2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	libmpc3 \
+	binutils \
+	libgomp1 \
+	libitm1 \
+	libatomic1 \
+	liblsan0 \
+	libtsan0 \
+	libmpx2 \
+	libquadmath0 \
+	libcc1-0 \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian stable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian stable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+ADD falco-${FALCO_VERSION}-x86_64.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# debian:stable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+# The local container also copies some test trace files and
+# corresponding rules that are used when running regression tests.
+COPY rules/*.yaml /rules/
+COPY traces/*.scap /traces/
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
+
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
+    done
+
+    /usr/bin/falco-driver-loader
+fi
+
+exec "$@"
--- a/docker/local/rules/CMakeLists.txt
+++ b/docker/local/rules/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Note: list of rules is created at cmake time, not build time
+file(GLOB test_rule_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
+
+foreach(rule_file_path ${test_rule_files})
+	get_filename_component(rule_file ${rule_file_path} NAME)
+	add_custom_target(docker-local-rule-${rule_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		DEPENDS ${rule_file_path})
+endforeach()
+
--- a/docker/local/traces/CMakeLists.txt
+++ b/docker/local/traces/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Note: list of traces is created at cmake time, not build time
+file(GLOB test_trace_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
+
+foreach(trace_file_path ${test_trace_files})
+	get_filename_component(trace_file ${trace_file_path} NAME)
+	add_custom_target(docker-local-trace-${trace_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		DEPENDS ${trace_file_path})
+endforeach()
+
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -0,0 +1,58 @@
+FROM ubuntu:18.04 as ubuntu
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+WORKDIR /
+
+ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+
+RUN apt-get update -y && \
+    apt-get install -y binutils && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
+    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
+
+FROM scratch
+
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
+COPY --from=ubuntu /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -1,49 +0,0 @@
-FROM debian:unstable
-
-MAINTAINER Sysdig <support@sysdig.com>
-
-ENV FALCO_REPOSITORY stable
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV SYSDIG_HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-	bash-completion \
-	curl \
-	ca-certificates \
-	gcc \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
-
-# Terribly terrible hacks: since our base Debian image ships with GCC 5.0 which breaks older kernels,
-# revert the default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7 by symlinking
-# it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
- && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends falco \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -1,13 +0,0 @@
-#!/bin/bash
-#set -e
-
-echo "* Setting up /usr/src links from host"
-
-for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
-do 
-	ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
-done
-
-/usr/bin/sysdig-probe-loader
-
-exec "$@"
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -0,0 +1,22 @@
+FROM fedora:31
+
+LABEL name="falcosecurity/falco-tester"
+LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ENV FALCO_VERSION=
+ENV BUILD_TYPE=release
+
+ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+ENV PATH="/root/.local/bin/:${PATH}"
+RUN pip install --user avocado-framework==69.0
+RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user watchdog==0.10.2
+RUN pip install --user pathtools==0.1.2
+RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
+
+COPY ./root /
+
+ENTRYPOINT ["entrypoint"]
+CMD ["usage"]
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN apt update -y
+RUN apt install dkms -y
+
+ADD falco-${FALCO_VERSION}-x86_64.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/rpm.Dockerfile
+++ b/docker/tester/root/runners/rpm.Dockerfile
@@ -0,0 +1,22 @@
+FROM centos:7
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN yum update -y
+RUN yum install epel-release -y
+
+ADD falco-${FALCO_VERSION}-x86_64.rpm /
+RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN apt update -y
+RUN apt install dkms curl -y
+
+ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SOURCE_DIR=/source
+BUILD_DIR=/build
+CMD=${1:-test}
+shift
+
+# build type can be "debug" or "release", fallbacks to "release" by default
+BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
+case "$BUILD_TYPE" in
+"debug")
+    ;;
+*)
+    BUILD_TYPE="release"
+    ;;
+esac
+
+build_image() {
+    BUILD_DIR=$1
+    BUILD_TYPE=$2
+    FALCO_VERSION=$3
+    PACKAGE_TYPE=$4
+    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
+    if [ ! -f "$PACKAGE" ]; then
+        echo "Package not found: ${PACKAGE}." >&2
+        exit 1
+    fi
+    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
+    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
+
+    mkdir -p /runner-rootfs
+    cp "$PACKAGE" /runner-rootfs
+    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
+    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
+    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
+}
+
+clean_image() {
+    PACKAGE_TYPE=$1
+    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
+    docker rmi -f "$DOCKER_IMAGE_NAME"
+}
+
+case "$CMD" in
+"test")
+    if [ -z "$FALCO_VERSION" ]; then
+        echo "Automatically figuring out Falco version."
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        echo "Falco version: $FALCO_VERSION"
+    fi
+    if [ -z "$FALCO_VERSION" ]; then
+        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
+        exit 1
+    fi
+
+    # build docker images
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+
+    # check that source directory contains Falco
+    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
+        echo "Missing $SOURCE_DIR/falco/test directory." >&2
+        exit 1
+    fi
+
+    # run tests
+    echo "Running regression tests ..."
+    cd "$SOURCE_DIR/falco/test"
+    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+
+    # clean docker images
+    clean_image "deb"
+    clean_image "rpm"
+    clean_image "tar.gz"
+    ;;
+"bash")
+    CMD=/bin/bash
+    ;& # fallthrough
+"usage")
+    exec "$CMD" "$@"
+    ;;
+esac
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
+pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
+dockerversion=$(docker --version)
+avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=${avocadoversion#"Version: "}
+
+cat <<EOF
+Hello, this is the Falco tester container.
+
+How to use.
+
+    The default commands for the Falco tester image reports usage and environment info.
+    * docker run falcosecurity/falco-tester
+    * docker run falcosecurity/falco-tester usage
+
+    It supports bash.
+    * docker run -ti falcosecurity/falco-tester bash
+
+    To run Falco regression tests you need to provide:
+    - the docker socket
+    - the boot directory
+    - the source directory
+    - the directory where Falco has been built
+    - the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
+
+    Assuming you are running it from the Falco root directory, you can run it as follows.
+    * docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
+
+How to build.
+
+    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
+
+Environment.
+
+    * python ${pythonversion}
+    * ${pipversion}
+    * avocado ${avocadoversion}
+    * ${dockerversion}
+EOF
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,14 +1,107 @@
-# File containing Falco rules, loaded at startup.
-rules_file: /etc/falco_rules.yaml
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File(s) or Directories containing Falco rules, loaded at startup.
+# The name "rules_file" is only for backwards compatibility.
+# If the entry is a file, it will be read directly. If the entry is a directory,
+# every file in that directory will be read, in alphabetical order.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file:
+  - /etc/falco/falco_rules.yaml
+  - /etc/falco/falco_rules.local.yaml
+  - /etc/falco/k8s_audit_rules.yaml
+  - /etc/falco/rules.d
+
+# If true, the times displayed in log messages and output messages
+# will be in ISO 8601. By default, times are displayed in the local
+# time zone, as governed by /etc/localtime.
+time_format_iso_8601: false

 # Whether to output events in json or text
 json_output: false

+# When using json output, whether or not to include the "output" property
+# itself (e.g. "File below a known binary directory opened for writing
+# (user=root ....") in the json output.
+json_include_output_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
 log_syslog: true

+# Minimum log level to include in logs. Note: these levels are
+# separate from the priority field of rules. This refers only to the
+# log level of falco's internal logging. Can be one of "emergency",
+# "alert", "critical", "error", "warning", "notice", "info", "debug".
+log_level: info
+
+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: debug
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to false
+buffered_outputs: false
+
+# Falco uses a shared buffer between the kernel and userspace to pass
+# system call information. When falco detects that this buffer is
+# full and system calls have been dropped, it can take one or more of
+# the following actions:
+#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
+#   - "log": log a CRITICAL message noting that the buffer was full.
+#   - "alert": emit a falco alert noting that the buffer was full.
+#   - "exit": exit falco with a non-zero rc.
+#
+# The rate at which log/alert messages are emitted is governed by a
+# token bucket. The rate corresponds to one message every 30 seconds
+# with a burst of 10 messages.
+
+syscall_event_drops:
+  actions:
+    - log
+    - alert
+  rate: .03333
+  max_burst: 10
+
+# A throttling mechanism implemented as a token bucket limits the
+# rate of falco notifications. This throttling is controlled by the following configuration
+# options:
+#  - rate: the number of tokens (i.e. right to send a notification)
+#    gained per second. Defaults to 1.
+#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+#
+# With these defaults, falco could send up to 1000 notifications after
+# an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.
+
+outputs:
+  rate: 1
+  max_burst: 1000

 # Where security notifications should go.
 # Multiple outputs can be enabled.
@@ -16,10 +109,95 @@ log_syslog: true
 syslog_output:
  enabled: true

+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+#
+# Also, the file will be closed and reopened if falco is signaled with
+# SIGUSR1.
+
 file_output:
  enabled: false
+  keep_alive: false
  filename: ./events.txt

 stdout_output:
  enabled: true

+# Falco contains an embedded webserver that can be used to accept K8s
+# Audit Events. These config options control the behavior of that
+# webserver. (By default, the webserver is enabled).
+#
+# The ssl_certificate is a combination SSL Certificate and corresponding
+# key contained in a single file. You can generate a key/cert as follows:
+#
+# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# $ cat certificate.pem key.pem > falco.pem
+# $ sudo cp falco.pem /etc/falco/falco.pem
+
+webserver:
+  enabled: true
+  listen_port: 8765
+  k8s_audit_endpoint: /k8s-audit
+  ssl_enabled: false
+  ssl_certificate: /etc/falco/falco.pem
+
+# Possible additional things you might want to do with program output:
+#   - send to a slack webhook:
+#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+#   - logging (alternate method than syslog):
+#         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80
+
+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+#
+# Also, the program will be closed and reopened if falco is signaled with
+# SIGUSR1.
+program_output:
+  enabled: false
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+
+http_output:
+  enabled: false
+  url: http://some.url
+
+# Falco supports running a gRPC server with two main binding types
+# 1. Over the network with mandatory mutual TLS authentication (mTLS)
+# 2. Over a local unix socket with no authentication
+# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
+# please comment/uncomment and change accordingly the options below to configure it.
+# Important note: if Falco has any troubles creating the gRPC server
+# this information will be logged, however the main Falco daemon will not be stopped.
+# gRPC server over network with (mandatory) mutual TLS configuration.
+# This gRPC server is secure by default so you need to generate certificates and update their paths here.
+# By default the gRPC server is off.
+# You can configure the address to bind and expose it.
+# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
+# grpc:
+#   enabled: true
+#   bind_address: "0.0.0.0:5060"
+#   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
+#   threadiness: 0
+#   private_key: "/etc/falco/certs/server.key"
+#   cert_chain: "/etc/falco/certs/server.crt"
+#   root_certs: "/etc/falco/certs/ca.crt"
+
+# gRPC server using an unix socket
+grpc:
+  enabled: false
+  bind_address: "unix:///var/run/falco.sock"
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0
+
+# gRPC output service.
+# By default it is off.
+# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
+# Make sure to have a consumer for them or leave this disabled.
+grpc_output:
+  enabled: false
--- a/proposals/20190826-grpc-output-single-alert-sequence.png
+++ b/proposals/20190826-grpc-output-single-alert-sequence.png
--- a/proposals/20190826-grpc-outputs.md
+++ b/proposals/20190826-grpc-outputs.md
@@ -0,0 +1,115 @@
+# Falco gRPC Outputs
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+
+<!-- tocstop -->
+
+## Summary
+
+We intend to build a simple gRPC server and SDKs - eg., [falco#785](https://github.com/falcosecurity/falco/issues/785) - to allow users receive and consume the alerts regarding the violated rules.
+
+## Motivation
+
+The most valuable information that Falco can give to its users are the alerts.
+
+An alert is an "output" when it goes over a transport, and it is emitted by Falco every time a rule is matched.
+
+At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.
+
+For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://slack.k8s.io) if we can find a more consumable way to implement Falco outputs in an extensible way.
+
+The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
+
+### Goals
+
+- To decouple the outputs from the Falco code base
+- To design and implement an additional output mode by mean of a gRPC **streaming** server
+- To keep it as simple as possible
+- To have a simple contract interface
+- To only have the responsibility to route Falco output requests and responses
+- To continue supporting the old output formats by implementing their same interface
+- To be secure by default (**mutual TLS** authentication)
+- To be **asynchronous** and **non-blocking**
+- To provide a connection over unix socket (no authentication)
+- To implement a Go client
+- To implement a Rust client
+- To implement a Python client
+
+### Non-Goals
+
+- To substitute existing outputs (stdout, syslog, etc.)
+- To support different queing systems than the default (round-robin) one
+- To support queuing mechanisms for message retransmission
+  - Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
+- To change the output format
+- To make the message context (text, fields, etc.) and format configurable
+  - Users can already override rules changing their output messages
+- To act as an orchestrator for Falco instances
+
+## Proposal
+
+### Use cases
+
+- Receive Falco events with a well-defined contract over wire
+- Integrate Falco events with existing alerting/paging mechanisms
+- Integrate Falco events with existing monitoring infrastructures/tools
+- Falco outputs SDKs for different languages
+
+### Diagrams
+
+The following sequence diagram illustrates the flow happening for a single rule being matched and the consequent alert through the gRPC output client.
+
+![Single alert sequence diagram](20190826-grpc-output-single-alert-sequence.png)
+
+### Design Details
+
+Here is the proto3 contracts definitions for the client and the server SDK.
+
+```proto3
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+import "schema.proto";
+
+package falco.outputs;
+
+option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";
+
+// This service defines the RPC methods
+// to `request` a stream of output `response`s.
+service service {
+  // Subscribe to a stream of Falco outputs by sending a stream of requests.
+  rpc sub(stream request) returns (stream response);
+  // Get all the Falco outputs present in the system up to this call.
+  rpc get(request) returns (stream response);
+}
+
+// The `request` message is the logical representation of the request model.
+// It is the input of the `output.service` service.
+message request {
+}
+
+// The `response` message is the representation of the output model.
+// It contains all the elements that Falco emits in an output along with the
+// definitions for priorities and source.
+message response {
+  google.protobuf.Timestamp time = 1;
+  falco.schema.priority priority = 2;
+  falco.schema.source source = 3;
+  string rule = 4;
+  string output = 5;
+  map<string, string> output_fields = 6;
+  string hostname = 7;
+}
+```
+
+---
--- a/proposals/20190909-psp-rules-support.md
+++ b/proposals/20190909-psp-rules-support.md
@@ -0,0 +1,56 @@
+# Support for K8s Pod Security Policies (PSPs) in Falco
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+
+<!-- tocstop -->
+
+## Summary
+
+We want to make it easier for K8s Cluster Operators to Author Pod Security Policies by providing a way to read a PSP, convert it to a set of Falco rules, and then run Falco with those rules.
+
+## Motivation
+
+PSPs provide a rich powerful framework to restrict the behavior of pods and apply consistent security policies across a cluster, but it’s difficult to know the gap between what you want your security policy to be and what your cluster is actually doing. Additionally, since PSPs enforce once applied, they might prevent pods from running, and the process of tuning a PSP live on a cluster can be disruptive and painful.
+
+That's where Falco comes in. We want to make it possible for Falco to perform a "dry run" evaluation of a PSP, translating it to Falco rules that observe the behaviour of deployed pods and sending alerts for violations, *without* blocking. This helps accelerate the authoring cycle, providing a complete authoring framework for PSPs without deploying straight to the cluster.
+
+### Goals
+
+Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
+
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+
+### Non-Goals
+
+Falco will not automatically read PSPs from a cluster, will not install PSPs, and will not provide guidance on the parts of your infrastructure that are already covered by PSPs. This feature only helps with the testing part of a candidate PSP. For coming up with an initial PSP, you can use tools like [https://github.com/sysdiglabs/kube-psp-advisor](Kube PSP Advisor).
+
+The use case here is for cluster operators who want to author PSPs, but don't want to just put it in a cluster and see what breaks. For example, if your PSP sets privileged to false, but it turns out some of your pods are running privileged, they won't be able to start.
+
+With this feature, they could iterate without enforcement until they have a PSP that matches the actual behaviour of their cluster. Some of that will come from changing the PSP, some of that will come from changing the behaviour of the cluster. The important part is that it's not mistakenly preventing things from running while you're figuring it out.
+
+## Proposal
+
+### Use cases
+
+You'll be able to run falco with a `--psp` argument that provides a single PSP yaml file. Falco will automatically convert the PSP into an equivalent set of Falco rules, load the rules, and then run with the loaded rules. You can optionally provide a `--psp_save=<path>` command line option to save the converted rules to a file.
+
+### Diagrams
+
+No diagrams yet.
+
+### Design Details
+
+* We'll use [inja](https://github.com/pantor/inja) as the templating engine.
+
+* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
+
+* This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.
--- a/proposals/20191030-api.md
+++ b/proposals/20191030-api.md
@@ -0,0 +1,126 @@
+# Falco APIs
+
+## Summary
+
+This is a proposal to better structure the Falco API.
+
+The Falco API is a set of contracts describing how users can interacts with Falco.
+
+By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible.
+
+Thus, this document intent is to propose a list of services that contistute the Falco API (targeting the first stable version of Falco, v1.0.0).
+
+## Motivation
+
+We want to enable users to use thirdy-party clients to interface with Falco outputs, inputs, rules, and configurations.
+
+Such ability would enable the community to create a whole set of OSS tools, built on top of Falco.
+
+Some examples, already in place, are:
+
+- [falcoctl](https://github.com/falcosecurity/falcoctl)
+- [falco-exporter](https://github.com/falcosecurity/falco-exporter)
+
+## Goals
+
+- To design and implement an API to make Falco more configurable
+- To design and implement an API to make Falco more consumable
+- To have an API so that users are able to interface with Falco
+- To design a set of simple contract interfaces
+- To have an API which is secure by default
+- To implement this API in C++ using gRPC as a first implementation
+
+## Non-Goals
+
+- To replace the existing inputs: the **inputs** will be only for new source events users may want to add, initially
+- To document the API: to be approached as separate task
+- To create/update the API client: to be approached as a separate task
+
+## Proposal
+
+### Use cases
+
+- Receive Falco events with a well-defined contract --> **outputs**
+- Receive Falco drops with a well-defined contract --> **drops**
+- Receive current Falco version and related meta information (commit hash, built type, etc.) --> **version**
+- Configure Falco via API (CRUD) -> **configs**
+- Inject and/or modify Falco rules via API (CRUD) --> **rules**
+- Send input events to Falco --> **inputs**
+
+### Unary services
+
+1. Version
+2. Rules
+3. Configs
+
+### Streaming (server or client) services
+
+1. Outputs
+2. Drops
+
+### Bidirectional streaming services
+
+1. Inputs
+
+### Architecture
+
+We propose to have:
+- 1 gRPC server
+- 1 service grouping services
+
+This translates in having the following set of `proto` files.
+
+- a `.proto` containing the **request** and **response messages** for each service - eg., `version.proto`, `outputs.proto` etc.
+
+    For example,
+    ```proto3
+    # version.proto
+    message request
+    {
+      ...
+    }
+
+    // The `response` message contains the version of Falco.
+    // It provides the whole version as a string and also
+    // its parts as per semver 2.0 specification (https://semver.org).
+    message response
+    {
+    string version = 1;
+      uint32 major = 2;
+      uint32 minor = 3;
+      uint32 patch = 4;
+      string prerelease = 5;
+      string build = 6;
+    }
+    ```
+
+- one or more `.proto` containing the commond models - ie., the already existing `schema.proto` containing source enum, etc.
+
+    ```proto3
+    # schema.proto
+    enum priority {
+      ..
+    }
+    enum source {
+    option allow_alias = true;
+      SYSCALL = 0;
+      syscall = 0;
+      Syscall = 0;
+      K8S_AUDIT = 1;
+      k8s_audit = 1;
+      K8s_audit = 1;
+      K8S_audit = 1;
+    }
+    ```
+
+- a `.proto` for service definitions
+
+    For example,
+    ```proto3
+    service api {
+      rpc version(request) returns (response);
+      rpc outputs(request) returns (stream response);
+      rpc drops(request) returns (stream response);
+      ...
+    }
+    ```
--- a/proposals/20191217-rules-naming-convention.md
+++ b/proposals/20191217-rules-naming-convention.md
@@ -0,0 +1,57 @@
+# Falco rule naming convention
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+    + [Rule](#rule)
+    + [Macro](#macro)
+    + [List](#list)
+
+<!-- tocstop -->
+
+## Summary
+
+Propose some basic naming conventions when new lists, macros, rules are introduced. 
+
+## Motivation
+
+We want to help people from the community to contribute to falco rules. It will help improving the security content provided by Falco out of the box. Since people have different preference of naming things, it's necessary to set forth some basic naming convention for people to follow when creating new rules, macros and lists.
+
+### Goals
+
+People will have to follow the naming conventions rules when introducing new Falco rules, macros and lists.
+
+### Non-Goals
+
+There will be no intention to cover Falco rule syntax in this proposal.
+
+## Proposal
+
+### Use cases
+
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+
+### Diagrams
+
+N/A
+
+### Design Details
+
+#### Rule
+- Rule Name: Use phrases with capitalizing every word except preposition (e.g. `Search Private Keys or Passwords`)
+- Description: Use sentence always starting with "Detect" and ending with period. (e.g. `Detect grep private keys or passwords activity.`)
+- Output: Use sentence. Must at least include output fields (user=%user.name command=%proc.cmdline container_id=%container.id)
+- Tags: Use at least one of the following: [network, process, filesystem]. Also encourage to use mitre_* tags if applicable
+
+#### Macro
+- Macro Name: Use lowercase_separated_by_underscores (e.g. `parent_java_running_zookeeper`)
+
+#### List
+- List Name: Use lowercase_separated_by_underscores (e.g. `protected_shell_spawning_binaries`)
--- a/proposals/20200506-artifacts-scope-part-1.md
+++ b/proposals/20200506-artifacts-scope-part-1.md
@@ -0,0 +1,114 @@
+# Falco Artifacts Scope - Part 1
+
+The **Falco Artifact Scope** proposal is divided in two parts:
+1. the Part 1 - *this document*: the State of Art of Falco artifacts
+2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
+
+## Summary 
+
+As a project we would like to support the following artifacts.
+
+Everything else will be moved to [contrib](https://github.com/falcosecurity/contrib).
+
+As a project we will build, change, rename, and move files, documents, scripts, configurations according to the new state of the art described into [Part 2](./20200506-artifacts-scope-part-2.md).
+
+Inspired by many previous issues and many of the weekly community calls.
+
+## Terms
+
+**falco** 
+
+*The Falco binary*
+
+**driver**
+
+*System call provider from the Linux kernel. Either (`bpf`, `module`)*
+
+**falco-driver-loader**
+
+*The bash script found [here](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) that tries to compile else download the driver (kernel module or eBPF probe).*
+
+**package**
+
+*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
+
+**image**
+
+*OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
+ 
+
+# Packages
+
+List of currently official packages (for x86 64bits only):
+
+- `falco-x.y.z-x86_64.deb` for debian like systems, it installs the kernel module by default
+- `falco-x.y.z-x86_64.rpm` for rpm like systems, it installs the kernel module by default
+- `falco-x.y.z-x86_64.tar.gz` for binary installation, it contains `falco` binary, `falco-driver-loader` script, drivers source, and related dependencies
+
+
+# Images
+
+List of currently official container images (for X86 64bits only):
+
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+
+**Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+
+
+# Falco Project Evolution
+
+We will modeling a loosely defined adoption of the Kubernetes and CNCF incubator efforts.
+
+The criteria will remain loose, and tighten as needed at the discretion of the Falco open source community.
+
+### contrib
+
+"_Sandbox level_"
+
+This new [contrib](https://github.com/falcosecurity/contrib) repository will be equivalent to the `Falco Sandbox` and serves as a place for the community to `test-drive` ideas/projects/code.
+
+### repository
+
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
+
+This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
+
+### official support
+
+As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Offical support_."
+
+The artifacts listed above are part of the official Falco release process. These artifact will be refined and amended by the [Part 2](./20200506-artifacts-scope-part-2.md).
+
+# Action
+
+The *Part 1* is mainly intended as a cleanup process.
+For each item not listed above, ask if it needs to be moved or deleted.
+After the cleanup process, all items will match the *Part 1* of this proposal.
+
+    
+### Action Items
+
+Here are SOME of the items that would need to be done, for example:
+
+ - Remove `minimal` from `falco` repository (it's almost similar to `slim`, we don't need two images for the same purpose)
+ - Rename `driverloader` image to `falco-driver-loader` (since it has not been release yet, we can rename it without breaking things)
+ - Move everything else to contrib
+     - Move [/integrations](https://github.com/falcosecurity/falco/tree/master/integrations) to contrib
+     - Move [/examples](https://github.com/falcosecurity/falco/tree/master/examples) to contrib
+     - Old documentation
+
+### Documentation
+
+Update documentation in [falco-website#184](https://github.com/falcosecurity/falco-website/pull/184).
+
+### Adjusting projects
+
+ - YAML manifest documentation to be moved to `contrib`
+ - Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
--- a/proposals/20200506-artifacts-scope-part-2.md
+++ b/proposals/20200506-artifacts-scope-part-2.md
@@ -0,0 +1,139 @@
+# Falco Artifacts Scope - Part 2
+
+The **Falco Artifact Scope** proposal is divided in two parts:
+1. the [Part 1](./20200506-artifacts-scope-part-1.md): the State of Art of Falco artifacts
+2. the Part 2 - *this document*: the intended state moving forward
+
+## Summary 
+
+See [Part 1](./20200506-artifacts-scope-part-1.md).
+
+## Terms
+
+See [Part 1](./20200506-artifacts-scope-part-1.md).
+
+## Packages
+
+Official packages for x86 64bits only.
+
+The following convention MUST be used for all packages.
+
+_All package names MUST contain a version._
+
+_If a package installs the Falco kernel module it MUST contain `module`._
+
+_If a package installs the Falco BPF probe it MUST contain `bpf`._
+
+_In general, if a package installs a Falco driver it MUST contain the driver name._
+
+
+### .deb
+
+ Falco running in debian like systems that will default to the kernel module.
+
+- falco-*x.y.z*-amd64.deb
+     - alias to ` falco-*x.y.z*-module-amd64.deb`
+ - falco-*x.y.z*-module-amd64.deb
+     - `falco` and `module`
+ - falco-*x.y.z*-bpf-amd64.deb
+     - `falco` and `bpf`
+
+
+We reserve the right to change the naming convention of deb packages accordingly to deb conventions.
+
+### .rpm
+
+ Falco running in rpm like systems that will default to the kernel module.
+
+- falco-*x.y.z*-x86_64.rpm
+     - alias to ` falco-*x.y.z*-module-x86_64.rpm`
+ - falco-*x.y.z*-module-x86_64.rpm
+     - `falco` and `module`
+ - falco-*x.y.z*-bpf-x86_64.rpm
+     - `falco` and `bpf`
+
+We reserve the right to change the naming convention of rpm packages accordingly to rpm conventions.
+
+### .tar.gz
+
+- falco-bin-x86.tar.gz
+    - `falco` binary, `falco-loader-script`, drivers source, and related dependencies
+    - `INSTALL` file
+    - `Makefile` file
+- falco-src-x86.tar.gz
+    - No binaries
+    - `INSTALL` file
+- falco-module-src-x86.tar.gz
+    - `module` sources with `Makefile`
+    - `INSTALL` file
+- falco-bpf-src-x86.tar.gz
+    - `bpf` sources with `Makefile`
+    - `INSTALL` file
+
+## Images
+
+The following convention MUST be used for all container images.
+
+
+ - falcosecurity/falco:TAG
+     - First runs `falco-driver-loader` and then runs `falco`
+     - Can be run with `--privileged`
+     - Can be run with `-e SKIP_DRIVER_LOADER=true` to skip the execution of `falco-driver-loader`
+     - TAG can be `latest` to refer to the latest release
+     - TAG can be `master` to refer to the latest master
+     - TAG can be `x.y.z` to refer to a specific release
+ - falcosecurity/falco-driver-loader:TAG
+     - Runs `falco-driver-loader` and exit
+     - Needs to be run with `--privileged`
+ - falcosecurity/falco-no-driver
+     - Runs `falco` (only userspace)
+ - falcosecurity/falco-tester:TAG 
+     - Runs the Falco integration test suite
+ - falcosecurity/falco-builder:TAG
+     - Contains the Falco tool chain for development
+
+The image usage MUST be documented in the Dockerfile and in the [website](https://falco.org/docs/).
+If an image does not take any action by default, a command usage MUST printed out.
+We reserve the right to add image aliases if it was needed.
+
+## Official support
+
+These artifacts will be amended to the ones listed above, and will become a part of the official Falco release process.
+
+## Action
+
+For each item, ask if this already exists. If so we need to rename, and update it to match this new convention. If does not exist, add it.
+
+    
+### Action Items
+
+Here are SOME of the items that would need to be done for example:
+
+ - Rename package accordingly 
+ - Rename docker images accordingly 
+     - Evaluate how to call what's currently called `falcosecurity/falco:latest-slim`
+ - Documentation in all packages with `INSTALL` file
+ - Add `Makefile` where needed
+ - Implement missing packages
+    - Rename `SKIP_MODULE_LOAD` environment variable of docker images to `SKIP_DRIVER_LOADER`
+    - Create `usage` commands for every docker image
+    
+### Documentation
+
+Update documentation in [falco-website](https://github.com/falcosecurity/falco-website/)
+
+#### Note:
+
+This could break the current helm chart, and maybe other dependencies.
+
+We owe existing users of the Falco project some courtesy if we will break their usage of how Falco has traditionally been advertised. 
+
+Some things we owe the community.
+
+ - Announcement on Falco mailing list
+ - Issues/Pull Request to Helm chart
+     - Note: At the very least open an issue and document how to make the existing helm chart work with the new changes if needed. [Nova Volunteers]
+     - We should at least open a PR and update the helm chart with these new expectations if needed. [Nova Volunteers]
+     - We should revisit the helm chart OWNERS
+ - Twitter
+ - Documentation
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -1,3 +1,64 @@
-install(FILES falco_rules.yaml
-	DESTINATION "${DIR_ETC}")
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#

+# GNU standard installation directories' definitions
+include(GNUInstallDirs)
+
+if(NOT DEFINED FALCO_ETC_DIR)
+  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+endif()
+
+if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
+  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
+  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
+  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
+  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
+endif()
+
+if(DEFINED FALCO_COMPONENT)
+  install(
+    FILES falco_rules.yaml
+    COMPONENT "${FALCO_COMPONENT}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_RULES_DEST_FILENAME}")
+
+  install(
+    FILES falco_rules.local.yaml
+    COMPONENT "${FALCO_COMPONENT}"
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+
+  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
+else()
+  install(
+    FILES falco_rules.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_RULES_DEST_FILENAME}")
+
+  install(
+    FILES falco_rules.local.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+
+  install(
+    FILES k8s_audit_rules.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_K8S_AUDIT_RULES_DEST_FILENAME}")
+
+  install(
+    FILES application_rules.yaml
+    DESTINATION "/etc/falco/rules.available"
+    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
+
+  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
+endif()
--- a/rules/OWNERS
+++ b/rules/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+  - mstemm
+  - kaizhe
+reviewers:
+  - leodido
+  - fntlnz
+  - mfdii
+  - kaizhe
+  - mstemm
+labels:
+  - area/rules
+
--- a/rules/application_rules.yaml
+++ b/rules/application_rules.yaml
@@ -0,0 +1,188 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- required_engine_version: 2
+
+################################################################
+# By default all application-related rules are disabled for
+# performance reasons. Depending on the application(s) you use,
+# uncomment the corresponding rule definitions for
+# application-specific activity monitoring.
+################################################################
+
+# Elasticsearch ports
+- macro: elasticsearch_cluster_port
+  condition: fd.sport=9300
+- macro: elasticsearch_api_port
+  condition: fd.sport=9200
+- macro: elasticsearch_port
+  condition: elasticsearch_cluster_port or elasticsearch_api_port
+
+# - rule: Elasticsearch unexpected network inbound traffic
+#   desc: inbound network traffic to elasticsearch on a port other than the standard ports
+#   condition: user.name = elasticsearch and inbound and not elasticsearch_port
+#   output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Elasticsearch unexpected network outbound traffic
+#   desc: outbound network traffic from elasticsearch on a port other than the standard ports
+#   condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
+#   output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+
+# ActiveMQ ports
+- macro: activemq_cluster_port
+  condition: fd.sport=61616
+- macro: activemq_web_port
+  condition: fd.sport=8161
+- macro: activemq_port
+  condition: activemq_web_port or activemq_cluster_port
+
+# - rule: Activemq unexpected network inbound traffic
+#   desc: inbound network traffic to activemq on a port other than the standard ports
+#   condition: user.name = activemq and inbound and not activemq_port
+#   output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Activemq unexpected network outbound traffic
+#   desc: outbound network traffic from activemq on a port other than the standard ports
+#   condition: user.name = activemq and outbound and not activemq_cluster_port
+#   output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+
+# Cassandra ports
+# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
+- macro: cassandra_thrift_client_port
+  condition: fd.sport=9160
+- macro: cassandra_cql_port
+  condition: fd.sport=9042
+- macro: cassandra_cluster_port
+  condition: fd.sport=7000
+- macro: cassandra_ssl_cluster_port
+  condition: fd.sport=7001
+- macro: cassandra_jmx_port
+  condition: fd.sport=7199
+- macro: cassandra_port
+  condition: >
+    cassandra_thrift_client_port or
+    cassandra_cql_port or cassandra_cluster_port or
+    cassandra_ssl_cluster_port or cassandra_jmx_port
+
+# - rule: Cassandra unexpected network inbound traffic
+#   desc: inbound network traffic to cassandra on a port other than the standard ports
+#   condition: user.name = cassandra and inbound and not cassandra_port
+#   output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Cassandra unexpected network outbound traffic
+#   desc: outbound network traffic from cassandra on a port other than the standard ports
+#   condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
+#   output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Couchdb ports
+# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
+- macro: couchdb_httpd_port
+  condition: fd.sport=5984
+- macro: couchdb_httpd_ssl_port
+  condition: fd.sport=6984
+# xxx can't tell what clustering ports are used. not writing rules for this
+# yet.
+
+# Fluentd ports
+- macro: fluentd_http_port
+  condition: fd.sport=9880
+- macro: fluentd_forward_port
+  condition: fd.sport=24224
+
+# - rule: Fluentd unexpected network inbound traffic
+#   desc: inbound network traffic to fluentd on a port other than the standard ports
+#   condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
+#   output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Tdagent unexpected network outbound traffic
+#   desc: outbound network traffic from fluentd on a port other than the standard ports
+#   condition: user.name = td-agent and outbound and not fluentd_forward_port
+#   output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Gearman ports
+# http://gearman.org/protocol/
+# - rule: Gearman unexpected network outbound traffic
+#   desc: outbound network traffic from gearman on a port other than the standard ports
+#   condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
+#   output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Zookeeper
+- macro: zookeeper_port
+  condition: fd.sport = 2181
+
+# Kafka ports
+# - rule: Kafka unexpected network inbound traffic
+#   desc: inbound network traffic to kafka on a port other than the standard ports
+#   condition: user.name = kafka and inbound and fd.sport != 9092
+#   output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Memcached ports
+# - rule: Memcached unexpected network inbound traffic
+#   desc: inbound network traffic to memcached on a port other than the standard ports
+#   condition: user.name = memcached and inbound and fd.sport != 11211
+#   output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Memcached unexpected network outbound traffic
+#   desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
+#   condition: user.name = memcached and outbound
+#   output: "Unexpected Memcached outbound connection (connection=%fd.name)"
+#   priority: WARNING
+
+
+# MongoDB ports
+- macro: mongodb_server_port
+  condition: fd.sport = 27017
+- macro: mongodb_shardserver_port
+  condition: fd.sport = 27018
+- macro: mongodb_configserver_port
+  condition: fd.sport = 27019
+- macro: mongodb_webserver_port
+  condition: fd.sport = 28017
+
+# - rule: Mongodb unexpected network inbound traffic
+#   desc: inbound network traffic to mongodb on a port other than the standard ports
+#   condition: >
+#     user.name = mongodb and inbound and not (mongodb_server_port or
+#     mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
+#   output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# MySQL ports
+# - rule: Mysql unexpected network inbound traffic
+#   desc: inbound network traffic to mysql on a port other than the standard ports
+#   condition: user.name = mysql and inbound and fd.sport != 3306
+#   output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: HTTP server unexpected network inbound traffic
+#   desc: inbound network traffic to a http server program on a port other than the standard ports
+#   condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
+#   output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
+#   priority: WARNING
--- a/rules/falco_rules.local.yaml
+++ b/rules/falco_rules.local.yaml
@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+####################
+# Your custom rules!
+####################
+
+# Add new rules, like this one
+# - rule: The program "sudo" is run in a container
+#   desc: An event will trigger every time you run sudo in a container
+#   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
+#   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
+#   priority: ERROR
+#   tags: [users, container]
+
+# Or override/append to any rule, macro, or list from the Default Rules
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -0,0 +1,592 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- required_engine_version: 2
+
+# Like always_true/always_false, but works with k8s audit events
+- macro: k8s_audit_always_true
+  condition: (jevt.rawtime exists)
+
+- macro: k8s_audit_never_true
+  condition: (jevt.rawtime=0)
+
+# Generally only consider audit events once the response has completed
+- list: k8s_audit_stages
+  items: ["ResponseComplete"]
+
+# Generally exclude users starting with "system:"
+- macro: non_system_user
+  condition: (not ka.user.name startswith "system:")
+
+# This macro selects the set of Audit Events used by the below rules.
+- macro: kevt
+  condition: (jevt.value[/stage] in (k8s_audit_stages))
+
+- macro: kevt_started
+  condition: (jevt.value[/stage]=ResponseStarted)
+
+# If you wish to restrict activity to a specific set of users, override/append to this list.
+# users created by kops are included
+- list: vertical_pod_autoscaler_users
+  items: ["vpa-recommender", "vpa-updater"]
+
+- list: allowed_k8s_users
+  items: [
+    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
+    "kubernetes-admin",
+    vertical_pod_autoscaler_users,
+    ]
+
+- rule: Disallowed K8s User
+  desc: Detect any k8s operation by users outside of an allowed set of users.
+  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
+  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# In a local/user rules file, you could override this macro to
+# explicitly enumerate the container images that you want to run in
+# your environment. In this main falco rules file, there isn't any way
+# to know all the containers that can run, so any container is
+# allowed, by using the always_true macro. In the overridden macro, the condition
+# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
+- macro: allowed_k8s_containers
+  condition: (k8s_audit_always_true)
+
+- macro: response_successful
+  condition: (ka.response.code startswith 2)
+
+- macro: kcreate
+  condition: ka.verb=create
+
+- macro: kmodify
+  condition: (ka.verb in (create,update,patch))
+
+- macro: kdelete
+  condition: ka.verb=delete
+
+- macro: pod
+  condition: ka.target.resource=pods and not ka.target.subresource exists
+
+- macro: pod_subresource
+  condition: ka.target.resource=pods and ka.target.subresource exists
+
+- macro: deployment
+  condition: ka.target.resource=deployments
+
+- macro: service
+  condition: ka.target.resource=services
+
+- macro: configmap
+  condition: ka.target.resource=configmaps
+
+- macro: namespace
+  condition: ka.target.resource=namespaces
+
+- macro: serviceaccount
+  condition: ka.target.resource=serviceaccounts
+
+- macro: clusterrole
+  condition: ka.target.resource=clusterroles
+
+- macro: clusterrolebinding
+  condition: ka.target.resource=clusterrolebindings
+
+- macro: role
+  condition: ka.target.resource=roles
+
+- macro: secret
+  condition: ka.target.resource=secrets
+
+- macro: health_endpoint
+  condition: ka.uri=/healthz
+
+- rule: Create Disallowed Pod
+  desc: >
+    Detect an attempt to start a pod with a container image outside of a list of allowed images.
+  condition: kevt and pod and kcreate and not allowed_k8s_containers
+  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: Create Privileged Pod
+  desc: >
+    Detect an attempt to start a pod with a privileged container
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
+  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: sensitive_vol_mount
+  condition: >
+    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
+
+- rule: Create Sensitive Mount Pod
+  desc: >
+    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
+    Exceptions are made for known trusted images.
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
+  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# Corresponds to K8s CIS Benchmark 1.7.4
+- rule: Create HostNetwork Pod
+  desc: Detect an attempt to start a pod using the host network.
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
+  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: user_known_node_port_service
+  condition: (k8s_audit_never_true)
+
+- rule: Create NodePort Service
+  desc: >
+    Detect an attempt to start a service with a NodePort service type
+  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
+  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: contains_private_credentials
+  condition: >
+    (ka.req.configmap.obj contains "aws_access_key_id" or
+     ka.req.configmap.obj contains "aws-access-key-id" or
+     ka.req.configmap.obj contains "aws_s3_access_key_id" or
+     ka.req.configmap.obj contains "aws-s3-access-key-id" or
+     ka.req.configmap.obj contains "password" or
+     ka.req.configmap.obj contains "passphrase")
+
+- rule: Create/Modify Configmap With Private Credentials
+  desc: >
+     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
+  condition: kevt and configmap and kmodify and contains_private_credentials
+  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# Corresponds to K8s CIS Benchmark, 1.1.1.
+- rule: Anonymous Request Allowed
+  desc: >
+    Detect any request made by the anonymous user that was allowed
+  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
+  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
+# notifies an attempt to exec/attach to a privileged container.
+
+# Ideally, we'd add a more stringent rule that detects attaches/execs
+# to a privileged pod, but that requires the engine for k8s audit
+# events to be stateful, so it could know if a container named in an
+# attach request was created privileged or not. For now, we have a
+# less severe rule that detects attaches/execs to any pod.
+
+- macro: user_known_exec_pod_activities
+  condition: (k8s_audit_never_true)
+
+- rule: Attach/Exec Pod
+  desc: >
+    Detect any attempt to attach/exec to a pod
+  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
+  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: user_known_pod_debug_activities
+  condition: (k8s_audit_never_true)
+
+# Only works when feature gate EphemeralContainers is enabled
+- rule: EphemeralContainers Created
+  desc: >
+    Detect any ephemeral container created
+  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
+# In a local/user rules fie, you can append to this list to add additional allowed namespaces
+- list: allowed_namespaces
+  items: [kube-system, kube-public, default]
+
+- rule: Create Disallowed Namespace
+  desc: Detect any attempt to create a namespace outside of a set of known namespaces
+  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
+  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- list: user_trusted_image_list
+  items: []
+
+- list: k8s_image_list
+  items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
+
+- macro: trusted_pod
+  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
+              ka.req.pod.containers.image.repository in (k8s_image_list))
+
+# Detect any new pod created in the kube-system namespace
+- rule: Pod Created in Kube Namespace
+  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
+  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- list: user_known_sa_list
+  items: []
+
+- macro: trusted_sa
+  condition: (ka.target.name in (user_known_sa_list))
+
+# Detect creating a service account in the kube-system/kube-public namespace
+- rule: Service Account Created in Kube Namespace
+  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
+  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# Detect any modify/delete to any ClusterRole starting with
+# "system:". "system:coredns" is excluded as changes are expected in
+# normal operation.
+- rule: System ClusterRole Modified/Deleted
+  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
+# (exapand this to any built-in cluster role that does "sensitive" things)
+- rule: Attach to cluster-admin Role
+  desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
+  condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
+  output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: ClusterRole With Wildcard Created
+  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
+  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
+  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: writable_verbs
+  condition: >
+    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
+
+- rule: ClusterRole With Write Privileges Created
+  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
+  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
+  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: ClusterRole With Pod Exec Created
+  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
+  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
+  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+# The rules below this point are less discriminatory and generally
+# represent a stream of activity for a cluster. If you wish to disable
+# these events, modify the following macro.
+- macro: consider_activity_events
+  condition: (k8s_audit_always_true)
+
+- macro: kactivity
+  condition: (kevt and consider_activity_events)
+
+- rule: K8s Deployment Created
+  desc: Detect any attempt to create a deployment
+  condition: (kactivity and kcreate and deployment and response_successful)
+  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Deployment Deleted
+  desc: Detect any attempt to delete a deployment
+  condition: (kactivity and kdelete and deployment and response_successful)
+  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Service Created
+  desc: Detect any attempt to create a service
+  condition: (kactivity and kcreate and service and response_successful)
+  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Service Deleted
+  desc: Detect any attempt to delete a service
+  condition: (kactivity and kdelete and service and response_successful)
+  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s ConfigMap Created
+  desc: Detect any attempt to create a configmap
+  condition: (kactivity and kcreate and configmap and response_successful)
+  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s ConfigMap Deleted
+  desc: Detect any attempt to delete a configmap
+  condition: (kactivity and kdelete and configmap and response_successful)
+  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Namespace Created
+  desc: Detect any attempt to create a namespace
+  condition: (kactivity and kcreate and namespace and response_successful)
+  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Namespace Deleted
+  desc: Detect any attempt to delete a namespace
+  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
+  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Serviceaccount Created
+  desc: Detect any attempt to create a service account
+  condition: (kactivity and kcreate and serviceaccount and response_successful)
+  output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Serviceaccount Deleted
+  desc: Detect any attempt to delete a service account
+  condition: (kactivity and kdelete and serviceaccount and response_successful)
+  output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Role/Clusterrole Created
+  desc: Detect any attempt to create a cluster role/role
+  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
+  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Role/Clusterrole Deleted
+  desc: Detect any attempt to delete a cluster role/role
+  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
+  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Role/Clusterrolebinding Created
+  desc: Detect any attempt to create a clusterrolebinding
+  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
+  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Role/Clusterrolebinding Deleted
+  desc: Detect any attempt to delete a clusterrolebinding
+  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
+  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Created
+  desc: Detect any attempt to create a secret. Service account tokens are excluded.
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Deleted
+  desc: Detect any attempt to delete a secret Service account tokens are excluded.
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+# This rule generally matches all events, and as a result is disabled
+# by default. If you wish to enable these events, modify the
+# following macro.
+#  condition: (jevt.rawtime exists)
+- macro: consider_all_events
+  condition: (k8s_audit_never_true)
+
+- macro: kall
+  condition: (kevt and consider_all_events)
+
+- rule: All K8s Audit Events
+  desc: Match all K8s Audit Events
+  condition: kall
+  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
+  priority: DEBUG
+  source: k8s_audit
+  tags: [k8s]
+
+
+# This macro disables following rule, change to k8s_audit_never_true to enable it
+- macro: allowed_full_admin_users
+  condition: (k8s_audit_always_true)
+
+# This list includes some of the default user names for an administrator in several K8s installations
+- list: full_admin_k8s_users
+  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+
+# This rules detect an operation triggered by an user name that is 
+# included in the list of those that are default administrators upon 
+# cluster creation. This may signify a permission setting too broader. 
+# As we can't check for role of the user on a general ka.* event, this 
+# may or may not be an administrator. Customize the full_admin_k8s_users 
+# list to your needs, and activate at your discrection.
+
+# # How to test:
+# # Execute any kubectl command connected using default cluster user, as:
+# kubectl create namespace rule-test
+
+- rule: Full K8s Administrative Access
+  desc: Detect any k8s operation by a user name that may be an administrator with full access.
+  condition: >
+    kevt 
+    and non_system_user 
+    and ka.user.name in (admin_k8s_users) 
+    and not allowed_full_admin_users
+  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+- macro: ingress
+  condition: ka.target.resource=ingresses
+
+- macro: ingress_tls
+  condition: (jevt.value[/requestObject/spec/tls] exists)
+
+# # How to test:
+# # Create an ingress.yaml file with content:
+# apiVersion: networking.k8s.io/v1beta1
+# kind: Ingress
+# metadata:
+#   name: test-ingress
+#   annotations:
+#     nginx.ingress.kubernetes.io/rewrite-target: /
+# spec:
+#   rules:
+#   - http:
+#       paths:
+#       - path: /testpath
+#         backend:
+#           serviceName: test
+#           servicePort: 80
+# # Execute: kubectl apply -f ingress.yaml
+
+- rule: Ingress Object without TLS Certificate Created
+  desc: Detect any attempt to create an ingress without TLS certification.
+  condition: >
+    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
+  output: >
+    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
+    namespace=%ka.target.namespace)
+  source: k8s_audit    
+  priority: WARNING
+  tags: [k8s, network]
+
+- macro: node
+  condition: ka.target.resource=nodes
+
+- macro: allow_all_k8s_nodes
+  condition: (k8s_audit_always_true)
+
+- list: allowed_k8s_nodes
+  items: []
+
+# # How to test:
+# # Create a Falco monitored cluster with Kops
+# # Increase the number of minimum nodes with:
+# kops edit ig nodes
+# kops apply --yes
+
+- rule: Untrusted Node Successfully Joined the Cluster
+  desc: >
+    Detect a node successfully joined the cluster outside of the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
+  priority: ERROR
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
+  desc: >
+    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and not response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -1,5 +1,37 @@
-file(COPY ${PROJECT_SOURCE_DIR}/scripts/debian/falco
-	DESTINATION ${PROJECT_BINARY_DIR}/scripts/debian)
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#

-file(COPY ${PROJECT_SOURCE_DIR}/scripts/rpm/falco
-	DESTINATION ${PROJECT_BINARY_DIR}/scripts/rpm)
+configure_file(debian/postinst.in debian/postinst)
+configure_file(debian/postrm.in debian/postrm)
+configure_file(debian/prerm.in debian/prerm)
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
+configure_file(rpm/postinstall.in rpm/postinstall)
+configure_file(rpm/postuninstall.in rpm/postuninstall)
+configure_file(rpm/preuninstall.in rpm/preuninstall)
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
+configure_file(falco-driver-loader falco-driver-loader @ONLY)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
+		DESTINATION ${FALCO_BIN_DIR})
+endif()
--- a/scripts/build-lpeg.sh
+++ b/scripts/build-lpeg.sh
@@ -1,17 +1,45 @@
-#!/bin/sh
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#

-gcc -O2 -fPIC -I$LUA_INCLUDE -c lpcap.c -o lpcap.o
-gcc -O2 -fPIC -I$LUA_INCLUDE -c lpcode.c -o lpcode.o
-gcc -O2 -fPIC -I$LUA_INCLUDE -c lpprint.c -o lpprint.o
-gcc -O2 -fPIC -I$LUA_INCLUDE -c lptree.c -o lptree.o
-gcc -O2 -fPIC -I$LUA_INCLUDE -c lpvm.c -o lpvm.o
+set -ex
+
+PREFIX=$1
+
+if [ -z "$PREFIX" ]; then
+    PREFIX=.
+fi
+
+mkdir -p $PREFIX
+
+gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcap.c -o $PREFIX/lpcap.o
+gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcode.c -o $PREFIX/lpcode.o
+gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpprint.c -o $PREFIX/lpprint.o
+gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lptree.c -o $PREFIX/lptree.o
+gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpvm.c -o $PREFIX/lpvm.o


 # For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
 #gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o

+pushd $PREFIX
 /usr/bin/ar cr lpeg.a lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
 /usr/bin/ranlib lpeg.a
+popd

 chmod ug+w re.lua
--- a/scripts/debian/falco
+++ b/scripts/debian/falco
@@ -1,4 +1,20 @@
 #! /bin/sh
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 ### BEGIN INIT INFO
 # Provides:          falco
 # Required-Start:    $remote_fs $syslog
@@ -10,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO

-# Author: Sysdig <support@sysdig.com>
+# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>

 # Do NOT "set -e"

@@ -48,6 +64,9 @@ do_start()
 	#   2 if daemon could not be started
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
 		|| return 1
+	if [ ! -d /sys/module/falco ]; then
+		/sbin/modprobe falco || exit 1
+	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
 		$DAEMON_ARGS \
 		|| return 2
@@ -77,6 +96,7 @@ do_stop()
 	# sleep for some time.
 	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
 	[ "$?" = 2 ] && return 2
+	/sbin/rmmod falco
 	# Many daemons don't delete their pidfiles when they exit.
 	rm -f $PIDFILE
 	return "$RETVAL"
--- a/scripts/debian/postinst
+++ b/scripts/debian/postinst
@@ -1,9 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-        update-rc.d $NAME defaults >/dev/null
-fi
-
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -e
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+NAME="@PACKAGE_NAME@"
+
+postinst_found=0
+
+case "$1" in
+	configure)
+		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+			if [ -f $DKMS_POSTINST ]; then
+				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+				postinst_found=1
+				break
+			fi
+		done
+		if [ "$postinst_found" -eq 0 ]; then
+			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
+			echo "built with legacy DKMS support."
+			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
+			echo "support or upgrade DKMS to a more current version."
+			exit 1
+		fi
+	;;
+esac
+
+if [ -x "/etc/init.d/$NAME" ]; then
+		update-rc.d $NAME defaults >/dev/null
+fi
+
--- a/scripts/debian/postrm
+++ b/scripts/debian/postrm
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ "$1" = "purge" ] ; then
-	update-rc.d $NAME remove >/dev/null
-fi
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -e
+
+NAME=falco
+
+if [ "$1" = "purge" ] ; then
+	update-rc.d $NAME remove >/dev/null
+fi
--- a/scripts/debian/prerm
+++ b/scripts/debian/prerm
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-				invoke-rc.d $NAME stop || exit $?
-		else
-				/etc/init.d/$NAME stop || exit $?
-		fi
-fi
-
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -e
+
+NAME="@PACKAGE_NAME@"
+
+if [ -x "/etc/init.d/$NAME" ]; then
+		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+				invoke-rc.d $NAME stop || exit $?
+		else
+				/etc/init.d/$NAME stop || exit $?
+		fi
+fi
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+
+case "$1" in
+	remove|upgrade|deconfigure)
+		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
+			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
+		fi
+	;;
+esac
--- a/scripts/description.txt
+++ b/scripts/description.txt
@@ -1,3 +1 @@
-Sysdig Falco instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events.
-Then, using a rule-based configuration, you can specify filters for events of interest that you would like to log or be notified of.
-
+Falco, the open source cloud-native runtime security project, is the defacto Kubernetes threat detection engine. Falco detects unexpected application behavior and alerts on threats at runtime.
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -0,0 +1,563 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Simple script that desperately tries to load the kernel instrumentation by
+# looking for it in a bunch of ways. Convenient when running falco inside
+# a container or in other weird environments.
+#
+
+#
+# Returns 1 if $cos_ver > $base_ver, 0 otherwise
+#
+cos_version_greater() {
+	if [[ $cos_ver == "${base_ver}" ]]; then
+		return 0
+	fi
+
+	#
+	# COS build numbers are in the format x.y.z
+	#
+	a=$(echo "${cos_ver}" | cut -d. -f1)
+	b=$(echo "${cos_ver}" | cut -d. -f2)
+	c=$(echo "${cos_ver}" | cut -d. -f3)
+
+	d=$(echo "${base_ver}" | cut -d. -f1)
+	e=$(echo "${base_ver}" | cut -d. -f2)
+	f=$(echo "${base_ver}" | cut -d. -f3)
+
+	# Test the first component
+	if [[ $a -gt $d ]]; then
+		return 1
+	elif [[ $d -gt $a ]]; then
+		return 0
+	fi
+
+	# Test the second component
+	if [[ $b -gt $e ]]; then
+		return 1
+	elif [[ $e -gt $b ]]; then
+		return 0
+	fi
+
+	# Test the third component
+	if [[ $c -gt $f ]]; then
+		return 1
+	elif [[ $f -gt $c ]]; then
+		return 0
+	fi
+
+	# If we get here, probably malformatted version string?
+
+	return 0
+}
+
+get_kernel_config() {
+	if [ -f /proc/config.gz ]; then
+		echo "* Found kernel config at /proc/config.gz"
+		KERNEL_CONFIG_PATH=/proc/config.gz
+	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at /boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
+		# this code works both for native host and agent container assuming that
+		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
+		echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
+		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
+	fi
+
+	if [ -z "${KERNEL_CONFIG_PATH}" ]; then
+		>&2 echo "Cannot find kernel config"
+		exit 1
+	fi
+
+	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
+	else
+		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
+	fi
+}
+
+get_target_id() {
+	if [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# freedesktop.org and systemd
+		# shellcheck source=/dev/null
+		source "${HOST_ROOT}/etc/os-release"
+		OS_ID=$ID
+	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
+		# Older Debian
+		# fixme > can this happen on older Ubuntu?
+		OS_ID=debian
+	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
+		# Older CentOS
+		OS_ID=centos
+	else
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
+		exit 1
+	fi
+
+	case "${OS_ID}" in
+	("amzn")
+		if [[ $VERSION_ID == "2" ]]; then
+			TARGET_ID="amazonlinux2"
+		else
+			TARGET_ID="amazonlinux"
+		fi
+		;;
+	("ubuntu")
+		if [[ $KERNEL_RELEASE == *"aws"* ]]; then
+			TARGET_ID="ubuntu-aws"
+		else
+			TARGET_ID="ubuntu-generic"
+		fi
+		;;
+	(*)
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
+	esac
+}
+
+load_kernel_module_compile() {
+	# skip dkms on UEK hosts because it will always fail
+	if [[ $(uname -r) == *uek* ]]; then
+		echo "* Skipping dkms install for UEK host"
+	else
+		if hash dkms &>/dev/null; then
+				echo "* Trying to dkms install ${DRIVER_NAME} module"
+			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+					exit 0
+				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+					exit 0
+				else
+					echo "* Unable to insmod ${DRIVER_NAME} module"
+				fi
+			else
+				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+				if [ -f "${DKMS_LOG}" ]; then
+					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
+					cat "${DKMS_LOG}"
+				else
+					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
+				fi
+			fi
+		else
+			echo "* Skipping dkms install (dkms not found)"
+		fi
+	fi
+}
+
+load_kernel_module_download() {
+
+	get_target_id
+
+	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
+
+	local URL
+	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
+
+	echo "* Trying to download prebuilt module from ${URL}"
+	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
+		echo "* Download succeeded"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		exit $?
+	else
+		>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
+		exit 1
+	fi
+}
+
+load_kernel_module() {
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod"
+		exit 1
+	fi
+
+	if ! hash modprobe > /dev/null 2>&1; then
+		>&2 echo "This program requires modprobe"
+		exit 1
+	fi
+
+	if ! hash rmmod > /dev/null 2>&1; then
+		>&2 echo "This program requires rmmod"
+		exit 1
+	fi
+
+	echo "* Unloading ${DRIVER_NAME} module, if present"
+	rmmod "${DRIVER_NAME}" 2>/dev/null
+	WAIT_TIME=0
+	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
+	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
+		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
+			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
+			break
+		fi
+		((++WAIT_TIME))
+		if (( WAIT_TIME % 5 == 0 )); then
+			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
+		fi
+		sleep 1
+	done
+
+	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
+		exit 0
+	fi
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		load_kernel_module_compile
+	fi
+
+
+	echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
+	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
+		exit 0
+	fi		
+
+
+	echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
+
+	get_target_id
+
+	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
+
+	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
+		echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		exit $?
+	fi
+
+	if [ -n "$ENABLE_DOWNLOAD" ]; then
+		load_kernel_module_download
+	fi
+}
+
+load_bpf_probe_compile() {
+	local BPF_KERNEL_SOURCES_URL=""
+	local STRIP_COMPONENTS=1
+
+	customize_kernel_build() {
+		if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
+		sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
+		fi
+		make olddefconfig > /dev/null
+		make modules_prepare > /dev/null
+	}
+
+	if [ -n "${COS}" ]; then
+		echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
+
+		BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
+		KERNEL_EXTRA_VERSION="+"
+		STRIP_COMPONENTS=0
+
+		customize_kernel_build() {
+			pushd usr/src/* > /dev/null || exit
+
+			# Note: this overrides the KERNELDIR set while untarring the tarball
+			KERNELDIR=$(pwd)
+			export KERNELDIR
+
+			sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
+			sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
+
+			popd > /dev/null || exit
+
+			# Might need to configure our own sources depending on COS version
+			cos_ver=${BUILD_ID}
+			base_ver=11553.0.0
+
+			cos_version_greater
+			greater_ret=$?
+
+			if [[ greater_ret -eq 1 ]]; then
+			export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
+			fi
+		}
+	fi
+
+	if [ -n "${MINIKUBE}" ]; then
+		echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
+		local kernel_version
+		kernel_version=$(uname -r)
+		local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
+		local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
+		local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
+
+		if [ "${kernel_version_patch}" == "0" ]; then
+			kernel_version="${kernel_version_major}.${kernel_version_minor}"
+		fi
+
+		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+	fi
+
+	if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
+		local -r kernel_version_major=$(uname -r | cut -d. -f1)
+		local -r kernel_version=$(uname -r | cut -d- -f1)
+		KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
+
+		echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
+
+		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+	fi
+
+	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
+
+		mkdir -p /tmp/kernel
+		cd /tmp/kernel || exit
+		cd "$(mktemp -d -p /tmp/kernel)" || exit
+		if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
+			>&2 echo "Download failed"
+			exit 1;
+		fi
+
+		echo "* Extracting kernel sources"
+
+		mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
+
+		cd kernel-sources || exit
+		KERNELDIR=$(pwd)
+		export KERNELDIR
+
+		if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+			zcat "${KERNEL_CONFIG_PATH}" > .config
+		else
+			cat "${KERNEL_CONFIG_PATH}" > .config
+		fi
+
+		echo "* Configuring kernel"
+		customize_kernel_build
+	fi
+
+	echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
+
+	make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
+
+	mkdir -p "${HOME}/.falco"
+	mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+
+	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		rm -r /tmp/kernel
+	fi
+
+}
+
+load_bpf_probe_download() {
+	local URL
+	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+
+	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
+
+	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
+		>&2 echo "Download failed"
+		exit 1;
+	fi
+}
+
+load_bpf_probe() {
+
+	echo "* Mounting debugfs"
+
+	if [ ! -d /sys/kernel/debug/tracing ]; then
+		mount -t debugfs nodev /sys/kernel/debug
+	fi
+
+	get_kernel_config
+
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# shellcheck source=/dev/null
+		source "${HOST_ROOT}/etc/os-release"
+
+		if [ "${ID}" == "cos" ]; then
+			COS=1
+		fi
+	fi
+
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		MINIKUBE=1
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
+	fi
+
+	get_target_id
+
+	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		else
+			load_bpf_probe_compile
+		fi
+	fi
+
+	if [ -n "$ENABLE_DOWNLOAD" ]; then
+		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		else
+			load_bpf_probe_download
+		fi
+	fi
+
+	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+		echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+
+		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
+			echo "******************************************************************"
+			echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
+			echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **"
+			echo "******************************************************************"
+		fi
+
+		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
+			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
+		exit $?
+	else
+		>&2 echo "Failure to find an eBPF probe"
+		exit 1
+	fi
+}
+
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  falco-driver-loader [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  module        kernel module (default)"
+	echo "  bpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help         show brief help"
+	echo "  --compile      try to compile the driver locally"
+	echo "  --download     try to download a prebuilt driver"
+	echo "  --source-only  skip execution and allow sourcing in another script"
+	echo ""
+}
+
+ARCH=$(uname -m)
+KERNEL_RELEASE=$(uname -r)
+KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
+DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
+
+if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
+then
+	FALCO_DRIVER_CURL_OPTIONS=-fsSk
+else
+	FALCO_DRIVER_CURL_OPTIONS=-fsS
+fi
+
+if [[ -z "$MAX_RMMOD_WAIT" ]]; then
+	MAX_RMMOD_WAIT=60
+fi
+
+DRIVER_VERSION="@PROBE_VERSION@"
+DRIVER_NAME="@PROBE_NAME@"
+
+DRIVER="module"
+if [ -v FALCO_BPF_PROBE ]; then
+	DRIVER="bpf"
+fi
+
+ENABLE_COMPILE=
+ENABLE_DOWNLOAD=
+
+has_args=
+has_opts=
+source_only=
+while test $# -gt 0; do
+	case "$1" in
+		module|bpf)
+			if [ -n "$has_args" ]; then
+				>&2 echo "Only one driver can be passed"
+				print_usage
+				exit 1
+			else
+				DRIVER="$1"
+				has_args="true"
+				shift
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--compile)
+			ENABLE_COMPILE="yes"
+			has_opts="true"
+			shift
+			;;
+		--download)
+			ENABLE_DOWNLOAD="yes"
+			has_opts="true"
+			shift
+			;;
+		--source-only)
+			source_only="true"
+			shift
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+done
+
+if [ -z "$has_opts" ]; then
+	ENABLE_COMPILE="yes"
+	ENABLE_DOWNLOAD="yes"
+fi
+
+if [ -z "$source_only" ]; then
+	if [ "$(id -u)" != 0 ]; then
+		>&2 echo "This program must be run as root (or with sudo)"
+		exit 1
+	fi
+
+	if ! hash curl > /dev/null 2>&1; then
+		>&2 echo "This program requires curl"
+		exit 1
+	fi
+
+	echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
+	case $DRIVER in 
+		module)
+			load_kernel_module
+			;;
+		bpf)
+			load_bpf_probe
+			;;
+	esac
+fi
--- a/scripts/ignored-calls.sh
+++ b/scripts/ignored-calls.sh
@@ -1,16 +1,25 @@
-#!/bin/bash
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+parentdir="$(dirname "$scriptdir")"
+sysdigdir="${parentdir}/build/sysdig-repo/sysdig-prefix/src/sysdig"
+cat "${sysdigdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
+cat "${sysdigdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt

-cat ../sysdig/userspace/libscap/syscall_info_table.c | grep EF_DROP_FALCO | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > ignored_syscall_info_table.txt
-cat ../sysdig/driver/event_table.c | grep EF_DROP_FALCO | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > ignored_driver_event_table.txt
-cat ../sysdig/userspace/libscap/event_table.c | grep EF_DROP_FALCO | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > ignored_userspace_event_table.txt
-
-
-diff -up ignored_driver_event_table.txt ignored_userspace_event_table.txt
-
-if [ $? -ne 0 ]; then
-    echo "Expected ignored_driver_event_table.txt and ignored_userspace_event_table.txt to have same calls"
-fi
-
-
-cat ignored_userspace_event_table.txt ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '
+cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>