diff --git a/driver/event_table.c b/driver/event_table.c
index 614d83f978..a5186dbfb3 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -58,16 +58,16 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_RECVFROM_X */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 	/* PPME_SOCKET_SHUTDOWN_E */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 2, {{"fd", PT_FD, PF_DEC}, {"how", PT_FLAGS8, PF_HEX, shutdown_how} } },
 	/* PPME_SOCKET_SHUTDOWN_X */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SOCKET_GETSOCKNAME_E */{"getsockname", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKNAME_X */{"getsockname", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETPEERNAME_E */{"getpeername", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETPEERNAME_X */{"getpeername", EC_NET, EF_NONE, 0},
+	/* PPME_SOCKET_GETSOCKNAME_E */{"getsockname", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETSOCKNAME_X */{"getsockname", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETPEERNAME_E */{"getpeername", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETPEERNAME_X */{"getpeername", EC_NET, EF_DROP_FALCO, 0},
 	/* PPME_SOCKET_SOCKETPAIR_E */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"domain", PT_FLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC} } },
 	/* PPME_SOCKET_SOECKETPAIR_X */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"source", PT_UINT64, PF_HEX}, {"peer", PT_UINT64, PF_HEX} } },
 	/* PPME_SOCKET_SETSOCKOPT_E */{"setsockopt", EC_NET, EF_NONE, 0},
 	/* PPME_SOCKET_SETSOCKOPT_X */{"setsockopt", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_NONE, 0},
+	/* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_DROP_FALCO, 0},
 	/* PPME_SOCKET_SENDMSG_E */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 	/* PPME_SOCKET_SENDMSG_X */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SOCKET_SENDMMSG_E */{"sendmmsg", EC_IO_WRITE, EF_DROP_FALCO, 0},
@@ -112,9 +112,9 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_LLSEEK_X */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_IOCTL_2_E */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX} } },
 	/* PPME_SYSCALL_IOCTL_2_X */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_GETCWD_E */{"getcwd", EC_FILE, EF_NONE, 0},
+	/* PPME_SYSCALL_GETCWD_E */{"getcwd", EC_FILE, EF_DROP_FALCO, 0},
 	/* Note: path is PT_CHARBUF and not PT_FSPATH because we assume it's abosulte and will never need resolution */
-	/* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
+	/* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
 	/* Note: path is PT_CHARBUF and not PT_FSPATH because we don't want it to be resolved, since the event handler already changes it */
 	/* PPME_SYSCALL_CHDIR_E */{"chdir", EC_FILE, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_CHDIR_X */{"chdir", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
@@ -134,10 +134,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_UNLINK_X */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_UNLINKAT_E */{"unlinkat", EC_FILE, EF_OLD_VERSION, 2, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA} } },
 	/* PPME_SYSCALL_UNLINKAT_X */{"unlinkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
-	/* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
-	/* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
-	/* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
+	/* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
+	/* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
+	/* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
+	/* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SYSCALL_READV_E */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 1, {{"fd", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_READV_X */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SYSCALL_WRITEV_E */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },
@@ -162,10 +162,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_TIMERFD_CREATE_X */{"timerfd_create", EC_TIME, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 1, {{"res", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_INOTIFY_INIT_E */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS8, PF_HEX} } },
 	/* PPME_SYSCALL_INOTIFY_INIT_X */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } },
-	/* PPME_SYSCALL_GETRLIMIT_E */{"getrlimit", EC_PROCESS, EF_NONE, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
-	/* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
-	/* PPME_SYSCALL_SETRLIMIT_E */{"setrlimit", EC_PROCESS, EF_NONE, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
-	/* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+	/* PPME_SYSCALL_GETRLIMIT_E */{"getrlimit", EC_PROCESS, EF_DROP_FALCO, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
+	/* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+	/* PPME_SYSCALL_SETRLIMIT_E */{"setrlimit", EC_PROCESS, EF_DROP_FALCO, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
+	/* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
 	/* PPME_SYSCALL_PRLIMIT_E */{"prlimit", EC_PROCESS, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
 	/* PPME_SYSCALL_PRLIMIT_X */{"prlimit", EC_PROCESS, EF_NONE, 5, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC} } },
 	/* PPME_SCHEDSWITCH_1_E */{"switch", EC_SCHEDULER, EF_SKIPPARSERESET | EF_OLD_VERSION | EF_DROP_FALCO, 1, {{"next", PT_PID, PF_DEC} } },
@@ -180,16 +180,16 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_EXECVE_13_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 13, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_CLONE_16_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	/* PPME_CLONE_16_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_BRK_4_E */{"brk", EC_MEMORY, EF_NONE, 1, {{"addr", PT_UINT64, PF_HEX} } },
-	/* PPME_SYSCALL_BRK_4_X */{"brk", EC_MEMORY, EF_NONE, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
+	/* PPME_SYSCALL_BRK_4_E */{"brk", EC_MEMORY, EF_DROP_FALCO, 1, {{"addr", PT_UINT64, PF_HEX} } },
+	/* PPME_SYSCALL_BRK_4_X */{"brk", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP_E */{"mmap", EC_MEMORY, EF_DROP_FALCO, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP_X */{"mmap", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP2_E */{"mmap2", EC_MEMORY, EF_DROP_FALCO, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP2_X */{"mmap2", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MUNMAP_E */{"munmap", EC_MEMORY, EF_DROP_FALCO, 2, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MUNMAP_X */{"munmap", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD, 4, {{"fd_in", PT_FD, PF_DEC}, {"fd_out", PT_FD, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } },
-	/* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_FALCO, 4, {{"fd_in", PT_FD, PF_DEC}, {"fd_out", PT_FD, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } },
+	/* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_PTRACE_E */{"ptrace", EC_PROCESS, EF_NONE, 2, {{"request", PT_FLAGS16, PF_DEC, ptrace_requests}, {"pid", PT_PID, PF_DEC} } },
 	/* PPME_SYSCALL_PTRACE_X */{"ptrace", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX}, {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX} } },
 	/* PPME_SYSCALL_IOCTL_3_E */{"ioctl", EC_IO_OTHER, EF_USES_FD, 3, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}, {"argument", PT_UINT64, PF_HEX} } },
@@ -224,18 +224,18 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_SETUID_X */ {"setuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_SETGID_E */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"gid", PT_GID, PF_DEC} } },
 	/* PPME_SYSCALL_SETGID_X */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_GETUID_E */ {"getuid", EC_USER, EF_NONE, 0},
-	/* PPME_SYSCALL_GETUID_X */ {"getuid", EC_USER, EF_NONE, 1, {{"uid", PT_UID, PF_DEC} } },
-	/* PPME_SYSCALL_GETEUID_E */ {"geteuid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETEUID_X */ {"geteuid", EC_USER, EF_NONE, 1, {{"euid", PT_UID, PF_DEC} } },
-	/* PPME_SYSCALL_GETGID_E */ {"getgid", EC_USER, EF_NONE, 0},
-	/* PPME_SYSCALL_GETGID_X */ {"getgid", EC_USER, EF_NONE, 1, {{"gid", PT_GID, PF_DEC} } },
-	/* PPME_SYSCALL_GETEGID_E */ {"getegid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETEGID_X */ {"getegid", EC_USER, EF_NONE, 1, {{"egid", PT_GID, PF_DEC} } },
-	/* PPME_SYSCALL_GETRESUID_E */ {"getresuid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } },
-	/* PPME_SYSCALL_GETRESGID_E */ {"getresgid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } },
+	/* PPME_SYSCALL_GETUID_E */ {"getuid", EC_USER, EF_DROP_FALCO, 0},
+	/* PPME_SYSCALL_GETUID_X */ {"getuid", EC_USER, EF_DROP_FALCO, 1, {{"uid", PT_UID, PF_DEC} } },
+	/* PPME_SYSCALL_GETEUID_E */ {"geteuid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETEUID_X */ {"geteuid", EC_USER, EF_DROP_FALCO, 1, {{"euid", PT_UID, PF_DEC} } },
+	/* PPME_SYSCALL_GETGID_E */ {"getgid", EC_USER, EF_DROP_FALCO, 0},
+	/* PPME_SYSCALL_GETGID_X */ {"getgid", EC_USER, EF_DROP_FALCO, 1, {{"gid", PT_GID, PF_DEC} } },
+	/* PPME_SYSCALL_GETEGID_E */ {"getegid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETEGID_X */ {"getegid", EC_USER, EF_DROP_FALCO, 1, {{"egid", PT_GID, PF_DEC} } },
+	/* PPME_SYSCALL_GETRESUID_E */ {"getresuid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } },
+	/* PPME_SYSCALL_GETRESGID_E */ {"getresgid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } },
 	/* PPME_SYSCALL_EXECVE_15_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	/* PPME_SYSCALL_EXECVE_15_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 15, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } },
 	/* PPME_CLONE_17_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
@@ -254,7 +254,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_CONTAINER_X */{"container", EC_INTERNAL, EF_UNUSED, 0},
 	/* PPME_SYSCALL_EXECVE_16_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_EXECVE_16_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 16, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } },
-	/* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_NONE, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } },
+	/* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_DROP_FALCO, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } },
 	/* PPME_SIGNALDELIVER_X */ {"signaldeliver", EC_SIGNAL, EF_UNUSED, 0 },
 	/* PPME_PROCINFO_E */{"procinfo", EC_INTERNAL, EF_SKIPPARSERESET | EF_DROP_FALCO, 2, {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC} } },
 	/* PPME_PROCINFO_X */{"NA2", EC_INTERNAL, EF_UNUSED, 0},
@@ -272,10 +272,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_ACCEPT_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } },
 	/* PPME_SOCKET_ACCEPT4_5_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } },
 	/* PPME_SOCKET_ACCEPT4_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMOP_E */ {"semop", EC_PROCESS, EF_NONE, 1, {{"semid", PT_INT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_NONE, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } },
-	/* PPME_SYSCALL_SEMCTL_E */{"semctl", EC_PROCESS, EF_NONE, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_SEMOP_E */ {"semop", EC_PROCESS, EF_DROP_FALCO, 1, {{"semid", PT_INT32, PF_DEC} } },
+	/* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_DROP_FALCO, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } },
+	/* PPME_SYSCALL_SEMCTL_E */{"semctl", EC_PROCESS, EF_DROP_FALCO, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } },
+	/* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_PPOLL_E */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_FALCO, 3, {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_RELTIME, PF_DEC}, {"sigmask", PT_SIGSET, PF_DEC} } },
 	/* PPME_SYSCALL_PPOLL_X */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 	/* PPME_SYSCALL_MOUNT_E */{"mount", EC_FILE, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
@@ -284,10 +284,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_UMOUNT_X */{"umount", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	/* PPME_K8S_E */{"k8s", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	/* PPME_K8S_X */{"NA3", EC_SYSTEM, EF_UNUSED, 0},
-	/* PPME_SYSCALL_SEMGET_E */{"semget", EC_PROCESS, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
-	/* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_ACCESS_E */{"access", EC_FILE, EF_NONE, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } },
-	/* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+	/* PPME_SYSCALL_SEMGET_E */{"semget", EC_PROCESS, EF_DROP_FALCO, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
+	/* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_ACCESS_E */{"access", EC_FILE, EF_DROP_FALCO, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } },
+	/* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	/* PPME_SYSCALL_CHROOT_E */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_CHROOT_X */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_TRACER_E */{"tracer", EC_OTHER, EF_NONE, 3, {{"id", PT_INT64, PF_DEC}, {"tags", PT_CHARBUFARRAY, PF_NA}, {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA} } },
diff --git a/userspace/libscap/event_table.c b/userspace/libscap/event_table.c
index 9b6202a9ca..19fc3a3035 100644
--- a/userspace/libscap/event_table.c
+++ b/userspace/libscap/event_table.c
@@ -58,16 +58,16 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_RECVFROM_X */{"recvfrom", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 	/* PPME_SOCKET_SHUTDOWN_E */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 2, {{"fd", PT_FD, PF_DEC}, {"how", PT_FLAGS8, PF_HEX, shutdown_how} } },
 	/* PPME_SOCKET_SHUTDOWN_X */{"shutdown", EC_NET, EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SOCKET_GETSOCKNAME_E */{"getsockname", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKNAME_X */{"getsockname", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETPEERNAME_E */{"getpeername", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETPEERNAME_X */{"getpeername", EC_NET, EF_NONE, 0},
+	/* PPME_SOCKET_GETSOCKNAME_E */{"getsockname", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETSOCKNAME_X */{"getsockname", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETPEERNAME_E */{"getpeername", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETPEERNAME_X */{"getpeername", EC_NET, EF_DROP_FALCO, 0},
 	/* PPME_SOCKET_SOCKETPAIR_E */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"domain", PT_FLAGS32, PF_DEC, socket_families}, {"type", PT_UINT32, PF_DEC}, {"proto", PT_UINT32, PF_DEC} } },
 	/* PPME_SOCKET_SOECKETPAIR_X */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"source", PT_UINT64, PF_HEX}, {"peer", PT_UINT64, PF_HEX} } },
 	/* PPME_SOCKET_SETSOCKOPT_E */{"setsockopt", EC_NET, EF_NONE, 0},
 	/* PPME_SOCKET_SETSOCKOPT_X */{"setsockopt", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_NONE, 0},
-	/* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_NONE, 0},
+	/* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_DROP_FALCO, 0},
+	/* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_DROP_FALCO, 0},
 	/* PPME_SOCKET_SENDMSG_E */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 	/* PPME_SOCKET_SENDMSG_X */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SOCKET_SENDMMSG_E */{"sendmmsg", EC_IO_WRITE, EF_DROP_FALCO, 0},
@@ -112,9 +112,9 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_LLSEEK_X */{"llseek", EC_FILE, EF_USES_FD | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_IOCTL_2_E */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX} } },
 	/* PPME_SYSCALL_IOCTL_2_X */{"ioctl", EC_IO_OTHER, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_GETCWD_E */{"getcwd", EC_FILE, EF_NONE, 0},
+	/* PPME_SYSCALL_GETCWD_E */{"getcwd", EC_FILE, EF_DROP_FALCO, 0},
 	/* Note: path is PT_CHARBUF and not PT_FSPATH because we assume it's abosulte and will never need resolution */
-	/* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
+	/* PPME_SYSCALL_GETCWD_X */{"getcwd", EC_FILE, EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
 	/* Note: path is PT_CHARBUF and not PT_FSPATH because we don't want it to be resolved, since the event handler already changes it */
 	/* PPME_SYSCALL_CHDIR_E */{"chdir", EC_FILE, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_CHDIR_X */{"chdir", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_CHARBUF, PF_NA} } },
@@ -130,14 +130,14 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_LINK_X */{"link", EC_FILE, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_LINKAT_E */{"linkat", EC_FILE, EF_NONE, 4, {{"olddir", PT_FD, PF_DEC}, {"oldpath", PT_CHARBUF, PF_NA}, {"newdir", PT_FD, PF_DEC}, {"newpath", PT_CHARBUF, PF_NA} } },
 	/* PPME_SYSCALL_LINKAT_X */{"linkat", EC_FILE, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_UNLINK_E */{"unlink", EC_FILE, EF_NONE, 1, {{"path", PT_FSPATH, PF_NA} } },
-	/* PPME_SYSCALL_UNLINK_X */{"unlink", EC_FILE, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_UNLINKAT_E */{"unlinkat", EC_FILE, EF_NONE, 2, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA} } },
-	/* PPME_SYSCALL_UNLINKAT_X */{"unlinkat", EC_FILE, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
-	/* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
-	/* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
-	/* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
+	/* PPME_SYSCALL_UNLINK_E */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA} } },
+	/* PPME_SYSCALL_UNLINK_X */{"unlink", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_UNLINKAT_E */{"unlinkat", EC_FILE, EF_OLD_VERSION, 2, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA} } },
+	/* PPME_SYSCALL_UNLINKAT_X */{"unlinkat", EC_FILE, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_PREAD_E */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
+	/* PPME_SYSCALL_PREAD_X */{"pread", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
+	/* PPME_SYSCALL_PWRITE_E */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"pos", PT_UINT64, PF_DEC} } },
+	/* PPME_SYSCALL_PWRITE_X */{"pwrite", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SYSCALL_READV_E */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 1, {{"fd", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_READV_X */{"readv", EC_IO_READ, EF_USES_FD | EF_READS_FROM_FD | EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 	/* PPME_SYSCALL_WRITEV_E */{"writev", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_DROP_FALCO, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },
@@ -162,10 +162,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_TIMERFD_CREATE_X */{"timerfd_create", EC_TIME, EF_CREATES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO, 1, {{"res", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_INOTIFY_INIT_E */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS8, PF_HEX} } },
 	/* PPME_SYSCALL_INOTIFY_INIT_X */{"inotify_init", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } },
-	/* PPME_SYSCALL_GETRLIMIT_E */{"getrlimit", EC_PROCESS, EF_NONE, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
-	/* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
-	/* PPME_SYSCALL_SETRLIMIT_E */{"setrlimit", EC_PROCESS, EF_NONE, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
-	/* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+	/* PPME_SYSCALL_GETRLIMIT_E */{"getrlimit", EC_PROCESS, EF_DROP_FALCO, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
+	/* PPME_SYSCALL_GETRLIMIT_X */{"getrlimit", EC_PROCESS, EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+	/* PPME_SYSCALL_SETRLIMIT_E */{"setrlimit", EC_PROCESS, EF_DROP_FALCO, 1, {{"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
+	/* PPME_SYSCALL_SETRLIMIT_X */{"setrlimit", EC_PROCESS, EF_DROP_FALCO, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
 	/* PPME_SYSCALL_PRLIMIT_E */{"prlimit", EC_PROCESS, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_FLAGS8, PF_DEC, rlimit_resources} } },
 	/* PPME_SYSCALL_PRLIMIT_X */{"prlimit", EC_PROCESS, EF_NONE, 5, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC} } },
 	/* PPME_SCHEDSWITCH_1_E */{"switch", EC_SCHEDULER, EF_SKIPPARSERESET | EF_OLD_VERSION | EF_DROP_FALCO, 1, {{"next", PT_PID, PF_DEC} } },
@@ -180,16 +180,16 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_EXECVE_13_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 13, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_CLONE_16_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	/* PPME_CLONE_16_X */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_BRK_4_E */{"brk", EC_MEMORY, EF_NONE, 1, {{"addr", PT_UINT64, PF_HEX} } },
-	/* PPME_SYSCALL_BRK_4_X */{"brk", EC_MEMORY, EF_NONE, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
+	/* PPME_SYSCALL_BRK_4_E */{"brk", EC_MEMORY, EF_DROP_FALCO, 1, {{"addr", PT_UINT64, PF_HEX} } },
+	/* PPME_SYSCALL_BRK_4_X */{"brk", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP_E */{"mmap", EC_MEMORY, EF_DROP_FALCO, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP_X */{"mmap", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP2_E */{"mmap2", EC_MEMORY, EF_DROP_FALCO, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MMAP2_X */{"mmap2", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	/* PPME_SYSCALL_MUNMAP_E */{"munmap", EC_MEMORY, EF_DROP_FALCO, 2, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC} } },
 	/* PPME_SYSCALL_MUNMAP_X */{"munmap", EC_MEMORY, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD, 4, {{"fd_in", PT_FD, PF_DEC}, {"fd_out", PT_FD, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } },
-	/* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_SPLICE_E */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_FALCO, 4, {{"fd_in", PT_FD, PF_DEC}, {"fd_out", PT_FD, PF_DEC}, {"size", PT_UINT64, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, splice_flags} } },
+	/* PPME_SYSCALL_SPLICE_X */{"splice", EC_IO_OTHER, EF_USES_FD | EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_PTRACE_E */{"ptrace", EC_PROCESS, EF_NONE, 2, {{"request", PT_FLAGS16, PF_DEC, ptrace_requests}, {"pid", PT_PID, PF_DEC} } },
 	/* PPME_SYSCALL_PTRACE_X */{"ptrace", EC_PROCESS, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX}, {"data", PT_DYN, PF_HEX, ptrace_dynamic_param, PPM_PTRACE_IDX_MAX} } },
 	/* PPME_SYSCALL_IOCTL_3_E */{"ioctl", EC_IO_OTHER, EF_USES_FD, 3, {{"fd", PT_FD, PF_DEC}, {"request", PT_UINT64, PF_HEX}, {"argument", PT_UINT64, PF_HEX} } },
@@ -224,18 +224,18 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_SETUID_X */ {"setuid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_SETGID_E */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"gid", PT_GID, PF_DEC} } },
 	/* PPME_SYSCALL_SETGID_X */ {"setgid", EC_USER, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_GETUID_E */ {"getuid", EC_USER, EF_NONE, 0},
-	/* PPME_SYSCALL_GETUID_X */ {"getuid", EC_USER, EF_NONE, 1, {{"uid", PT_UID, PF_DEC} } },
-	/* PPME_SYSCALL_GETEUID_E */ {"geteuid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETEUID_X */ {"geteuid", EC_USER, EF_NONE, 1, {{"euid", PT_UID, PF_DEC} } },
-	/* PPME_SYSCALL_GETGID_E */ {"getgid", EC_USER, EF_NONE, 0},
-	/* PPME_SYSCALL_GETGID_X */ {"getgid", EC_USER, EF_NONE, 1, {{"gid", PT_GID, PF_DEC} } },
-	/* PPME_SYSCALL_GETEGID_E */ {"getegid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETEGID_X */ {"getegid", EC_USER, EF_NONE, 1, {{"egid", PT_GID, PF_DEC} } },
-	/* PPME_SYSCALL_GETRESUID_E */ {"getresuid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } },
-	/* PPME_SYSCALL_GETRESGID_E */ {"getresgid", EC_USER, EF_NONE, 0 },
-	/* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } },
+	/* PPME_SYSCALL_GETUID_E */ {"getuid", EC_USER, EF_DROP_FALCO, 0},
+	/* PPME_SYSCALL_GETUID_X */ {"getuid", EC_USER, EF_DROP_FALCO, 1, {{"uid", PT_UID, PF_DEC} } },
+	/* PPME_SYSCALL_GETEUID_E */ {"geteuid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETEUID_X */ {"geteuid", EC_USER, EF_DROP_FALCO, 1, {{"euid", PT_UID, PF_DEC} } },
+	/* PPME_SYSCALL_GETGID_E */ {"getgid", EC_USER, EF_DROP_FALCO, 0},
+	/* PPME_SYSCALL_GETGID_X */ {"getgid", EC_USER, EF_DROP_FALCO, 1, {{"gid", PT_GID, PF_DEC} } },
+	/* PPME_SYSCALL_GETEGID_E */ {"getegid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETEGID_X */ {"getegid", EC_USER, EF_DROP_FALCO, 1, {{"egid", PT_GID, PF_DEC} } },
+	/* PPME_SYSCALL_GETRESUID_E */ {"getresuid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETRESUID_X */ {"getresuid", EC_USER, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } },
+	/* PPME_SYSCALL_GETRESGID_E */ {"getresgid", EC_USER, EF_DROP_FALCO, 0 },
+	/* PPME_SYSCALL_GETRESGID_X */ {"getresgid", EC_USER, EF_DROP_FALCO, 4, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } },
 	/* PPME_SYSCALL_EXECVE_15_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	/* PPME_SYSCALL_EXECVE_15_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 15, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } },
 	/* PPME_CLONE_17_E */{"clone", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
@@ -254,7 +254,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_CONTAINER_X */{"container", EC_INTERNAL, EF_UNUSED, 0},
 	/* PPME_SYSCALL_EXECVE_16_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_EXECVE_16_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 16, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA} } },
-	/* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_NONE, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } },
+	/* PPME_SIGNALDELIVER_E */ {"signaldeliver", EC_SIGNAL, EF_DROP_FALCO, 3, {{"spid", PT_PID, PF_DEC}, {"dpid", PT_PID, PF_DEC}, {"sig", PT_SIGTYPE, PF_DEC} } },
 	/* PPME_SIGNALDELIVER_X */ {"signaldeliver", EC_SIGNAL, EF_UNUSED, 0 },
 	/* PPME_PROCINFO_E */{"procinfo", EC_INTERNAL, EF_SKIPPARSERESET | EF_DROP_FALCO, 2, {{"cpu_usr", PT_UINT64, PF_DEC}, {"cpu_sys", PT_UINT64, PF_DEC} } },
 	/* PPME_PROCINFO_X */{"NA2", EC_INTERNAL, EF_UNUSED, 0},
@@ -272,10 +272,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_ACCEPT_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } },
 	/* PPME_SOCKET_ACCEPT4_5_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } },
 	/* PPME_SOCKET_ACCEPT4_5_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMOP_E */ {"semop", EC_PROCESS, EF_NONE, 1, {{"semid", PT_INT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_NONE, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } },
-	/* PPME_SYSCALL_SEMCTL_E */{"semctl", EC_PROCESS, EF_NONE, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } },
-	/* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_SEMOP_E */ {"semop", EC_PROCESS, EF_DROP_FALCO, 1, {{"semid", PT_INT32, PF_DEC} } },
+	/* PPME_SYSCALL_SEMOP_X */ {"semop", EC_PROCESS, EF_DROP_FALCO, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } },
+	/* PPME_SYSCALL_SEMCTL_E */{"semctl", EC_PROCESS, EF_DROP_FALCO, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } },
+	/* PPME_SYSCALL_SEMCTL_X */{"semctl", EC_PROCESS, EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	/* PPME_SYSCALL_PPOLL_E */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_FALCO, 3, {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_RELTIME, PF_DEC}, {"sigmask", PT_SIGSET, PF_DEC} } },
 	/* PPME_SYSCALL_PPOLL_X */{"ppoll", EC_WAIT, EF_WAITS | EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 	/* PPME_SYSCALL_MOUNT_E */{"mount", EC_FILE, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
@@ -284,10 +284,10 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_UMOUNT_X */{"umount", EC_FILE, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	/* PPME_K8S_E */{"k8s", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	/* PPME_K8S_X */{"NA3", EC_SYSTEM, EF_UNUSED, 0},
-	/* PPME_SYSCALL_SEMGET_E */{"semget", EC_PROCESS, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
-	/* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_SYSCALL_ACCESS_E */{"access", EC_FILE, EF_NONE, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } },
-	/* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+	/* PPME_SYSCALL_SEMGET_E */{"semget", EC_PROCESS, EF_DROP_FALCO, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
+	/* PPME_SYSCALL_SEMGET_X */{"semget", EC_PROCESS, EF_DROP_FALCO, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_ACCESS_E */{"access", EC_FILE, EF_DROP_FALCO, 1, {{"mode", PT_FLAGS32, PF_HEX, access_flags} } },
+	/* PPME_SYSCALL_ACCESS_X */{"access", EC_FILE, EF_DROP_FALCO, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	/* PPME_SYSCALL_CHROOT_E */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_CHROOT_X */{"chroot", EC_PROCESS, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_TRACER_E */{"tracer", EC_OTHER, EF_NONE, 3, {{"id", PT_INT64, PF_DEC}, {"tags", PT_CHARBUFARRAY, PF_NA}, {"args", PT_CHARBUF_PAIR_ARRAY, PF_NA} } },
@@ -308,7 +308,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } },
 	/* PPME_SYSCALL_UNSHARE_E */ {"unshare", EC_PROCESS, EF_NONE, 1, {{"flags", PT_FLAGS32, PF_HEX, clone_flags} } },
 	/* PPME_SYSCALL_UNSHARE_X */ {"unshare", EC_PROCESS, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
-	/* PPME_INFRASTRUCTURE_EVENT_E */{"infra", EC_OTHER, EF_SKIPPARSERESET, 4, {{"source", PT_CHARBUF, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"description", PT_CHARBUF, PF_NA}, {"scope", PT_CHARBUF, PF_NA} } },
+	/* PPME_INFRASTRUCTURE_EVENT_E */{"infra", EC_INTERNAL, EF_SKIPPARSERESET, 4, {{"source", PT_CHARBUF, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"description", PT_CHARBUF, PF_NA}, {"scope", PT_CHARBUF, PF_NA} } },
 	/* PPME_INFRASTRUCTURE_EVENT_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
 	/* PPME_SYSCALL_EXECVE_18_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"filename", PT_FSPATH, PF_NA}} },
 	/* PPME_SYSCALL_EXECVE_18_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE | EF_OLD_VERSION, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } },
diff --git a/userspace/libscap/syscall_info_table.c b/userspace/libscap/syscall_info_table.c
index e0decf944f..3b1a423683 100644
--- a/userspace/libscap/syscall_info_table.c
+++ b/userspace/libscap/syscall_info_table.c
@@ -35,19 +35,19 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_LINK*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "link" },
 	/*PPM_SC_UNLINK*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "unlink" },
 	/*PPM_SC_CHDIR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "chdir" },
-	/*PPM_SC_TIME*/ { EC_TIME, (enum ppm_event_flags)(EF_NONE), "time" },
+	/*PPM_SC_TIME*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "time" },
 	/*PPM_SC_MKNOD*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "mknod" },
 	/*PPM_SC_CHMOD*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "chmod" },
 	/*PPM_SC_STAT*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "stat" },
 	/*PPM_SC_LSEEK*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "lseek" },
-	/*PPM_SC_GETPID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getpid" },
+	/*PPM_SC_GETPID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getpid" },
 	/*PPM_SC_MOUNT*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "mount" },
 	/*PPM_SC_PTRACE*/ { EC_OTHER, (enum ppm_event_flags)(EF_NONE), "ptrace" },
-	/*PPM_SC_ALARM*/ { EC_TIME, (enum ppm_event_flags)(EF_NONE), "alarm" },
+	/*PPM_SC_ALARM*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "alarm" },
 	/*PPM_SC_FSTAT*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fstat" },
-	/*PPM_SC_PAUSE*/ { EC_WAIT, (enum ppm_event_flags)(EF_NONE), "pause" },	/* WAIT UNTIL A SIGNAL ARRIVES */
+	/*PPM_SC_PAUSE*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "pause" },	/* WAIT UNTIL A SIGNAL ARRIVES */
 	/*PPM_SC_UTIME*/ { EC_TIME, (enum ppm_event_flags)(EF_NONE), "utime" },
-	/*PPM_SC_ACCESS*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "access" },	/* checks whether the calling process can access the file pathname */
+	/*PPM_SC_ACCESS*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "access" },	/* checks whether the calling process can access the file pathname */
 	/*PPM_SC_SYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "sync" },	/* causes all buffered modifications to file metadata and data to be written to the underlying file systems. */
 	/*PPM_SC_KILL*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "kill" },
 	/*PPM_SC_RENAME*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "rename" },
@@ -55,22 +55,22 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_RMDIR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "rmdir" },
 	/*PPM_SC_DUP*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "dup" },
 	/*PPM_SC_PIPE*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "pipe" },
-	/*PPM_SC_TIMES*/ { EC_TIME, (enum ppm_event_flags)(EF_NONE), "times" },
-	/*PPM_SC_BRK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "brk" },
+	/*PPM_SC_TIMES*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "times" },
+	/*PPM_SC_BRK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "brk" },
 	/*PPM_SC_ACCT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "acct" },
 	/*PPM_SC_IOCTL*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "ioctl" },
 	/*PPM_SC_FCNTL*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "fcntl" },
 	/*PPM_SC_SETPGID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "setpgid" },
-	/*PPM_SC_UMASK*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "umask" },	/* sets the calling process's file mode creation mask */
+	/*PPM_SC_UMASK*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "umask" },	/* sets the calling process's file mode creation mask */
 	/*PPM_SC_CHROOT*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "chroot" }, /* changes the root directory of the calling process to that specified in path. This directory will be used for path names beginning with /. The root directory is inherited by all children of the calling process. */
-	/*PPM_SC_USTAT*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "ustat" }, /* returns information about a mounted file system. */
+	/*PPM_SC_USTAT*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "ustat" }, /* returns information about a mounted file system. */
 	/*PPM_SC_DUP2*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "dup2" },
-	/*PPM_SC_GETPPID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getppid" },
-	/*PPM_SC_GETPGRP*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getpgrp" },
+	/*PPM_SC_GETPPID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getppid" },
+	/*PPM_SC_GETPGRP*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getpgrp" },
 	/*PPM_SC_SETSID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "setsid" }, /* creates a session and sets the process group ID */
 	/*PPM_SC_SETHOSTNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "sethostname" },
-	/*PPM_SC_SETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "setrlimit" }, /* get/set resource (CPU, FDs, memory...) limits */
-	/*PPM_SC_GETRUSAGE*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getrusage" }, /* returns resource usage measures for who */
+	/*PPM_SC_SETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "setrlimit" }, /* get/set resource (CPU, FDs, memory...) limits */
+	/*PPM_SC_GETRUSAGE*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getrusage" }, /* returns resource usage measures for who */
 	/*PPM_SC_GETTIMEOFDAY*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "gettimeofday" },
 	/*PPM_SC_SETTIMEOFDAY*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "settimeofday" },
 	/*PPM_SC_SYMLINK*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "symlink" },
@@ -84,26 +84,26 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_TRUNCATE*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "truncate" }, /* truncate a file to a specified length */
 	/*PPM_SC_FTRUNCATE*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "ftruncate" }, /* truncate a file to a specified length */
 	/*PPM_SC_FCHMOD*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fchmod" },
-	/*PPM_SC_GETPRIORITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getpriority" }, /* get/set program scheduling priority */
+	/*PPM_SC_GETPRIORITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getpriority" }, /* get/set program scheduling priority */
 	/*PPM_SC_SETPRIORITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "setpriority" }, /* get/set program scheduling priority */
 	/*PPM_SC_STATFS*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "statfs" }, /* returns information about a mounted file system */
 	/*PPM_SC_FSTATFS*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fstatfs" }, /* returns information about a mounted file system */
 	/*PPM_SC_SYSLOG*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "syslog" }, /* read and/or clear kernel message ring buffer; set console_loglevel */
 	/*PPM_SC_SETITIMER*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "setitimer" },
 	/*PPM_SC_GETITIMER*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "getitimer" },
-	/*PPM_SC_UNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "uname" }, /* get name and information about current kernel */
+	/*PPM_SC_UNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_DROP_FALCO), "uname" }, /* get name and information about current kernel */
 	/*PPM_SC_VHANGUP*/ { EC_OTHER , (enum ppm_event_flags)(EF_NONE), "vhangup" }, /* simulates a hangup on the current terminal. This call arranges for other users to have a "clean" terminal at login time. */
 	/*PPM_SC_WAIT4*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "wait4" }, /* OBSOLETE */
 	/*PPM_SC_SWAPOFF*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "swapoff" }, /* start/stop swapping to file/device */
 	/*PPM_SC_SYSINFO*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "sysinfo" }, /* returns information on overall system statistics */
-	/*PPM_SC_FSYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "fsync" },	/* sync file content */
+	/*PPM_SC_FSYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "fsync" },	/* sync file content */
 	/*PPM_SC_SETDOMAINNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "setdomainname" },
 	/*PPM_SC_ADJTIMEX*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "adjtimex" }, /* tune kernel clock */
-	/*PPM_SC_MPROTECT*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "mprotect" }, /* set protection on a region of memory */
+	/*PPM_SC_MPROTECT*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "mprotect" }, /* set protection on a region of memory */
 	/*PPM_SC_INIT_MODULE*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "init_module" }, /* load a kernel module */
 	/*PPM_SC_DELETE_MODULE*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "delete_module" },
 	/*PPM_SC_QUOTACTL*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "quotactl" },
-	/*PPM_SC_GETPGID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getpgid" },
+	/*PPM_SC_GETPGID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getpgid" },
 	/*PPM_SC_FCHDIR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fchdir" },
 	/*PPM_SC_SYSFS*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "sysfs" }, /* get file system type information */
 	/*PPM_SC_PERSONALITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "personality" }, /* set the process execution domain */
@@ -113,86 +113,86 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_MSYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "msync" }, /* synchronize a file with a memory map */
 	/*PPM_SC_READV*/ { EC_IO_READ, (enum ppm_event_flags)(EF_DROP_FALCO), "readv" },
 	/*PPM_SC_WRITEV*/ { EC_IO_WRITE, (enum ppm_event_flags)(EF_DROP_FALCO), "writev" },
-	/*PPM_SC_GETSID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getsid" }, /* returns the session ID of the calling process */
-	/*PPM_SC_FDATASYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "fdatasync" }, /* synchronize a file's in-core state with storage device */
-	/*PPM_SC_MLOCK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "mlock" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
-	/*PPM_SC_MUNLOCK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "munlock" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
-	/*PPM_SC_MLOCKALL*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "mlockall" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
-	/*PPM_SC_MUNLOCKALL*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "munlockall" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
+	/*PPM_SC_GETSID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getsid" }, /* returns the session ID of the calling process */
+	/*PPM_SC_FDATASYNC*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "fdatasync" }, /* synchronize a file's in-core state with storage device */
+	/*PPM_SC_MLOCK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "mlock" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
+	/*PPM_SC_MUNLOCK*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "munlock" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
+	/*PPM_SC_MLOCKALL*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "mlockall" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
+	/*PPM_SC_MUNLOCKALL*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "munlockall" }, /* mlock() and mlockall() respectively lock part or all of the calling process's virtual address space into RAM */
 	/*PPM_SC_SCHED_SETPARAM*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_setparam" },
-	/*PPM_SC_SCHED_GETPARAM*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_getparam" },
+	/*PPM_SC_SCHED_GETPARAM*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_getparam" },
 	/*PPM_SC_SCHED_SETSCHEDULER*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_setscheduler" },
-	/*PPM_SC_SCHED_GETSCHEDULER*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_getscheduler" },
+	/*PPM_SC_SCHED_GETSCHEDULER*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_getscheduler" },
 	/*PPM_SC_SCHED_YIELD*/ { EC_SLEEP, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_yield" },
-	/*PPM_SC_SCHED_GET_PRIORITY_MAX*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_get_priority_max" },
-	/*PPM_SC_SCHED_GET_PRIORITY_MIN*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_get_priority_min" },
+	/*PPM_SC_SCHED_GET_PRIORITY_MAX*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_get_priority_max" },
+	/*PPM_SC_SCHED_GET_PRIORITY_MIN*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_get_priority_min" },
 	/*PPM_SC_SCHED_RR_GET_INTERVAL*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_rr_get_interval" },
-	/*PPM_SC_NANOSLEEP*/ { EC_SLEEP, (enum ppm_event_flags)(EF_NONE), "nanosleep" },
-	/*PPM_SC_MREMAP*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "mremap" },
+	/*PPM_SC_NANOSLEEP*/ { EC_SLEEP, (enum ppm_event_flags)(EF_DROP_FALCO), "nanosleep" },
+	/*PPM_SC_MREMAP*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "mremap" },
 	/*PPM_SC_POLL*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "poll" },
 	/*PPM_SC_PRCTL*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "prctl" }, /* operations on a process */
-	/*PPM_SC_RT_SIGACTION*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigaction" },
-	/*PPM_SC_RT_SIGPROCMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigprocmask" },
-	/*PPM_SC_RT_SIGPENDING*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigpending" },
-	/*PPM_SC_RT_SIGTIMEDWAIT*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigtimedwait" },
+	/*PPM_SC_RT_SIGACTION*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "rt_sigaction" },
+	/*PPM_SC_RT_SIGPROCMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "rt_sigprocmask" },
+	/*PPM_SC_RT_SIGPENDING*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "rt_sigpending" },
+	/*PPM_SC_RT_SIGTIMEDWAIT*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "rt_sigtimedwait" },
 	/*PPM_SC_RT_SIGQUEUEINFO*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigqueueinfo" },
-	/*PPM_SC_RT_SIGSUSPEND*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "rt_sigsuspend" },
-	/*PPM_SC_GETCWD*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "getcwd" },
-	/*PPM_SC_CAPGET*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "capget" }, /* set/get capabilities of thread(s) */
+	/*PPM_SC_RT_SIGSUSPEND*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "rt_sigsuspend" },
+	/*PPM_SC_GETCWD*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "getcwd" },
+	/*PPM_SC_CAPGET*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "capget" }, /* set/get capabilities of thread(s) */
 	/*PPM_SC_CAPSET*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "capset" }, /* set/get capabilities of thread(s) */
 	/*PPM_SC_SENDFILE*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "sendfile" }, /* transfer data between file descriptors */
-	/*PPM_SC_GETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getrlimit" },
+	/*PPM_SC_GETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getrlimit" },
 	/*PPM_SC_LCHOWN*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "lchown" },
-	/*PPM_SC_GETUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getuid" },
-	/*PPM_SC_GETGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getgid" },
-	/*PPM_SC_GETEUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "geteuid" },
-	/*PPM_SC_GETEGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getegid" },
+	/*PPM_SC_GETUID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getuid" },
+	/*PPM_SC_GETGID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getgid" },
+	/*PPM_SC_GETEUID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "geteuid" },
+	/*PPM_SC_GETEGID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getegid" },
 	/*PPM_SC_SETREUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setreuid" },
 	/*PPM_SC_SETREGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setregid" },
-	/*PPM_SC_GETGROUPS*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getgroups" }, /* returns the supplementary group IDs of the calling process */
+	/*PPM_SC_GETGROUPS*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getgroups" }, /* returns the supplementary group IDs of the calling process */
 	/*PPM_SC_SETGROUPS*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setgroups" }, /* returns the supplementary group IDs of the calling process */
 	/*PPM_SC_FCHOWN*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fchown" },
 	/*PPM_SC_SETRESUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setresuid" },
-	/*PPM_SC_GETRESUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getresuid" },
+	/*PPM_SC_GETRESUID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getresuid" },
 	/*PPM_SC_SETRESGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setresgid" },
-	/*PPM_SC_GETRESGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "getresgid" },
+	/*PPM_SC_GETRESGID*/ { EC_USER, (enum ppm_event_flags)(EF_DROP_FALCO), "getresgid" },
 	/*PPM_SC_CHOWN*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "chown" },
 	/*PPM_SC_SETUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setuid" },
 	/*PPM_SC_SETGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setgid" },
 	/*PPM_SC_SETFSUID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setfsuid" },
 	/*PPM_SC_SETFSGID*/ { EC_USER, (enum ppm_event_flags)(EF_NONE), "setfsgid" },
 	/*PPM_SC_PIVOT_ROOT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "pivot_root" },
-	/*PPM_SC_MINCORE*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "mincore" }, /* determine whether pages are resident in memory */
-	/*PPM_SC_MADVISE*/ { EC_MEMORY, (enum ppm_event_flags)(EF_NONE), "madvise" }, /* give advice about use of memory */
-	/*PPM_SC_GETTID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "gettid" },	/* returns the caller's thread ID (TID) */
+	/*PPM_SC_MINCORE*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "mincore" }, /* determine whether pages are resident in memory */
+	/*PPM_SC_MADVISE*/ { EC_MEMORY, (enum ppm_event_flags)(EF_DROP_FALCO), "madvise" }, /* give advice about use of memory */
+	/*PPM_SC_GETTID*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "gettid" },	/* returns the caller's thread ID (TID) */
 	/*PPM_SC_SETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "setxattr" }, /* set inode attribute */
 	/*PPM_SC_LSETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "lsetxattr" },
 	/*PPM_SC_FSETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fsetxattr" },
-	/*PPM_SC_GETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "getxattr" },
-	/*PPM_SC_LGETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "lgetxattr" },
-	/*PPM_SC_FGETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fgetxattr" },
-	/*PPM_SC_LISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "listxattr" },
-	/*PPM_SC_LLISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "llistxattr" },
-	/*PPM_SC_FLISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "flistxattr" },
+	/*PPM_SC_GETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "getxattr" },
+	/*PPM_SC_LGETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "lgetxattr" },
+	/*PPM_SC_FGETXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fgetxattr" },
+	/*PPM_SC_LISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "listxattr" },
+	/*PPM_SC_LLISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "llistxattr" },
+	/*PPM_SC_FLISTXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "flistxattr" },
 	/*PPM_SC_REMOVEXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "removexattr" },
 	/*PPM_SC_LREMOVEXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "lremovexattr" },
 	/*PPM_SC_FREMOVEXATTR*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "fremovexattr" },
 	/*PPM_SC_TKILL*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "tkill" }, /* send a signal to a thread */
 	/*PPM_SC_FUTEX*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "futex" },
 	/*PPM_SC_SCHED_SETAFFINITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_setaffinity" },
-	/*PPM_SC_SCHED_GETAFFINITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "sched_getaffinity" },
+	/*PPM_SC_SCHED_GETAFFINITY*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "sched_getaffinity" },
 	/*PPM_SC_SET_THREAD_AREA*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "set_thread_area" },
-	/*PPM_SC_GET_THREAD_AREA*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "get_thread_area" },
-	/*PPM_SC_IO_SETUP*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "io_setup" }, /* create an asynchronous I/O context (for libaio) */
-	/*PPM_SC_IO_DESTROY*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "io_destroy" },
-	/*PPM_SC_IO_GETEVENTS*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "io_getevents" },
-	/*PPM_SC_IO_SUBMIT*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "io_submit" },
-	/*PPM_SC_IO_CANCEL*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "io_cancel" },
-	/*PPM_SC_EXIT_GROUP*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "exit_group" },
+	/*PPM_SC_GET_THREAD_AREA*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "get_thread_area" },
+	/*PPM_SC_IO_SETUP*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "io_setup" }, /* create an asynchronous I/O context (for libaio) */
+	/*PPM_SC_IO_DESTROY*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "io_destroy" },
+	/*PPM_SC_IO_GETEVENTS*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "io_getevents" },
+	/*PPM_SC_IO_SUBMIT*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "io_submit" },
+	/*PPM_SC_IO_CANCEL*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "io_cancel" },
+	/*PPM_SC_EXIT_GROUP*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "exit_group" },
 	/*PPM_SC_EPOLL_CREATE*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "epoll_create" },
 	/*PPM_SC_EPOLL_CTL*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "epoll_ctl" },
 	/*PPM_SC_EPOLL_WAIT*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "epoll_wait" },
-	/*PPM_SC_REMAP_FILE_PAGES*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "remap_file_pages" }, /* create a nonlinear file mapping */
+	/*PPM_SC_REMAP_FILE_PAGES*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "remap_file_pages" }, /* create a nonlinear file mapping */
 	/*PPM_SC_SET_TID_ADDRESS*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "set_tid_address" }, /* set pointer to thread ID */
 	/*PPM_SC_TIMER_CREATE*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "timer_create" },
 	/*PPM_SC_TIMER_SETTIME*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "timer_settime" },
@@ -207,12 +207,12 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_UTIMES*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "utimes" }, /* change file last access and modification times */
 	/*PPM_SC_MQ_OPEN*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_open" }, /* Message queues. See http://linux.die.net/man/7/mq_overview. */
 	/*PPM_SC_MQ_UNLINK*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_unlink" },
-	/*PPM_SC_MQ_TIMEDSEND*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_timedsend" },
-	/*PPM_SC_MQ_TIMEDRECEIVE*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_timedreceive" },
-	/*PPM_SC_MQ_NOTIFY*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_notify" },
-	/*PPM_SC_MQ_GETSETATTR*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "mq_getsetattr" },
+	/*PPM_SC_MQ_TIMEDSEND*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "mq_timedsend" },
+	/*PPM_SC_MQ_TIMEDRECEIVE*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "mq_timedreceive" },
+	/*PPM_SC_MQ_NOTIFY*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "mq_notify" },
+	/*PPM_SC_MQ_GETSETATTR*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "mq_getsetattr" },
 	/*PPM_SC_KEXEC_LOAD*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "kexec_load" }, /* load a new kernel for later execution */
-	/*PPM_SC_WAITID*/ { EC_WAIT, (enum ppm_event_flags)(EF_NONE), "waitid" },
+	/*PPM_SC_WAITID*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "waitid" },
 	/*PPM_SC_ADD_KEY*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "add_key" }, /* add a key to the kernel's key management facility */
 	/*PPM_SC_REQUEST_KEY*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "request_key" },
 	/*PPM_SC_KEYCTL*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "keyctl" },
@@ -237,20 +237,20 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_PPOLL*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "ppoll" },
 	/*PPM_SC_UNSHARE*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "unshare" }, /* disassociate parts of the process execution context */
 	/*PPM_SC_SET_ROBUST_LIST*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "set_robust_list" }, /* get/set list of robust futexes */
-	/*PPM_SC_GET_ROBUST_LIST*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "get_robust_list" }, /* get/set list of robust futexes */
+	/*PPM_SC_GET_ROBUST_LIST*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "get_robust_list" }, /* get/set list of robust futexes */
 	/*PPM_SC_SPLICE*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "splice" }, /* transfers up to len bytes of data from the file descriptor fd_in to the file descriptor fd_out, where one of the descriptors must refer to a pipe. */
 	/*PPM_SC_TEE*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "tee" }, /* tee() duplicates up to len bytes of data from the pipe referred to by the file descriptor fd_in to the pipe referred to by the file descriptor fd_out. It does not consume the data that is duplicated from fd_in. */
-	/*PPM_SC_VMSPLICE*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "vmsplice" }, /* splice user pages into a pipe */
-	/*PPM_SC_GETCPU*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "getcpu" }, /* determine CPU and NUMA node on which the calling thread is running */
+	/*PPM_SC_VMSPLICE*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "vmsplice" }, /* splice user pages into a pipe */
+	/*PPM_SC_GETCPU*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "getcpu" }, /* determine CPU and NUMA node on which the calling thread is running */
 	/*PPM_SC_EPOLL_PWAIT*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "epoll_pwait" },
 	/*PPM_SC_UTIMENSAT*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "utimensat" }, /* change file timestamps with nanosecond precision */
-	/*PPM_SC_SIGNALFD*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "signalfd" }, /* create a pollable file descriptor for accepting signals */
+	/*PPM_SC_SIGNALFD*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "signalfd" }, /* create a pollable file descriptor for accepting signals */
 	/*PPM_SC_TIMERFD_CREATE*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "timerfd_create" }, /* // create and operate on a timer that delivers timer expiration notifications via a file descriptor */
 	/*PPM_SC_EVENTFD*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "eventfd" }, /* create a file descriptor for event notification */
 	/*PPM_SC_TIMERFD_SETTIME*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "timerfd_settime" }, /* create and operate on a timer that delivers timer expiration notifications via a file descriptor */
 	/*PPM_SC_TIMERFD_GETTIME*/ { EC_TIME, (enum ppm_event_flags)(EF_DROP_FALCO), "timerfd_gettime" }, /* create and operate on a timer that delivers timer expiration notifications via a file descriptor */
-	/*PPM_SC_SIGNALFD4*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "signalfd4" }, /* create a pollable file descriptor for accepting signals */
-	/*PPM_SC_EVENTFD2*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "eventfd2" }, /* create a file descriptor for event notification */
+	/*PPM_SC_SIGNALFD4*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "signalfd4" }, /* create a pollable file descriptor for accepting signals */
+	/*PPM_SC_EVENTFD2*/ { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "eventfd2" }, /* create a file descriptor for event notification */
 	/*PPM_SC_EPOLL_CREATE1*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "epoll_create1" }, /* variant of epoll_create */
 	/*PPM_SC_DUP3*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "dup3" },
 	/*PPM_SC_PIPE2*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "pipe2" },
@@ -273,28 +273,28 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_CONNECT*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "connect" },
 	/*PPM_SC_LISTEN*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "listen" },
 	/*PPM_SC_ACCEPT*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "accept" },
-	/*PPM_SC_GETSOCKNAME*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "getsockname" },
-	/*PPM_SC_GETPEERNAME*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "getpeername" },
+	/*PPM_SC_GETSOCKNAME*/ { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "getsockname" },
+	/*PPM_SC_GETPEERNAME*/ { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "getpeername" },
 	/*PPM_SC_SOCKETPAIR*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "socketpair" },
-	/*PPM_SC_SENDTO*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "sendto" },
-	/*PPM_SC_RECVFROM*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "recvfrom" },
+	/*PPM_SC_SENDTO*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "sendto" },
+	/*PPM_SC_RECVFROM*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "recvfrom" },
 	/*PPM_SC_SHUTDOWN*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "shutdown" },
 	/*PPM_SC_SETSOCKOPT*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "setsockopt" },
-	/*PPM_SC_GETSOCKOPT*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "getsockopt" },
-	/*PPM_SC_SENDMSG*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "sendmsg" },
+	/*PPM_SC_GETSOCKOPT*/ { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "getsockopt" },
+	/*PPM_SC_SENDMSG*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "sendmsg" },
 	/*PPM_SC_SENDMMSG*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "sendmmsg" },
-	/*PPM_SC_RECVMSG*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "recvmsg" },
+	/*PPM_SC_RECVMSG*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "recvmsg" },
 	/*PPM_SC_RECVMMSG*/  { EC_NET, (enum ppm_event_flags)(EF_DROP_FALCO), "recvmmsg" },
 	/*PPM_SC_ACCEPT4*/  { EC_NET, (enum ppm_event_flags)(EF_NONE), "accept4" },
 	/*
 	 * Non-multiplexed IPC family
 	 */
-	/*PPM_SC_SEMOP*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "semop" },
-	/*PPM_SC_SEMGET*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "semget" },
-	/*PPM_SC_SEMCTL*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "semctl" },
-	/*PPM_SC_MSGSND*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "msgsnd" },
-	/*PPM_SC_MSGRCV*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "msgrcv" },
-	/*PPM_SC_MSGGET*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "msgget" },
+	/*PPM_SC_SEMOP*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "semop" },
+	/*PPM_SC_SEMGET*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "semget" },
+	/*PPM_SC_SEMCTL*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "semctl" },
+	/*PPM_SC_MSGSND*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "msgsnd" },
+	/*PPM_SC_MSGRCV*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "msgrcv" },
+	/*PPM_SC_MSGGET*/  { EC_IPC, (enum ppm_event_flags)(EF_DROP_FALCO), "msgget" },
 	/*PPM_SC_MSGCTL*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "msgctl" },
 	/*PPM_SC_SHMDT*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "shmdt" },
 	/*PPM_SC_SHMGET*/  { EC_IPC, (enum ppm_event_flags)(EF_NONE), "shmget" },
@@ -303,9 +303,9 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_FSTATFS64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fstatfs64" },
 	/*PPM_SC_FSTATAT64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fstatat64" },
 	/*PPM_SC_SENDFILE64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "sendfile64" },
-	/*PPM_SC_UGETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "ugetrlimit" },
+	/*PPM_SC_UGETRLIMIT*/ { EC_PROCESS, (enum ppm_event_flags)(EF_DROP_FALCO), "ugetrlimit" },
 	/*PPM_SC_BDFLUSH*/ { EC_OTHER, (enum ppm_event_flags)(EF_NONE), "bdflush" },	/* deprecated */
-	/*PPM_SC_SIGPROCMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "sigprocmask" }, /* examine and change blocked signals */
+	/*PPM_SC_SIGPROCMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "sigprocmask" }, /* examine and change blocked signals */
 	/*PPM_SC_IPC*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "ipc" },
 	/*PPM_SC_SOCKETCALL*/ { EC_NET, (enum ppm_event_flags)(EF_NONE), "socketcall" },
 	/*PPM_SC_STAT64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "stat64" },
@@ -313,37 +313,37 @@ const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX] = {
 	/*PPM_SC_FSTAT64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fstat64" },
 	/*PPM_SC_FCNTL64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "fcntl64" },
 	/*PPM_SC_MMAP2*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "mmap2" },
-	/*PPM_SC__NEWSELECT*/ { EC_WAIT, (enum ppm_event_flags)(EF_NONE), "newselect" },
-	/*PPM_SC_SGETMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "sgetmask" }, /* manipulation of signal mask (obsolete) */
+	/*PPM_SC__NEWSELECT*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "newselect" },
+	/*PPM_SC_SGETMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "sgetmask" }, /* manipulation of signal mask (obsolete) */
 	/*PPM_SC_SSETMASK*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "ssetmask" }, /* manipulation of signal mask (obsolete) */
-	/*PPM_SC_SIGPENDING*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "sigpending" }, /* examine pending signals */
-	/*PPM_SC_OLDUNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "olduname" },
+	/*PPM_SC_SIGPENDING*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "sigpending" }, /* examine pending signals */
+	/*PPM_SC_OLDUNAME*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_DROP_FALCO), "olduname" },
 	/*PPM_SC_UMOUNT*/ { EC_FILE, (enum ppm_event_flags)(EF_NONE), "umount" },
 	/*PPM_SC_SIGNAL*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "signal" },
 	/*PPM_SC_NICE*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "nice" }, /* change process priority */
 	/*PPM_SC_STIME*/ { EC_TIME, (enum ppm_event_flags)(EF_NONE), "stime" },
 	/*PPM_SC__LLSEEK*/	{ EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "llseek" },
-	/*PPM_SC_WAITPID*/ { EC_WAIT, (enum ppm_event_flags)(EF_NONE), "waitpid" },
+	/*PPM_SC_WAITPID*/ { EC_WAIT, (enum ppm_event_flags)(EF_DROP_FALCO), "waitpid" },
 	/*PPM_SC_PREAD64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "pread64" },
 	/*PPM_SC_PWRITE64*/ { EC_FILE, (enum ppm_event_flags)(EF_DROP_FALCO), "pwrite64" },
 	/*PPM_SC_ARCH_PRCTL*/ { EC_PROCESS, (enum ppm_event_flags)(EF_NONE), "arch_prctl" },
 	/*PPM_SC_SHMAT*/ { EC_IPC, (enum ppm_event_flags)(EF_NONE), "shmat" },
-	/*PPM_SC_SIGRETURN*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_NONE), "sigreturn" }, /* return from signal handler and cleanup stack frame */
+	/*PPM_SC_SIGRETURN*/ { EC_SIGNAL, (enum ppm_event_flags)(EF_DROP_FALCO), "sigreturn" }, /* return from signal handler and cleanup stack frame */
 	/*PPM_SC_FALLOCATE*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "fallocate" }, /* manipulate file space */
-	/*PPM_SC_NEWFSSTAT*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "newfstatat" },
+	/*PPM_SC_NEWFSSTAT*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "newfstatat" },
 	/*PPM_SC_PROCESS_VM_READV*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "process_vm_readv" },
 	/*PPM_SC_PROCESS_VM_WRITEV*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "process_vm_writev" },
 	/*PPM_SC_FORK*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "fork" },
 	/*PPM_SC_VFORK*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "vfork" },
 	/*PPM_SC_SETUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "setuid" },
-	/*PPM_SC_GETUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "getuid" },
+	/*PPM_SC_GETUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "getuid" },
 	/*PPM_SC_SETGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "setgid" },
-	/*PPM_SC_GETEUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "geteuid" },
-	/*PPM_SC_GETGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "getgid" },
+	/*PPM_SC_GETEUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "geteuid" },
+	/*PPM_SC_GETGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "getgid" },
 	/*PPM_SC_SETRESUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "setresuid" },
-	/*PPM_SC_SETRESGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "setresgid" },
-	/*PPM_SC_GETRESUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "getresuid" },
-	/*PPM_SC_GETRESGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_NONE), "getresgid" },
+	/*PPM_SC_SETRESGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "setresgid" },
+	/*PPM_SC_GETRESUID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "getresuid" },
+	/*PPM_SC_GETRESGID32*/ { EC_IO_OTHER, (enum ppm_event_flags)(EF_DROP_FALCO), "getresgid" },
 	/*PPM_SC_FINIT_MODULE*/ { EC_SYSTEM, (enum ppm_event_flags)(EF_NONE), "finit_module" }, /* load a kernel module */
 	/*PPM_SC_BPF*/ { EC_OTHER, (enum ppm_event_flags)(EF_NONE), "bpf" },
 	/*PPM_SC_SECCOMP*/ { EC_OTHER, (enum ppm_event_flags)(EF_NONE), "seccomp" }
diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp
index 0e245aa055..8bb6300f5d 100644
--- a/userspace/libsinsp/event.cpp
+++ b/userspace/libsinsp/event.cpp
@@ -2474,3 +2474,19 @@ scap_dump_flags sinsp_evt::get_dump_flags(OUT bool* should_drop)
 	return (scap_dump_flags)dflags;
 }
 #endif
+
+bool sinsp_evt::falco_consider()
+{
+	uint16_t etype = get_type();
+
+	if(etype == PPME_GENERIC_E || etype == PPME_GENERIC_X)
+	{
+		sinsp_evt_param *parinfo = get_param(0);
+		ASSERT(parinfo->m_len == sizeof(uint16_t));
+		uint16_t scid = *(uint16_t *)parinfo->m_val;
+
+		return sinsp::falco_consider_syscallid(scid);
+	}
+
+	return sinsp::falco_consider_evtnum(etype);
+}
diff --git a/userspace/libsinsp/event.h b/userspace/libsinsp/event.h
index 51085f4bf6..46bdb76325 100644
--- a/userspace/libsinsp/event.h
+++ b/userspace/libsinsp/event.h
@@ -325,6 +325,14 @@ class SINSP_PUBLIC sinsp_evt
 	scap_dump_flags get_dump_flags(OUT bool* should_drop);
 #endif
 
+	/*!
+	  \brief Return whether or not falco should consider this
+	  event. (Generally, these events are automatically filtered
+	  out, but some events related to internal tracking are returned by next() anyway).
+	*/
+
+	bool falco_consider();
+
 // Doxygen doesn't understand VISIBILITY_PRIVATE
 #ifdef _DOXYGEN
 private:
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
index 7f951b91e8..253798ba6b 100644
--- a/userspace/libsinsp/sinsp.cpp
+++ b/userspace/libsinsp/sinsp.cpp
@@ -45,7 +45,6 @@ along with sysdig.  If not, see <http://www.gnu.org/licenses/>.
 #include "analyzer.h"
 #endif
 
-extern sinsp_evttables g_infotables;
 #ifdef HAS_CHISELS
 extern vector<chiseldir_info>* g_chisel_dirs;
 #endif
diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
index c067f51280..05c5869609 100644
--- a/userspace/libsinsp/sinsp.h
+++ b/userspace/libsinsp/sinsp.h
@@ -829,8 +829,27 @@ class SINSP_PUBLIC sinsp
 		return scap_get_wmi_handle(m_h);
 	}
 #endif
+
+	static inline bool falco_consider_evtnum(uint16_t etype)
+	{
+		enum ppm_event_flags flags = g_infotables.m_event_info[etype].flags;
+
+		return ! (flags & sinsp::falco_skip_flags());
+	}
+
+	static inline bool falco_consider_syscallid(uint16_t scid)
+	{
+		enum ppm_event_flags flags = g_infotables.m_syscall_info_table[scid].flags;
+
+		return ! (flags & sinsp::falco_skip_flags());
+	}
+
 VISIBILITY_PRIVATE
 
+        static inline ppm_event_flags falco_skip_flags()
+        {
+		return (ppm_event_flags) (EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO);
+        }
 // Doxygen doesn't understand VISIBILITY_PRIVATE
 #ifdef _DOXYGEN
 private:
diff --git a/userspace/libsinsp/utils.h b/userspace/libsinsp/utils.h
index 6c19e51381..313c27ee56 100644
--- a/userspace/libsinsp/utils.h
+++ b/userspace/libsinsp/utils.h
@@ -37,6 +37,8 @@ typedef struct ipv4serverinfo ipv4serverinfo;
 typedef struct ipv6serverinfo ipv6serverinfo;
 class filter_check_info;
 
+extern sinsp_evttables g_infotables;
+
 ///////////////////////////////////////////////////////////////////////////////
 // Initializer class.
 // An instance of this class is created when the library is loaded.