You are viewing documentation for Falco version: v0.33.1

Falco v0.33.1 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Last modified January 19, 2023
Setting up Falco on a Linux system

Falco is a Linux security tool that consumes system call events, collected by a kernel module or an eBPF probe, to monitor a system at runtime and alert on suspicious behaviour.

Falco can be used for Kubernetes runtime security. The most secure way to run Falco is to install it directly on the host system, so that it stays isolated from Kubernetes if the cluster is compromised. Falco alerts can then be consumed through read-only agents running in Kubernetes.

You can also run Falco directly in Kubernetes as a DaemonSet using Helm; see the third party integrations.

If Falco is installed using the package manager artifacts below, you will have the following in place:

  • The Falco userspace program, scheduled and watched via systemd
  • The Falco driver, installed via the package manager (either a kernel module or an eBPF probe, depending on the host)
  • A sane default configuration file installed in /etc/falco

Alternatively, you can install from the generic binary package, as explained below.

Installing

On January 18th, 2023 the GPG key used to sign Falco packages was rotated. Check out the related blog post, make sure you are using the most up-to-date key available at falco.org/repo/falcosecurity-packages.asc, and read the section below about package signing.

Debian/Ubuntu

  1. Trust the falcosecurity GPG key, configure the apt repository, and update the package list. Before trusting the key, compare its fingerprint with the trusted entry in the Package signing section below. Note that apt-key is deprecated on recent Debian and Ubuntu releases and prints a warning there:

    curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add -
    echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
    apt-get update -y
    
  2. Install kernel headers:

    apt-get -y install linux-headers-$(uname -r)
    
  3. Install Falco:

    apt-get install -y falco
    

    Falco, the kernel module driver, and a default configuration are now installed. Falco is running as a systemd unit.

    See running for information on how to manage, run, and debug with Falco.

  4. Uninstall Falco:

    apt-get remove falco
    

CentOS/RHEL/Fedora/Amazon Linux

  1. Trust the falcosecurity GPG key and configure the yum repository:

    rpm --import https://falco.org/repo/falcosecurity-packages.asc
    curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
    

    Note — DKMS and make are needed to build the kernel module locally. Check whether they are available with yum list make dkms. If they are not, enable EPEL first (yum install epel-release, or amazon-linux-extras install epel on Amazon Linux 2), then run yum install make dkms.

  2. Install kernel headers:

    yum -y install kernel-devel-$(uname -r)
    

    Note — If the package was not found by the above command, you might need to run yum distro-sync in order to fix it. Rebooting the system may be required.

  3. Install Falco:

    yum -y install falco
    

    Falco, the kernel module driver, and a default configuration are now installed. Falco is running as a systemd unit.

    See running for information on how to manage, run, and debug with Falco.

  4. Uninstall Falco:

    yum erase falco
    

openSUSE

  1. Trust the falcosecurity GPG key and configure the zypper repository:

    rpm --import https://falco.org/repo/falcosecurity-packages.asc
    curl -s -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
    
  2. Install kernel headers:

    zypper -n install kernel-default-devel-$(uname -r | sed s/\-default//g)
    

    Note — If the package was not found by the above command, you might need to run zypper -n dist-upgrade in order to fix it. Rebooting the system may be required.

  3. Install Falco:

    zypper -n install falco
    

    Falco, the kernel module driver, and a default configuration are now installed. Falco is running as a systemd unit.

    See running for information on how to manage, run, and debug with Falco.

  4. Uninstall Falco:

    zypper rm falco
    

Linux generic (binary package)

  1. Download the latest binary:

    curl -L -O https://download.falco.org/packages/bin/x86_64/falco-0.33.1-x86_64.tar.gz
    
  2. Install Falco:

    tar -xvf falco-0.33.1-x86_64.tar.gz
    cp -R falco-0.33.1-x86_64/* /
    
  3. Install the following dependencies:

    • kernel headers for your distribution

  4. Install the driver as explained below.

Once the driver has been installed, you can manually run falco.

Installing the driver

The easiest way to install the driver is using the falco-driver-loader script.

By default, it first tries to build the kernel module locally with dkms. If that is not possible, it tries to download a prebuilt one into ~/.falco/. If a kernel module is found by either route, it is inserted.

To install the eBPF probe driver instead, run falco-driver-loader bpf. It likewise first tries to build the eBPF probe locally and otherwise downloads a prebuilt one into ~/.falco/.

If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that

  • your kernel has CONFIG_BPF_JIT enabled, and
  • net.core.bpf_jit_enable is set to 1 (enables the BPF JIT compiler); verify it with sysctl -n net.core.bpf_jit_enable

Configurable options:

  • DRIVERS_REPO - Set this environment variable to override the default repository URL for prebuilt kernel modules and eBPF probes, without the trailing slash.

    For example, https://myhost.mydomain.com, or https://myhost.mydomain.com/drivers if the server uses a subdirectory structure.

    The drivers must be hosted with the following structure: /${driver_version}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o], where ko and o stand for kernel module and eBPF probe respectively.

    For example: /a259b4bf49c3330d9ad6c3eed9eb1a31954259a6/falco_amazonlinux2_4.14.128-112.105.amzn2.x86_64_1.ko.

    The falco-driver-loader script fetches the drivers using the above format, so any mirror must reproduce it exactly.
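As an added example, not part of the Falco documentation or of falco-driver-loader itself, the following POSIX shell functions build the path and URL that a private DRIVERS_REPO mirror must serve for a given host, following the layout documented above. The mirror host, the way the kernelversion component is derived from uname -v, and the target name passed by the operator are assumptions stated in the comments; the page's own Amazon Linux 2 path is used as constructed sample input.

```shell
#!/bin/sh
# Added example, not part of falco-driver-loader: compute where a private
# DRIVERS_REPO mirror must serve a prebuilt driver, following the layout
#   /${driver_version}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]
set -eu

# The kernelversion component is the build number after '#' in `uname -v`,
# e.g. "#1 SMP Thu Jun 6 12:00:00 UTC 2019" -> 1. Assumption: this matches how
# falco-driver-loader derives it; check the script on your host if in doubt.
kernel_version_from_uname_v() {
    printf '%s\n' "$1" | sed 's/^[^#]*#\([0-9][0-9]*\).*/\1/'
}

# Relative path for one driver. $5 is "kmod" (kernel module, .ko) or "bpf"
# (eBPF probe, .o); anything else is rejected so a typo cannot produce a
# path the loader would never request.
driver_path() {
    driver_version="$1"
    target="$2"
    kernelrelease="$3"
    kernelversion="$4"
    kind="$5"
    case "$kind" in
        kmod) ext="ko" ;;
        bpf)  ext="o" ;;
        *) echo "driver_path: unknown driver kind '$kind' (use kmod or bpf)" >&2; return 1 ;;
    esac
    printf '/%s/falco_%s_%s_%s.%s\n' "$driver_version" "$target" "$kernelrelease" "$kernelversion" "$ext"
}

# Full URL: DRIVERS_REPO base without trailing slash, as the docs require.
# A trailing slash supplied by the caller is stripped rather than doubled.
driver_url() {
    repo="${1%/}"
    shift
    printf '%s%s\n' "$repo" "$(driver_path "$@")"
}

# Path for the running host. $1 driver version, $2 target name (the
# distribution name the loader uses, e.g. amazonlinux2; assumed to be supplied
# by the operator), $3 kmod|bpf.
host_driver_path() {
    driver_path "$1" "$2" "$(uname -r)" "$(kernel_version_from_uname_v "$(uname -v)")" "$3"
}

# Check that the mirror actually serves the file (HEAD request; curl -f fails
# on 4xx/5xx), so a missing driver is caught before falco-driver-loader runs.
mirror_has_driver() {
    curl -fsI "$1" > /dev/null
}

# Demo run against the page's Amazon Linux 2 sample path (constructed input;
# the mirror host is a placeholder, not a real repository).
if [ "${1:-}" = "--demo" ]; then
    driver_url "${DRIVERS_REPO:-https://myhost.mydomain.com/drivers}" \
        a259b4bf49c3330d9ad6c3eed9eb1a31954259a6 amazonlinux2 \
        4.14.128-112.105.amzn2.x86_64 1 kmod
fi
```

Run it with --demo to print the URL for the sample, or call host_driver_path with your driver version and target to get the path to pre-populate on the mirror for the current kernel; export DRIVERS_REPO to point the loader at it.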

Package signing

Most Falco packages available at download.falco.org are provided with a detached signature that can be used to verify that the package information downloaded from the remote repository is authentic and has not been tampered with.

The latest trusted public GPG key used for package signing can be downloaded from falco.org/repo/falcosecurity-packages.asc. The following table lists all the keys employed by the organization, currently and in the past, including the revoked ones. We recommend refreshing the revoked keys so that their revocation certificates are imported, and then removing them from your package verification system, since signatures made with them can no longer be trusted.

Fingerprint                                Expiration  Usage                   Status   Download
2005399002D5E8FF59F28CE64021833E14CB7A8D   2026-01-17  Signing Falco Packages  Trusted  falcosecurity-14CB7A8D.asc
15ED05F191E40D74BA47109F9F76B25B3672BA8F   2023-02-24  Signing Falco Packages  Revoked  falcosecurity-3672BA8F.asc
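As an added example, not code from the Falco project, the following POSIX shell script pins the package-signing key to the trusted fingerprint in the table above before it is installed, refuses the revoked key, and then installs the key as a dedicated apt keyring referenced with signed-by, which avoids the deprecated apt-key used in the Debian/Ubuntu steps. It assumes that gpg reports a key carrying its own revocation certificate with validity r in the pub record of --with-colons output, and the keyring path /usr/share/keyrings/falco-archive-keyring.gpg is a chosen name, not one the page specifies. The checking logic is kept separate from the network fetch so it can be exercised on constructed gpg listings.

```shell
#!/bin/sh
# Added example, not Falco project code: pin the Falco package-signing key to
# the fingerprint listed in the Package signing table before trusting it.
set -eu

# Fingerprint of the currently trusted key (table above, expires 2026-01-17).
TRUSTED_FPR="2005399002D5E8FF59F28CE64021833E14CB7A8D"
# Fingerprint of the key revoked in January 2023; refused explicitly even if
# the revocation certificate were missing from the file we fetched.
REVOKED_FPR="15ED05F191E40D74BA47109F9F76B25B3672BA8F"
# Chosen keyring path and sources entry (assumptions, not from the page).
KEYRING="/usr/share/keyrings/falco-archive-keyring.gpg"
SOURCES="/etc/apt/sources.list.d/falcosecurity.list"
KEY_URL="https://falco.org/repo/falcosecurity-packages.asc"

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint. Records look like "fpr:::::::::<FPR>:"; the first fpr record
# follows the pub record, later ones belong to subkeys.
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 if the pub record carries validity "r". Assumption: gpg reports a
# key that ships its own revocation certificate this way in colon output.
key_is_revoked() {
    awk -F: '$1 == "pub" && $2 == "r" { r = 1 } END { exit !r }'
}

# Decide whether the key listing in file $1 may be trusted.
# Returns 0 only for the pinned, unrevoked key; 2 for revoked keys; 1 otherwise.
check_key_listing() {
    listing="$1"
    fpr=$(primary_fingerprint < "$listing")
    if key_is_revoked < "$listing"; then
        echo "REJECT: key $fpr carries a revocation certificate" >&2
        return 2
    fi
    case "$fpr" in
        "$TRUSTED_FPR") echo "OK: key $fpr matches the pinned fingerprint"; return 0 ;;
        "$REVOKED_FPR") echo "REJECT: key $fpr is the revoked 2023 key" >&2; return 2 ;;
        *)              echo "REJECT: unexpected fingerprint '$fpr'" >&2; return 1 ;;
    esac
}

# Network path: download the key, list it without importing, check it, and
# only then install it as a dedicated keyring referenced via signed-by.
fetch_and_pin_falco_key() {
    tmp=$(mktemp -d)
    curl -fsSL "$KEY_URL" -o "$tmp/key.asc"
    gpg --with-colons --with-fingerprint --show-keys "$tmp/key.asc" > "$tmp/listing"
    check_key_listing "$tmp/listing"   # set -e aborts the script on rejection
    gpg --dearmor < "$tmp/key.asc" > "$KEYRING"
    echo "deb [signed-by=$KEYRING] https://download.falco.org/packages/deb stable main" > "$SOURCES"
    rm -rf "$tmp"
    apt-get update -y
}

# Run the network path only when invoked with --install, so the functions can
# be sourced or tested without touching the system.
if [ "${1:-}" = "--install" ]; then
    fetch_and_pin_falco_key
fi
```

When the key is rotated again, updating TRUSTED_FPR is a deliberate change in your own tooling rather than an implicit acceptance of whatever the URL serves; keep the old fingerprint in REVOKED_FPR so a rollback to the compromised key is refused.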
