Install on a host (tarball)
Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the host, a driver needs to be installed.
For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.
There are two main methods to install Falco on your host using the released Falco packages:
- RPM or DEB package (includes Systemd setup): For instructions, refer to the Install on a host (DEB, RPM) page.
- Tarball archive: This method is detailed on this page.
Install
In these steps, we are targeting a Debian-like system on x86_64
architecture. You can easily extrapolate similar steps for other distros or architectures.
Download the latest binary:
curl -L -O https://download.falco.org/packages/bin/x86_64/falco-0.38.2-x86_64.tar.gz
Install Falco:
tar -xvf falco-0.38.2-x86_64.tar.gz cp -R falco-0.38.2-x86_64/* /
Install some required dependencies that are needed to build the kernel module and the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins, you can skip this step.
apt update -y apt install -y dkms make linux-headers-$(uname -r) # If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain apt install -y clang llvm
Use the
falcoctl driver
tool to configure Falco and install the kernel module or the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins, you can skip this step.
To install the driver, write and execute permissions on the /tmp
directory are required, since falcoctl
will try to create and execute a script from there.
# If you want to use the kernel module, configure Falco for it
falcoctl driver config --type kmod
# If you want to use the eBPF probe, configure Falco for it
falcoctl driver config --type ebpf
# Install the chosen driver
falcoctl driver install
By default, the falcoctl driver install
command tries to download a prebuilt driver from the official Falco download s3 bucket. If a driver is found, it is inserted into ${HOME}/.falco/
. Otherwise, the script tries to compile the driver locally; for this reason, you need the dependencies in step [3].
You can use the environment variable FALCOCTL_DRIVER_REPOS
to override the default repository URL for prebuilt drivers. The URL must not have a trailing slash, i.e., https://myhost.mydomain.com
or, if the server has a subdirectory structure, https://myhost.mydomain.com/drivers
. The drivers must be hosted with the following structure:
/${driver_version}/${arch}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]
where ko
and o
stand for Kernel module and eBPF
probe, respectively. This is an example:
/7.0.0+driver/x86_64/falco_amazonlinux2022_5.10.75-82.359.amzn2022.x86_64_1.ko
If you wish to print some debug info, you can use:
# If you want to use the kernel module, configure Falco for it
falcoctl driver printenv
Manual Systemd setup
The Falco .tar.gz
archive doesn't include the Systemd setup. If you want to enable Falco to start automatically at boot time, you can still download systemd
files from the Falco repo and place them in the /lib/systemd/system
directory. Finally, you can follow the same instructions for enabling Systemd manually under the Install on a host (DEB, RPM) section.
Configuration
The Falco configuration file is located at /etc/falco/falco.yaml
. You can edit it to customize Falco's behavior.
Since Falco 0.38.0, a new config key, config_files
, allows the user to load additional configuration files to override main config entries; it allows users to keep local customization between Falco upgrades. Its default value points to a new folder, /etc/falco/config.d/
, that gets installed by Falco and will be processed to look for local configuration files.
You can also override the default configuration by passing options to the falco
binary. For example, to force the eBPF probe or the kernel module:
# Force eBPF probe
falco -o engine.kind=ebpf
# Force kernel module
falco -o engine.kind=kmod
Hot Reload
By default, with the watch_config_files
configuration option enabled, Falco automatically monitors changes to configuration and rule files. When these files are modified, Falco will automatically reload the updated configuration without requiring a restart.
If this option is disabled, you can manually reload the configuration by sending a SIGHUP
signal to the Falco process. To do this, use the following command:
kill -1 $(pidof falco)
Upgrade
If you are using the Kernel Module driver, please remove it with root privileges before upgrading Falco to avoid issues during the upgrade.
rmmod falco
When utilizing the eBPF probe driver, although not strictly required, you can remove the corresponding previous object files:
rm /root/.falco/*.o
With Modern eBPF, there is no requirement when updating Falco, as the driver is bundled within the Falco binary.
Once the driver is removed, ensure the falco
daemon is not running, then you can follow the same steps as the Install section.
Uninstall
For the Falco binary, we don't provide specific update paths; you just have to remove files installed by the old tar.gz
.
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.