Building Falco
The instructions provided below specify the steps to build Falco version 0.39.0 on Linux on IBM Z for following distributions:
- RHEL (8.8, 8.10, 9.2, 9.4)
- SLES (15 SP5, 15 SP6)
- Ubuntu (20.04, 22.04, 24.04)
Falco supports all three kernel drivers on s390x starting with the 0.34.x releases: the kernel module, the eBPF probe and the modern eBPF probe. Check the driver / kernel version support matrix for details on which driver works with which kernel.
General Notes:
- When following the steps below, use a user with standard (non-root) permissions unless otherwise specified.
- A directory /<source_root>/ will be referred to in these instructions; this is a temporary writable directory anywhere you'd like to place it.
If you want to build Falco using manual steps, go to Step 2. Otherwise, use the following commands to build Falco with the build script. Make sure wget is installed, and review the script before running it, since it runs privileged (sudo) commands on your system.
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.39.0/build_falco.sh
# Run bash build_falco.sh -h to see all available options
bash build_falco.sh
In case of error, check logs for more details or go to Step 2 to follow manual build steps.
export SOURCE_ROOT=/<source_root>/
RHEL (8.8, 8.10)
sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core clang llvm bpftool
RHEL (9.2, 9.4)
sudo yum install --allowerasing -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-IPC-Cmd perl-bignum perl-core perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) go clang llvm bpftool
SLES 15 SP5
SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')
sudo zypper install -y gcc gcc-c++ gcc12-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static go1.21 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang14 llvm14 bpftool
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 50
export CC=$(which gcc)
export CXX=$(which g++)
SLES 15 SP6
SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')
sudo zypper install -y gcc gcc-c++ gcc9 gcc9-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static go1.21 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang17 llvm17 bpftool
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 50
export CC=$(which gcc)
export CXX=$(which g++)
Ubuntu 20.04
sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod
# Install clang 14
cd $SOURCE_ROOT
sudo apt install -y lsb-release wget software-properties-common gnupg
wget https://apt.llvm.org/llvm.sh
sed -i 's,add-apt-repository "${REPO_NAME}",add-apt-repository "${REPO_NAME}" -y,g' llvm.sh
chmod +x llvm.sh
sudo ./llvm.sh 14
rm ./llvm.sh
export CC=clang-14
export CXX=clang++-14
sudo ln -sf /usr/bin/clang-14 /usr/bin/clang
sudo ln -sf /usr/bin/clang++-14 /usr/bin/clang++
Ubuntu 22.04
sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
Ubuntu 24.04
sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-12 g++-12 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100 --slave /usr/bin/g++ g++ /usr/bin/g++-12
export CC=$(which gcc)
export CXX=$(which g++)
Install Go v1.22.4 (Only for RHEL 8.x and Ubuntu)
cd $SOURCE_ROOT
export GO_VERSION="1.22.4"
wget -q https://storage.googleapis.com/golang/go"$GO_VERSION".linux-s390x.tar.gz
chmod ugo+r go"$GO_VERSION".linux-s390x.tar.gz
sudo tar -C /usr/local -xzf go"$GO_VERSION".linux-s390x.tar.gz
sudo ln -sf /usr/local/go/bin/go /usr/bin/
sudo ln -sf /usr/local/go/bin/gofmt /usr/bin/
sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc # (Only on RHEL and SLES)
export GOPATH=$SOURCE_ROOT
export PATH=$GOPATH/bin:$PATH
export CC=$(which gcc)
export CXX=$(which g++)
go version
Before extracting the archive, verify its SHA-256 checksum against the value published for the same file on https://go.dev/dl/.
cd $SOURCE_ROOT
git clone --depth 1 -b 0.39.0 https://github.com/falcosecurity/falco.git
cd falco
curl -sSL https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.39.0/patch/modern_bpf.patch | git apply -
mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
Configure Falco
# Choose one of the two CMAKE_TEST_FLAG settings:
CMAKE_TEST_FLAG="-DBUILD_FALCO_UNIT_TESTS=On" # Only when unit tests are expected to be run after building Falco
CMAKE_TEST_FLAG="" # Only when unit tests are not needed
# Choose the CMAKE_FLAGS line that matches your distribution:
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On ${CMAKE_TEST_FLAG}" # Only for RHEL 8.x and Ubuntu 20.04 (kernel module driver only)
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=ON ${CMAKE_TEST_FLAG}" # Only for RHEL 9.x, SLES 15.x and Ubuntu (22.04, 24.04): also builds the eBPF and modern eBPF probes
cmake $CMAKE_FLAGS ../
Build and Install
cd $SOURCE_ROOT/falco/build
# Fix c-ares download link
sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules/cares.cmake
sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./c-ares-prefix/src/c-ares-stamp/c-ares-urlinfo.txt
sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./c-ares-prefix/src/c-ares-stamp/download-c-ares.cmake
make -j$(nproc)
make package # build deb/rpm packages (optional and only on Ubuntu and RHEL)
sudo make install
Unload any existing Falco kernel module (the command reports an error if no module is loaded, which can be ignored):
sudo rmmod falco
Insert the locally built version
cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko
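As an added pre-flight check, not part of the original page or of Falco itself: before loading the locally built driver/falco.ko, confirm that its vermagic was built for the running kernel, that the kernel is not enforcing module signatures (a locally built module is unsigned, so insmod would be refused), and that no falco module is already loaded. The POSIX shell script below does that; the function names are ours, the vermagic and sig_enforce strings in the tests are constructed, and /sys/module/module/parameters/sig_enforce is assumed to exist only on kernels built with CONFIG_MODULE_SIG.

```shell
#!/bin/sh
# Pre-flight checks before `sudo insmod driver/falco.ko` for a locally built Falco driver.
# Added example; the checks and helper names are ours, not Falco's.

# Return 0 if the module's vermagic was built for the running kernel release.
# $1 = vermagic string as printed by `modinfo -F vermagic`, $2 = output of `uname -r`.
# vermagic is "<release> <flags...>", e.g. "5.14.21-150500.55.68-default SMP mod_unload modversions";
# only the release prefix is compared here (the kernel itself compares the whole string).
vermagic_matches() {
    vm_release=${1%% *}
    [ -n "$vm_release" ] && [ "$vm_release" = "$2" ]
}

# Return 0 if the kernel refuses unsigned modules (CONFIG_MODULE_SIG_FORCE or lockdown).
# $1 = contents of /sys/module/module/parameters/sig_enforce ("Y" or "N"), empty if the file is absent.
module_sig_enforced() {
    [ "$1" = "Y" ]
}

# Run all checks against a module file; prints a verdict and returns non-zero on any problem.
preflight_falco_ko() {
    ko=${1:-driver/falco.ko}
    [ -r "$ko" ] || { echo "no such module: $ko" >&2; return 1; }

    vm=$(modinfo -F vermagic "$ko")
    if ! vermagic_matches "$vm" "$(uname -r)"; then
        echo "vermagic mismatch: module '$vm' vs running kernel '$(uname -r)'" >&2
        return 1
    fi

    sig_enforce=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || true)
    if module_sig_enforced "$sig_enforce"; then
        echo "kernel enforces module signatures; sign $ko or use the eBPF / modern eBPF probe instead" >&2
        return 1
    fi

    if lsmod | awk '$1 == "falco" { found = 1 } END { exit !found }'; then
        echo "a falco module is already loaded; run 'sudo rmmod falco' first" >&2
        return 1
    fi

    echo "ok to insmod $ko (vermagic: $vm)"
}

# Usage: sh falco_ko_preflight.sh driver/falco.ko   (run from $SOURCE_ROOT/falco/build)
if [ "$#" -gt 0 ]; then preflight_falco_ko "$1"; fi
```

If the vermagic check fails, the kernel-devel / linux-headers package installed above does not match the running kernel; reinstall it for the current `uname -r` and rebuild the driver rather than forcing the load.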
3.5. Copy eBPF driver object file to the default location (Only on RHEL 9.x, SLES 15.x and Ubuntu (22.04, 24.04))
sudo mkdir -p /root/.falco
sudo cp -f $SOURCE_ROOT/falco/build/driver/bpf/probe.o /root/.falco/falco-bpf.o
Run the unit tests (only if Falco was configured with -DBUILD_FALCO_UNIT_TESTS=On):
cd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_tests
A separate falco project https://github.com/falcosecurity/event-generator can be used to run further tests.
Run Falco with Kernel module (default driver)
sudo falco
Note: Run sudo falco --help to see the available options. By default, Falco logs events to standard error.
Output similar to the following will be seen. Check the "Opening 'syscall' source with ..." line to confirm which driver Falco actually opened: the output below was captured with the modern BPF probe. The driver is selected by engine.kind in /etc/falco/falco.yaml and can be overridden on the command line with -o engine.kind=kmod (or ebpf, modern_ebpf). Note also that the health webserver listens on 0.0.0.0:8765, i.e. on all interfaces; restrict it in falco.yaml or with a host firewall if the machine is reachable from untrusted networks.
Tue Oct 8 10:19:03 2024: Falco version: 0.39.0 (s390x)
Tue Oct 8 10:19:03 2024: Falco initialized with configuration files:
Tue Oct 8 10:19:03 2024: /etc/falco/falco.yaml | schema validation: ok
Tue Oct 8 10:19:03 2024: System info: Linux version 5.14.21-150500.55.68-default (geeko@buildhost) (gcc (SUSE Linux) 7.5.0, GNU ld (GNU Binutils; SUSE Linux Enterprise 15) 2.41.0.20230908-150100.7.46) #1 SMP Wed Jun 5 21:39:05 UTC 2024 (40e256a)
Tue Oct 8 10:19:03 2024: Loading rules from:
Tue Oct 8 10:19:03 2024: /etc/falco/falco_rules.yaml | schema validation: ok
Tue Oct 8 10:19:03 2024: /etc/falco/falco_rules.local.yaml | schema validation: none
Tue Oct 8 10:19:03 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Oct 8 10:19:03 2024: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Tue Oct 8 10:19:03 2024: Loaded event sources: syscall
Tue Oct 8 10:19:03 2024: Enabled event sources: syscall
Tue Oct 8 10:19:03 2024: Opening 'syscall' source with modern BPF probe.
Tue Oct 8 10:19:03 2024: One ring buffer every '2' CPUs.
Run Falco with eBPF probe driver (Only on RHEL 9.x, SLES 15.x and Ubuntu (22.04, 24.04))
sudo FALCO_BPF_PROBE="" falco
Output similar to the following will be seen. This capture also reports the modern BPF probe on the "Opening 'syscall' source" line; if Falco does not open the eBPF probe copied to /root/.falco/falco-bpf.o in step 3.5, set engine.kind to ebpf in /etc/falco/falco.yaml or pass -o engine.kind=ebpf.
Tue Oct 8 10:20:37 2024: Falco version: 0.39.0 (s390x)
Tue Oct 8 10:20:37 2024: Falco initialized with configuration files:
Tue Oct 8 10:20:37 2024: /etc/falco/falco.yaml | schema validation: ok
Tue Oct 8 10:20:37 2024: System info: Linux version 5.14.21-150500.55.68-default (geeko@buildhost) (gcc (SUSE Linux) 7.5.0, GNU ld (GNU Binutils; SUSE Linux Enterprise 15) 2.41.0.20230908-150100.7.46) #1 SMP Wed Jun 5 21:39:05 UTC 2024 (40e256a)
Tue Oct 8 10:20:37 2024: Loading rules from:
Tue Oct 8 10:20:37 2024: /etc/falco/falco_rules.yaml | schema validation: ok
Tue Oct 8 10:20:37 2024: /etc/falco/falco_rules.local.yaml | schema validation: none
Tue Oct 8 10:20:37 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Oct 8 10:20:37 2024: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Tue Oct 8 10:20:37 2024: Loaded event sources: syscall
Tue Oct 8 10:20:37 2024: Enabled event sources: syscall
Tue Oct 8 10:20:37 2024: Opening 'syscall' source with modern BPF probe.
Tue Oct 8 10:20:37 2024: One ring buffer every '2' CPUs.
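As an added check, not from this page or from the Falco project: both startup logs above report the modern BPF probe whatever the heading says, so it is safer to parse Falco's startup output than to trust the invocation. The POSIX shell script below extracts the driver Falco actually opened and the address the health webserver bound to, compares the driver with the one you intended, and warns when the webserver is bound to all interfaces. SAMPLE_LOG is constructed after the page's output; the "modern BPF probe" wording comes from the page, while the "Kernel module" and "BPF probe" wordings for the other two drivers are assumed from Falco's messages. The engine.kind names (kmod, ebpf, modern_ebpf) are Falco's configuration values; the webserver.listen_address key mentioned in the warning is assumed to be available in your falco.yaml, so check the installed /etc/falco/falco.yaml.

```shell
#!/bin/sh
# Check which driver Falco really opened and where its health webserver listens.
# Added example; function names are ours. Constructed sample modelled on the page's startup output:
SAMPLE_LOG=$(cat <<'EOF'
Tue Oct  8 10:19:03 2024: Falco version: 0.39.0 (s390x)
Tue Oct  8 10:19:03 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Oct  8 10:19:03 2024: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Tue Oct  8 10:19:03 2024: Loaded event sources: syscall
Tue Oct  8 10:19:03 2024: Opening 'syscall' source with modern BPF probe.
Tue Oct  8 10:19:03 2024: One ring buffer every '2' CPUs.
EOF
)

# stdin: Falco startup output. Prints the engine.kind name matching the
# "Opening 'syscall' source with ..." line (kmod|ebpf|modern_ebpf|unknown), nothing if absent.
# "modern BPF probe" must be tested before "BPF probe" because it contains that substring.
falco_driver_from_log() {
    awk '/Opening .syscall. source with/ {
            if ($0 ~ /modern BPF probe/)   print "modern_ebpf";
            else if ($0 ~ /BPF probe/)     print "ebpf";
            else if ($0 ~ /Kernel module/) print "kmod";
            else                           print "unknown";
            exit
         }'
}

# stdin: Falco startup output. Prints host:port from the "Starting health webserver" line.
falco_webserver_bind_from_log() {
    sed -n 's/.*Starting health webserver.*listening on \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the bind address ($1) exposes the webserver on every interface.
falco_webserver_is_exposed() {
    case "$1" in
        0.0.0.0:*|"[::]:"*|:::*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = expected engine kind, stdin = Falco startup output. Return 1 on mismatch.
falco_check_driver() {
    actual=$(falco_driver_from_log)
    if [ "$actual" = "$1" ]; then
        echo "driver ok: $actual"
        return 0
    fi
    echo "driver mismatch: expected $1, falco opened ${actual:-none}" >&2
    return 1
}

# $1 = expected engine kind (default modern_ebpf), $2 = log file (default: SAMPLE_LOG).
falco_report() {
    expected=${1:-modern_ebpf}
    if [ -n "${2:-}" ]; then input=$(cat "$2"); else input=$SAMPLE_LOG; fi
    printf '%s\n' "$input" | falco_check_driver "$expected" || return 1
    bind=$(printf '%s\n' "$input" | falco_webserver_bind_from_log)
    if falco_webserver_is_exposed "$bind"; then
        echo "warning: health webserver listens on all interfaces ($bind); restrict it with webserver.listen_address in /etc/falco/falco.yaml or a host firewall"
    else
        echo "health webserver bound to ${bind:-(not started)}"
    fi
}

# Usage: sudo falco 2>&1 | tee falco.log ; sh falco_startup_check.sh kmod falco.log
# Falco logs to standard error by default, hence the 2>&1. With no arguments the
# script runs against the constructed SAMPLE_LOG above.
falco_report "$@"
```

Run it with the driver you meant to use as the first argument (kmod after the insmod step, ebpf after step 3.5); a non-zero exit means Falco silently fell back to, or was configured for, a different driver.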
- https://falco.org/docs/ - Official Falco documentation
The information provided in this article is accurate at the time of writing, but on-going development in the open-source projects involved may make the information incorrect or obsolete. Please open issue or contact us on IBM Z Community if you have any questions or feedback.