Building Falco - linux-on-ibm-z/docs GitHub Wiki

Building Falco

The instructions provided below specify the steps to build Falco version 0.38.1 on Linux on IBM Z for the following distributions:

  • RHEL (8.8, 8.9, 8.10, 9.2, 9.3, 9.4)
  • SLES (12 SP5, 15 SP5)
  • Ubuntu (20.04, 22.04, 24.04)

Falco supports all three kernel drivers on s390x starting with the 0.34.x releases: kernel module, eBPF probe and modern eBPF probe. Please check the driver/kernel version support matrix for detailed information.

General Notes:

  • When following the steps below, please use a standard-permission user unless otherwise specified.
  • A directory /<source_root>/ will be referred to in these instructions; this is a temporary writable directory that you can place anywhere you like.

Step 1: Build using script

If you want to build Falco using manual steps, go to step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.38.1/build_falco.sh

# Run bash build_falco.sh -h to see all available options
bash build_falco.sh

In case of an error, check the logs for more details, or go to Step 2 to follow the manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

  • RHEL (8.8, 8.9, 8.10)

    sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core clang llvm bpftool
    
  • RHEL (9.2, 9.3, 9.4)

    sudo yum install --allowerasing -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-IPC-Cmd perl-bignum perl-core perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) go clang llvm bpftool
    
  • SLES 12 SP5

    SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
    SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')
    
    sudo zypper install -y --force-resolution gcc gcc9 gcc9-c++ git-core patch which automake autoconf libtool libopenssl-devel libcurl-devel libelf-devel "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" tar curl make python3 python36 zlib
    
    sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 50
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
    sudo update-alternatives --skip-auto --config gcc
    sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 50
    export CC=$(which gcc)
    export CXX=$(which g++)
    
  • SLES 15 SP5

    SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
    SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')
    
    sudo zypper install -y gcc gcc-c++ gcc12-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static go1.21 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang14 llvm14 bpftool
    
    sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 50
    export CC=$(which gcc)
    export CXX=$(which g++)
    
  • Ubuntu 20.04

    sudo apt-get update
    sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod
    
    #Install clang 14
    cd $SOURCE_ROOT
    sudo apt install -y lsb-release wget software-properties-common gnupg
    wget https://apt.llvm.org/llvm.sh
    sed -i 's,add-apt-repository "${REPO_NAME}",add-apt-repository "${REPO_NAME}" -y,g' llvm.sh
    chmod +x llvm.sh
    sudo ./llvm.sh 14
    rm ./llvm.sh
    
    export CC=clang-14
    export CXX=clang++-14
    sudo ln -sf /usr/bin/clang-14 /usr/bin/clang
    sudo ln -sf /usr/bin/clang++-14 /usr/bin/clang++
    
  • Ubuntu 22.04

    For Ubuntu 22.04, if the current kernel version is 5.15.0-71-generic, please upgrade it to a higher version such as 5.15.0-73-generic first, since the linux-tools-5.15.0-71-generic package doesn't exist in the repository.

    sudo apt-get update
    sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
    
  • Ubuntu 24.04

    sudo apt-get update
    sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-12 g++-12 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
    
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100 --slave /usr/bin/g++ g++ /usr/bin/g++-12
    export CC=$(which gcc)
    export CXX=$(which g++)
    
  • Install Go v1.18.8 (Only for RHEL 8.x, SLES 12 SP5 and Ubuntu)

    cd $SOURCE_ROOT
    wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Go/1.18.4/build_go.sh
    sed -i 's:"ubuntu-23.04":"ubuntu-23.04" | "ubuntu-24.04":g' build_go.sh #(Only for Ubuntu 24.04)
    bash build_go.sh -y -v 1.18.8
    export GOPATH=$SOURCE_ROOT 
    export PATH=$GOPATH/bin:$PATH
    export CC=$(which gcc)
    export CXX=$(which g++)
    go version
    
  • Install CMake v3.22.5 and Clang 14.0.6 (Only for SLES 12 SP5)

    #Install CMake v3.22.5
    cd $SOURCE_ROOT
    wget https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5.tar.gz
    tar -xf cmake-3.22.5.tar.gz
    cd cmake-3.22.5
    ./bootstrap -- -DCMAKE_BUILD_TYPE:STRING=Release
    # In case of the error "/lib64/libstdc++.so.6: version `GLIBCXX_3.4.26` not found", run the following `ln`
    sudo ln -sf /usr/local/lib64/libstdc++.so.6.0.28 /lib64/libstdc++.so.6
    make
    sudo make install
    sudo ln -sf /usr/local/bin/cmake /usr/bin/cmake
    
    #Install Clang 14.0.6
    cd $SOURCE_ROOT
    URL=https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-14.0.6.tar.gz
    # Download and unpack the LLVM source tree (the build script's error helper is not available in a manual shell)
    curl -sSL $URL | tar xzf - || echo "Download of Clang 14.0.6 failed" >&2
    cd llvm-project-llvmorg-14.0.6
    mkdir build && cd build
    cmake -DLLVM_ENABLE_PROJECTS=clang -DCMAKE_C_COMPILER="/usr/bin/gcc" -DCMAKE_CXX_COMPILER="/usr/bin/g++"  -DCMAKE_BUILD_TYPE="Release" -G "Unix Makefiles" ../llvm
    make clang
    clangbuild=${SOURCE_ROOT}/llvm-project-llvmorg-14.0.6/build
    export PATH=$clangbuild/bin:$PATH
    export LD_LIBRARY_PATH=$clangbuild/lib:$LD_LIBRARY_PATH
    cd $clangbuild/bin
    sudo ln -sf clang++ clang++-14
    export CC=${SOURCE_ROOT}/llvm-project-llvmorg-14.0.6/build/bin/clang
    export CXX=${SOURCE_ROOT}/llvm-project-llvmorg-14.0.6/build/bin/clang++-14
    cd $SOURCE_ROOT
    clang --version
    

Step 3: Download, configure and build Falco

3.1) Download Falco

cd $SOURCE_ROOT
git clone --depth 1 -b 0.38.1  https://github.com/falcosecurity/falco.git
cd falco

3.2) Apply patch to turn off modern BPF support (Only on SLES 12 SP5 and Ubuntu 20.04)

curl -sSL https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.38.1/patch/modern_bpf.patch | git apply -

3.3) Build Falco

mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build

  • Configure Falco

    # Choose ONE of the two CMAKE_TEST_FLAG settings:
    CMAKE_TEST_FLAG="-DBUILD_FALCO_UNIT_TESTS=On"   # Only when unit tests are expected to be run after building Falco
    CMAKE_TEST_FLAG=""  # Only when unit tests are not needed
    # Choose ONE of the two CMAKE_FLAGS settings for your distribution:
    CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On ${CMAKE_TEST_FLAG}"  # Only for RHEL 8.x, SLES 12 SP5 and Ubuntu 20.04
    CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=ON ${CMAKE_TEST_FLAG}"   # Only for RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 24.04)
    cmake $CMAKE_FLAGS ../
    
  • Fix the library link order for libabsl (Only on RHEL 9.3)

    cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules
    sed -i '135{h;d};136G' grpc.cmake
    
  • Build and Install

    cd $SOURCE_ROOT/falco/build
    # Fix c-ares download link
    sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules/cares.cmake
    sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./c-ares-prefix/src/c-ares-stamp/c-ares-urlinfo.txt
    sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./c-ares-prefix/src/c-ares-stamp/download-c-ares.cmake
    make -j$(nproc)
    make package            # build deb/rpm packages (optional and only on Ubuntu and RHEL)
    sudo make install
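As an added example that is not part of the wiki page or of the linux-on-ibm-z build script, the helper below picks the CMAKE_FLAGS set from 3.3 by checking what the running kernel can do instead of matching a distribution name. It assumes that Falco's modern eBPF probe needs a kernel of 5.8 or newer with BTF exposed at /sys/kernel/btf/vmlinux; the kernel release string and the BTF path are parameters, so the logic can be checked against constructed values without root or a real kernel.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): choose the cmake flag set from 3.3
# from kernel capabilities rather than from the distribution name.
# Assumption: the modern eBPF probe needs kernel >= 5.8 plus BTF at the
# given path (normally /sys/kernel/btf/vmlinux). Both are passed in.

# Usage: falco_modern_bpf_capable <kernel release> <path to BTF vmlinux>
falco_modern_bpf_capable() {
  local maj min
  maj=$(printf '%s' "$1" | cut -d. -f1)
  min=$(printf '%s' "$1" | cut -d. -f2)
  [ -r "$2" ] || return 1            # no BTF on this kernel: no CO-RE probe
  if [ "$maj" -gt 5 ]; then return 0; fi
  if [ "$maj" -eq 5 ] && [ "$min" -ge 8 ]; then return 0; fi
  return 1
}

# Usage: falco_cmake_flags <kernel release> <BTF path> <yes|no unit tests>
# Prints the CMAKE_FLAGS string from section 3.3 that matches the inputs:
# the base set always, the BPF/modern-BPF flags only when the kernel can
# run them, and the unit-test flag only when asked for.
falco_cmake_flags() {
  local flags
  flags="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On"
  if falco_modern_bpf_capable "$1" "$2"; then
    flags="$flags -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=ON"
  fi
  if [ "$3" = yes ]; then
    flags="$flags -DBUILD_FALCO_UNIT_TESTS=On"
  fi
  printf '%s\n' "$flags"
}

# On the build host, from $SOURCE_ROOT/falco/build, this replaces the manual
# CMAKE_FLAGS choice above:
#   cmake $(falco_cmake_flags "$(uname -r)" /sys/kernel/btf/vmlinux no) ../
```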
    

3.4) Load kernel module

  • Unload any existing module using

    sudo rmmod falco
    
  • Insert locally built version

    cd $SOURCE_ROOT/falco/build
    sudo insmod driver/falco.ko
    

3.5) Copy eBPF driver object file to the default location (Only on RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 24.04))

sudo mkdir -p /root/.falco
sudo cp -f $SOURCE_ROOT/falco/build/driver/bpf/probe.o /root/.falco/falco-bpf.o

Step 4: Testing (optional)

cd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_tests 

A separate Falco project, https://github.com/falcosecurity/event-generator, can be used to run further tests.

Step 5: Validate installation (optional)

  • Run Falco with Kernel module (default driver)

    sudo falco
    

    Note: Run sudo falco --help to see the available options for running Falco. By default, Falco logs events to standard error.

    Output similar to the following will be seen

    Wed Jun 26 06:20:43 2024: Falco version: 0.38.1 (s390x)
    Wed Jun 26 06:20:43 2024: Falco initialized with configuration files:
    Wed Jun 26 06:20:43 2024:    /etc/falco/falco.yaml
    Wed Jun 26 06:20:43 2024: System info: Linux version 5.15.0-112-generic (buildd@bos01-s390x-016) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #122-Ubuntu SMP Thu May 23 08:10:47 UTC 2024
    Wed Jun 26 06:20:43 2024: Loading rules from file /etc/falco/falco_rules.yaml
    Wed Jun 26 06:20:43 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
    Wed Jun 26 06:20:43 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
    Wed Jun 26 06:20:43 2024: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
    Wed Jun 26 06:20:43 2024: Loaded event sources: syscall
    Wed Jun 26 06:20:43 2024: Enabled event sources: syscall
    Wed Jun 26 06:20:43 2024: Opening 'syscall' source with modern BPF probe.
    
  • Run Falco with eBPF probe driver (Only on RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 24.04))

    sudo FALCO_BPF_PROBE="" falco
    

    Output similar to the following will be seen

    Wed Jun 26 06:21:05 2024: Falco version: 0.38.1 (s390x)
    Wed Jun 26 06:21:05 2024: Falco initialized with configuration files:
    Wed Jun 26 06:21:05 2024:    /etc/falco/falco.yaml
    Wed Jun 26 06:21:05 2024: System info: Linux version 5.15.0-112-generic (buildd@bos01-s390x-016) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #122-Ubuntu SMP Thu May 23 08:10:47 UTC 2024
    Wed Jun 26 06:21:05 2024: Loading rules from file /etc/falco/falco_rules.yaml
    Wed Jun 26 06:21:05 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
    Wed Jun 26 06:21:05 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
    Wed Jun 26 06:21:05 2024: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
    Wed Jun 26 06:21:05 2024: Loaded event sources: syscall
    Wed Jun 26 06:21:05 2024: Enabled event sources: syscall
    Wed Jun 26 06:21:05 2024: Opening 'syscall' source with modern BPF probe.
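As an added example that is not part of the wiki page, the helper below parses the startup log shown in Step 5 and reports which driver actually opened the 'syscall' source, which rules files were loaded, and where the health webserver is listening, so a build can be validated without reading the log by eye. The modern BPF line is taken from the output above; the wording matched for the kernel module and classic eBPF probe lines is assumed from Falco's log convention, and the sample log is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): check Falco's startup log after
# Step 5. Assumed wording for the kernel-module and classic-BPF variants of
# the "Opening 'syscall' source with ..." line; the modern BPF line is real.

# Constructed sample in the same format as the startup output above.
SAMPLE_LOG="Wed Jun 26 06:20:43 2024: Falco version: 0.38.1 (s390x)
Wed Jun 26 06:20:43 2024: Falco initialized with configuration files:
Wed Jun 26 06:20:43 2024:    /etc/falco/falco.yaml
Wed Jun 26 06:20:43 2024: Loading rules from file /etc/falco/falco_rules.yaml
Wed Jun 26 06:20:43 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
Wed Jun 26 06:20:43 2024: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Wed Jun 26 06:20:43 2024: Opening 'syscall' source with modern BPF probe."

# Strip the "Wed Jun 26 06:20:43 2024: " prefix Falco puts on every line.
falco_strip_ts() {
  sed -E 's/^[A-Za-z]{3} [A-Za-z]{3} +[0-9]+ [0-9:]{8} [0-9]{4}: +//'
}

# Falco version string, e.g. 0.38.1
falco_version() {
  printf '%s\n' "$1" | falco_strip_ts | sed -n 's/^Falco version: \([^ ]*\).*/\1/p' | head -n 1
}

# One rules file path per line, in load order.
falco_rules_files() {
  printf '%s\n' "$1" | falco_strip_ts | sed -n 's/^Loading rules from file //p'
}

# Address the health webserver is bound to, e.g. 0.0.0.0:8765 (all interfaces).
falco_webserver_bind() {
  printf '%s\n' "$1" | falco_strip_ts | sed -n 's/.*listening on \([^ ]*\).*/\1/p' | head -n 1
}

# Driver that opened the syscall source: modern_bpf, bpf, kernel_module or unknown.
# "modern bpf" is tested before "bpf probe" because the modern line contains both.
falco_driver() {
  local line
  line=$(printf '%s\n' "$1" | grep "Opening 'syscall' source with" | head -n 1 | tr '[:upper:]' '[:lower:]')
  case "$line" in
    *"modern bpf"*)    echo modern_bpf ;;
    *"bpf probe"*)     echo bpf ;;
    *"kernel module"*) echo kernel_module ;;
    *)                 echo unknown ;;
  esac
}

# Exit 0 only when the driver named in the log is the one you expected to load.
falco_check_driver() {
  [ "$(falco_driver "$1")" = "$2" ]
}
```

On a real host, capture the log with `sudo falco 2>falco.log` and pass `"$(cat falco.log)"` to these functions instead of SAMPLE_LOG.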
    
