Building Falco - linux-on-ibm-z/docs GitHub Wiki

Building Falco

The instructions provided below specify the steps to build Falco version 0.41.2 on Linux on IBM Z for following distributions:

RHEL (8.10, 9.4, 9.5, 9.6)
SLES 15 SP6
Ubuntu (22.04, 24.04, 25.04)

Falco supports all three kernel drivers starting with 0.34.x releases on s390x: Kernel module, eBPF probe and Modern eBPF probe. Please check driver - kernel version support matrix for detailed information.

General Notes:

When following the steps below please use standard permission user unless otherwise specified.
A directory /<source_root>/ will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.

Step 1: Build using script

If you want to build Falco using manual steps, go to step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.41.2/build_falco.sh

# Run bash build_falco.sh -h to see all available options
bash build_falco.sh

In case of error, check logs for more details or go to Step 2 to follow manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

RHEL 8.10

sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core clang llvm bpftool

RHEL (9.4, 9.5, 9.6)

sudo yum install --allowerasing -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-IPC-Cmd perl-bignum perl-core perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) go clang llvm bpftool

SLES 15 SP6

SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')

sudo zypper install -y gcc gcc-c++ gcc13 gcc13-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static go1.23 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang17 llvm17 bpftool

sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-13 50
export CC=$(which gcc)
export CXX=$(which g++)

Ubuntu 22.04

sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm

Ubuntu (24.04, 25.04)

sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-12 g++-12 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm

sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100 --slave /usr/bin/g++ g++ /usr/bin/g++-12
export CC=$(which gcc)
export CXX=$(which g++)

Install Go v1.22.4 (Only for RHEL 8.x and Ubuntu)

cd $SOURCE_ROOT
export GO_VERSION="1.22.4"
wget -q https://storage.googleapis.com/golang/go"$GO_VERSION".linux-s390x.tar.gz
chmod ugo+r go"$GO_VERSION".linux-s390x.tar.gz
sudo tar -C /usr/local -xzf go"$GO_VERSION".linux-s390x.tar.gz
sudo ln -sf /usr/local/go/bin/go /usr/bin/
sudo ln -sf /usr/local/go/bin/gofmt /usr/bin/
sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc # (Only on RHEL and SLES)
export GOPATH=$SOURCE_ROOT
export PATH=$GOPATH/bin:$PATH
export CC=$(which gcc)
export CXX=$(which g++)
go version

Install bpftool (Only for Ubuntu 22.04)

cd $SOURCE_ROOT
git clone --depth 1 --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool && cd src
CLANG=Nope make -j8
sudo make install

Step 3: Download, configure and build Falco

3.1. Download Falco

cd $SOURCE_ROOT
git clone --depth 1 -b 0.41.2 https://github.com/falcosecurity/falco.git
cd falco

3.2. Apply patch to wrap the plugin installation as a condition to the existing architecture checks

curl -sSL https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.41.2/patch/container_plugin.patch | git apply -

3.3. Apply patch to turn off modern BPF support RHEL 8.X

curl -sSL https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.41.2/patch/modern_bpf.patch | git apply -

3.4. Build Falco

mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build

Configure Falco and apply CMake patch

CMAKE_TEST_FLAG="-DBUILD_FALCO_UNIT_TESTS=On"   # Only when unit tests are expected to be run after building Falco
CMAKE_TEST_FLAG=""  # Only when unit tests are not needed
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On -DBUILD_BPF=OFF -DUSE_BUNDLED_CONTAINER_PLUGIN=OFF -DPLUGIN_CONFIG_PATHS="/usr/share/falco/plugins/libcontainer.so" -DCMAKE_SYSTEM_PROCESSOR=s390x -DCMAKE_HOST_SYSTEM_PROCESSOR=s390x ${CMAKE_TEST_FLAG}"  # Only for RHEL 8.x
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=ON -DBUILD_FALCO_MODERN_BPF=ON -DUSE_BUNDLED_CONTAINER_PLUGIN=OFF -DPLUGIN_CONFIG_PATHS="/usr/share/falco/plugins/libcontainer.so" -DCMAKE_SYSTEM_PROCESSOR=s390x -DCMAKE_HOST_SYSTEM_PROCESSOR=s390x ${CMAKE_TEST_FLAG}"   # Only for RHEL 9.x, SLES 15.6 and Ubuntu (22.04, 24.04, 25.04)
cmake $CMAKE_FLAGS ../

sed -i '/if(NOT TARGET container_plugin)/i if(USE_BUNDLED_CONTAINER_PLUGIN)\n' falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules/container_plugin.cmake
sed -i '/include(container_plugin)/a endif()' falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules/container_plugin.cmake

Build and Install

cd $SOURCE_ROOT/falco/build
make c-ares  # Only for RHEL 8.x, RHEL 9.x, SLES 15.6
ln -s $SOURCE_ROOT/falco/build/c-ares-prefix/src/c-ares/lib64 $SOURCE_ROOT/falco/build/c-ares-prefix/src/c-ares/lib # Only for RHEL 8.x, RHEL 9.x, SLES 15.6
make -j$(nproc)
make package            # build deb/rpm packages (optional and only on Ubuntu and RHEL)
sudo make install

3.5. Load kernel module

Unload any existing module using
```
sudo rmmod falco
```

Insert locally built version

cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko

3.6. Copy eBPF driver object file to the default location (Only on RHEL 9.x, SLES 15.6 and Ubuntu (22.04, 24.04, 25.04))

sudo mkdir /root/.falco
sudo cp -f $SOURCE_ROOT/falco/build/driver/bpf/probe.o /root/.falco/falco-bpf.o

Step 4: Testing (optional)

cd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_tests 

A separate falco project https://github.com/falcosecurity/event-generator can be used to run further tests.

Step 5: Validate installation (optional)

Run Falco with Kernel module (default driver)

sudo falco

Note: Run sudo falco --help to see available options to run falco. By default, falco logs events to standard error.

Output similar to following will be seen

Mon Jun 23 13:10:37 2025: Falco version: 0.41.2 (s390x)
Mon Jun 23 13:10:37 2025: Falco initialized with configuration files:
Mon Jun 23 13:10:37 2025:    /etc/falco/falco.yaml | schema validation: ok
Mon Jun 23 13:10:37 2025: System info: Linux version 4.18.0-553.56.1.el8_10.s390x ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-26) (GCC)) #1 SMP Mon Jun 2 16:46:50 EDT 2025
Mon Jun 23 13:10:37 2025: [libs]: Cannot read host init process proc root: 13
Mon Jun 23 13:10:37 2025: [libs]: Cannot read host init process proc root: 13
Mon Jun 23 13:10:37 2025: Loading rules from:
Mon Jun 23 13:10:37 2025:    /etc/falco/falco_rules.yaml | schema validation: ok
Mon Jun 23 13:10:37 2025:    /etc/falco/falco_rules.local.yaml | schema validation: none
Mon Jun 23 13:10:37 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Mon Jun 23 13:10:37 2025: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Mon Jun 23 13:10:37 2025: Loaded event sources: syscall
Mon Jun 23 13:10:37 2025: Enabled event sources: syscall
Mon Jun 23 13:10:37 2025: Opening 'syscall' source with modern BPF probe.
Mon Jun 23 13:10:37 2025: One ring buffer every '2' CPUs.

Run Falco with eBPF probe driver (Only on RHEL 9.x, SLES 15.6 and Ubuntu (22.04, 24.04, 25.04))

sudo FALCO_BPF_PROBE="" falco

Output similar to following will be seen

Mon Jun 23 13:10:37 2025: Falco version: 0.41.2 (s390x)
Mon Jun 23 13:10:37 2025: Falco initialized with configuration files:
Mon Jun 23 13:10:37 2025:    /etc/falco/falco.yaml | schema validation: ok
Mon Jun 23 13:10:37 2025: System info: Linux version 4.18.0-553.56.1.el8_10.s390x ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-26) (GCC)) #1 SMP Mon Jun 2 16:46:50 EDT 2025
Mon Jun 23 13:10:37 2025: [libs]: Cannot read host init process proc root: 13
Mon Jun 23 13:10:37 2025: [libs]: Cannot read host init process proc root: 13
Mon Jun 23 13:10:37 2025: Loading rules from:
Mon Jun 23 13:10:37 2025:    /etc/falco/falco_rules.yaml | schema validation: ok
Mon Jun 23 13:10:37 2025:    /etc/falco/falco_rules.local.yaml | schema validation: none
Mon Jun 23 13:10:37 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Mon Jun 23 13:10:37 2025: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Mon Jun 23 13:10:37 2025: Loaded event sources: syscall
Mon Jun 23 13:10:37 2025: Enabled event sources: syscall
Mon Jun 23 13:10:37 2025: Opening 'syscall' source with modern BPF probe.
Mon Jun 23 13:10:37 2025: One ring buffer every '2' CPUs.

Reference:

https://falco.org/docs/ - Official Falco documentation