Building Falco - linux-on-ibm-z/docs GitHub Wiki
Building Falco
The instructions below specify the steps to build Falco version 0.43.1 on Linux on IBM Z for the following distributions:
- RHEL (8.10, 9.6, 10.0)
- Ubuntu (22.04, 24.04)
Starting with the 0.34.x releases, Falco supports two kernel drivers on s390x: the kernel module and the modern eBPF probe. Check the driver - kernel version support matrix for detailed information.
General Notes:
- When following the steps below, use a user with standard permissions unless otherwise specified.
- A directory /<source_root>/ will be referred to in these instructions; this is a temporary writable directory anywhere you'd like to place it.
1. Build using script
If you want to build Falco using manual steps, go to step 2.
Use the following commands to build Falco using the build script. Please make sure you have wget installed.
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.43.1/build_falco.sh
# Run bash build_falco.sh -h to see all available options
bash build_falco.sh
In case of error, check logs for more details or go to Step 2 to follow manual build steps.
2. Install dependencies
export SOURCE_ROOT=/<source_root>/
PATCH_URL="https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.43.1/patch"
2.1. Install Basic Dependencies
- RHEL 8.10
sudo yum install -y gcc-toolset-13-gcc gcc-toolset-13-gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core clang llvm bpftool
source /opt/rh/gcc-toolset-13/enable
- RHEL (9.6, 10.0)
sudo yum install --allowerasing -y openssl-devel libstdc++-static libstdc++-devel c-ares-devel gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-IPC-Cmd perl-bignum perl-core perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) bpftool
- Ubuntu 22.04
sudo apt-get update
sudo apt-get install -y git cmake libssl-dev build-essential pkg-config autoconf wget curl patch libssl-dev libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
- Ubuntu 24.04
sudo apt-get update
sudo apt-get install -y git cmake libssl-dev build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-13 g++-13 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-13 100 --slave /usr/bin/g++ g++ /usr/bin/g++-13
export CC=$(which gcc)
export CXX=$(which g++)
2.2. Install Clang 19 (Only for RHEL 9.x/10.x)
Falco requires clang <= 19. If clang 20+ is installed on your system, install clang using the steps below.
cd $SOURCE_ROOT
URL=https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-19.1.0.tar.gz
curl -sSL "$URL" | tar xzf -
cd llvm-project-llvmorg-19.1.0
mkdir build
cd build
cmake -DLLVM_ENABLE_PROJECTS=clang -DCMAKE_BUILD_TYPE=Release -G "Unix Makefiles" ../llvm
make clang -j$(nproc)
export PATH=$(pwd)/bin:$PATH
2.3. Install cmake 3.28.3
cd $SOURCE_ROOT
wget -q https://cmake.org/files/v3.28/cmake-3.28.3.tar.gz
tar -xf cmake-3.28.3.tar.gz
cd cmake-3.28.3
./bootstrap
make -j"$(nproc)"
sudo make install
export PATH=/usr/local/bin:$PATH
cmake --version
2.4. Install Go
cd $SOURCE_ROOT
export GO_VERSION="1.25.0"
wget -q https://go.dev/dl/go"${GO_VERSION}".linux-s390x.tar.gz
chmod ugo+r go"$GO_VERSION".linux-s390x.tar.gz
sudo tar -C /usr/local -xzf go"$GO_VERSION".linux-s390x.tar.gz
sudo ln -sf /usr/local/go/bin/go /usr/bin/
sudo ln -sf /usr/local/go/bin/gofmt /usr/bin/
export GOPATH=$SOURCE_ROOT
export PATH=$GOPATH/bin:$PATH
export CC=$(which gcc)
export CXX=$(which g++)
go version
2.5. Install bpftool (Only for Ubuntu 22.04)
cd $SOURCE_ROOT
git clone --depth 1 --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool && cd src
CLANG=Nope make -j8
sudo make install
2.6. Build container plugin
cd $SOURCE_ROOT
git clone --depth 1 -b plugins/container/v0.6.4 https://github.com/falcosecurity/plugins.git
cd plugins/plugins/container
make libcontainer.so
tar zcf $SOURCE_ROOT/container-0.6.4-linux-s390x.tar.gz libcontainer.so
3. Build and Install
3.1. Download source
cd $SOURCE_ROOT
git clone --depth 1 -b 0.43.1 https://github.com/falcosecurity/falco.git
cd falco
3.2. Apply patches
- To include container plugin built for s390x
wget -O $SOURCE_ROOT/falco/cmake/modules/falcosecurity-libs-repo/libs_container_plugin_cmake.patch $PATCH_URL/libs_container_plugin_cmake.patch
sed -i "s#SOURCE_ROOT_PATH#$SOURCE_ROOT#g" $SOURCE_ROOT/falco/cmake/modules/falcosecurity-libs-repo/libs_container_plugin_cmake.patch
curl -sSL $PATCH_URL/falco.patch | git apply -
- To turn off modern BPF support (only for RHEL 8.x)
CMAKE_TEST_FLAG=" -DBUILD_FALCO_MODERN_BPF=OFF "
3.3. Configure
- Setup build directory
mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
- Setup unit tests
CMAKE_TEST_FLAG+=" -DBUILD_FALCO_UNIT_TESTS=ON " # Only when unit tests are expected to be run after building Falco
CMAKE_TEST_FLAG="${CMAKE_TEST_FLAG:-}" # Only when unit tests are not needed; keeps any flag set in step 3.2
- Setup common CMake flags
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=ON ${CMAKE_TEST_FLAG}"
- Run CMake
cmake $CMAKE_FLAGS ../
3.4. Build and Install
cd $SOURCE_ROOT/falco/build
sed -i 's/!found/found/g' falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c # Only for Ubuntu
make -j$(nproc)
sudo make install
3.5. Load kernel module
- Unload any existing module using
sudo rmmod falco
- Insert locally built version
cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko
4. Testing (optional)
cd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_tests
A separate Falco project https://github.com/falcosecurity/event-generator can be used to run further tests.
5. Validate installation (optional)
Note: Run sudo falco --help to see available options to run Falco. By default, Falco logs events to standard error.
5.1. Run Falco with Kernel module
sudo LD_PRELOAD=/lib64/libresolv.so.2 falco -o engine.kind=kmod # Only for RHEL 8.x
sudo falco -o engine.kind=kmod # For rest
Output similar to the following will be seen:
Tue Apr 21 13:10:39 2026: Falco version: 0.43.1 (s390x)
Tue Apr 21 13:10:39 2026: Falco initialized with configuration files:
Tue Apr 21 13:10:39 2026: /etc/falco/config.d/falco.container_plugin.yaml | schema validation: ok
Tue Apr 21 13:10:39 2026: /etc/falco/falco.yaml | schema validation: ok
Tue Apr 21 13:10:39 2026: System info: Linux version 5.15.0-164-generic (buildd@bos03-s390x-008) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04.2) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #174-Ubuntu SMP Fri Nov 14 20:32:22 UTC 2025
Tue Apr 21 13:10:39 2026: Loaded plugin 'container@0.6.4' from file /usr/share/falco/plugins/libcontainer.so
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'podman' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/podman/podman.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'docker' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/var/run/docker.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'cri' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/containerd/containerd.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/crio/crio.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/k3s/containerd/containerd.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'containerd' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'lxc' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'libvirt_lxc' container engine.
Tue Apr 21 13:10:39 2026: [libs]: container: Enabled 'bpm' container engine.
Tue Apr 21 13:10:39 2026: Loading rules from:
Tue Apr 21 13:10:39 2026: /etc/falco/falco_rules.yaml | schema validation: ok
Tue Apr 21 13:10:39 2026: /etc/falco/falco_rules.local.yaml | schema validation: none
Tue Apr 21 13:10:39 2026: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Apr 21 13:10:39 2026: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Apr 21 13:10:39 2026: Loaded event sources: syscall
Tue Apr 21 13:10:39 2026: Enabled event sources: syscall
Tue Apr 21 13:10:39 2026: Opening 'syscall' source with Kernel module
Tue Apr 21 13:10:39 2026: [libs]: Trying to open the right engine!
5.2. Run Falco with modern eBPF probe driver (default) (except RHEL 8.x)
sudo falco
Output similar to the following will be seen:
Tue Apr 21 13:09:39 2026: Falco version: 0.43.1 (s390x)
Tue Apr 21 13:09:39 2026: Falco initialized with configuration files:
Tue Apr 21 13:09:39 2026: /etc/falco/config.d/falco.container_plugin.yaml | schema validation: ok
Tue Apr 21 13:09:39 2026: /etc/falco/falco.yaml | schema validation: ok
Tue Apr 21 13:09:39 2026: System info: Linux version 5.15.0-164-generic (buildd@bos03-s390x-008) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04.2) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #174-Ubuntu SMP Fri Nov 14 20:32:22 UTC 2025
Tue Apr 21 13:09:39 2026: Loaded plugin 'container@0.6.4' from file /usr/share/falco/plugins/libcontainer.so
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'podman' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/podman/podman.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'docker' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/var/run/docker.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'cri' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/containerd/containerd.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/crio/crio.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/k3s/containerd/containerd.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'containerd' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'lxc' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'libvirt_lxc' container engine.
Tue Apr 21 13:09:39 2026: [libs]: container: Enabled 'bpm' container engine.
Tue Apr 21 13:09:39 2026: Loading rules from:
Tue Apr 21 13:09:39 2026: /etc/falco/falco_rules.yaml | schema validation: ok
Tue Apr 21 13:09:39 2026: /etc/falco/falco_rules.local.yaml | schema validation: none
Tue Apr 21 13:09:39 2026: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Apr 21 13:09:39 2026: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Apr 21 13:09:39 2026: Loaded event sources: syscall
Tue Apr 21 13:09:39 2026: Enabled event sources: syscall
Tue Apr 21 13:09:39 2026: Opening 'syscall' source with modern BPF probe.
Tue Apr 21 13:09:39 2026: One ring buffer every '2' CPUs.
Tue Apr 21 13:09:39 2026: [libs]: Trying to open the right engine!
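A way to check the startup output from 5.1 and 5.2 automatically, added here as an example (it is not part of the original instructions or of Falco). The function names are hypothetical, the sample lines are constructed from the output above, and treating 'none' as an acceptable schema validation result is an assumption based on that output.

```shell
#!/bin/sh
# Added example: checks a captured Falco startup log. Function names are hypothetical.

# Constructed sample: lines taken from the modern eBPF output shown on this page.
sample_log() {
cat <<'EOF'
Tue Apr 21 13:09:39 2026: /etc/falco/falco.yaml | schema validation: ok
Tue Apr 21 13:09:39 2026: /etc/falco/falco_rules.yaml | schema validation: ok
Tue Apr 21 13:09:39 2026: /etc/falco/falco_rules.local.yaml | schema validation: none
Tue Apr 21 13:09:39 2026: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Apr 21 13:09:39 2026: Opening 'syscall' source with modern BPF probe.
EOF
}

# Print which driver opened the syscall source: kmod, modern_ebpf or unknown.
falco_engine() {
    sed -n "s/.*Opening 'syscall' source with //p" "$1" | head -n 1 | {
        read -r engine || engine=""
        case "$engine" in
            "Kernel module"*)    echo kmod ;;
            "modern BPF probe"*) echo modern_ebpf ;;
            *)                   echo unknown ;;
        esac
    }
}

# Print "<file>: <result>" for every schema validation result other than ok/none.
schema_problems() {
    awk -F' [|] schema validation: ' 'NF == 2 && $2 != "ok" && $2 != "none" {
        n = split($1, parts, " "); print parts[n] ": " $2 }' "$1"
}

# Print the address:port the health webserver bound to (empty if it did not start).
webserver_listen() {
    sed -n 's/.*health webserver.*listening on \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# usage: check_falco_startup <logfile> <kmod|modern_ebpf>; returns 0 when the log looks right.
check_falco_startup() {
    engine=$(falco_engine "$1"); problems=$(schema_problems "$1")
    [ "$engine" = "$2" ] || { echo "driver: expected $2, got $engine" >&2; return 1; }
    [ -z "$problems" ] || { echo "schema validation: $problems" >&2; return 1; }
    case "$(webserver_listen "$1")" in
        0.0.0.0:*) echo "note: health webserver is bound to all interfaces" >&2 ;;
    esac
    return 0
}

if [ "$#" -eq 2 ]; then check_falco_startup "$1" "$2"; fi
```

Capture the startup output to a file first, for example with sudo falco 2>&1 | tee falco-startup.log, then run the script with that file and the driver you expect (kmod or modern_ebpf).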
Reference:
- https://falco.org/docs/ - Official Falco documentation