Building Falco - linux-on-ibm-z/docs GitHub Wiki

Building Falco

The instructions provided below specify the steps to build Falco version 0.37.1 on Linux on IBM Z for following distributions:

  • RHEL (7.8, 7.9, 8.8, 8.9, 9.2, 9.3)
  • SLES (12 SP5, 15 SP5)
  • Ubuntu (20.04, 22.04, 23.10)

Falco supports all three kernel drivers starting with 0.34.x releases on s390x: Kernel module, eBPF probe and Modern eBPF probe. Please check driver - kernel version support matrix for detailed information.

General Notes:

  • When following the steps below please use standard permission user unless otherwise specified.
  • A directory /<source_root>/ will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.

Step 1: Build using script

If you want to build Falco using manual steps, go to step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.37.1/build_falco.sh

# Run bash build_falco.sh -h to see all available options
bash build_falco.sh

In case of error, check logs for more details or go to Step 2 to follow manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

  • RHEL (7.8, 7.9)

    sudo yum install -y devtoolset-9-gcc devtoolset-9-gcc-c++ devtoolset-9-toolchain devtoolset-9-libstdc++-devel glibc-static openssl-devel autoconf automake libtool createrepo expect git which rpm-build git libarchive wget bzip2 perl-IPC-Cmd perl-bignum perl-core make autoconf automake pkg-config patch elfutils-libelf-devel diffutils kernel-devel-$(uname -r) kmod
source /opt/rh/devtoolset-9/enable

  • RHEL (8.8, 8.9)

    sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core

  • RHEL (9.2, 9.3)

    sudo yum install --allowerasing -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core perl-FindBin go clang llvm bpftool
go version

  • SLES 12 SP5

    SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')

sudo zypper install -y --force-resolution gcc gcc9 gcc9-c++ git-core patch which automake autoconf libtool libopenssl-devel libcurl-devel libelf-devel "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" tar curl make

sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 50
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
sudo update-alternatives --skip-auto --config gcc
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 50
export CC=$(which gcc)
export CXX=$(which g++)

  • SLES 15 SP5

    SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]')
sudo zypper install -y gcc gcc-c++ gcc12-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static go1.21 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang14 llvm14 bpftool
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 50
export CC=$(which gcc)
export CXX=$(which g++)

  • Ubuntu 20.04

    sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) kmod

  • Ubuntu 22.04

    For Ubuntu 22.04, if the current kernel version is 5.15.0-71-generic, please upgrade it to a higher version such as 5.15.0-73-generic first, since linux-tools-5.15.0-71-generic package doesn't exist in the repository.

    sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm

  • Ubuntu 23.10

    sudo apt-get update
sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-12 g++-12 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100 --slave /usr/bin/g++ g++ /usr/bin/g++-12
export CC=$(which gcc)
export CXX=$(which g++)

  • Install GCC v10.2.0 (Only for RHEL 7.x)

    cd $SOURCE_ROOT
sudo yum groupinstall -y 'Development Tools'
sudo yum install -y wget tar git libtool autoconf make curl python3
sudo yum install -y hostname tar zip gcc-c++ unzip python3 cmake curl wget gcc vim patch binutils-devel tcl gettext
GCC_VERSION=10.2.0
wget https://ftp.gnu.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.gz
tar -xf gcc-${GCC_VERSION}.tar.gz
cd gcc-${GCC_VERSION}
./contrib/download_prerequisites
mkdir objdir
cd objdir
../configure --prefix=/opt/gcc --enable-languages=c,c++ --with-arch=zEC12 --with-long-double-128 \
     --build=s390x-linux-gnu --host=s390x-linux-gnu --target=s390x-linux-gnu                  \
     --enable-threads=posix --with-system-zlib --disable-multilib
make -j $(nproc)
sudo make install
sudo ln -sf /opt/gcc/bin/gcc /usr/bin/gcc
sudo ln -sf /opt/gcc/bin/g++ /usr/bin/g++
sudo ln -sf /opt/gcc/bin/g++ /usr/bin/c++
export PATH=/opt/gcc/bin:"$PATH"
export LD_LIBRARY_PATH=/opt/gcc/lib64:"$LD_LIBRARY_PATH"
export C_INCLUDE_PATH=/opt/gcc/lib/gcc/s390x-linux-gnu/${GCC_VERSION}/include
export CPLUS_INCLUDE_PATH=/opt/gcc/lib/gcc/s390x-linux-gnu/${GCC_VERSION}/include

  • Install Go v1.18.8 (Only for RHEL(7.x, 8.x), SLES 12 SP5 and Ubuntu)

    cd $SOURCE_ROOT
wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Go/1.18.4/build_go.sh
sed -i 's:"ubuntu-23.04":"ubuntu-23.04" | "ubuntu-23.10":g' build_go.sh #(Only for Ubuntu 23.10)
bash build_go.sh -y -v 1.18.8
export GOPATH=$SOURCE_ROOT 
export PATH=$GOPATH/bin:$PATH
export CC=$(which gcc)
export CXX=$(which g++)
go version

  • Install CMake v3.22.5 (Only for RHEL 7.x and SLES 12 SP5)

    cd $SOURCE_ROOT
wget https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5.tar.gz
tar -xf cmake-3.22.5.tar.gz
cd cmake-3.22.5
./bootstrap -- -DCMAKE_BUILD_TYPE:STRING=Release
# In case of error: "/lib64/libstdc++.so.6: version `GLIBCXX_3.4.26` not found" do following `ln`
sudo ln -sf /usr/local/lib64/libstdc++.so.6.0.28 /lib64/libstdc++.so.6
make
sudo make install
sudo ln -sf /usr/local/bin/cmake /usr/bin/cmake

Step 3: Download, configure and build Falco

3.1) Download Falco

cd $SOURCE_ROOT
git clone https://github.com/falcosecurity/falco.git
cd falco
git checkout 0.37.1

3.2) Patch Clang flags for building modern BPF object code (Only on Ubuntu (22.04, 23.10))

curl -sSL https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.37.1/patch/modern_bpf_clang_flags.patch | git apply -

3.3) Build Falco

mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build

  • Configure Falco

    CMAKE_TEST_FLAG="-DBUILD_FALCO_UNIT_TESTS=On"   # Only when unit tests are expected to be run after building Falco
CMAKE_TEST_FLAG=""  # Only when unit tests are not needed
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On ${CMAKE_TEST_FLAG}"  # Only for RHEL (7.x, 8.x), SLES 12 SP5 and Ubuntu 20.04
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=On -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=ON ${CMAKE_TEST_FLAG}"   # Only for RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 23.10)
cmake $CMAKE_FLAGS ../

  • Fix the library link order for libabsl (Only on RHEL 9.3)

    cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules
sed -i '135{h;d};136G' grpc.cmake

  • Build and Install

    cd $SOURCE_ROOT/falco/build
make -j$(nproc)
make package            # build deb/rpm packages (optional and only on Ubuntu and RHEL)
sudo make install

3.5) Load kernel module

  • Unload any existing module using

    sudo rmmod falco

  • Insert locally built version

    cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko

3.6) Copy eBPF driver object file to the default location (Only on RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 23.10))

sudo mkdir /root/.falco
sudo cp -f $SOURCE_ROOT/falco/build/driver/bpf/probe.o /root/.falco/falco-bpf.o

Step 4: Testing (optional)

cd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_tests 

A separate falco project https://github.com/falcosecurity/event-generator can be used to run further tests.

Step 5: Validate installation (optional)

  • Run Falco with Kernel module (default driver)

    sudo falco

    Note: Run sudo falco --help to see available options to run falco. By default, falco logs events to standard error.

    Output similar to following will be seen

    Tue Nov 28 07:26:50 2023: Falco version: 0.37.1 (s390x)
Tue Nov 28 07:26:50 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Tue Nov 28 07:26:50 2023: Loading rules from file /etc/falco/falco_rules.yaml
Tue Nov 28 07:26:50 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Tue Nov 28 07:26:50 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Nov 28 07:26:50 2023: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Nov 28 07:26:50 2023: Loaded event sources: syscall
Tue Nov 28 07:26:50 2023: Enabled event sources: syscall
Tue Nov 28 07:26:50 2023: Opening 'syscall' source with Kernel module

  • Run Falco with eBPF probe driver (Only on RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 23.10))

    sudo FALCO_BPF_PROBE="" falco

    Output similar to following will be seen

    Tue Nov 28 07:27:09 2023: Falco version: 0.37.1 (s390x)
Tue Nov 28 07:27:09 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Tue Nov 28 07:27:09 2023: DEPRECATION NOTICE: the 'FALCO_BPF_PROBE' environment variable is deprecated and will be removed in Falco 0.38!
Tue Nov 28 07:27:09 2023: Loading rules from file /etc/falco/falco_rules.yaml
Tue Nov 28 07:27:09 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Tue Nov 28 07:27:09 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Nov 28 07:27:09 2023: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Nov 28 07:27:09 2023: Loaded event sources: syscall
Tue Nov 28 07:27:09 2023: Enabled event sources: syscall
Tue Nov 28 07:27:09 2023: Opening 'syscall' source with BPF probe. BPF probe path: /root/.falco/falco-bpf.o

  • Run Falco with modern eBPF probe driver (Only on RHEL 9.x, SLES 15 SP5 and Ubuntu (22.04, 23.10))

    sudo falco --modern-bpf

    Output similar to following will be seen

    Tue Nov 28 07:27:22 2023: Falco version: 0.37.1 (s390x)
Tue Nov 28 07:27:22 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Tue Nov 28 07:27:22 2023: DEPRECATION NOTICE: the '--modern-bpf' command line option is deprecated and will be removed in Falco 0.38!
Tue Nov 28 07:27:22 2023: Loading rules from file /etc/falco/falco_rules.yaml
Tue Nov 28 07:27:22 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Tue Nov 28 07:27:22 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Tue Nov 28 07:27:22 2023: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Tue Nov 28 07:27:22 2023: Loaded event sources: syscall
Tue Nov 28 07:27:22 2023: Enabled event sources: syscall
Tue Nov 28 07:27:22 2023: Opening 'syscall' source with modern BPF probe.
Tue Nov 28 07:27:22 2023: One ring buffer every '2' CPUs.

Reference: