
Building Falco

aborkar-ibm edited this page Feb 1, 2023 · 39 revisions

The instructions provided below specify the steps to build Falco version 0.33.1 on Linux on IBM Z for the following distributions:

  • RHEL (7.8, 7.9, 8.4, 8.6, 8.7, 9.0, 9.1)
  • SLES (12 SP5, 15 SP4)
  • Ubuntu (18.04, 20.04, 22.04, 22.10)

General Notes:

  • When following the steps below, use a standard-permission user unless otherwise specified.
  • A directory /<source_root>/ is referred to in these instructions; this is a temporary writable directory that you can place anywhere you like.

Step 1: Build using script

If you want to build Falco using the manual steps, go to Step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.33.1/build_falco.sh

# Run bash build_falco.sh -h to see all available options
bash build_falco.sh

In case of error, check the logs for more details or go to Step 2 to follow the manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

  • RHEL (7.8, 7.9)

    sudo yum install -y devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel glibc-static openssl-devel autoconf automake libtool createrepo expect git which rpm-build libarchive wget bzip2 perl-FindBin make pkg-config patch elfutils-libelf-devel diffutils kernel-devel-$(uname -r) kmod
    source /opt/rh/devtoolset-7/enable
  • RHEL (8.4, 8.6, 8.7)

    sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r)
  • RHEL (9.0, 9.1)

    sudo yum install --allowerasing -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) go
  • SLES 12 SP5

    export SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
    export SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | cut -d "|" -f 4 - | tr -d '[:space:]')
    sudo zypper install -y --force-resolution gcc9 gcc9-c++ git-core patch which automake autoconf libtool libopenssl-devel libcurl-devel libelf-devel "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" tar curl
    sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 50
    sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
    sudo update-alternatives --skip-auto --config gcc
    sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 50
    export CC=$(which gcc)
    export CXX=$(which g++)
  • SLES 15 SP4

    export SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//')
    # Keep the running-kernel version and the package version in separate variables,
    # as in the SLES 12 SP5 step above, instead of overwriting SLES_KERNEL_VERSION
    export SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | cut -d "|" -f 4 - | tr -d '[:space:]')
    sudo zypper install -y gcc gcc-c++ git-core cmake patch which automake autoconf libtool libelf-devel tar curl vim wget pkg-config glibc-devel-static go1.18 "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod
  • Ubuntu 18.04

    sudo apt-get update
    sudo apt-get install -y curl kmod git cmake build-essential pkg-config autoconf libtool libelf-dev libcurl4-openssl-dev patch wget rpm linux-headers-$(uname -r) gcc
  • Ubuntu (20.04, 22.04, 22.10)

    sudo apt-get update
    sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc rpm linux-headers-$(uname -r) kmod
  • Install Go v1.18.8 (Only for RHEL, SLES 12 SP5 and Ubuntu)

    cd $SOURCE_ROOT
    wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Go/1.18.4/build_go.sh
    bash build_go.sh -y -v 1.18.8
    export GOPATH=$SOURCE_ROOT
    export PATH=$GOPATH/bin:$PATH
    go version
  • Install CMake v3.22.5 (Only for RHEL 7.x and SLES 12 SP5)

    cd $SOURCE_ROOT
    wget https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5.tar.gz
    tar -xf cmake-3.22.5.tar.gz
    cd cmake-3.22.5
    ./bootstrap -- -DCMAKE_BUILD_TYPE:STRING=Release
    # In case of error: "/lib64/libstdc++.so.6: version `GLIBCXX_3.4.26' not found" do following 'ln'
    sudo ln -sf /usr/local/lib64/libstdc++.so.6.0.28 /lib64/libstdc++.so.6
    make
    sudo make install
    sudo ln -sf /usr/local/bin/cmake /usr/bin/cmake
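A caveat on the SLES steps above: the grep | cut | tr pipeline that derives the kernel-default-devel version takes every zypper row containing the kernel version substring and squeezes them into one string, so a repository offering several matching builds produces a version that zypper cannot install. The following function is an added example, not part of this wiki or of the Falco project; it resolves the version from the same zypper table but insists on exactly one match. The zypper output below is constructed for offline use, and resolve_kernel_devel_version is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the linux-on-ibm-z wiki): resolve the exact
# kernel-default-devel version for the running SLES kernel and refuse
# to continue when zero or several builds match, instead of silently
# concatenating every matching row as the grep | cut | tr pipeline does.

# resolve_kernel_devel_version <output of 'zypper se -s kernel-default-devel'> <uname -r>
# Prints the unique package version; exit 1 if none matches, 2 if ambiguous.
resolve_kernel_devel_version() {
  zypper_out=$1
  base=${2%-default}            # strip the flavour suffix, as the wiki does
  versions=$(printf '%s\n' "$zypper_out" | awk -F'|' -v base="$base" '
    { gsub(/[[:space:]]/, "", $2); gsub(/[[:space:]]/, "", $4) }
    # column 2 is Name and column 4 is Version in the zypper table
    $2 == "kernel-default-devel" && substr($4, 1, length(base)) == base {
      rest = substr($4, length(base) + 1)
      # accept "<base>" or "<base>.<release>" only, so 24.3 does not match 24.38.1
      if (rest ~ /^(\.[0-9]+)?$/) print $4
    }' | sort -u)
  case "$(printf '%s\n' "$versions" | grep -c .)" in
    0) echo "no kernel-default-devel build matches kernel $base" >&2; return 1 ;;
    1) printf '%s\n' "$versions" ;;
    *) echo "several kernel-default-devel builds match $base; pick one explicitly:" >&2
       printf '  %s\n' $versions >&2   # unquoted on purpose: one version per line
       return 2 ;;
  esac
}

# Constructed sample of 'zypper se -s kernel-default-devel' output (not captured from a real host):
ZYPPER_SAMPLE='S | Name                 | Type    | Version                | Arch  | Repository
--+----------------------+---------+------------------------+-------+-----------
  | kernel-default-devel | package | 5.14.21-150400.24.33.2 | s390x | Updates
  | kernel-default-devel | package | 5.14.21-150400.24.38.1 | s390x | Updates
  | kernel-default-devel | package | 5.14.21-150400.24.38.2 | s390x | Updates
  | kernel-default-devel | package | 5.14.21-150400.24.38.2 | s390x | Mirror
  | kernel-devel         | package | 5.14.21-150400.24.33.2 | noarch| Updates'

# On a real SLES host, in place of the wiki's pipeline:
#   export SLES_KERNEL_PKG_VERSION=$(resolve_kernel_devel_version "$(sudo zypper se -s kernel-default-devel)" "$(uname -r)")
```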

Step 3: Download, configure and build Falco

3.1) Download Falco

cd $SOURCE_ROOT
git clone https://github.com/falcosecurity/falco.git
cd falco
git checkout 0.33.1

3.2) Download and apply the required patches

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.33.1/patch/plugins.cmake.patch
git apply plugins.cmake.patch

3.3) Patch kernel module makefile - remove -fdump-ipa-clones flag (Only on SLES 12 SP5)

sudo cp "/usr/src/linux-$SLES_KERNEL_VERSION/Makefile" "/usr/src/linux-$SLES_KERNEL_VERSION/Makefile.back"
sudo sed -i 's/-fdump-ipa-clones//g' /usr/src/linux-"$SLES_KERNEL_VERSION"/Makefile

3.4) Build Falco

mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
  • Configure Falco

    cmake -DUSE_BUNDLED_DEPS=ON -DUSE_BUNDLED_CURL=OFF ../     # Only for SLES 12 SP5
    cmake -DUSE_BUNDLED_DEPS=ON ../                            # Only for RHEL 7.x
    cmake -DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_OPENSSL=On -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release ../        # Only for RHEL (8.x, 9.x), SLES 15.x and Ubuntu
  • Make the following changes on RHEL, SLES 15.x, Ubuntu (20.04, 22.04, 22.10)

    cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules
    sed -i 's+https://github.com/curl/curl/releases/download/curl-7_84_0/curl-7.84.0.tar.bz2+https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.bz2+g' curl.cmake
    sed -i 's/702fb26e73190a3bd77071aa146f507b9817cc4dfce218d2ab87f00cd3bc059d/21a7e83628ee96164ac2b36ff6bf99d467c7b0b621c1f7e317d8f0d96011539c/g' curl.cmake
  • Fix the library link order for libabsl

    sed -i '135{h;d};136G' grpc.cmake
  • Fix a socketcall issue in falco

    cd $SOURCE_ROOT/falco/
    wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.33.1/patch/libs-driver-socketcall.patch
    git apply --directory=build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs libs-driver-socketcall.patch
    git apply --directory=build/driver-repo/driver-prefix/src libs-driver-socketcall.patch
    git apply --directory=build/driver/src libs-driver-socketcall.patch
  • Build and Install

    cd $SOURCE_ROOT/falco/build
    make
    make package            # build deb/rpm packages (only on Ubuntu and RHEL)
    sudo make install

3.5) Load kernel module

  • Unload any existing module using

    sudo rmmod falco
  • Insert the locally built version

    cd $SOURCE_ROOT/falco/build
    sudo insmod driver/falco.ko
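The rmmod/insmod step above fails if no module is loaded yet, and insmod will try to load a falco.ko even when it was built against headers for a different kernel than the one running. The script below is an added example, not part of this wiki or of the Falco project: it reloads the module only after comparing the module's vermagic with uname -r and only unloads a module that is actually present. The vermagic string and /proc/modules excerpt are constructed samples, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the linux-on-ibm-z wiki): reload the locally built
# Falco kernel module with a compatibility check in front of insmod. A driver
# that hooks the syscall path should not be loaded blind; a module built for
# another kernel release is rejected by the kernel at best.

# vermagic_matches <vermagic string> <uname -r output>
# The first token of a module's vermagic is the kernel release it was built
# for; return 0 when it equals the running kernel release.
vermagic_matches() {
  built_for=${1%% *}
  [ -n "$built_for" ] && [ "$built_for" = "$2" ]
}

# module_loaded <contents of /proc/modules> <module name>
# /proc/modules lists one module per line, name first.
module_loaded() {
  printf '%s\n' "$1" | grep -q "^$2 "
}

# reload_falco_module <path to falco.ko>
# Mirrors the wiki's rmmod/insmod step with the checks above added.
reload_falco_module() {
  ko=$1
  magic=$(modinfo -F vermagic "$ko") || return 1
  if ! vermagic_matches "$magic" "$(uname -r)"; then
    echo "refusing to load $ko: built for '${magic%% *}', running $(uname -r)" >&2
    return 1
  fi
  # Unload a previously loaded module only if one is actually present.
  if module_loaded "$(cat /proc/modules)" falco; then
    sudo rmmod falco || return 1
  fi
  sudo insmod "$ko" || return 1
  module_loaded "$(cat /proc/modules)" falco   # confirm it is now listed
}

# Constructed sample inputs for offline checks (not captured from a real host):
SAMPLE_VERMAGIC='5.14.21-150400.24.38-default SMP mod_unload modversions'
SAMPLE_PROC_MODULES='falco 512000 0 - Live 0x0000000000000000
xfs 1720320 2 - Live 0x0000000000000000'

# On a real host: reload_falco_module "$SOURCE_ROOT/falco/build/driver/falco.ko"
```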

Step 4: Testing (optional)

cd $SOURCE_ROOT/falco/build
make tests

A separate Falco project, https://github.com/falcosecurity/event-generator, can be used to run further tests.

Step 5: Validate installation (optional)

  • Start Falco process

    sudo falco

    Note: Run sudo falco --help to see the available options for running Falco. By default, Falco logs events to standard error.

  • Output similar to the following will be seen

    Fri Jan 13 15:11:23 2023: Falco version: 0.33.1 (s390x)
    Fri Jan 13 15:11:23 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
    Fri Jan 13 15:11:23 2023: Loading rules from file /etc/falco/falco_rules.yaml
    Fri Jan 13 15:11:23 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
    Fri Jan 13 15:11:23 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
    Fri Jan 13 15:11:23 2023: Starting health webserver with threadiness 8, listening on port 8765
    Fri Jan 13 15:11:23 2023: Enabled event sources: syscall
    Fri Jan 13 15:11:23 2023: Opening capture with Kernel module