Skip to content

Building Falco

Jump to bottom
aborkar-ibm edited this page Jun 11, 2021 · 39 revisions

Building Falco

The instructions provided below specify the steps to build Falco version 0.28.1 on Linux on IBM Z for following distributions:

  • Ubuntu (18.04, 20.04, 21.04)
  • RHEL (7.8, 7.9, 8.1, 8.2, 8.3)
  • SLES (12 SP5, 15 SP2)

General Notes:

  • When following the steps below please use standard permission user unless otherwise specified.
  • A directory /<source_root>/ will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.

Step 1: Build using script

If you want to build Falco using manual steps, go to step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.28.1/build_falco.sh

# Run bash build_falco.sh -h to see all available options
bash build_falco.sh

In case of error, check logs for more details or go to Step 2 to follow manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

  • Ubuntu (18.04, 20.04, 21.04)

    sudo apt-get update

sudo apt-get install -y git cmake build-essential libncurses-dev pkg-config autoconf libtool libelf-dev curl rpm \
    linux-headers-$(uname -r)

  • RHEL (7.8, 7.9)

    sudo yum install -y gcc gcc-c++ git make autoconf automake pkgconfig patch ncurses-devel libtool glibc-static \
    libstdc++-static elfutils-libelf-devel kernel-devel-$(uname -r) rpm-build createrepo curl libcurl-devel

  • RHEL (8.1, 8.2, 8.3)

    sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool \
    elfutils-libelf-devel diffutils which kernel-devel-$(uname -r) rpm-build createrepo libarchive

  • SLES (12 SP5)

    export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo zypper -n install gcc7 gcc7-c++ git-core cmake ncurses-devel libopenssl-devel \
    libcurl-devel protobuf-devel patch which automake autoconf libtool libelf-devel \
    "kernel-default-devel=${KERNEL_VERSION}"
    
sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-7 40
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 40
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-7 40
sudo update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-7 40

  • SLES (15 SP2)

    export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo zypper -n install gcc gcc-c++ git-core cmake libjq-devel ncurses-devel yaml-cpp-devel \
    libopenssl-devel libcurl-devel c-ares-devel protobuf-devel patch which automake autoconf \
    libtool libelf-devel "kernel-default-devel=${KERNEL_VERSION}"

  • Install CMake v3.7.2 (Only for RHEL 7.x)

    cd $SOURCE_ROOT
wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz
tar xzf cmake-3.7.2.tar.gz
cd cmake-3.7.2
./configure --prefix=/usr/
./bootstrap --system-curl --parallel=16
make -j16
sudo make install
export PATH=/usr/local/bin:$PATH
cmake --version

Step 3: Download, configure and build Falco

3.1) Download Falco

cd $SOURCE_ROOT
git clone https://github.com/falcosecurity/falco.git
cd falco
git checkout 0.28.1

3.2) Download and apply the required patches

curl -SLO https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.28.1/patch/lauxlib.h.patch
curl -SLO https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.28.1/patch/falco.patch
git apply falco.patch

3.3) Patch kernel module makefile - remove -fdump-ipa-clones flag (Only on SLES 12 SP5)

export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo cp "/usr/src/linux-$KERNEL_VERSION/Makefile" "/usr/src/linux-$KERNEL_VERSION/Makefile.back"
sudo sed -i 's/-fdump-ipa-clones//g' /usr/src/linux-"$KERNEL_VERSION"/Makefile

3.4) Build Falco

mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
cmake -DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_OPENSSL=On -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release ../
make
make package            # build deb/rpm packages (only on Ubuntu and RHEL)
sudo make install

3.5) Load kernel module

  • Unload any existing module using

    sudo rmmod falco

  • Insert locally built version

    cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko

Step 4: Testing (optional)

cd $SOURCE_ROOT/falco/build
make tests

Step 5: Validate installation (optional)

  • Start Falco process

    sudo falco

    Note: Run sudo falco --help to see available options to run falco. By default, falco logs events to standard error.

  • Output similar to following will be seen

    Fri Oct 23 09:25:45 2020: Falco version 0.28.0 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)
Fri Oct 23 09:25:45 2020: Falco initialized with configuration file /home/currency/src/falco/falco.yaml
Fri Oct 23 09:25:45 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Fri Oct 23 09:25:45 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Fri Oct 23 09:25:45 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Fri Oct 23 09:25:45 2020: Starting internal webserver, listening on port 8765

Reference:

https://falco.org/docs/ - Official Falco documentation

The information provided in this article is accurate at the time of writing, but on-going development in the open-source projects involved may make the information incorrect or obsolete. Please open issue or contact us on IBM Z Community if you have any questions or feedback.

Clone this wiki locally