Running
Falco packages
If you installed the Falco packages using the dialog
all your services should be already up and running, while if you chose the Manual configuration
or if you used the FALCO_FRONTEND=noninteractive
env variable you have to configure services by your hand. Here we show a simple example with the eBPF probe
.
Let's imagine we want to start the falco-bpf.service
.
Type
systemctl list-units | grep falco
to check that no unit is running.Now you have to decide whether you want the Falcoctl service running together with the Falco one. If yes you don't have to do anything, else you will need to mask the Falcoctl service with
systemctl mask falcoctl-artifact-follow.service
. As pointed out in this section the Falcoctl service is strictly related to the Falco one so if you don't mask it, it will be started together with the Falco service.Type
falco-driver-loader bpf
to download/compile the BPF probe.Now running
systemctl start falco-bpf.service
and typingsystemctl list-units | grep falco
you should see something like that (supposing you didn't mask the Falcoctl service):falco-bpf.service loaded active running Falco: Container Native Runtime Security with ebpf falcoctl-artifact-follow.service loaded active running Falcoctl Artifact Follow: automatic artifacts update service
If you want to stop both services in one shot
systemctl stop falco-bpf.service
Custom run
You may have noticed a Falco unit called falco-custom.service
. You should use it when you want to run Falco with a custom configuration like a plugin or Gvisor. Please note that in this case you have to modify this template according to how you want to run Falco, the unit should not be used as is!
Falco binary
Here you can find some examples of how to run Falco after having installed it using the binary package
# Kernel module (default driver)
falco
# eBPF probe
FALCO_BPF_PROBE="" falco
# modern eBPF probe
falco --modern-bpf
# For more info see all available options
falco --help
If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that
- Your kernel has
CONFIG_BPF_JIT
enabled net.core.bpf_jit_enable
is set to 1 (enable the BPF JIT Compiler)- This can be verified via
sysctl -n net.core.bpf_jit_enable
Docker
To learn how to run Falco from a container in a Kubernetes setting, checkout the Deployment guide next.
Even using container images, Falco needs kernel headers installed on the host as prerequisite to correctly build the driver (the kernel module or the eBPF probe) on the fly. This step is not needed when a prebuilt driver is already available.
You can find instructions on how to install the kernel headers for your system under the Install section.
Falco ships a set of official docker images. The images can be used in two ways as follows:
Least privileged (recommended)
This is how the Falco userspace process can be ran in a container.
Once the kernel module has been installed directly on the host system, it can be used from within a container.
Install the kernel module:
- You can use an official installation method directly on the host
- Alternatively, you can temporarily use a privileged container to install the driver on the host:
docker pull falcosecurity/falco-driver-loader:latest docker run --rm -i -t \ --privileged \ -v /root/.falco:/root/.falco \ -v /proc:/host/proc:ro \ -v /boot:/host/boot:ro \ -v /lib/modules:/host/lib/modules \ -v /usr:/host/usr:ro \ -v /etc:/host/etc:ro \ falcosecurity/falco-driver-loader:latest
The falcosecurity/falco-driver-loader
image just wraps the falco-driver-loader
script.
You can find more about its usage here
Run Falco in a container using Docker with the principle of least privilege:
docker pull falcosecurity/falco-no-driver:latest docker run --rm -i -t \ -e HOST_ROOT=/ \ --cap-add SYS_PTRACE --pid=host $(ls /dev/falco* | xargs -I {} echo --device {}) \ -v /var/run/docker.sock:/var/run/docker.sock \ falcosecurity/falco-no-driver:latest
If you are running Falco on a system with the AppArmor LSM enabled (e.g Ubuntu), you will also need to pass --security-opt apparmor:unconfined
to
the docker run
command above.
You can verify if you have AppArmor enabled using the command below:
docker info | grep -i apparmor
Note that ls /dev/falco* | xargs -I {} echo --device {}
outputs a --device /dev/falcoX
option per CPU (ie. just the devices created by the Falco's kernel module). Also, -e HOST_ROOT=/
is necessary since with --device
there is no way to remap devices to /host/dev/
.
To run Falco in least privileged mode with the eBPF driver, we list all the required capabilities:
- on kernels <5.8, Falco requires
CAP_SYS_ADMIN
,CAP_SYS_RESOURCE
andCAP_SYS_PTRACE
- on kernels >=5.8,
CAP_BPF
andCAP_PERFMON
were separated out ofCAP_SYS_ADMIN
, so the required capabilities areCAP_BPF
,CAP_PERFMON
,CAP_SYS_RESOURCE
,CAP_SYS_PTRACE
. Unfortunately, Docker does not yet support adding the two newly introduced capabilities with the--cap-add
option. For this reason, we continue usingCAP_SYS_ADMIN
, given that it still allows performing the same operations granted byCAP_BPF
andCAP_PERFMON
. In the near future, Docker will support adding these two capabilities and we will be able to replaceCAP_SYS_ADMIN
.
Install the eBPF probe
docker pull falcosecurity/falco-driver-loader:latest docker run --rm -i -t \ --privileged \ -v /root/.falco:/root/.falco \ -v /proc:/host/proc:ro \ -v /boot:/host/boot:ro \ -v /lib/modules:/host/lib/modules:ro \ -v /usr:/host/usr:ro \ -v /etc:/host/etc:ro \ falcosecurity/falco-driver-loader:latest bpf
Then, run Falco
docker pull falcosecurity/falco-no-driver:latest docker run --rm -i -t \ --cap-drop all \ --cap-add sys_admin \ --cap-add sys_resource \ --cap-add sys_ptrace \ -v /var/run/docker.sock:/host/var/run/docker.sock \ -e FALCO_BPF_PROBE="" \ -v /root/.falco:/root/.falco \ -v /etc:/host/etc \ -v /proc:/host/proc:ro \ falcosecurity/falco-no-driver:latest # Please remember to add '-v /sys/kernel/debug:/sys/kernel/debug:ro \' to the above docker command # if you are running a kernel version < 4.14
Again, you will need to add --security-opt apparmor:unconfined
to the last command if your system has the AppArmor LSM enabled.
Fully privileged
To run Falco in a container using Docker with full privileges use the following commands.
If you want to use Falco with the Kernel module driver:
docker pull falcosecurity/falco:latest
docker run --rm -i -t \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
Alternatively, you can use the eBPF probe driver:
docker pull falcosecurity/falco:latest
docker run --rm -i -t \
--privileged \
-e FALCO_BPF_PROBE="" \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
# Please remember to add '-v /sys/kernel/debug:/sys/kernel/debug:ro \' to the above docker command
# if you are running a kernel version < 4.14
It is also possible to use falco-no-driver
and falco-driver-loader
images in fully privileged mode.
This may be desirable in environments which do not allow the full Falco image due to space, resource, security or policy constraints.
You can load the eBPF probe or kernel module in its own temporary container as below:
docker pull falcosecurity/falco-driver-loader:latest
docker run --rm -i -t \
--privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-driver-loader:latest
Once this has been done, or if you have installed the driver on the host permanently via the falco-driver-loader
script instead of the Docker image, then you can simply load up the falco-no-driver
image in privileged mode:
docker pull falcosecurity/falco-no-driver:latest
docker run --rm -i -t \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
falcosecurity/falco-no-driver:latest
To use falco-no-driver
and falco-driver-loader
with the eBPF probe you have to remove the -v /dev:/host/dev
(which is only required by the Kernel Module) and add:
-e FALCO_BPF_PROBE="" -v /root/.falco:/root/.falco \
Other configurable options:
DRIVER_REPO
- See the Installing the driver section.SKIP_DRIVER_LOADER
- Set this environment variable to avoid runningfalco-driver-loader
when thefalcosecurity/falco
image starts. Useful when the driver has been already installed on the host by other means.
Modern eBPF
Privileged
The modern BPF is shipped into Falco so the falco-no-driver
image is enough. This allows you to run Falco without dependencies, just the following command:
docker run --rm -i -t \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /proc:/host/proc:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-no-driver:latest falco --modern-bpf
Least privileged
The following capabilities should be enough to run Falco with the Modern eBPF probe:
CAP_SYS_PTRACE
CAP_SYS_RESOURCE
CAP_BPF
CAP_PERFMON
Here we have the docker command to run with the modern probe.
docker run --rm -i -t \
--cap-drop all \
--cap-add sys_admin \
--cap-add sys_resource \
--cap-add sys_ptrace \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /proc:/host/proc:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-no-driver:latest falco --modern-bpf
Note: in the command we use
CAP_SYS_ADMIN
because docker doesn't supportCAP_BPF
andCAP_PERFMON
yet
Rules validation
It's possible to validate Falco rules without installation by using the Docker image.
export RULES_PATH=<PATH_TO_YOUR_RULES_HERE>
docker run --rm \
-v ${RULES_PATH}:/etc/falco/my-rules \
falcosecurity/falco:latest /usr/bin/falco \
-r /etc/falco/falco_rules.yaml \
-r /etc/falco/my-rules \
-L
Hot Reload
This will reload the Falco configuration and restart the engine without killing the pid. This is useful to propagate new config changes without killing the daemon.
kill -1 $(cat /var/run/falco.pid)
Moreover, since Falco 0.32.0, watch_config_files
config option drives the automatic reload of Falco when either the config or the ruleset change.
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.