-
Notifications
You must be signed in to change notification settings - Fork 56
Building Falco
aborkar-ibm edited this page Oct 31, 2022
·
42 revisions
The instructions provided below specify the steps to build Falco version 0.32.2 on Linux on IBM Z for following distributions:
- Ubuntu (18.04, 20.04, 22.04)
- RHEL (7.8, 7.9, 8.4, 8.6)
- SLES (12 SP5, 15 SP3, 15 SP4)
General Notes:
- When following the steps below please use standard permission user unless otherwise specified.
- A directory
/<source_root>/will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.
If you want to build Falco using manual steps, go to step 2.
Use the following commands to build Falco using the build script. Please make sure you have wget installed.
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.32.2/build_falco.sh
# Run bash build_falco.sh -h to see all available options
bash build_falco.sh
In case of error, check logs for more details or go to Step 2 to follow manual build steps.
export SOURCE_ROOT=/<source_root>/
-
Ubuntu 18.04
sudo apt-get update sudo apt-get install -y curl git curl cmake build-essential pkg-config autoconf libz-dev libtool libexpat1-dev libelf-dev libcurl4-openssl-dev libssl-dev libyaml-cpp-dev patch wget gettext gcc libyaml-cpp-dev libjq-dev libncurses-dev curl libc-ares-dev rpm kmod linux-headers-$(uname -r) -
Ubuntu 20.04
sudo apt-get update sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev gettext gcc protobuf-compiler-grpc libncurses-dev curl libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libgrpc++-dev protobuf-compiler-grpc libyaml-cpp-dev rpm kmod linux-headers-$(uname -r) -
Ubuntu 22.04
sudo apt-get update sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libtool libelf-dev libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev gettext gcc protobuf-compiler-grpc libncurses-dev curl libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libgrpc++-dev protobuf-compiler-grpc libyaml-cpp-dev golang-1.18 rpm kmod linux-headers-$(uname -r) export PATH=$PATH:/usr/lib/go-1.18/bin
-
RHEL (7.8, 7.9)
sudo yum install -y gcc gcc-c++ git libarchive wget bzip2 perl-FindBin make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which libcurl-devel openssl-devel rpm-build kmod kernel-devel-$(uname -r) -
RHEL (8.4, 8.6)
sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl glibc-static libstdc++-static openssl-devel go rpm-build kmod kernel-devel-$(uname -r) -
SLES 12 SP5
export KERNEL_VERSION=$(uname -r | sed 's/-default//g') sudo zypper install -y gcc9 gcc9-c++ git-core cmake ncurses-devel libopenssl-devel libcurl-devel protobuf-devel patch which automake autoconf libtool libelf-devel kmod "kernel-default-devel=${SLES_KERNEL_VERSION}" libexpat-devel tcl gettext-tools openssl libcurl-devel tar curl libjq-devel sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 50 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20 sudo update-alternatives --config gcc sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-9 50 sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.8 20 sudo update-alternatives --config g++ export CC=$(which gcc) export CXX=$(which g++)
-
SLES (15 SP3, 15 SP4)
export KERNEL_VERSION=$(uname -r | sed 's/-default//g') sudo zypper install -y gcc gcc-c++ git-core cmake libjq-devel ncurses-devel yaml-cpp-devel libopenssl-devel libcurl-devel c-ares-devel protobuf-devel patch which automake autoconf libtool libelf-devel libexpat-devel tcl-devel gettext-tools tar curl vim wget pkg-config curl kmod glibc-devel-static go1.18 "kernel-default-devel=${SLES_KERNEL_VERSION}"
-
Install Go v1.17.12 (Only for RHEL 7.x, SLES 12 SP5 and Ubuntu(18.04, 20.04))
cd $SOURCE_ROOT wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Go/1.18.4/build_go.sh bash build_go.sh -y -v 1.17.12 export GOPATH=$SOURCE_ROOT export PATH=$GOPATH/bin:$PATH go version
-
Install GCC v9.4.0 (Only for RHEL 7.x)
cd $SOURCE_ROOT GCC_VERSION=9.4.0 wget https://ftp.gnu.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.gz --no-check-certificate tar xzf gcc-${GCC_VERSION}.tar.gz mkdir obj.gcc-${GCC_VERSION} cd gcc-${GCC_VERSION} ./contrib/download_prerequisites cd ../obj.gcc-${GCC_VERSION} ../gcc-${GCC_VERSION}/configure --disable-multilib --enable-languages=c,c++ make -j $(nproc) sudo make install export PATH=/usr/local/bin:$PATH export CC=/usr/local/bin/gcc export CXX=/usr/local/bin/g++ export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH
-
Install CMake v3.16.3 (Only for RHEL 7.x)
cd $SOURCE_ROOT wget https://github.com/Kitware/CMake/releases/download/v3.16.3/cmake-3.16.3.tar.gz tar -xf cmake-3.16.3.tar.gz cd cmake-3.16.3 ./bootstrap -- -DCMAKE_BUILD_TYPE:STRING=Release # In case of error: "/lib64/libstdc++.so.6: version `GLIBCXX_3.4.26' not found" do following 'ln' sudo ln -sf /usr/local/lib64/libstdc++.so.6.0.28 /lib64/libstdc++.so.6 make sudo make install sudo ln -sf /usr/local/bin/cmake /usr/bin/cmake
-
Install Git version 2.27.0 (Only for Ubuntu and SLES)
cd $SOURCE_ROOT wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.27.0.tar.gz tar -xvf git-2.27.0.tar.gz cd git-2.27.0 make prefix=/usr/local all sudo make prefix=/usr/local install export PATH=$PWD:$PATH git --version
-
Install Protobuf v3.17.3 (Only for RHEL 8.x and SLES 15.x)
cd $SOURCE_ROOT git clone https://github.com/protocolbuffers/protobuf.git cd protobuf git checkout v3.17.3 git submodule update --init --recursive ./autogen.sh ./configure make -j$(nproc) sudo make install sudo ldconfig #Only on SLES export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} #Only on RHEL 8.x sudo ln -s /usr/local/lib/libprotobuf.so.28 /usr/lib64/libprotobuf.so.28 #Only on RHEL protoc --version
-
Install gRPC v1.44.0 (Only on RHEL 8.x and SLES 15.x)
cd $SOURCE_ROOT git clone --recurse-submodules -b v1.44.0 --depth 1 --shallow-submodules https://github.com/grpc/grpc cd grpc mkdir build cd build cmake -DgRPC_INSTALL=true -DgRPC_BUILD_TESTS=OFF \ -DgRPC_SSL_PROVIDER=OpenSSL -DgRPC_PROTOBUF_PROVIDER=package \ -DCMAKE_INSTALL_PREFIX=/usr/local .. make -j$(nproc) sudo make install
cd $SOURCE_ROOT
git clone https://github.com/falcosecurity/falco.git
cd falco
git checkout 0.32.2
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.32.2/patch/plugins.cmake.patch
git apply plugins.cmake.patch
export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo cp "/usr/src/linux-$KERNEL_VERSION/Makefile" "/usr/src/linux-$KERNEL_VERSION/Makefile.back"
sudo sed -i 's/-fdump-ipa-clones//g' /usr/src/linux-"$KERNEL_VERSION"/Makefile
mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
-
Configure Falco
cmake -DUSE_BUNDLED_DEPS=ON -DUSE_BUNDLED_CURL=OFF ../ # Only for Ubuntu 18.04 & SLES 12 SP5 cmake -DUSE_BUNDLED_DEPS=ON ../ # Only for RHEL 7.x cmake -DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_OPENSSL=On -DUSE_BUNDLED_PROTOBUF=Off -DUSE_BUNDLED_GRPC=Off -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release ../ # Only for RHEL 8.x, SLES 15.x and Ubuntu (20.04, 22.04)
-
Upgrade b64 version
cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules sed -i 's/v1.4.1/v2.0.0.1/g' b64.cmake sed -i 's/0fa93fb9c4fb72cac5a21533e6d611521e4326f42c19cc23f8ded814b0eca071/ce8e578a953a591bd4a6f157eec310b9a4c2e6f10ade2fdda6ae6bafaf798b98/g' b64.cmake
-
Make the following changes on RHEL, SLES 15.x, Ubuntu (20.04, 22.04)
sed -i 's+https://github.com/curl/curl/releases/download/curl-7_84_0/curl-7.84.0.tar.bz2+https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.bz2+g' curl.cmake sed -i 's/702fb26e73190a3bd77071aa146f507b9817cc4dfce218d2ab87f00cd3bc059d/21a7e83628ee96164ac2b36ff6bf99d467c7b0b621c1f7e317d8f0d96011539c/g' curl.cmake
-
Make the following changes on RHEL 7.x, SLES 12 SP5, Ubuntu 18.04
sed -i '/libabsl_low_level_hash.a/d' grpc.cmake sed -i '/libabsl_cord_internal.a/d' grpc.cmake sed -i '/libabsl_cordz_*/d' grpc.cmake sed -i '/libabsl_random_internal_*/d' grpc.cmake sed -i '/libabsl_random_seed_gen_exception.a/d' grpc.cmake sed -i 's/profiling\/libabsl_exponential_biased.a/base\/libabsl_exponential_biased.a/g' grpc.cmake sed -i 's/v1.44.0/v1.38.1/g' grpc.cmake sed -i 's/v1.44.0/v1.38.1/g' $SOURCE_ROOT/falco/build/grpc-prefix/tmp/grpc-gitclone.cmake
-
Build and Install
cd $SOURCE_ROOT/falco/build make make package # build deb/rpm packages (only on Ubuntu and RHEL) sudo make install
-
Unload any existing module using
sudo rmmod falco
-
Insert locally built version
cd $SOURCE_ROOT/falco/build sudo insmod driver/falco.ko
cd $SOURCE_ROOT/falco/build
make tests
-
Start Falco process
sudo falco
Note: Run
sudo falco --helpto see available options to run falco. By default, falco logs events to standard error. -
Output similar to following will be seen
Tue Oct 18 04:30:13 2022: Falco version 0.32.2 Tue Oct 18 04:30:13 2022: Falco initialized with configuration file /etc/falco/falco.yaml Tue Oct 18 04:30:13 2022: Loading rules from file /etc/falco/falco_rules.yaml: Tue Oct 18 04:30:13 2022: Loading rules from file /etc/falco/falco_rules.local.yaml: Tue Oct 18 04:30:13 2022: Starting internal webserver, listening on port 8765
- https://falco.org/docs/ - Official Falco documentation
The information provided in this article is accurate at the time of writing, but on-going development in the open-source projects involved may make the information incorrect or obsolete. Please open issue or contact us on IBM Z Community if you have any questions or feedback.