Building Falco
The instructions provided below specify the steps to build Falco version 0.30.0 on Linux on IBM Z for following distributions:
- Ubuntu (18.04, 20.04, 21.10)
- RHEL (7.8, 7.9, 8.2, 8.4, 8.5)
- SLES (12 SP5, 15 SP3)
General Notes:
- When following the steps below, please use a standard-permission user unless otherwise specified.
- A directory /<source_root>/ will be referred to in these instructions; this is a temporary writable directory anywhere you'd like to place it.
Step 1: Build using script

If you want to build Falco using manual steps, go to Step 2.

Use the following commands to build Falco using the build script. Please make sure you have wget installed.

```bash
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.30.0/build_falco.sh
# Run "bash build_falco.sh -h" to see all available options
bash build_falco.sh
```

In case of error, check the logs for more details or go to Step 2 to follow the manual build steps.

Step 2: Install dependencies

```bash
export SOURCE_ROOT=/<source_root>/
```
Ubuntu (18.04, 20.04, 21.10)

```bash
sudo apt-get update
sudo apt-get install -y git cmake build-essential libncurses-dev pkg-config autoconf libtool libelf-dev curl rpm \
    linux-headers-$(uname -r)
```
RHEL (7.8, 7.9)

```bash
sudo yum install -y git make autoconf automake pkgconfig patch ncurses-devel libtool glibc-static \
    libstdc++-static elfutils-libelf-devel devtoolset-7-gcc-c++ devtoolset-7-gcc kernel-devel-$(uname -r) \
    rpm-build createrepo curl libcurl-devel
# Switch to GCC 7
source /opt/rh/devtoolset-7/enable
```
RHEL (8.2, 8.4, 8.5)

```bash
sudo yum install -y gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool \
    elfutils-libelf-devel diffutils which kernel-devel-$(uname -r) rpm-build createrepo libarchive
```
SLES (12 SP5)

```bash
export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo zypper -n install gcc7 gcc7-c++ git-core cmake ncurses-devel libopenssl-devel \
    libcurl-devel protobuf-devel=2.6.1-7.3.16 patch which automake autoconf libtool libelf-devel \
    "kernel-default-devel=${KERNEL_VERSION}"
sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-7 40
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 40
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-7 40
sudo update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-7 40
```
SLES (15 SP3)

```bash
export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
sudo zypper -n install gcc gcc-c++ git-core cmake libjq-devel ncurses-devel yaml-cpp-devel \
    libopenssl-devel libcurl-devel c-ares-devel protobuf-devel patch which automake autoconf \
    libtool libelf-devel "kernel-default-devel=${KERNEL_VERSION}"
```
Install CMake v3.7.2 (only for RHEL 7.x and SLES 12 SP5)

```bash
cd $SOURCE_ROOT
wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz
tar xzf cmake-3.7.2.tar.gz
cd cmake-3.7.2
./configure --prefix=/usr/
./bootstrap --system-curl --parallel=16
make -j16
sudo make install
export PATH=/usr/local/bin:$PATH
cmake --version
```
Step 3: Build Falco

```bash
cd $SOURCE_ROOT
git clone https://github.com/falcosecurity/falco.git
cd falco
git checkout 0.30.0
curl -SLO https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.30.0/patch/lauxlib.h.patch
curl -SLO https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.30.0/patch/falco.patch
git apply falco.patch
export KERNEL_VERSION=$(uname -r | sed 's/-default//g')
# Keep a backup of the kernel Makefile before removing the unsupported -fdump-ipa-clones flag
sudo cp "/usr/src/linux-$KERNEL_VERSION/Makefile" "/usr/src/linux-$KERNEL_VERSION/Makefile.back"
sudo sed -i 's/-fdump-ipa-clones//g' /usr/src/linux-"$KERNEL_VERSION"/Makefile
mkdir -p $SOURCE_ROOT/falco/build
cd $SOURCE_ROOT/falco/build
cmake -DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_OPENSSL=On -DUSE_BUNDLED_DEPS=On -DCMAKE_BUILD_TYPE=Release ../
```
- Make required changes for Ubuntu 21.10

```bash
cd $SOURCE_ROOT/falco/cmake/modules
# Move Catch to v2.13.7 and update its expected checksum
sed -i 's/v2.12.1/v2.13.7/g' DownloadCatch.cmake
sed -i 's/e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3/3cdb4138a072e4c0290034fe22d9f0a80d3bcfb8d7a8a5c49ad75d3a5da24fae/g' DownloadCatch.cmake
cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules
# Move gRPC to v1.42.0
sed -i 's/v1.38.1/v1.42.0/g' grpc.cmake
```
- Build Falco

```bash
cd $SOURCE_ROOT/falco/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules
# Upgrade the b64 and protobuf versions by applying the following sed commands
sed -i 's/v1.2.1/v2.0.0.1/g' b64.cmake
sed -i 's/d620e7caf3ed5f9c28d727fa799918ad3ef69c80975905646bb549a6019cdcbd/ce8e578a953a591bd4a6f157eec310b9a4c2e6f10ade2fdda6ae6bafaf798b98/g' b64.cmake
sed -i 's+http://download.sysdig.com/dependencies/protobuf-cpp-3.5.0.tar.gz+https://github.com/protocolbuffers/protobuf/releases/download/v3.13.0/protobuf-cpp-3.13.0.tar.gz+g' protobuf.cmake
sed -i 's/e4ba8284a407712168593e79e6555eb2/6425d7466db2efe5a80de1e38899f317/g' protobuf.cmake
sed -i 's/PATCH_COMMAND wget http/#PATCH_COMMAND wget http/g' protobuf.cmake
cd $SOURCE_ROOT/falco/build
make
make package   # build deb/rpm packages (only on Ubuntu and RHEL)
sudo make install
```
Step 4: Test and run Falco

- Unload any existing module using

```bash
sudo rmmod falco
```

- Insert the locally built version

```bash
cd $SOURCE_ROOT/falco/build
sudo insmod driver/falco.ko
```

- Run the tests

```bash
cd $SOURCE_ROOT/falco/build
make tests
```
- Start the Falco process

```bash
sudo falco
```

Note: Run `sudo falco --help` to see the available options for running Falco. By default, Falco logs events to standard error.

- Output similar to the following will be seen

```
Tue Aug 24 01:50:59 2021: Falco version 0.30.0 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Aug 24 01:50:59 2021: Falco initialized with configuration file /home/test/falco/falco/falco.yaml
Tue Aug 24 01:50:59 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Aug 24 01:50:59 2021: Loading rules from file /etc/falco/falco_rules.local.yaml:
Tue Aug 24 01:50:59 2021: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Tue Aug 24 01:51:00 2021: Starting internal webserver, listening on port 8765
```
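The following script is an added example of the checks a practitioner would run around this procedure; it is not part of the linux-on-ibm-z scripts or of Falco. It reproduces the KERNEL_VERSION derivation used in the SLES steps, checks that the kernel build files the driver needs are present, and verifies a saved copy of the startup output shown above (version 0.30.0, rules loaded, webserver started); the header paths and the log-file argument are assumptions.

```bash
#!/bin/sh
# Added post-build checks for this guide; not part of the linux-on-ibm-z
# scripts or of Falco itself. Assumes the startup output has the format
# shown in the guide and that the expected version is the 0.30.0 built here.

# Strip the SLES "-default" suffix, exactly as the guide's KERNEL_VERSION
# export does, so the value matches the kernel-default-devel package.
kernel_version_from_uname() {
    printf '%s\n' "$1" | sed 's/-default//g'
}

# Succeed when kernel build files for version $1 exist under $2 (default
# /usr/src): the SLES layout is linux-<ver>/, the RHEL layout kernels/<ver>/.
kernel_headers_present() {
    ver="$1"; root="${2:-/usr/src}"
    [ -f "$root/linux-$ver/Makefile" ] || [ -f "$root/kernels/$ver/Makefile" ]
}

# Check a saved Falco startup log ($1): the reported version must equal $2,
# at least one rules file must have loaded and the webserver must be up.
verify_falco_startup() {
    ver=$(sed -n 's/.*Falco version \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1)
    [ "$ver" = "$2" ] &&
        grep -q 'Loading rules from file' "$1" &&
        grep -q 'Starting internal webserver' "$1"
}

# Demo on a constructed log built from the sample output in this guide.
demo() {
    log=$(mktemp)
    cat >"$log" <<'EOF'
Tue Aug 24 01:50:59 2021: Falco version 0.30.0 (driver version 17f5df52a7d9ed6bb12d3b1768460def8439936d)
Tue Aug 24 01:50:59 2021: Loading rules from file /etc/falco/falco_rules.yaml:
Tue Aug 24 01:51:00 2021: Starting internal webserver, listening on port 8765
EOF
    if verify_falco_startup "$log" 0.30.0; then
        echo "startup log OK: Falco 0.30.0, rules loaded, webserver up"
    else
        echo "startup log check FAILED" >&2
    fi
    echo "kernel version for kernel-default-devel: $(kernel_version_from_uname "$(uname -r)")"
    rm -f "$log"
}
demo
```

Save the real startup output with `sudo falco 2> falco-start.log` and pass that file to `verify_falco_startup` to run the same check against your build.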
References:
- https://falco.org/docs/ - Official Falco documentation

The information provided in this article is accurate at the time of writing, but ongoing development in the open-source projects involved may make the information incorrect or obsolete. Please open an issue or contact us on the IBM Z Community if you have any questions or feedback.