-
Notifications
You must be signed in to change notification settings - Fork 56
Building Falco
linuxonz edited this page Nov 17, 2025
·
42 revisions
The instructions provided below specify the steps to build Falco version 0.42.1 on Linux on IBM Z for following distributions:
- RHEL (8.10, 9.4, 9.6)
- SLES 15 SP6
- Ubuntu (22.04, 24.04, 25.04)
Falco supports all three kernel drivers starting with 0.34.x releases on s390x: Kernel module, eBPF probe and Modern eBPF probe. Please check driver - kernel version support matrix for detailed information.
General Notes:
- When following the steps below please use standard permission user unless otherwise specified.
- A directory
/<source_root>/will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.
If you want to build Falco using manual steps, go to step 2.
Use the following commands to build Falco using the build script. Please make sure you have wget installed.
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.42.1/build_falco.sh
# Run bash build_falco.sh -h to see all available options
bash build_falco.sh
In case of error, check logs for more details or go to Step 2 to follow manual build steps.
export SOURCE_ROOT=/<source_root>/
PATCH_URL="https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Falco/0.42.1/patch"
-
RHEL 8.10
sudo yum install -y gcc-toolset-13-gcc gcc-toolset-13-gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) perl-IPC-Cmd perl-bignum perl-core clang llvm bpftool source /opt/rh/gcc-toolset-13/enable
-
RHEL (9.4, 9.6)
sudo yum install --allowerasing -y openssl-devel libstdc++-static libstdc++-devel c-ares-devel gcc gcc-c++ git make cmake autoconf automake pkg-config patch perl-IPC-Cmd perl-bignum perl-core perl-FindBin libtool elfutils-libelf-devel diffutils which createrepo libarchive wget curl rpm-build kmod kernel-devel-$(uname -r) clang llvm bpftool -
SLES 15 SP6
SLES_KERNEL_VERSION=$(uname -r | sed 's/-default//') SLES_KERNEL_PKG_VERSION=$(sudo zypper se -s 'kernel-default-devel' | grep ${SLES_KERNEL_VERSION} | head -n 1 | cut -d "|" -f 4 - | tr -d '[:space:]') sudo zypper install -y gcc gcc-c++ gcc13 gcc13-c++ git-core cmake patch which automake autoconf libtool libelf-devel gawk tar curl vim wget pkg-config glibc-devel-static "kernel-default-devel=${SLES_KERNEL_PKG_VERSION}" kmod clang17 llvm17 bpftool sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-13 50 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-13 50 export CC=$(which gcc) export CXX=$(which g++)
-
Ubuntu 22.04
sudo apt-get update sudo apt-get install -y git cmake build-essential pkg-config autoconf wget curl patch libssl-dev libelf-dev gcc rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm
-
Ubuntu (24.04, 25.04)
sudo apt-get update sudo apt-get install -y git cmake libssl-dev build-essential pkg-config autoconf wget curl patch libtool libelf-dev gcc gcc-13 g++-13 rpm linux-headers-$(uname -r) linux-tools-$(uname -r) kmod clang llvm sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-13 100 --slave /usr/bin/g++ g++ /usr/bin/g++-13 export CC=$(which gcc) export CXX=$(which g++)
cd $SOURCE_ROOT
wget -q https://cmake.org/files/v3.28/cmake-3.28.3.tar.gz
tar -xf cmake-3.28.3.tar.gz
cd cmake-3.28.3
./bootstrap
make -j"$(nproc)"
sudo make install
export PATH=/usr/local/bin:$PATH
cmake --versioncd $SOURCE_ROOT
export GO_VERSION="1.25.0"
wget -q https://storage.googleapis.com/golang/go"$GO_VERSION".linux-s390x.tar.gz
chmod ugo+r go"$GO_VERSION".linux-s390x.tar.gz
sudo tar -C /usr/local -xzf go"$GO_VERSION".linux-s390x.tar.gz
sudo ln -sf /usr/local/go/bin/go /usr/bin/
sudo ln -sf /usr/local/go/bin/gofmt /usr/bin/
sudo ln -sf /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc # (Only on RHEL and SLES)
export GOPATH=$SOURCE_ROOT
export PATH=$GOPATH/bin:$PATH
export CC=$(which gcc)
export CXX=$(which g++)
go versioncd $SOURCE_ROOT
git clone --depth 1 --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool && cd src
CLANG=Nope make -j8
sudo make installcd $SOURCE_ROOT
git clone --depth 1 -b plugins/container/v0.4.1 https://github.com/falcosecurity/plugins.git
cd plugins/plugins/container
make libcontainer.so
tar zcf $SOURCE_ROOT/container-0.4.1-linux-s390x.tar.gz libcontainer.socd $SOURCE_ROOT
git clone --depth 1 -b 0.42.1 https://github.com/falcosecurity/falco.git
cd falco-
To include container plugin built for s390x
wget -O $SOURCE_ROOT/falco/cmake/modules/falcosecurity-libs-repo/libs_container_plugin_cmake.patch $PATCH_URL/libs_container_plugin_cmake.patch sed -i "s#SOURCE_ROOT_PATH#$SOURCE_ROOT#g" $SOURCE_ROOT/falco/cmake/modules/falcosecurity-libs-repo/libs_container_plugin_cmake.patch curl -sSL $PATCH_URL/falco.patch | git apply -
-
To turn off modern BPF support (only for RHEL 8.X)
curl -sSL $PATCH_URL/modern_bpf.patch | git apply -
-
Setup build directory
mkdir -p $SOURCE_ROOT/falco/build cd $SOURCE_ROOT/falco/build
-
Setup unit tests
CMAKE_TEST_FLAG="-DBUILD_FALCO_UNIT_TESTS=ON" # Only when unit tests are expected to be run after building Falco CMAKE_TEST_FLAG="" # Only when unit tests are not needed
-
RHEL 8.x only
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=ON -DBUILD_BPF=OFF ${CMAKE_TEST_FLAG}" -
For all distros except RHEL 8.x
CMAKE_FLAGS="-DFALCO_ETC_DIR=/etc/falco -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_DRIVER=ON -DBUILD_BPF=ON -DBUILD_FALCO_MODERN_BPF=ON ${CMAKE_TEST_FLAG}" -
Run CMake
cmake $CMAKE_FLAGS ../
cd $SOURCE_ROOT/falco/build
sed -i 's/!found/found/g' falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c # Only for Ubuntu
make -j$(nproc)
make package # build deb/rpm packages (optional and only on Ubuntu and RHEL)
sudo make install-
Unload any existing module using
sudo rmmod falco
-
Insert locally built version
cd $SOURCE_ROOT/falco/build sudo insmod driver/falco.ko
sudo mkdir /root/.falco
sudo cp -f $SOURCE_ROOT/falco/build/driver/bpf/probe.o /root/.falco/falco-bpf.ocd $SOURCE_ROOT/falco/build
sudo ./unit_tests/falco_unit_testsA separate Falco project https://github.com/falcosecurity/event-generator can be used to run further tests.
Note: Run sudo falco --help to see available options to run Falco. By default, Falco logs events to standard error.
sudo falco -o engine.kind=kmodOutput similar to following will be seen
Wed Nov 12 05:11:17 2025: Falco version: 0.42.1 (s390x)
Wed Nov 12 05:11:17 2025: Falco initialized with configuration files:
Wed Nov 12 05:11:17 2025: /etc/falco/config.d/falco.container_plugin.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: System info: Linux version 5.15.0-151-generic (buildd@bos03-s390x-026) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #161-Ubuntu SMP Tue Jul 22 14:27:10 UTC 2025
Wed Nov 12 05:11:17 2025: Loaded plugin 'container@0.4.1' from file /usr/share/falco/plugins/libcontainer.so
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'podman' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/podman/podman.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'docker' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/var/run/docker.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'cri' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/crio/crio.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/k3s/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'containerd' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'libvirt_lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'bpm' container engine.
Wed Nov 12 05:11:17 2025: Loading rules from:
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.local.yaml | schema validation: none
Wed Nov 12 05:11:17 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Wed Nov 12 05:11:17 2025: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Wed Nov 12 05:11:17 2025: Loaded event sources: syscall
Wed Nov 12 05:11:17 2025: Enabled event sources: syscall
Wed Nov 12 05:11:17 2025: Opening 'syscall' source with Kernel module
Wed Nov 12 05:11:17 2025: [libs]: Trying to open the right engine!sudo falco -o engine.kind=ebpfOutput similar to following will be seen
Wed Nov 12 05:11:17 2025: Falco version: 0.42.1 (s390x)
Wed Nov 12 05:11:17 2025: Falco initialized with configuration files:
Wed Nov 12 05:11:17 2025: /etc/falco/config.d/falco.container_plugin.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: System info: Linux version 5.15.0-151-generic (buildd@bos03-s390x-026) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #161-Ubuntu SMP Tue Jul 22 14:27:10 UTC 2025
Wed Nov 12 05:11:17 2025: Loaded plugin 'container@0.4.1' from file /usr/share/falco/plugins/libcontainer.so
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'podman' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/podman/podman.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'docker' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/var/run/docker.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'cri' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/crio/crio.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/k3s/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'containerd' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'libvirt_lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'bpm' container engine.
Wed Nov 12 05:11:17 2025: Loading rules from:
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.local.yaml | schema validation: none
Wed Nov 12 05:11:17 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Wed Nov 12 05:11:17 2025: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Wed Nov 12 05:11:17 2025: Loaded event sources: syscall
Wed Nov 12 05:11:17 2025: Enabled event sources: syscall
Wed Nov 12 05:11:17 2025: Opening 'syscall' source with Kernel module
Wed Nov 12 05:11:17 2025: [libs]: Trying to open the right engine!sudo falcoOutput similar to following will be seen
Wed Nov 12 05:11:17 2025: Falco version: 0.42.1 (s390x)
Wed Nov 12 05:11:17 2025: Falco initialized with configuration files:
Wed Nov 12 05:11:17 2025: /etc/falco/config.d/falco.container_plugin.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: System info: Linux version 5.15.0-151-generic (buildd@bos03-s390x-026) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #161-Ubuntu SMP Tue Jul 22 14:27:10 UTC 2025
Wed Nov 12 05:11:17 2025: Loaded plugin 'container@0.4.1' from file /usr/share/falco/plugins/libcontainer.so
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'podman' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/podman/podman.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'docker' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/var/run/docker.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'cri' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/crio/crio.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/k3s/containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'containerd' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: * enabled container runtime socket at '/run/host-containerd/containerd.sock'
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'libvirt_lxc' container engine.
Wed Nov 12 05:11:17 2025: [libs]: container: Enabled 'bpm' container engine.
Wed Nov 12 05:11:17 2025: Loading rules from:
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.yaml | schema validation: ok
Wed Nov 12 05:11:17 2025: /etc/falco/falco_rules.local.yaml | schema validation: none
Wed Nov 12 05:11:17 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Wed Nov 12 05:11:17 2025: Starting health webserver with threadiness 2, listening on 0.0.0.0:8765
Wed Nov 12 05:11:17 2025: Loaded event sources: syscall
Wed Nov 12 05:11:17 2025: Enabled event sources: syscall
Wed Nov 12 05:11:17 2025: Opening 'syscall' source with modern BPF probe.
Wed Nov 12 05:11:17 2025: One ring buffer every '2' CPUs.
Wed Nov 12 05:11:17 2025: [libs]: Trying to open the right engine!- https://falco.org/docs/ - Official Falco documentation
The information provided in this article is accurate at the time of writing, but on-going development in the open-source projects involved may make the information incorrect or obsolete. Please open issue or contact us on IBM Z Community if you have any questions or feedback.