If you installed Falco by using the DEB or the RPM package, you can start the service by running:
systemctl start falco
You can also view the Falco logs using journalctl
.
journalctl -fu falco
If you'd like to run Falco by hand, you can find the full usage description for Falco by typing:
falco --help
Are you looking for userpace instrumentation? Please see this page.
Even using container images, Falco needs kernel headers installed on the host as prerequisite to correctly build the driver (the kernel module or the eBPF probe) on the fly. This step is not needed when a prebuilt driver is already available.
You can find instructions on how to install the kernel headers for your system under the Install section.
Falco ships a set of official docker images. The images can be used in two ways as follows:
You cannot use the Least privileged mode with the eBPF probe driver unless you have at least Kernel 5.8,
this is because --privileged
is needed to do the bpf
syscall.
If you are running Kernel >= 5.8 you can pass --cap-add SYS_BPF
to the docker run command in the step 2
and ignore the Install the kernel module section completely.
You can read more details about this here
This is how the Falco userspace process can be ran in a container.
Once the kernel module has been installed directly on the host system, it can be used from within a container.
Install the kernel module:
docker pull falcosecurity/falco-driver-loader:latest
docker run --rm -i -t \
--privileged \
-v /root/.falco:/root/.falco \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-driver-loader:latest
The falcosecurity/falco-driver-loader
image just wraps the falco-driver-loader
script.
You can find more about its usage here
Run Falco in a container using Docker with the principle of least privilege:
docker pull falcosecurity/falco-no-driver:latest
docker run --rm -i -t \
-e HOST_ROOT=/ \
--cap-add SYS_PTRACE --pid=host $(ls /dev/falco* | xargs -I {} echo --device {}) \
-v /var/run/docker.sock:/var/run/docker.sock \
falcosecurity/falco-no-driver:latest
If you are running Falco on a system with the AppArmor LSM enabled (e.g Ubuntu), you will also need to pass --security-opt apparmor:unconfined
to
the docker run
command above.
You can verify if you have AppArmor enabled using the command below:
docker info | grep -i apparmor
Note that ls /dev/falco* | xargs -I {} echo --device {}
outputs a --device /dev/falcoX
option per CPU (ie. just the devices created by the Falco's kernel module). Also, -e HOST_ROOT=/
is necessary since with --device
there is no way to remap devices to /host/dev/
.
To run Falco in a container using Docker with full privileges:
If you want to use Falco with the Kernel module driver
docker pull falcosecurity/falco:latest
docker run --rm -i -t \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
Alternatively, you can use the eBPF probe driver:
docker pull falcosecurity/falco:latest
docker run --rm -i -t \
--privileged \
-e FALCO_BPF_PROBE="" \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco:latest
It is also possible to use falco-no-driver
and falco-driver-loader
images in fully privileged mode.
This may be desirable in environments which do not allow the full Falco image due to space, resource, security or policy constraints.
You can load the eBPF probe or kernel module in its own temporary container as below:
docker pull falcosecurity/falco-driver-loader:latest
docker run --rm -i -t \
--privileged \
# Uncomment the below to use the eBPF probe or delete it if using the kernel module
#-e FALCO_BPF_PROBE="" -v /root/.falco:/root/.falco \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-driver-loader:latest
Once this has been done, or if you have installed the driver on the host permanently via the falco-driver-loader
script instead of the Docker image, then you can simply load up the falco-no-driver
image in privileged mode:
docker pull falcosecurity/falco-no-driver:latest
docker run --rm -i -t \
--privileged \
# Uncomment the below to use the eBPF probe or delete it if using the kernel module
#-e FALCO_BPF_PROBE="" -v /root/.falco:/root/.falco \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
falcosecurity/falco-no-driver:latest
Other configurable options:
DRIVER_REPO
- See the Installing the driver section.SKIP_DRIVER_LOADER
- Set this environment variable to avoid running falco-driver-loader
when the falcosecurity/falco
image starts. Useful when the driver has been already installed on the host by other means.This will reload the Falco configuration and restart the engine without killing the pid. This is useful to propagate new config changes without killing the daemon.
kill -1 $(cat /var/run/falco.pid)
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.