Officially supported Falco artifacts

The Falco Project supports two ways for downloading and running Falco:

  • Running Falco directly on a Linux host.
  • Running Falco in a container.

Below, we are sharing the download links for the Falco artifacts. The Falco release document provides more details about the artifacts and their versioning. Additionally, we have a dedicated Deployment guide that explains a Kubernetes scenario using the option of running Falco in a container.

Download for Linux

The tables below provides quick links for the artifacts from our packages store. The .tar.gz directory includes subfolders for both x86_64 and aarch64 architectures, whereas the rpm and deb packages are all located in the same folder for each architecture.

PackagesDownload for x86_64
PackagesDownload for aarch64

If you use Falco for non-syscall events, such as some plugins, only download the Falco artifact and skip the next instruction.

When using Falco for syscall monitoring, the Falco binary relies on having Falco's kernel driver available, which can fit into two paradigms based on its type:

  1. Falco with modern eBPF driver: Download the Falco binary artifact; the driver is already included in the binary, made possible by the CO-RE "Compile Once - Run Everywhere" feature, so no further action is needed.
  2. Falco with kernel module or legacy eBPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (uname -r) for either .ko (kernel module) or .o (eBPF driver) from the driver store. Navigate to the driver versions' directory that is compatible with the Falco binary (check with falco --version). To make this easier, Falco has a falcoctl driver component that automates the driver download or tries to build it. The Install guide will explain this more and the text blob below also has more information.

Falco also relies on both a configuration file and at least one Falco rules file. The default versions of these files come with the packages and the Install covers additional tips and tricks for utilizing falcoctl in managing rules.

Since Falco 0.38.0, a new config key, config_files, allows the user to load additional configuration files to override main config entries; it allows user to keep local customization between Falco upgrades. Its default value points to a new folder, /etc/falco/config.d/ that gets installed by Falco and will be processed to look for local configuration files.

Download container images

Falco depends on having a driver installed on the host system to get information about the running system calls.

The preferred installation method is to install the driver using the native artifacts defined above or temporarily run the falcosecurity/falco-driver-loader image as privileged, then using the falcosecurity/falco-no-driver.

For more details, see the Run within Docker section.

For Kubernetes deployments, see the Deployment section.

tagpull commanddescription
latestdocker pull falcosecurity/falco-no-driver:latestThe most recent version
versiondocker pull falcosecurity/falco-no-driver:<version>A specific version of Falco such as 0.38.1
latestdocker pull falcosecurity/falco-driver-loader:latestThe most recent version of falco-driver-loader with the building toolchain
versiondocker pull falcosecurity/falco-driver-loader:<version>A specific version of falco-driver-loader such as 0.38.1 with the building toolchain
latestdocker pull falcosecurity/falco:latestThe most recent version with the falcoctl driver tool included
versiondocker pull falcosecurity/falco:<version>A specific version of Falco such as 0.38.1 with falcoctl driver tool included

The list of all available images can be found here.