Install on a host (DEB, RPM)
Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is preconfigured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the host, a driver needs to be installed.
For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.
There are two main methods to install Falco on your host using the released Falco packages:
- RPM or DEB package (includes Systemd setup): This method is detailed on this page.
- Tarball archive: For instructions, refer to the Install on a host (tarball) page.
Install
This installation method is for Linux distributions with a package manager that supports DEB (Debian, Ubuntu) or RPM (CentOS, RHEL, Fedora, Amazon Linux) packages.
In interactive installations, the Falco installation package uses the `dialog` binary for configuration prompts. The dialog allows the user to complete the Systemd setup, which includes:
- The driver selection (kmod, ebpf, modern_ebpf) or automatic selection
- The Falcoctl service setup
In non-interactive installations (e.g., `dialog` is not available, or the user disables it by setting `FALCO_FRONTEND=noninteractive` when installing Falco using the package manager), automatic driver selection is enabled by default; for the other options, the user needs to configure the Systemd services manually.
Env variables
The following environment variables can be used to customize the installation process:
- `FALCO_FRONTEND`: Set to `noninteractive` to disable the dialog prompts. The default is `dialog`.
- `FALCO_DRIVER_CHOICE`: Set to `kmod`, `ebpf`, or `modern_ebpf` to choose a driver; set to `none` to disable service installation. If one of these options is selected, the dialog is skipped too. The default (empty) is automatic selection.
- `FALCOCTL_ENABLED`: Set to `no` to disable the automatic rules update provided by `falcoctl`. The default (empty) or any value other than `no` keeps the option enabled.
These environment variables can be used in conjunction with the package manager (as described in the following sections) to customize the installation process as needed.
Examples:
- No dialog, no driver, no automatic rules update.
- Install with the `kmod` driver and automatic rules update.
- No dialog, automatic selection and automatic rules update.
- No dialog, automatic selection and no automatic rules update.
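As an added example (not from the Falco documentation), the following script assembles the package-manager command for the scenarios listed above. It assumes the command names `apt-get`, `yum` and `zypper`, always sets `FALCO_FRONTEND=noninteractive` so that no dialog appears, and the helper names are this example's own. The point worth noticing is where the variables go: on `sudo`'s own command line, because `sudo` resets the environment by default.

```shell
#!/bin/sh
# Added example: build the non-interactive Falco install command for a given
# package manager from the FALCO_* environment variables documented above.
# The variables go on sudo's own command line: sudo resets the environment by
# default, so "FALCO_FRONTEND=noninteractive sudo apt-get install falco" would
# drop them and the dialog would appear anyway.
#
# falco_install_cmd PKG_MANAGER DRIVER_CHOICE FALCOCTL_ENABLED
#   PKG_MANAGER      apt | yum | zypper
#   DRIVER_CHOICE    kmod | ebpf | modern_ebpf | none | "" (automatic selection)
#   FALCOCTL_ENABLED no | "" (keep the automatic rules update enabled)
# Prints the command on stdout; returns 1 on invalid arguments.
falco_install_cmd() {
    pm=$1; driver=$2; falcoctl=$3
    case "$pm" in
        apt)    cmd="apt-get install -y falco" ;;
        yum)    cmd="yum install -y falco" ;;
        zypper) cmd="zypper -n install falco" ;;
        *) echo "unknown package manager: $pm" >&2; return 1 ;;
    esac
    case "$driver" in
        kmod|ebpf|modern_ebpf|none|"") ;;
        *) echo "invalid FALCO_DRIVER_CHOICE: $driver" >&2; return 1 ;;
    esac
    vars="FALCO_FRONTEND=noninteractive"
    [ -n "$driver" ] && vars="$vars FALCO_DRIVER_CHOICE=$driver"
    [ "$falcoctl" = "no" ] && vars="$vars FALCOCTL_ENABLED=no"
    echo "sudo $vars $cmd"
}

# The four scenarios from the list above, for apt (printed, not executed).
falco_install_examples() {
    falco_install_cmd apt none no     # no dialog, no driver, no rules update
    falco_install_cmd apt kmod ""     # kmod driver, rules update on
    falco_install_cmd apt "" ""       # automatic selection, rules update on
    falco_install_cmd apt "" no       # automatic selection, rules update off
}

# Run with --show to print the four commands, e.g.: sh falco-install-cmd.sh --show
if [ "${1:-}" = "--show" ]; then falco_install_examples; fi
```

Replace `apt` with `yum` or `zypper` for the other package managers; the environment variables are the same since they are read by the package's own installation scripts, not by the package manager.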
apt (Debian/Ubuntu)
The following steps are for Debian and Debian-based distributions, such as Ubuntu, which use the `apt` package manager.
Trust the falcosecurity GPG key
Configure the apt repository
In older releases of Debian (Debian 9 and older), you might need to additionally install the `apt-transport-https` package to allow access to the Falco repository over the `https` protocol.
The following command will install that package on your system:
Update the package list
Install some required dependencies that are needed to build the Kernel Module and the eBPF probe
Note: You don't need to install these dependencies if you want to use the Modern eBPF.
Install the Falco package
yum (CentOS/RHEL/Fedora/Amazon Linux)
Trust the falcosecurity GPG key
Configure the yum repository
Update the package list
Install some required dependencies that are needed to build the Kernel Module and the eBPF probe
Note: You don't need to install these dependencies if you want to use the Modern eBPF.
Install the Falco package
You might need to validate the driver signature if your system has UEFI SecureBoot enabled. Follow these steps to do so:
Import the DKMS Machine Owner Key:
```shell
sudo mokutil --import /var/lib/dkms/mok.pub
```
Restart the system and wait for the MOK key enrollment prompt. Choose the option: Enroll MOK.
Load the Falco driver:
```shell
sudo insmod /var/lib/dkms/falco/<driver-version>/$(uname -r)/x86_64/module/falco.ko.xz
```
zypper (openSUSE)
Trust the falcosecurity GPG key
Configure the zypper repository
Update the package list
Install some required dependencies that are needed to build the Kernel Module and the eBPF probe
Note: You don't need to install these dependencies if you want to use the Modern eBPF.
Install Falco:
Uninstall Falco:
Systemd setup
Setup with dialog
By default, if you have the `dialog` binary installed on your system, you will be prompted with this:
From here you can choose one of our 3 drivers (`Kmod`, `eBPF`, `Modern eBPF`), a `Manual configuration`, or the `Automatic selection` (recommended) to trigger the automatic logic that selects the best driver for you. When you choose a driver from the dialog, the `systemd` service is always enabled by default, so it will start at every system reboot. If you want to disable this behavior, type `systemctl disable falco-kmod.service` (if you are using the kernel module, like in this example).
After the first dialog, you should see a second one:
If you choose `Yes`, `falcoctl` will periodically check for ruleset updates and, if a new update is available, will pull and install it.
Manual configuration
If you chose `Manual configuration` from the dialog, you need to complete the setup configuration.
First, let's verify the available services:
Using the `systemctl` command, you can now enable the desired unit to start at boot time.
Let's say you want to enable the modern eBPF probe:
Or you'd like to switch to using the kernel module:
As you can see, enabling `falco-kmod.service`, `falco-modern-bpf.service` or `falco-custom.service` also creates a new alias/service called `falco.service` that can be used in place of the aliased ones.
As a side note, if you prefer not to use the `falcoctl` tool to automatically update your rules, you can mask it as follows. Otherwise, as explained here, Falco will enable it too.
```shell
$ sudo systemctl mask falcoctl-artifact-follow.service
Created symlink /etc/systemd/system/falcoctl-artifact-follow.service → /dev/null.
```
Configuring services
If you installed the Falco packages using the `dialog` option, all your services should already be up and running. However, if you chose the `Manual configuration` option, you need to configure the services manually.
If you need to switch from one service to another, ensure that the current service is properly stopped before starting the new one. This can be done by using the appropriate service management commands for your system (e.g., `systemctl stop <service_name>` and `systemctl start <new_service_name>`).
For example, if you want to use the service for the eBPF probe:
- Type `systemctl list-units | grep falco` to check that no unit is running. Stop the current services, if any.
- Now you have to decide whether you want the Falcoctl service running together with the Falco one. If yes, you don't have to do anything; otherwise, you will need to mask the Falcoctl service with `systemctl mask falcoctl-artifact-follow.service`. The Falcoctl service is strictly related to the Falco one, so if you don't mask it, it will be started together with the Falco service.
- Type `falcoctl driver config --type ebpf` to configure Falco to use the eBPF probe, then `falcoctl driver install` to download/compile the eBPF probe.
- Now, running `systemctl start falco-bpf.service` and typing `systemctl list-units | grep falco`, you should see something like this (supposing you didn't mask the Falcoctl service):
If you want to stop both services in one shot:
Falcoctl service (automatic rules update)
If this service is enabled (as by default), typing `systemctl list-units | grep falco` you should see something similar to this:
- `falco-kmod-inject.service`: injects the kernel module and exits. This unit remains after exit to detach the kernel module when `falco-kmod.service` is stopped.
- `falco-kmod.service`: instance of Falco running the kernel module.
- `falcoctl-artifact-follow.service`: instance of Falcoctl that searches for new rulesets. This unit will be stopped when `falco-kmod.service` terminates.
The Falcoctl service is strictly related to the Falco one:
- when the Falco service starts, it searches for a unit called `falcoctl-artifact-follow.service` and, if present, starts it. Please note that, following this pattern, if you enable the Falco service and reboot your system, Falcoctl will start again with Falco even if you don't enable it through `systemctl enable`! You can disable this behavior by stopping the Falcoctl service and masking it with `systemctl mask falcoctl-artifact-follow.service`.
- when the Falco service stops, the Falcoctl service is also stopped.
In case the Falcoctl service is not enabled, the Falco package will only start `falco-kmod.service`. Typing `systemctl list-units | grep falco` you should see something similar to this:
In this mode, the Falcoctl service is masked by default, so if you want to enable it in a second step you need to type `systemctl unmask falcoctl-artifact-follow.service`.
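The manual switch procedure above and the coupling between the Falco and Falcoctl units, put together in one script as an added example (not part of the Falco project): it stops whatever Falco units are still active, optionally masks `falcoctl-artifact-follow.service` so it does not come back with Falco, reconfigures the driver with `falcoctl driver config` and `falcoctl driver install`, and starts the unit for the chosen driver. The `run` wrapper, the `FALCO_SWITCH_APPLY` variable, the helper names and the sample `systemctl list-units` lines are this example's own constructions; by default the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: switch the Falco host service to a different driver, following
# the manual steps above. Commands are only printed unless FALCO_SWITCH_APPLY=1.

# Map a driver type (as accepted by `falcoctl driver config --type`) to the
# systemd unit documented on this page.
falco_unit_for() {
    case "$1" in
        kmod)        echo falco-kmod.service ;;
        ebpf)        echo falco-bpf.service ;;
        modern_ebpf) echo falco-modern-bpf.service ;;
        *) echo "unknown driver type: $1" >&2; return 1 ;;
    esac
}

# Read `systemctl list-units --plain --no-legend` output (columns: UNIT LOAD
# ACTIVE SUB DESCRIPTION) on stdin; print the Falco-related units still active.
active_falco_units() {
    awk '$1 ~ /^falco/ && $3 == "active" { print $1 }'
}

# Constructed sample of list-units output, used to exercise the parser offline.
SAMPLE_LIST_UNITS='falco-kmod-inject.service loaded active exited Falco kernel module injector
falco-kmod.service loaded active running Falco with kernel module
falcoctl-artifact-follow.service loaded active running Falcoctl artifact follow
falco-bpf.service loaded inactive dead Falco with eBPF probe'

# Execute the command, or just echo it when not applying (the default).
run() {
    if [ "${FALCO_SWITCH_APPLY:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# switch_falco_driver NEW_TYPE [KEEP_FALCOCTL=yes|no]
switch_falco_driver() {
    new=$1; keep_falcoctl=${2:-yes}
    unit=$(falco_unit_for "$new") || return 1
    # Step 1: stop every Falco unit that is still running (Falcoctl stops with it).
    for u in $(systemctl list-units --plain --no-legend 2>/dev/null | active_falco_units); do
        run sudo systemctl stop "$u"
    done
    # Step 2: without the mask, falcoctl-artifact-follow.service starts again
    # together with Falco, whether or not it was enabled.
    if [ "$keep_falcoctl" = "no" ]; then
        run sudo systemctl mask falcoctl-artifact-follow.service
    fi
    # Step 3: point the driver loader at the new driver type and fetch or build it.
    run sudo falcoctl driver config --type "$new"
    run sudo falcoctl driver install
    # Step 4: start the matching unit and show what is running now.
    run sudo systemctl start "$unit"
    run sh -c 'systemctl list-units | grep falco'
}

# e.g.: FALCO_SWITCH_APPLY=1 sh falco-switch-driver.sh ebpf no
if [ $# -gt 0 ]; then switch_falco_driver "$@"; fi
```

Run it once without `FALCO_SWITCH_APPLY=1` to review the exact sequence of commands for your host before applying it.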
Custom service
You may have noticed a Falco unit called `falco-custom.service`. You should use it when you want to run Falco with a custom configuration, such as a plugin or gVisor. Please note that in this case you have to modify this template according to how you want to run Falco; the unit should not be used as is!
Configuration
The Falco configuration file is located at `/etc/falco/falco.yaml`. You can edit it to customize Falco's behavior.
Since Falco 0.38.0, a new config key, `config_files`, allows the user to load additional configuration files to override main config entries. This allows the user to keep local customizations across Falco upgrades. Its default value points to a new folder, `/etc/falco/config.d/`, which gets installed by Falco and is processed to look for local configuration files.
Hot Reload
By default, with the `watch_config_files` configuration option enabled, Falco automatically monitors changes to configuration and rule files. When these files are modified, Falco reloads the updated configuration without requiring a restart.
If this option is disabled, you can manually restart the Falco systemd service to apply the changes:
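As an added example (not part of the Falco docs), the following script keeps local overrides in a drop-in under the `config_files` directory rather than editing `/etc/falco/falco.yaml`, and decides whether a restart is needed by checking the effective `watch_config_files` value. The drop-in name `50-local.yaml`, the helper names and the choice of `json_output` as the overridden setting are this example's own; the override logic (a later file's value replacing an earlier one) mirrors what the page describes for `config_files`. Paths are parameters so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: keep local overrides in a drop-in under the config_files
# directory (default /etc/falco/config.d/) so package upgrades don't overwrite
# them, then decide whether Falco needs a restart to pick them up.
# The file name 50-local.yaml is this example's own choice.

# falco_write_dropin DIR : write a drop-in overriding two main-config keys.
falco_write_dropin() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/50-local.yaml" <<'EOF'
# Local overrides, loaded after /etc/falco/falco.yaml via config_files
json_output: true
watch_config_files: true
EOF
    echo "$dir/50-local.yaml"
}

# falco_effective_value MAIN_YAML DROPIN_DIR KEY : last definition wins,
# mirroring how config_files entries override main config entries.
# Only top-level "key: value" lines are considered (enough for scalar keys).
falco_effective_value() {
    main=$1; dir=$2; key=$3
    value=""
    for f in "$main" "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^$key:[[:space:]]*\([^#]*\).*/\1/p" "$f" | tail -n 1 | tr -d '[:space:]')
        [ -n "$v" ] && value=$v
    done
    echo "$value"
}

# falco_apply_config MAIN_YAML DROPIN_DIR : restart only when hot reload is off.
falco_apply_config() {
    if [ "$(falco_effective_value "$1" "$2" watch_config_files)" = "true" ]; then
        echo "watch_config_files is enabled: Falco reloads the new configuration itself"
    else
        echo "hot reload disabled: restarting falco.service"
        sudo systemctl restart falco.service
    fi
}

# e.g.: sh falco-dropin.sh   (writes the drop-in on the live host, then applies)
if [ "${1:-}" = "--apply" ]; then
    falco_write_dropin /etc/falco/config.d >/dev/null
    falco_apply_config /etc/falco/falco.yaml /etc/falco/config.d
fi
```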
Upgrade
apt (Debian/Ubuntu)
If you configured the `apt` repository by following the instructions for Falco 0.27.0 or older, you may need to update the repository URL; otherwise, feel free to ignore this message.
Check in the `apt-get update` log that `https://download.falco.org/packages/deb` is present.
If you installed Falco by following the provided instructions:
yum (CentOS/RHEL/Fedora/Amazon Linux)
If you configured the `yum` repository by following the instructions for Falco 0.27.0 or older, you may need to update the repository URL; otherwise, feel free to ignore this message.
Then check that the `falcosecurity-rpm` repository is pointing to `https://download.falco.org/packages/rpm/`:
If you installed Falco by following the provided instructions:
Check for updates:
If a newer Falco version is available:
zypper (openSUSE)
If you configured the `zypper` repository by following the instructions for Falco 0.27.0 or older, you may need to update the repository URL; otherwise, feel free to ignore this message.
Then check that the `falcosecurity-rpm` repository is pointing to `https://download.falco.org/packages/rpm/`:
If you installed Falco by following the provided instructions:
Kernel Upgrades
When performing kernel upgrades on your host, a reboot is required. When using an eBPF probe or a Kernel Module driver, the Falco driver loader (i.e., `falcoctl driver`) should be able to automatically find a pre-built driver (or build it on the fly) corresponding to the updated kernel release (`uname -r`), making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support.
Uninstall
apt (Debian/Ubuntu)
yum (CentOS/RHEL/Fedora/Amazon Linux)
zypper (openSUSE)
Package signing
On January 18th, 2023 the GPG key used to sign Falco packages was rotated. Check out the related blog post and make sure you're using the most up-to-date key available at falco.org/repo/falcosecurity-packages.asc.
Most Falco packages available at download.falco.org are provided with a detached signature that can be used to verify that the package information downloaded from the remote repository can be trusted.
The latest trusted public GPG key used for package signing can be downloaded from falco.org/repo/falcosecurity-packages.asc. The following table lists all the keys employed by the organization, currently and in the past, including the revoked ones. We recommend updating the revoked keys to download their revocation certificate, and eventually removing them from your package verification system, since signatures made with them can no longer be trusted.
Fingerprint | Expiration | Usage | Status | Download |
---|---|---|---|---|
2005399002D5E8FF59F28CE64021833E14CB7A8D | 2026-01-17 | Signing Falco Packages | Trusted | falcosecurity-14CB7A8D.asc |
15ED05F191E40D74BA47109F9F76B25B3672BA8F | 2023-02-24 | Signing Falco Packages | Revoked | falcosecurity-3672BA8F.asc |
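Before trusting the downloaded key, a practitioner compares its fingerprint with the table above rather than importing whatever the download returned. The following script is an added example (not part of the Falco project): it lists the key file with `gpg --with-colons --import-options show-only --import`, which shows the keys without importing them into any keyring, and classifies each primary-key fingerprint against the trusted and revoked values from the table. The helper names and the `SAMPLE_COLONS` record (a constructed key listing in the same colon format, with made-up timestamps and user ID, used only to exercise the parser offline) are this example's own.

```shell
#!/bin/sh
# Added example: check a downloaded Falco signing key against the published
# fingerprints before trusting it. Fingerprints are those from the table above.

TRUSTED_FALCO_FPR="2005399002D5E8FF59F28CE64021833E14CB7A8D"
REVOKED_FALCO_FPR="15ED05F191E40D74BA47109F9F76B25B3672BA8F"

# Constructed sample of `gpg --with-colons` output (placeholder dates and uid);
# the fpr record after "pub" is the primary key, the one after "sub" a subkey.
SAMPLE_COLONS='pub:-:4096:1:4021833E14CB7A8D:1642500000:1768608000::-:::scESC::::::23::0:
fpr:::::::::2005399002D5E8FF59F28CE64021833E14CB7A8D:
uid:-::::1642500000::0000000000000000000000000000000000000000::Placeholder <placeholder@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1642500000:1768608000:::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# fingerprints_from_colons : read colon records on stdin, print the primary-key
# fingerprint of each key (field 10 of the fpr record following a pub record).
fingerprints_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# falco_key_status FPR : classify a fingerprint against the published table.
falco_key_status() {
    case "$1" in
        "$TRUSTED_FALCO_FPR") echo trusted ;;
        "$REVOKED_FALCO_FPR") echo revoked ;;
        *)                    echo unknown ;;
    esac
}

# falco_check_keyfile FILE : list the keys in FILE without importing them and
# succeed only if every primary key carries the trusted fingerprint.
falco_check_keyfile() {
    fprs=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
           | fingerprints_from_colons)
    [ -n "$fprs" ] || { echo "no key found in $1" >&2; return 1; }
    rc=0
    for fpr in $fprs; do
        status=$(falco_key_status "$fpr")
        echo "$fpr $status"
        [ "$status" = trusted ] || rc=1
    done
    return $rc
}

# e.g.: curl -fsSL https://falco.org/repo/falcosecurity-packages.asc -o falco.asc
#       sh falco-check-key.sh falco.asc && sudo apt-key add falco.asc   (or rpm --import)
if [ $# -gt 0 ]; then falco_check_keyfile "$1"; fi
```

A key file that lists as `revoked` or `unknown` should not be added to the package manager's trust store; fetch the current key from falco.org/repo/falcosecurity-packages.asc and re-run the check.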
Troubleshooting
This section aims to offer further guidance when something doesn't go as expected in the installation of Falco.
Unable to find a prebuilt driver
ERROR failed: unable to find a prebuilt driver
This error message appears when the falcoctl driver loader tool, which looks for the Falco driver and loads it in memory, is not able to find a pre-built driver, neither as an eBPF probe nor as a kernel module, in the Falco driver repository (https://download.falco.org).
You can easily browse and search the supported targets at download.falco.org/driver/site.
This means that there's no prebuilt driver available for the kernel running on the machine where Falco is going to be installed.
However, you can add your kernel release version to the build grid that the pipeline uses to build the drivers. Follow this tutorial to contribute the required configuration.
Enable the BPF JIT Compiler
If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that:
- Your kernel has `CONFIG_BPF_JIT` enabled
- `net.core.bpf_jit_enable` is set to 1 (enable the BPF JIT Compiler)
This can be verified via `sysctl -n net.core.bpf_jit_enable`.
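An added example (not from the Falco docs) that checks both conditions above from the host's kernel config and sysctl; the file paths are parameters so the check can be run against copied files, and the helper names are this example's own. The value 2 of `net.core.bpf_jit_enable` also enables the JIT (with debug output to the kernel log), so the check accepts it alongside 1.

```shell
#!/bin/sh
# Added example: verify the two BPF JIT prerequisites for the eBPF probe.
# Defaults read the running kernel; pass file paths to check copies instead.

# kernel_config_has OPTION [CONFIG_FILE]
# Looks for OPTION=y in /boot/config-$(uname -r) or, failing that, /proc/config.gz.
# Returns 0 if set, 1 if not set, 2 if no kernel config could be read.
kernel_config_has() {
    opt=$1; cfg=${2:-/boot/config-$(uname -r)}
    if [ -r "$cfg" ]; then
        grep -qx "$opt=y" "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qx "$opt=y"
    else
        echo "no kernel config found; cannot verify $opt" >&2
        return 2
    fi
}

# bpf_jit_enabled [SYSCTL_FILE]
# True when net.core.bpf_jit_enable is 1 (JIT on) or 2 (JIT on with debug
# output); 0 means eBPF programs run in the interpreter.
bpf_jit_enabled() {
    f=${1:-/proc/sys/net/core/bpf_jit_enable}
    [ -r "$f" ] || return 2
    v=$(cat "$f")
    [ "$v" = 1 ] || [ "$v" = 2 ]
}

# check_bpf_jit [CONFIG_FILE] [SYSCTL_FILE] : report both checks, 0 if both pass.
check_bpf_jit() {
    ok=0
    if kernel_config_has CONFIG_BPF_JIT "$1"; then
        echo "CONFIG_BPF_JIT: enabled"
    else
        echo "CONFIG_BPF_JIT: not enabled (eBPF programs run in the interpreter)"
        ok=1
    fi
    if bpf_jit_enabled "$2"; then
        echo "net.core.bpf_jit_enable: on"
    else
        echo "net.core.bpf_jit_enable: off; fix with: sudo sysctl -w net.core.bpf_jit_enable=1"
        ok=1
    fi
    return $ok
}

# e.g.: sh check-bpf-jit.sh            (live host)
#       sh check-bpf-jit.sh ./config-copy ./bpf_jit_enable-copy
if [ "${1:-}" = "--live" ]; then check_bpf_jit; fi
```

Setting the sysctl with `sysctl -w` only lasts until reboot; to make it permanent, add `net.core.bpf_jit_enable = 1` to a file under `/etc/sysctl.d/`.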