https://v0-43--falcosecurity.netlify.app/docs/developer-guide/Recent content in Developer Guide on FalcoHugo -- gohugo.ioenhttps://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/ <p>Welcome to the guide on how to build Falco yourself! You are very brave! Since you are already doing all this, chances that you are willing to contribute are high! Please read our <a href="https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md">contributing guide</a>.</p> <ol> <li>Install the dependencies</li> </ol> <div class="card card-sm td-max-width-on-larger-screens"> <div class="card-body"> <ul class="nav nav-tabs" id="dependencies" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#dependencies-0" role="tab" aria-controls="dependencies-0" aria-selected="true">CentOS / RHEL</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#dependencies-1" role="tab" aria-controls="dependencies-1">Debian/ Ubuntu</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#dependencies-2" role="tab" aria-controls="dependencies-2">Arch Linux</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#dependencies-3" role="tab" aria-controls="dependencies-3">Alpine</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#dependencies-4" role="tab" aria-controls="dependencies-4">openSUSE</a></li></ul> <div class="tab-content" id="dependencies"><div id="dependencies-0" class="tab-pane show active" role="tabpanel" aria-labelledby="dependencies-0"> <p><p>CentOS 8 Stream / RHEL 8</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnf install git gcc gcc-c++ make cmake elfutils-libelf-devel perl-IPC-Cmd </span></span></code></pre></div></div> <div id="dependencies-1" class="tab-pane" role="tabpanel" aria-labelledby="dependencies-1"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>apt update <span style="color:#666">&amp;&amp;</span> apt install git cmake clang build-essential linux-tools-common linux-tools-generic libelf-dev bpftool </span></span></code></pre></div></div> <div id="dependencies-2" class="tab-pane" role="tabpanel" aria-labelledby="dependencies-2"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pacman -S git cmake make gcc wget </span></span><span style="display:flex;"><span>pacman -S zlib jq yaml-cpp openssl curl c-ares protobuf grpc libyaml bpf </span></span></code></pre></div><p>You'll also need kernel headers for building and making binaries properly.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pacman -S linux-headers </span></span></code></pre></div><p>You can use <code>uname -r</code> to determine the kernel version and select the appropriate header.</p> </div> <div id="dependencies-3" class="tab-pane" role="tabpanel" aria-labelledby="dependencies-3"> <p><p>Since Alpine ships with <code>musl</code> instead of <code>glibc</code>, to build on Alpine, we need to pass the <code>-DMUSL_OPTIMIZED_BUILD=On</code> CMake option.</p> <p>If that option is used along with the <code>-DUSE_BUNDLED_DEPS=On</code> option, then the final build will be 100% statically-linked and portable across different Linux distributions.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static binutils bpftool clang </span></span></code></pre></div></div> <div id="dependencies-4" class="tab-pane" role="tabpanel" aria-labelledby="dependencies-4"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>zypper -n install git gcc12 gcc12-c++ cmake make libelf-devel gawk </span></span></code></pre></div></div></div> </div> </div> <ol start="2"> <li>Build Falco</li> </ol> <div class="card card-sm td-max-width-on-larger-screens"> <div class="card-body"> <ul class="nav nav-tabs" id="build" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#build-0" role="tab" aria-controls="build-0" aria-selected="true">CentOS / RHEL</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#build-1" role="tab" aria-controls="build-1">Debian/ Ubuntu</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#build-2" role="tab" aria-controls="build-2">Arch Linux</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#build-3" role="tab" aria-controls="build-3">Alpine</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#build-4" role="tab" aria-controls="build-4">openSUSE</a></li></ul> <div class="tab-content" id="build"><div id="build-0" class="tab-pane show active" role="tabpanel" aria-labelledby="build-0"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git clone https://github.com/falcosecurity/falco.git </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco </span></span><span style="display:flex;"><span>mkdir -p build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake -DUSE_BUNDLED_DEPS<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make falco </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div> <div id="build-1" class="tab-pane" role="tabpanel" aria-labelledby="build-1"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git clone https://github.com/falcosecurity/falco.git </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco </span></span><span style="display:flex;"><span>mkdir -p build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake -DUSE_BUNDLED_DEPS<span style="color:#666">=</span>On .. </span></span><span style="display:flex;"><span>make falco </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div> <div id="build-2" class="tab-pane" role="tabpanel" aria-labelledby="build-2"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git clone https://github.com/falcosecurity/falco.git </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco </span></span><span style="display:flex;"><span>mkdir -p build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake .. </span></span><span style="display:flex;"><span>make falco </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div> <div id="build-3" class="tab-pane" role="tabpanel" aria-labelledby="build-3"> <p><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git clone https://github.com/falcosecurity/falco.git </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco </span></span><span style="display:flex;"><span>mkdir -p build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake -DUSE_BUNDLED_DEPS<span style="color:#666">=</span>On -DMUSL_OPTIMIZED_BUILD<span style="color:#666">=</span>On .. </span></span><span style="display:flex;"><span>make falco </span></span></code></pre></div></div> <div id="build-4" class="tab-pane" role="tabpanel" aria-labelledby="build-4"> <p><p>First, make sure that <code>gcc</code> and <code>g++</code> are version 9 or above. If you have multiple versions installed you can <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#specify-c-and-cxx-compilers">set the preferred one</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>git clone https://github.com/falcosecurity/falco.git </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> falco </span></span><span style="display:flex;"><span>mkdir -p build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake -DUSE_BUNDLED_DEPS<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make falco </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div></div> </div> </div> <ol start="3"> <li>Build kernel module driver</li> </ol> <div class="card card-sm td-max-width-on-larger-screens"> <div class="card-body"> <ul class="nav nav-tabs" id="kernelmodule" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#kernelmodule-0" role="tab" aria-controls="kernelmodule-0" aria-selected="true">CentOS / RHEL</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#kernelmodule-1" role="tab" aria-controls="kernelmodule-1">Debian/ Ubuntu</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#kernelmodule-2" role="tab" aria-controls="kernelmodule-2">Arch Linux</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#kernelmodule-3" role="tab" aria-controls="kernelmodule-3">Alpine</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#kernelmodule-4" role="tab" aria-controls="kernelmodule-4">openSUSE</a></li></ul> <div class="tab-content" id="kernelmodule"><div id="kernelmodule-0" class="tab-pane show active" role="tabpanel" aria-labelledby="kernelmodule-0"> <p><p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>yum -y install kernel-devel-<span style="color:#a2f;font-weight:bold">$(</span>uname -r<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>make driver </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div> <div id="kernelmodule-1" class="tab-pane" role="tabpanel" aria-labelledby="kernelmodule-1"> <p><p>Kernel headers are required to build the driver.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>apt install linux-headers-<span style="color:#a2f;font-weight:bold">$(</span>uname -r<span style="color:#a2f;font-weight:bold">)</span> </span></span></code></pre></div><p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make driver </span></span></code></pre></div></div> <div id="kernelmodule-2" class="tab-pane" role="tabpanel" aria-labelledby="kernelmodule-2"> <p><p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pacman -S --needed linux-headers </span></span><span style="display:flex;"><span>make driver </span></span></code></pre></div><p>More details <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#build-falco">here</a>.</p> </div> <div id="kernelmodule-3" class="tab-pane" role="tabpanel" aria-labelledby="kernelmodule-3"> <p><p>NO STEP</p> </div> <div id="kernelmodule-4" class="tab-pane" role="tabpanel" aria-labelledby="kernelmodule-4"> <p><p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>zypper -n install kernel-default-devel </span></span><span style="display:flex;"><span>make driver </span></span></code></pre></div></div></div> </div> </div> <ol start="4"> <li>Build eBPF driver (deprecated)</li> </ol> <div class="card card-sm td-max-width-on-larger-screens"> <div class="card-body"> <ul class="nav nav-tabs" id="ebpfdriver" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#ebpfdriver-0" role="tab" aria-controls="ebpfdriver-0" aria-selected="true">CentOS / RHEL</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#ebpfdriver-1" role="tab" aria-controls="ebpfdriver-1">Debian/ Ubuntu</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#ebpfdriver-2" role="tab" aria-controls="ebpfdriver-2">Arch Linux</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#ebpfdriver-3" role="tab" aria-controls="ebpfdriver-3">Alpine</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#ebpfdriver-4" role="tab" aria-controls="ebpfdriver-4">openSUSE</a></li></ul> <div class="tab-content" id="ebpfdriver"><div id="ebpfdriver-0" class="tab-pane show active" role="tabpanel" aria-labelledby="ebpfdriver-0"> <p><p>If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.</p> <p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnf install clang llvm </span></span><span style="display:flex;"><span>cmake -DBUILD_BPF<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make bpf </span></span></code></pre></div></div> <div id="ebpfdriver-1" class="tab-pane" role="tabpanel" aria-labelledby="ebpfdriver-1"> <p><p>If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.</p> <p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>apt install llvm clang </span></span><span style="display:flex;"><span>cmake -DBUILD_BPF<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make bpf </span></span></code></pre></div></div> <div id="ebpfdriver-2" class="tab-pane" role="tabpanel" aria-labelledby="ebpfdriver-2"> <p><p>If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.</p> <p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pacman -S llvm clang </span></span><span style="display:flex;"><span>cmake -DBUILD_BPF<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make bpf </span></span></code></pre></div></div> <div id="ebpfdriver-3" class="tab-pane" role="tabpanel" aria-labelledby="ebpfdriver-3"> <p><p>NO STEP</p> </div> <div id="ebpfdriver-4" class="tab-pane" role="tabpanel" aria-labelledby="ebpfdriver-4"> <p><p>If you do not want to use the kernel module driver you can, alternatively, build the eBPF driver as follows.</p> <p>In the build directory:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>zypper -n install clang llvm </span></span><span style="display:flex;"><span>cmake -DBUILD_BPF<span style="color:#666">=</span>ON .. </span></span><span style="display:flex;"><span>make bpf </span></span></code></pre></div></div></div> </div> </div> <h2 id="dependencies">Dependencies</h2> <p>By default Falco build bundles <strong>most of</strong> its runtime dependencies <strong>dynamically</strong>.</p> <p>You can notice this observing that the option <code>USE_BUNDLED_DEPS</code> is <code>OFF</code> by default. Which means that, whether applicable, Falco build will try to link against libraries already existing into your machine.</p> <p>Changing such option to <code>ON</code> causes Falco build to bundle all the dependencies statically.</p> <h2 id="build-falco">Build Falco</h2> <p>To build Falco, you will need to create a <code>build</code> directory. It's common to have the <code>build</code> directory in the Falco working copy itself, however it can be anywhere in your filesystem.</p> <p>There are <strong>three main steps to compile</strong> Falco.</p> <ol> <li>Create the build directory and enter in it</li> <li>Use cmake in the build directory to create the build files for Falco. <code>..</code> was used because the source directory is a parent of the current directory, you can also use the absolute path for the Falco source code instead</li> <li>Build using make</li> </ol> <h4 id="build-all">Build all</h4> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir build </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> build </span></span><span style="display:flex;"><span>cmake .. </span></span><span style="display:flex;"><span>make </span></span></code></pre></div><p>You can also build only specific targets:</p> <h4 id="build-falco-only">Build Falco only</h4> <p>Do the build folder and cmake setup, then:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make falco </span></span></code></pre></div><h4 id="build-the-falco-engine-only">Build the Falco engine only</h4> <p>Do the build folder and cmake setup, then:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make falco_engine </span></span></code></pre></div><h4 id="build-libscap-only">Build libscap only</h4> <p>Do the build folder and cmake setup, then:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make scap </span></span></code></pre></div><h4 id="build-libsinsp-only">Build libsinsp only</h4> <p>Do the build folder and cmake setup, then:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make sinsp </span></span></code></pre></div><h4 id="build-the-ebpf-probe-kernel-driver-only">Build the eBPF probe / kernel driver only</h4> <p>Do the build folder and cmake setup, then:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make driver </span></span></code></pre></div><h4 id="build-results">Build results</h4> <p>Once Falco is built, the three interesting things that you will find in your <code>build</code> folder are:</p> <ul> <li><code>userspace/falco/falco</code>: the actual Falco binary</li> <li><code>driver/src/falco.ko</code>: the Falco kernel driver</li> <li><code>driver/bpf/falco.o</code>: if you built Falco with <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#enable-ebpf-support">eBPF support</a></li> </ul> <p>If you'd like to build a debug version, run cmake as <code>cmake -DCMAKE_BUILD_TYPE=Debug ..</code> instead, see the <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#cmake-options">CMake Options</a> section for further customizations.</p> <h3 id="cmake-options">CMake Options</h3> <p>When doing the <code>cmake</code> command, we can pass additional parameters to change the behavior of the build files.</p> <p>Here'are some examples, always assuming your <code>build</code> folder is inside the Falco working copy.</p> <h4 id="generate-verbose-makefiles">Generate verbose makefiles</h4> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>-DCMAKE_VERBOSE_MAKEFILE<span style="color:#666">=</span>On </span></span></code></pre></div><h4 id="specify-c-and-cxx-compilers">Specify C and CXX compilers</h4> <pre tabindex="0"><code>-DCMAKE_C_COMPILER=$(which gcc) -DCMAKE_CXX_COMPILER=$(which g++) </code></pre><h4 id="enforce-bundled-dependencies">Enforce bundled dependencies</h4> <pre tabindex="0"><code>-DUSE_BUNDLED_DEPS=True </code></pre><p>Read more about Falco dependencies <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/source/#dependencies">here</a>.</p> <h4 id="treat-warnings-as-errors">Treat warnings as errors</h4> <pre tabindex="0"><code>-DBUILD_WARNINGS_AS_ERRORS=True </code></pre><h4 id="specify-the-build-type">Specify the build type</h4> <p>Debug build type</p> <pre tabindex="0"><code>-DCMAKE_BUILD_TYPE=Debug </code></pre><p>Release build type</p> <pre tabindex="0"><code>-DCMAKE_BUILD_TYPE=Release </code></pre><p>Notice this variable is case-insensitive and it defaults to release.</p> <h4 id="specify-the-falco-version">Specify the Falco version</h4> <p>Optionally the user can specify the version he wants Falco to have. Eg.,</p> <pre tabindex="0"><code> -DFALCO_VERSION=0.43.0-dirty </code></pre><p>When not explicitly specifying it the build system will compute the <code>FALCO_VERSION</code> value from the git history.</p> <p>In case the current git revision has a git tag, the Falco version will be equal to it (without the leading &quot;v&quot; character). Otherwise the Falco version will be in the form <code>0.&lt;commit hash&gt;[.dirty]</code>.</p> <h4 id="enable-ebpf-support">Enable eBPF support</h4> <pre tabindex="0"><code>-DBUILD_BPF=True </code></pre><p>When enabling this you will be able to make the <code>bpf</code> target after:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>make bpf </span></span></code></pre></div><h2 id="load-latest-falco-kernel-module">Load latest falco kernel module</h2> <p>If you have a binary version of Falco installed, an older Falco kernel module may already be loaded. To ensure you are using the latest version, you should unload any existing Falco kernel module and load the locally built version.</p> <p>Unload any existing kernel module via:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rmmod falco </span></span></code></pre></div><p>To load the locally built version, assuming you are in the <code>build</code> dir, use:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>insmod driver/falco.ko </span></span></code></pre></div><h2 id="run-falco">Run falco</h2> <p>Once Falco is built and the kernel module is loaded, assuming you are in the <code>build</code> dir, you can run falco as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml </span></span></code></pre></div><p>By default, falco logs events to standard error.</p>https://v0-43--falcosecurity.netlify.app/docs/developer-guide/plugins/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/developer-guide/plugins/ <h2 id="introduction">Introduction</h2> <p>This page is a guide for developers who want to write their own Falco/Falco libs plugins, providing some general best practices for authoring plugins.</p> <p>If you're not interested in writing your own plugin, or modifying one of the existing plugins, you can skip this page.</p> <p>Although plugins can be written in many languages, the Plugins API uses C functions, so you should be comfortable with C language concepts to understand the API.</p> <p>Before reading this page, read the main <a href="https://v0-43--falcosecurity.netlify.app/docs/plugins/">plugins</a> page for an overview of what plugins are and how they are used by Falco/Falco libs.</p> <h2 id="high-level-overview">High Level Overview</h2> <p>Here is a high level overview of how the plugin framework uses API functions to interact with plugins:</p> <ul> <li><strong>Initialization</strong> <ul> <li><strong>Checking API Compatibility</strong> — The framework calls <code>plugin_get_required_api_version</code> to verify that the plugin is compatible with the framework</li> <li><strong>Collecting Plugin Info</strong> — The framework calls <code>plugin_get_xxx</code> functions to obtain information about the plugin</li> <li><strong>Checking Capabilities</strong> — The framework checks which capabilities a plugin implements by verifying that the required functions are exported <ul> <li><strong>Getting Supported Event source</strong> — If the plugin has the event sourcing capability, the framework calls <code>plugin_get_id</code> and <code>plugin_get_event_source</code> to obtain the plugin ID and its event source</li> <li><strong>Getting Supported Extractable Fields</strong> — If the plugin has the field extraction capability, the framework calls <code>plugin_get_fields</code> to obtain the list of fields supported by the plugin</li> </ul> </li> <li><strong>Initializing the Plugin</strong> — The framework calls <code>plugin_init</code> to initialize a plugin, which returns an opaque <code>ss_plugin_t</code> handle. This handle is passed as an argument to later functions</li> </ul> </li> <li><strong>Opening Streams of Events (<em>event sourcing capability only</em>)</strong> <ul> <li><strong>Opening a Stream</strong> — The framework calls <code>plugin_open</code> the open a stream of events, which returns an opaque <code>ss_instance_t</code> handle. This handle is passed as an argument to later functions</li> <li><strong>Collecting Events</strong> — The framework calls <code>plugin_next_batch</code> to obtain events from the plugin</li> <li><strong>Closeing the Stream</strong> — The framework calls <code>plugin_close</code> to close a stream of events. The <code>ss_instance_t</code> handle is considered invalid and will not be used again</li> </ul> </li> <li><strong>Extracting Fields from Events (<em>field extraction capability only</em>)</strong> <ul> <li><strong>Extracting Values</strong> — The framework calls <code>plugin_extract_fields</code> to obtain values for fields for a given event</li> </ul> </li> <li><strong>Deinitialization</strong> <ul> <li><strong>Destroying the Plugin</strong> — The framework calls <code>plugin_destroy</code> to destroy a plugin. The <code>ss_plugin_t</code> handle is considered invalid and will not be used again.</li> </ul> </li> </ul> <h2 id="general-plugin-development-considerations">General Plugin Development Considerations</h2> <h3 id="plugin-sdks">Plugin SDKs</h3> <p>In order to abstract the complexity related with the low-level details of plugin development, the Falcosecurity organization provides a maintains SDKs to make the life of developers easier. Using an SDK is not mandatory but highly encouraged, and should be the way to go for almost all use cases.</p> <p>So far, only the <a href="https://github.com/falcosecurity/plugin-sdk-go">SDK for the Go language</a> is production-ready. Please check the <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/plugins/go-sdk-walkthrough/">Go SDK walkthrough section</a> for in-depth details.</p> <h3 id="api-versioning">API Versioning</h3> <p>The plugins API is versioned with a <a href="https://semver.org/">semver</a>-style version string. The plugins framework checks the plugin's required api version by calling the <code>plugin_get_required_api_version</code> API function. In order for the framework to load the plugin, the major number of the plugin framework must match the major number in the version returned by <code>plugin_get_required_api_version</code>. Otherwise, the plugin is incompatible and will not be loaded.</p> <h3 id="required-vs-optional-functions">Required vs Optional Functions</h3> <p>Some API functions are required, while others are optional. If a function is optional, the plugin can choose to not define the function at all. The framework will note that the function is not defined and will use default behavior. For optional functions, the default behavior is described below.</p> <h3 id="memory-returned-across-the-api-is-owned-by-the-plugin">Memory Returned Across the API is Owned By the Plugin</h3> <p>Every API function that returns or populates a string or struct pointer must point to memory allocated by the plugin and must remain valid for use by the plugin framework. When using the SDKs, this is generally handled automatically. Keep it in mind if using the plugin API functions directly, however.</p> <h3 id="what-configuration-internal-state-goes-where">What Configuration/Internal State Goes Where?</h3> <p>When the framework calls <code>plugin_open</code>, it provides a configuration string which is used to configure the plugin. When the framework calls <code>plugin_open</code>, it provides a parameters string which is used to source a stream of events. The format of both text blocks is defined by the plugin and is passed directly through by the plugin framework.</p> <p>Within a plugin, it must maintain state in two objects: a <code>ss_plugin_t</code> for plugin state, and a <code>ss_instance_t</code> for plugin instance state.</p> <p>For new plugin authors, it may be confusing to determine which state goes in each object and what information should be provided in the configuration string vs the parameters string. Ultimately, that's up to the plugin author, but here are some guidelines to follow:</p> <ul> <li>The <code>ss_plugin_t</code> struct should contain <em>configuration</em> that instructs the plugin how to behave. Generally, this is sourced from the configuration string.</li> <li>The <code>ss_instance_t</code> struct should contain <em>parameters</em> that instruct the plugin on how to source a stream of events. Generally, this is sourced from the parameters string.</li> <li>Instance state (e.g. the <code>ss_instance_t</code> struct) should include things like file handles, connection objects, current buffer positions, etc.</li> </ul> <p>For example, if a plugin fetches URLs, whether or not to allow self-signed certificates would belong in configuration, and the actual URLs to fetch would belong in parameters.</p> <h3 id="what-goes-in-an-event">What Goes In An Event?</h3> <p>Similarly, it may be confusing to distinguish between state for a plugin (e.g. <code>ss_plugin_t</code>/<code>ss_instance_t</code>) as compared to the actual data that ends up in an event. This is especially important when thinking about fields and what they represent. A good rule of thumb to follow is that fields should <em>only</em> extract data from events, and not internal state. For example, this behavior is encouraged by <em>not</em> providing a <code>ss_instance_t</code> handle as an argument to <code>plugin_extract_fields</code>.</p> <p>For example, assume some plugin returned a sample of a metric in events, and the internal state also held the maximum value seen so far. It would be a good practice to have a field <code>plugin.sample</code> that returned the value in a given event. It would <em>not</em> be a good practice to have a field <code>plugin.max_sample</code> that returned the maximum value seen, because that information is held in the internal state and not in events. If events <em>also</em> saved the current max sample so far, then it would be fine to have a field <code>plugin.max_sample</code>, as that can be retrieved directly from a single event.</p> <p>A question to ask when deciding what to put in an event is &quot;if this were written to a <code>.scap</code> capture file and replayed, would this plugin return the same values for fields as it did when the events were first generated?&quot;.</p> <p>Alternatively, the plugin can leverage access to <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/plugins/plugin-api-reference/#state-tables-api">state tables</a> for extracting pieces of information not contained in an event. In such a case, the best practice is for the plugin to implement the <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/plugins/plugin-api-reference/#event-parsing-capability-api">event parsing capability</a> and update its internal state when parsing the events of a given data stream. The functional internal state must not be updated when extracting fields unless for cache updates oriented to performance optimizations. Then, at the extraction, the plugin can read information from the event's payload and the state it has access to, either owned by itself or from another component registered in the framework.</p> <p>However, the fundamental question when handling the plugin's state updates is always whether that state must be reproducible or not in case the event stream is replayed through a capture file. Given that in most cases that is a requirement, the plugin must consider also implementing the <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/plugins/plugin-api-reference/#async-events-capability-api">async events capability</a> for being able to inject an async synthetic event in a live data stream, to record that and make it available for file capture. The plugin needs to be capable of parsing those async events in its event parsing functions to potentially replay them and reproduce the corresponding state changes.</p> <h3 id="plugin-authoring-lifecycle">Plugin Authoring Lifecycle</h3> <p>Here are some considerations to keep in mind when releasing the initial version of a new plugin and when releasing updated versions of the plugin.</p> <h4 id="initial-version">Initial Version</h4> <p>For plugins with event sourcing capability, make sure the event source is distinct, or if the same as existing plugins, that the saved payload is identical. In most cases, each plugin should define a new event source.</p> <p>For plugins with field extraction capability, if the plugin exports a set of compatible sources, make sure you have tested it with each compatible plugin with event sourcing capability to ensure that your plugin can read event payloads without errors/crashing. If the plugin does <em>not</em> export a set of compatible sources (meaning that it potentially handles every kind of event), your plugin must be very resilient. It will potentially be handed arbitrary binary data from other plugins.</p> <p>Register this plugin by submitting a PR to <a href="https://github.com/falcosecurity/plugins">falcosecurity/plugins</a> to update the <a href="https://github.com/falcosecurity/plugins/blob/master/registry.yaml">plugin registry</a>. This will give an official Plugin ID that can be safely used in capture files, etc., without overlapping with other plugins. It also lets others know that a new plugin is available!</p> <h4 id="updates">Updates</h4> <p>Every new release of a plugin should update the plugin's version number. Following semver conventions, the patch number should always be updated, the minor number should be updated when new fields are added, and the major number should be updated whenever any field is modified/removed or the semantics of a given field changes.</p> <p>With every release, you should check for an updated Plugin API Version and if needed, update the plugin to conform to the new API. Remember that a plugin and framework are considered be compatible if their major versions are the same.</p> <p>With each new release, make sure the contact information provided by the plugin is up-to-date.</p>https://v0-43--falcosecurity.netlify.app/docs/developer-guide/grpc/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/developer-guide/grpc/ <div class="card card-sm pageinfo pageinfo-warning my-4"> <div class="card-body"> <div class="card-text"> <p>The gRPC Output as well as the embedded gRPC server have been deprecated in Falco <code>0.43.0</code> and will be removed in a future release. Until removal and since Falco <code>0.43.0</code>, using any of them will result in a warning informing the user about the deprecation. Users are encouraged to leverage another output and/or Falcosidekick, as the usage will result in an error after the removal.</p> </div> </div> </div> <p>Starting from version <a href="https://github.com/falcosecurity/falco/releases/tag/0.18.0">0.18.0</a>, Falco has its own <a class='glossary-tooltip' title='gRPC is a modern open source, high-performance Remote Procedure Call (RPC) framework.' data-toggle='tooltip' data-placement='top' href='https://v0-43--falcosecurity.netlify.app/docs/grpc/' target='_blank' aria-label='gRPC'>gRPC</a> server which provides a set of gRPC APIs.</p> <p>The current APIs are:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/grpc/outputs/">schema definition</a>: get or subscribe to Falco output events.</li> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/grpc/version/">schema definition</a>: retrieve the Falco version.</li> </ul> <p>In order to interact with these APIs, the The Falco Project provides a <a href="https://v0-43--falcosecurity.netlify.app/docs/developer-guide/grpc/client-go/">Golang SDK</a>.</p>