Falco – Setup

Docs: Deploy on Kubernetes with the Operator

Mon, 01 Jan 0001 00:00:00 +0000

The Falco Operator is the recommended way to deploy and manage Falco on Kubernetes. It provides a declarative, Kubernetes-native experience for managing Falco instances, detection rules, plugins, and configuration through Custom Resources.

Going forward, the Falco Operator will become the standard deployment method for Falco on Kubernetes. The existing Helm chart remains fully supported during the transition period.

Overview

The Falco Operator manages the full Falco ecosystem through Kubernetes Custom Resources:

Falco Operator - Manages Falco instances (DaemonSet or Deployment mode) and ecosystem components
Artifact Operator - Manages rules, plugins, and configuration fragments (runs as a sidecar in each Falco pod)

The operator uses five Custom Resource Definitions (CRDs) across two API groups:

CRD	API Group	Purpose
`Falco`	`instance.falcosecurity.dev/v1alpha1`	Define and manage a Falco instance
`Component`	`instance.falcosecurity.dev/v1alpha1`	Deploy ecosystem components (Falcosidekick, Falcosidekick UI, k8s-metacollector)
`Rulesfile`	`artifact.falcosecurity.dev/v1alpha1`	Manage detection rules (OCI, inline YAML, or ConfigMap)
`Plugin`	`artifact.falcosecurity.dev/v1alpha1`	Manage Falco plugins from OCI registries
`Config`	`artifact.falcosecurity.dev/v1alpha1`	Manage configuration fragments (inline YAML or ConfigMap)

Prerequisites

Kubernetes 1.29+ (native sidecar support required)
kubectl installed and configured
Cluster admin privileges (for CRD and ClusterRole installation)

Install the Operator

Install the Falco Operator with a single command:

VERSION=latest
if [ "$VERSION" = "latest" ]; then
 kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml
else
 kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/download/${VERSION}/install.yaml
fi

This creates:

5 CRDs
The falco-operator namespace
A ServiceAccount, ClusterRole, and ClusterRoleBinding
The operator Deployment

Verify the operator is running:

kubectl get pods -n falco-operator
kubectl wait pods --for=condition=Ready --all -n falco-operator

Full Stack Quickstart

Want to deploy the entire Falco ecosystem in one command? The quickstart manifest deploys everything in the falco namespace: Falco, detection rules, container and k8smeta plugins, Falcosidekick, Falcosidekick UI with Redis, k8s-metacollector, and the configuration to wire them all together:

VERSION=latest
if [ "$VERSION" = "latest" ]; then
 kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/latest/download/quickstart.yaml
else
 kubectl apply --server-side -f https://github.com/falcosecurity/falco-operator/releases/download/${VERSION}/quickstart.yaml
fi

Verify everything is running:

kubectl get falco,plugins,rulesfiles,configs,components -n falco
kubectl get pods -n falco

All resources should show Reconciled: True and Available: True. All pods should be Running.

To uninstall (order matters - artifacts first so the sidecar can process finalizer cleanup):

# 1. Artifacts first
kubectl delete configs,rulesfiles,plugins --all -n falco
# 2. Instances and components
kubectl delete components,falcos --all -n falco
# 3. Infrastructure
kubectl delete statefulset falcosidekick-ui-redis -n falco
kubectl delete svc falcosidekick-ui-redis -n falco
# 4. Namespace
kubectl delete namespace falco

To configure Falcosidekick outputs (Slack, Elasticsearch, S3, etc.), see the Falcosidekick documentation.

If you prefer to deploy components individually and customize each one, follow the step-by-step quickstart below.

Step-by-Step Quickstart

Deploy Falco

Create a Falco instance with default settings (DaemonSet mode, modern_ebpf driver):

cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Falco
metadata:
 name: falco
spec: {}
EOF

Check that Falco pods are running on your nodes:

kubectl get falco
kubectl get pods -l app.kubernetes.io/name=falco

Falco starts in idle mode until you provide detection rules. The next steps add the container plugin and rules to activate monitoring.

Add the Container Plugin

The official Falco rules use fields like container.id and container.image.repository that require the container plugin. Without it, rules referencing container metadata fields will not work. Always load the container plugin before adding rules.

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
 name: container
spec:
 ociArtifact:
 image:
 repository: falcosecurity/plugins/plugin/container
 tag: latest
 registry:
 name: ghcr.io
EOF

Add Detection Rules

Load the official Falco rules from the OCI registry:

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Rulesfile
metadata:
 name: falco-rules
spec:
 ociArtifact:
 image:
 repository: falcosecurity/rules/falco-rules
 tag: latest
 registry:
 name: ghcr.io
 priority: 50
EOF

Check the rulesfile status:

kubectl get rulesfiles

Falco will automatically pick up the rules and start monitoring.

The registry.name field defaults to ghcr.io when omitted. The image.tag field defaults to latest.

Rules can also come from inline YAML or Kubernetes ConfigMaps. See the Rulesfile CRD reference for all options.

Add Other Plugins

Load additional plugins from OCI registries. For example, the k8saudit plugin for Kubernetes audit log monitoring:

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Plugin
metadata:
 name: k8saudit
spec:
 ociArtifact:
 image:
 repository: falcosecurity/plugins/plugin/k8saudit
 tag: latest
 registry:
 name: ghcr.io
EOF

See the Plugin CRD reference for configuration options.

Add Ecosystem Components

The operator can deploy ecosystem components alongside Falco using the Component CRD.

Falcosidekick

Deploy Falcosidekick to route Falco events to 70+ integrations:

cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Component
metadata:
 name: sidekick
spec:
 component:
 type: falcosidekick
 replicas: 2
EOF

Then configure Falco to send events to Falcosidekick:

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Config
metadata:
 name: sidekick-output
spec:
 config:
 json_output: true
 http_output:
 enabled: true
 url: "http://sidekick:2801"
 priority: 60
EOF

Falcosidekick UI

Deploy the web dashboard for event visualization. Requires a Redis instance:

cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Component
metadata:
 name: sidekick-ui
spec:
 component:
 type: falcosidekick-ui
 replicas: 2
EOF

Falcosidekick UI requires an external Redis instance. If Redis is not available, pods will stay in Init:0/1 state until Redis becomes reachable. See the Component CRD reference for a complete example with a bundled Redis StatefulSet.

k8s-metacollector

Deploy the centralized Kubernetes metadata collector:

cat <<EOF | kubectl apply -f -
apiVersion: instance.falcosecurity.dev/v1alpha1
kind: Component
metadata:
 name: metacollector
spec:
 component:
 type: metacollector
 replicas: 1
EOF

Customize Configuration

Override Falco configuration with Config resources:

cat <<EOF | kubectl apply -f -
apiVersion: artifact.falcosecurity.dev/v1alpha1
kind: Config
metadata:
 name: custom-config
spec:
 config:
 engine:
 kind: modern_ebpf
 modern_ebpf:
 buf_size_preset: 4
 output_timeout: 2000
 priority: 50
EOF

Configuration fragments are applied in priority order (0–99) and merged with the base configuration. You can target specific nodes using label selectors. See the Config CRD reference.

Deployment Modes

The operator supports two deployment modes:

DaemonSet (default)

Runs Falco on every node for cluster-wide syscall monitoring using the modern_ebpf driver. This is the standard deployment for runtime security.

spec:
 type: DaemonSet

Deployment

Runs Falco as a regular Deployment instead of a DaemonSet.

spec:
 type: Deployment
 replicas: 2

Uninstall

Remove resources in the correct order, artifacts first (so the sidecar can clean up finalizers), then instances, then the operator:

# 1. Remove artifact resources first
kubectl delete rulesfiles --all --all-namespaces
kubectl delete plugins --all --all-namespaces
kubectl delete configs --all --all-namespaces

# 2. Remove instance resources
kubectl delete components --all --all-namespaces
kubectl delete falco --all --all-namespaces

# 3. Remove the operator and CRDs
kubectl delete -f https://github.com/falcosecurity/falco-operator/releases/latest/download/install.yaml

Deleting Falco instances before artifacts will terminate the Artifact Operator sidecar, leaving artifact finalizers unresolved. Always delete artifact resources (Rulesfile, Plugin, Config) before Falco instances.

Learn More

For complete documentation, including the CRD reference, architecture overview, migration guide, and contributing instructions, visit the Falco Operator repository.

Resource	Link
Full documentation	github.com/falcosecurity/falco-operator/docs
CRD reference	Falco, Rulesfile, Plugin, Config, Component
Architecture	Architecture overview
Sample manifests	config/samples/

Docs: Deploy on Kubernetes with Helm

Mon, 01 Jan 0001 00:00:00 +0000

The Falco Operator is now the recommended way to deploy Falco on Kubernetes. It provides a declarative, Kubernetes-native experience with Custom Resources for managing Falco instances, rules, plugins, and configuration. The Helm chart method described on this page remains fully supported.

Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is pre-configured to consume events from the Linux Kernel. This default installation scenario will add Falco to all nodes in your cluster using a DaemonSet. This scenario requires Falco to be privileged, and depending on the kernel version installed on the node, a driver will be installed on the node.

For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.

A well-established method to deploy Falco on a Kubernetes cluster is to use the provided Helm chart. The official Falco charts repository is hosted at:

https://falcosecurity.github.io/charts

If needed, you can consult the Installing Helm guide for information about how to download and install Helm. Before deploying Falco on Kubernetes, ensure you can access the targeted cluster running with Linux nodes, either x86_64 or ARM64. Also, you will need to have kubectl and helm installed and configured.

Alternatively, Falco can be installed in Kubernetes without Helm by providing manifest files and deploying them to your cluster. For details, see the example here.

Install

First, add the Helm repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Then install Falco:

helm install --replace falco --namespace falco --create-namespace --set tty=true falcosecurity/falco

And check that the Falco pods are running:

kubectl get pods -n falco

Falco pod(s) might need a few seconds to start. Wait until they are ready:

kubectl wait pods --for=condition=Ready --all -n falco

Configuration

When deploying Falco via Helm, you will use Helm values to pass the Falco configuration. For further details, see the Falco Helm Chart documentation.

Upgrade

If you wish to upgrade Falco to a new version, you need to find the corresponding version in the Falco Helm Chart repository (e.g., 4.8.1 is for Falco 0.38.2) then run:

helm upgrade falco -n falco --version 4.8.1

To avoid any possible disruption, before upgrading to a new version, consult the Falco Helm chart Breaking Changes page.

Uninstall

If you wish to remove Falco from your cluster, you can simply run:

helm uninstall falco -n falco

Docs: Deploy as a container

Mon, 01 Jan 0001 00:00:00 +0000

Falco consumes streams of events and evaluates them against a set of security rules to detect abnormal behavior. By default, Falco is pre-configured to consume events from the Linux Kernel. This scenario requires Falco to be privileged, and depending on the kernel version installed on the node, a driver will be installed on the node. Since orchestration systems like Kubernetes are out of scope for this section, it's up to the user to manage the container lifecycle and deployment across the nodes.

For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.

Install

This section describes how to run the Falco userspace process in a container using one of the released container images.

By default, Falco is pre-configured to consume events from the Linux Kernel. For this default installation scenario, Falco can be run in two ways:

Different instructions apply to each method depending on the driver used. Note that the Modern eBPF does not require driver installation.

Fully Privileged

To run Falco in a container using Docker with full privileges, use the following commands:

Modern eBPF

The Modern eBPF is bundled into the Falco binary. This allows you to run Falco without dependencies by using the following command:

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 --privileged \
 -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
 -v /var/run/docker.sock:/host/var/run/docker.sock \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco:0.43.0

On some systems, tracefs is available at /sys/kernel/debug/tracing instead of /sys/kernel/tracing. If this is the case, please replace -v /sys/kernel/tracing:/sys/kernel/tracing:ro with -v /sys/kernel/debug/tracing:/sys/kernel/tracing:ro.

Mounting the host's tracefs (i.e.: mounting the host /sys/kernel/tracing path) is an optional but recommended pre-requisite. By removing the -v /sys/kernel/tracing:/sys/kernel/tracing:ro line from the above command, you will reduce the amount of accesses granted to the container, but will not benefit anymore from TOCTOU mitigation support.

Kernel Module

For the Kernel Module driver, Falco requires the driver to be installed on the host system first.

Install the driver on the host system using the falcosecurity/falco-driver-loader image, as described in the Driver Installation section.

Run Falco:

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 --privileged \
 -v /var/run/docker.sock:/host/var/run/docker.sock \
 -v /dev:/host/dev \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco:0.43.0 falco -o engine.kind=kmod

eBPF Probe

For the eBPF probe driver, Falco requires the probe to be prepared and stored on the host system first (under /root/.falco).

Install the driver on the host system using the falcosecurity/falco-driver-loader image, as described in the Driver Installation section.

Run Falco:

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 --privileged \
 -v /var/run/docker.sock:/host/var/run/docker.sock \
 -v /root/.falco:/root/.falco \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco:0.43.0 falco -o engine.kind=ebpf

# If running a kernel version < 4.14, add '-v /sys/kernel/debug:/sys/kernel/debug:ro \' to the above docker command.

Least Privileged (Recommended)

To run Falco in a container using Docker with the principle of least privilege, you can use the following commands depending on the driver you want to use.

Modern eBPF

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 --cap-drop all \
 --cap-add sys_admin \
 --cap-add sys_resource \
 --cap-add sys_ptrace \
 -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
 -v /var/run/docker.sock:/host/var/run/docker.sock \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco:0.43.0

The minimum set of capabilities to run Falco with the Modern eBPF driver are:

CAP_SYS_PTRACE
CAP_SYS_RESOURCE
CAP_BPF
CAP_PERFMON

However, in the command above, we use CAP_SYS_ADMIN because Docker does not yet support CAP_BPF and CAP_PERFMON.

Kernel Module

For the Kernel Module driver, Falco requires the driver to be installed on the host system first. This step requires full privileges, while the Falco container can then run with the least privileges.

Install the driver on the host system using the falcosecurity/falco-driver-loader image, as described in the Driver Installation section.

Run Falco using the falcosecurity/falco image with the least privileges:

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 -e HOST_ROOT=/ \
 --cap-add SYS_PTRACE --pid=host $(ls /dev/falco* | xargs -I {} echo --device {}) \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v /etc:/host/etc:ro \
 falcosecurity/falco:0.43.0 falco -o engine.kind=kmod

Note that ls /dev/falco* | xargs -I {} echo --device {} outputs a --device /dev/falcoX option per CPU (i.e., just the devices created by the Falco's kernel module). Also, -e HOST_ROOT=/ is necessary since with --device there is no way to remap devices to /host/dev/.

If you are running Falco on a system with the AppArmor LSM enabled (e.g., Ubuntu), you must also pass --security-opt apparmor:unconfined to the docker run command above.

You can verify if you have AppArmor enabled using the command below:

docker info | grep -i apparmor

eBPF Probe

For the eBPF probe driver, Falco requires the probe to be prepared and stored on the host system first (under /root/.falco). This step requires full privileges, after which the Falco container can run with the least privileges.

Install the driver on the host system using the falcosecurity/falco-driver-loader image, as described in the Driver Installation section.

Run Falco using the falcosecurity/falco image with the least privileges:

docker pull falcosecurity/falco:0.43.0
docker run --rm -it \
 --cap-drop all \
 --cap-add sys_admin \
 --cap-add sys_resource \
 --cap-add sys_ptrace \
 -v /var/run/docker.sock:/host/var/run/docker.sock \
 -v /root/.falco:/root/.falco \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc \
 falcosecurity/falco:0.43.0 falco -o engine.kind=ebpf

# If running a kernel version < 4.14, add '-v /sys/kernel/debug:/sys/kernel/debug:ro \' to the above Docker command.

If you are running Falco on a system with the AppArmor LSM enabled (e.g., Ubuntu), you must also pass --security-opt apparmor:unconfined to the docker run command above.

To verify if AppArmor is enabled, use the command below:

docker info | grep -i apparmor

To run Falco with the least privileges using the eBPF probe, the following capabilities are required:

On kernels <5.8, Falco requires CAP_SYS_ADMIN, CAP_SYS_RESOURCE, and CAP_SYS_PTRACE.
On kernels >=5.8, CAP_BPF and CAP_PERFMON were separated from CAP_SYS_ADMIN, so the required capabilities are CAP_BPF, CAP_PERFMON, CAP_SYS_RESOURCE, CAP_SYS_PTRACE. Unfortunately, Docker does not yet support adding the two newly introduced capabilities with the --cap-add option. For this reason, we continue using CAP_SYS_ADMIN, which still allows performing the same operations granted by CAP_BPF and CAP_PERFMON. In the near future, Docker will support adding these two capabilities, and we will be able to replace CAP_SYS_ADMIN.

Driver Installation

This section provides instructions for installing the driver on the host system using the falcosecurity/falco-driver-loader image. This approach is helpful if you prefer to install the driver on the host first and then run Falco in a container later.

Driver installation on the host is only required for the Kernel Module and eBPF probe drivers.

You can skip this section if you plan to use the Modern eBPF.

When using the eBPF probe or kernel module drivers, the driver loader attempts to either download a prebuilt driver or build it on the fly as a fallback. Starting with Falco 0.38, the driver loader has improved functionality to automatically retrieve the required kernel headers for distributions supported by driverkit. This enhancement ensures that the necessary kernel headers are available to dynamically build the appropriate driver—whether it is the Kernel Module or the eBPF probe.

However, if the driver loader cannot automatically fetch the required kernel headers, you may need to install them manually on the host as a prerequisite. For detailed instructions on manual installation, refer to the Installation section.

The falcosecurity/falco-driver-loader:0.43.0 is based on a recent Debian image. For ancient kernel versions, this might not work. The alternative falcosecurity/falco-driver-loader:0.43.0-buster (based on an older Debian image) may work in such a case.

Kernel Module

To install the kernel module driver on the host system, you can use the following command:

docker pull falcosecurity/falco-driver-loader:0.43.0
docker run --rm -it \
 --privileged \
 -v /root/.falco:/root/.falco \
 -v /boot:/host/boot:ro \
 -v /lib/modules:/host/lib/modules \
 -v /usr:/host/usr:ro \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco-driver-loader:0.43.0 kmod

eBPF Probe

To install the eBPF probe driver on the host system, you can use the following command:

docker pull falcosecurity/falco-driver-loader:0.43.0
docker run --rm -it \
 --privileged \
 -v /root/.falco:/root/.falco \
 -v /boot:/host/boot:ro \
 -v /lib/modules:/host/lib/modules:ro \
 -v /usr:/host/usr:ro \
 -v /proc:/host/proc:ro \
 -v /etc:/host/etc:ro \
 falcosecurity/falco-driver-loader:0.43.0 ebpf

Verify Image Signing

All official container images for Falco, starting from version 0.35.0, are signed with cosign. To verify the signature, you can run the following command:

cosign verify docker.io/falcosecurity/falco:0.43.0 \
 --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
 --certificate-identity-regexp=https://github.com/falcosecurity/falco/ \
 --certificate-github-workflow-ref=refs/tags/0.43.0

Replace docker.io/falcosecurity/falco with any official Falco image (falco, falco-driver-loader) from any official container registry to verify other images.

If you have your own container registry and wish to retain the signature while copying Falco images, you can simply use the cosign copy command:

cosign copy docker.io/falcosecurity/falco:0.43.0 your-registry/falco:0.43.0

And you'll be able to easily verify that the image in your registry was not tampered with!

Configuration

You can configure Falco by either:

Passing the -o command line flag to the Docker run command
Or by mounting a custom configuration file into the container (e.g., -v /path/to/falco.yaml:/etc/falco/falco.yaml)

Further configurable options via environment variables include (to be passed with -e with Docker):

FALCOCTL_DRIVER_REPOS - See the Installing the Driver section.
SKIP_DRIVER_LOADER - Set this environment variable to avoid running falcoctl driver tool when the falcosecurity/falco image starts. Useful when the driver has already been installed on the host by other means.

Docs: Install on a host (DEB, RPM)

Mon, 01 Jan 0001 00:00:00 +0000

For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.

There are two main methods to install Falco on your host using the released Falco packages:

RPM or DEB package (includes Systemd setup): This method is detailed on this page.
Tarball archive: For instructions, refer to the Install on a host (tarball) page.

System requirements

Falco runs on Linux and is available for the x86_64 and aarch64 architectures. Falco with its bundled plugins requires GLIBC 2.28 or newer. You can check your system's GLIBC version by running ldd --version.

Install

This installation method is for Linux distributions with a package manager that supports DEB (Debian, Ubuntu) or RPM (CentOS, RHEL, Fedora, Amazon Linux) packages.

In interactive installations, the Falco installation package uses the dialog binary for configuration prompts. The dialog allows the user to complete the Systemd setup which includes:

The driver selection (kmod, ebpf, modern_ebpf) or automatic selection
The Falcoctl service setup

In non-interactive installations (e.g., dialog is not available, or if the user disables it by setting FALCO_FRONTEND=noninteractive when installing Falco using the package manager), the automatic driver selection is enabled by default and for other options, the user needs to manually configure the Systemd services.

Env variables

The following environment variables can be used to customize the installation process:

FALCO_FRONTEND: Set to noninteractive to disable the dialog prompts. The default is dialog.
FALCO_DRIVER_CHOICE: Set to kmod, ebpf, or modern_ebpf to choose a driver; set to none to disable service installation. If one of the previous option is selected, the dialog will be skipped too. The default (empty) is automatic selection.
FALCOCTL_ENABLED: Set to no to disable the automatic rules update provided by falcoctl. The default (empty) or any value other than no will keep the option enabled.

These environment variables can be used in conjunction with the package manager (as described in the following sections) to customize the installation process as needed.

Examples:

No dialog, no driver, no automatic rules update:

FALCO_DRIVER_CHOICE=none apt-get install -y falco

Install with kmod driver and automatic rules update:

FALCO_DRIVER_CHOICE=kmod apt-get install -y falco

No dialog, automatic selection and automatic rules update:
```
FALCO_FRONTEND=noninteractive apt-get install -y falco
```

No dialog, automatic selection and no automatic rules update:

FALCO_FRONTEND=noninteractive FALCOCTL_ENABLED=no apt-get install -y falco

`apt` (Debian/Ubuntu)

The following steps are for Debian and Debian-based distributions, such as Ubuntu, which use the apt package manager.

Trust the falcosecurity GPG key

curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

Configure the apt repository

echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
sudo tee -a /etc/apt/sources.list.d/falcosecurity.list

In older releases of Debian (Debian 9 and older ones), you might need to additionally install the package apt-transport-https to allow access to the Falco repository using the https protocol.

The following command will install that package on your system:

sudo apt-get install apt-transport-https

Update the package list
```
sudo apt-get update -y
```

Install some required dependencies that are needed to build the Kernel Module and the eBPF probe

Note: You don't need to install these dependencies if you want to use the Modern eBPF.

sudo apt install -y dkms make linux-headers-$(uname -r)
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
sudo apt install -y clang llvm
# You can install also the dialog package if you want it
sudo apt install -y dialog

Install the Falco package
```
sudo apt-get install -y falco
```

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

Trust the falcosecurity GPG key

sudo rpm --import https://falco.org/repo/falcosecurity-packages.asc

Configure the yum repository

sudo curl -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo

Update the package list
```
sudo yum update -y
```

Install some required dependencies that are needed to build the Kernel Module and the eBPF probe

Note: You don't need to install these dependencies if you want to use the Modern eBPF.

# If necessary install it using: `yum install epel-release` (or `amazon-linux-extras install epel` in case of amzn2), then `yum install make dkms`.
sudo yum install -y dkms make
# If the package was not found by the below command, you might need to run `yum distro-sync` in order to fix it. Rebooting the system may be required.
sudo yum install -y kernel-devel-$(uname -r)
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
sudo yum install -y clang llvm
# You can install also the dialog package if you want it
sudo yum install -y dialog

Install the Falco package
```
sudo yum install -y falco
```

You might need to validate the driver signature if your system has UEFI SecureBoot enabled. Follow these steps to do so:

Import the DKMS Machine Owner Key

 ```shell
sudo mokutil --import /var/lib/dkms/mok.pub
```

Restart the system and wait for the MOK key enrollment prompt
Choose the option: Enroll MOK

Load the Falco driver

 ```shell
sudo insmod /var/lib/dkms/falco/<driver-version>/$(uname -r)/x86_64/module/falco.ko.xz
```

RHEL 8 / UBI 8 users: Starting from Falco 0.42, you may need to set the LD_PRELOAD environment variable due to a glibc compatibility issue:

LD_PRELOAD=/lib64/libresolv.so.2 falco

When using systemd, you can add this to your service override or edit the unit file to include Environment="LD_PRELOAD=/lib64/libresolv.so.2".

`zypper` (openSUSE)

Trust the falcosecurity GPG key

sudo rpm --import https://falco.org/repo/falcosecurity-packages.asc

Configure the zypper repository

sudo curl -o /etc/zypp/repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo

Update the package list
```
sudo zypper -n update
```

Install some required dependencies that are needed to build the Kernel Module and the eBPF probe

Note: You don't need to install these dependencies if you want to use the Modern eBPF.

sudo zypper -n install dkms make
# If the package was not found by the below command, you might need to run `zypper -n dist-upgrade` in order to fix it. Rebooting the system may be required.
sudo zypper -n install kernel-default-devel-$(uname -r | sed s/\-default//g)
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
sudo zypper -n install clang llvm
# You can install also the dialog package if you want it
sudo zypper -n install dialog

Install Falco:
```
sudo zypper -n install falco
```
Uninstall Falco:
```
sudo zypper rm falco
```

Systemd setup

Setup with dialog

By default, if you have the dialog binary installed on your system, you will be prompted with this:

From here you can choose one of our 3 drivers Kmod, eBPF, Modern eBPF, a Manual configuration or the Automatic selection (recommended) to trigger the automatic logic to select the best driver for you. When you choose a driver from the dialog, the systemd service is always enabled by default so it will start at every system reboot. If you want to disable this behavior type systemctl disable falco-kmod.service (if you are using the kernel module like in this example).

After the first dialog, you should see a second one:

If you choose Yes, falcoctl will periodically check for ruleset updates and, if a new update is available, will pull and install it.

Manual configuration

If you chose Manual configuration from the dialog, you need to complete the setup configuration.

First, let's verify the available services:

$ sudo systemctl list-unit-files "falco*"

UNIT FILE STATE PRESET
falco-bpf.service disabled enabled
falco-custom.service disabled enabled
falco-kmod-inject.service static enabled
falco-kmod.service disabled enabled
falco-modern-bpf.service disabled enabled
falcoctl-artifact-follow.service disabled enabled

Using the systemctl command, you can now enable the desired unit to start at boot time.

Let's say you want to enable the modern eBPF probe:

$ sudo systemctl enable falco-modern-bpf.service
Created symlink /etc/systemd/system/falco.service → /usr/lib/systemd/system/falco-modern-bpf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/falco-modern-bpf.service → /usr/lib/systemd/system/falco-modern-bpf.service.

$ sudo systemctl list-unit-files "falco*"

UNIT FILE STATE PRESET
falco-bpf.service disabled enabled
falco-custom.service disabled enabled
falco-kmod-inject.service static -
falco-kmod.service disabled enabled
falco-modern-bpf.service enabled enabled
falco.service alias -
falcoctl-artifact-follow.service disabled enabled

Or you'd like to switch to using the kernel module:

$ sudo systemctl disable falco-modern-bpf.service
Removed "/etc/systemd/system/multi-user.target.wants/falco-modern-bpf.service".
Removed "/etc/systemd/system/falco.service".

$ sudo systemctl enable falco-kmod.service
Created symlink /etc/systemd/system/falco.service → /usr/lib/systemd/system/falco-kmod.service.
Created symlink /etc/systemd/system/multi-user.target.wants/falco-kmod.service → /usr/lib/systemd/system/falco-kmod.service.

$ sudo systemctl list-unit-files "falco*"

UNIT FILE STATE PRESET
falco-bpf.service disabled enabled
falco-custom.service disabled enabled
falco-kmod-inject.service static -
falco-kmod.service enabled enabled
falco-modern-bpf.service disabled enabled
falco.service alias -
falcoctl-artifact-follow.service disabled enabled

7 unit files listed.

As you can see, enabling the falco-kmod.service, falco-modern-bpf.service or falco-custom.service also creates a new alias/service called falco.service that can be used in place of the aliased ones.

As a side note, if you prefer not to use the falcoctl tool to automatically update your rules, you can mask it as follows. Otherwise, as explained here, Falco will enable it too.

$ sudo systemctl mask falcoctl-artifact-follow.service
Created symlink /etc/systemd/system/falcoctl-artifact-follow.service → /dev/null.

Configuring services

If you installed the Falco packages using the dialog option, all your services should already be up and running. However, if you chose the Manual configuration option, you need to configure the services manually.

If you need to switch from one service to another, ensure that the current service is properly stopped before starting the new one. This can be done by using the appropriate service management commands for your system (e.g., systemctl stop <service_name> and systemctl start <new_service_name>).

For example, if you want to use the service for the eBPF probe:

Type systemctl list-units | grep falco to check that no unit is running. Stop the current services, if any.
Now you have to decide whether you want the Falcoctl service running together with the Falco one. If yes you don't have to do anything, else you will need to mask the Falcoctl service with systemctl mask falcoctl-artifact-follow.service. The Falcoctl service is strictly related to the Falco one so if you don't mask it, it will be started together with the Falco service.
Type falcoctl driver config --type ebpf to configure Falco to use eBPF probe, then falcoctl driver install to download/compile the eBPF probe.

Now running systemctl start falco-bpf.service and typing systemctl list-units | grep falco you should see something like that (supposing you didn't mask the Falcoctl service):

falco-bpf.service loaded active running Falco: Container Native Runtime Security with ebpf
falcoctl-artifact-follow.service loaded active running Falcoctl Artifact Follow: automatic artifacts update service

If you want to stop both services in one shot
```
systemctl stop falco-bpf.service
```

Falcoctl service (automatic rules update)

If this service is enabled (as default), typing systemctl list-units | grep falco you should see something similar to this:

falco-kmod-inject.service loaded active exited Falco: Container Native Runtime Security with kmod, inject.
falco-kmod.service loaded active running Falco: Container Native Runtime Security with kmod
falcoctl-artifact-follow.service loaded active running Falcoctl Artifact Follow: automatic artifacts update service

falco-kmod-inject.service injects the kernel module and exits. This unit remains after exit to detach the kernel module when the falco-kmod.service will be stopped.
falco-kmod.service instance of Falco running the kernel module.
falcoctl-artifact-follow.service instance of Falcoctl that searches for new rulesets. This unit will be stopped when falco-kmod.service terminates.

The Falcoctl service is strictly related to the Falco one:

when the Falco service starts it searches for a unit called falcoctl-artifact-follow.service and if present it starts it. Please note that following this pattern, if you enable the Falco service and you reboot your system, Falcoctl will start again with Falco even if you don't enable it through systemd enable! You can disable this behavior by stopping the Falcoctl service and masking it systemctl mask falcoctl-artifact-follow.service.
when the Falco service stops also the Falcoctl service is stopped.

In case the Falcoctl service is not enabled, the Falco package will only start the falco-kmod.service. Typing systemctl list-units | grep falco you should see something similar to this:

falco-kmod-inject.service loaded active exited Falco: Container Native Runtime Security with kmod, inject.
falco-kmod.service loaded active running Falco: Container Native Runtime Security with kmod

In this mode, the Falcoctl service is masked by default so if you want to enable it in a second step you need to type systemctl unmask falcoctl-artifact-follow.service.

Custom service

You may have noticed a Falco unit called falco-custom.service. You should use it when you want to run Falco with a custom configuration like a plugin. Please note that in this case you have to modify this template according to how you want to run Falco, the unit should not be used as is!

Configuration

The Falco configuration file is located at /etc/falco/falco.yaml. You can edit it to customize Falco's behavior.

Since Falco 0.38.0, a new config key, config_files, allows the user to load additional configuration files to override main config entries. This allows user to keep local customization between Falco upgrades. Its default value points to a new folder, /etc/falco/config.d/ that gets installed by Falco and will be processed to look for local configuration files.

Hot Reload

By default, with the watch_config_files configuration option enabled, Falco automatically monitors changes to configuration and rule files. When these files are modified, Falco will automatically reload the updated configuration without requiring a restart.

If this option is disabled, you can manually restart the Falco systemd service to apply the changes:

systemctl restart falco

Upgrade

`apt` (Debian/Ubuntu)

If you configured the apt repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, feel free to ignore this message

sed -i 's,https://dl.bintray.com/falcosecurity/deb,https://download.falco.org/packages/deb,' /etc/apt/sources.list.d/falcosecurity.list
apt-get clean
apt-get -y update

Check in the apt-get update log that https://download.falco.org/packages/deb is present.

If you installed Falco by following the provided instructions:

apt-get --only-upgrade install falco

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

If you configured the yum repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, feel free to ignore this message

sudo sed -i 's,https://dl.bintray.com/falcosecurity/rpm,https://download.falco.org/packages/rpm,' /etc/yum.repos.d/falcosecurity.repo
sudo yum clean all

Then check that the falcosecurity-rpm repository is pointing to https://download.falco.org/packages/rpm/:

sudo sudo yum repolist -v falcosecurity-rpm

If you installed Falco by following the provided instructions:

Check for updates:
```
sudo yum check-update
```
If a newer Falco version is available:
```
sudo yum update falco
```

`zypper` (openSUSE)

If you configured the zypper repository by having followed the instructions for Falco 0.27.0 or older, you may need to update the repository URL, otherwise, feel free to ignore this message

sudo sed -i 's,https://dl.bintray.com/falcosecurity/rpm,https://download.falco.org/packages/rpm,' /etc/zypp/repos.d/falcosecurity.repo
sudo zypper refresh

Then check that the falcosecurity-rpm repository is pointing to https://download.falco.org/packages/rpm/:

sudo zypper lr falcosecurity-rpm

If you installed Falco by following the provided instructions:

sudo zypper update falco

Kernel Upgrades

When performing kernel upgrades on your host, a reboot is required. When using a eBPF probe or a Kernel Module driver, the Falco driver loader (i.e., falcoctl driver) should be able to automatically find a pre-built driver (or build it on the fly) corresponding to the updated kernel release (uname -r), making it easy to handle kernel upgrades. The Falco Project features a kernel crawler and automated CI, ensuring you can always obtain the necessary pre-built driver artifact, even for the latest kernel releases we support.

Uninstall

`apt` (Debian/Ubuntu)

sudo apt-get --purge autoremove falco

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

sudo yum remove falco

`zypper` (openSUSE)

sudo zypper remove falco

Package signing

On December, 2025 we started rotating the GPG key used to sign Falco packages. Check out the related blog post and make sure you're using the most up-to-date key available at falco.org/repo/falcosecurity-packages.asc.

Most Falco packages available at download.falco.org are provided with a detached signature that can be used to verify that the package information downloaded from the remote repository can be trusted.

The latest trusted public GPG key used for packages signing can be downloaded from falco.org/repo/falcosecurity-packages.asc. The following table lists all the keys employed by the organization currently and in the past, including the revoked ones. We recommend updating the revoked keys to download their revocation certificate, and eventually removing them from your package verification system due to the signature made with them not being trustable anymore.

Fingerprint	Expiration	Usage	Status	Download
`478B2FBBC75F4237B731DA4365106822B35B1B1F`	2028-12-10	Signing Falco Packages	Trusted	falcosecurity-B35B1B1F.asc
`2005399002D5E8FF59F28CE64021833E14CB7A8D`	2026-01-17	Signing Falco Packages	Revoked	falcosecurity-14CB7A8D.asc
`15ED05F191E40D74BA47109F9F76B25B3672BA8F`	2023-02-24	Signing Falco Packages	Revoked	falcosecurity-3672BA8F.asc

Troubleshooting

This section aims to offer further guidance when something doesn't go as expected in the installation of Falco.

Unable to find a prebuilt driver

ERROR failed: unable to find a prebuilt driver

This error message appears when the falcoctl driver loader tool, which looks for the Falco driver and loads it in memory, is not able to find a pre-built driver, neither as an eBPF probe nor as a kernel module, at the [Falco driver repository] (https://download.falco.org).

You can easily browse and search the supported targets at download.falco.org/driver/site.

This means that there's no prebuilt driver available for the kernel running on the machine where Falco is going to be installed.

However, you can add your kernel release version to the build grid the pipeline refers to building the drivers. Follow this tutorial to contribute the required configuration.

There are a limited set of Linux distributions whose kernels are supported by the current prebuilt driver distribution pipeline.

driverkit is the tool used to build those drivers. Hence, it needs to support the specific Linux distribution. Find whether your Linux distribution is supported here.

Enable the BPF JIT Compiler

If you are using the eBPF probe, in order to ensure that performance is not degraded, make sure that:

Your kernel has CONFIG_BPF_JIT enabled
net.core.bpf_jit_enable is set to 1 (enable the BPF JIT Compiler)

This can be verified via sysctl -n net.core.bpf_jit_enable.

Docs: Install on a host (tarball)

Mon, 01 Jan 0001 00:00:00 +0000

For other installation scenarios, such as consuming cloud events or other data sources using plugins, please refer to the Plugins section.

There are two main methods to install Falco on your host using the released Falco packages:

RPM or DEB package (includes Systemd setup): For instructions, refer to the Install on a host (DEB, RPM) page.
Tarball archive: This method is detailed on this page.

System requirements

Install

In these steps, we are targeting a Debian-like system on x86_64 architecture. You can easily extrapolate similar steps for other distros or architectures.

Download the latest binary:

curl -L -O https://download.falco.org/packages/bin/x86_64/falco-0.43.0-x86_64.tar.gz

Install Falco:

tar -xvf falco-0.43.0-x86_64.tar.gz
cp -R falco-0.43.0-x86_64/* /

Install some required dependencies that are needed to build the kernel module and the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins, you can skip this step.

apt update -y
apt install -y dkms make linux-headers-$(uname -r)
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
apt install -y clang llvm

Use the falcoctl driver tool to configure Falco and install the kernel module or the eBPF probe. If you want to use other sources like the modern eBPF probe or plugins, you can skip this step.

To install the driver, write and execute permissions on the /tmp directory are required, since falcoctl will try to create and execute a script from there.

# If you want to use the kernel module, configure Falco for it
falcoctl driver config --type kmod
# If you want to use the eBPF probe, configure Falco for it
falcoctl driver config --type ebpf
# Install the chosen driver
falcoctl driver install

By default, the falcoctl driver install command tries to download a prebuilt driver from the official Falco download s3 bucket. If a driver is found, it is inserted into ${HOME}/.falco/. Otherwise, the script tries to compile the driver locally; for this reason, you need the dependencies in step [3].

You can use the environment variable FALCOCTL_DRIVER_REPOS to override the default repository URL for prebuilt drivers. The URL must not have a trailing slash, i.e., https://myhost.mydomain.com or, if the server has a subdirectory structure, https://myhost.mydomain.com/drivers. The drivers must be hosted with the following structure:

/${driver_version}/${arch}/falco_${target}_${kernelrelease}_${kernelversion}.[ko|o]

where ko and o stand for Kernel module and eBPF probe, respectively. This is an example:

/7.0.0+driver/x86_64/falco_amazonlinux2022_5.10.75-82.359.amzn2022.x86_64_1.ko

If you wish to print some debug info, you can use:

# If you want to use the kernel module, configure Falco for it
falcoctl driver printenv

Manual Systemd setup

The Falco .tar.gz archive doesn't include the Systemd setup. If you want to enable Falco to start automatically at boot time, you can still download systemd files from the Falco repo and place them in the /lib/systemd/system directory. Finally, you can follow the same instructions for enabling Systemd manually under the Install on a host (DEB, RPM) section.

Configuration

The Falco configuration file is located at /etc/falco/falco.yaml. You can edit it to customize Falco's behavior.

Since Falco 0.38.0, a new config key, config_files, allows the user to load additional configuration files to override main config entries; it allows users to keep local customization between Falco upgrades. Its default value points to a new folder, /etc/falco/config.d/, that gets installed by Falco and will be processed to look for local configuration files.

You can also override the default configuration by passing options to the falco binary. For example, to force the eBPF probe or the kernel module:

# Force eBPF probe
falco -o engine.kind=ebpf
# Force kernel module
falco -o engine.kind=kmod

Hot Reload

If this option is disabled, you can manually reload the configuration by sending a SIGHUP signal to the Falco process. To do this, use the following command:

kill -1 $(pidof falco)

Upgrade

If you are using the Kernel Module driver, please remove it with root privileges before upgrading Falco to avoid issues during the upgrade.

rmmod falco

When utilizing the eBPF probe driver, although not strictly required, you can remove the corresponding previous object files:

rm /root/.falco/*.o

With Modern eBPF, there is no requirement when updating Falco, as the driver is bundled within the Falco binary.

Once the driver is removed, ensure the falco daemon is not running, then you can follow the same steps as the Install section.

Uninstall

For the Falco binary, we don't provide specific update paths; you just have to remove files installed by the old tar.gz.

Docs: Specific Environments

Mon, 01 Jan 0001 00:00:00 +0000

GKE

Google Kubernetes Engine (GKE) uses Container-Optimized OS (COS) as the default operating system for its worker node pools. COS is a security-enhanced operating system that limits access to certain parts of the underlying OS. Because of this security constraint, Falco cannot insert its Kernel Module to process events for system calls. However, COS provides the ability to leverage eBPF (extended Berkeley Packet Filter) to supply the stream of system calls to the Falco engine.

To use Falco on GKE, you need to deploy using the Modern eBPF. The Modern eBPF is the default driver for Falco 0.38.0 and later, so no further action is required in this case.

gVisor

The gVisor engine has been deprecated in Falco 0.43.0 and will be removed in a future release. Until removal and since Falco 0.43.0, using it will result in a warning informing the user about the deprecation. Users are encouraged to switch to another engine, such as the modern eBPF probe, as the usage will result in an error after the removal.

Falco offers native support for gVisor. A specific configuration is necessary to integrate Falco with gVisor seamlessly. For detailed instructions, refer to the gVisor Event Source documentation.

Docs: Download

Mon, 01 Jan 0001 00:00:00 +0000

Falco and its ecosystem components are available as downloadable files and OCI (Open Container Initiative) artifacts. This page provides the official URLs for accessing these artifacts.

For a comprehensive overview of the available artifacts and their versioning, refer to the Falco release documentation.

Packages

For installation instructions, refer to the Install on a host (DEB, RPM) or the Install on a host (tarball) pages.

The tables below provide quick links for Falco packages hosted at download.falco.org.

Packages	Download for Linux x86_64
rpm
deb
binary

Packages	Download for Linux aarch64
rpm
deb
binary

Container images

For deployment instructions, refer to the Deploy as a container or the Deploy on Kubernetes pages.

The tables below provide quick pull commands for Falco container images hosted at Docker Hub.

tag	pull command	description
latest	`docker pull falcosecurity/falco:latest`	Distroless image with the latest released of Falco. No tools are included in the image.
version	`docker pull falcosecurity/falco:<version>`	Distroless image with a specific version of Falco such as `0.43.0`. No tools are included in the image.
latest-debian	`docker pull falcosecurity/falco:latest-debian`	Debian-based image with the latest released of Falco. Available since Falco 0.40.
version-debian	`docker pull falcosecurity/falco:<version>-debian`	Debian-based image with a specific version of Falco such as `0.43.0`. Available since Falco 0.40.
latest	`docker pull falcosecurity/falco-driver-loader:latest`	Debian-based image with the most recent Falco driver loader and the building toolchain.
version	`docker pull falcosecurity/falco-driver-loader:<version>`	Debian-based image with specific version of `falco-driver-loader` such as `0.43.0` and the building toolchain.
latest-buster	`docker pull falcosecurity/falco-driver-loader:latest`	Same as `falco-driver-loader:latest` but based on Debian `buster`. Available since Falco 0.40.
version-buster	`docker pull falcosecurity/falco-driver-loader:<version>`	Same as `falco-driver-loader:<version>` but based on Debian `buster`. Available since Falco 0.40.

Rules

The Falco packages and container images come with a built-in ruleset file (including only rules with maturity stable level). Those rules and others with different maturity levels are available as downloadable files at download.falco.org and are also available as OCI artifacts (refer to falcoctl documentation for downloading and installing OCI artifacts).

Plugins

Plugins hosted by The Falco Project are available as downloadable packages at download.falco.org and are also available as OCI artifacts (refer to falcoctl documentation for downloading and installing OCI artifacts).

Drivers

When using Falco for Kernel Events (i.e., with the syscall data source enabled), the Falco binary relies on having a driver available on the host system.

Starting from Falco 0.38.0, the default driver is the Modern eBPF driver, which is included in the Falco binary and built using the CO-RE "Compile Once - Run Everywhere" technology. If your system satisfies the modern eBPF driver requirements, no further action is needed. Otherwise, you need to use the Kernel Module, which provides wider compatibility.

In brief, you don't need to install a driver if you are either:

using the modern eBPF driver (default option)
or if you are using only plugin data sources.

Pre-built Falco drivers for a vast variety of Linux Kernel releases are distributed at download.falco.org.

To download a pre-built driver, navigate to the driver versions' directory that is compatible with the Falco binary you're currently using (check with falco --version), then download the kernel artifact corresponding to your kernel release (uname -r) for either .ko (kernel module) or .o (legacy eBPF driver, deprecated). To make this easier, Falco comes with the falcoctl tool that automates the driver download (or tries to build it on the fly). The Install guide will explain this more, and the text blob below also has more information.

Tools

Falcoctl

falcoctl is a command-line tool that helps you manage Falco and its ecosystem components. It is included in the Falco distribution and can be used to download and install Falco drivers, rules, plugins, and other artifacts.

You can also manually download falcoctl from GitHub releases.

Helm Charts

For deployment instructions using Helm, please refer to the Deploy on Kubernetes page.

The Falco Project provides various Helm charts and documentation for Falco and its ecosystem tools.

For detailed information about these charts, refer to the Falco Helm Charts repository.

For information about how to download and install Helm, see the official Helm installation guide.

View Installing Helm Guide

Falco – Setup

Docs: Deploy on Kubernetes with the Operator

Overview

Prerequisites

Install the Operator

Full Stack Quickstart

Step-by-Step Quickstart

Deploy Falco

Add the Container Plugin

Add Detection Rules

Add Other Plugins

Add Ecosystem Components

Falcosidekick

Falcosidekick UI

k8s-metacollector

Customize Configuration

Deployment Modes

DaemonSet (default)

Deployment

Uninstall

Learn More

Docs: Deploy on Kubernetes with Helm

Install

Configuration

Upgrade

Uninstall

Docs: Deploy as a container

Install

Fully Privileged

Modern eBPF

Kernel Module

eBPF Probe

Least Privileged (Recommended)

Modern eBPF

Kernel Module

eBPF Probe

Driver Installation

Kernel Module

eBPF Probe

Verify Image Signing

Configuration

Docs: Install on a host (DEB, RPM)

System requirements

Install

Env variables

apt (Debian/Ubuntu)

yum (CentOS/RHEL/Fedora/Amazon Linux)

zypper (openSUSE)

Systemd setup

Setup with dialog

Manual configuration

Configuring services

Falcoctl service (automatic rules update)

Custom service

Configuration

Hot Reload

Upgrade

apt (Debian/Ubuntu)

yum (CentOS/RHEL/Fedora/Amazon Linux)

zypper (openSUSE)

Kernel Upgrades

Uninstall

apt (Debian/Ubuntu)

yum (CentOS/RHEL/Fedora/Amazon Linux)

zypper (openSUSE)

Package signing

Troubleshooting

Unable to find a prebuilt driver

Enable the BPF JIT Compiler

Docs: Install on a host (tarball)

System requirements

Install

Manual Systemd setup

Configuration

Hot Reload

Upgrade

Uninstall

Docs: Specific Environments

GKE

gVisor

`apt` (Debian/Ubuntu)

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

`zypper` (openSUSE)

`apt` (Debian/Ubuntu)

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

`zypper` (openSUSE)

`apt` (Debian/Ubuntu)

`yum` (CentOS/RHEL/Fedora/Amazon Linux)

`zypper` (openSUSE)