https://v0-43--falcosecurity.netlify.app/tags/tutorial/Recent content in Tutorial on FalcoHugo -- gohugo.ioenTue, 20 Sep 2022 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/Tue, 20 Sep 2022 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/ <p>Hello, Falcoers!</p> <p>Do you want to run Falco on Apple ARM M1 CPUs? Since <a href="https://github.com/falcosecurity/falco/releases/tag/0.32.1">Falco 0.32.1</a>, you can! It requires a Linux virtual machine (VM) since Falco doesn't run on OSX, but it is pretty straightforward.</p> <p>Let's go step by step:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#setting-up-the-environment">Setting up the environment</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#creating-a-vm">Creating a VM</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#creating-an-emulated-x86_64-vm">Creating an Emulated <code>x86_64</code> VM</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#lima-tips">Lima Tips</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#installing-falco">Installing Falco</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#installing-the-falco-driver">Installing the Falco driver</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#running-falco">Running Falco</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#falco-on-m1-on-kubernetes">Falco on M1 on Kubernetes</a> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#creating-a-kubernetes-cluster">Creating a Kubernetes cluster</a></li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#deploying-falco-via-helm">Deploying Falco via Helm</a></li> </ul> </li> <li><a href="https://v0-43--falcosecurity.netlify.app/blog/falco-apple-silicon/#conclusion">Conclusion</a></li> </ul> <h3 id="setting-up-the-environment">Setting up the environment</h3> <p>There are a few ways to create a Linux VM on OSX using Apple Silicon, using <a href="https://mac.getutm.app/">UTM</a>, <a href="https://www.vmware.com/products/fusion/fusion-evaluation.html">VMWare Fusion</a>, or <a href="https://www.parallels.com/es/">Parallels</a>. In this case we are going to use <a href="https://github.com/lima-vm/lima">Lima</a>, an open source project based on QEMU with lots of features, including the ability to run ARM VMs on Apple Silicon (hint: <a href="https://rancherdesktop.io/">Rancher Desktop</a> is based on Lima).</p> <p>To install Lima, it is required to install Homebrew first. If you have Homebrew already installed, you can just skip those steps.</p> <p><strong>NOTE:</strong> It is highly recommended to read the <a href="https://docs.brew.sh/Installation">installation options</a> before copying and pasting random commands. :)</p> <p>Open the macOS terminal and paste the following snippet:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ /bin/bash -c <span style="color:#b44">&#34;</span><span style="color:#a2f;font-weight:bold">$(</span>curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh<span style="color:#a2f;font-weight:bold">)</span><span style="color:#b44">&#34;</span> </span></span></code></pre></div><p>After Homebrew is added, install lima as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ brew install lima </span></span></code></pre></div><h4 id="creating-a-vm">Creating a VM</h4> <p>Lima has different <a href="https://lima-vm.io/docs/templates/">templates</a> already available to choose from:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl start --list-templates </span></span><span style="display:flex;"><span>almalinux </span></span><span style="display:flex;"><span>alpine </span></span><span style="display:flex;"><span>archlinux </span></span><span style="display:flex;"><span>buildkit </span></span><span style="display:flex;"><span>centos-stream </span></span><span style="display:flex;"><span>debian </span></span><span style="display:flex;"><span>default </span></span><span style="display:flex;"><span>deprecated/centos-7 </span></span><span style="display:flex;"><span>docker-rootful </span></span><span style="display:flex;"><span>docker </span></span><span style="display:flex;"><span>experimental/9p </span></span><span style="display:flex;"><span>experimental/almalinux-9 </span></span><span style="display:flex;"><span>experimental/apptainer </span></span><span style="display:flex;"><span>experimental/centos-stream-9 </span></span><span style="display:flex;"><span>experimental/opensuse-tumbleweed </span></span><span style="display:flex;"><span>experimental/oraclelinux-9 </span></span><span style="display:flex;"><span>experimental/riscv64 </span></span><span style="display:flex;"><span>experimental/rocky-9 </span></span><span style="display:flex;"><span>faasd </span></span><span style="display:flex;"><span>fedora </span></span><span style="display:flex;"><span>k3s </span></span><span style="display:flex;"><span>k8s </span></span><span style="display:flex;"><span>nomad </span></span><span style="display:flex;"><span>opensuse </span></span><span style="display:flex;"><span>oraclelinux </span></span><span style="display:flex;"><span>podman </span></span><span style="display:flex;"><span>rocky </span></span><span style="display:flex;"><span>singularity </span></span><span style="display:flex;"><span>ubuntu-lts </span></span><span style="display:flex;"><span>ubuntu </span></span><span style="display:flex;"><span>vmnet </span></span></code></pre></div><p>You can see the definition of those templates <a href="https://github.com/lima-vm/lima/tree/master/examples">here</a>.</p> <p>For this exercise, we are going to launch a Fedora machine named 'falco-fedora' as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl start --name<span style="color:#666">=</span>falco-fedora template://fedora </span></span></code></pre></div><p>The previous command allows you to edit the template, choose a different one, or just deploy the VM (hint: you can skip that step using the <code>--tty=false</code> flag).</p> <p>After a few seconds, you have a Fedora VM already available! Let's connect into it:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl shell falco-fedora </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ uname -a </span></span><span style="display:flex;"><span>Linux lima-falco-fedora 6.5.6-300.fc39.aarch64 <span style="color:#080;font-style:italic">#1 SMP PREEMPT_DYNAMIC Fri Oct 6 19:36:57 UTC 2023 aarch64 GNU/Linux</span> </span></span><span style="display:flex;"><span>$ cat /etc/fedora-release </span></span><span style="display:flex;"><span>Fedora release <span style="color:#666">39</span> <span style="color:#666">(</span>Thirty Nine<span style="color:#666">)</span> </span></span></code></pre></div><p>Before moving forward, let's update the packages to the most recent versions and reboot the VM to use the latest kernel available:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ sudo bash -c <span style="color:#b44">&#34;dnf clean all &amp;&amp; \ </span></span></span><span style="display:flex;"><span><span style="color:#b44"> dnf update -y &amp;&amp; \ </span></span></span><span style="display:flex;"><span><span style="color:#b44"> reboot&#34;</span> </span></span></code></pre></div><p>After a few minutes, the VM is updated and rebooted. Now it is time to install Falco!</p> <h4 id="creating-an-emulated-x86-64-vm">Creating an Emulated <code>x86_64</code> VM</h4> <p>Would you like to test in an emulated <code>x86_64</code> VM? Let's set up the same Fedora VM for the <code>x86_64</code> architecture.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl start --vm-type<span style="color:#666">=</span>qemu --arch<span style="color:#666">=</span>x86_64 --name<span style="color:#666">=</span>falco-fedora-x86_64 template://fedora </span></span></code></pre></div><p>Drop into the VM interactively:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl shell falco-fedora-x86_64 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ uname -a </span></span><span style="display:flex;"><span>Linux lima-falco-fedora-x8664 6.5.6-300.fc39.x86_64 <span style="color:#080;font-style:italic">#1 SMP PREEMPT_DYNAMIC Fri Oct 6 19:57:21 UTC 2023 x86_64 GNU/Linux</span> </span></span><span style="display:flex;"><span>$ cat /etc/fedora-release </span></span><span style="display:flex;"><span>Fedora release <span style="color:#666">39</span> <span style="color:#666">(</span>Thirty Nine<span style="color:#666">)</span> </span></span></code></pre></div><p><strong>NOTE</strong> : You can always install your own custom kernel and reboot the VM into that new kernel.</p> <h4 id="lima-tips">Lima Tips</h4> <ul> <li>Checkout the <a href="https://lima-vm.io/docs/examples/#advanced-configuration">Advanced Configuration</a>. For example, using additional flags such as <code>--memory 8 --cpus 8 --mount-type &quot;reverse-sshfs&quot; --mount-writable</code> when starting the VM allows for easy testing of your custom rules since your cwd from your macOS host is automatically mounted.</li> <li>After rebooting the VM, we observed that mounts may not work anymore. However, leveraging <a href="https://lima-vm.io/docs/reference/limactl_edit/">limactl edit</a> can fix it.</li> <li>If you encounter issues, you can force stop and delete the VM, and then rebuild it. For instance, you can use the following commands: <code>limactl stop -f falco-fedora-x86_64 || true; limactl delete falco-fedora-x86_64 || true;</code>.</li> </ul> <h3 id="installing-falco">Installing Falco</h3> <p>Let's connect to the VM again and install Falco following the <a href="https://falco.org/docs/getting-started/installation/#centos-rhel">official documentation</a>:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl shell falco-fedora </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ sudo bash -c <span style="color:#b44">&#34;rpm --import https://falco.org/repo/falcosecurity-packages.asc &amp;&amp; \ </span></span></span><span style="display:flex;"><span><span style="color:#b44"> curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo &amp;&amp; \ </span></span></span><span style="display:flex;"><span><span style="color:#b44"> dnf install falco -y&#34;</span> </span></span></code></pre></div><p>This will install the Falco repository and signature and then install the Falco binaries and dependencies (including make and the kernel headers).</p> <h4 id="installing-the-falco-driver">Installing the Falco Driver</h4> <p>Falco depends on a driver that taps into the stream of system calls on a machine and passes them to user space. This driver can be either a kernel module or an eBPF probe (see the <a href="https://falco.org/docs/event-sources/drivers/">driver official documentation</a> for more information).</p> <p>In this exercise, we are going to go the eBPF route. But first, let's see if we have BPF JIT enabled (see <a href="https://falco.org/docs/getting-started/installation/#install-driver">here</a> why it is recommended):</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ grep <span style="color:#b8860b">CONFIG_BPF_JIT</span><span style="color:#666">=</span> /boot/config-<span style="color:#a2f;font-weight:bold">$(</span>uname -r<span style="color:#a2f;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">CONFIG_BPF_JIT</span><span style="color:#666">=</span>y </span></span><span style="display:flex;"><span>$ sysctl -n net.core.bpf_jit_enable </span></span><span style="display:flex;"><span><span style="color:#666">1</span> </span></span></code></pre></div><p>Great, now let's install some packages required to build the eBPF probe:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ sudo dnf install -y clang llvm </span></span></code></pre></div><p>Finally, let's run the <code>falco-driver-loader</code> script to build the eBPF probe using the <code>bpf</code> command argument as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ sudo falco-driver-loader bpf </span></span></code></pre></div><p>The output should look like:</p> <pre tabindex="0"><code>* Running falco-driver-loader for: falco version=0.32.2, driver version=2.0.0+driver * Running falco-driver-loader with: driver=bpf, compile=yes, download=yes * Mounting debugfs * Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/2.0.0%2Bdriver/aarch64/falco_fedora_5.19.8-200.fc36.aarch64_1.o curl: (22) The requested URL returned error: 404 Unable to find a prebuilt falco eBPF probe * Trying to compile the eBPF probe (falco_fedora_5.19.8-200.fc36.aarch64_1.o) ... * eBPF probe located in /root/.falco/falco_fedora_5.19.8-200.fc36.aarch64_1.o * Success: eBPF probe symlinked to /root/.falco/falco-bpf.o </code></pre><p>The eBPF probe has been built and we are ready to go!</p> <h3 id="running-falco">Running Falco</h3> <p>The last step is to run Falco as a service as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ sudo systemctl <span style="color:#a2f">enable</span> --now falco </span></span></code></pre></div><p>The journalctl logs should look like:</p> <pre tabindex="0"><code>$ sudo journalctl -fu falco Sep 15 11:07:41 lima-falco-fedora systemd[1]: Starting falco.service - Falco: Container Native Runtime Security... Sep 15 11:07:41 lima-falco-fedora systemd[1]: Started falco.service - Falco: Container Native Runtime Security. Sep 15 11:07:41 lima-falco-fedora falco[21290]: Falco version 0.32.2 Sep 15 11:07:41 lima-falco-fedora falco[21290]: Falco initialized with configuration file /etc/falco/falco.yaml Sep 15 11:07:41 lima-falco-fedora falco[21290]: Loading rules from file /etc/falco/falco_rules.yaml: Sep 15 11:07:41 lima-falco-fedora falco[21290]: Loading rules from file /etc/falco/falco_rules.local.yaml: Sep 15 11:07:41 lima-falco-fedora falco[21290]: Starting internal webserver, listening on port 8765 Sep 15 11:07:54 lima-falco-fedora falco[21290]: 11:07:54.233793746: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=-1 program=systemd-userwor command=systemd-userwor file=/etc/shadow parent=systemd-userdbd gparent=systemd ggparent=&lt;NA&gt; gggparent=&lt;NA&gt; container_id=host image=&lt;NA&gt;) </code></pre><p>Profit!!!</p> <blockquote> <p>The last line in the output shows a Falco rule has already been triggered by running the previous systemctl command, so everything is working as it should. Yay!</p> </blockquote> <h3 id="falco-on-m1-on-kubernetes">Falco on M1 on Kubernetes</h3> <p>Running Falco on a single host is great, but what about running it in Kubernetes on your Apple hardware? Let's do it!</p> <h4 id="creating-a-kubernetes-cluster">Creating a Kubernetes cluster</h4> <p>This time, we will leverage the <a href="https://github.com/lima-vm/lima/blob/master/examples/k8s.yaml">k8s</a> Lima template (basically, a vanilla Ubuntu 22.04 VM plus what is required to run Kubernetes via <a href="https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/">kubeadm</a>) to have a single node Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ limactl start --name<span style="color:#666">=</span>falco-k8s template://k8s --tty<span style="color:#666">=</span><span style="color:#a2f">false</span> </span></span></code></pre></div><p>After a few minutes, our Kubernetes cluster is ready to be used. But first, let's get the Kubeconfig file needed to interact with the cluster:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ mkdir -p <span style="color:#b44">&#34;</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">HOME</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">/.lima/falco-k8s/conf&#34;</span> </span></span><span style="display:flex;"><span>$ <span style="color:#a2f">export</span> <span style="color:#b8860b">KUBECONFIG</span><span style="color:#666">=</span><span style="color:#b44">&#34;</span><span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">HOME</span><span style="color:#b68;font-weight:bold">}</span><span style="color:#b44">/.lima/falco-k8s/conf/kubeconfig.yaml&#34;</span> </span></span><span style="display:flex;"><span>$ limactl shell falco-k8s sudo cat /etc/kubernetes/admin.conf &gt;<span style="color:#b8860b">$KUBECONFIG</span> </span></span><span style="display:flex;"><span>$ chmod <span style="color:#666">0600</span> <span style="color:#b68;font-weight:bold">${</span><span style="color:#b8860b">KUBECONFIG</span><span style="color:#b68;font-weight:bold">}</span> </span></span></code></pre></div><p>Then, we are ready to go:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl get pods -A </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAMESPACE NAME READY STATUS RESTARTS AGE </span></span><span style="display:flex;"><span>kube-flannel kube-flannel-ds-rjk74 1/1 Running <span style="color:#666">0</span> 17s </span></span><span style="display:flex;"><span>kube-system coredns-565d847f94-5277n 0/1 Running <span style="color:#666">0</span> 17s </span></span><span style="display:flex;"><span>kube-system coredns-565d847f94-spkgc 1/1 Running <span style="color:#666">0</span> 17s </span></span><span style="display:flex;"><span>kube-system etcd-lima-falco-k8s 1/1 Running <span style="color:#666">0</span> 31s </span></span><span style="display:flex;"><span>kube-system kube-apiserver-lima-falco-k8s 1/1 Running <span style="color:#666">0</span> 31s </span></span><span style="display:flex;"><span>kube-system kube-controller-manager-lima-falco-k8s 1/1 Running <span style="color:#666">0</span> 32s </span></span><span style="display:flex;"><span>kube-system kube-proxy-265h6 1/1 Running <span style="color:#666">0</span> 17s </span></span><span style="display:flex;"><span>kube-system kube-scheduler-lima-falco-k8s 1/1 Running <span style="color:#666">0</span> 33s </span></span></code></pre></div><h4 id="deploying-falco-via-helm">Deploying Falco via Helm</h4> <p>We leverage <a href="https://helm.sh">Helm</a> to deploy Falco on our Kubernetes cluster using the official <a href="https://github.com/falcosecurity/charts/tree/master/charts/falco">Falco helm chart</a>.</p> <p>To install Helm, we can use brew as:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ brew install helm </span></span></code></pre></div><p>Then, we need to add the <code>falcosecurity</code> helm repository and install the <code>falcosecurity/falco</code> chart.</p> <blockquote> <p>For this basic example we are just going to enable eBPF as we did before, but there are tons of parameters and configurations that can be tweaked. Check the <a href="https://github.com/falcosecurity/charts/tree/master/charts/falco">official documentation</a> to know more.</p> </blockquote> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span style="display:flex;"><span>$ helm repo update </span></span><span style="display:flex;"><span>$ helm install falco falcosecurity/falco --namespace falco --create-namespace --set driver.kind<span style="color:#666">=</span>modern-bpf </span></span></code></pre></div><p>This will trigger the deployment of Falco on your Kubernetes cluster. The <code>falco-driver-loader</code> init container will perform all the steps required to build the eBPF probe (hint: the kernel headers are already included in the VM) as you can see with the following snippet:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs -n falco <span style="color:#a2f;font-weight:bold">$(</span>kubectl get po -n falco -l app.kubernetes.io/name<span style="color:#666">=</span>falco -o name<span style="color:#a2f;font-weight:bold">)</span> -c falco-driver-loader </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>* Setting up /usr/src links from host </span></span><span style="display:flex;"><span>* Running falco-driver-loader <span style="color:#a2f;font-weight:bold">for</span>: falco <span style="color:#b8860b">version</span><span style="color:#666">=</span>0.32.2, driver <span style="color:#b8860b">version</span><span style="color:#666">=</span>2.0.0+driver </span></span><span style="display:flex;"><span>* Running falco-driver-loader with: <span style="color:#b8860b">driver</span><span style="color:#666">=</span>bpf, <span style="color:#b8860b">compile</span><span style="color:#666">=</span>yes, <span style="color:#b8860b">download</span><span style="color:#666">=</span>yes </span></span><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span>* eBPF probe located in /root/.falco/falco_ubuntu-generic_5.15.0-47-generic_51.o </span></span><span style="display:flex;"><span>* Success: eBPF probe symlinked to /root/.falco/falco-bpf.o </span></span></code></pre></div><p>And then, the falco pod should be running:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ kubectl logs -n falco <span style="color:#a2f;font-weight:bold">$(</span>kubectl get po -n falco -l app.kubernetes.io/name<span style="color:#666">=</span>falco -o name<span style="color:#a2f;font-weight:bold">)</span> -c falco </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Thu Sep <span style="color:#666">15</span> 13:03:03 2022: Falco version 0.32.2 </span></span><span style="display:flex;"><span>Thu Sep <span style="color:#666">15</span> 13:03:03 2022: Falco initialized with configuration file /etc/falco/falco.yaml </span></span><span style="display:flex;"><span>Thu Sep <span style="color:#666">15</span> 13:03:03 2022: Loading rules from file /etc/falco/falco_rules.yaml: </span></span><span style="display:flex;"><span>Thu Sep <span style="color:#666">15</span> 13:03:04 2022: Loading rules from file /etc/falco/falco_rules.local.yaml: </span></span><span style="display:flex;"><span>Thu Sep <span style="color:#666">15</span> 13:03:04 2022: Starting internal webserver, listening on port <span style="color:#666">8765</span> </span></span></code></pre></div><p>Yay!</p> <h3 id="conclusion">Conclusion</h3> <p>You have learned how to set up a Linux VM to run Falco with the help of Lima in your ARM-powered Apple hardware.</p> <p>You can find us in the <a href="https://github.com/falcosecurity/community">Falco community</a>. Please feel free to reach out to us for any questions, suggestions, or just a friendly chat!</p> <p>If you would like to find out more about Falco:</p> <ul> <li>Get started in <a href="http://falco.org/">Falco.org</a>.</li> <li>Check out the <a href="https://github.com/falcosecurity/falco">Falco project in GitHub</a>.</li> <li>Get involved in the <a href="https://falco.org/community/">Falco community</a>.</li> <li>Meet the maintainers on the <a href="https://kubernetes.slack.com/?redir=%2Farchives%2FCMWH3EH32">Falco Slack</a>.</li> <li>Follow <a href="https://twitter.com/falco_org">@falco_org on Twitter</a>.</li> </ul>