Try Falco on Linux
In this scenario, you will learn how to install Falco on an Ubuntu host, trigger a Falco rule by generating a suspicious event, and then examine the output.
This activity aims to give you a quick example of how Falco works. After you complete it, you should be able to move on to trying Falco on Kubernetes, or spend some time with the additional resources.
Prerequisites
This lab is based on installing Falco using the kernel module on Ubuntu.
The scenario has been tested using VirtualBox and Lima (for MacBooks running Apple Silicon).
While this tutorial may work with Ubuntu running on a cloud provider or another virtualization platform, it has not been tested.
VirtualBox setup
The following steps will set up a VirtualBox virtual machine running Ubuntu 20.04.
- Install VirtualBox and Vagrant according to the instructions appropriate for your local system.
- Issue the following commands from the command line to create an Ubuntu 20.04 virtual machine.
- Log into the newly launched virtual machine and continue to the Install Falco section below (the default password is vagrant).
Lima setup for Apple silicon (M1/M2)
This section explains how to create an Ubuntu 22.04 VM on Apple computers running M1 silicon (as opposed to Intel).
If you are unsure what processor your Apple machine is running, you can find out by clicking the Apple icon in the upper left and choosing "About this Mac". The first item listed, Chip, tells you what silicon you're running on.
- Install Homebrew according to the project's documentation.
- Use Homebrew to install Lima.
- Create an Ubuntu 20.04 VM with Lima.
- Shell into the Ubuntu VM, and once you're in the VM, continue to the Install Falco section.
Install Falco
Regardless of which setup you used above, this section will show you how to install Falco on a host system. You'll begin by updating the package repository. Next, you'll install the Linux headers and the dialog package. Then you'll install Falco and ensure it's up and running.
Set up the package repository
- Add the Falco repository key.
- Add the Falco repository.
- Read the repository contents.
Install the Linux headers and dialog
- Install the Linux kernel headers, dkms, and make, which are required to compile the Falco driver, and dialog, which is used by the Falco installer.
Install Falco
- Install the latest Falco version.
When prompted, choose the Kmod option. This will compile the Falco module for your specific kernel version.
When prompted, choose Yes. Although we won't use the functionality in this exercise, this option allows Falco to update its rules automatically.
Wait for the Falco installation to complete - this should only take a few minutes.
Verify Falco is running
- Make sure the Falco service is running.
The output should be similar to the following:
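Putting the repository, header, package and verification steps above into one script, as an added example that is not code from this page or from the Falco project. The repository key URL, keyring path and apt source line are taken from my knowledge of the Falco package instructions, not from this page; the systemd unit name falco is the one the page refers to, and on packages where the unit is named differently, `systemctl list-units 'falco*'` shows what to check instead. The installer prompts described above still appear, since the falco package is installed interactively here.

```shell
#!/bin/sh
# Added example (not from the Falco docs page): install Falco on Ubuntu with the
# kernel-module driver, following the page's steps. Assumptions: repository key
# URL, keyring path and apt source line below; unit name "falco".
set -eu

KEYRING=/usr/share/keyrings/falco-archive-keyring.gpg
REPO_KEY_URL=https://falco.org/repo/falcosecurity-packages.asc
REPO_LINE="deb [signed-by=$KEYRING] https://download.falco.org/packages/deb stable main"

# Fail early if a required command is missing; returns 1 and names the gap.
need_cmds() {
  for c in "$@"; do
    command -v "$c" >/dev/null 2>&1 || { echo "missing required command: $c" >&2; return 1; }
  done
}

# Step 1: add the repository key and the repository, then read its contents.
add_falco_repo() {
  # The key goes into its own keyring and the source is pinned to it with
  # signed-by, so this key cannot validate packages from any other repository.
  curl -fsSL "$REPO_KEY_URL" | sudo gpg --dearmor -o "$KEYRING"
  echo "$REPO_LINE" | sudo tee /etc/apt/sources.list.d/falcosecurity.list >/dev/null
  sudo apt-get update -y
}

# Step 2: headers must match the running kernel or the dkms build of the driver fails.
install_build_deps() {
  sudo apt-get install -y "linux-headers-$(uname -r)" dkms make dialog
}

# Step 3: interactive install; choose Kmod at the driver prompt and Yes at the
# automatic rules-update prompt, as the page describes.
install_falco() {
  sudo apt-get install -y falco
}

# Step 4: confirm the service is up (exit status 0 only when active).
verify_falco() {
  sudo systemctl is-active --quiet falco && echo "falco is running"
}

main() {
  need_cmds curl gpg sudo apt-get uname
  add_falco_repo
  install_build_deps
  install_falco
  verify_falco
}

# Only run the privileged steps when invoked as "./falco-lab.sh install", so the
# file can be sourced for its functions without touching the system.
if [ "${1:-}" = "install" ]; then
  main
fi
```

Run it on the lab VM as `sh falco-lab.sh install`; without the argument it defines the functions and exits, which is also how the script is checked on a machine that is not the lab VM.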
See Falco in action
Generate a suspicious event
- There is a Falco rule that is designed to trigger whenever someone accesses a sensitive file (/etc/shadow is one such file). Run the following command to trigger that rule.
Examine Falco's output
One of the endpoints that Falco can write output to is syslog. There are multiple ways to examine the system logs; this exercise features two of them: using journalctl, and simply using cat on the log file.
Using journalctl
- Run the following command to retrieve Falco messages that have been generated with a priority of warning:
You should see output similar to the following:
Using /var/log/syslog
- Log messages describing Falco's activity are logged to syslog. Run the following command to retrieve Falco logs:
You should see output similar to the following:
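The two log-reading steps above, plus the trigger from the Generate a suspicious event section, as an added example that is not code from this page or from the Falco project. The log lines are constructed for the demo (host name, times and the exact rule fields are made up); the script assumes the syslog tag is `falco:` or `falco[PID]:` and that each Falco line starts with its own timestamp followed by the rule priority. It goes a little beyond the page by filtering on any priority threshold, not only warning, and by extracting the file each alert names.

```shell
#!/bin/sh
# Added example, not code from the Falco docs page. Filters Falco alerts out of
# syslog-format lines by priority and pulls out the file each alert names.
# Assumptions: syslog tag "falco:" or "falco[PID]:"; the Falco message starts
# with its own timestamp and then the rule priority (Warning, Error, ...).

# Constructed sample of /var/log/syslog content; only the shape is realistic.
SAMPLE_SYSLOG='Jun 30 14:38:21 falco-lab systemd[1]: Started Falco: Container Native Runtime Security.
Jun 30 14:38:22 falco-lab falco: 14:38:22.123456789: Notice Falco initialized with configuration file /etc/falco/falco.yaml
Jun 30 14:38:40 falco-lab falco: 14:38:40.987654321: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=1000 program=cat command=cat /etc/shadow file=/etc/shadow parent=bash gparent=sudo container_id=host image=<NA>)
Jun 30 14:39:05 falco-lab sshd[812]: Accepted publickey for vagrant from 10.0.2.2 port 50122 ssh2
Jun 30 14:39:10 falco-lab falco: 14:39:10.111111111: Error File below /etc opened for writing (user=root command=vi /etc/hosts file=/etc/hosts parent=bash container_id=host image=<NA>)'

# Keep only Falco lines whose priority is at least as severe as $1 (e.g. warning).
# Severity order is the syslog one, which is what "journalctl -p warning" applies:
# emergency > alert > critical > error > warning > notice > informational > debug.
falco_alerts_at_least() {
  awk -v thr="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN {
      n = split("emergency alert critical error warning notice informational debug", names, " ")
      for (i = 1; i <= n; i++) rank[names[i]] = i       # 1 = most severe
      if (!(thr in rank)) { print "unknown priority: " thr > "/dev/stderr"; exit 2 }
    }
    $5 ~ /^falco(\[[0-9]+\])?:$/ && (tolower($7) in rank) && rank[tolower($7)] <= rank[thr]
  '
}

# Print the file= value from each Falco alert, i.e. the path the rule flagged.
falco_flagged_files() {
  awk '
    $5 ~ /^falco(\[[0-9]+\])?:$/ {
      for (i = 8; i <= NF; i++)
        if ($i ~ /^\(?file=/) { sub(/^\(?file=/, "", $i); sub(/\)$/, "", $i); print $i }
    }
  '
}

# On the lab VM: the trigger from the page and the two log sources it lists.
# Not called here, because they need root and a live Falco install.
trigger_test_alert()     { sudo cat /etc/shadow >/dev/null; }
falco_journal_warnings() { sudo journalctl _COMM=falco -p warning --no-pager; }
falco_syslog_lines()     { sudo grep -w falco /var/log/syslog; }

# Offline demo on the constructed sample: two alerts at warning or above, then
# the two flagged paths.
printf '%s\n' "$SAMPLE_SYSLOG" | falco_alerts_at_least warning
printf '%s\n' "$SAMPLE_SYSLOG" | falco_flagged_files
```

On the VM, `falco_syslog_lines | falco_alerts_at_least warning` gives the same view as the journalctl command, and `falco_flagged_files` is a quick way to see which paths the sensitive-file rule has reported since boot.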
Cleanup
Remove the Lima virtual machine
If you wish, remove the Lima virtual machine.
Remove the VirtualBox virtual machine
If you wish, remove the VirtualBox virtual machine.
Be sure you are in the same directory as the Vagrantfile.
Congratulations, you finished this scenario!
Check out other items in our Getting Started section, including installing Falco on Kubernetes or learning more about Falco's architecture and features in the additional resources section.