
Falco Installation on Ubuntu 

  • Falco is the de facto standard for runtime security in Linux and Kubernetes environments.
  • Uses modern eBPF or kernel modules to monitor system calls efficiently.
  • Can alert you in real time via logs, Slack, webhooks, or other integrations.
  • Ideal for DevOps, security engineers, and sysadmins who need visibility into system-level activity.

Add the GPG key

curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

Add the Falco repository

sudo bash -c 'cat << EOF > /etc/apt/sources.list.d/falcosecurity.list
deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main
EOF'

Update your package list

sudo apt-get update -y

Install dialog (used by the installer)

The Falco package's installer uses dialog to show the prompts (driver choice, automatic ruleset updates) during installation, so install it first.

sudo apt-get install -y dialog

Install Falco

You’re now ready to install the Falco runtime:

sudo apt-get install -y falco

During the install:

  • Choose the Modern eBPF driver when prompted.
  • Enable automatic ruleset updates (optional but recommended).

These options enable modern syscall tracing and future-proof rule updates.
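The steps above collected into one script, as an added example (this is not Falco's own installer, and the package's interactive prompts for the driver and ruleset updates still appear as described). It assumes an apt-based Ubuntu host with sudo and curl available; the two helper checks verify the sources line pins the Falco keyring and that the unit reports running. Only the --install argument changes the system; without it the script just prints the sources line it would write.

```shell
#!/bin/sh
# Added example, not Falco's own installer: the install steps from the page
# assembled into one script. Assumes apt-based Ubuntu with sudo and curl.
set -eu

KEY_URL=https://falco.org/repo/falcosecurity-packages.asc
KEYRING=/usr/share/keyrings/falco-archive-keyring.gpg
REPO_URL=https://download.falco.org/packages/deb
SOURCES=/etc/apt/sources.list.d/falcosecurity.list

# The one-line apt source. signed-by limits trust for this repository to the
# Falco keyring instead of every key in apt's global trust store.
falco_apt_line() {
  printf 'deb [signed-by=%s] %s stable main\n' "$1" "$REPO_URL"
}

# Returns 0 if a sources line pins a keyring via signed-by, 1 otherwise.
apt_line_is_pinned() {
  case "$1" in
    "deb [signed-by="*"] "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the given `systemctl status` text reports the unit running.
unit_is_running() {
  printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

install_falco() {
  # --yes lets gpg overwrite an existing keyring so the script can be re-run.
  curl -fsSL "$KEY_URL" | sudo gpg --dearmor --yes -o "$KEYRING"
  falco_apt_line "$KEYRING" | sudo tee "$SOURCES" >/dev/null
  sudo apt-get update -y
  sudo apt-get install -y dialog   # the package's postinst prompts via dialog
  sudo apt-get install -y falco    # choose "Modern eBPF" when prompted
  status=$(systemctl status falco-modern-bpf.service || true)
  unit_is_running "$status" || {
    echo "falco-modern-bpf.service is not running" >&2
    return 1
  }
  echo "Falco installed and falco-modern-bpf.service is running"
}

case "${1:-}" in
  --install) install_falco ;;
  *) echo "dry run; would write this line to $SOURCES:"
     falco_apt_line "$KEYRING" ;;
esac
```

Run it as `sh install-falco.sh --install`; the signed-by check is the part worth keeping in any provisioning tooling, because a sources line without it accepts packages signed by any key in apt's global store.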

Verify Falco is Running

To check that Falco is active and monitoring your system:

sudo systemctl status falco-modern-bpf.service

You should see output like:

● falco-modern-bpf.service - Falco: Container Native Runtime Security with modern ebpf
   Loaded: loaded
   Active: active (running)
   ...
   Opening 'syscall' source with modern BPF probe.

Trigger a Falco Rule 

Falco includes built-in rules to detect suspicious activity like accessing /etc/shadow.

Trigger the alert:

sudo cat /etc/shadow > /dev/null

View Falco Alerts

Falco writes alerts to syslog, so they appear both in the systemd journal and in /var/log/syslog. Here are two ways to view them:

Option 1: Use journalctl

The -p warning filter shows alerts of priority warning and above (error, critical, and so on); drop it to see notices as well.

sudo journalctl _COMM=falco -p warning

Example output:

Warning Sensitive file opened for reading by non-trusted program 

Option 2: Use grep with /var/log/syslog

sudo grep Sensitive /var/log/syslog

You’ll see a similar output:

falco: Warning Sensitive file opened for reading by non-trusted program 
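Once alerts are in syslog, grep for one word is a blunt filter; the following shell functions, added here as an example and not part of Falco, summarise syslog-style Falco lines by priority, extract which file triggered the sensitive-file rule, and keep only alerts at or above a chosen priority. The sample log lines are constructed for the example (the hostname, times and container ids are made up); the rule messages are Falco's default rule outputs, and the priority order is Falco's.

```shell
#!/bin/sh
# Added example, not Falco's code: summarise Falco alerts found in syslog.
set -eu

# Constructed sample of /var/log/syslog lines (not captured from a real host).
SAMPLE_LOG='Jun 10 14:03:21 ubuntu falco: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow user=root process=cat command=cat /etc/shadow container_id=host)
Jun 10 14:03:25 ubuntu falco: Notice A shell was spawned in a container with an attached terminal (user=root shell=bash container_id=3f2a1b container_name=web)
Jun 10 14:03:30 ubuntu sshd[812]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Jun 10 14:04:02 ubuntu falco: Warning Sensitive file opened for reading by non-trusted program (file=/etc/sudoers user=deploy process=vim command=vim /etc/sudoers container_id=host)
Jun 10 14:04:10 ubuntu falco: Error File below /etc opened for writing (file=/etc/crontab user=root process=sh container_id=9c0d2e container_name=api)'

# Count Falco alerts per priority. The priority is the first word after the
# "falco: " syslog tag; non-Falco lines (sshd etc.) are ignored.
count_by_priority() {
  awk '/ falco: / { sub(/.* falco: /, ""); n[$1]++ }
       END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Print the file= value of every "Sensitive file opened" alert, one per line,
# so you can see which protected files were read rather than just how often.
sensitive_files() {
  awk '/ falco: .*Sensitive file opened/ {
         if (match($0, /file=[^ )]+/)) print substr($0, RSTART + 5, RLENGTH - 5)
       }'
}

# Keep only Falco lines whose priority is at least $1 (Falco order: Emergency,
# Alert, Critical, Error, Warning, Notice, Informational, Debug).
alerts_at_least() {
  awk -v min="$1" '
    BEGIN { r["Emergency"]=0; r["Alert"]=1; r["Critical"]=2; r["Error"]=3
            r["Warning"]=4; r["Notice"]=5; r["Informational"]=6; r["Debug"]=7 }
    / falco: / { line = $0; sub(/.* falco: /, "", line); split(line, f, " ")
                 if ((f[1] in r) && (min in r) && r[f[1]] <= r[min]) print $0 }'
}

# Demo on the constructed sample; point the functions at the real file with
#   sudo cat /var/log/syslog | alerts_at_least Warning
printf '%s\n' "$SAMPLE_LOG" | count_by_priority
printf '%s\n' "$SAMPLE_LOG" | sensitive_files
printf '%s\n' "$SAMPLE_LOG" | alerts_at_least Warning
```

The priority ranking is what makes `alerts_at_least` useful for paging: a Notice-level shell in a container may only deserve a ticket, while anything at Error or above from the same host is worth waking someone up for.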

Falco helps you secure your infrastructure against potential runtime threats. Whether you are managing standalone Linux servers or preparing for more complex containerized environments, Falco offers a lightweight yet effective way to enhance your security posture.

For expert assistance with Falco installation on Ubuntu and ensuring your server stays secure, our team offers reliable Linux Server Management services.
