{"id":15614,"date":"2025-08-14T16:12:35","date_gmt":"2025-08-14T10:42:35","guid":{"rendered":"https:\/\/www.skynats.com\/?p=15614"},"modified":"2025-08-14T16:12:37","modified_gmt":"2025-08-14T10:42:37","slug":"falco-installation-on-ubuntu","status":"publish","type":"post","link":"https:\/\/www.skynats.com\/blog\/falco-installation-on-ubuntu\/","title":{"rendered":"Falco Installation on Ubuntu\u00a0"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Falco is the de facto standard for runtime security in Linux and Kubernetes environments.<\/li>\n\n\n\n<li>Uses modern eBPF or kernel modules to monitor system calls efficiently.<\/li>\n\n\n\n<li>Can alert you in real time via logs, Slack, webhooks, or other integrations.<\/li>\n\n\n\n<li>Ideal for DevOps, security engineers, and sysadmins who need visibility into system-level activity.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-add-the-gpg-key\"><strong>Add the GPG key<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -fsSL https:\/\/falco.org\/repo\/falcosecurity-packages.asc | \\\nsudo gpg --dearmor -o \/usr\/share\/keyrings\/falco-archive-keyring.gpg<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-add-the-falco-repository\"><strong>Add the Falco repository<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo bash -c 'cat &lt;&lt; EOF > \/etc\/apt\/sources.list.d\/falcosecurity.list\ndeb &#91;signed-by=\/usr\/share\/keyrings\/falco-archive-keyring.gpg] https:\/\/download.falco.org\/packages\/deb stable main\nEOF'<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\" id=\"h-update-your-package-list\"><strong>Update your package list<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get update -y<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\" id=\"h-install-dialog-used-by-the-installer\"><strong>Install dialog (used by the installer)<\/strong><\/h2>\n\n\n\n<p 
class=\"wp-block-paragraph\">Falco uses dialog to present UI prompts during the installation process.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get install -y dialog<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>Install Falco<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You&#8217;re now ready to install the Falco runtime:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get install -y falco<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">During the install:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose the Modern eBPF driver when prompted.<\/li>\n\n\n\n<li>Enable automatic ruleset updates (optional but recommended).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These options enable modern syscall tracing and future-proof rule updates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\" id=\"h-verify-falco-is-running\"><strong>Verify Falco is Running<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To check that Falco is active and monitoring your system:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status falco-modern-bpf.service<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You should see output like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u25cf falco-modern-bpf.service&nbsp; Falco: Container Native Runtime Security with modern ebpf\n&nbsp;&nbsp;&nbsp;Loaded: loaded\n&nbsp;&nbsp;&nbsp;Active: active (running)\n&nbsp;&nbsp;&nbsp;Opening &#8216;syscall&#8217; source with modern BPF probe.<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\"><strong>Trigger a Falco Rule<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Falco includes built-in rules to detect suspicious activity like accessing \/etc\/shadow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading 
has-small-font-size\">Trigger the alert:<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cat \/etc\/shadow > \/dev\/null<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-small-font-size\"><strong>View Falco Alerts<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Falco logs alerts to system log files. Here are two ways to view them:<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\">Option 1: Use journalctl<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo journalctl _COMM=falco -p warning<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Example output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Warning Sensitive file opened for reading by non-trusted program<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\">Option 2: Use grep with \/var\/log\/syslog<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo grep Sensitive \/var\/log\/syslog<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ll see similar output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>falco: Warning Sensitive file opened for reading by non-trusted program<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Falco helps you secure your infrastructure against potential runtime threats. Whether you are managing standalone <a href=\"https:\/\/www.linux.org\/\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-secondary-color\">Linux<\/mark><\/a> servers or preparing for more complex containerized environments, Falco offers a lightweight yet effective way to enhance your security posture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For expert assistance with Falco installation on Ubuntu and ensuring your server stays secure, our team offers reliable <a href=\"https:\/\/www.skynats.com\/linux-server-management\/\">Linux Server Management services<\/a>. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Add the GPG key Add the Falco repository Update your package list Install dialog (used by the installer) Falco uses dialog to present UI prompts during the installation process. Install Falco You&#8217;re now ready to install the Falco runtime: During the install, These options enable modern syscall tracing and future-proof rule updates. Verify Falco is [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[1085,1010],"class_list":["post-15614","post","type-post","status-publish","format-standard","hentry","category-blog","tag-falco-installation-on-ubuntu","tag-linux-server-management-services"],"_links":{"self":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/comments?post=15614"}],"version-history":[{"count":2,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15614\/revisions"}],"predecessor-version":[{"id":15616,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/posts\/15614\/revisions\/15616"}],"wp:attachment":[{"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/media?parent=15614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/categories?post=15614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.skynats.com\/blog\/wp-json\/wp\/v2\/tags?post=15614"}],"curies":[{"name":"wp","href":"https:\/\/api.w
.org\/{rel}","templated":true}]}}