Adding falco script from install docs

Signed-off-by: Kris Nova <kris@nivenly.com>
2026-04-02 10:02:12 +00:00 · 2020-02-20 07:43:47 -08:00
8 changed files with 209 additions and 36 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,32 +2,6 @@
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 ## v0.20.0
 Released on 2020-02-24
 ### Major Changes
 * fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
 * new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
 ### Bug Fixes
 * fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
 * fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
 ### Rule Changes
 * rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 ## v0.19.0
 Released on 2020-01-23
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
 #### Latest release
-**v0.20.0**
+**v0.19.0**
 Read the [change log](CHANGELOG.md)
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -22,13 +22,12 @@ include(ExternalProject)
 # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
  set(SYSDIG_CHECKSUM "SHA256=6e477ac5fe9d3110b870bd4495f01541373a008c375a1934a2d1c46798b6bad6")
 endif()
 ExternalProject_Add(
  sysdig
  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -22,7 +22,7 @@ endif()
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
--- a/docker/kernel/linuxkit/Dockerfile
+++ b/docker/kernel/linuxkit/Dockerfile
@@ -1,13 +1,13 @@
 ARG ALPINE_VERSION=3.10
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.20.0
+ARG FALCO_VERSION=0.19.0
 FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
 FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
 FROM alpine:${ALPINE_VERSION} AS probe-build
 LABEL maintainer="opensource@sysdig.com"
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.20.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV KERNEL_VERSION=${KERNEL_VERSION}
@@ -32,7 +32,7 @@ RUN apk add --no-cache --update \
  autoconf
 FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.20.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
 CMD ["insmod","/falco-probe.ko"]
--- a/docker/minimal/Dockerfile
+++ b/docker/minimal/Dockerfile
@@ -2,7 +2,7 @@ FROM ubuntu:18.04 as ubuntu
 LABEL maintainer="opensource@sysdig.com"
-ARG FALCO_VERSION=0.20.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
@@ -20,7 +20,7 @@ spec:
            privileged: true
          #env:
          #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.20.0
+          #    value: 0.19.0
          #  - name: FALCOCTL_FALCO_PROBE_URL
          #    value:
          #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -31,7 +31,7 @@ spec:
              readOnly: true
      containers:
        - name: falco
-          image: falcosecurity/falco:0.20.0-slim
+          image: falcosecurity/falco:0.19.0-slim
          securityContext:
            privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
--- a/scripts/install-falco.sh
+++ b/scripts/install-falco.sh
@@ -0,0 +1,200 @@
 #!/bin/bash
 #
 # Copyright (C) 2013-2018 Draios Inc dba Sysdig.
 #
 # This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 set -e
 function install_rpm {
 	if ! hash curl > /dev/null 2>&1; then
 		echo "* Installing curl"
 		yum -q -y install curl
 	fi
 	if ! yum -q list dkms > /dev/null 2>&1; then
 		echo "* Installing EPEL repository (for DKMS)"
 		if [ $VERSION -eq 8 ]; then
 			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 		elif [ $VERSION -eq 7 ]; then
 			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 		else
 			rpm --quiet -i https://mirrors.kernel.org/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
 		fi
 	fi
 	echo "* Installing falco public key"
 	rpm --quiet --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
 	echo "* Installing falco repository"
 	curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo
 	echo "* Installing kernel headers"
 	KERNEL_VERSION=$(uname -r)
 	if [[ $KERNEL_VERSION == *PAE* ]]; then
 		yum -q -y install kernel-PAE-devel-${KERNEL_VERSION%.PAE} || kernel_warning
 	elif [[ $KERNEL_VERSION == *stab* ]]; then
 		# It's OpenVZ kernel and we should install another package
 		yum -q -y install vzkernel-devel-$KERNEL_VERSION || kernel_warning
 	elif [[ $KERNEL_VERSION == *uek* ]]; then
 		yum -q -y install kernel-uek-devel-$KERNEL_VERSION || kernel_warning
 	else
 		yum -q -y install kernel-devel-$KERNEL_VERSION || kernel_warning
 	fi
 	echo "* Installing falco"
 	yum -q -y install falco
 }
 function install_deb {
 	export DEBIAN_FRONTEND=noninteractive
 	if ! hash curl > /dev/null 2>&1; then
 		echo "* Installing curl"
 		apt-get -qq -y install curl < /dev/null
 	fi
 	echo "* Installing Sysdig public key"
 	curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
 	echo "* Installing falco repository"
 	curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
 	apt-get -qq update < /dev/null
 	echo "* Installing kernel headers"
 	apt-get -qq -y install linux-headers-$(uname -r) < /dev/null || kernel_warning
 	echo "* Installing falco"
 	apt-get -qq -y install falco < /dev/null
 }
 function unsupported {
 	echo 'Unsupported operating system. Please consider writing to the mailing list at'
 	echo 'https://groups.google.com/forum/#!forum/sysdig or trying the manual'
 	echo 'installation.'
 	exit 1
 }
 function kernel_warning {
 	echo "Unable to find kernel development files for the current kernel version" $(uname -r)
 	echo "This usually means that your system is not up-to-date or you installed a custom kernel version."
 	echo "The installation will continue but you'll need to install these yourself in order to use falco."
 	echo 'Please write to the mailing list at https://groups.google.com/forum/#!forum/sysdig'
 	echo "if you need further assistance."
 }
 if [ $(id -u) != 0 ]; then
 	echo "Installer must be run as root (or with sudo)."
 	exit 1
 fi
 echo "* Detecting operating system"
 ARCH=$(uname -m)
 if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ] && [ ! $ARCH = "s390x" ]; then
 	unsupported
 fi
 if [ $ARCH = "s390x" ]; then
 	echo "------------"
 	echo "WARNING: A Docker container is the only officially supported platform on s390x"
 	echo "------------"
 fi
 if [ -f /etc/debian_version ]; then
 	if [ -f /etc/lsb-release ]; then
 		. /etc/lsb-release
 		DISTRO=$DISTRIB_ID
 		VERSION=${DISTRIB_RELEASE%%.*}
 	else
 		DISTRO="Debian"
 		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
 	fi
 	case "$DISTRO" in
 		"Ubuntu")
 			if [ $VERSION -ge 10 ]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		"LinuxMint")
 			if [ $VERSION -ge 9 ]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		"Debian")
 			if [ $VERSION -ge 6 ]; then
 				install_deb
 			elif [[ $VERSION == *sid* ]]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		*)
 			unsupported
 			;;
 	esac
 elif [ -f /etc/system-release-cpe ]; then
 	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
 	# New Amazon Linux 2 distro
 	if [[ -f /etc/image-id ]]; then
 		AMZ_AMI_VERSION=$(cat /etc/image-id | grep 'image_name' | cut -d"=" -f2 | tr -d "\"")
 	fi
 	if [[ "${DISTRO}" == "o" ]] && [[ ${AMZ_AMI_VERSION} = *"amzn2"* ]]; then
 		DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f4)
 	fi
 	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
 	case "$DISTRO" in
 		"oracle" | "centos" | "redhat")
 			if [ $VERSION -ge 6 ]; then
 				install_rpm
 			else
 				unsupported
 			fi
 			;;
 		"amazon")
 			install_rpm
 			;;
 		"fedoraproject")
 			if [ $VERSION -ge 13 ]; then
 				install_rpm
 			else
 				unsupported
 			fi
 			;;
 		*)
 			unsupported
 			;;
 	esac
 else
 	unsupported
 fi
 modprobe -r falco_probe