Closed chkp-amitd closed 1 year ago
Falco and Sysdig are confusingly tightly coupled projects. You can find substantially more information in the Falco documentation about how the various drivers work and how you can leverage them as needed.
Hi!
Are these two options supported on all environments? What are the requirements for each collector?
Kind of; the minimum kernel version is different; have a look here: https://github.com/falcosecurity/libs#drivers-officially-supported-architectures
Can I check for a specific installation which option is valid and which one is recommended?
There is no "valid" option, i.e. they are both valid where supported. The kmod is still the most used probably, because of its better performance. At the same time, eBPF cannot crash your system :) That's up to the user to choose the best one!
Do I always have to build either the kernel module or the probe or can I use pre-compiled collector? Is there any documentation regarding which pre-compiled collector is available for which kernel version?
What do you mean by collector?
Hi. Thank you for your reply. By "collector" I mean either the kernel module or eBPF.
Do I always have to build either the kernel module or the probe or can I use pre-compiled collector? Is there any documentation or repository from which I can learn which pre-compiled kernel module or eBPF is available for which kernel version?
Thanks!
The prebuilt drivers are hosted on an s3 bucket, namely download.draios.com, with prefix scap-drivers. There is no frontend; you can use awscli to list them :)
Like:
aws s3 ls s3://download.draios.com/scap-drivers --recursive --human-readable --summarize --no-sign-request
You can see that they are in subfolders (i.e. the driverversion); you should look for the correct driverversion matching your sysdig release; the latest is: e5c53d648f3c4694385bbe488e7d47eaa36c229a
-> https://github.com/draios/sysdig/blob/0.29.0/cmake/modules/falcosecurity-libs.cmake#L32
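The listing above is long, and the useful part for a given host is only the objects under the driverversion pinned by your sysdig release whose file name carries your kernel release. The script below is an added example, not code from the thread or from the sysdig project: it takes the output of `aws s3 ls --recursive` (date, time, size, key per line) and filters it by driverversion, kernel release and driver kind. The object keys in SAMPLE_LISTING are constructed sample data; the `<driverversion>/<arch>/<file>` layout and the `scap_<target>_<kernelrelease>_<kernelversion>.ko|.o` file names are assumptions made for the example, so check them against a real listing before relying on the exact pattern.

```shell
#!/bin/sh
# Added example (not from the issue thread): filter an `aws s3 ls --recursive`
# listing of the scap-drivers prefix down to one driverversion and one kernel
# release. The listing below is CONSTRUCTED sample data in the shape awscli
# prints (date, time, size, key); the key layout and file names are assumed.
SAMPLE_LISTING='2023-01-10 09:12:01    1234567 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_ubuntu-generic_5.15.0-58-generic_64.ko
2023-01-10 09:12:02     234567 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_ubuntu-generic_5.15.0-58-generic_64.o
2023-01-10 09:12:03    1234567 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_amazonlinux2_5.10.144-127.601.amzn2_1.ko
2022-06-01 11:00:00    1234567 scap-drivers/0123456789abcdef0123456789abcdef01234567/x86_64/scap_ubuntu-generic_5.15.0-58-generic_64.ko'

# select_drivers LISTING DRIVERVERSION KERNEL_RELEASE [KIND]
#   KIND is "ko" (kernel module), "o" (eBPF probe object) or "any" (default).
#   Prints the matching object keys, one per line. An object from another
#   driverversion is never a match, even if the kernel release is identical:
#   the driver must match the libs version the sysdig binary was built against.
select_drivers() {
    listing=$1; driverversion=$2; kernel=$3; kind=${4:-any}
    printf '%s\n' "$listing" | awk -v dv="$driverversion" -v kr="$kernel" -v kind="$kind" '
        {
            key = $4
            # key layout (assumed): scap-drivers/<driverversion>/<arch>/<file>
            n = split(key, parts, "/")
            if (n < 4 || parts[2] != dv) next
            file = parts[n]
            # the kernel release string (as printed by `uname -r`) must appear in the file name
            if (index(file, kr) == 0) next
            ext = file; sub(/.*\./, "", ext)
            if (kind != "any" && ext != kind) next
            print key
        }'
}

# count_drivers: same arguments as select_drivers, prints the number of matches
count_drivers() {
    select_drivers "$@" | wc -l | tr -d ' '
}

# Against the real bucket you would feed the live listing and the running kernel:
# select_drivers "$(aws s3 ls s3://download.draios.com/scap-drivers --recursive --no-sign-request)" \
#     e5c53d648f3c4694385bbe488e7d47eaa36c229a "$(uname -r)" ko
select_drivers "$SAMPLE_LISTING" e5c53d648f3c4694385bbe488e7d47eaa36c229a 5.15.0-58-generic
```

On the sample data the call at the bottom prints the `.ko` and the `.o` for the 5.15.0-58-generic kernel under the current driverversion and drops the same-named module under the older driverversion; pass `ko` or `o` as the fourth argument to keep only the kernel module or only the eBPF probe. If the call returns nothing for your `uname -r`, no prebuilt driver exists for that kernel and you are back to building it.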
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi, I have encountered this paragraph in the Sysdig documentation:
"Falco and sysdig operate on top of the same data source: system calls. This data source is collected using either a kernel module or an eBPF probe. The two methods are equivalent in functionality, but the kernel module is a tiny bit more efficient, while the eBPF approach is safer and more modern."
My questions:
Thanks for your help!