This project automates building Falco eBPF kernel probes and mirrors the built probes. Falco loads such a probe as its eBPF driver to consume system call information, which feeds its runtime threat detection.

Falco Security provides falcosecurity/driverkit for building Falco drivers, and download.falco.org/driver, which mirrors only the Falco kernel module drivers built from falcosecurity/test-infra. That did not quite meet all of our requirements, hence this project, which has the following features:

- Built Falco eBPF probes are mirrored to GitHub releases, organised per Falco driver version (see docs/REPOSITORY_DESIGN.md for more information).
To obtain an eBPF kernel probe, first find the Falco driver version used by your Falco release. It is recorded in the falco-driver-loader script shipped in the Falco container image:

```bash
FALCO_VERSION=0.29.1
docker run --rm --entrypoint="" \
  docker.io/falcosecurity/falco:$FALCO_VERSION \
  cat /usr/bin/falco-driver-loader \
  | grep DRIVER_VERSION= \
  | cut -f2 -d\"
# 17f5df52a7d9ed6bb12d3b1768460def8439936d
```

The GitHub release tag is the first 8 characters of that driver version; the probe for your kernel is an asset of that release.
Below is a scripted example to download a probe:

```bash
FALCO_VERSION=0.29.1
PROBE_NAME="falco_amazonlinux2_4.14.232-177.418.amzn2.x86_64_1.o"
FALCO_DRIVER_VERSION=$(docker run --rm --entrypoint="" "docker.io/falcosecurity/falco:${FALCO_VERSION}" cat /usr/bin/falco-driver-loader | grep DRIVER_VERSION= | cut -f2 -d\")
# truncate driver version to 8 characters to get the release tag.
RELEASE_TAG=$(printf "%.8s\n" "${FALCO_DRIVER_VERSION}")
# -f makes curl fail on an HTTP error instead of saving the error page as the .o file.
curl -fLO "https://github.com/thought-machine/falco-probes/releases/download/${RELEASE_TAG}/${PROBE_NAME}"
```
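The same procedure, generalised into reusable shell functions, as an added example that is not part of the falco-probes project: it derives the release tag from a driver version, builds the probe file name for a host, assembles the release URL, and only keeps a download that actually is an ELF object. Two things are assumptions rather than facts from this page: the probe name layout `falco_<distro>_<kernel release>_<kernel version>.o` is inferred from the example name above, and the kernel version number is taken to be the digits after `#` in `uname -v`, which is how falco-driver-loader derives it. The ELF header check only catches a saved error page or a truncated file; it is not an integrity or provenance check of the probe.

```bash
#!/usr/bin/env bash
# Added example, not the falco-probes project's own code.
# Assumed: probe name layout falco_<distro>_<kernel release>_<kernel version>.o
# (from the example name on the page) and kernel version = digits after "#" in `uname -v`.
set -eu

RELEASES_BASE="https://github.com/thought-machine/falco-probes/releases/download"

# Release tag = first 8 characters of the Falco driver version (this repository's convention).
release_tag() {
    local driver_version="$1"
    if [ "${#driver_version}" -lt 8 ]; then
        echo "driver version too short: '${driver_version}'" >&2
        return 1
    fi
    printf '%.8s' "${driver_version}"
}

# Extract DRIVER_VERSION from falco-driver-loader text on stdin, e.g.
#   docker run --rm --entrypoint="" docker.io/falcosecurity/falco:0.29.1 \
#       cat /usr/bin/falco-driver-loader | driver_version_from_loader
driver_version_from_loader() {
    grep -m1 'DRIVER_VERSION=' | cut -f2 -d'"'
}

# Kernel version number: "#1 SMP Thu Jun 10 ..." -> "1" (assumed falco-driver-loader convention).
kernel_version_from_uname_v() {
    printf '%s' "$1" | sed 's/^#\([0-9]*\).*/\1/'
}

# Probe file name for a host (assumed layout, see header comment).
probe_name() {
    local distro="$1" kernel_release="$2" kernel_version="$3"
    printf 'falco_%s_%s_%s.o' "${distro}" "${kernel_release}" "${kernel_version}"
}

# Full download URL: <releases base>/<8-char tag>/<probe name>.
probe_url() {
    local driver_version="$1" distro="$2" kernel_release="$3" kernel_version="$4"
    printf '%s/%s/%s' "${RELEASES_BASE}" "$(release_tag "${driver_version}")" \
        "$(probe_name "${distro}" "${kernel_release}" "${kernel_version}")"
}

# Sanity check: an eBPF probe is an ELF object, so the first four bytes must be 7f 45 4c 46.
# Catches a saved HTML error page or a truncated download; it is not an integrity check.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Download the probe for the given host details into out_dir (default: current directory).
# curl -f turns an HTTP error into a failure instead of writing the error body as the .o file.
download_probe() {
    local driver_version="$1" distro="$2" kernel_release="$3" kernel_version="$4"
    local out_dir="${5:-.}"
    local name url out
    name="$(probe_name "${distro}" "${kernel_release}" "${kernel_version}")"
    url="$(probe_url "${driver_version}" "${distro}" "${kernel_release}" "${kernel_version}")"
    out="${out_dir}/${name}"
    curl -fsSL --retry 3 -o "${out}" "${url}"
    if ! is_elf "${out}"; then
        echo "downloaded file ${out} is not an ELF object; removing it" >&2
        rm -f "${out}"
        return 1
    fi
    echo "${out}"
}
```

On the target host this reduces the download to one call once the driver version is known, for example `download_probe "${FALCO_DRIVER_VERSION}" amazonlinux2 "$(uname -r)" "$(kernel_version_from_uname_v "$(uname -v)")" /tmp`. Pin `FALCO_VERSION` to the Falco release you actually run, since the driver version, and therefore the release tag, changes between Falco releases.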
Supported operating systems:

- amazonlinux2
- cos

We're not currently planning on supporting other distributions, but we're open to pull requests.
See CONTRIBUTING.md for how to add support for additional operating systems.
To contact us, open a ticket in the project's GitHub Issues. Project link: https://github.com/thought-machine/falco-probes