Chapter 2. Getting Started with Falco on Your Local Machine

Now that you’re acquainted with the possibilities that Falco offers, what better way to familiarize yourself with it than to try it? In this chapter, you will discover how easy it is to install and run Falco on a local machine. We’ll walk you through the process step-by-step, introducing and analyzing the core concepts and functions. We will generate an event that Falco will detect for us by simulating a malicious action, and show you how to read Falco’s notification output. We’ll finish the chapter by presenting some manageable approaches to customizing your installation.

Running Falco on Your Local Machine

Although Falco is not a typical application, installing and running it on a local machine is quite simple—all you need is a Linux host or a virtual machine and a terminal. There are two components to install: the user space program (named falco) and a driver. The driver is needed to collect system calls, which are one possible data source for Falco. For simplicity, we will focus only on system call capture in this chapter.

Note

You will learn more about the available drivers and why we need them to instrument the system in Chapter 3 and explore alternative data sources in Chapter 4. For the moment, you only need to know that the default driver, which is implemented as a Linux kernel module, is enough to collect system calls and start using Falco.

Several methods are available to install these components, ...