Download
The Falco Project supports two ways for downloading and running Falco:
- Running Falco directly on a Linux host.
- Running Falco in a container.
Below, we are sharing the download links for the Falco artifacts. The Falco release document provides more details about the artifacts and their versioning. Additionally, we have a dedicated Deployment guide that explains a Kubernetes scenario using the option of running Falco in a container.
Download for Linux
The tables below provides quick links for the artifacts from our packages store. The .tar.gz
directory includes subfolders for both x86_64
and aarch64
architectures, whereas the rpm
and deb
packages are all located in the same folder for each architecture.
Packages | Download for x86_64 |
---|---|
rpm | |
deb | |
binary |
Packages | Download for aarch64 |
---|---|
rpm | |
deb | |
binary |
If you use Falco for non-syscall events, such as some plugins, only download the Falco artifact and skip the next instruction.
When using Falco for syscall monitoring, the Falco binary relies on having Falco's kernel driver available, which can fit into two paradigms based on its type:
- Falco with modern eBPF driver: Download the Falco binary artifact; the driver is already included in the binary, made possible by the CO-RE "Compile Once - Run Everywhere" feature, so no further action is needed.
- Falco with kernel module or legacy eBPF driver: Also, download the Falco binary artifact, and additionally, download the kernel artifact corresponding to your kernel release (
uname -r
) for either.ko
(kernel module) or.o
(eBPF driver) from the driver store. Navigate to the driver versions' directory that is compatible with the Falco binary (check withfalco --version
). To make this easier, Falco has afalcoctl driver
component that automates the driver download or tries to build it. The Install guide will explain this more and the text blob below also has more information.
Falco also relies on both a configuration file and at least one Falco rules file. The default versions of these files come with the packages and the Install covers additional tips and tricks for utilizing falcoctl
in managing rules.
Download container images
Falco depends on having a driver installed on the host system to get information about the running system calls.
The preferred installation method is to install the driver using the native artifacts defined above or
temporarily run the falcosecurity/falco-driver-loader
image as privileged, then using the falcosecurity/falco-no-driver
.
For more details, see the Run within Docker section.
For Kubernetes deployments, see the Deployment section.
tag | pull command | description |
---|---|---|
latest | docker pull falcosecurity/falco-no-driver:latest | The most recent version |
version | docker pull falcosecurity/falco-no-driver:<version> | A specific version of Falco such as 0.37.1 |
latest | docker pull falcosecurity/falco-driver-loader:latest | The most recent version of falco-driver-loader with the building toolchain |
version | docker pull falcosecurity/falco-driver-loader:<version> | A specific version of falco-driver-loader such as 0.37.1 with the building toolchain |
latest | docker pull falcosecurity/falco:latest | The most recent version with the falcoctl driver tool included |
version | docker pull falcosecurity/falco:<version> | A specific version of Falco such as 0.37.1 with falcoctl driver tool included |
The list of all available images can be found here.
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.