---
title: Falco tech docs assessment draft
tags: falco
---
# Assessment template
Prepared by: \<name> ([@add-link-to-your-github-id](https://github.com/cncf/techdocs))<br>
Date: 2021-mm-dd
## Introduction
This document assesses the quality and completeness of a project's documentation and website (if present).
This document:
- Measures existing documentation quality against the CNCF’s standards
- Recommends specific and general improvements
- Provides examples of great documentation as reference
- Identifies key improvements with the largest return on investment
## How this document works
The assessment is divided into three sections:
- **Project documentation:** for end users of the project; aimed at people who intend to use it
- **Contributor documentation:** for new and existing contributors to the project
- **Website:** branding, website structure, and maintainability
Each section rates content based on different [criteria](criteria.md).
## Project documentation
| Criteria | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Information architecture | | | | | |
| New user content | | | | | |
| Content maintainability | | | | | |
| Content creation processes | | | | | |
Scale:
- 1 = (Is not present or requires significant work)
- 3 = (Is present, but needs work)
- 5 = (Is executed extremely well or no improvement required)
**Comments**
_Provide comments for each rating above, 1-2 sentences max, bullet point list_
- Information architecture
- New user content
- Falco's getting started is used as an example for new user content in the Techdocs assessment!
- I'm not sure it's up to date, I've tried setting it up following the getting started and ran into errors
**Recommendations**
_Provide a list of recommendations to improve in this area_
## Contributor documentation
| Criteria | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Communication methods documented | | | | | |
| Beginner friendly issue backlog | | | | | |
| “New contributor” getting started content | | | | | |
| Project governance documentation | | | | | |
Scale:
- 1 = (Is not present or requires significant work)
- 3 = (Is present, but needs work)
- 5 = (Is executed extremely well or no improvement required)
**Comments**
_Provide comments for each rating above, 1-2 sentences max, bullet point list_
**Recommendations**
_Provide a list of recommendations to improve in this area_
## Website
| Criteria | 1 | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- | --- |
| Single-source for all files | | | | | |
| Meets min website req. (for maturity level) | | | | | |
| Branding and design | | | | | |
| Case studies/social proof | | | | | |
| Maintenance planning | | | | | |
| A11y plan & implementation | | | | | |
| Mobile-first plan & impl. | | | | | |
| HTTPS access & HTTP redirect | | | | | |
| Google Analytics 4 for production only | | | | | |
| Indexing allowed for production server only | | | | | |
| Intra-site / local search | | | | | |
| Account custodians are documented | | | | | |
Scale:
- 1 = (Is not present or requires significant work)
- 3 = (Is present, but needs work)
- 5 = (Is executed extremely well or no improvement required)
**Comments**
_Provide comments for each rating above, 1-2 sentences max, bullet point list_
_Include a list of the top 404s, as reported through analytics or a search console._
**Recommendations**
_Provide a list of recommendations to improve in this area_
## Recommendations
_From the recommendations above, lis the top 1-3 concerns for this particular project and expand on them in enough detail that you could either:_
- _Pass the work off to a contractor or other member of the CNCF techdocs team_
- _Write a GitHub issue for the project team and place it in the backlog and someone not involved in the docs assessment process could execute on it_
# Notes
## Friction log
Attempting to get started -
https://github.com/falcosecurity/falco/issues/1024 should be reopened?
1. VMware fusion - ubuntu
Getting started
* I'm not sure the Getting started "Try Falco on Ubuntu" instructions are up to date
* https://falco.org/docs/getting-started/try-falco/try-falco-on-ubuntu/
* Tried the regular install instructions and ran into issues as well
* https://falco.org/docs/getting-started/installation/
* When I get to the 'Configure the apt repository' step I always get a Permssion denied error
(/etc/apt/sources.list.d/falcosecurity.list)
* also tried several to use the Vagrant file supplied, but ran into the same issue in the end.
1. Docker
base system: MacBook Pro 14-inch, 2021 Apple M1 Pro, macOS 13.4.1
docker desktop v 4.17.0
https://falco.org/docs/getting-started/running/#docker
Recommendad least privileged instructions fail at:
```
$ docker run --rm -i -t \
--privileged \
-v /root/.falco:/root/.falco \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules \
-v /usr:/host/usr:ro \
-v /etc:/host/etc:ro \
falcosecurity/falco-driver-loader:latest
docker: Error response from daemon: Mounts denied:
The path /root/.falco is not shared from the host and is not known to Docker.
You can configure shared paths from Docker -> Preferences... -> Resources -> File Sharing.
See https://docs.docker.com/desktop/mac for more info.
ERRO[0000] error waiting for container:
```
1. Running Falco on Apple Silicon
base system: MacBook Pro 14-inch, 2021 Apple M1 Pro, macOS 13.4.1
https://falco.org/blog/falco-apple-silicon/
Fails at: `$ sudo falco-driver-loader bpf`
Blog article should also provide cleanup instructions.
```
$ sudo falco-driver-loader bpf
* Running falco-driver-loader for: falco version=0.35.1, driver version=5.0.1+driver, arch=aarch64, kernel release=6.3.8-200.fc38.aarch64, kernel version=1
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Filename 'falco_fedora_6.3.8-200.fc38.aarch64_1.o' is composed of:
- driver name: falco
- target identifier: fedora
- kernel release: 6.3.8-200.fc38.aarch64
- kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/5.0.1%2Bdriver/aarch64/falco_fedora_6.3.8-200.fc38.aarch64_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco eBPF probe
* Trying to compile the eBPF probe (falco_fedora_6.3.8-200.fc38.aarch64_1.o)
warning: the compiler differs from the one used to build the kernel
The kernel was built by: gcc (GCC) 13.1.1 20230511 (Red Hat 13.1.1-2)
You are using: gcc (GCC) 13.1.1 20230614 (Red Hat 13.1.1-4)
In file included from /usr/src/falco-5.0.1+driver/bpf/probe.c:25:
In file included from /usr/src/falco-5.0.1+driver/bpf/filler_helpers.h:14:
In file included from ./include/net/sock.h:46:
In file included from ./include/linux/netdevice.h:38:
In file included from ./include/net/net_namespace.h:43:
In file included from ./include/linux/skbuff.h:17:
In file included from ./include/linux/bvec.h:10:
In file included from ./include/linux/highmem.h:8:
In file included from ./include/linux/cacheflush.h:5:
In file included from ./arch/arm64/include/asm/cacheflush.h:11:
In file included from ./include/linux/kgdb.h:19:
In file included from ./include/linux/kprobes.h:30:
./include/linux/freelist.h:88:48: warning: passing 'unsigned int *' to parameter of type 'int *' converts between pointers to integer types with different sign [-Wpointer-sign]
!atomic_try_cmpxchg_acquire(&head->refs, &refs, refs+1)) {
^~~~~
./include/linux/atomic/atomic-instrumented.h:539:46: note: passing argument to parameter 'old' here
atomic_try_cmpxchg_acquire(atomic_t *v, int *old, int new)
^
In file included from /usr/src/falco-5.0.1+driver/bpf/probe.c:26:
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6343:76: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6343:96: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6348:76: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6348:96: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6353:76: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
/usr/src/falco-5.0.1+driver/bpf/fillers.h:6353:96: error: no member named 'cap' in 'kernel_cap_t'
res = bpf_push_u64_to_ring(data, capabilities_to_scap(((unsigned long)cap.cap[1] << 32) | cap.cap[0]));
~~~ ^
1 warning and 6 errors generated.
make[2]: *** [/usr/src/falco-5.0.1+driver/bpf/Makefile:54: /usr/src/falco-5.0.1+driver/bpf/probe.o] Error 1
make[1]: *** [Makefile:2037: /usr/src/falco-5.0.1+driver/bpf] Error 2
make: *** [Makefile:38: all] Error 2
mv: cannot stat '/usr/src/falco-5.0.1+driver/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe
```
Solved by
1. ensuring I was running fedora 36
then I ran into
```
$ sudo systemctl enable --now falco
Failed to enable unit: Unit file falco.service does not exist.
```
which I solved by:
`sudo /usr/bin/falco-driver-loader`
Now I can run falco manually (tho i can't seem to add it to a service, so i need to run it each time the system boots)
```
sudo /usr/bin/falco-driver-loader
sudo /usr/bin/falco
```