Confirm the host kernel version meets the modern-eBPF driver minimum requirement (5.8 or later with BTF enabled; check that /sys/kernel/btf/vmlinux exists)
Start Falco with the '--driver modern_ebpf' flag or set 'driver.kind: modern_ebpf' in falco.yaml
Verify that Falco starts without errors related to driver loading and that kernel probe compilation is not attempted
Confirm event capture by running a test exec inside a container and checking Falco output for the expected evt.type = execve event
If running in a container, ensure the pod has the necessary Linux capabilities (CAP_BPF, CAP_PERFMON) and that the host /sys/kernel/btf path is mounted
Known gotchas
Modern-eBPF requires BTF (BPF Type Format) to be available on the host; cloud-managed node images sometimes strip BTF, causing Falco to fall back to other drivers silently
Unlike the kernel module, the modern-eBPF driver does not require a kernel headers package or module compilation at runtime, but it does require a sufficiently recent kernel
Running Falco as a Kubernetes DaemonSet with modern-eBPF needs appropriate securityContext settings; verify the Falco Helm chart version supports modern_ebpf as a driver option before upgrading
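The kernel, BTF and capability prerequisites from the steps and gotchas above, written as a preflight script so a missing BTF file or capability shows up before Falco is started. This is an added example, not part of Falco or the original page; the function names are hypothetical, and the capability bit numbers (CAP_PERFMON = 38, CAP_BPF = 39) are taken from linux/capability.h.

```shell
#!/bin/sh
# Added example: preflight for Falco's modern_ebpf driver (hypothetical helper names).
CAP_PERFMON=38   # bit positions in the CapEff mask, per linux/capability.h
CAP_BPF=39

# kernel_at_least RELEASE MAJOR MINOR -> 0 if a `uname -r` style RELEASE >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%[!0-9.]*}                       # "5.15.0-91-generic" -> "5.15.0"
    case "$rel" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac   # unparseable: fail closed
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# btf_available [PATH] -> 0 if the BTF blob is readable (default: host path from step 1)
btf_available() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# has_cap HEXMASK BIT -> 0 if that capability bit is set in a CapEff-style hex mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# preflight RELEASE BTF_PATH CAPEFF -> one FAIL line per unmet prerequisite; 0 if all pass
preflight() {
    rc=0
    kernel_at_least "$1" 5 8    || { echo "FAIL kernel $1 is older than 5.8"; rc=1; }
    btf_available "$2"          || { echo "FAIL no readable BTF at $2"; rc=1; }
    has_cap "$3" "$CAP_BPF"     || { echo "FAIL CAP_BPF not in effective set"; rc=1; }
    has_cap "$3" "$CAP_PERFMON" || { echo "FAIL CAP_PERFMON not in effective set"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK modern_ebpf prerequisites met"
    return "$rc"
}

# Check this host/process: kernel release, default BTF path, own effective capabilities.
capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
preflight "$(uname -r)" /sys/kernel/btf/vmlinux "${capeff:-0}" \
    || echo "Resolve the FAIL lines before selecting modern_ebpf"
```

Run it in the same context Falco will run in (inside the pod for a DaemonSet), because the effective capability set and the mounted /sys/kernel/btf path are per-container.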