{"id":"88156fee-88df-45d3-a7d0-95172c167e63","task":"Run Falco with the modern-eBPF driver instead of the kernel module or legacy eBPF probe","domain":"falco.org","steps":["Confirm the host kernel version meets the modern-eBPF driver minimum requirement (5.8 or later with BTF enabled, check /sys/kernel/btf/vmlinux)","Start Falco with the '--driver modern_ebpf' flag or set 'driver.kind: modern_ebpf' in falco.yaml","Verify that Falco starts without errors related to driver loading and that kernel probe compilation is not attempted","Confirm event capture by running a test exec inside a container and checking Falco output for the expected evt.type = execve event","If running in a container, ensure the pod has the necessary Linux capabilities (CAP_BPF, CAP_PERFMON) and that the host /sys/kernel/btf path is mounted"],"gotchas":["Modern-eBPF requires BTF (BPF Type Format) to be available on the host; cloud-managed node images sometimes strip BTF, causing Falco to fall back to other drivers silently","Unlike the kernel module, the modern-eBPF driver does not require a kernel headers package or module compilation at runtime, but it does require a sufficiently recent kernel","Running Falco as a Kubernetes DaemonSet with modern-eBPF needs appropriate securityContext settings; verify the Falco Helm chart version supports modern_ebpf as a driver option before upgrading"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/88156fee-88df-45d3-a7d0-95172c167e63"}