Falco hot reload

While practicing Falco, I’ve noticed that the PID is not available via cat /var/run/falco.pid.
Falco is started by systemd as a service.

controlplane $ service falco status
● falco.service - Falco: Container Native Runtime Security
     Loaded: loaded (/lib/systemd/system/falco.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-12-19 11:05:09 UTC; 11min ago
       Docs: https://falco.org/docs/
    Process: 47647 ExecStartPre=/sbin/modprobe falco (code=exited, status=0/SUCCESS)
   Main PID: 47663 (falco)
      Tasks: 16 (limit: 2339)
     Memory: 18.8M
     CGroup: /system.slice/falco.service
             └─47663 /usr/bin/falco --pidfile=/var/run/falco.pid
controlplane $ cat /var/run/falco.pid
cat: /var/run/falco.pid: No such file or directory

Any idea if something has changed?

To get the pid I use ps aux | grep falco

Also I have noticed that the changes to the rules take effect even without a falco service hot reload.

Any clarifications would be helpful.

I’ll admit that I’ve never worried about where Falco’s run file is. I just use systemctl restart falco after I finish my changes to its configuration files. You’re correct that Falco can detect changes to these files, but it may take some time to do so, and when doing the CKS exam, time is something you have little of 🙂

1 Like
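
Added example, not part of the original posts or Falco's own tooling: a shell helper that resolves Falco's PID when the pidfile is missing (falling back to systemd's MainPID, then the process table), validates a rules file with falco -V, and sends SIGHUP for a hot reload. The function names and the default rules path /etc/falco/falco_rules.local.yaml are assumptions; the unit name falco and the pidfile path come from the thread.

```shell
#!/bin/sh
# Added example: hot-reload Falco without depending on /var/run/falco.pid.

# Print the PID of the running Falco process, or return 1 if none is found.
# $1: pidfile to try first (defaults to the path shown in the thread).
falco_pid() {
    pidfile="${1:-/var/run/falco.pid}"
    pid=''
    if [ -s "$pidfile" ]; then
        pid=$(cat "$pidfile")
    elif command -v systemctl >/dev/null 2>&1; then
        # systemd tracks the main PID itself, pidfile or not.
        pid=$(systemctl show --property=MainPID --value falco 2>/dev/null)
    fi
    # MainPID is 0 when the unit is not running; fall back to the process table.
    case "$pid" in
        ''|0) pid=$(pgrep -o -x falco 2>/dev/null) ;;
    esac
    [ -n "$pid" ] && echo "$pid"
}

# Validate a rules file, then signal Falco to re-read its config and rules.
# $1: rules file (assumed default), $2: pidfile passed through to falco_pid.
reload_falco() {
    rules="${1:-/etc/falco/falco_rules.local.yaml}"
    # Refuse to reload on a rules file that fails validation, so a typo
    # does not leave the sensor running without the intended rules.
    falco -V "$rules" || { echo "rules failed validation: $rules" >&2; return 1; }
    target=$(falco_pid "${2:-}") || { echo "falco is not running" >&2; return 1; }
    kill -HUP "$target"
}

# Run as: ./falco-reload.sh reload [rules-file]
if [ "${1:-}" = "reload" ]; then
    reload_falco "${2:-}"
fi
```

Validating first matters because a reload with a broken rules file can stop detection until someone notices; the SIGHUP is only sent once falco -V has accepted the file.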

Thanks @rob_kodekloud :+1: