From 2a7a75c109fbf7be705d7b86ae38facddc2bba42 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 20 Sep 2017 17:29:30 -0700 Subject: [PATCH] Updated Falco Rules (markdown) --- Falco-Rules.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/Falco-Rules.md b/Falco-Rules.md index 5defbf6..982d3b2 100644 --- a/Falco-Rules.md +++ b/Falco-Rules.md @@ -82,6 +82,32 @@ Here's an example: Referring to a list inserts the list items in the macro, rule, or list. Note that lists can contain other lists. +### Appending to Lists +(This feature isn't in any official Falco release yet, but it was added to the dev version as of https://github.com/draios/falco/pull/264) + +If you use multiple falco rules files, you might want to append new items to an existing list. To do that, define a list with the same name as an existing list, and add an `append: true` attribute to the list. Here's an example: + +*falco_rules.yaml* +``` +- list: my_programs + items: [ls, cat, pwd] + +- rule: my_programs_opened_file + desc: track whenever a set of programs opens a file + condition: proc.name in (my_programs) and evt.type=open + output: a tracked program opened a file (user=%user.name command=%proc.cmdline file=%fd.name) + priority: INFO +``` + +*falco_rules-additional.yaml* +``` +- list: my_programs + append: true + items: [cp] +``` + +If you ran falco via `falco -r falco_rules.yaml -r falco_rules-additional.yaml`, the rule `my_programs_opened_file` would trigger whenever any of `ls`, `cat`, `pwd`, or `ls` opened a file. + ## Rule Priorities Every falco rule has a priority which indicates how serious a violation of the rule is. The priority will be included in the message/json output/etc. The possible set of priorities are:
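Review bot: the closing sentence of the new "Appending to Lists" section lists `ls` twice ("`ls`, `cat`, `pwd`, or `ls`"), but the item appended in *falco_rules-additional.yaml* is `cp`; it should read "`ls`, `cat`, `pwd`, or `cp` opened a file". It would also help to state explicitly that the file containing the `append: true` list must be loaded after the file that defines the original list (the example's `-r falco_rules.yaml -r falco_rules-additional.yaml` order does this), since the text only says the list is appended to an "existing" list and does not say what happens when no list of that name has been loaded yet.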