github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-21 09:57:15 +00:00
Code Issues Projects Releases Wiki Activity

Updated Falco Rules (markdown)

Mark Stemm
2016-09-16 09:25:52 -07:00
parent bedcb5b9de
commit f5c3a4d597
1 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
Falco-Rules.md

@@ -2,10 +2,14 @@
_Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_ _Call for contributions: If you come up with additional rules which you'd like to see in the core repository - PR welcome!_
A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing two kinds of elements: *rules* and *macros*. Rules consist of a *condition* under which an alert should be generated and a *output string* to send with the alert. A falco rules file is a [YAML](http://www.yaml.org/start.html) file containing three kinds of elements: *rules*, *macros*, and *lists*.
Rules consist of a *condition* under which an alert should be generated and a *output string* to send with the alert.
Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns. Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns.
Lists are (surprise!) lists of items that can be included in rules, macros, or other lists. Unlike rules/macros, they can not be parsed as sysdig filtering expressions.
## Rules ## Rules
A Rule is a node containing the following keys: A Rule is a node containing the following keys:
@@ -51,6 +55,31 @@ With this macro defined, we can then rewrite the above rule's condition as `in_c
For many more examples of rules and macros, please take a look `rules/falco_rules.yaml`. For many more examples of rules and macros, please take a look `rules/falco_rules.yaml`.
## Lists
The third type of item in a rules file is lists. A list is a node with the following keys:
* _list_: a name for the list
* _items_: a list of values
Here's an example:
```
- list: shell_binaries
items: [bash, csh, ksh, sh, tcsh, zsh, dash]
- list: userexec_binaries
items: [sudo, su]
- list: known_binaries
items: [shell_binaries, userexec_binaries]
- macro: safe_procs
condition: proc.name in (known_binaries)
```
Referring to a list inserts the list items in the macro, rule, or list. Note that lists can contain other lists.
## Rule Condition Best Practices ## Rule Condition Best Practices
To allow for grouping of rules by event type, which improves performance, falco prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like: To allow for grouping of rules by event type, which improves performance, falco prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like: