Default Macros
The default Falco rule set defines a number of macros that make it easier to start writing rules. These macros provide shortcuts for common scenarios and can be used in any user-defined rule set. Falco also provides macros that are meant to be overridden by the user to supply settings specific to the user's environment. The provided macros can also be appended to in a local rules file.
File Opened for Writing
File Opened for Reading
Never True
Always True
Proc Name is Set
File System Object Renamed
New Directory Created
File System Object Removed
File System Object Modified
New Process Spawned
Common Directories for Binaries
Shell is Started
Known Sensitive Files
Newly Created Process
Inbound Network Connections
Outbound Network Connections
Inbound or Outbound Network Connections
Object is a Container
Interactive Process Spawned
Macros to Override
The below macros contain values that can be overridden for a user's specific environment.
Common SSH Port
Override this macro to reflect ports in your environment that provide SSH services.
Allowed SSH Hosts
Override this macro to reflect hosts that can connect to known SSH ports (i.e. a bastion or jump box).
User Whitelisted Containers
Whitelist containers that are allowed to run in privileged mode.
Containers Allowed to Spawn Shells
Whitelist containers that are allowed to spawn shells, which may be needed if containers are used in the CI/CD pipeline.
Containers Allowed to Communicate with EC2 Metadata Services
Whitelist containers that are allowed to communicate with the EC2 metadata service. Default: any container.
Kubernetes API Server
Set the IP of your Kubernetes API Service here.
Containers Allowed to Communicate with the Kubernetes API
Whitelist containers that are allowed to communicate with the Kubernetes API Service. Requires the k8s_api_server macro to be set.
Containers Allowed to Communicate with Kubernetes Service NodePorts
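A local rules file that overrides and appends to the macros described above, as an added example rather than a file from the Falco project. It assumes the default loading order (falco_rules.yaml before falco_rules.local.yaml) and that the macro names allowed_ssh_hosts and k8s_containers match the installed default ruleset; the IP addresses and image name are constructed sample values.

```yaml
# /etc/falco/falco_rules.local.yaml (added example, not the upstream ruleset)
# Falco loads this file after falco_rules.yaml, so a macro defined here
# with the same name replaces the default definition.

# Kubernetes API server: point the macro at the cluster's API service.
# 10.96.0.1 is a constructed sample value; use your cluster's service IP.
- macro: k8s_api_server
  condition: (fd.sip="10.96.0.1" and fd.sport=443)

# Hosts allowed to reach the SSH port: only the bastion (constructed address).
# Keeping this tight means any other inbound SSH source still raises an alert.
- macro: allowed_ssh_hosts
  condition: (fd.cip="192.168.10.5")

# Containers allowed to talk to the API server: extend rather than replace.
# With append: true the text is appended to the existing condition, so it
# must start with a boolean operator. The image name is a constructed value.
- macro: k8s_containers
  append: true
  condition: or (container.image.repository endswith "example/cluster-operator")
```

Run falco with -L or a dry run against this file after editing to confirm the macros still parse, since a redefined macro with a syntax error disables every rule that references it.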