Default Macros

Last modified December 19, 2022
Use the default macros to simplify Falco Rules

The default Falco rule set defines a number of macros that make it easier to start writing rules. These macros provide shortcuts for a number of common scenarios and can be used in any user-defined rule set, as long as that rule set is loaded together with the default rules that define them.

Falco also provides macros that are intended to be overridden by the user; those are documented on a separate page.

File Opened for Writing

- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0

File Opened for Reading

- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0

Never True

- macro: never_true
  condition: (evt.num=0)

Always True

- macro: always_true
  condition: (evt.num>=0)

Proc Name is Set

- macro: proc_name_exists
  condition: (proc.name!="<NA>")

File System Object Renamed

- macro: rename
  condition: evt.type in (rename, renameat)

New Directory Created

- macro: mkdir
  condition: evt.type = mkdir

File System Object Removed

- macro: remove
  condition: evt.type in (rmdir, unlink, unlinkat)

File System Object Modified

- macro: modify
  condition: rename or remove

New Process Spawned

- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

Common Directories for Binaries

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

Shell is Started

- macro: shell_procs
  condition: (proc.name in (shell_binaries))

Known Sensitive Files

- macro: sensitive_files
  condition: >
    fd.name startswith /etc and
    (fd.name in (sensitive_file_names)
     or fd.directory in (/etc/sudoers.d, /etc/pam.d))    

Newly Created Process

proc.duration is expressed in nanoseconds, so this macro matches processes that have been running for at most 5 seconds.

- macro: proc_is_new
  condition: proc.duration <= 5000000000

Inbound Network Connections

Matches the exit (evt.dir=<) of a successful accept or listen on an IPv4 or IPv6 socket (fd.typechar 4 or 6), excluding the unspecified address 0.0.0.0 and the loopback network. The socket and result checks are joined with and, so the macro does not fire on every socket event.

- macro: inbound
  condition: >
    ((evt.type in (accept,listen) and evt.dir=<) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Outbound Network Connections

Same checks as inbound, but for the exit of connect; evt.res = EINPROGRESS covers a non-blocking connect that has not completed yet.

- macro: outbound
  condition: >
    ((evt.type = connect and evt.dir=<) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Inbound or Outbound Network Connections

Combines the two macros above into a single condition so the socket checks are evaluated once.

- macro: inbound_outbound
  condition: >
    ((evt.type in (accept,listen,connect) and evt.dir=<) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Object is a Container

- macro: container
  condition: container.id != host

Interactive Process Spawned

- macro: interactive
  condition: >
    ((proc.aname=sshd and proc.name != sshd) or
    proc.name=systemd-logind or proc.name=login)
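Putting the macros above together in a user-defined rule set. This is an added example, not part of the Falco default rules: the rule names, descriptions, tags and the extra list entry are illustrative assumptions; the macros (open_write, sensitive_files, container, spawned_process, shell_procs) and the shell_binaries list are the default ones this page documents.

```yaml
# Added example rule set that reuses the default macros.
# Load it after the default rules, e.g. falco -r falco_rules.yaml -r my_rules.yaml,
# because append: true below extends a list the default rules define.

# Extend the default shell_binaries list (used by shell_procs) without
# replacing it; the busybox entry is an assumption for this example.
- list: shell_binaries
  items: [busybox]
  append: true

# Sensitive file under /etc opened for writing by a containerised process.
- rule: Sensitive File Written In Container
  desc: A process inside a container opened a sensitive file under /etc for writing
  condition: open_write and sensitive_files and container
  output: >
    Sensitive file written in container
    (user=%user.name command=%proc.cmdline file=%fd.name
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container]

# Shell executed inside a container; spawned_process restricts this to the
# exit of execve, so each shell fires once rather than on every event.
- rule: Shell Spawned In Container
  desc: A shell listed in shell_binaries was executed inside a container
  condition: spawned_process and container and shell_procs
  output: >
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
     container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [shell, container]
```

Validate the file before deploying it with falco -V my_rules.yaml, which checks that every referenced macro and list resolves; a macro such as open_write is only available when the default rules file is loaded alongside this one.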