Several examples of Falco Rules
Here are some examples of the types of behavior falco can detect.
For a more comprehensive set of examples, see the full rules file at
A shell is run in a container
- macro: container condition: container.id != host - macro: spawned_process condition: evt.type = execve and evt.dir=< - rule: run_shell_in_container desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. condition: container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker) output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" priority: WARNING
Unexpected outbound Elasticsearch connection
- macro: outbound condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) - macro: elasticsearch_cluster_port condition: fd.sport=9300 - rule: elasticsearch_unexpected_network_outbound desc: outbound network traffic from elasticsearch on a port other than the standard ports condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)" priority: WARNING
Write to directory holding system binaries
- macro: open_write condition: > (evt.type=open or evt.type=openat) and fd.typechar='f' and (evt.arg.flags contains O_WRONLY or evt.arg.flags contains O_RDWR or evt.arg.flags contains O_CREAT or evt.arg.flags contains O_TRUNC) - macro: package_mgmt_binaries condition: proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum) - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: evt.dir = < and open_write and not proc.name in (package_mgmt_binaries) and bin_dir output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
Non-authorized container namespace change
- rule: change_thread_namespace desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent) output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)" priority: WARNING
Non-device files written in /dev (some rootkits do this)
- rule: create_files_below_dev desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
Process other than skype/webex tries to access camera
- rule: access_camera desc: a process other than skype/webex tries to access the camera condition: evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex) output: Unexpected process opening camera video device (command=%proc.cmdline) priority: WARNING
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified Nov 19, 2022: added section reference/rules/examples (a867c2e)