Macros to Override
Falco also provides macros that are meant to be overridden by the user to supply settings specific to a user's environment. The provided macros can also be appended to in a local rules file.
The macros below contain values that can be overridden for a user's specific environment.
Common SSH Port
Override this macro to reflect ports in your environment that provide SSH services.
```yaml
- macro: ssh_port
  condition: fd.sport=22
```
Allowed SSH Hosts
Override this macro to reflect hosts that can connect to known SSH ports (i.e. a bastion or jump box).
```yaml
- macro: allowed_ssh_hosts
  condition: ssh_port
```
User Whitelisted Containers
Whitelist containers that are allowed to run in privileged mode.
```yaml
- macro: user_trusted_containers
  condition: (container.image startswith sysdig/agent)
```
Containers Allowed to Spawn Shells
Whitelist containers that are allowed to spawn shells, which may be needed if containers are used in the CI/CD pipeline.
```yaml
- macro: user_shell_container_exclusions
  condition: (never_true)
```
Containers Allowed to Communicate with EC2 Metadata Services
Whitelist containers that are allowed to communicate with the EC2 metadata service. Default: any container.
```yaml
- macro: ec2_metadata_containers
  condition: container
```
Kubernetes API Server
Set the IP of your Kubernetes API Service here.
```yaml
- macro: k8s_api_server
  condition: (fd.sip="126.96.36.199" and fd.sport=8080)
```
Containers Allowed to Communicate with the Kubernetes API
Whitelist containers that are allowed to communicate with the Kubernetes API Service. Requires k8s_api_server to be set.
```yaml
- macro: k8s_containers
  condition: >
    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
     container.image startswith gcr.io/google_containers/kube2sky or
     container.image startswith sysdig/agent or
     container.image startswith sysdig/falco or
     container.image startswith sysdig/sysdig)
```
Containers Allowed to Communicate with Kubernetes Service NodePorts
```yaml
- macro: nodeport_containers
  condition: container
```
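As an added example (not part of the original page or the Falco project's rule set), here is a local rules file that overrides several of the macros above for one site and appends to another with `append: true`, which assumes a Falco version that supports appending to macros. The port 2222, the addresses 10.0.1.10 and 10.0.0.5, and the registry.example.internal image paths are constructed placeholders.

```yaml
# falco_rules.local.yaml: site-specific overrides (added example, values are constructed)

# SSH is served on 22 and on 2222 in this environment, so both count as an SSH port.
- macro: ssh_port
  condition: (fd.sport in (22, 2222))

# Only the bastion host may open connections to those SSH ports; any other client
# reaching ssh_port no longer matches allowed_ssh_hosts and will trigger the rules that use it.
- macro: allowed_ssh_hosts
  condition: (ssh_port and fd.cip="10.0.1.10")

# Keep the upstream default (sysdig/agent) and additionally trust the site's own agent image.
# With append: true the condition text is appended to the existing macro, hence the leading "or".
- macro: user_trusted_containers
  condition: or (container.image startswith registry.example.internal/ops/agent)
  append: true

# CI runners legitimately spawn shells; replace never_true with the runner image.
- macro: user_shell_container_exclusions
  condition: (container.image startswith registry.example.internal/ci/runner)

# Tighten the default "container" (any container) to the one image that needs EC2 metadata.
- macro: ec2_metadata_containers
  condition: (container.image startswith registry.example.internal/ops/cloud-init-helper)

# Point the API server macro at this cluster's API endpoint.
- macro: k8s_api_server
  condition: (fd.sip="10.0.0.5" and fd.sport=6443)
```

Load the file after the default rules (for example with an additional `-r` argument or a second `rules_file` entry) so these definitions replace or extend the upstream macros rather than being overridden by them.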