Macros to Override
Falco also provide Macros that should be overridden by the user to provide settings that are specific to a user's environment. The provided Macros can also be appended to in a local rules file.
The below macros contain values that can be overridden for a user's specific environment.
Common SSH Port
Override this macro to reflect ports in your environment that provide SSH services.
- macro: ssh_port condition: fd.sport=22
Allowed SSH Hosts
Override this macro to reflect hosts that can connect to known SSH ports (ie a bastion or jump box).
- macro: allowed_ssh_hosts condition: ssh_port
User Whitelisted Containers
Whitelist containers that are allowed to run in privileged mode.
- macro: user_trusted_containers condition: (container.image startswith sysdig/agent)
Containers Allowed to Spawn Shells
Whitelist containers that are allowed to spawn shells, which may be needed if containers are used in the CI/CD pipeline.
- macro: user_shell_container_exclusions condition: (never_true)
Containers Allowed to Communicate with EC2 Metadata Services
Whitelist containers that are allowed to communicate with the EC2 metadata service. Default: any container.
- macro: ec2_metadata_containers condition: container
Kubernetes API Server
Set the IP of your Kubernetes API Service here.
- macro: k8s_api_server condition: (fd.sip="220.127.116.11" and fd.sport=8080)
Containers Allowed to Communicate with the Kubernetes API
Whitelist containers that are allowed to communicate with the Kubernetes API Service. Requires k8s_api_server being set.
- macro: k8s_containers condition: > (container.image startswith gcr.io/google_containers/hyperkube-amd64 or container.image startswith gcr.io/google_containers/kube2sky or container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
Containers Allowed to Communicate with Kubernetes Service NodePorts
- macro: nodeport_containers condition: container
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.