Default Macros
Use the default macros to simplify Falco Rules
The default Falco rule set defines a number of macros that makes it easier to start writing rules. These macros provide shortcuts for a number of common scenarios and can be used in any user defined rule sets.
Falco also provide Macros that should be overridden. Refer here for further information.
File Opened for Writing
- macro: open_write
condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
File Opened for Reading
- macro: open_read
condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
Never True
- macro: never_true
condition: (evt.num=0)
Always True
- macro: always_true
condition: (evt.num=>0)
Proc Name is Set
- macro: proc_name_exists
condition: (proc.name!="<NA>")
File System Object Renamed
- macro: rename
condition: evt.type in (rename, renameat)
New Directory Created
- macro: mkdir
condition: evt.type = mkdir
File System Object Removed
- macro: remove
condition: evt.type in (rmdir, unlink, unlinkat)
- macro: remove
condition: evt.type in (rmdir, unlink, unlinkat)
File System Object Modified
- macro: modify
condition: rename or remove
New Process Spawned
- macro: spawned_process
condition: evt.type = execve and evt.dir=<
Common Directories for Binaries
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
Shell is Started
- macro: shell_procs
condition: (proc.name in (shell_binaries))
Known Sensitive Files
- macro: sensitive_files
condition: >
fd.name startswith /etc and
(fd.name in (sensitive_file_names)
or fd.directory in (/etc/sudoers.d, /etc/pam.d))
Newly Created Process
- macro: proc_is_new
condition: proc.duration <= 5000000000
Inbound Network Connections
- macro: inbound
condition: >
(((evt.type in (accept,listen) and evt.dir=<)) or
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Outbound Network Connections
- macro: outbound
condition: >
(((evt.type = connect and evt.dir=<)) or
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Inbound or Outbound Network Connections
- macro: inbound_outbound
condition: >
(((evt.type in (accept,listen,connect) and evt.dir=<)) or
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Object is a Container
- macro: container
condition: container.id != host
Interactive Process Spawned
- macro: interactive
condition: >
((proc.aname=sshd and proc.name != sshd) or
proc.name=systemd-logind or proc.name=login)
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.