Note: This repository has been created upon this proposal.
This repository maintains the default rules files officially owned by the Falcosecurity organization as well as the Falco Rules Files Registry.
Rules tell Falco what to do. These rules are pre-defined detections for various security threats, abnormal behaviors, and compliance-related monitoring. Adopters can customize these rules to their specific needs or use them as examples. Please refer to the official documentation to better understand the rules' concepts.
The main branch contains the most up-to-date state of development. All rules files are located under the rules folder. Please refer to our Release Process to understand how rules are released. Stable rules are released and published only when a new release gets tagged. This means that rules in the main branch can become incompatible with the latest stable Falco release if, for example, new output fields are introduced.
Links:
- Getting Started with Falco Rules - Official Documentation
- Rules Overview Document
- Rules Maturity Framework and Adoption
The falco_rules.yaml file includes community-contributed Falco rules for syscalls and container events. These rules are part of the default Falco release package and are categorized by maturity level as maturity_stable, following the Rules Maturity Framework. Rules at the remaining maturity levels can be found within the Falco rules file according to their level. Rules at a maturity level lower than maturity_stable may need extra customization to ensure effective adoption.
For an up-to-date overview table linking to the respective Mitre Attack resources and more, please refer to the rules overview document. Lastly, you can find Falco plugins rules in the respective plugins repos' subfolder.
Interested in contributing your custom rules? Visit the contributing section below and join the Falco community now.
The Falco Rules Files Registry contains metadata and information about rules files distributed by the Falcosecurity organization. The registry serves as an additional method of making the rules files available to the community, complementing the process of retrieving the rules files from this repository.
Note: Currently, the registry includes only rules for the syscall call data source; for other data sources see the plugins repository.
Rule files must be located in the /rules folder of this repository and are named according to the following convention: <ruleset>_rules.yaml.
The <ruleset> portion represents the ruleset name, which must be an alphanumeric string, separated by -, entirely in lowercase, and beginning with a letter.
Rule files are subsequently released using Git tags. The tag name should follow the pattern <ruleset>-rules-<version>, where <version> adheres to Semantic Versioning. See RELEASE.md for more details about our release process.
For instance, the falco ruleset is stored under /rules/falco_rules.yaml, and its version 1.0.0 was released using the falco-rules-1.0.0 tag.
Note: This convention applies to this repository only. Falco application does not impose any naming convention for naming rule files.
If you are interested in helping and wish to contribute, we kindly request that you review our general contribution guidelines and, more specifically, the dedicated rules contributing guide hosted in this repository. Please be aware that our reviewers will ensure compliance with the rules' acceptance criteria.
This project is licensed to you under the Apache 2.0 Open Source License.