
How to enable and use Incubating Falco Rules or Sandbox Falco Rules?

yf-0dyssey opened this issue 1 year ago • 1 comment

What to document

Hello, everyone! I've read the official documents about rules. I want to use some rules from the incubating & sandbox rules. I only found how to disable some of the Stable rules (https://falco.org/docs/rules/controlling-rules/#disable-default-rules). But I didn't find documents about how to selectively use some of the incubating & sandbox rules. Could you kindly supply the URLs for these documents? Thanks a lot!

yf-0dyssey avatar Oct 17 '24 09:10 yf-0dyssey

https://falco.org/docs/reference/rules/default-rules/

By default, only the stable rules are loaded by Falco, you can install the sandbox or incubating rules by referencing them in the Helm chart:

helm install falco falcosecurity/falco \
--set "falcoctl.config.artifact.install.refs={falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4}" \
--set "falcoctl.config.artifact.follow.refs={falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4}" \
--set "falco.rules_files={/etc/falco/k8s_audit_rules.yaml,/etc/falco/rules.d,/etc/falco/falco_rules.yaml,/etc/falco/falco-incubating_rules.yaml,/etc/falco/falco-sandbox_rules.yaml}"

Where the option falcoctl.config.artifact.install.refs governs which rules are downloaded at startup, falcoctl.config.artifact.follow.refs identifies which rules are automatically updated and falco.rules_files indicates which rules are loaded by the engine.

Or something like this in your helm values file:

falco:
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/rules.d


falcoctl:
  config:
    artifact:
      install:
        refs:
          - falco-rules:3
          - falco-incubating-rules:4
      follow:
        refs:
          - falco-rules:3
          - falco-incubating-rules:4 

doublez13 avatar Oct 17 '24 16:10 doublez13
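The answer above loads whole maturity files, which enables every rule they contain that ships enabled. To selectively use rules from the incubating or sandbox sets, the same override mechanism the question links for stable rules applies, because all three are just rule files loaded in order by the engine. The values file below is an added example for the falcosecurity/falco chart, not something posted in this thread or shipped by the project; it installs and follows all three rule artifacts, then uses the chart's customRules map (rendered into /etc/falco/rules.d) to flip individual rules on or off. The two rule names are hypothetical placeholders; substitute names that actually exist in the incubating and sandbox files, since an override for a rule that was never defined makes rule loading fail. Note also that the override file must be listed after the files it modifies, so /etc/falco/rules.d sits last in rules_files here.

```yaml
# values.yaml for the falcosecurity/falco Helm chart (added example, not from the thread)
falco:
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    # Overrides live here and MUST load after the files they modify
    - /etc/falco/rules.d

falcoctl:
  config:
    artifact:
      install:
        refs:
          - falco-rules:3
          - falco-incubating-rules:4
          - falco-sandbox-rules:4
      follow:
        refs:
          - falco-rules:3
          - falco-incubating-rules:4
          - falco-sandbox-rules:4

customRules:
  # Each key becomes a file under /etc/falco/rules.d/ in the Falco pod
  maturity-overrides.yaml: |-
    # Hypothetical rule names: replace with real ones from the incubating/sandbox files.
    # Silence an incubating rule that ships enabled but is too noisy for this cluster.
    - rule: Example Incubating Rule To Silence
      enabled: false
      override:
        enabled: replace

    # Turn on a sandbox rule that ships disabled, without copying its condition.
    - rule: Example Sandbox Rule Shipped Disabled
      enabled: true
      override:
        enabled: replace
```

Apply it with `helm upgrade --install falco falcosecurity/falco -n falco --create-namespace -f values.yaml`. To confirm what the engine actually picked up, run `falco -L` inside the pod (it prints the name and description of every loaded rule and exits) and check the startup log lines for the three rule files; if an override names a rule that does not exist, Falco refuses to start and the error message names the offending rule.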

Thanks for your reply. I'll read these docs and try it.

yf-0dyssey avatar Oct 28 '24 03:10 yf-0dyssey

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 26 '25 04:01 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Feb 25 '25 04:02 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Mar 27 '25 04:03 poiana

@poiana: Closing this issue.


poiana avatar Mar 27 '25 04:03 poiana