rules
Falco rule repository
**What to document** failed_remove_sensitive_file condition similar to the open sensitive file condition, just a failed or removed sensitive file condition would be much appreciated. /kind documentation
**What type of PR is this?** > Uncomment one (or more) `/kind ` lines: > /kind feature > /kind bug > /kind cleanup > /kind design > /kind documentation /kind...
**What type of PR is this?** After more than a year as a reviewer in the falcosecurity/rules repo and more than 3 years as a contributor in the Falco community,...
**Motivation** See https://github.com/falcosecurity/rules/pull/149#issuecomment-1705527047 The common use case is when a list or a macro is first defined in the *stable* rules file, but it is also needed (as-is or extended)...
**Motivation** The rules must be both syntactically and grammatically correct and should evaluate to true during successful end-to-end tests. Furthermore, it needs to accurately detect the intended cyber threats, specifically...
See https://github.com/falcosecurity/libs/issues/1546#issue-2025780307 @Biagio-Dipalma @loresuso @darryk10 @RichardoC
**Motivation** We are missing logs for what a user is performing in a container. We have alerts if one runs "dangerous" commands like `nc` but I want to use falco...
**Motivation** The name of the OCI artifact to package the rules file and the name of the .yaml containing the rules are not the same (`-` vs `_`). See: |...
In some rules like `Set Setuid or Setgid bit` we use some filter checks like `fd=%evt.arg.fd`. These filter checks are event-specific so using them with a condition like `evt.type in...
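Two of the items above point at the same practical question: the request for a failed/removed sensitive file condition, and the note that filter checks such as `fd=%evt.arg.fd` are event-specific and must not be applied blindly across an `evt.type in (...)` set. The rules file below is an added illustration written for this page, not code from the falcosecurity/rules repository. The list contents, macro and rule names are hypothetical; it assumes that `evt.arg.path` is populated for `unlink` and `evt.abspath` for the dirfd-relative `unlinkat`, and that `evt.rawres` carries the numeric syscall return value on the exit (`evt.dir=<`) event. Those field assumptions should be checked against the Falco field reference for the Falco version in use.

```yaml
# Added example for this page; not a rule shipped by falcosecurity/rules.
# Field availability per event type is an assumption; verify with `falco --list`.

- list: sensitive_file_names
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]

# Path extraction is guarded per event type because the argument names differ:
# unlink(path) exposes evt.arg.path, unlinkat(dirfd, name, flags) is resolved
# through evt.abspath (assumed to be computed from dirfd + name).
- macro: remove_sensitive_file_path
  condition: >
    ((evt.type = unlink and evt.arg.path in (sensitive_file_names)) or
     (evt.type = unlinkat and evt.abspath in (sensitive_file_names)))

# Exit events only: the return value is not known on the enter (>) event.
- macro: remove_sensitive_file_failed
  condition: >
    (evt.type in (unlink, unlinkat) and evt.dir = < and evt.rawres < 0
     and remove_sensitive_file_path)

- macro: remove_sensitive_file_succeeded
  condition: >
    (evt.type in (unlink, unlinkat) and evt.dir = < and evt.rawres = 0
     and remove_sensitive_file_path)

- rule: Failed Remove Sensitive File (example)
  desc: A process attempted to delete a sensitive file and the syscall failed.
  condition: remove_sensitive_file_failed
  output: >
    Failed attempt to remove sensitive file
    (user=%user.name proc=%proc.name args=%evt.args res=%evt.res
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, mitre_defense_evasion]

- rule: Remove Sensitive File (example)
  desc: A process deleted a sensitive file.
  condition: remove_sensitive_file_succeeded
  output: >
    Sensitive file removed
    (user=%user.name proc=%proc.name args=%evt.args
     container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_defense_evasion]
```

The output uses `%evt.args` rather than a per-event argument field so that the same output template is valid for both syscalls; a field that exists for only one of the event types in the `evt.type in (...)` set would render empty or fail validation on the other. Exercising both rules is straightforward: `rm /etc/shadow` as an unprivileged user should produce the failed-removal alert with `res=EACCES` or `EPERM`, while the same command as root should produce the successful-removal alert.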
**Motivation** When using Falco and testing various variations of certain techniques it became apparent that the rule **Netcat Remote Code Execution in Containers** does not trigger when the nc binary...