Chapter 7. Falco Rules

Chapters 3 through 6 gave you a comprehensive view of Falco’s architecture, describing most of the important concepts that a serious Falco user needs to understand. The remaining piece to cover is one of the most important ones: rules. Rules are at the heart of Falco. You’ve already encountered them several times, but this chapter approaches the topic in a more formal and comprehensive manner, giving you the foundation you will need as you work through the next parts of the book.

Note

This chapter covers what rules are and their syntax. The goal is to give you all the knowledge you need to understand and use them, not to teach you to write your own. Writing your own rules will be covered in Part IV of the book (in particular, in Chapter 13).

Falco is designed to be easy and intuitive, and the rule syntax and semantics are no exception. Rules files are straightforward, and you’ll be able to understand them in no time. Let’s start by covering some basics.

Introducing Falco Rules Files

Falco rules tell Falco what to do. They are typically packaged inside rules files, which Falco reads at startup time. A rules file is a YAML file that can contain one or more rules, with each rule being a node in the YAML body.
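To make the layout described above concrete, here is a minimal rules file added as an illustration (it is not from the book and not one of Falco's default rules files). It shows the three common node kinds a rules file can hold: a list, a macro and a rule. The top-level keys and field names follow Falco's documented rules syntax; the particular list items, macro and rule contents are constructed for this example.

```yaml
# Added example rules file (not from the book or the Falco project).
# Structure and field names follow Falco's rules syntax; the list, macro
# and rule contents below are constructed for illustration.

# A list: a named set of values that can be reused inside conditions.
- list: shell_binaries
  items: [bash, sh, zsh, dash]

# A macro: a named condition fragment that rules can reuse.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# A rule: the condition to match, the output line to emit and the alert priority.
- rule: Shell Spawned in Container
  desc: Detect a shell process starting inside a container
  condition: >
    spawned_process and container.id != host
    and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.id image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, shell]
```

Each `-` entry is one node in the YAML sequence; the list and macro must be defined before the rule that references them, and the `%field` placeholders in `output` are expanded from the matching event when the alert is generated.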

Falco comes packaged with a set of default rules files that are normally located in /etc/falco. The default rules files are loaded automatically if Falco is launched with no command-line options. These files are curated by the community and ...
