How to deactivate or add filtering on rules matching #788
Labels
kind/documentation
Improvements or additions to documentation
Comments
|
Hi, Here's some examples for appending items to lists and disable some specific rules: customRules:
override-rules.yaml: |-
- list: falco_containers
items: ["docker.io/issif/falco-talon"]
override:
items: append
- list: package_mgmt_binaries
items: ["apt"]
override:
items: append
- rule: Terminal shell in container
condition: and not k8s.ns.name="kube-system"
override:
enabled: append
- rule: Contact EC2 Instance Metadata Service From Container
enabled: false
override:
enabled: replace
- rule: Non sudo setuid
enabled: false
override:
enabled: replaceYou can use my rules explorer to know the default rules, which lists and macros they use you could replace or extend. |
|
Thanks for the answer ! A little mistake in your example: - rule: Terminal shell in container
condition: and not k8s.ns.name="kube-system"
override:
condition: appendThe override should concern |
You're right, forgot to edit this part, you understood the method anyway 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I just got started on falco, following installation by default using helm.
I'm looking for a way to ignore some rules, or adding filtering conditions.
For example:
I have a rules looking for binary installation on pods, and i want to say that some container are legitimate to make this. So I wouldn't throw an alert for specific container.
A more global rules could be, i want to deactivate a default rules because it doesn't make sense in my environment.
I can't find a way to achieve this.
Any hint ?
The text was updated successfully, but these errors were encountered: