This feature is available in Enterprise Edition only.
The functionality of the module might significantly change. Compatibility with future versions is not guaranteed.

FalcoAuditRules

Scope: Cluster
Version: v1alpha1

  • spec
    object

    Required value

    • spec.requiredEngineVersion
      integer

      Used to ensure compatibility between the rules content and the Falco engine version.

    • spec.requiredK8sAuditPluginVersion
      string

      Used to ensure compatibility between the rules content and plugin versions.

    • spec.rules
      array of objects

      Required value

      Describes the Falco rules that will be applied to monitor the cluster runtime.

      These rules help detect threats at runtime by observing the behavior of your applications and containers.

      Refer to the Falco documentation and reference for more details.

Minimum length: 1

      • spec.rules.list
        object

A collection of items that can be included in rules, macros, or other lists.

        Unlike rules and macros, lists cannot be parsed as filtering expressions.

        • spec.rules.list.items
          array

          Required value

          A list of values.

        • spec.rules.list.name
          string

          Required value

          A unique name for the list (as a slug).

      • spec.rules.macro
        object

        Rule condition snippets that can be re-used inside other rules and even macros.

        Macros provide a way to name common patterns and eliminate redundancies in the rules.

        • spec.rules.macro.condition
          string

          Required value

          A filtering expression that is applied to events to check whether they match the rule.

        • spec.rules.macro.name
          string

          Required value

          A short, unique name for the macro.

      • spec.rules.rule
        object

        Defines the conditions under which an alert is to be generated.

        The rule is accompanied by a descriptive output string that is sent with an alert.

        • spec.rules.rule.condition
          string

          Required value

          A filtering expression that is applied to events to check whether they match the rule.

        • spec.rules.rule.desc
          string

          Required value

          A detailed description of what the rule detects.

        • spec.rules.rule.enabled
          boolean

          If set to false, a rule is neither loaded nor matched against any events.

          Default: true

        • spec.rules.rule.name
          string

          Required value

          A short, unique name for the rule.

        • spec.rules.rule.output
          string

          Required value

          A message to output if a matching event occurs.

        • spec.rules.rule.priority
          string

          Required value

The severity of the event.

          Allowed values: Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug

        • spec.rules.rule.source
          string

          The event source for which this rule is to be evaluated.

          Default: "Syscall"

          Allowed values: Syscall, K8sAudit

        • spec.rules.rule.tags
          array of strings

          A list of tags applied to the rule.
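A complete resource that exercises every part of the schema above (a list, a macro that uses plugin fields, and a rule that references both). This is an added example, not a manifest from the module's own documentation. Assumptions not stated on the page: the API group `deckhouse.io` (the page gives only the version `v1alpha1`), the `requiredEngineVersion` and `requiredK8sAuditPluginVersion` values, the `ka.*` field names of the Falco k8saudit plugin used in the conditions, and the `metadata.name`.

```yaml
# Added example for the FalcoAuditRules schema; not taken from the module's
# own documentation. Assumed: the API group "deckhouse.io", the engine and
# plugin version numbers, the ka.* k8saudit plugin fields, and the object name.
apiVersion: deckhouse.io/v1alpha1
kind: FalcoAuditRules
metadata:
  name: kube-audit-exec-example   # constructed name
spec:
  # Version gates: loading fails if the engine or plugin is older than required.
  requiredEngineVersion: 15                 # assumed value
  requiredK8sAuditPluginVersion: "0.6.0"    # assumed value
  rules:
    # A list: plain values that a condition references by name with "in (...)".
    - list:
        name: sensitive_namespaces
        items:
          - kube-system
          - d8-system
    # A macro: a reusable condition fragment referenced by name inside rules.
    - macro:
        name: pod_exec_request
        condition: >-
          ka.verb = create and ka.target.resource = pods
          and ka.target.subresource = exec
    # A rule: combines the macro and the list and produces the alert.
    - rule:
        name: Exec into pod in sensitive namespace
        desc: >-
          Detects pods/exec create requests (kubectl exec) targeting a pod in
          one of the namespaces enumerated in sensitive_namespaces.
        condition: >-
          pod_exec_request and ka.target.namespace in (sensitive_namespaces)
        output: >-
          Exec into sensitive namespace (user=%ka.user.name
          namespace=%ka.target.namespace pod=%ka.target.name)
        priority: Warning       # one of the allowed values listed above
        source: K8sAudit        # evaluated against audit events, not syscalls
        enabled: true           # the default; shown here for clarity
        tags:
          - k8s-audit
          - exec
```

Each element of `spec.rules` carries exactly one of `list`, `macro`, or `rule`, and order matters in the same way it does in a plain Falco rules file: the list and the macro are declared before the rule that references them. Because `source` is `K8sAudit`, the rule is only matched against Kubernetes audit events, so the syscall-oriented fields (`proc.*`, `fd.*`) are not available in its condition.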