FalcoAuditRules
Scope: Cluster
Version: v1alpha1
- spec (object)
Required value
- spec.requiredEngineVersion (integer)
Used to ensure compatibility between the rules content and the Falco engine version.
- spec.requiredK8sAuditPluginVersion (string)
Used to ensure compatibility between the rules content and plugin versions.
- spec.rules (array of objects)
Required value
Describes the Falco rules that will be applied to monitor the cluster runtime.
These rules help detect threats at runtime by observing the behavior of your applications and containers.
Refer to the Falco documentation and reference for more details.
Minimal length: 1
- spec.rules.list (object)
Collections of items that can be included in rules, macros, or other lists.
Unlike rules and macros, lists cannot be parsed as filtering expressions.
- spec.rules.list.items (array)
Required value
A list of values.
- spec.rules.list.name (string)
Required value
A unique name for the list (as a slug).
- spec.rules.macro (object)
Rule condition snippets that can be re-used inside other rules and even macros.
Macros provide a way to name common patterns and eliminate redundancies in the rules.
- spec.rules.macro.condition (string)
Required value
A filtering expression that is applied to events to check whether they match the rule.
- spec.rules.macro.name (string)
Required value
A short, unique name for the macro.
- spec.rules.rule (object)
Defines the conditions under which an alert is to be generated.
The rule is accompanied by a descriptive output string that is sent with an alert.
- spec.rules.rule.condition (string)
Required value
A filtering expression that is applied to events to check whether they match the rule.
- spec.rules.rule.desc (string)
Required value
A detailed description of what the rule detects.
- spec.rules.rule.enabled (boolean)
If set to false, a rule is neither loaded nor matched against any events.
Default: true
- spec.rules.rule.name (string)
Required value
A short, unique name for the rule.
- spec.rules.rule.output (string)
Required value
A message to output if a matching event occurs.
- spec.rules.rule.priority (string)
Required value
The severity of the event.
Allowed values: Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug
- spec.rules.rule.source (string)
The event source for which this rule is to be evaluated.
Default: "Syscall"
Allowed values: Syscall, K8sAudit
- array of strings
A list of tags applied to the rule.
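As an added example (not code from the Deckhouse or Falco projects), the following Python check applies the field rules listed above to a FalcoAuditRules spec before it is submitted to the cluster: required fields per item type, unique names, the allowed priority and source values, and the defaults for source and enabled. The embedded spec is constructed; the ka.* names in its conditions are Falco's Kubernetes audit fields, which this page does not list.

```python
PRIORITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")
SOURCES = ("Syscall", "K8sAudit")
REQUIRED = {"list": ("name", "items"),
            "macro": ("name", "condition"),
            "rule": ("name", "condition", "desc", "output", "priority")}

def validate_spec(spec):
    """Return the problems found; an empty list means the spec passes these checks."""
    problems = []
    rules = spec.get("rules")
    if not isinstance(rules, list) or len(rules) < 1:
        return ["spec.rules is required and must contain at least one item"]
    seen = set()  # (kind, name) pairs, since names must be unique within a kind
    for i, item in enumerate(rules):
        for kind, body in item.items():
            if kind not in REQUIRED:
                problems.append(f"rules[{i}]: unknown item type {kind!r}")
                continue
            for field in REQUIRED[kind]:
                if field not in body:
                    problems.append(f"rules[{i}].{kind}.{field} is required")
            name = body.get("name")
            if (kind, name) in seen:
                problems.append(f"rules[{i}].{kind}: duplicate name {name!r}")
            seen.add((kind, name))
            if kind == "rule":
                if body.get("priority") not in PRIORITIES:
                    problems.append(f"rules[{i}].rule.priority must be one of {PRIORITIES}")
                if body.get("source", "Syscall") not in SOURCES:  # default: Syscall
                    problems.append(f"rules[{i}].rule.source must be Syscall or K8sAudit")
                if not isinstance(body.get("enabled", True), bool):  # default: true
                    problems.append(f"rules[{i}].rule.enabled must be a boolean")
    return problems

# Constructed spec: a list feeds a macro, which feeds a rule that is evaluated on
# the Kubernetes audit log (source K8sAudit) instead of the default Syscall source.
SAMPLE_SPEC = {
    "rules": [
        {"list": {"name": "sensitive_namespaces", "items": ["kube-system"]}},
        {"macro": {"name": "write_verb",
                   "condition": "ka.verb in (create, update, patch, delete)"}},
        {"rule": {"name": "Write in sensitive namespace",
                  "desc": "Detects write requests to namespaces in sensitive_namespaces",
                  "condition": "write_verb and ka.target.namespace in (sensitive_namespaces)",
                  "output": "Write to sensitive namespace (user=%ka.user.name verb=%ka.verb ns=%ka.target.namespace)",
                  "priority": "Warning", "source": "K8sAudit"}},
    ],
}
```

Running validate_spec(SAMPLE_SPEC) returns an empty list; a rule with a priority or source outside the allowed values, or a missing required field, shows up as one entry per problem.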