Falco Ruleset
Definition
Falco is an open-source runtime security tool that monitors system behavior (system calls and other event sources) to detect anomalous activity. A Falco ruleset is a collection of rules, each describing a suspicious behavior or security threat to watch for. Rules are written in YAML and specify the condition under which an alert is emitted, the message to output, and a priority, so potential breaches or policy violations can be identified in real time. Note that a Falco rule only generates an alert when its condition matches; it does not permit or block the activity itself.
Secure Settings Example
- rule: Write below etc
  desc: Detect any write below the /etc directory
  # Scoped to one sensitive directory, so matches are rare and worth a look.
  # Note: the raw write syscall is one of the high-volume events Falco ignores
  # by default; it is only captured when Falco runs with the -A flag.
  condition: evt.type = write and fd.name startswith /etc
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
  tags: [filesystem, mitre_persistence]
Insecure Settings Example
- rule: Allow all writes
  desc: This rule allows all write operations without any restrictions
  # No path or process scoping: every write on the host matches, so the real
  # signal (writes to sensitive locations) is buried in INFO-level noise.
  condition: evt.type = write
  output: "Write operation detected (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: INFO
  tags: [filesystem]
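To show how the scoped rule above is usually built out in a real ruleset, and why the unscoped rule is the wrong answer, here is an added example (not from this page or from the upstream Falco rules). It reuses Falco's list, macro and exceptions constructs, keys on files opened for writing rather than the raw write syscall (the common pattern in published rules), and the process names and paths in the list and exception are illustrative assumptions.

```yaml
# Added example ruleset; process names and paths below are illustrative assumptions.

# A list of binaries that legitimately edit /etc; referenced from the rule.
- list: package_mgmt_binaries
  items: [apt, apt-get, dpkg, yum, dnf, rpm]

# Macro: any syscall that opens a file for writing (cheaper and more complete
# than matching the write syscall itself, which Falco drops by default).
- macro: open_write
  condition: (evt.type in (open, openat, openat2, creat) and evt.is_open_write=true)

# Macro: the open-for-write is for a path under /etc.
- macro: write_etc_common
  condition: (open_write and fd.name startswith /etc/)

- rule: Write below etc
  desc: >
    A file below /etc was opened for writing by a process that is not a
    known package-management tool. Persistence mechanisms (cron entries,
    PAM and sshd configuration) commonly land here.
  condition: >
    write_etc_common
    and not proc.name in (package_mgmt_binaries)
  # Exceptions are evaluated as "and not (...)" on top of the condition; each
  # value row is matched field-by-field using the listed comparison operators.
  exceptions:
    - name: resolver_updates
      fields: [proc.name, fd.name]
      comps: [=, startswith]
      values:
        - [systemd-resolved, /etc/resolv.conf]   # assumed example pairing
  output: >
    File below /etc opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname
    container_id=%container.id container_name=%container.name)
  priority: WARNING
  tags: [filesystem, mitre_persistence]
```

Run `falco -V <file>` against the file to validate the syntax before loading it, and tune the list and exceptions from observed alerts rather than widening the condition.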