When adding a custom rule to Falco, note that the rule's output text cannot start with a field value.
If the first token of the output string is a field reference (for example %evt.type), the YAML does not parse.
Example of a custom rule that fails to load (note the output field):

- rule: Terminal shell in container
  desc: >
    A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have
    legitimately already exited and be null (read container_entrypoint macro). Common when using "kubectl exec" in Kubernetes.
    Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name).
    Rather than considering it a standalone rule, it may be best used as generic auditing rule while examining other triggered
    rules in this container/tty.
  condition: >
    spawned_process
    and container
    and shell_procs
    and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: %evt.type
  priority: NOTICE
  tags: [maturity_stable, container, shell, mitre_execution, T1059]
Error reported by Falco:

Dec 19 14:46:35 kubeworker01 falco: 14:46:35.499499693: Critical Falco internal: hot restart failure: /etc/falco/falco_rules.local.yaml: Invalid#0121 Errors:#012In rules content: (/etc/falco/falco_rules.local.yaml:0:0)#012 value for: (/etc/falco/falco_rules.local.yaml:15:10)#012------#012 output: %evt.type#012 ^#012------#012LOAD_ERR_YAML_PARSE (YAML parse error): yaml-cpp: error at line 16, column 11: unknown token#012 ()
I’ve raised an issue to Falco suggesting to add this as a note to the documentation.
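As an added example (not code from this post or from the Falco project): the failure comes from YAML itself. A plain, unquoted scalar may not begin with "%", because "%" introduces a YAML directive, which is why yaml-cpp reports "unknown token" on the line "output: %evt.type". The Python check below scans a rules file for output values that begin with an unquoted field reference and rewrites them in double quotes, which is the usual fix. The sample rules text is constructed, modelled on the rule above with a shortened condition; the function names are my own.

```python
# Added example (not from the post or the Falco project): find Falco rule
# "output:" values that start with an unquoted field reference such as
# %evt.type and rewrite them in double quotes. A plain (unquoted) YAML
# scalar may not begin with "%", because "%" introduces a YAML directive,
# which is why yaml-cpp reports "unknown token" on such a line.
import re
import sys

# Matches a mapping line of the form "  output: <value>" and captures the
# indentation and the raw value text.
OUTPUT_LINE = re.compile(r'^(?P<indent>[ \t]*)output:[ \t]*(?P<value>.*?)[ \t]*$')

# Constructed sample rules file, modelled on the rule in the post with a
# shortened condition. The output line is the one that breaks loading.
SAMPLE_RULES = """\
- rule: Terminal shell in container
  desc: A shell was used as the exec point into a container with an attached terminal.
  condition: >
    spawned_process and container and shell_procs and proc.tty != 0
  output: %evt.type
  priority: NOTICE
  tags: [maturity_stable, container, shell, mitre_execution, T1059]
"""


def find_unquoted_field_outputs(rules_text):
    """Return [(line_number, value)] for every output value that begins with
    an unquoted '%' (a Falco field reference in plain-scalar position).
    Quoted values ('...' or "...") and block scalars (> or |) are not flagged,
    since those forms parse correctly."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = OUTPUT_LINE.match(line)
        if m and m.group('value').startswith('%'):
            findings.append((lineno, m.group('value')))
    return findings


def quote_field_outputs(rules_text):
    """Return rules_text with each offending output value wrapped in double
    quotes, leaving every other line untouched."""
    fixed = []
    for line in rules_text.splitlines():
        m = OUTPUT_LINE.match(line)
        if m and m.group('value').startswith('%'):
            # Escape backslashes and double quotes so the value survives quoting.
            value = m.group('value').replace('\\', '\\\\').replace('"', '\\"')
            line = '%soutput: "%s"' % (m.group('indent'), value)
        fixed.append(line)
    text = '\n'.join(fixed)
    return text + '\n' if rules_text.endswith('\n') else text


def main(argv):
    # With a path argument, check that file; otherwise use the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    for lineno, value in find_unquoted_field_outputs(text):
        sys.stderr.write('line %d: output starts with unquoted field reference: %s\n'
                         % (lineno, value))
    # The corrected rules text goes to stdout so it can be redirected to a file.
    sys.stdout.write(quote_field_outputs(text))


if __name__ == '__main__':
    main(sys.argv)
```

Run it against /etc/falco/falco_rules.local.yaml to list offending lines on stderr and write the quoted version to stdout. A block scalar (output: >) is also accepted, because "%" only has special meaning at the start of a plain scalar; the check therefore flags neither quoted nor block-scalar outputs.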