How it works...

This recipe showed you how to detect anomalies based on the predefined and custom rules of your applications when they're running on Kubernetes.

In the Installing Falco on Kubernetes recipe, in Step 5, we created a ConfigMap to be used by the Falco pods. Falco has two types of rules files.

In Step 6, when we created the DaemonSet, all the default rules are provided through the falco_rules.yaml file in the ConfigMap. These are placed in /etc/falco/falco_rules.yaml inside the pods, while the local rules file, falco_rules.local.yaml, can be found at /etc/falco/falco_rules.local.yaml.

The default rules file contains rules for many common anomalies and threats. All pieces of customization must be added to the falco_rules.local.yaml file, which we did in the Defining custom rules recipe.

In the Defining custom rules recipe, in Step 6, we created a custom rule file containing the rules element. The Falco rule file is a YAML file that uses three kinds of elements: rules, macros, and lists.

Rules define the conditions under which Falco sends an alert. A rule is an entry in the rules file that contains at least the following keys:

You can find out more about these rules by going to the Understanding Falco Rules link that's provided in the See also section.
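As an added example (not taken from the recipe or from Falco's default falco_rules.yaml), the following fragment for falco_rules.local.yaml shows the three element types working together: a list of shell binaries, a macro that reuses it, and a rule built on the macro. The list, macro and rule names are assumed; the condition uses standard Falco fields.

```yaml
# Added example for falco_rules.local.yaml (assumed names, not Falco's defaults).

# A list is a reusable set of values that can be referenced with "in".
- list: custom_shell_binaries
  items: [bash, sh, zsh, dash]

# A macro is a reusable condition fragment. container.id != host restricts
# the match to processes running inside a container, not on the node itself.
- macro: custom_container_shell_spawn
  condition: >
    (evt.type = execve and evt.dir = < and container.id != host
     and proc.name in (custom_shell_binaries))

# A rule ties a condition to an alert. rule, desc, condition, output and
# priority are the keys Falco requires; tags are optional.
- rule: Custom Shell Spawned In Container
  desc: Detect an interactive shell being started inside a container
  condition: custom_container_shell_spawn
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
     image=%container.image.repository command=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, custom]
```

Because the file is loaded after falco_rules.yaml, a rule here with the same name as a default rule overrides it, so keep custom rule names distinct unless an override is intended.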