{"id":"42a70eff-53b6-418d-9442-240c4d285a88","task":"Configure Falco macros and lists for reusable container-aware conditions across multiple rules","domain":"falco.org","steps":["Define a list of allowed image prefixes or process names that represent trusted container workloads","Write a macro 'trusted_container' using 'container.image.repository' to check membership against that list","Write a second macro 'interactive_session' combining evt.type checks for open/read with 'proc.tty != 0'","Reference these macros in multiple rules using logical composition with 'and not trusted_container' to suppress noise","Place shared macros and lists in a dedicated include file and reference it via 'rules_file' ahead of rule files that consume them"],"gotchas":["Macro names are global; a macro defined in one file can be silently overridden by another file loaded later, so load order in falco.yaml matters","The 'append' keyword can extend an existing list or macro — use 'append: true' under the list/macro definition to add items without replacing the original","Avoid using container.image.repository in rules triggered by non-container host events; the field will be empty and conditions using it will not match as expected"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/42a70eff-53b6-418d-9442-240c4d285a88"}