Verified steps

Declare a `list` of allowed binaries with `- list: allowed_binaries` and an `items:` block listing process names
Declare a `macro` such as `is_shell` with `condition: proc.name in (sh, bash, zsh)` to encapsulate repeated logic
Reference macros inside rule conditions with `and not is_shell` to keep individual rule conditions readable
Use the `append: true` key in a secondary file to extend an existing list or macro without overwriting it
Load both files by ordering them in the `rules_file` array in `falco.yaml`, base definitions before extensions

Known gotchas

Lists and macros must be defined before the rule that references them in the evaluated file order — forward references are not resolved
Appending to a list from a different file requires the same `list` name and `append: true`; omitting `append: true` silently replaces the list
Macro conditions are inlined textually at parse time, so a syntax error in a macro breaks every rule that uses it

github.com/falcosecurity/falcosidekick · 6 steps · unrated

Write a Falco custom rule to detect suspicious exec inside a container

Configure Terraform dynamic blocks to generate variable numbers of security group ingress rules from a variable list with precondition validation

developer.hashicorp.com · 5 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Configure Falco lists and macros to build reusable rule conditions

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes