{"id":"42b2075c-b5dd-4291-94d0-4eca40f6ed2f","task":"Configure Falco lists and macros to build reusable rule conditions","domain":"falco.org","steps":["Declare a `list` of allowed binaries with `- list: allowed_binaries` and an `items:` block listing process names","Declare a `macro` such as `is_shell` with `condition: proc.name in (sh, bash, zsh)` to encapsulate repeated logic","Reference macros inside rule conditions with `and not is_shell` to keep individual rule conditions readable","Use the `append: true` key in a secondary file to extend an existing list or macro without overwriting it","Load both files by ordering them in the `rules_file` array in `falco.yaml`, base definitions before extensions"],"gotchas":["Lists and macros must be defined before the rule that references them in the evaluated file order — forward references are not resolved","Appending to a list from a different file requires the same `list` name and `append: true`; omitting `append: true` silently replaces the list","Macro conditions are inlined textually at parse time, so a syntax error in a macro breaks every rule that uses it"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/42b2075c-b5dd-4291-94d0-4eca40f6ed2f"}