{"id":"fc03f9da-2a74-40bb-9cba-505fd3d83a61","task":"Write a Falco custom rule to detect suspicious exec inside a container","domain":"falco.org","steps":["Create a custom rules file (e.g., custom_rules.yaml) alongside the default Falco rules directory","Define a list for trusted images and a macro for container context using the `list` and `macro` keywords","Write a rule with `condition: evt.type = execve and container and not proc.name in (trusted_procs)` and set `priority: WARNING`","Set `output` to include `%container.id`, `%proc.name`, `%proc.cmdline`, and `%user.name` for actionable alerts","Mount the custom rules file into the Falco pod or reference it in `falco.yaml` under `rules_file`","Restart Falco and verify rule loading with `falco --dry-run` or by checking startup logs for rule parse errors"],"gotchas":["Falco evaluates rules in file order; a later `override` block is required to extend or replace a base rule rather than silently duplicating it","The `execve` event fires for every process launch including init containers and health-check scripts — keep the trusted list accurate to avoid alert fatigue","Field names differ between Falco versions; always verify field availability with `falco --list` for your installed version"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/fc03f9da-2a74-40bb-9cba-505fd3d83a61"}