Sysdig Platform CLI - Falco Lists

This section explains the concepts and notation used by the Falco Lists commands.

Usage

The Falco Lists section contains the following subcommands:

$ sdc-cli policy falco-list --help
Usage: sdc-cli policy falco-list [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  add     Add a falco list
  del     Delete falco lists
  get     Get falco list
  list    List all falco lists
  update  Update falco list

Listing all the existing falco lists

Sysdig Secure ships with many default Falco lists (these cannot be removed or modified). To list all the lists available in your installation, use:

$ sdc-cli policy falco-list list
ids                 name                                                
[86]                allowed_dev_files                                   
[1236]              allowed_image                                       
[42]                allowed_inbound_source_domains                      
[40]                allowed_inbound_source_ipaddrs                      
[41]                allowed_inbound_source_networks                     
[1240, 3611]        allowed_k8s_nodes      
...                  

Here you will see that some lists have multiple IDs. That is because another list with the same name appends values to the existing one, in this case allowed_k8s_nodes.

Retrieve more information of a list

To see the actual contents of the lists, you can execute:

$ sdc-cli policy falco-list get 1240
id:                       1240
name:                     allowed_k8s_nodes
items:
    {
      "items": []
    }
filename:                 k8s_audit_rules.yaml
 
$ sdc-cli policy falco-list get 3611 
id:                       3611
name:                     allowed_k8s_nodes
items:
    {
      "items": [
        "kks_01_tools_xyz"
      ]
    }
filename:                 falco_rules_local.yaml

The first list is empty and the appending one contains kks_01_tools_xyz. Some out-of-the-box lists are intentionally empty: appending to them is what gives them actual behavior. For example, this is a list of allowed k8s nodes. By default no node is allowed, but appending to the list builds up the allowed set.

Add a new list

You can create new lists with:

$ sdc-cli policy falco-list add --help
Usage: sdc-cli policy falco-list add [OPTIONS] NAME

  NAME: the name of the new falco list.

Options:
  --item TEXT  An item as represented in the yaml List.
  --help       Show this message and exit.

--item can be specified multiple times, once per element. An element can also be the name of an existing Falco list; in that case all the elements of the referenced list are considered during rule evaluation. For example:

$ sdc-cli policy falco-list add example_falco_list \
    --item foo \
    --item bar
id:                       3612
name:                     example_falco_list
items:
    {
      "items": [
        "foo",
        "bar"
      ]
    }
filename:                 falco_rules_local.yaml

Update a Falco list

Falco lists are updated by their ID. Currently there is no way to specify the list by name, so the ID needs to be retrieved from a list command first.

$ sdc-cli policy falco-list update 3612 \
    --item bar \
    --item baz
id:                       3612
name:                     example_falco_list
items:
    {
      "items": [
        "bar",
        "baz"
      ]
    }
filename:                 falco_rules_local.yaml

The items are replaced by the ones specified in the arguments: update does not append, so any existing item that is not passed again is dropped (foo disappeared in the example above).
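Because update replaces the whole item set, appending to an existing list means re-supplying its current items. The script below is an added example, not part of the sdc-cli documentation: it parses the get output (a constructed sample mirroring the allowed_k8s_nodes output above), merges in the new items, and builds the corresponding update command; append_to_list runs the same flow live and assumes a configured sdc-cli on PATH.

```shell
#!/bin/sh
# Added example: safe "append" on top of the replace-only `falco-list update`.

# Constructed sample mirroring the `get 3611` output shown in the docs above.
SAMPLE_GET_OUTPUT='id:                       3611
name:                     allowed_k8s_nodes
items:
    {
      "items": [
        "kks_01_tools_xyz"
      ]
    }
filename:                 falco_rules_local.yaml'

# Extract one item per line from the items block of `falco-list get` output.
# Item lines look like:        "value",   (the comma is absent on the last one)
parse_items() {
    sed -n 's/^[[:space:]]*"\([^"]*\)",\{0,1\}[[:space:]]*$/\1/p'
}

# Union of existing items (stdin) and extra items (args): order kept, no dupes.
merge_items() {
    { cat; printf '%s\n' "$@"; } | awk 'NF && !seen[$0]++'
}

# Print the update command line; every item is passed again because
# update does not append (items are assumed to contain no whitespace).
build_update_cmd() {
    id="$1"; shift
    cmd="sdc-cli policy falco-list update $id"
    for item in "$@"; do
        cmd="$cmd --item $item"
    done
    printf '%s\n' "$cmd"
}

# Offline dry run driven by the constructed sample: prints the command only.
append_to_sample() {
    merged=$(printf '%s\n' "$SAMPLE_GET_OUTPUT" | parse_items | merge_items "$@")
    # shellcheck disable=SC2086
    build_update_cmd 3611 $merged
}

# Live variant: append items "$2".. to the list with ID "$1" without
# losing what is already there. Requires a configured sdc-cli.
append_to_list() {
    id="$1"; shift
    merged=$(sdc-cli policy falco-list get "$id" | parse_items | merge_items "$@")
    set --
    for item in $merged; do set -- "$@" --item "$item"; done
    sdc-cli policy falco-list update "$id" "$@"
}
```

Run append_to_sample kks_02_tools_xyz to see the command that keeps kks_01_tools_xyz while adding the new node.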

Remove a list

Lists that you created can be removed using the CLI; the default lists that ship with Sysdig Secure cannot (see above).

To remove the last list created in the previous examples execute:

$ sdc-cli policy falco-list del 3612   
Success

Currently there is no way to specify the name of the list itself; the ID is needed, so first retrieve it with a list command.