cleanup(rules): add explanations to always_true never_true macros

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Jul 31, 2023 · 12a531c · 12a531c
1 parent 7a6c277
commit 12a531c
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -50,9 +50,27 @@
 - macro: open_file_failed
   condition: (evt.type in (open,openat,openat2) and fd.typechar='f' and fd.num=-1 and evt.res startswith E)
 
+# This macro `never_true` is used as placeholder for tuning negative logical sub-expressions, for example
+# - macro: allowed_ssh_hosts
+#   condition: (never_true)
+# can be used in a rules' expression with double negation `and not allowed_ssh_hosts` which effectively evaluates
+# to true and does nothing, the perfect empty template for `logical` cases as opposed to list templates.
+# When tuning the rule you can override the macro with something useful, e.g.
+# - macro: allowed_ssh_hosts
+#   condition: (evt.hostname contains xyz)
+
 - macro: never_true
   condition: (evt.num=0)
 
+# This macro `always_true` is the flip side of the macro `never_true` and currently is commented out as
+# it is not used. You can use it as placeholder for a positive logical sub-expression tuning template
+# macro, e.g. `and custom_procs`, where
+# - macro: custom_procs
+#   condition: (always_true)
+# later you can customize, override the macros to something like
+# - macro: custom_procs
+#   condition: (proc.name in (custom1, custom2, custom3))
+
 # - macro: always_true
 #   condition: (evt.num>=0)