
After creating valid Trend Vision One custom rules, you can enable and import your custom rules to Container Security using either local files or OCI registries.

Import using ConfigMap

  1. Create the ConfigMap with the following command:
    kubectl create configmap custom-rules-config --from-file=customRulesFile.yaml -n trendmicro-system
  2. Enable the custom rules feature by pointing to the ConfigMap in the overrides file:
    visionOne:
      runtimeSecurity:
        enabled: true
        customRules:
            configmap:
                name: custom-rules-config
  3. Complete configuration of the policy through policy as code.
    Custom rulesets are a part of the policy. To ensure there is no deviation when using a shared policy, the custom rules feature requires users to use policy as code with a cluster‑managed policy. Learn more about Cluster-managed policies.

Import using OCI registry

  1. If the custom rules are configured using OCI repositories, create a Kubernetes secret that contains the basic authentication parameters of the OCI repositories.
    The format for the secret value is the same as the FALCOCTL_REGISTRY_AUTH_BASIC falcoctl environment variable.
  2. Configure credentials for multiple OCI repositories with a secret value like the following:
    OCI registry,basic auth username,basic auth password;OCI registry1,basic auth username1,basic auth password1
  3. Use the following command to create the Kubernetes secret for storing OCI repository authentication parameters:
    kubectl create secret generic <oci-basic-auth-secret-name> --from-literal=falcoctl='<OCI registry,basic auth username,basic auth password;OCI registry1,basic auth username1,basic auth password1>' --namespace trendmicro-system
  4. Configure the overrides.yaml file and import your custom rules through local configuration or an OCI registry.
    1. Upload the rules file to an OCI registry, typically using a command like the following:
      sudo falcoctl registry push <OCI-repository>:<tag> <rulesFilePath> --type rulesfile --version "<version>"
    2. Enable the custom rules feature by setting visionOne.customRules.enabled=true, visionOne.customRules.output.visionOne.enabled=true, visionOne.ociRepository.enabled=true, and specifying the artifactUrls, rulesFile(s), and basicAuthTokenSecretName:
      visionOne:
          runtimeSecurity:
              enabled: true
              customRules:
                  ociRepository:
                      enabled: true
                      artifactUrls:
                          - docker.io/sampleRules:latest
                      rulesFiles:
                          - customRulesFile.yaml
                      basicAuthTokenSecretName: <oci-basic-auth-secret-name>
      
  5. Complete configuration of the policy through policy as code.
    Custom rulesets are a part of the policy. To ensure there is no deviation when using a shared policy, the custom rules feature requires users to use policy as code with a cluster‑managed policy. Learn more about Cluster-managed policies.
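
The following is an added example, not part of the original Trend Micro documentation. It builds the secret value described in steps 2 and 3 of the OCI procedure and loads it with --from-file, so the credentials are not passed on the kubectl command line. The function names and the rule that fields may not contain the "," or ";" delimiters are assumptions; the secret key falcoctl and the namespace come from the page.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# build_falcoctl_auth REGISTRY USER PASSWORD [REGISTRY USER PASSWORD ...]
# Prints "registry,user,password;registry1,user1,password1".
build_falcoctl_auth() {
  if [ "$#" -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
    echo "usage: build_falcoctl_auth REGISTRY USER PASSWORD [...]" >&2
    return 2
  fi
  local out="" field
  while [ "$#" -gt 0 ]; do
    for field in "$1" "$2" "$3"; do
      # Assumption: "," and ";" are plain delimiters with no escaping and
      # surrounding whitespace is not trimmed, so such fields are rejected.
      case "$field" in
        ""|*","*|*";"*|[[:space:]]*|*[[:space:]])
          echo "invalid field in entry for registry '$1'" >&2
          return 1 ;;
      esac
    done
    out="${out:+$out;}$1,$2,$3"
    shift 3
  done
  printf '%s' "$out"
}

# create_auth_secret SECRET_NAME REGISTRY USER PASSWORD [...]
# Writes the value to a temp file (mktemp creates it mode 0600) and loads it
# with --from-file, keeping the credentials out of kubectl's arguments.
create_auth_secret() {
  local name="$1" tmp rc
  shift
  tmp="$(mktemp)" || return 1
  if build_falcoctl_auth "$@" > "$tmp"; then
    kubectl create secret generic "$name" \
      --from-file=falcoctl="$tmp" --namespace trendmicro-system
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (prompt for the password instead of typing it into shell history):
#   stty -echo; read -r PW; stty echo
#   create_auth_secret <oci-basic-auth-secret-name> <OCI registry> <username> "$PW"
```
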