Update falco rules in vagrant (#1058)

SumoLogic · Oct 30, 2020 · 97a95c0 · 97a95c0
1 parent bc40670
commit 97a95c0
Showing 1 changed file with 7 additions and 8 deletions.
diff --git a/vagrant/values.yaml b/vagrant/values.yaml
@@ -43,7 +43,7 @@ falco:
   enabled: true
   customRules:
     # Mark the following as known k8s api callers:
-    # * fluentd and its plugins
+    # * fluentd image
     # * grafana sidecar
     # * terraform provider started in setup job
     # * telegraf operator
@@ -53,16 +53,15 @@ falco:
     rules_user_known_k8s_api_callers.yaml: |-
       - macro: user_known_contact_k8s_api_server_activities
         condition: >
-          (proc.pcmdline = "fluentd /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
-          (proc.cmdline = "fluentd /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
-          (proc.cmdline = "ruby -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
-          (proc.cmdline = "event_loop -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
-          (proc.cmdline = "watch_endpoints -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
-          (proc.cmdline = "watch_events -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
-          (proc.cmdline = "filter_kuberne* /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
+          (container.image.repository = "sumologic/kubernetes-fluentd") or
           (proc.cmdline = "python -u /app/sidecar.py") or
           (proc.cmdline startswith "terraform-provi") or
           (proc.cmdline startswith "manager --telegraf-default-class=sumologic-prometheus --telegraf-classes-directory=/etc/telegraf-operator --enable-default-internal-plugin --telegraf-image=docker.io/library/telegraf") or
           (proc.cmdline startswith "kube-state-metr") or
           (proc.cmdline startswith "prometheus") or
           (proc.cmdline startswith "operator")
+    rules_user_sensitive_mount_containers.yaml: |-
+      - macro: user_sensitive_mount_containers
+        condition: >
+          (container.image.repository = "falcosecurity/falco") or
+          (container.image.repository = "quay.io/prometheus/node-exporter")