Start using falco_ prefix for default lists/macros

Start using a falco_ prefix for falco-provided lists/macros. Existing
object names are not changed, so as to retain compatibility.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Mark Stemm
2019-06-10 16:20:15 -07:00
committed by poiana
parent 5d0bccbbfb
commit 097e3b4769
2 changed files with 15 additions and 15 deletions


@@ -1671,7 +1671,7 @@
# NOTE: This list is only provided for backwards compatibility with
# older local falco rules files that may have been appending to
# trusted_images. To make customizations, it's better to add images to
# either privileged_images or sensitive_mount_images.
# either privileged_images or falco_sensitive_mount_images.
- list: trusted_images
items: []
@@ -1696,7 +1696,7 @@
registry.access.redhat.com/sematext/logagent]
# These container images are allowed to run with --privileged
- list: privileged_images
- list: falco_privileged_images
items: [
sysdig/agent, sysdig/falco, sysdig/sysdig,
gcr.io/google_containers/kube-proxy, calico/node,
@@ -1704,11 +1704,11 @@
docker/ucp-agent, sematext_images
]
- macro: privileged_containers
- macro: falco_privileged_containers
condition: (openshift_image or
user_trusted_containers or
container.image.repository in (trusted_images) or
container.image.repository in (privileged_images) or
container.image.repository in (falco_privileged_images) or
container.image.repository startswith istio/proxy_ or
container.image.repository startswith quay.io/sysdig)
@@ -1716,7 +1716,7 @@
# overwriting this macro) to specify additional containers that are
# allowed to run privileged
#
# In this file, it just takes one of the images in privileged_images
# In this file, it just takes one of the images in falco_privileged_images
# and repeats it.
- macro: user_privileged_containers
condition: (container.image.repository=sysdig/agent)
@@ -1730,7 +1730,7 @@
# These container images are allowed to mount sensitive paths from the
# host filesystem.
- list: sensitive_mount_images
- list: falco_sensitive_mount_images
items: [
sysdig/agent, sysdig/falco, sysdig/sysdig,
gcr.io/google_containers/hyperkube,
@@ -1739,21 +1739,21 @@
datadog/docker-dd-agent, datadog/agent, docker/ucp-agent, gliderlabs/logspout
]
- macro: sensitive_mount_containers
- macro: falco_sensitive_mount_containers
condition: (user_trusted_containers or
container.image.repository in (trusted_images) or
container.image.repository in (sensitive_mount_images) or
container.image.repository in (falco_sensitive_mount_images) or
container.image.repository startswith quay.io/sysdig)
# These container images are allowed to run with hostnetwork=true
- list: hostnetwork_images
- list: falco_hostnetwork_images
items: []
# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to specify additional containers that are
# allowed to perform sensitive mounts.
#
# In this file, it just takes one of the images in sensitive_mount_images
# In this file, it just takes one of the images in falco_sensitive_mount_images
# and repeats it.
- macro: user_sensitive_mount_containers
condition: (container.image.repository=sysdig/agent)
@@ -1763,7 +1763,7 @@
condition: >
container_started and container
and container.privileged=true
and not privileged_containers
and not falco_privileged_containers
and not user_privileged_containers
output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: INFO
@@ -1803,7 +1803,7 @@
condition: >
container_started and container
and sensitive_mount
and not sensitive_mount_containers
and not falco_sensitive_mount_containers
and not user_sensitive_mount_containers
output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
priority: INFO
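Review bot: The backwards-compatibility NOTE above `trusted_images` (new side: `# either privileged_images or falco_sensitive_mount_images.`) still directs readers to `privileged_images`, a list that this same commit renames to `falco_privileged_images` in the very next hunk, so the comment now names a list that no longer exists; it should read `# either falco_privileged_images or falco_sensitive_mount_images.`. The commit description says existing object names are left unchanged, yet these hunks rename `privileged_images`, `sensitive_mount_images`, `hostnetwork_images` and the matching `*_containers` macros, so a local rules file that appends to or references any of the old names would presumably fail to load once this lands. Since this file already nests one list inside another (`sematext_images` inside the privileged list), the old names could be retained as thin wrappers, e.g. `- list: privileged_images` / `  items: [falco_privileged_images]`, with the same pattern for the other two lists; if that is not wanted, the rename should at least be called out as a breaking change. The second file in this commit references the same renamed lists.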


@@ -117,7 +117,7 @@
- rule: Create Privileged Pod
desc: >
Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (privileged_images)
condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (falco_privileged_images)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
@@ -135,7 +135,7 @@
desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (sensitive_mount_images)
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (falco_sensitive_mount_images)
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image mounts=%jevt.value[/requestObject/spec/volumes])
priority: WARNING
source: k8s_audit
@@ -144,7 +144,7 @@
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (hostnetwork_images)
condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (falco_hostnetwork_images)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
priority: WARNING
source: k8s_audit
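Review bot: The `Create HostNetwork Pod` rule's `desc` still reads only `Detect an attempt to start a pod using the host network.` while its condition exempts every image in `falco_hostnetwork_images`; the sensitive-mount rule in the previous hunk documents its allowlist (`Exceptions are made for known trusted images.`), and this one should too, e.g. `desc: Detect an attempt to start a pod using the host network. Exceptions are made for images in falco_hostnetwork_images.` The `Create Privileged Pod` rule's desc in the first hunk has the same gap for `falco_privileged_images`. All three conditions now depend on lists that, as far as this page shows, are defined only in the other file of this commit, so loading this rules file on its own would presumably fail on an undefined list; a comment near the top of the file stating that dependency would help operators who ship the two files separately.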