remove non-oss images in the whitelist

Signed-off-by: kaizhe <derek0405@gmail.com>
2025-09-28 05:38:06 +00:00 · 2020-08-10 14:30:59 -07:00
parent 4eba59c3f0
commit 50832c7990
1 changed files with 11 additions and 19 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1459,7 +1459,7 @@
  condition: cmp_cp_by_passwd

 - list: read_sensitive_file_images
-  items: [sysdig/agent, sysdig/agent-slim, docker.io/sysdig/agent, docker.io/sysdig/agent-slim]
+  items: []

 - macro: user_read_sensitive_file_containers
  condition: (container and container.image.repository in read_sensitive_file_images)
@@ -1831,24 +1831,19 @@
 # In this file, it just takes one of the images in trusted_containers
 # and repeats it.
 - macro: user_trusted_containers
-  condition: (container.image.repository=docker.io/sysdig/agent)
+  condition: (never_true)

 - list: sematext_images
-  items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
-          registry.access.redhat.com/sematext/sematext-agent-docker,
-          registry.access.redhat.com/sematext/agent,
-          registry.access.redhat.com/sematext/logagent]
+  items: []

 # These container images are allowed to run with --privileged
 - list: falco_privileged_images
  items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
-    docker.io/sysdig/agent-slim, docker.io/sysdig/node-image-analyzer,
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig,
    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
-    docker.io/falcosecurity/falco, sysdig/agent, sysdig/falco, sysdig/sysdig, sysdig/agent-slim,
-    falcosecurity/falco, sysdig/node-image-analyzer
+    docker.io/falcosecurity/falco, sysdig/falco, sysdig/sysdig, falcosecurity/falco
    ]

 - macro: falco_privileged_containers
@@ -1866,7 +1861,7 @@
 # In this file, it just takes one of the images in falco_privileged_images
 # and repeats it.
 - macro: user_privileged_containers
-  condition: (container.image.repository=docker.io/sysdig/agent)
+  condition: (never_true)

 - list: rancher_images
  items: [
@@ -1878,8 +1873,7 @@
 # host filesystem.
 - list: falco_sensitive_mount_images
  items: [
-    docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/sysdig/agent-slim,
-    sysdig/agent, sysdig/falco, sysdig/sysdig, sysdig/agent-slim,
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig,
    gcr.io/google_containers/hyperkube,
    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -1905,7 +1899,7 @@
 # In this file, it just takes one of the images in falco_sensitive_mount_images
 # and repeats it.
 - macro: user_sensitive_mount_containers
-  condition: (container.image.repository = docker.io/sysdig/agent)
+  condition: (never_true)

 - rule: Launch Privileged Container
  desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
@@ -2364,9 +2358,9 @@
 - macro: k8s_containers
  condition: >
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
-     gcr.io/google_containers/kube2sky, docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/sysdig/falco,
+     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
-     sysdig/agent, sysdig/agent-slim, sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+     sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))

 - macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -2772,9 +2766,7 @@
  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

 - macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository in (docker.io/sysdig/agent,
-              docker.io/sysdig/agent-slim, docker.io/falcosecurity/falco,
-              sysdig/agent, sysdig/agent-slim, falcosecurity/falco))
+  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco))
  append: false

 # The rule is disabled by default.