From 6bb0bba68a70ea976f6e7f0e839ae2811b2c10d7 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Thu, 23 Jul 2020 13:57:55 -0700
Subject: [PATCH] rules update(Read sensitive file untrusted): add trusted images into whitelist

Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2af5cd5b..7234fb43 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1482,6 +1482,7 @@
 and not perl_running_centrifydc
 and not runuser_reading_pam
 and not user_known_read_sensitive_files_activities
+ and not (container and user_trusted_containers)
 output: >
 Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
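Review bot: A compromised process inside any image matched by `user_trusted_containers` can now read sensitive files without triggering this rule, because the added `and not (container and user_trusted_containers)` clause exempts the whole container rather than specific programs. The macro is defined outside this hunk; if it matches on image repository name, as the commit subject suggests, the exemption also relies on that name being controlled by registry or admission policy. Consider narrowing it to the programs in those images that legitimately read these files, for example through the existing `user_known_read_sensitive_files_activities` hook, and noting the trade-off in a comment above the rule such as `# images in user_trusted_containers are exempt from this rule; keep that list minimal`. The rule's condition begins outside the hunk.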