Added exception to Launch Privileged Container

Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2025-06-27 15:17:50 +00:00 · 2022-07-07 15:48:41 +02:00 · 2022-07-07 15:48:41 +02:00 · 6feeaee0cd
commit 6feeaee0cd
parent a7153f2fd8
1 changed files with 8 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1760,6 +1760,13 @@
       container.image.repository endswith /prometheus-node-exporter or
       container.image.repository endswith /image-inspector))

+- list: redhat-io-images-privileged
+  items: [registry.redhat.io/openshift-logging/fluentd-rhel8, registry.redhat.io/openshift4/ose-csi-node-driver-registrar, registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, registry.redhat.io/openshift3/ose-service-catalog, registry.redhat.io/openshift4/ose-local-storage-diskmaker,]
+
+- macro: redhat_image
+  condition: >
+    (container.image.repository in (redhat-io-images-privileged))
+
 # https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
 #  official AWS EKS registry list. AWS has different ECR repo per region
 - macro: allowed_aws_ecr_registry_root_for_eks
@ -1902,6 +1909,7 @@
    and container.privileged=true
    and not falco_privileged_containers
    and not user_privileged_containers
+    and not redhat_image
  output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]