From 7effc02c60ec5f03ff855210ed2aa48b6a97df17 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 27 Aug 2020 17:33:05 -0700
Subject: [PATCH] rule(Write below etc): add calco exceptions
Add several calico images and command line programs that end up writing below /etc/calico.
Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1a20bdb4..9bd7afa0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1183,7 +1183,10 @@
 - macro: calico_writing_conf
 condition: >
- (proc.name = calico-node and fd.name startswith /etc/calico)
+ (((proc.name = calico-node) or
+ (container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
+ (container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
+ and fd.name startswith /etc/calico)
 - macro: prometheus_conf_writing_conf
 condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
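Review bot: The two added branches exempt generic tools (`cp`, `sed`, `start_runit`) on the strength of `proc.name` and `container.image.repository` alone, and both of those are easy to satisfy from inside a workload — a binary can be renamed and an image can be tagged with the `gcr.io/projectcalico-org/...` repository name locally — so any write under `/etc/calico` by a process named `cp` or `sed` in such a container is now silent for whichever rule consumes `calico_writing_conf`. If the calico processes have a stable parent, adding a `proc.pname` constraint (e.g. `proc.pname in (calico-node, start_runit)` on the `cp`/`sed` branches) would narrow the exception without removing it; narrowing `fd.name startswith /etc/calico` to the specific files these tools touch would help as well, if those are known. A short YAML comment above the macro naming which calico component invokes each program, and why, would also make the exception easier to audit later. The rule that references this macro is outside the hunk.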