Ignore sensitive mounts from ecs-agent

Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):

  Notice Container with sensitive mount started (
    user=root
    command=init -- /agent ecs-agent (id=19d4e98bb0dc)
    image=amazon/amazon-ecs-agent:latest
    mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
  )

ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.

Signed-off-by: Felipe Bessa Coelho <fcoelho.9@gmail.com>
Felipe Bessa Coelho 2019-10-07 18:45:28 -03:00 committed by Leo Di Donato
parent 1d1ecd9905
commit 8353a0b22e

@ -1787,7 +1787,8 @@
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent
]
- macro: falco_sensitive_mount_containers
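Review bot: the added `amazon/amazon-ecs-agent` entry is the only one in this list written without a registry prefix, while every neighbouring entry is `docker.io/...` or `gcr.io/...`. It matches the `image=amazon/amazon-ecs-agent:latest` value in the alert quoted in the commit message, so the form looks intentional, but a one-line comment next to the entry saying so would keep someone from later "normalising" it to a prefixed form and bringing the false positives back. Because the exemption is keyed on the image name alone, it would also help to note in the list's comments that any container started under this repository name is skipped by `falco_sensitive_mount_containers`, so operators know the exemption relies on controlling which images can run under that name.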