From 9ab718c100e148671472d0349fd0c1b8c6605686 Mon Sep 17 00:00:00 2001
From: kaizhe <derek0405@gmail.com>
Date: Mon, 22 Jul 2019 16:19:18 -0700
Subject: [PATCH] rules update:

Add trusted_logging_images macro for rule Clear Log Hisotry as exception

Signed-off-by: kaizhe <derek0405@gmail.com>
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 67b964f3..c05a98ef 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2341,12 +2341,16 @@
 - macro: allowed_clear_log_files
   condition: (never_true)
 
+- macro: trusted_logging_images
+  condition: (container.image.repository endswith "splunk/fluentd-hec")
+
 - rule: Clear Log Activities
   desc: Detect clearing of critical log files
   condition: >
     open_write and
     access_log_files and
     evt.arg.flags contains "O_TRUNC" and
+    not trusted_logging_images and
     not allowed_clear_log_files
   output: >
     Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)