From acb3f94786c06944377279363cd7e53d4d2d79fc Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@gmail.com>
Date: Wed, 20 May 2020 09:33:24 -0700
Subject: [PATCH] rule(macro trusted_logging_images): Add addl fluentd image

Openshift specific variant, example alert:

---
Log files were tampered (user=root command=fluentd /usr/bin/fluentd
--no-supervisor file=/var/log/journal.pos CID1 image=registry.redhat.io/openshift3/ose-logging-fluentd)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c985f736..e50318a8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2437,7 +2437,8 @@
 
 - macro: trusted_logging_images
   condition: (container.image.repository endswith "splunk/fluentd-hec" or
-              container.image.repository endswith "fluent/fluentd-kubernetes-daemonset")
+              container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or
+              container.image.repository endswith "openshift3/ose-logging-fluentd")
 
 - rule: Clear Log Activities
   desc: Detect clearing of critical log files