rule(macro trusted_logging_images): Add addl fluentd image

Openshift specific variant, example alert: --- Log files were tampered (user=root command=fluentd /usr/bin/fluentd --no-supervisor file=/var/log/journal.pos CID1 image=registry.redhat.io/openshift3/ose-logging-fluentd) --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-08-22 08:06:10 +00:00 · 2020-05-20 09:33:24 -07:00 · 2020-05-20 09:33:24 -07:00 · acb3f94786
commit acb3f94786
parent d1af7e139f
1 changed files with 2 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -2437,7 +2437,8 @@
 - macro: trusted_logging_images
  condition: (container.image.repository endswith "splunk/fluentd-hec" or
-              container.image.repository endswith "fluent/fluentd-kubernetes-daemonset")
+              container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or
              container.image.repository endswith "openshift3/ose-logging-fluentd")
 - rule: Clear Log Activities
  desc: Detect clearing of critical log files