From ad82f66be3a1a4c0e3f21c62bda378a606c36806 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Tue, 27 Apr 2021 23:51:07 -0700
Subject: [PATCH] rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default

Signed-off-by: Kaizhe Huang
---
 rules/falco_rules.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9484c2e3..3809a314 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1565,6 +1565,7 @@
 and not calico_node
 and not weaveworks_scope
 and not user_known_change_thread_namespace_activities
+ enabled: false
 output: >
 Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@@ -2641,6 +2642,7 @@
 and not proc.name in (user_known_chmod_applications)
 and not exe_running_docker_save
 and not user_known_set_setuid_or_setgid_bit_conditions
+ enabled: false
 output: >
 Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
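Review bot: The added `enabled: false` in this hunk, and the identical one in the hunk at `@@ -2641`, turn off two detections (setns namespace changes and setuid/setgid bit via chmod) with no in-file explanation, so an operator reading falco_rules.yaml cannot tell whether the rule is off because it is noisy, because its condition is still being tuned, or by mistake; the commit subject states only "disable by default" and gives no reason either. Each rule already carries an exception macro (`user_known_change_thread_namespace_activities`, `user_known_set_setuid_or_setgid_bit_conditions`) that is the intended place to suppress known-good activity, so a reader may reasonably expect tuning rather than a blanket disable. Suggest a comment directly above each `enabled: false`, for example `# Disabled by default: <REASON-PLACEHOLDER>. To turn it on, tune user_known_change_thread_namespace_activities and override this rule with enabled: true in your local rules file.` (with the matching macro name in the second rule). The rule definitions (`- rule:`, `desc:`, start of `condition:`) begin before both hunks, so the rule headers are not visible here.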