From bca98e0419c77b15a3df05b873e18c4d30446b91 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Wed, 15 Jul 2020 11:55:36 +0200
Subject: [PATCH] update(rules): disable drift detection rules by default

Signed-off-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a2c3f795..ec7b7fe3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2915,9 +2915,10 @@
 # Two things to pay attention to:
 # 1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged
 # 2) Drift rules will be noisy in environments in which containers are built (e.g. docker build)
+# These two rules are not enabled by default. Use `never_true` in macro condition to enable them.
 - macro: user_known_container_drift_activities
-  condition: (never_true)
+  condition: (always_true)
 - rule: Container Drift Detected (chmod)
   desc: New executable created in a container due to chmod