From bcc84c47c6fd32e0c1a9d303ccd17c2c2e7b4d34 Mon Sep 17 00:00:00 2001
From: Hiroki Suezawa
Date: Sat, 7 Dec 2019 03:03:40 +0900
Subject: [PATCH] rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives
Signed-off-by: Hiroki Suezawa
---
 rules/falco_rules.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 607b7309..04644bae 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2646,13 +2646,15 @@
 - list: k8s_client_binaries
 items: [docker, kubectl, crictl]
+# You can overwrite this macro to avoid false positives.
+# (The default value is a condition for Kubernetes Cluster on GCP)
 - macro: user_known_k8s_client_container
- condition: (k8s.ns.name = "kube-system")
+ condition: (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler)
 - rule: The docker client is executed in a container
 desc: Detect a k8s client tool executed inside a container
 condition: spawned_process and container and not user_known_k8s_client_container and proc.name in (k8s_client_binaries)
- output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
+ output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
 priority: WARNING
 tags: [container, mitre_execution]
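Review bot: The tightened exception in the added `condition:` line of `user_known_k8s_client_container` keys on `container.image.repository` alone, so the allowlist is a name match rather than a content match: any container in `kube-system` whose image repository string reads `k8s.gcr.io/fluentd-gcp-scaler` (a re-tagged or locally built image, for instance) is exempted from the rule regardless of what the image actually contains. If the deployed Falco exposes `container.image.digest`, pinning the macro to the digest, or at least emitting it in the `output:` line next to the repository:tag the commit already adds, would let responders confirm which image sat behind an exemption. The exemption also covers every entry in `k8s_client_binaries`; if the scaler only needs `kubectl`, appending `and proc.name=kubectl` keeps `docker` and `crictl` spawns from that image visible. The new comment would read more precisely as `# Override this macro to allowlist known k8s client containers and reduce false positives; the default matches a GKE (GCP) cluster.`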