From c5a964e6511de7bf44e2e7675d4f9c3a8958d192 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 24 May 2017 10:17:57 -0700
Subject: [PATCH] Address some setns FPs.

Allow the sysdig cloud agent to call setns to collect java process metrics.

We've also seen cases where some of the intermediate processes created below runc appear to call setns. It appears that this only should happen if some events (like the execve that spawns the intermediate processes) are lost, but just to be safe allow processes starting with "runc:" to call setns.
---
 rules/falco_rules.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4301eb5a..5f6d2592 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -241,6 +241,9 @@
 - macro: parent_linux_image_upgrade_script
   condition: proc.pname startswith linux-image-
 
+- macro: java_running_sdjagent
+  condition: proc.name=java and proc.cmdline contains sdjagent.jar
+
 ###############
 # General Rules
 ###############
@@ -355,7 +358,9 @@
   condition: >
     evt.type = setns and not proc.name in (docker_binaries, k8s_binaries,
     lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)
+    and not java_running_sdjagent
   output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
   priority: WARNING
   tags: [process]
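Review bot: The new `java_running_sdjagent` macro exempts any process named `java` whose command line merely contains the substring `sdjagent.jar`, so the match is decided by an attribute the matched process sets for itself rather than by anything tied to the agent, and the same concern applies to the `runc:` prefix added in the second hunk. If the agent's jar is installed at a fixed path, anchoring the match to that path, or additionally constraining the parent with the list the file already has (`and proc.pname in (sysdigcloud_binaries)`), narrows the exception to the case the commit message describes. The macro also lands without any explanation of what sdjagent is; a comment above it such as `# Exempt the sysdig cloud agent's java metrics collector (sdjagent) from setns alerts` would keep that context with the rule.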
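Review bot: `and not proc.name startswith "runc:"` exempts every process whose name begins with that prefix, while the commit message says this case should only arise when execve events are lost, so the exception is wider than the evidence behind it and the rationale is not visible in the rule itself. A comment on that line, e.g. `# runc:[...] intermediates; expected only when their execve events are dropped`, would stop a later maintainer from reading it as a deliberate allowlist, and scoping it by parent process (hedged here, since the hunk shows nothing about who spawns these intermediates) would shrink it further. The rule's `- rule:` header and `desc` lie above the hunk, so the full rule is not visible here.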