From f98ec60c88ee6ee51e87e7a56816f2e8890c3bd7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 24 Oct 2016 13:22:33 -0700
Subject: [PATCH] Rule fixes for dragent.

Make sure falco doesn't detect the things draios-agent does as suspicious. It's possible that you might run open source falco alongside sysdig cloud.

App checks spawned by sysdig cloud binaries might also change namespace, so also allow children of sysdigcloud binaries to call setns.
---
 rules/falco_rules.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a22f38a7..a9ab58bd 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -96,7 +96,7 @@
   ]
 
 - list: sysdigcloud_binaries
-  items: [setup-backend, dragent]
+  items: [setup-backend, dragent, sdchecks]
 
 - list: docker_binaries
   items: [docker, dockerd, exe]
@@ -276,8 +276,8 @@
 
 - rule: Change thread namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
-  condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdig, dragent, nsenter)
-  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline %container.info)"
+  condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.pname in (sysdigcloud_binaries)
+  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
   priority: WARNING
 
 - rule: Run shell untrusted
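Review bot: `sdchecks` is appended to the shared `sysdigcloud_binaries` list rather than to the setns rule alone, so if any other rule in the file references that list it is widened as well; confirm that exempting sdchecks everywhere the list is used is intended, or add the name only where the second hunk consumes the list. The list is also matched purely on `proc.name`, which makes it a noise-suppression allowlist for known agent process names rather than a check that the binary really is the agent, and that distinction is worth recording for future maintainers. A comment above the list such as `# Sysdig Cloud agent processes; matched on proc.name only, so this suppresses known-benign noise rather than verifying the binary.` would make the trade-off explicit.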
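Review bot: The new `and not proc.pname in (sysdigcloud_binaries)` clause exempts every direct child of setup-backend, dragent or sdchecks from the rule, not only the app checks the commit message describes, so any program those agents spawn can call setns without producing an event. If the set of app-check executables is enumerable, narrowing the parent exemption with an additional `proc.name in (...)` list of those checks would keep the rule closer to its stated intent; if the breadth is deliberate, it should at least be documented in the rule. A comment above the condition such as `# app checks spawned by dragent/sdchecks legitimately enter container namespaces, so direct children of sysdigcloud_binaries are also exempt` would record why the parent check exists. Adding `parent=%proc.pname` to the output is a useful complement, since triage needs that field to judge whether the exemption should have applied.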