From fa3d2eb4738af2435c75f03ebfd8273898e81f41 Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@gmail.com>
Date: Wed, 20 May 2020 09:38:12 -0700
Subject: [PATCH] rule(macro trusted_logging_images): Let azure-npm image write
 to /var/log

"The Azure's NPM is a a daemonset that supports network policies as
defined by the Kubernetes policy specification."

Example event:

---
Log files were tampered (user=root command=azure-npm
file=/var/log/iptables.conf CID1 image=mcr.microsoft.com/containernetworking/azure-npm)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e50318a8..58b402e2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2438,7 +2438,8 @@
 - macro: trusted_logging_images
   condition: (container.image.repository endswith "splunk/fluentd-hec" or
               container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or
-              container.image.repository endswith "openshift3/ose-logging-fluentd")
+              container.image.repository endswith "openshift3/ose-logging-fluentd" or
+              container.image.repository endswith "containernetworking/azure-npm")
 
 - rule: Clear Log Activities
   desc: Detect clearing of critical log files