rule(Launch Package Management...): add sysdig nia

Example falco alert:

Package management process launched in container (user=root
user_loginuid=-1 command=rpm
--dbpath=/analysis_scratch/de10314b-70bb-4149-802e-1c2c3d47f23c/rpmtmp/rpmdbfinal/var/lib/rpm
-qa --queryformat
[%{FILENAMES}|ANCHORETOK|%{FILEDIGESTS}|ANCHORETOK|%{FILEMODES:octal}|ANCHORETOK|%{FILEGROUPNAME}|ANCHORETOK|%{FILEUSERNAME}|ANCHORETOK|%{FILESIZES}|ANCHORETOK|%{=NAME}|ANCHORETOK|%{FILEFLAGS:fflags}|ANCHORETOK|%{=FILEDIGESTALGO}\n]
container_id=3748cd603f28 container_name=sysdig-image-analyzer image=quay.io/sysdig/node-image-analyzer:latest)

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

rules/falco_rules.yaml

@@ -706,8 +706,9 @@
   condition: >
     proc.name = "exe"
     and (proc.cmdline contains "/var/lib/docker"
-    or proc.cmdline contains "/var/run/docker")
+    or proc.cmdline contains "/var/run/docker"
-    and proc.pname in (dockerd, docker, dockerd-current, docker-current)
+    or proc.cmdline contains "/var/lib/containers")
+    and proc.pname in (dockerd, docker, dockerd-current, docker-current, crio)
 
 - macro: python_running_get_pip
   condition: (proc.cmdline startswith "python get-pip.py")
@@ -1508,6 +1509,7 @@
       comps: in
       values: [sysdigcloud_binaries, sysdig, calico, oci-umount,
                cilium-cni, network_plugin_binaries,
+               oneagenthelper,
                user_known_change_thread_namespace_binaries]
     - name: container_proc_name
       fields: [container.id, proc.name]
@@ -1537,6 +1539,8 @@
         - [[rancher-bridge], "rancher/network-manager"]
         - [[calico-node], "calico/node"]
         - [[scope], "weaveworks/scope"]
+        - [[nsenter], "quay.io/cilium/startup-script"]
+        - [[java], "docker.io/sysdig/agent"]
   output: >
     Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@@ -2417,6 +2421,8 @@
     - name: proc_name_image_suffix
       fields: [proc.name, container.image.repository]
       comps: [in, endswith]
+      values:
+        - [[rpm], quay.io/sysdig/node-image-analyzer]
   output: >
     Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2553,6 +2559,7 @@
         - ["fluent/fluentd-kubernetes-daemonset"]
         - ["openshift3/ose-logging-fluentd"]
         - ["containernetworking/azure-npm"]
+        - ["registry.redhat.io/openshift4/ose-logging-fluentd"]
   output: >
     Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority: