add macro user_read_sensitive_file_containers

Signed-off-by: kaizhe <derek0405@gmail.com>
falcosecurity · Jul 25, 2020 · 571f8a2 · 571f8a2
1 parent 6bb0bba
commit 571f8a2
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1458,6 +1458,11 @@
 - macro: user_read_sensitive_file_conditions
   condition: cmp_cp_by_passwd
 
+- macro: user_read_sensitive_file_containers
+  condition: (container and
+              (container.image.repository endswith "sysdig/agent") or
+              (container.image.repository endswith "sysdig/agent-slim"))
+
 - rule: Read sensitive file untrusted
   desc: >
     an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1482,7 +1487,7 @@
     and not perl_running_centrifydc
     and not runuser_reading_pam
     and not user_known_read_sensitive_files_activities
-    and not (container and user_trusted_containers)
+    and not user_read_sensitive_file_containers
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)