Ignore sensitive mounts from ecs-agent

Without this, as ecs-agent starts we get a bunch of errors that look like this (reformatted for readability): Notice Container with sensitive mount started ( user=root command=init -- /agent ecs-agent (id=19d4e98bb0dc) image=amazon/amazon-ecs-agent:latest mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings ) ecs-agent needs those to work properly, so this can cause lots of false positives when starting a new instance. Signed-off-by: Felipe Bessa Coelho <[email protected]>
falcosecurity · Oct 8, 2019 · 2cd5b70 · 2cd5b70
1 parent 2bc4bfd
commit 2cd5b70
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1788,7 +1788,8 @@
     gcr.io/google_containers/kube-proxy, docker.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
     docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
-    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter
+    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
+    amazon/amazon-ecs-agent
     ]
 
 - macro: falco_sensitive_mount_containers