From 8353a0b22e199b1708c9a4ddc66ac258d5c8db0c Mon Sep 17 00:00:00 2001
From: Felipe Bessa Coelho
Date: Mon, 7 Oct 2019 18:45:28 -0300
Subject: [PATCH] Ignore sensitive mounts from ecs-agent
Without this, as ecs-agent starts we get a bunch of errors that look like this (reformatted for readability): Notice Container with sensitive mount started ( user=root command=init -- /agent ecs-agent (id=19d4e98bb0dc) image=amazon/amazon-ecs-agent:latest mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings ) ecs-agent needs those to work properly, so this can cause lots of false positives when starting a new instance.
Signed-off-by: Felipe Bessa Coelho
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c26552b7466..ed747609fb8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1787,7 +1787,8 @@
 gcr.io/google_containers/kube-proxy, docker.io/calico/node, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout, 
- docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter 
+ docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter, 
+ amazon/amazon-ecs-agent
 ]
 - macro: falco_sensitive_mount_containers
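Review bot: The added entry `amazon/amazon-ecs-agent` is written without a registry, whereas every Docker Hub image on the surrounding context lines is spelled `docker.io/...`; if the runtime reports the registry-qualified repository for this container the new entry will not match and the false positives the commit message describes will persist. The notice quoted in the commit message does show the bare form, so the entry is likely to match on that host, but adding `docker.io/amazon/amazon-ecs-agent,` next to it would follow the list's own convention and cover both spellings. Since entries in this list appear to exempt a container from the sensitive-mount rule on the repository string alone, a short comment on the list such as `# An entry here exempts any container whose image repository equals it, regardless of tag or digest; only add images you pull from a trusted source` would help reviewers of future additions. The list header for this block is outside the hunk, and the `falco_sensitive_mount_containers` macro that presumably consumes it begins on the hunk's last line with its condition outside the hunk.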