rules: add support for k3s to containerd_activities macro

kyrofa · poiana · commit 8e4ed0c27da2 · 2025-03-02T09:27:47.000+01:00
K3s is a stripped down version of Kubernetes that bundles dependencies
within it, including containerd. It puts containerd files (sockets,
tmpmounts, snapshotter overlayfs, etc.) in namespaced, non-standard
locations in an attempt to not interfere with a system-wide containerd
installation. As a result, the "Clear Log Activities" rule triggers
warnings for the bundled containerd. Fix that by including K3s'
non-standard paths in the containerd_activities macro.

Signed-off-by: Kyle Fazzari &lt;kyrofa@ubuntu.com&gt;
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -919,7 +919,9 @@
 
 - macro: containerd_activities
   condition: (proc.name=containerd and (fd.name startswith "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/" or
-                                        fd.name startswith "/var/lib/containerd/tmpmounts/"))
+                                        fd.name startswith "/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots" or
+                                        fd.name startswith "/var/lib/containerd/tmpmounts/" or
+                                        fd.name startswith "/var/lib/rancher/k3s/agent/containerd/tmpmounts/"))
 
 - rule: Clear Log Activities
   desc: > 
