From e65f2518b06b6e439b49451a0738115f74d224e0 Mon Sep 17 00:00:00 2001
From: Petter Reinholdtsen
Date: Thu, 2 Feb 2023 10:23:13 +0100
Subject: [PATCH] rule(write_etc_common): Ignore writes by etckeeper under /etc/.git/

Every time etckeeper update the git history of the content in /etc/, it update files in /etc/.git/ (nd /etc/.etckeeper). This trigger a warning from falco about writes in /etc/ for every time the cron job or package update. This change tell the write_etc_common macro to ignore all writes under /etc/.git/ by a process whos anchestor is etckeeper and one of the scripts called by etckeeper to do the /etc/.git updates.

/kind bug
/kind design
/kind feature
/area rules

Signed-off-by: Petter Reinholdtsen
---
 rules/falco-sandbox_rules.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index a4388781..d5903087 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -834,6 +834,17 @@ fd.name startswith /etc/ssh/ssh_monitor_config_ or fd.name startswith /etc/ssh/ssh_config_)) +- macro: etckeeper_activities + condition: (never_true) + +- macro: etckeeper + condition: > + (proc.aname = etckeeper + or (proc.aname in (50vcs-commit, 30store-metadata, 50uncommitted-c)) + and (fd.name startswith /etc/.git/ + or fd.name = /etc/.etckeeper) + and etckeeper_activities) + +- macro: multipath_writing_conf + condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
@@ -961,6 +972,7 @@ and not automount_using_mtab and not mcafee_writing_cma_d and not avinetworks_supervisor_writing_ssh + and not etckeeper + and not multipath_writing_conf + and not calico_node)
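Review bot: The `or` in the new `etckeeper` macro is not grouped, so with `and` binding tighter than `or` (as in Falco's condition grammar) the condition parses as `proc.aname = etckeeper or (proc.aname in (50vcs-commit, 30store-metadata, 50uncommitted-c) and (fd.name startswith /etc/.git/ or fd.name = /etc/.etckeeper) and etckeeper_activities)`. Any write anywhere under /etc/ by a descendant of a process named etckeeper is therefore dropped from write_etc_common regardless of path, and the `etckeeper_activities` (never_true) opt-in gate only applies to the hook-script branch, so the first branch is live by default; that is considerably broader than the /etc/.git/-scoped exception the commit message describes, and it rests on a process-name match alone. Wrapping the two `proc.aname` tests in their own parentheses makes both the `fd.name` scoping and the gate apply to every branch, as shown below. The second hunk only adds `and not etckeeper` to write_etc_common and needs no further change once the macro is fixed.
```yaml
- macro: etckeeper
  condition: >
    ((proc.aname = etckeeper
      or proc.aname in (50vcs-commit, 30store-metadata, 50uncommitted-c))
     and (fd.name startswith /etc/.git/
          or fd.name = /etc/.etckeeper)
     and etckeeper_activities)
```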