From 06086df21edeaf96465dd26ff0a3d33713797221 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato <leodidonato@gmail.com>
Date: Fri, 9 Apr 2021 14:31:10 +0000
Subject: [PATCH] chore(rules): re-enable negation of package_mgmt_procs for
 Write below binary dir rule

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 765962bf..5cd36c4c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -892,6 +892,7 @@
   desc: an attempt to write to any file below a set of binary directories
   condition: >
     bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
     and not exe_running_docker_save
     and not python_running_get_pip
     and not python_running_ms_oms