From 09748fcbb3ca2035645e5e9b701d83c5cca29407 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:25:08 -0700
Subject: [PATCH] Allow writes to /etc/motd

These files are relatively innocuous.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ffa218f8..9d8fb6a8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -440,7 +440,7 @@
 qualys-cloud-ag, locales.postins, nomachine_binaries)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins)
 and not fd.name pmatch (safe_etc_dirs)
- and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
+ and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
 and not ansible_running_python
 and not python_running_denyhosts
 and not fluentd_writing_conf_files
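Review bot: The new `/etc/motd` and `/etc/motd.svc` entries on the `fd.name in (...)` line are exempted for every writer, whereas the neighbouring clauses (`ansible_running_python`, `python_running_denyhosts`) appear from their names to tie an exception to a specific program. A write to the login banner by an unexpected process will therefore no longer raise this alert. If the process that legitimately writes these files is known, the exception could be scoped to it in the same style as those macros. Otherwise the line should carry a comment recording the reasoning, for example `# motd files are only displayed at login, not executed; allowed for any writer`. The rule's condition begins and ends outside this hunk, so the rule name and the remaining exceptions are not visible here.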