From 12de2e4119975553319d8c3bddfe8210b291785b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 21 Aug 2017 17:30:27 -0700 Subject: [PATCH] Make safe etc directories a list. This way it can more easily be modified/added to. --- rules/falco_rules.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9895c43f..10fff3f3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -377,6 +377,9 @@ priority: ERROR tags: [filesystem] +- list: safe_etc_dirs + items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment] + - macro: write_etc_common condition: > etc_dir and evt.dir = < and open_write @@ -391,8 +394,7 @@ gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) - and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, - /etc/nginx/conf.d, /etc/container_environment) + and not fd.directory in (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts
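Review bot: The new `safe_etc_dirs` list in the first hunk carries no comment saying what an entry grants, and as a standalone list it becomes the easiest place to widen the blind spot of `write_etc_common`. As used in the second hunk, `not fd.directory in (safe_etc_dirs)` drops the alert for any process writing directly into one of these directories, with no condition on `proc.name` or `proc.pname`, so a write to `/etc/nginx/conf.d` is not reported regardless of which process made it. I would add a comment above the list such as `# Writes by ANY process directly into these directories are not reported by write_etc_common; entries are compared as whole values against fd.directory, so keep them narrow and never add /etc itself`. As a follow-up, consider pairing the more sensitive entries with their expected writer rather than exempting the directory outright. The macro's condition starts before the second hunk and may continue past it, so this is based only on the clauses visible here.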