From 2bc9d35d373de32c25d405cfaec0b9b16c8636c7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:25:35 -0700
Subject: [PATCH] Let nfsnobody become themself.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9d8fb6a8..0d96c832 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -816,7 +816,8 @@
 (user.name=_apt and evt.arg.uid=_apt) or
 (user.name=postfix and evt.arg.uid=postfix) or
 (user.name=pki-agent and evt.arg.uid=pki-agent) or
- (user.name=pki-acme and evt.arg.uid=pki-acme))
+ (user.name=pki-acme and evt.arg.uid=pki-acme) or
+ (user.name=nfsnobody and evt.arg.uid=nfsnobody))
 
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
 - rule: Non sudo setuid
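Review bot: The added `nfsnobody` clause records nowhere which program produced the false positive, and like the entries above it the exception is keyed on the user name alone. Every process running as that account is therefore exempt from what is presumably the `Non sudo setuid` rule below. Because the clause only matches when the target uid equals the current user, the exposure looks small, but the entry cannot be re-validated later without its rationale. I would add a comment above the macro, for example `# nfsnobody: setuid-to-self observed from <program>; no privilege change because target uid == current user`. The condition starts outside the hunk, so the macro name and any existing comment on it are not visible here.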