From 2cbff6ff709be2d86704988141db56277262f09d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 8 Nov 2017 13:40:56 -0800
Subject: [PATCH] Add addl safe root directories
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2e8efca3..4c34a4f8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -695,7 +695,7 @@
 items: [/root/.monit.state]
 - list: known_root_directories
- items: [/root/.oracle_jre_usage, /root/.java/.userPrefs]
+ items: [/root/.oracle_jre_usage, /root/.java/.userPrefs, /root/.ssh, /root/.cache]
 - macro: known_root_conditions
 condition: (fd.name startswith /root/orcexec.)
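Review bot: Adding `/root/.ssh` to `known_root_directories` exempts a whole directory whose contents decide who can log in as root. The rule that consumes this list is outside the hunk, but if it is the write-below-root exclusion the list name suggests, a write to `/root/.ssh/authorized_keys` would no longer alert through it. I would keep the directory entry to `/root/.cache` only, i.e. `items: [/root/.oracle_jre_usage, /root/.java/.userPrefs, /root/.cache]`. The specific benign file that prompted this change (for example `/root/.ssh/known_hosts`) would then go in the file-level list just above, the one holding `/root/.monit.state`. If the directory-wide exemption has to stay, add a comment naming the process that needed it, and confirm that a separate rule still covers writes to `authorized_keys`.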