From 2eda3432e96ff681b9d3a172fbe3d68e2f2a4546 Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@sysdig.com>
Date: Tue, 31 Oct 2017 20:50:58 -0700
Subject: [PATCH] Let dmeventd write additional dirs

---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index bdc1a01f..cf2fc0c6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -543,7 +543,8 @@
   condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
 
 - macro: dmeventd_writing_lvm_archive
-  condition: (proc.name=dmeventd and fd.name startswith /etc/lvm/archive/)
+  condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
+                                      fd.name startswith /etc/lvm/backup))
 
 ###############
 # General Rules