From 2fd90bf6a7deef5147b746624c113e7f1fbf565a Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Thu, 28 Mar 2019 17:17:01 -0400
Subject: [PATCH] + Add a user_known_write_monitored_dir_conditions macro to allow custom conditions in the "Write below monitored dir" rule (#566)
falco-CLA-1.0-contributing-entity: Coveo Solutions Inc.
falco-CLA-1.0-signed-off-by: Jean-Philippe Lachance
---
 rules/falco_rules.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 68a48c36..8b9e81aa 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -763,6 +763,15 @@
 or user_ssh_directory)
 and not mkinitramfs_writing_boot
+# Add conditions to this macro (probably in a separate file,
+# overwriting this macro) to allow for specific combinations of
+# programs writing below monitored directories.
+#
+# Its default value is an expression that always is false, which
+# becomes true when the "not ..." in the rule is applied.
+- macro: user_known_write_monitored_dir_conditions
+ condition: (never_true)
+
 - rule: Write below monitored dir
 desc: an attempt to write to any file below a set of binary directories
 condition: >
@@ -774,6 +783,7 @@
 and not python_running_ms_oms
 and not google_accounts_daemon_writing_ssh
 and not cloud_init_writing_ssh
+ and not user_known_write_monitored_dir_conditions
 output: >
 File below a monitored directory opened for writing (user=%user.name
 command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
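Review bot: The new comment above `user_known_write_monitored_dir_conditions` does not say how narrow an override should be, and because the macro is consumed through `and not` at the tail of the rule's condition (second hunk), any true branch an operator adds suppresses the "Write below monitored dir" alert entirely rather than just one case. I would extend the comment with something like `# Keep overrides narrow: match the writing program together with the path it writes (e.g. proc.name and fd.name), not a program name alone.` so the exception hook does not quietly become a blanket exclusion. The comment also suggests "overwriting this macro" in a separate file; since a later file can add to the macro with `append: true`, naming that as the preferred form would steer users away from redefining it wholesale. The rule's condition block starts before the second hunk, so the macro's interaction with the earlier exclusions is not visible here.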