From 3dbd43749a95d8c7138567fe39c34e7de991e4d3 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Wed, 31 Jul 2019 14:51:17 -0700
Subject: [PATCH] rule update: add exception for write below rpm (#745)

Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1a2a3c83..c78e62f3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1412,6 +1412,12 @@
   priority: WARNING
   tags: [filesystem, mitre_credential_access, mitre_discovery]
 
+- macro: amazon_linux_running_python_yum
+  condition: >
+    (proc.name = python and
+    proc.pcmdline = "python -m amazon_linux_extras system_motd" and
+    proc.cmdline startswith "python -c import yum;")
+
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
   desc: an attempt to write to the rpm database by any non-rpm related program
@@ -1421,6 +1427,7 @@
     and not ansible_running_python
     and not python_running_chef
     and not exe_running_docker_save
+    and not amazon_linux_running_python_yum
   output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, software_mgmt, mitre_persistence]
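Review bot: The new macro excuses the rpm-database write on nothing but argv — `proc.cmdline` and `proc.pcmdline` are chosen by whoever execs the process, so any attacker with python on the host can launch a parent named `python -m amazon_linux_extras system_motd` and a child `python -c "import yum; <arbitrary code>"` and write below the rpm database without an alert, and the `startswith` leaves everything after `import yum;` unconstrained. The neighbouring exceptions (`ansible_running_python`, `python_running_chef`) accept the same trust in argv, but `startswith` widens it further than an exact match would. If the command the MOTD hook actually spawns is fixed, pin it with `proc.cmdline = "python -c import yum; ..."` instead of `startswith`, add `proc.pname = python`, and, where the Falco version in use exposes it, match the parent's executable path rather than only its command line. A one-line comment above the macro would also explain why the exception exists, e.g. `# amazon-linux-extras' system_motd hook runs "python -c import yum; ..." which opens the rpm database for writing`.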