From 480ba4e0f82ff5a0db9b5467e6f8f1a613ec3e82 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 7 Nov 2017 09:43:07 -0800
Subject: [PATCH] Let duply write below /etc/duply

It's a shell script that runs touch so the detection is slightly more complicated.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 926c86c4..4a2d1f26 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -594,6 +594,9 @@
 - macro: add_shell_writing_shells_tmp
   condition: (proc.name=add-shell and fd.name=/etc/shells.tmp)
 
+- macro: duply_writing_exclude_files
+  condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply")
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -640,6 +643,7 @@
   and not networkmanager_writing_resolv_conf
   and not run_by_chef
   and not add_shell_writing_shells_tmp
+  and not duply_writing_exclude_files
   and not parent_supervise_running_multilog
   and not pki_realm_writing_realms
   and not htpasswd_writing_passwd
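Review bot: The new `duply_writing_exclude_files` macro in the first hunk uses `fd.name startswith "/etc/duply"` with no trailing separator, so it also exempts writes to sibling paths such as `/etc/duply.bak` or `/etc/duplyfoo`, not only the directory the subject names; `  condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply/")` keeps the exception to entries below `/etc/duply/`. The `proc.pcmdline` prefix match keys on the parent's argv rather than on its executable path, and argv is set by whoever execs the parent, so this exception is a best-effort tuning of the write-below-etc rule rather than a strong identity check; a one-line comment above the macro saying so would help whoever later widens or narrows it. The rule condition that consumes the macro in the second hunk starts outside the hunk, so the overall exception list could not be reviewed here.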