From 53776b0ec6a20cd1640f50dab63297ca9b63185b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 31 Oct 2017 20:51:18 -0700 Subject: [PATCH] Add additional /etc writers --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index cf2fc0c6..d92a4c1d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -611,7 +611,8 @@ debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag, locales.postins, nomachine_binaries, - adclient, certutil, crlutil, pam-auth-update, parallels_insta) + adclient, certutil, crlutil, pam-auth-update, parallels_insta, + openshift-launc) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)