From 68d29fc906a9a74218acb314abeb95bbd28f7017 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 5 Jul 2017 14:08:05 -0700
Subject: [PATCH] Add shell management programs.

add-shell and remove-shell are programs that remove shells from /etc/shells. They are allowed to write to files below /etc.
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ccb7c5e4..122842dc 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -74,6 +74,9 @@
 - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash]
+- list: shell_mgmt_binaries
+ items: [add-shell, remove-shell]
+
 - macro: shell_procs condition: proc.name in (shell_binaries)
@@ -332,7 +335,7 @@
 etc_dir and evt.dir = < and open_write and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
- dev_creation_binaries,
+ dev_creation_binaries, shell_mgmt_binaries,
 ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd-machine, debconf-show, rollerd, bind9.postinst, sv,
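Review bot: The new shell_mgmt_binaries list is matched on proc.name only, and the second hunk (which is cut off at the end of this patch) folds it into the blanket exemption of "Write below etc", so any process that happens to carry the name add-shell or remove-shell can write anywhere under /etc without that rule firing; proc.name is taken from the executable name and is not a trustworthy identity. Since these two programs only need to edit /etc/shells, the exemption would be tighter if it were scoped to that file rather than to the whole of /etc — for example keeping the list out of the proc.name allowlist and instead adding a clause along the lines of `and not (proc.name in (shell_mgmt_binaries) and fd.name = /etc/shells)` to the rule, which presumably matches how the `etc_dir` macro already keys on fd.name (worth confirming against the macro definition, which is outside this patch). Independently of the scoping, the list has no comment saying why it exists or where it is consumed; a line such as `# Programs that edit /etc/shells; exempted from "Write below etc"` above `- list: shell_mgmt_binaries` would tell the next maintainer what widening this list means.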