From 71fee6753bb2d96fefbdcb43537e8f8e9ebb8645 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 11 Aug 2017 15:42:44 -0700
Subject: [PATCH] Let qualys write below /etc
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0a75338e..152b31af 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -382,7 +382,8 @@
 apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv,
- gen_resolvconf., update-ca-certi, certbot, runsv)
+ gen_resolvconf., update-ca-certi, certbot, runsv,
+ qualys-cloud-ag)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment)
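Review bot: The added `qualys-cloud-ag` entry exempts that process name from this condition for every path under /etc, not only the files the agent needs to write. The match is on `proc.name` alone, and the entry is exactly 15 characters, so it appears to be the truncated command name, not a verified binary path. Any process carrying that name would write below /etc without raising an alert. Consider a narrower clause instead of a list entry, for example `and not (proc.name = qualys-cloud-ag and fd.directory = <qualys-config-dir>)` (placeholder path, to be confirmed against the agent's install). A comment above the rule, outside the condition text, should record why the exception exists. The condition this list belongs to starts above the hunk, so the rule name and the remaining exclusions are not visible here.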