Alow writes to /etc/pki from openshift secrets dir

Sample falco alert: ``` File below /etc opened for writing (user=root command=cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node image\nunset KUB... ``` The exception is conditioned on containers. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-01 00:52:16 +00:00 · 2020-01-30 17:05:52 -08:00 · 2020-01-30 17:05:52 -08:00 · 7794e468ba
commit 7794e468ba
parent 0d74f3938d
1 changed files with 1 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1200,6 +1200,7 @@
                          qualys-cloud-ag, locales.postins, nomachine_binaries,
                          adclient, certutil, crlutil, pam-auth-update, parallels_insta,
                          openshift-launc, update-rc.d, puppet)
+    and not (container and proc.cmdline in ("cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt"))
    and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
    and not fd.name pmatch (safe_etc_dirs)
    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)