From 8a3a4c4d57d65e0cd8049d37aba9902e08b11967 Mon Sep 17 00:00:00 2001
From: Mac Chaffee
Date: Thu, 16 Dec 2021 16:05:50 -0500
Subject: [PATCH] rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab
Signed-off-by: Mac Chaffee
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index d45b5999..655e88b9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -775,6 +775,9 @@
 - macro: centrify_writing_krb
 condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5)
+- macro: sssd_writing_krb
+ condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name startswith /etc/krb5)
+
 - macro: cockpit_writing_conf
 condition: >
 ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la)
@@ -1218,6 +1221,7 @@
 and not nginx_writing_certs
 and not chef_client_writing_conf
 and not centrify_writing_krb
+ and not sssd_writing_krb
 and not cockpit_writing_conf
 and not ipsec_writing_conf
 and not httpd_writing_ssl_conf
@@ -3123,4 +3127,3 @@
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
-
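Review bot: The new `sssd_writing_krb` macro in the first hunk exempts every path that begins with `/etc/krb5`, while the commit subject names only `/etc/krb5.keytab`, so a write to `/etc/krb5.conf` by a process matching the same names is also dropped from the alert once the second hunk wires the macro in. If the keytab refresh is the only false positive seen, the condition could be narrowed to `condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name=/etc/krb5.keytab)`, or to `fd.name startswith /etc/krb5.keytab` if adcli writes a temporary file beside the keytab (not visible here, to be confirmed). The match also rests only on the process name and its grandparent's name, not on the binary's path, so I would add a comment above the macro such as `# Trusts process names only (adcli spawned under sssd); keep the fd.name match as narrow as possible.` The existing `centrify_writing_krb` macro uses the same broad prefix, so this follows the file's pattern, but the new exception need not inherit it.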