From 8dd34205a8a0d863152e2bd653e388c79dcbb1b2 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 10 Nov 2017 12:11:26 -0800
Subject: [PATCH] Let java write specific config files below /etc
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b18143e6..3541e9b5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -642,6 +642,9 @@
 condition: ((proc.name=update-haproxy- or proc.pname=update-haproxy-) and fd.name in (/etc/openvpn/client.map, /etc/haproxy/client.map-))
+- macro: java_writing_conf
+ condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -698,6 +701,7 @@
 and not datadog_writing_conf
 and not curl_writing_pki_db
 and not haproxy_writing_conf
+ and not java_writing_conf
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
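Review bot: The new `java_writing_conf` macro in the first hunk identifies the writer by `proc.name=java` alone, and a process name is not an identity check, so the exact-match `fd.name=/etc/.java/.systemPrefs/.system.lock` is the only thing keeping this exception to `Write below etc` narrow. I would record that next to the macro so a later edit does not loosen it to a prefix or directory match, e.g. `# Lock file under java's system preferences dir; keep fd.name an exact path, proc.name is only a name match`. The macro also has no comment saying why java needs to write below /etc, which makes the exception list harder to audit. The macro that gains `and not java_writing_conf` in the second hunk starts outside the hunk, so its name is not visible here.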