More specific control of some /etc files

Add more specific controls of files below /etc, allowing specific
combinations of programs and files:
 - start-fluentd can write to /etc/fluent/fluent.conf
 - locales.postins can write to /etc/locale.gen

rules/falco_rules.yaml

@@ -383,6 +383,12 @@
 - list: safe_etc_dirs
   items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment]
 
+- macro: fluentd_writing_fluentd_conf
+  condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf)
+
+- macro: locales_postinst_writing_locale_gen
+  condition: (proc.name=locales.postins and fd.name=/etc/locale.gen)
+
 - macro: write_etc_common
   condition: >
     etc_dir and evt.dir = < and open_write
@@ -398,9 +404,11 @@
                           qualys-cloud-ag)
     and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)
     and not fd.name pmatch (safe_etc_dirs)
-    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/local.gen)
+    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
     and not ansible_running_python
     and not python_running_denyhosts
+    and not fluentd_writing_fluentd_conf
+    and not locales_postinst_writing_locale_gen
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc, not in a pipe installer session