From 96992d7ac36e6ba91932bfc5851106ce4239b24d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:44:15 -0700
Subject: [PATCH] Add scripts possibly run by sshkit

Some general management scripts, possibly run by sshkit (need to check).
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 45ba58d9..9d199004 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -295,6 +295,10 @@
 - list: needrestart_binaries
   items: [needrestart, 10-dpkg, 20-rpm, 30-pacman]
 
+# Possible scripts run by sshkit
+- list: sshkit_script_binaries
+  items: [10_etc_sudoers., 10_passwd_group]
+
 # System users that should never log into a system. Consider adding your own
 # service users (e.g. 'apache' or 'mysqld') here.
 - macro: system_users
@@ -438,6 +442,7 @@
                           package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
                           dev_creation_binaries, shell_mgmt_binaries,
                           sendmail_config_binaries,
+                          sshkit_script_binaries,
                           ldconfig.real, ldconfig, confd, gpg, insserv,
                           apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
                           systemd, systemd-machine, systemd-sysuser,
@@ -511,7 +516,7 @@
     sensitive_files and open_read
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
-     vpn_binaries, sendmail_config_binaries, nomachine_binaries)
+     vpn_binaries, sendmail_config_binaries, nomachine_binaries, sshkit_script_binaries)
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb
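Review bot: The trailing dot in `10_etc_sudoers.` in the new `sshkit_script_binaries` list looks like a typo but both entries are exactly 15 characters, which appears to be the kernel comm truncation that proc.name is compared against; the list needs a comment saying so, or the next maintainer will "fix" it and silently break the match. The commit message's own "need to check" should also be carried into the rules file rather than the bare `# Possible scripts run by sshkit`, so the entry is revisited: `# Scripts possibly run by sshkit (unverified). Entries are the 15-char comm values` / `# that proc.name sees, hence the trailing dot in 10_etc_sudoers.` Because proc.name is a truncated prefix, any process whose comm starts with these 15 characters is exempted by the two later hunks, not only the sshkit scripts.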
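Review bot: Adding `sshkit_script_binaries` to the `not proc.name in (...)` exception in this hunk lets any process carrying one of these names read whatever `sensitive_files` matches without an alert, and the hunk at -438 adds the same name-only exemption to the /etc write exception. A process name is chosen by whoever starts the process, so a name-only allowlist for unverified scripts is the weakest form of exception this file uses; if these scripts are always launched under a known parent, narrowing the exception with `proc.pname` or `proc.aname` would keep it bounded — verify the actual parent before choosing the field. The rule's `condition:` starts above the hunk and its remaining clauses continue below it.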