From 9ceb11a7c83d680e2d6577cfd1b489bc54ebcb87 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 7 Nov 2017 10:19:19 -0800
Subject: [PATCH] Let update-xmlcatal(og) write below /etc/xml
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b75bc463..8db3cefe 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -599,6 +599,9 @@
 - macro: duply_writing_exclude_files
 condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply")

+- macro: xmlcatalog_writing_files
+ condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -646,6 +649,7 @@
 and not run_by_chef
 and not add_shell_writing_shells_tmp
 and not duply_writing_exclude_files
+ and not xmlcatalog_writing_files
 and not parent_supervise_running_multilog
 and not pki_realm_writing_realms
 and not htpasswd_writing_passwd
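Review bot: The new `xmlcatalog_writing_files` macro keys its exception on `proc.name` alone, which is the task's comm value and can be set by the process itself, so once the second hunk adds `and not xmlcatalog_writing_files` to the rule's exclusion list (the rule body starts outside the hunk), any process carrying that name can write in `/etc/xml` without an alert. Consider narrowing it with a second attribute, as `duply_writing_exclude_files` just above does with `proc.pcmdline`, for example a `proc.pname` constraint naming whatever actually invokes update-xmlcatalog in your environment. The macro also deserves a comment explaining the odd name, such as `# proc.name is truncated to 15 characters, so update-xmlcatalog shows up as update-xmlcatal`. Note that `fd.directory=/etc/xml` is an exact match, so writes into subdirectories still alert. That is the safer choice, but it is narrower than the "below /etc/xml" in the commit title, so it is worth stating that it is intentional.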