From c4c5d2f5853dcd65f98b89a7f177928dc7d8a0ed Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 20 Sep 2017 18:22:11 -0700
Subject: [PATCH] Let chef read sensitive files

Add the macro run_by_chef to the set of exclusions for reading sensitive files.
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f606c1a4..4c5c8b6c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -497,6 +497,7 @@
 and not ansible_running_python
 and not proc.cmdline contains /usr/bin/mandb
 and not run_by_qualys
+ and not run_by_chef
 output: >
 Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
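Review bot: The added `and not run_by_chef` line silences this rule for every sensitive-file read by whatever the macro matches, and the macro's definition is not in this hunk, so the size of the resulting blind spot cannot be judged from the patch alone. If run_by_chef is keyed on process name or ancestry only, any process satisfying that name-based test inherits the exemption, whereas the neighbouring mandb exclusion is at least anchored to a path in proc.cmdline; it is worth confirming the macro is scoped as tightly as the chef deployment allows before merging. The condition also carries no record of why each exclusion exists, so I would annotate the new line, e.g. `# chef is trusted to read sensitive files; scope is defined by the run_by_chef macro`, so a later reader can audit the allowlist without git archaeology. The enclosing rule's name and the start of its condition lie before this hunk.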