From e95ab26f336a0e9647d7b45c94c288dbb6cba383 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Thu, 15 Apr 2021 14:52:39 +0200
Subject: [PATCH] update(rules): stricter detection of man-db postinst exception
Signed-off-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2c6dca4c..58983871 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1392,6 +1392,15 @@
 - macro: user_read_sensitive_file_containers
 condition: (container and container.image.repository in (read_sensitive_file_images))
+# This macro detects man-db postinst, see https://salsa.debian.org/debian/man-db/-/blob/master/debian/postinst
+# The rule "Read sensitive file untrusted" use this macro to avoid FPs.
+- macro: mandb_postinst condition: > (proc.name=perl and proc.args startswith "-e" and proc.args contains "@pwd = getpwnam(" and proc.args contains "exec " and proc.args contains "/usr/bin/mandb")
+
 - rule: Read sensitive file untrusted
 desc: >
 an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -1407,11 +1416,11 @@
 )
 and not cmp_cp_by_passwd
 and not ansible_running_python
- and not proc.cmdline contains /usr/bin/mandb
 and not run_by_qualys
 and not run_by_chef
 and not run_by_google_accounts_daemon
 and not user_read_sensitive_file_conditions
+ and not mandb_postinst
 and not perl_running_plesk
 and not perl_running_updmap
 and not veritas_driver_script
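Review bot: The `mandb_postinst` exception added in the first hunk is keyed only on `proc.args` substrings, so any process named perl whose argument string happens to include `@pwd = getpwnam(`, `exec ` and `/usr/bin/mandb` is dropped from "Read sensitive file untrusted" regardless of what launched it or which sensitive file it opens. That is a clear improvement over the `proc.cmdline contains /usr/bin/mandb` clause removed in the second hunk, but the exception would be harder for an unrelated perl invocation to satisfy if it were also anchored on process ancestry, e.g. `and proc.pname in (<parent of the postinst — confirm>)`; the page does not show what launches the perl snippet, so the expected parent has to be verified against a real man-db postinst run before adding it. Two documentation nits on the `+# The rule ...` comment: `use this macro` should read `uses this macro`, and a phrase such as `the argument fragments are copied from the postinst's perl -e one-liner` would tell readers why these particular strings were chosen. The rule `condition` block edited by the second hunk begins and ends outside the hunk.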