From ea303ba32fda96435c3d1599511a9777cf908072 Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Mon, 10 Dec 2018 11:54:47 -0800
Subject: [PATCH] noise suppression: calico writing config files into /etc (#481)
---
rules/falco_rules.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 167a1ddf..19ea82e7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -841,6 +841,10 @@
 - macro: ufw_writing_conf
 condition: proc.name=ufw and fd.directory=/etc/ufw

+- macro: calico_writing_conf
+ condition: >
+ (proc.name = calico-node and fd.name startswith /etc/calico)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -943,6 +947,7 @@
 and not iscsi_writing_conf
 and not istio_writing_conf
 and not ufw_writing_conf
+ and not calico_writing_conf

 - rule: Write below etc
 desc: an attempt to write to any file below /etc
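Review bot: The new `calico_writing_conf` exception in the first hunk is wider than the commit title implies. `fd.name startswith /etc/calico` has no trailing slash, so it also matches sibling paths such as `/etc/calico-old/x` (constructed example), and `proc.name` is only the process's short name, which is not tied to the calico binary. Because the second hunk adds `and not calico_writing_conf` to the exception list that the context suggests feeds `Write below etc`, any write matching the macro is silently excluded from that rule. I would tighten the condition to `(proc.name = calico-node and fd.name startswith /etc/calico/)` and, where the deployment allows it, also require a container or image match so that a host process merely named calico-node is not exempted. A short comment above the macro naming which calico component writes these files would also help later audits of the exception list.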