From fb5e13c6949ba469745e1b7e84fb5944b3bb9382 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 27 Aug 2020 17:33:42 -0700
Subject: [PATCH] rule(Write below root): add mysqlsh

Let mysqlsh write below /root/.mysqlsh.

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9bd7afa0..a9da9ea0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1406,6 +1406,9 @@
 - macro: runc_writing_var_lib_docker
   condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
 
+- macro: mysqlsh_writing_state
+  condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
+
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
@@ -1426,6 +1429,7 @@
     and not calico_writing_state
     and not rancher_writing_root
     and not runc_writing_exec_fifo
+    and not mysqlsh_writing_state
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
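Review bot: The new `mysqlsh_writing_state` macro uses `fd.directory=/root/.mysqlsh`, which only matches files whose immediate parent is that directory, so a mysqlsh write into a subdirectory beneath it (if the tool creates any) would still trigger `Write below root` even though the commit message says "below /root/.mysqlsh"; if the whole tree is intended, `condition: (proc.name=mysqlsh and fd.name startswith /root/.mysqlsh/)` covers it and mirrors the `startswith` form of the neighbouring `runc_writing_var_lib_docker` macro. Separately, the exception keys solely on `proc.name`, which any process can satisfy by running under that name, so it creates a name-spoofable blind spot for writes into /root/.mysqlsh — the same trade-off the adjacent per-process macros make, but worth a one-line comment above the macro such as `# NOTE: proc.name is attacker-controlled; tighten with an exe-path check if the deployed Falco exposes one` so rule tuners see the limitation. The `Write below root` rule's condition begins in the first hunk and continues past the end of the second.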