rule(write_etc_common): Ignore writes by etckeeper under /etc/.git/

Every time etckeeper update the git history of the content in /etc/, it update files in /etc/.git/ (nd /etc/.etckeeper). This trigger a warning from falco about writes in /etc/ for every time the cron job or package update. This change tell the write_etc_common macro to ignore all writes under /etc/.git/ by a process whos anchestor is etckeeper and one of the scripts called by etckeeper to do the /etc/.git updates. /kind bug /kind design /kind feature /area rules Signed-off-by: Petter Reinholdtsen <[email protected]>
falcosecurity · Apr 23, 2024 · e65f251 · e65f251
1 parent ec255e6
commit e65f251
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
@@ -834,6 +834,17 @@
        fd.name startswith /etc/ssh/ssh_monitor_config_ or
        fd.name startswith /etc/ssh/ssh_config_))
 
+- macro: etckeeper_activities
+  condition: (never_true)
+
+- macro: etckeeper
+  condition: >
+    (proc.aname = etckeeper
+     or (proc.aname in (50vcs-commit, 30store-metadata, 50uncommitted-c))
+    and (fd.name startswith /etc/.git/
+         or fd.name = /etc/.etckeeper)
+    and etckeeper_activities)
+
 - macro: multipath_writing_conf
   condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
 
@@ -961,6 +972,7 @@
     and not automount_using_mtab
     and not mcafee_writing_cma_d
     and not avinetworks_supervisor_writing_ssh
+    and not etckeeper
     and not multipath_writing_conf
     and not calico_node)