rule(write_etc_common): Ignore writes by etckeeper under /etc/.git/

Every time etckeeper update the git history of the content in /etc/, it update files in /etc/.git/ (nd /etc/.etckeeper). This trigger a warning from falco about writes in /etc/ for every time the cron job or package update. This change tell the write_etc_common macro to ignore all writes under /etc/.git/ by a process whos anchestor is etckeeper and one of the scripts called by etckeeper to do the /etc/.git updates. /kind bug /kind design /kind feature /area rules Signed-off-by: Petter Reinholdtsen <[email protected]>
falcosecurity · Feb 13, 2023 · f39d569 · f39d569
1 parent 3c1f203
commit f39d569
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1172,6 +1172,16 @@
 - macro: calico_node
   condition: (container.image.repository endswith calico/node and proc.name=calico-node)
 
+- macro: etckeeper_activities
+  condition: (never_true)
+
+- macro: etckeeper
+  condition: (proc.aname in (50vcs-commit, 30store-metadata) and
+              proc.aname = etckeeper and
+              (fd.name startswith /etc/.git/ or
+               fd.name = /etc/.etckeeper) and
+              etckeeper_activities)
+
 - macro: write_etc_common
   condition: >
     etc_dir and evt.dir = < and open_write
@@ -1278,6 +1288,7 @@
     and not avinetworks_supervisor_writing_ssh
     and not multipath_writing_conf
     and not calico_node
+    and not etckeeper
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc