From 010d770c3b3ebf6f7bfa7e8f7b79e8ca04df37db Mon Sep 17 00:00:00 2001
From: Nicolas Marier
Date: Thu, 5 Nov 2020 11:12:44 -0500
Subject: [PATCH] rule(macro multipath_writing_conf): create and use the macro `multipath`, which is run by `systemd-udevd`, writes to `/etc/multipath/wwids`, `/etc/multipath/bindings` and a few other paths under `/etc/multipath` as part of its normal operation.
Signed-off-by: Nicolas Marier
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 30e9b290810..5af10931d1a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1213,6 +1213,9 @@
      fd.name startswith /etc/ssh/ssh_monitor_config_ or
      fd.name startswith /etc/ssh/ssh_config_))
 
+- macro: multipath_writing_conf
+  condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1333,6 +1336,7 @@
     and not automount_using_mtab
     and not mcafee_writing_cma_d
     and not avinetworks_supervisor_writing_ssh
+    and not multipath_writing_conf
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
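Review bot: The new exception `condition: (proc.name = multipath and fd.name startswith /etc/multipath/)` keys only on proc.name, which a process chooses for itself, so once this macro is wired into write_etc_common (second hunk) any process presenting that name is exempt from the "Write below etc" rule for the whole directory. The commit message states the tool is launched by `systemd-udevd`, so the exception can be anchored to that: `condition: (proc.name = multipath and proc.pname = systemd-udevd and fd.name startswith /etc/multipath/)`; if the "few other paths" under /etc/multipath can be enumerated, an `fd.name in (/etc/multipath/wwids, /etc/multipath/bindings, ...)` list would narrow it further, otherwise the prefix match can stay. A one-line comment above the macro, e.g. `# multipath (spawned by systemd-udevd) rewrites /etc/multipath/wwids, bindings and related files during normal operation`, would document why the carve-out exists, as the neighbouring exceptions do. The write_etc_common macro that the second hunk extends begins outside the hunk, so the indentation of the added `and not multipath_writing_conf` line should be checked against its siblings.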