Alow writes to /etc/pki from openshift secrets dir

Sample falco alert: ``` File below /etc opened for writing (user=root command=cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node image\nunset KUB... ``` The exception is conditioned on containers. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Feb 3, 2020 · 7794e46 · 7794e46
1 parent 0d74f39
commit 7794e46
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1200,6 +1200,7 @@
                           qualys-cloud-ag, locales.postins, nomachine_binaries,
                           adclient, certutil, crlutil, pam-auth-update, parallels_insta,
                           openshift-launc, update-rc.d, puppet)
+    and not (container and proc.cmdline in ("cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt"))
     and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
     and not fd.name pmatch (safe_etc_dirs)
     and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)