From 20156ef86c99933abe981eb996f3d8d661a4bb5b Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 15:56:57 -0700
Subject: [PATCH 01/17] Add dpkg-divert as a debian package mgmt program.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7ab60f21855..3dc202d6e23 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -158,7 +158,7 @@ condition: proc.name in (rpm_binaries) or proc.name in (salt-minion) - list: deb_binaries - items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude, + items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key, apt-listchanges, unattended-upgr, apt-add-reposit ]
From 4569e25e33482a0c8ffbc4baf6887a763f726198 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 15:57:47 -0700
Subject: [PATCH 02/17] Add pip3 as a package mgmt program.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3dc202d6e23..3f59cb43a32 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -166,7 +166,7 @@ # The truncated dpkg-preconfigu is intentional, process names are # truncated at the sysdig level. - list: package_mgmt_binaries - items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, sane-utils.post, alternatives, chef-client] + items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client] - macro: package_mgmt_procs condition: proc.name in (package_mgmt_binaries)
From c2a58b5054774c107e7b39665cc611d64df97de6 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:00:20 -0700
Subject: [PATCH 03/17] Let ucpagent write config Since the name is fairly generic (apiserver), require that it runs in a container with image docker/ucp-agent.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3f59cb43a32..f3da1f7e3e7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -546,6 +546,9 @@ - macro: openldap_writing_conf condition: (proc.pname=run-openldap.sh and fd.name startswith /etc/openldap) +- macro: ucpagent_writing_conf + condition: (proc.name=apiserver and container.image startswith docker/ucp-agent and fd.name=/etc/authorization_config.cfg) + - macro: symantec_writing_conf condition: > ((proc.name=symcfgd and fd.name startswith /etc/symantec) or
@@ -862,6 +865,7 @@ and not brandbot_writing_os_release and not redis_writing_conf and not openldap_writing_conf + and not ucpagent_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc
From 78eabc9e484b09be797bb82ca63810876277412e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:01:25 -0700
Subject: [PATCH 04/17] Let iscsi admin programs write config
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f3da1f7e3e7..1a622af8edb 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -549,6 +549,9 @@ - macro: ucpagent_writing_conf condition: (proc.name=apiserver and container.image startswith docker/ucp-agent and fd.name=/etc/authorization_config.cfg) +- macro: iscsi_writing_conf + condition: (proc.name=iscsiadm and fd.directory=/etc/iscsi) + - macro: symantec_writing_conf condition: > ((proc.name=symcfgd and fd.name startswith /etc/symantec) or
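Review bot: The reason `ucpagent_writing_conf` requires `container.image startswith docker/ucp-agent` is only given in the commit message, so a reader of the rules file will not see why this macro is stricter than its neighbours; add a comment above it such as `# apiserver is a generic process name, so also require the docker/ucp-agent image`. The condition itself is well scoped, since the exact `fd.name`, the process name and the image prefix all have to hold. Keep in mind that `startswith docker/ucp-agent` is a name prefix rather than an image identity, so any image whose name begins that way satisfies it.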
@@ -866,6 +869,7 @@ and not redis_writing_conf and not openldap_writing_conf and not ucpagent_writing_conf + and not iscsi_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc
From 83910575047edf5140912b351b80f22792744af5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:01:52 -0700
Subject: [PATCH 05/17] Add parent to some output strings Will aid in addressing false positives.
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1a622af8edb..de9c3acaa6c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1000,7 +1000,7 @@ - rule: Write below rpm database desc: an attempt to write to the rpm database by any non-rpm related program condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not python_running_chef - output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)" + output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)" priority: ERROR tags: [filesystem, software_mgmt]
@@ -1044,7 +1044,7 @@ condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save output: > File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline - operation=%evt.type file=%fd.name %evt.args) + pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args) priority: ERROR tags: [filesystem]
From 927ca376e012975e7f5791ee4711bc5cff8e380b Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:02:52 -0700
Subject: [PATCH 06/17] Let update-ca-trust write to pki files
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index de9c3acaa6c..322349c9827 100644
--- a/rules/falco_rules.yaml
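Review bot: The second hunk of [PATCH 05/17] adds only `pcmdline=%proc.pcmdline` to the `File below known binary directory renamed/removed` output, while the first hunk adds both `parent=%proc.pname` and `pcmdline=%proc.pcmdline` to the rpm-database rule; an analyst triaging the alert wants the parent name in both, e.g. `parent=%proc.pname pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args)`. The rpm-database output also still lacks `user=%user.name`, which the other rule prints; presumably an oversight rather than a choice. The rule header of the second hunk is outside the hunk.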
+++ b/rules/falco_rules.yaml
@@ -570,6 +570,9 @@ (proc.name=urlgrabber-ext- and proc.pname in (yum, yum-cron, repoquery) and (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb)) +- macro: update_ca_trust_writing_pki + condition: (proc.pname=update-ca-trust and proc.name=trust and fd.name startswith /etc/pki) + - macro: brandbot_writing_os_release condition: proc.name=brandbot and fd.name=/etc/os-release
@@ -865,6 +868,7 @@ and not httpd_writing_ssl_conf and not userhelper_writing_etc_security and not pkgmgmt_progs_writing_pki + and not update_ca_trust_writing_pki and not brandbot_writing_os_release and not redis_writing_conf and not openldap_writing_conf
From f0c759954171df0bc6fe1407f75a52402fba40d6 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:03:45 -0700
Subject: [PATCH 07/17] Add additional root writing programs - zap: web application security tool - airflow: apache app for managing data pipelines - rpm can sometimes write below /root/.rpmdb - maven can write groovy files
---
 rules/falco_rules.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 322349c9827..eb03d596029 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -632,6 +632,18 @@ - macro: dse_writing_tmp condition: (proc.name=dse-entrypoint and fd.name=/root/tmp__) +- macro: zap_writing_state + condition: (proc.name=java and proc.cmdline contains "jar /zap" and fd.name startswith /root/.ZAP) + +- macro: airflow_writing_state + condition: (proc.name=airflow and fd.name startswith /root/airflow) + +- macro: rpm_writing_root_rpmdb + condition: (proc.name=rpm and fd.directory=/root/.rpmdb) + +- macro: maven_writing_groovy + condition: (proc.name=java and proc.cmdline contains "classpath /usr/local/apache-maven" and fd.name startswith /root/.groovy) + - rule: Write below binary dir desc: an attempt to write to any file below a set of binary directories condition:
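Review bot: `update_ca_trust_writing_pki` exempts writes to anything under `/etc/pki` whenever the process is named `trust` with a parent named `update-ca-trust`, and `/etc/pki` is where the system trust anchors live, so this is a wide exception keyed only on process names. If the extracted bundles are the only thing this tool writes (its output directory should be `/etc/pki/ca-trust/extracted`; confirm against the distribution), narrowing the prefix keeps an unexpected write elsewhere under `/etc/pki` visible: `condition: (proc.pname=update-ca-trust and proc.name=trust and fd.name startswith /etc/pki/ca-trust/extracted)`. Unrelated to this change, the context line above it reads `/etc/pkt/nssdb`, which looks like a typo of `/etc/pki/nssdb` and is presumably a dead alternative.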
>
@@ -932,6 +944,10 @@ and not exe_running_docker_save and not gugent_writing_guestagent_log and not dse_writing_tmp + and not zap_writing_state + and not airflow_writing_state + and not rpm_writing_root_rpmdb + and not maven_writing_groovy and not known_root_conditions output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" priority: ERROR
From fa44500434b54136aefbc42a62ffdd354367602d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:06:39 -0700
Subject: [PATCH 08/17] Expand redis etc files Additional program redis-launcher.(sh) and path /etc/redis.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index eb03d596029..4c3a468c13f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -763,7 +763,7 @@ - macro: redis_writing_conf condition: > - (proc.name=run-redis and fd.name=/etc/redis.conf) + (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis) - macro: openvpn_writing_conf condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
From 15ceb21a73d0a72bfd52a32255e4d5b9d34f45d0 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:08:18 -0700
Subject: [PATCH 09/17] Add additional root directories /root/workspace could be used by jenkins, /root/oradiag_root could be used by Oracle 11 SQL*Net.
---
 rules/falco_rules.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4c3a468c13f..ca8d0ff0a45 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
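Review bot: `zap_writing_state` and `maven_writing_groovy` in the first hunk of [PATCH 07/17] test `proc.cmdline contains "jar /zap"` and `contains "classpath /usr/local/apache-maven"`, which is a substring match over the whole command line including caller-supplied arguments, so any `java` process carrying that text anywhere in its arguments qualifies; the `fd.name` prefixes on `/root/.ZAP` and `/root/.groovy` are what actually bound the exception. If those launch lines are fixed, `proc.cmdline startswith` on the full launcher prefix would be tighter, though I cannot tell from the hunk whether the leading flags vary. `rpm_writing_root_rpmdb` uses `fd.directory=/root/.rpmdb` while the other three macros in the same group use `startswith`; both work, but mixing the two forms within one group makes the intent harder to read. The `Write below binary dir` rule at the end of that hunk continues outside it.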
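Review bot: The new `redis_writing_conf` condition `(proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)` groups wrongly: `and` binds tighter than `or` in Falco conditions, so the macro is true for any process at all writing under `/etc/redis`, and the `Write below etc` rule that negates it stops firing for those paths regardless of who writes them. The intended condition needs parentheses around the path alternatives, `(proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis))`. Since `startswith /etc/redis` already covers `/etc/redis.conf`, the exact-match clause can be dropped once the grouping is fixed.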
@@ -900,7 +900,7 @@ /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd] - list: known_root_directories - items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami] + items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami, /root/workspace] - macro: known_root_conditions condition: (fd.name startswith /root/orcexec.
@@ -933,7 +933,8 @@ or fd.name startswith /root/.composer or fd.name startswith /root/.gconf or fd.name startswith /root/.nv - or fd.name startswith /root/.local/share/jupyter) + or fd.name startswith /root/.local/share/jupyter + or fd.name startswith /root/oradiag_root) - rule: Write below root desc: an attempt to write to any file directly below / or /root
From 75feb3e03162ed884ccf5f244ac07eef10049013 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:10:37 -0700
Subject: [PATCH 10/17] Add pam-config as an auth program
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ca8d0ff0a45..4e877781c03 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -973,7 +973,7 @@ items: [ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, + pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd ]
From 8f83d8beee18fc9886b304921c3d729f97cf5324 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Jul 2018 16:10:51 -0700
Subject: [PATCH 11/17] Add additional trusted containers openshift image inspector, alternate name for datadog agent, docker ucp agent, gliderlabs logspout.
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4e877781c03..f5579f5a6f7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1264,11 +1264,15 @@ container.image startswith registry.access.redhat.com/openshift3/metrics-cassandra or container.image startswith openshift3/ose-sti-builder or container.image startswith registry.access.redhat.com/openshift3/ose-sti-builder or + container.image startswith registry.access.redhat.com/openshift3/image-inspector or container.image startswith cloudnativelabs/kube-router or container.image startswith "consul:" or container.image startswith mesosphere/mesos-slave or container.image startswith istio/proxy_ or - container.image startswith datadog/docker-dd-agent) + container.image startswith datadog/docker-dd-agent or + container.image startswith datadog/agent or + container.image startswith docker/ucp-agent or + container.image startswith gliderlabs/logspout) # Add conditions to this macro (probably in a separate file, # overwriting this macro) to specify additional containers that are
From 50dd9c81cc5bd08b8ad6882eb1d44ec04f7daf3d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 10 Jul 2018 13:58:39 -0700
Subject: [PATCH 12/17] Add microdnf as a rpm binary. https://github.com/rpm-software-management/microdnf
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f5579f5a6f7..128d6a4aec6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -152,7 +152,7 @@ - list: rpm_binaries items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma, repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, - abrt-action-sav, rpmdb_stat] + abrt-action-sav, rpmdb_stat, microdnf] - macro: rpm_procs condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
From 632b0c9345130fdb0d12079e69ea480eab51c676 Mon Sep 17 00:00:00 2001
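Review bot: The new trusted-image entries `datadog/agent`, `docker/ucp-agent` and `gliderlabs/logspout` are `startswith` prefixes with no trailing `:` or `/`, so `datadog/agent` also matches any image named `datadog/agent-<anything>`, and since `container.image` is only the name the runtime reports, anyone able to start a container under such a name inherits whatever this macro exempts. The existing `"consul:"` entry in the context shows the anchoring convention; if the field reliably carries a tag, the same form, e.g. `container.image startswith "datadog/agent:" or`, stops the prefix from spilling onto sibling repositories. The same applies to the `ose-docker-builder` entry added in the [PATCH 16/17] hunk. The macro's opening line is outside this hunk.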
From: Mark Stemm
Date: Tue, 10 Jul 2018 13:59:47 -0700
Subject: [PATCH 13/17] Let coreos update-ssh-keys write /home/core/.ssh
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 128d6a4aec6..d5cde74b23a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -171,6 +171,9 @@ - macro: package_mgmt_procs condition: proc.name in (package_mgmt_binaries) +- macro: coreos_write_ssh_dir + condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh) + - macro: run_by_package_mgmt_binaries condition: proc.aname in (package_mgmt_binaries, needrestart)
@@ -687,6 +690,7 @@ condition: > evt.dir = < and open_write and monitored_dir and not package_mgmt_procs + and not coreos_write_ssh_dir and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms
From 62c41ef7b85dfc9b52aeb9e12294e2b10f03bda5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 10 Jul 2018 14:00:32 -0700
Subject: [PATCH 14/17] Allow additional writes below /etc/iscsi Allow any path starting with /etc/iscsi.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index d5cde74b23a..2e7db9f5fa7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -553,7 +553,7 @@ condition: (proc.name=apiserver and container.image startswith docker/ucp-agent and fd.name=/etc/authorization_config.cfg) - macro: iscsi_writing_conf - condition: (proc.name=iscsiadm and fd.directory=/etc/iscsi) + condition: (proc.name=iscsiadm and fd.name startswith /etc/iscsi) - macro: symantec_writing_conf condition: >
From 69154c1ded2624ffd9f522ec8e05a8d51446fecd Mon Sep 17 00:00:00 2001
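Review bot: `coreos_write_ssh_dir` in [PATCH 13/17] removes `/home/core/.ssh`, where `authorized_keys` lives, from the `Write below monitored dir` rule for any process named `update-ssh-keys`, and `proc.name` is the only qualifier, so a renamed binary carries the same exemption. If the CoreOS helper always runs under a fixed parent or user, adding that to the condition (as `ucpagent_writing_conf` does with the image) keeps the exception narrow; the hunk does not show what that parent is. A comment above the macro, `# CoreOS update-ssh-keys rewrites authorized_keys under /home/core/.ssh`, would also record why this path is trusted. The rule body in the second hunk continues outside it.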
From: Mark Stemm
Date: Tue, 10 Jul 2018 14:01:12 -0700
Subject: [PATCH 15/17] Add additional /root write paths Additional files, with /root/workspace changing from a directory to a path prefix.
---
 rules/falco_rules.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2e7db9f5fa7..7729f562697 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -901,10 +901,10 @@ - list: known_root_files items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack, - /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd] + /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts] - list: known_root_directories - items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami, /root/workspace] + items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami] - macro: known_root_conditions condition: (fd.name startswith /root/orcexec.
@@ -938,7 +938,10 @@ or fd.name startswith /root/.gconf or fd.name startswith /root/.nv or fd.name startswith /root/.local/share/jupyter - or fd.name startswith /root/oradiag_root) + or fd.name startswith /root/oradiag_root + or fd.name startswith /root/workspace + or fd.name startswith /root/jvm + or fd.name startswith /root/.node-gyp) - rule: Write below root desc: an attempt to write to any file directly below / or /root
From 9306b1e74198f64ff873fefae199c945918fb380 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 10 Jul 2018 14:01:44 -0700
Subject: [PATCH 16/17] Add additional openshift trusted container.
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7729f562697..60f02388b9e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1271,6 +1271,7 @@ container.image startswith registry.access.redhat.com/openshift3/metrics-cassandra or container.image startswith openshift3/ose-sti-builder or container.image startswith registry.access.redhat.com/openshift3/ose-sti-builder or + container.image startswith registry.access.redhat.com/openshift3/ose-docker-builder or container.image startswith registry.access.redhat.com/openshift3/image-inspector or container.image startswith cloudnativelabs/kube-router or container.image startswith "consul:" or
From 05dfefd0a5306c2325ee7177df5564039abca1ae Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 12 Jul 2018 17:58:36 -0700
Subject: [PATCH 17/17] Also allow grandparents for ms_oms_writing_conf In some cases the program spawns intermediate shells, for example: 07:15:30.756713513: Error File below /etc opened for writing (user= command=StatusReport.sh /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime parent=sh pcmdline=sh -c /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime file=/etc/opt/omi/conf/omsconfig/last_statusreport program=StatusReport.sh gparent=omiagent ggparent=omiagent gggparent=omiagent) k8s.pod= container=host k8s.pod= container=host This should fix #387.
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 60f02388b9e..b0370ad6204 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -522,10 +522,14 @@ - macro: countly_writing_nginx_conf condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx) +- list: ms_oms_binaries + items: [omi.postinst, omsconfig.posti, scx.postinst, omsadmin.sh, omiagent] + - macro: ms_oms_writing_conf condition: > ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor) - or proc.pname in (omi.postinst,omsconfig.posti,scx.postinst,omsadmin.sh,omiagent)) + or proc.pname in (ms_oms_binaries) + or proc.aname[2] in (ms_oms_binaries)) and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent)) - macro: ms_scx_writing_conf
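Review bot: `proc.aname[2] in (ms_oms_binaries)` exempts any process whose grandparent is one of the OMS binaries, which after this change includes arbitrary commands launched through the intermediate `sh -c` shown in the commit message, so the `/etc/opt/omi` and `/etc/opt/microsoft/omsagent` prefixes become the only boundary of this exception; that matches the stated fix for #387, but the reason belongs in the file as well, e.g. `# omsconfig scripts run through an intermediate shell, so also accept the grandparent` above the macro. The two new clauses are consistent with each other since `proc.pname` is the parent that `proc.aname[1]` would name, and keeping both lists in `ms_oms_binaries` avoids them drifting apart. The unchanged `proc.name in (omiagent,omsagent,...)` line keeps its own inline set, which overlaps the new list on `omiagent` and `omsadmin.sh`; harmless, but worth a glance if the list is extended later.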