From 59e83ef060d2cc6227331108864f5d4ef06af23c Mon Sep 17 00:00:00 2001
From: Jonathan McGowan <jonnymcgow7@gmail.com>
Date: Fri, 26 Jul 2019 16:30:05 -0700
Subject: [PATCH] Fix for Write below root error triggering on GKE

GKE regularly calls /exec.fifo from both a system level, and within
individual falco pods.  As is this triggers errors multiple times every
hour.  This change adds /exec.fifo to the expected files below root that
will be called.

Signed-off-by: Jonathan McGowan <jonnymcgow7@gmail.com>
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6d32990a732..1a2a3c83fbf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1265,7 +1265,7 @@
 - list: known_root_files
   items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
           /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack,
-          /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health]
+          /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health, /exec.fifo]
 
 - list: known_root_directories
   items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami]