From eb3f1236ee5fb23e298c5315f4c70cd426b79734 Mon Sep 17 00:00:00 2001
From: Nicolas Marier
Date: Thu, 5 Dec 2019 09:47:23 -0500
Subject: [PATCH] rule(Write below etc): whitelist automount writing under /etc

This commit allows automount to write under /etc/mtab without flagging it as an error.

Signed-off-by: Nicolas Marier
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a7a92907448..607b7309a2c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1153,6 +1153,9 @@
 - macro: etcd_manager_updating_dns
 condition: (container and proc.name=etcd-manager and fd.name=/etc/hosts)
 
+- macro: automount_using_mtab
+ condition: (proc.pname = automount and fd.name startswith /etc/mtab)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1269,6 +1272,7 @@
 and not jboss_in_container_writing_passwd
 and not etcd_manager_updating_dns
 and not user_known_write_below_etc_activities
+ and not automount_using_mtab
 
 - rule: Write below etc
 desc: an attempt to write to any file below /etc
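Review bot: The `automount_using_mtab` macro exempts writes based only on the parent's process name (`proc.pname = automount`) plus a path prefix, which is wider than the commit message's "automount to write under /etc/mtab". Any child of a process carrying that name is silenced for every path that begins with `/etc/mtab`, not just the mtab file and its lock or temp siblings, and a process name is a label rather than a verified identity. If the writer is always the same helper (presumably `mount`; confirm from the events that triggered this), the condition could pin it as well: `condition: (proc.pname = automount and proc.name = mount and fd.name startswith /etc/mtab)`. A comment above the macro such as `# automount's mount helper rewrites /etc/mtab and its lock/temp files; prefix match is intentional` would record why `startswith` is used instead of an exact match. The second hunk only wires the macro into the exclusion list, whose enclosing macro starts outside the hunk, so the same scope concern carries through to the "Write below etc" rule.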