From bd6a3fdee49afafa23dce438d4980b924ec45944 Mon Sep 17 00:00:00 2001
From: GLVS Kiriti
Date: Thu, 14 Mar 2024 16:24:41 +0530
Subject: [PATCH] Added event for the default rule WriteBelowMonitoredDir

Signed-off-by: GLVS Kiriti
---
events/syscall/write_below_montiored_dir.go | 33 +++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 events/syscall/write_below_montiored_dir.go

diff --git a/events/syscall/write_below_montiored_dir.go b/events/syscall/write_below_montiored_dir.go
new file mode 100644
index 00000000..b3a9b575
--- /dev/null
+++ b/events/syscall/write_below_montiored_dir.go
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+ "os"
+
+ "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+ WriteBelowMonitoredDir,
+ events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func WriteBelowMonitoredDir(h events.Helper) error {
+ const filename = "/usr/local/bin/created-by-event-generator"
+ h.Log().Infof("writing to %s", filename)
+ defer os.Remove(filename)
+ return os.WriteFile(filename, nil, os.FileMode(0755))
+}
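Review bot: The deferred `os.Remove(filename)` in WriteBelowMonitoredDir drops its error, so a failed cleanup silently leaves an empty file with mode 0755 in /usr/local/bin, a directory that is normally on root's PATH. The rule presumably fires on the write-open below the monitored directory rather than on the file mode, so `os.FileMode(0644)` should trigger it equally while leaving less behind; this is worth confirming against the rule condition. The cleanup can report a failure with `defer func() { if err := os.Remove(filename); err != nil && !os.IsNotExist(err) { h.Log().Infof("could not remove %s: %v", filename, err) } }()`. The new file name also spells "montiored" (and the inline comment reads "this rules is"), and the exported function has no doc comment; `// WriteBelowMonitoredDir creates and then removes an empty file under /usr/local/bin.` would cover it.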