"Write below rpm database" rule failing in Amazon Linux 2

[fcoelho]

What happened:

The "Write below rpm database" rule fails under Amazon Linux 2 when installing something, like running yum install -y vim. The generated event looks like this:

{
  "output": "2019-07-30T19:35:28.038655549+0000: Error Rpm database opened for writing by a non-rpm program (command=python -c import yum; y=yum.YumBase(); y.doConfigSetup(init_plugins=False); print(y.conf.yumvar) file=/var/lib/rpm/__db.003 parent=python pcmdline=python -m amazon_linux_extras system_motd container_id=host image=<NA>)",
  "priority": "Error",
  "rule": "Write below rpm database",
  "time": "2019-07-30T19:35:28.038655549Z",
  "output_fields": {
    "container.id": "host",
    "container.image.repository": null,
    "evt.time.iso8601": 1564515328038655500,
    "fd.name": "/var/lib/rpm/__db.003",
    "proc.cmdline": "python -c import yum; y=yum.YumBase(); y.doConfigSetup(init_plugins=False); print(y.conf.yumvar)",
    "proc.pcmdline": "python -m amazon_linux_extras system_motd",
    "proc.pname": "python"
  }
}

What you expected to happen:

It shouldn't fail for regular yum install commands

How to reproduce it (as minimally and precisely as possible):

Running yum install vim is enough to trigger the issue.

Anything else we need to know?:

I'm using the following blocks to silence the alerts:

- macro: amazon_linux_running_python_yum
  condition: >
    proc.name = python
    and proc.pcmdline = "python -m amazon_linux_extras system_motd"
    and proc.cmdline = "python -c import yum; y=yum.YumBase(); y.doConfigSetup(init_plugins=False); print(y.conf.yumvar)"

- rule: Write below rpm database
  append: true
  condition: and not amazon_linux_running_python_yum

Environment:

• Falco version: falco version 0.16.0
• System info:

{
  "machine": "x86_64",
  "nodename": "ip-10-xx-xx-xx.eu-west-1.compute.internal",
  "release": "4.14.128-112.105.amzn2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Wed Jun 19 16:53:40 UTC 2019"
}

• Cloud provider or hardware configuration: EC2 instance, type m5.large
• OS: ECS-optimized Amazon Linux 2, AMI ID ami-0ae254c8a2d3346a7 in eu-west-1

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

• Kernel: Linux ip-10-xx-xx-xx.eu-west-1.compute.internal 4.14.128-112.105.amzn2.x86_64 #1 SMP Wed Jun 19 16:53:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
• Install tools: Installed the RPM from cloud-init using the following commands:

yum -y install kernel-devel-$(uname -r)
yum -y install falco
systemctl enable falco
systemctl start falco

[leodido]

/assign @Kaizhe

[Kaizhe]

Thanks I will take a look!

[poiana]

@fcoelho: There is not a label identifying the kind of this issue.
Please specify it either using /kind <group> or manually from the side menu.
In case you do not know which kind this proposal is please mention the maintainers using @team/maintainers.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.