rule update:

1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)

rules/falco_rules.yaml

@@ -59,7 +59,7 @@
 - macro: rename
   condition: evt.type in (rename, renameat)
 - macro: mkdir
-  condition: evt.type = mkdir
+  condition: evt.type in (mkdir, mkdirat)
 - macro: remove
   condition: evt.type in (rmdir, unlink, unlinkat)
 
@@ -2299,10 +2299,17 @@
 - macro: access_log_files
   condition: (fd.directory in (log_directories) or fd.filename in (log_files))
 
+# a placeholder for whitelist log files that could be cleared. Recommend the macro as (fd.name startswith "/var/log/app1*")
+- macro: allowed_clear_log_files
+  condition: (never_true)
+
 - rule: Clear Log Activities
   desc: Detect clearing of critical log files
   condition: >
-    open_write and access_log_files and evt.arg.flags contains "O_TRUNC"
+    open_write and
+    access_log_files and
+    evt.arg.flags contains "O_TRUNC" and
+    not allowed_clear_log_files
   output: >
     Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name)
   priority: