From 0272b94bb10d3efa644abe0cf3ff52af7f09a293 Mon Sep 17 00:00:00 2001
From: Nicolas Marier
Date: Fri, 15 May 2020 16:08:27 -0400
Subject: [PATCH] rule(macro exe_running_docker_save): add new cmdline

While using Falco, I noticed we were getting many events that were virtually identical to those that were previously filtered out by the `exexe_running_docker_save` macro, but where the `cmdline` was something like `exe /var/run/docker/netns/cc5c7b9bb110 all false`. I believe this is caused by the use of docker-in-docker.

Signed-off-by: Nicolas Marier
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7ee4ab4a..56d9f5a6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -861,7 +861,8 @@
 - macro: exe_running_docker_save
 condition: >
 proc.name = "exe"
- and proc.cmdline contains "/var/lib/docker"
+ and (proc.cmdline contains "/var/lib/docker"
+ or proc.cmdline contains "/var/run/docker")
 and proc.pname in (dockerd, docker)
 # Ideally we'd have a length check here as well but sysdig