From 03e8b7f53da8572d498b83d6f98190c6288f680f Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Tue, 3 Dec 2019 12:15:31 -0500
Subject: [PATCH] Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule

Signed-off-by: Jean-Philippe Lachance
---
 rules/falco_rules.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 43330851..2c73c972 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -443,10 +443,11 @@
     open_write and
     (fd.filename in (shell_config_filenames) or
      fd.name in (shell_config_files) or
-     fd.directory in (shell_config_directories)) and
-    not proc.name in (shell_binaries)
+     fd.directory in (shell_config_directories))
+    and not proc.name in (shell_binaries)
+    and not exe_running_docker_save
   output: >
-    a shell configuration file has been modified (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file has been modified (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tag: [file, mitre_persistence]
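Review bot: The new `and not exe_running_docker_save` exemption is a blanket allow-list on a persistence detection, and nothing in the hunk records why it is safe or how narrow it is; the macro's definition is outside this hunk, but if, as its name suggests, it matches on a process name and command line, those are attacker-controlled and a process that mimics them can write shell dotfiles without triggering this rule. I would scope the exception to the context where `docker save` legitimately runs rather than exempting it everywhere, e.g. `and not (exe_running_docker_save and container.id = host)` if the macro is meant to cover host-side daemon activity, and confirm that against the macro's actual definition before merging. At minimum, add a comment above the condition such as `# exe_running_docker_save is exempted because docker's image export writes under its own storage tree; this is a name/cmdline heuristic, so keep it as narrow as the macro allows` so the next reader knows the exemption is a tuning decision, not a guarantee. The added `parent=%proc.pname pcmdline=%proc.pcmdline` output fields are a welcome improvement for triaging what survives the exclusion. The enclosing rule's `- rule:` and `condition: >` lines start outside the hunk.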