Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2025-07-03 09:56:45 +00:00 · 2019-12-03 12:15:31 -05:00 · 2019-12-03 12:15:31 -05:00 · 03e8b7f53d
commit 03e8b7f53d
parent 146343e5f0
1 changed files with 4 additions and 3 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -443,10 +443,11 @@
    open_write and
    (fd.filename in (shell_config_filenames) or
     fd.name in (shell_config_files) or
-     fd.directory in (shell_config_directories)) and
+     fd.directory in (shell_config_directories))
-    not proc.name in (shell_binaries)
+    and not proc.name in (shell_binaries)
    and not exe_running_docker_save
  output: >
-    a shell configuration file has been modified (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file has been modified (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
  tag: [file, mitre_persistence]