Update the exe_running_docker_save macro to support docker in docker

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2025-07-02 01:22:16 +00:00 · 2019-12-03 16:00:27 -05:00 · 2019-12-03 16:00:27 -05:00 · 146343e5f0
commit 146343e5f0
parent 7da245e902
1 changed files with 4 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -845,7 +845,10 @@
  condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec)

 - macro: exe_running_docker_save
-  condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
+  condition: >
+    proc.name = "exe"
+    and proc.cmdline contains "/var/lib/docker"
+    and proc.pname in (dockerd, docker)

 # Ideally we'd have a length check here as well but sysdig
 # filterchecks don't have operators like len()