From 146343e5f0cf2817a7d084e30f4743a596f8aadc Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Tue, 3 Dec 2019 16:00:27 -0500
Subject: [PATCH] Update the exe_running_docker_save macro to support docker in docker

Signed-off-by: Jean-Philippe Lachance
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f1a140c3..43330851 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -845,7 +845,10 @@
   condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec)
 
 - macro: exe_running_docker_save
-  condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
+  condition: >
+    proc.name = "exe"
+    and proc.cmdline contains "/var/lib/docker"
+    and proc.pname in (dockerd, docker)
 
 # Ideally we'd have a length check here as well but sysdig
 # filterchecks don't have operators like len()
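Review bot: The new condition on the `+` lines is strictly looser than the one it replaces: `proc.cmdline contains "/var/lib/docker"` accepts that string anywhere in the argument list, whereas `startswith "exe /var/lib/docker"` anchored it to the first argument. `exe_running_docker_save` is an allow-list macro consumed by rules outside this hunk, so widening it widens the set of `exe` children of `dockerd`/`docker` that are exempted from those rules, and the untouched comment below about a missing `len()` check shows the match was already meant to be kept tight. If docker-in-docker only changes the prefix of the path, a second anchored clause for that exact shape would support it without giving up the anchor, e.g. `(proc.cmdline startswith "exe /var/lib/docker" or proc.cmdline startswith "exe <dind-prefix>/var/lib/docker")`. If `contains` really is required, the macro should say why, e.g. a comment above `condition:` such as `# 'contains', not 'startswith': under docker-in-docker the /var/lib/docker path is not the first cmdline argument` so the next reader does not re-tighten it, and the cmdline seen in the DinD case should be recorded somewhere a reviewer can check it.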