github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-05 10:56:47 +00:00
Code Issues Projects Releases Wiki Activity

Update the exe_running_docker_save macro to support docker in docker

Browse Source 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
This commit is contained in:
Jean-Philippe Lachance 2019-12-03 16:00:27 -05:00 committed by Leo Di Donato
parent 7da245e902
commit 146343e5f0
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -845,7 +845,10 @@
condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec) condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec)
- macro: exe_running_docker_save - macro: exe_running_docker_save
condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker)) condition: >
proc.name = "exe"
and proc.cmdline contains "/var/lib/docker"
and proc.pname in (dockerd, docker)
# Ideally we'd have a length check here as well but sysdig # Ideally we'd have a length check here as well but sysdig
# filterchecks don't have operators like len() # filterchecks don't have operators like len()