rule(Write below root): use pmatch to check against known root directories

Signed-off-by: kaizhe <derek0405@gmail.com>
2025-08-01 22:47:46 +00:00 · 2020-04-08 17:26:30 -07:00 · 2020-04-08 17:26:30 -07:00 · 1548ccbc4f
commit 1548ccbc4f
parent a0c189b730
1 changed files with 1 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1361,7 +1361,7 @@
  condition: >
    root_dir and evt.dir = < and open_write
    and not fd.name in (known_root_files)
-    and not fd.directory in (known_root_directories)
+    and not fd.directory pmatch (known_root_directories)
    and not exe_running_docker_save
    and not gugent_writing_guestagent_log
    and not dse_writing_tmp