From 1548ccbc4f2f7fc2b1499a4bb0499bd9cf950043 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Wed, 8 Apr 2020 17:26:30 -0700
Subject: [PATCH] rule(Write below root): use pmatch to check against known root directories
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8b89e5b0..4223639c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1361,7 +1361,7 @@
 condition: >
 root_dir and evt.dir = < and open_write
 and not fd.name in (known_root_files)
- and not fd.directory in (known_root_directories)
+ and not fd.directory pmatch (known_root_directories)
 and not exe_running_docker_save
 and not gugent_writing_guestagent_log
 and not dse_writing_tmp
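Review bot: Switching `fd.directory in (known_root_directories)` to `fd.directory pmatch (known_root_directories)` widens the exception from writes directly inside a listed directory to writes anywhere beneath it, which is a reduction in what the "Write below root" rule detects, and neither the condition nor the commit message records that. Any entry in `known_root_directories` now also silences writes to every nested subdirectory, so the list should be re-checked to confirm each entry is intended as a recursive exclusion rather than a single directory. I would document this where the list is defined, e.g. `# Matched with pmatch: excludes writes in these directories and every path below them`, or state it in the rule's `desc`. The rule's condition and the surrounding `- rule:` entry continue outside the hunk, so the list definition and `desc` are not visible here.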