github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-10 10:32:23 +00:00
Code Issues Projects Releases Wiki Activity

rule(Write below root): use pmatch to check against known root directories

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2020-04-08 17:26:30 -07:00 committed by poiana
parent a0c189b730
commit 1548ccbc4f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -1361,7 +1361,7 @@
condition: > condition: >
root_dir and evt.dir = < and open_write root_dir and evt.dir = < and open_write
and not fd.name in (known_root_files) and not fd.name in (known_root_files)
and not fd.directory in (known_root_directories) and not fd.directory pmatch (known_root_directories)
and not exe_running_docker_save and not exe_running_docker_save
and not gugent_writing_guestagent_log and not gugent_writing_guestagent_log
and not dse_writing_tmp and not dse_writing_tmp