From 18595528346170733605465f13da902fb3860690 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Wed, 24 Jun 2020 15:38:30 +0200
Subject: [PATCH] fix(rules): correct `root_dir` macro to avoid unwanted matching
Signed-off-by: Leonardo Grasso
---
rules/falco_rules.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index fd2e4a58..5a5f47c6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -110,7 +110,7 @@
 # This detects writes immediately below / or any write anywhere below /root
 - macro: root_dir
- condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/")
+ condition: ((fd.directory=/ or fd.name startswith /root/) and fd.name contains "/")
 - list: shell_binaries
 items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
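Review bot: The comment above `root_dir` does not say why the prefix on the new `condition` line ends in a slash, so `/root/` is easy to "tidy" back to `/root` and bring back matches on sibling paths (for example a directory whose name merely begins with `root`). I would add a second comment line such as `# Trailing slash keeps sibling paths like /rootfs from matching; /root itself is still caught by fd.directory=/.` The second half matters because a path named exactly `/root` no longer satisfies the `startswith` clause and, as far as I can tell, is now covered only by the `fd.directory=/` clause. The diffstat shows only the rules file changing, so a regression case with one sibling path that must not match and one path under `/root/` that must would pin the intended behaviour.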