From 1f1f7c16b66b18ab6c3c36f45b1296c2a52b697a Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Tue, 18 Aug 2020 09:58:15 +0200
Subject: [PATCH] chore(rules): add `renameat2` to `rename` macro
Signed-off-by: Leonardo Grasso
---
rules/falco_rules.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a81fe47d..2fef4ea9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -55,11 +55,12 @@ - macro: proc_name_exists condition: (proc.name!="") -# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp - macro: rename - condition: evt.type in (rename, renameat) + condition: evt.type in (rename, renameat, renameat2) + - macro: mkdir condition: evt.type in (mkdir, mkdirat) + - macro: remove condition: evt.type in (rmdir, unlink, unlinkat)
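Review bot: The `rename` macro now lists `renameat2`, but the deleted todo was the only place that recorded this event's dependency on sinsp support, and nothing replaces it. The diffstat shows this hunk is the whole commit, so `required_engine_version` is not bumped here. If `renameat2` support landed in a newer engine than the file's current minimum, older deployments may reject the rules file or silently leave every rule built on `rename` blind to `renameat2` calls; which of the two happens should be confirmed. I would put a comment in place of the todo, for example `# renameat2 needs an engine with sinsp support for it (required_engine_version >= <MIN_ENGINE_VERSION>)`, and raise the version field if needed. The two added blank lines are unrelated spacing and would sit better in a separate cleanup.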