From 2f0e09b549e9b400d44b7d275944c51202ae190a Mon Sep 17 00:00:00 2001
From: Shane Lawrence
Date: Sat, 20 Feb 2021 18:17:40 -0500
Subject: [PATCH] rule (Write below monitored dir): Clean up and use glob matching.

Signed-off-by: Shane Lawrence
---
 rules/falco_rules.yaml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 58bc5c38..0a188867 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -806,15 +806,10 @@ # the following rule and lists.
 - list: monitored_directories
-  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver]
+  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]
-# Until https://github.com/draios/sysdig/pull/1153, which fixes
-# https://github.com/draios/sysdig/issues/1152, is widely available,
-# we can't use glob operators to match pathnames. Until then, we do a
-# looser check to match ssh directories.
-# When fixed, we will use "fd.name glob '/home/*/.ssh/*'"
 - macro: user_ssh_directory
-  condition: (fd.name startswith '/home' and fd.name contains '.ssh')
+  condition: (fd.name glob '/home/*/.ssh/*')
 - macro: mkinitramfs_writing_boot
   condition: (proc.pname in (mkinitramfs, update-initramf) and fd.directory=/boot)
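Review bot: The new `user_ssh_directory` condition `fd.name glob '/home/*/.ssh/*'` only keeps the old coverage if Falco's glob `*` is allowed to span `/`; the hunk does not say which semantics it relies on, and if `*` stops at a path separator then `.ssh` directories nested more than one level under `/home` (e.g. `/home/team/alice/.ssh/authorized_keys`), which the old `startswith '/home' and contains '.ssh'` check did catch, silently drop out of the `Write below monitored dir` rule. I would confirm the operator's behaviour on the minimum Falco version this rules file supports and record it above the macro, since the comment block that used to explain it is removed here: `# Files under a user's ~/.ssh (/home/<user>/.ssh/...); relies on glob '*' matching across '/' to cover nested home dirs`. Home directories outside `/home` (as assigned in /etc/passwd) were not covered before either and still are not — worth stating in the same comment rather than letting the macro name imply full coverage.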