From 45241e74c80b3288e0889676b82eb1b5e90fe8e2 Mon Sep 17 00:00:00 2001 From: Nataly <6011550+natalysheinin@users.noreply.github.com> Date: Thu, 30 May 2019 00:17:14 +0200 Subject: [PATCH] falco-CLA-1.0-signed-off-by: Nataly Sheinin (#593) correcting typo and including google accounts daemons in Read sensitive file untrusted --- rules/falco_rules.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 34daced2..bab29494 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -643,7 +643,8 @@ - macro: run_by_google_accounts_daemon condition: > (proc.aname[1] startswith google_accounts or - proc.aname[2] startswith google_accounts) + proc.aname[2] startswith google_accounts or + proc.aname[3] startswith google_accounts) # Chef is similar. - macro: run_by_chef @@ -1343,6 +1344,7 @@ and not proc.cmdline contains /usr/bin/mandb and not run_by_qualys and not run_by_chef + and not run_by_google_accounts_daemon and not user_read_sensitive_file_conditions and not perl_running_plesk and not perl_running_updmap @@ -2122,7 +2124,7 @@ priority: WARNING tags: [network, process, mitre_execution] -- rule: Lauch Suspicious Network Tool in Container +- rule: Launch Suspicious Network Tool in Container desc: Detect network tools launched inside container condition: > spawned_process and container and network_tool_procs
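Review bot: The added `proc.aname[3] startswith google_accounts` clause exempts any process whose great-grandparent carries that name, and since `proc.aname` is the kernel comm string a process can set for itself, widening the ancestor depth enlarges a name-trust exemption that the same patch wires into the sensitive-file rule. Nothing in the hunk records why three levels are needed, nor why the match is a prefix (presumably because the 15-character comm truncates `google_accounts_daemon` — confirm), so a later maintainer cannot tell whether the depth is deliberate or a workaround. A short comment above the macro would capture both, e.g. `# Prefix match: comm is truncated to 15 chars. Depth 3 needed for the daemon's child/grandchild helpers; this is a name-only check and any process can claim this comm.`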
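Review bot: The new `and not run_by_google_accounts_daemon` line suppresses the alert for every file covered by the rule's sensitive-file set, not only the files the account daemon legitimately manages, and it does so for up to three generations of descendants given the macro change in the same patch. If the daemon's expected accesses are known (presumably the passwd/shadow/sudoers files it provisions — confirm against the guest-agent's behaviour), narrowing the exclusion to those keeps detection for everything else, e.g. `and not (run_by_google_accounts_daemon and fd.name in (/etc/shadow, /etc/sudoers))`. The enclosing rule's condition begins and ends outside this hunk, so the other exclusions it sits among cannot be checked for overlap here.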