From 4e622fc033998b36e09b8ac79b1d3fd4401e7bfa Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Thu, 8 Sep 2022 10:12:27 +0900
Subject: [PATCH] add host to target

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6fc7740a..47ff2fbc 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3219,17 +3219,11 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
 
-- list: proc_environ_file_names
- items: [/proc/self/environ, /proc/1/environ]
-
-- macro: proc_environ_files
- condition: >
- fd.name in (proc_environ_file_names)
-
 - rule: Read environment variable from /proc files
 desc: An attempt to read process environment variables from /proc files
 condition: >
- container and open_read and proc_environ_files
+ open_read and (fd.name glob /proc/*/environ)
+ and not proc.name in (systemctl, systemd-detect-, cloud-id)
 enabled: true
 output: >
 Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
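Review bot: The exception added to the rule's condition, `and not proc.name in (systemctl, systemd-detect-, cloud-id)`, is keyed only on the process comm name, which the process itself sets, and with `container` dropped the rule now covers every host process, so any program carrying one of these names is exempted from detection. Pairing each name with a second attribute such as the executable path (`proc.exepath`) would keep the exception narrow; the expected paths would need to be confirmed per distribution. The names would also be easier to maintain in a list, e.g. `- list: proc_environ_known_readers` (suggested name) with `items: [systemctl, systemd-detect-, cloud-id]`, so sites can append to it in `falco_rules.local.yaml`, together with a comment that `systemd-detect-` is presumably `systemd-detect-virt` cut to the 15-character comm limit. The hunk also deletes `proc_environ_file_names` and `proc_environ_files`, so local rule files that still reference them may no longer load. The rule's `output` block continues past the end of the hunk.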