From 578ef7f64d94408fb2e07d30dd3f7131a054643c Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Thu, 4 Jun 2020 15:58:03 +0200
Subject: [PATCH] rule(Create files below dev): correct condition to catch `openat`
Signed-off-by: Leonardo Grasso
---
rules/falco_rules.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 444732b8..b8f98fd9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2238,7 +2238,7 @@
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
condition: >
fd.directory = /dev and
- (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
+ (evt.type = creat or ((evt.type = open or evt.type = openat) and evt.arg.flags contains O_CREAT))
and not proc.name in (dev_creation_binaries)
and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty
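Review bot: The added `(evt.type = open or evt.type = openat)` alternative on the `+` line is clearer, and consistent with the set form Falco conditions commonly use, as `(evt.type = creat or (evt.type in (open, openat) and evt.arg.flags contains O_CREAT))`. Because this closes a detection gap rather than tightening an exclusion (a file created under /dev via openat with O_CREAT previously matched nothing in this rule), it should be paired with a regression trace or rule test that exercises exactly that path, so the gap cannot silently reopen; the repository's test location is outside this hunk, so name it as `<rules-test-dir>/<trace-for-openat-under-dev>` when adding it. If the driver on newer kernels also reports an `openat2` event type, the same gap would presumably apply to it — confirm against the supported event list before relying on this rule for coverage. The rule's name, priority and output lines lie outside the hunk.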