From 5d71d70a14430cb0e8554ecd5b63347828a66163 Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Fri, 28 Aug 2020 16:21:38 -0700
Subject: [PATCH] added brakets to three macros to make them less ambiguous
Signed-off-by: Loris Degioanni
---
 rules/falco_rules.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 32de568c..f29d3375 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -344,8 +344,8 @@
 # for efficiency.
 - macro: inbound_outbound
 condition: >
- (((evt.type in (accept,listen,connect) and evt.dir=<)) or
- (fd.typechar = 4 or fd.typechar = 6) and
+ ((((evt.type in (accept,listen,connect) and evt.dir=<)) or
+ (fd.typechar = 4 or fd.typechar = 6)) and
 (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
 (evt.rawres >= 0 or evt.res = EINPROGRESS))
@@ -696,8 +696,8 @@
 - macro: run_by_foreman
 condition: >
 (user.name=foreman and
- (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
- (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
+ ((proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
+ (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))))
 - macro: java_running_sdjagent
 condition: proc.name=java and proc.cmdline contains sdjagent.jar
@@ -1145,7 +1145,7 @@
 - macro: redis_writing_conf
 condition: >
- (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)
+ (proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis))
 - macro: openvpn_writing_conf
 condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
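Review bot: In `inbound_outbound`, the new inner group joins the event-type test and the `fd.typechar` test with `or`, so as written any event on an IPv4 or IPv6 descriptor passes that group regardless of its event type. If the macro is meant to match only connection setup, as the `accept,listen,connect` list suggests, the first changed line should end in `and`: `((((evt.type in (accept,listen,connect) and evt.dir=<)) and`. With `or`, rules built on this macro are evaluated for every read or write over an IP socket and may alert on them, which costs both signal quality and CPU. The comment above the macro starts outside the hunk, so the intended semantics cannot be confirmed from here.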
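Review bot: The regrouping in `run_by_foreman` makes `user.name=foreman` a requirement for the `proc.pname=scl` branch too, which may change what the macro matches depending on how the parser grouped the unparenthesised `and`/`or` before, while the commit message presents the change as disambiguation only. The name suggests the macro exempts Foreman activity from other rules, so the intent deserves a comment above the condition, for example `# Both ancestor patterns apply only when user.name=foreman.` The same comment could state that the match rests on the user name and on process and ancestor names alone. The rules that reference this macro are outside the hunk, so the effect on alerting cannot be checked here.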
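Review bot: With the new grouping in `redis_writing_conf`, `fd.name=/etc/redis.conf` is already covered by `fd.name startswith /etc/redis`, and that prefix has no trailing separator, so it also matches any other path that merely begins with `/etc/redis`. If the intent is the config file plus the contents of the `/etc/redis` directory, the inner group should read `(fd.name=/etc/redis.conf or fd.name startswith /etc/redis/)`. If the broad prefix is deliberate, the equality test can be dropped and a comment should say which files the prefix is meant to cover.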