From 74ca02d1990c4a2bcc0b36a35dd7e16786ff87dc Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Thu, 4 Jun 2020 10:33:24 +0200
Subject: [PATCH] rule(macro bin_dir_mkdir): correct condition to catch `mkdirat` case

Since the dir's path is found:
- in `evt.arg[1]` for `mkdir`
- but in `evt.arg[2]` for `mkdirat`
switch to `evt.arg.path` to catch both.

That ensures `Mkdir binary dirs` works properly.

Signed-off-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9f21fd0d..0a43b532 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -80,10 +80,10 @@
 - macro: bin_dir_mkdir
   condition: >
-    (evt.arg[1] startswith /bin/ or
-    evt.arg[1] startswith /sbin/ or
-    evt.arg[1] startswith /usr/bin/ or
-    evt.arg[1] startswith /usr/sbin/)
+    (evt.arg.path startswith /bin/ or
+    evt.arg.path startswith /sbin/ or
+    evt.arg.path startswith /usr/bin/ or
+    evt.arg.path startswith /usr/sbin/)
 
 - macro: bin_dir_rename
   condition: >
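Review bot: The new `evt.arg.path startswith /bin/` conditions still compare the raw syscall argument, so a `mkdirat` whose `path` is relative to its `dirfd` (the case the commit message says this macro now covers) will not match any of the four prefixes; only absolute paths are caught. The macro therefore detects `mkdirat` only when an absolute path is passed, and that limitation is worth stating next to the macro so rule authors relying on `Mkdir binary dirs` (outside this hunk) know its coverage. If the engine exposes a dirfd-resolved field for `mkdirat` (the `evt.abspath` family, if it applies to this syscall — please confirm), it would be the better operand; otherwise I would add above the macro `# Matches the raw path argument of mkdir/mkdirat; relative paths given to mkdirat are not resolved against dirfd and will not match.` The `bin_dir_rename` macro's condition continues outside the hunk.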