From 79cb75dcd1208b073b5bacf3da6c712768699b0b Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Mon, 2 Dec 2019 16:53:17 -0500
Subject: [PATCH] ! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule

Signed-off-by: Jean-Philippe Lachance
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c632cd4a..5c2a90f0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2443,7 +2443,10 @@
 When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. Detect setuid or setgid bits set via chmod
- condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.name in (user_known_chmod_applications)
+ condition: >
+ consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
+ and not proc.name in (user_known_chmod_applications)
+ and not exe_running_docker_save
 output: >
 Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
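Review bot: The new `and not exe_running_docker_save` term silences every setuid/setgid chmod made by whatever that macro matches, yet nothing in the hunk records why docker save legitimately sets those bits or how tightly the macro is scoped; the macro is defined elsewhere in the file, and the rule's `- rule:` header and `priority` lie outside the hunk. If, as its name suggests, the macro keys only on `proc.name`/`proc.cmdline`, both are attacker-controllable, so a process that renames itself and mimics the docker command line could set setuid bits on arbitrary files without an alert — worth confirming the macro's definition and, if it is that broad, narrowing the exclusion to the host namespace, e.g. `and not (exe_running_docker_save and container.id = host)`. The rule already exposes `user_known_chmod_applications` as the tunable exclusion list, so hard-wiring this exception into the default condition widens the default blind spot for every deployment; at minimum add a comment above `condition:` such as `# exe_running_docker_save is excluded because image-layer extraction presumably restores file modes including setuid/setgid — confirm and keep the macro narrowly scoped` so the rationale is visible to the next maintainer.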