mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-01 00:52:16 +00:00
macro(exe_running_docker_save): add better support for centos
On CentOS and RHEL, dockerd and docker have a "-current" suffix. This macro does not match those names, causing false positives in multiple rules that use it.

Signed-off-by: Radu Andries <radu@sysdig.com>
parent
511ef52717
commit
938ece8f4e
@ -867,7 +867,7 @@
|
||||
proc.name = "exe"
|
||||
and (proc.cmdline contains "/var/lib/docker"
|
||||
or proc.cmdline contains "/var/run/docker")
|
||||
and proc.pname in (dockerd, docker)
|
||||
and proc.pname in (dockerd, docker, dockerd-current, docker-current)
|
||||
|
||||
# Ideally we'd have a length check here as well but sysdig
|
||||
# filterchecks don't have operators like len()
|
||||
|
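Review bot: The new `proc.pname in (dockerd, docker, dockerd-current, docker-current)` line adds distro-specific names with nothing in the rule file saying why, so a later cleanup could drop them and bring the false positives back. A comment above it such as `# CentOS/RHEL ship the binaries as dockerd-current / docker-current` would record the reason. This condition exempts processes from several rules and matches on process names only, so each name added here widens what is exempted; keeping the names in one named list that other Docker-related conditions also reference would make the exemption easier to audit. The macro's header and the rest of its condition lie outside the hunk, so it cannot be seen from here whether other conditions compare against the same names.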