macro(exe_running_docker_save): add better support for centos

dockerd and docker have a "-current" suffix on centos and rhel. This
macro does not match them, causing false positives on multiple rules
using it.

Signed-off-by: Radu Andries <radu@sysdig.com>
Radu Andries 2020-08-12 10:34:32 +02:00 committed by poiana
parent 511ef52717
commit 938ece8f4e


@ -867,7 +867,7 @@
proc.name = "exe"
and (proc.cmdline contains "/var/lib/docker"
or proc.cmdline contains "/var/run/docker")
and proc.pname in (dockerd, docker)
and proc.pname in (dockerd, docker, dockerd-current, docker-current)
# Ideally we'd have a length check here as well but sysdig
# filterchecks don't have operators like len()
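Review bot: the widened `proc.pname in (dockerd, docker, dockerd-current, docker-current)` line carries no inline comment explaining why the `-current` names are there, and readers of the rules file will not see this commit message; suggest a comment directly above it, e.g. `# centos/rhel package the binaries as dockerd-current / docker-current`. Since `proc.pname in (...)` is an exact-name match, any other distro-specific suffix would still fall through to the false positives the commit describes, so the comment should also say the list is distro-specific rather than exhaustive; the existing `# Ideally we'd have a length check here` note still applies after this change.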