From 938ece8f4e1e5bd6d6b875afad936ffac9fc44ee Mon Sep 17 00:00:00 2001
From: Radu Andries
Date: Wed, 12 Aug 2020 10:34:32 +0200
Subject: [PATCH] macro(exe_running_docker_save): add better support for centos

dockerd and docker have "-current" suffix on centos and rhel. This macro does not match causing false positives on multiple rules using it

Signed-off-by: Radu Andries
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 64a9d328..4f4db8f9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -867,7 +867,7 @@
 proc.name = "exe" and
 (proc.cmdline contains "/var/lib/docker" or
 proc.cmdline contains "/var/run/docker")
- and proc.pname in (dockerd, docker)
+ and proc.pname in (dockerd, docker, dockerd-current, docker-current)
 # Ideally we'd have a length check here as well but sysdig
 # filterchecks don't have operators like len()
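Review bot: The reason for the two added parent names exists only in the commit message, so the rule file should carry it next to the changed line, e.g. `# CentOS/RHEL package the daemon and client as dockerd-current / docker-current`. This macro is consumed as an exception by several rules (per the description), so every name appended to the proc.pname list widens all of those exceptions; the match is still purely name-based, bounded only by the two proc.cmdline substring checks above, which is consistent with the existing dockerd/docker entries but worth stating in the comment so later additions are made deliberately. The macro's name and `condition:` header lie above this hunk.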