github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

macro(exe_running_docker_save): add better support for centos

Browse Source 
dockerd and docker have "-current" suffix on centos and rhel. This
macro does not match causing false positives on multiple rules
using it

Signed-off-by: Radu Andries <radu@sysdig.com>
This commit is contained in:
Radu Andries 2020-08-12 10:34:32 +02:00 committed by poiana
parent 511ef52717
commit 938ece8f4e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -867,7 +867,7 @@
proc.name = "exe" proc.name = "exe"
and (proc.cmdline contains "/var/lib/docker" and (proc.cmdline contains "/var/lib/docker"
or proc.cmdline contains "/var/run/docker") or proc.cmdline contains "/var/run/docker")
and proc.pname in (dockerd, docker) and proc.pname in (dockerd, docker, dockerd-current, docker-current)
# Ideally we'd have a length check here as well but sysdig # Ideally we'd have a length check here as well but sysdig
# filterchecks don't have operators like len() # filterchecks don't have operators like len()