From 9e8687401d05f844db96b409e66b9ab6179c8807 Mon Sep 17 00:00:00 2001
From: m4wh6k <84995001+m4wh6k@users.noreply.github.com>
Date: Fri, 31 Dec 2021 18:09:57 -0800
Subject: [PATCH] fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c9594eba..0e43af4d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2584,7 +2584,7 @@
 condition: >
 (open_write and (
 fd.name contains "bash_history" or
- fd.name contains "zsh_history" or
+ fd.name endswith "zsh_history" or
 fd.name contains "fish_read_history" or
 fd.name endswith "fish_history") and
 evt.arg.flags contains "O_TRUNC")
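Review bot: The new `fd.name endswith "zsh_history"` line has no comment recording why it differs from `fd.name contains "bash_history"` just above it, so a later cleanup could revert it to `contains` for consistency and bring the false positives back. I would add `# zsh touches .zsh_history.new and .zsh_history.LOCK during normal saves; match only the final history file` above the macro definition, which starts outside this hunk. It cannot go inside the `condition: >` block, because a `#` there becomes part of the folded scalar. The narrowing also means a truncating open of the `.new` file no longer matches this macro. If history replaced through that temporary file is meant to be detected, it presumably needs coverage from another rule, which is worth confirming since the hunk does not show one.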