github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 06:10:45 +00:00
Code Issues Projects Releases Wiki Activity

Add runc to the list of possible container entrypoint parents

Browse Source 
Docker versions >= 18.09 removed the "docker-" prefix, so include runc
in the list.

Signed-off-by: Mattia Pagnozzi <mattia.pagnozzi@gmail.com>
This commit is contained in:
Mattia Pagnozzi
2019-07-09 10:59:59 +02:00
committed by Lorenzo Fontana
parent fdbd520cce
commit a32870ae1d
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@@ -1832,7 +1832,7 @@
# when we lose events and lose track of state.
- macro: container_entrypoint
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc, exe))
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe))
- rule: Launch Sensitive Mount Container
desc: >