From b208008be1a6e7ec5b4f65d3a617b5404ff16ef5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 26 Jul 2017 14:01:03 -0700
Subject: [PATCH] Fix parent_python_running_sdchecks

It was checking the current process instead of the parent, which doesn't work when you've just done an exec.

---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6e97d0c9..9d4f7278 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -301,8 +301,8 @@
 - macro: parent_python_running_sdchecks
 condition: >
- (proc.name in (python, python2.7) and
- (proc.cmdline contains /opt/draios/bin/sdchecks))
+ (proc.pname in (python, python2.7) and
+ (proc.pcmdline contains /opt/draios/bin/sdchecks))
 - macro: parent_bro_running_python
 condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
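Review bot: The added `proc.pcmdline contains /opt/draios/bin/sdchecks` clause is a substring match over the parent's entire command line, so any parent python whose argv merely mentions that path anywhere satisfies the macro, not only a parent actually executing the sdchecks script; if this macro is used as an exception in a rule, that is broader than its name suggests. A short comment on the macro would make that trust boundary explicit for rule maintainers, e.g. `# Keys on the parent's argv (substring match), not on the parent's executable path.` The unchanged neighbour `parent_bro_running_python` pairs `proc.pname` with `proc.cmdline` of the current process, which looks like the same parent/current mix this commit fixes unless the asymmetry is intentional; worth confirming in the same pass.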