From bc9a2f38e104b1e29f425153916cfe46c5cc8030 Mon Sep 17 00:00:00 2001
From: Leo Di Donato
Date: Sun, 18 Oct 2020 20:24:40 +0200
Subject: [PATCH] update(falco/rules): re-use `spawned_process` macro inside `container_started` macro

Signed-off-by: Leonardo Di Donato
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index d3e8038d..36b964f0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -522,7 +522,7 @@
 - macro: container_started
 condition: >
 ((evt.type = container or
- (evt.type=execve and evt.dir=< and proc.vpid=1)) and
+ (spawned_process and proc.vpid=1)) and
 container.image.repository != incomplete)

 - macro: interactive
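Review bot: With `spawned_process` replacing the inline `evt.type=execve and evt.dir=<`, `container_started` now inherits any change made to that macro, and its definition is outside this hunk, so equivalence with the removed expression cannot be confirmed from here. A local rules file that overrides or appends exclusions to `spawned_process` for noise reduction would also narrow any rule that uses `container_started`, with no visible change to this macro. I would add a comment above the macro, e.g. `# Depends on spawned_process: overriding or appending to that macro also changes which container starts match.` It is also worth confirming that `spawned_process` is defined before this point in the file, in case macro resolution is order-dependent.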