github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-16 15:51:55 +00:00
Code Issues Projects Releases Wiki Activity

update(falco/rules): re-use spawned_process macro inside container_started macro

Browse Source 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leo Di Donato 2020-10-18 20:24:40 +02:00 committed by poiana
parent c188f4a731
commit bc9a2f38e1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -522,7 +522,7 @@
- macro: container_started
condition: >
((evt.type = container or
(evt.type=execve and evt.dir=< and proc.vpid=1)) and
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
- macro: interactive