rule(Mkdir binary dirs): Exclude exe_running_docker_save

Signed-off-by: James Barlow <james.barlow@finbourne.com>
2025-08-28 10:51:24 +00:00 · 2020-09-08 17:23:38 +01:00 · 2020-09-08 17:23:38 +01:00 · c2a05b3e64
commit c2a05b3e64
parent 581d67fa08
1 changed files with 6 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1601,7 +1601,12 @@

 - rule: Mkdir binary dirs
  desc: an attempt to create a directory below a set of binary directories.
-  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
+  condition: >
+    mkdir
+    and bin_dir_mkdir
+    and not package_mgmt_procs
+    and not user_known_mkdir_bin_dir_activities
+    and not exe_running_docker_save
  output: >
    Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)