From c2a05b3e64344d0b5e759038d76a2ea8d9442c60 Mon Sep 17 00:00:00 2001
From: James Barlow
Date: Tue, 8 Sep 2020 17:23:38 +0100
Subject: [PATCH] rule(Mkdir binary dirs): Exclude exe_running_docker_save

Signed-off-by: James Barlow
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index fe0ea9df..d3694757 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1601,7 +1601,12 @@
 - rule: Mkdir binary dirs
   desc: an attempt to create a directory below a set of binary directories.
-  condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
+  condition: >
+    mkdir
+    and bin_dir_mkdir
+    and not package_mgmt_procs
+    and not user_known_mkdir_bin_dir_activities
+    and not exe_running_docker_save
   output: >
     Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)