mirror of https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Related to discussion on https://github.com/draios/agent/pull/160, verifying we can have rule names with spaces.
8 lines
217 B
YAML
- macro: is_cat
  condition: proc.name=cat

- rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and is_cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING