From 4006c7eead55a777e9c726634d7f4552044915d7 Mon Sep 17 00:00:00 2001
From: James Barlow
Date: Tue, 8 Sep 2020 17:24:53 +0100
Subject: [PATCH] rule(Create Hidden Files or Directories): Exclude exe_running_docker_save

Signed-off-by: James Barlow
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 89d2483d4e9..e01b8bf0ef1 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2707,6 +2707,7 @@
 (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and consider_hidden_file_creation and not user_known_create_hidden_file_activities
+ and not exe_running_docker_save
 output: >
 Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
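Review bot: The added `and not exe_running_docker_save` silences this rule for every event the macro matches, and nothing near the rule records why; the macro is defined outside this hunk, so how tightly it is anchored cannot be checked here. If it matches on process name or command-line text, both are chosen by the process being observed, so it is worth confirming that it also pins the parent process, or that the exclusion is limited to host events (`container.id = host`) if docker save only runs there. Because the condition is a folded scalar, a `#` line inside it would become part of the expression, so the rationale belongs above the rule, for example `# exe_running_docker_save: docker save creates dotfiles while exporting layers; known false positive` (if that is indeed the reason). The rule header and the start of its condition lie above the hunk.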