Skip to content

Commit

Permalink
update(falco/rules): re-use spawned_process macro inside `container…
Browse files Browse the repository at this point in the history 
…_started` macro

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
  • Loading branch information
@leodido @poiana
leodido authored and poiana committed Oct 26, 2020
1 parent c188f4a commit bc9a2f3
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -522,7 +522,7 @@
- macro: container_started
condition: >
((evt.type = container or
(evt.type=execve and evt.dir=< and proc.vpid=1)) and
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
- macro: interactive
Expand Down

0 comments on commit bc9a2f3

Please sign in to comment.