rule(Create files below dev): correct condition to catch openat

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
falcosecurity · Jun 10, 2020 · 578ef7f · 578ef7f
1 parent a5ce61f
commit 578ef7f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -2238,7 +2238,7 @@
   desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
   condition: >
     fd.directory = /dev and
-    (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
+    (evt.type = creat or ((evt.type = open or evt.type = openat) and evt.arg.flags contains O_CREAT))
     and not proc.name in (dev_creation_binaries)
     and not fd.name in (allowed_dev_files)
     and not fd.name startswith /dev/tty