From cb51e0154fe8e99bf61c2bc5edd162c5dd975da2 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Wed, 10 Apr 2019 22:53:39 -0700
Subject: [PATCH] minor fix
---
 rules/falco_rules.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 27d3a4f2611..ea65d0be7f7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1907,10 +1907,9 @@
 - rule: Create hidden files or directories
   desc: Detect hidden files or directories created
   condition: >
-    (container and
-     ((open_write and evt.arg.flags contains "O_CREAT" and
+    (((open_write and evt.arg.flags contains "O_CREAT" and
      fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)) or
-     (mkdir and evt.arg.path contains "/.")))
+     (mkdir and evt.arg.path contains "/.")) and container)
   output: >
     Hidden file or directory created (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
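Review bot: The rewritten condition on the two `+` lines is boolean-equivalent to the removed one, but it moves the cheap `container` test from the front of the expression to the very end, so the `open_write`/`mkdir` checks and the `pmatch (exclude_hidden_directories)` lookup are now evaluated before a host event is rejected for not being in a container; if the filter engine short-circuits left to right, as it appears to, that is extra work on every host-side open or mkdir. The subject "minor fix" does not say what was broken, so a reader cannot tell whether the reordering is the fix or a side effect of rebalancing the parentheses. If only the grouping mattered, keeping `container and` as the leading term, e.g. `(container and ((open_write and evt.arg.flags contains "O_CREAT" and` … `(mkdir and evt.arg.path contains "/."))))`, preserves the old evaluation order; if evaluating `container` last is deliberate, a one-line comment above `condition:` such as `# container is checked last on purpose: <reason>` (placeholder) would record why.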