cleanup(falco_rules): we need only dup exit events
In `Redirect STDOUT/STDIN` rule we check for evt.rawres but this is a
parameter that we only have in the exit event

Signed-off-by: Andrea Terzolo <[email protected]>
Andreagit97 authored and poiana committed May 31, 2024
1 parent ad27109 commit a815900
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
Expand Up @@ -91,7 +91,7 @@
condition: (evt.type in (init_module, finit_module) and evt.dir=<)

- macro: dup
condition: (evt.type in (dup, dup2, dup3))
condition: (evt.type in (dup, dup2, dup3) and evt.dir=<)

# File categories
- macro: etc_dir
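
Review bot: the new `and evt.dir=<` clause on the `dup` macro carries no comment explaining why the macro is now exit-only; the reason (evt.rawres is only present on the exit event) is recorded only in the commit message. Because `dup` is a shared macro rather than a condition local to `Redirect STDOUT/STDIN`, every rule or local override that references it also stops matching enter events after this change, so it is worth confirming that no other consumer depends on the enter side. A one-line comment above `- macro: dup` stating that it matches exit events only, and why, would keep the constraint visible to anyone reusing the macro.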