diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml index cef71723..8653d42a 100644 --- a/rules/falco-incubating_rules.yaml +++ b/rules/falco-incubating_rules.yaml @@ -769,7 +769,7 @@ # https://github.com/draios/sysdig/issues/954). So in that case, allow # a setuid. - macro: known_user_in_container - condition: (container and not user.name in ("","N/A")) + condition: (container and not user.name in ("","N/A","")) # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of