From df963b6bcdf340200fd19a7d253eaf113df40008 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 27 May 2024 18:01:36 +0200
Subject: [PATCH] cleanup: remove `startswith /etc`

In macro `sensitive_files` the `startswith /etc` is redundant because it used in combination with the `in` condition

Signed-off-by: Andrea Terzolo
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0cf902c1..c2b2161c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -208,7 +208,7 @@
 - macro: sensitive_files
   condition: >
-    ((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
+    (fd.name in (sensitive_file_names) or
      fd.directory in (/etc/sudoers.d, /etc/pam.d))
 # Indicates that the process is new. Currently detected using time
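Review bot: Dropping `startswith /etc` is only a no-op while every entry of `sensitive_file_names` begins with `/etc`; that list is defined outside this hunk, and Falco lists can be extended by appended rule files, so a user-appended path outside `/etc` would now trigger `sensitive_files` where before it was silently filtered out. That is probably the behaviour the list name promises, but it widens what the macro can match rather than being pure cleanup, and the commit message should say so. A short comment on the macro would make the contract explicit, e.g. `# any path listed in sensitive_file_names counts, not only those under /etc`.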