From 0b775fa722c2877ffef381da42f19a27985d6b8a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 7 Nov 2017 11:19:24 -0800
Subject: [PATCH] Let java running endeca spawn shells
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3fef6de8..1ff604f4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -551,6 +551,9 @@
 - macro: parent_java_running_install4j
 condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar")
+- macro: parent_java_running_endeca
+ condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/")
+
 - macro: parent_running_datastax
 condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
@@ -894,6 +897,7 @@
 and not run_by_openshift
 and not parent_java_running_tomcat
 and not parent_java_running_install4j
+ and not parent_java_running_endeca
 and not parent_running_datastax
 and not parent_java_running_appdynamics
 and not parent_cpanm_running_perl
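Review bot: The new `parent_java_running_endeca` macro matches a substring of the parent command line, so any process named `java` whose arguments contain `-classpath /opt/endeca/` anywhere is exempted from the shell-spawn rule extended in the second hunk (`and not parent_java_running_endeca`). Because the command line is chosen by whoever starts the process, the exclusion is a blind spot in this detection on every host the rules are deployed to, including hosts that do not run Endeca. Consider anchoring the match, for example `proc.pcmdline startswith "java -classpath /opt/endeca/"` if that is how Endeca is actually launched (not visible here), or additionally constraining which child command lines are expected. A comment above the macro such as `# Endeca (java) spawns shells; matched by classpath under /opt/endeca/` would record why the exception exists. The rule that receives the exclusion begins and ends outside the hunk, so its name and remaining conditions could not be checked.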