From 537565d27a43aabe5dbb6a4e1e2df47f2d4ea04e Mon Sep 17 00:00:00 2001
From: Daniel Kerwin
Date: Mon, 6 Mar 2017 17:20:13 +0100
Subject: [PATCH] Add support for gitlab omnibus containers/pod (https://docs.gitlab.com/omnibus/README.html).

sysdig-CLA-1.0-signed-off-by: Daniel Kerwin
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 165bbf03..ae36def6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -113,6 +113,9 @@
 - list: db_server_binaries
 items: [mysqld]
+- list: gitlab_binaries
+ items: [gitlab-shell, git]
+
 - macro: server_procs
 condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd)
@@ -430,7 +433,7 @@
 and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
- monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
+ monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
 and not trusted_containers
 output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
 priority: WARNING
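Review bot: Adding `gitlab_binaries` to the `proc.pname` exclusion in the second hunk silences the shell-in-container alert for any parent named `git` or `gitlab-shell` in every container, not only GitLab omnibus ones. `proc.pname` is matched by process name alone, and `git` ships in many build and CI images and starts shells for hooks and aliases, so this turns a GitLab-specific exception into a broad blind spot. Consider leaving the shared exclusion list unchanged and scoping the exception to the GitLab image, e.g. `and not (proc.pname in (gitlab_binaries) and container.image startswith "<gitlab-image-prefix>")` (placeholder value). The `gitlab_binaries` list in the first hunk would also benefit from a comment such as `# parents allowed to spawn shells inside GitLab omnibus containers only`. The rule's `condition` starts above this hunk, so any existing scoping there is not visible here.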