From 3b5f959de9d0e3b96e80e1a029738e83f0fe9546 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 25 Aug 2017 08:08:02 -0700
Subject: [PATCH] Add additional node/edi command lines.

---
 rules/falco_rules.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 14c28dec..f29dc6e2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -725,7 +725,9 @@
 
 # Temporarily adding as an example
 - macro: node_running_edi_dynamodb
-  condition: proc.pname=node and proc.pcmdline contains /var/www/edi/process.js
+  condition: >
+    (proc.pname=node and (proc.pcmdline contains /var/www/edi/process.js or
+    proc.pcmdline contains "sh -c /var/www/edi/bin/sftp.sh"))
 
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
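Review bot: Both branches of the widened `condition` identify the trusted parent only by a `contains` substring of `proc.pcmdline`, so any process whose parent is named `node` and whose parent argv mentions `/var/www/edi/process.js` or `sh -c /var/www/edi/bin/sftp.sh` anywhere satisfies the macro; the macro's consumers are outside the hunk, but if it feeds an exclusion in a shell-spawn rule, a compromised node worker, or one started as `node evil.js /var/www/edi/process.js`, is exempted as readily as the real one. Prefer an anchored match such as `proc.pcmdline startswith "node /var/www/edi/process.js"` and, where the deployment allows, pair it with a field an attacker cannot set from argv (for example `container.image`), and record the trust assumption in the comment above the macro, e.g. `# Exempts shells spawned by the EDI node worker; matches the parent cmdline only, so anything named node that mentions these paths is trusted`. The second operand is quoted while the first is not; quoting both keeps the two branches readable as a pair. The comment still reads "Temporarily adding as an example" and this commit grows the example rather than retiring it, so a TODO naming an owner would help if it is meant to stay.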