From 4f5ab79c692f4f12f9922ec4560397dd99ea99d3 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:10:28 -0700
Subject: [PATCH] Add xray-rabbitmq shell spawning programs.

They have names {1234}_scheduler and need to be quoted as they start with digits.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a204e9fa..6665d5eb 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -211,6 +211,9 @@
 - list: x2go_binaries
   items: [x2gosuspend-age, x2goagent]
 
+- list: xray_rabbitmq_binaries
+  items: ['"1_scheduler"', '"2_scheduler"', '"3_scheduler"', '"4_scheduler"']
+
 - list: nids_binaries
   items: [bro, broctl]
 
@@ -802,6 +805,7 @@ chef_binaries, nomachine_binaries, x2go_binaries, + xray_rabbitmq_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
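Review bot: The new `xray_rabbitmq_binaries` entries in the first hunk exempt any process named `1_scheduler` to `4_scheduler`, and a bare, generic process name is a weak identity for an allowlist. Judging by the commit subject and the second hunk (whose enclosing condition lies outside the visible lines), the list joins the set of programs allowed to spawn shells, so a shell started by any binary carrying one of these names would presumably go unreported on every host. Consider scoping the exemption to the xray deployment, for example by also requiring a matching ancestor or image (`proc.aname`, `container.image`), instead of adding the names to the global list. The fixed range 1-4 and the nested quoting are explained only in the commit message; a comment above the list such as `# xray-rabbitmq workers are named <N>_scheduler; the inner double quotes are needed because the names start with a digit` would keep that reasoning in the rules file.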