From 56e07f53f21ca7e4b450749fc4f3587dc76ba6bf Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@sysdig.com>
Date: Mon, 30 Oct 2017 22:57:08 -0700
Subject: [PATCH] Let appdynamics spawn shells.

It's java, so look in classpath.
---
 rules/falco_rules.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 36fbf673..bdc1a01f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -392,6 +392,10 @@
   condition: >
     (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/")
 
+- macro: parent_java_running_appdynamics
+  condition: >
+    (proc.pname=java and proc.pcmdline contains "-jar /opt/appdynamics/")
+
 - macro: python_running_es_curator
   condition: (proc.pcmdline="python -u run_cron.py" and
               proc.cmdline startswith "sh -c /usr/bin/curator")
@@ -846,6 +850,7 @@
     and not run_by_openshift
     and not parent_java_running_tomcat
     and not parent_java_running_install4j
+    and not parent_java_running_appdynamics
     and not parent_cpanm_running_perl
     and not parent_ruby_running_discourse
     and not assemble_running_php
@@ -1080,6 +1085,7 @@
     and not run_by_passenger_agent
     and not parent_java_running_jenkins
     and not parent_java_running_maven
+    and not parent_java_running_appdynamics
     and not python_running_es_curator
     and not parent_beam_running_python
     and not jenkins_scripts