From 70d6e8de2f36b2e01b751e0687672ecdccf12e09 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 25 Aug 2017 09:25:52 -0700
Subject: [PATCH] Add more ancestors for tracking.

---
 rules/falco_rules.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6e46cb65..ae0b2d50 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -435,7 +435,7 @@
 - rule: Write below etc
   desc: an attempt to write to any file below /etc, not in a pipe installer session
   condition: write_etc_common and not proc.sname=fbash
-  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name)"
+  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
   priority: ERROR
   tags: [filesystem]
 
@@ -485,7 +485,7 @@
     and not run_by_qualys
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
-    command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
+    command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: WARNING
   tags: [filesystem]
 
@@ -827,7 +827,7 @@
     not proc.cmdline startswith "useradd -D"
   output: >
     User management binary command run outside of container
-    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
+    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: NOTICE
   tags: [host, users]
 
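Review bot: The `name=%proc.name` field added to the "Write below etc" output is appended after `file=`, while the "Sensitive file opened" output in the same patch places `name=%proc.name` directly after `user=%user.name`; keeping one field order across rules makes the alerts easier to read and to parse consistently in a SIEM. The consistent form would be `output: "File below /etc opened for writing (user=%user.name name=%proc.name command=%proc.cmdline parent=%proc.pname file=%fd.name)"`. Reordering does change the alert text that existing consumers may pattern-match on, so if that is a concern the new field should at least be placed the same way in every rule this patch touches.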
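Review bot: The new `gggparent=%proc.aname[4]` field in the "Sensitive file opened for reading" output, and the identical addition in the "User management binary command run outside of container" hunk, extends the ancestry chain to four levels without saying anywhere in the rules file why that depth is the right one; the subject line's "for tracking" is the only rationale. A short comment above each output, such as `# parent/gparent/ggparent/gggparent walk up the process tree (%proc.aname[N]) to attribute the event to the launching session; emitted for context only, not used in the condition`, would record the intent for the next person who has to decide whether to go to five. When the process tree is shallower than four levels the field is still printed, with a placeholder rather than being omitted as far as I recall, so anything downstream that keys on `gggparent=` should tolerate that value. Both rules' `condition:` blocks start outside the hunks, so I could not confirm that ancestry is not also consulted there.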