From a22099c8c3c7170feee38b17861a4ae450d5d2b5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:42:53 -0700
Subject: [PATCH] Let adclient spawn shells.

It's not direct, hence the run_by_adclient macro.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 59dd198a..45ba58d9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -379,6 +379,9 @@
 - macro: run_by_chef
   condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
 
+- macro: run_by_adclient
+  condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
+
 - macro: run_by_puppet
   condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
 
@@ -634,6 +637,7 @@
     and not parent_java_running_sbt
     and not run_by_chef
     and not run_by_puppet
+    and not run_by_adclient
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
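Review bot: The new run_by_adclient macro exempts a shell whenever its grandparent or great-grandparent is merely named adclient; proc.aname compares the process name rather than an executable path, so a copied or renamed binary called adclient anywhere on the host suppresses "Shell spawned by untrusted binary" for everything two or three levels beneath it. The neighbouring run_by_chef and run_by_puppet macros carry the same weakness, but this one is undocumented and the commit message is the only place that says why the ancestor indices are used. I'd add a comment above the macro: `# adclient launches shells through an intermediate process (never directly), hence the grandparent/great-grandparent match; this is a name-only match and can be satisfied by any binary renamed to adclient.` If the Falco version this targets exposes a path-based ancestor field, matching on that instead of the name would close the spoofing gap; I have not confirmed one is available here.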
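Review bot: `and not run_by_adclient` is added unconditionally, so every shell under an adclient-named ancestor is silenced regardless of user, command line or whether a terminal is attached, even though the rule's own output already records gparent and ggparent and so made these alerts easy to attribute before. If the real adclient always runs as a fixed account (presumably root, to be confirmed on a host), narrowing the exemption to that case, e.g. `and not (run_by_adclient and user.name=root)`, would keep the suppression from covering a lookalike process started by an ordinary user. The enclosing rule's name, its `condition: >` header and the fields after output all lie outside this hunk, so the exemption should be read against the full condition in the file.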