From ac7032552251f477d32dd5dd7aced21393b565da Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 23 Aug 2017 16:50:58 -0700
Subject: [PATCH] Add more debugging for shells

Used to track down deeper chains of shells for things like ansible, chef.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 38cd464e..a95a00e5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -573,7 +573,7 @@
 and not parent_node_running_npm
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
- cmdline=%proc.cmdline pcmdline=%proc.pcmdline)
+ cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
 priority: DEBUG
 tags: [host, shell]
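Review bot: The added `gparent=%proc.aname[2]` and `ggparent=%proc.aname[3]` fields have no fallback when the spawned shell has fewer than three ancestors (a process started directly under init or as a container's entrypoint), and as far as I recall a missing ancestor level is rendered as `<NA>` in the event output, so anything that parses this DEBUG line to build shell chains should tolerate that value rather than treat it as a process name. Since the stated goal is tracing chains under ansible/chef, pairing each ancestor name with its pid (`gparent=%proc.aname[2]/%proc.apid[2] ggparent=%proc.aname[3]/%proc.apid[3]`) would let the chain be tied to one concrete process tree instead of a name shared by every concurrent instance of the tool. The rule's `condition:` block begins before the hunk, so whether the new ancestors are also consulted in the match logic is not visible here.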