From d9cb1e2b27dffb2a21d5a8548d190a841ab93701 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:51:18 -0700
Subject: [PATCH] Let adclient/certutil spawn shells/write below etc

Let adclient/certutil spawn shells and write below etc.
---
 rules/falco_rules.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9d199004..22329ebf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -448,7 +448,8 @@
 systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv,
- qualys-cloud-ag, locales.postins, nomachine_binaries)
+ qualys-cloud-ag, locales.postins, nomachine_binaries,
+ adclient, certutil)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins)
 and not fd.name pmatch (safe_etc_dirs)
 and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
@@ -613,7 +614,7 @@
 landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini,
- timeout, updatedb.findut, mysql_ssl_rsa_s
+ timeout, updatedb.findut, mysql_ssl_rsa_s, adclient
 ]
 - rule: Run shell untrusted
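Review bot: Both new exceptions match on `proc.name` alone, which is only the executable's basename and not an identity the rule can rely on, so adding `adclient` and `certutil` to the write-below-etc exclusion here (and `adclient` to the list in the second hunk, at -613) exempts any process running under one of those names from the corresponding rule. `certutil` in particular is a generic tool name rather than something specific to the AD client, so its reach is wider than the commit message suggests. Where the spawning relationship is known, prefer the parent-process form this macro already uses (`and not proc.pname in (...)`) or pair the name with its expected parent, and in any case record the motivation next to the entry, e.g. `# adclient/certutil: <product> writes <path> during <operation> -- TODO confirm`. The macro this hunk belongs to starts before the hunk, so its full condition is not visible here.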