From e51fbd65697046fd6c4192e5152c4d9eff09d828 Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@sysdig.com>
Date: Fri, 10 Nov 2017 12:06:44 -0800
Subject: [PATCH] Let python/mesos health checks spawn shells

---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 435e6c9b..53349b86 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -553,6 +553,9 @@
 - macro: parent_java_running_endeca
   condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/")
 
+- macro: python_mesos_healthcheck
+  condition: (proc.pcmdline startswith "python /mesoshealthcheck.py")
+
 - macro: parent_running_datastax
   condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
               (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
@@ -1181,6 +1184,7 @@
     and not parent_python_running_zookeeper
     and not parent_docker_start_script
     and not parent_java_running_endeca
+    and not python_mesos_healthcheck
   output: >
     Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
     shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])