From e88c9ec8e34ccdf784b874aba4dde1a93bd11b6a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 22 Aug 2017 14:15:44 -0700
Subject: [PATCH] Add more shell spawners. awslogs, authconfig
---
rules/falco_rules.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c5e60d58..7e8fe0e0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -531,14 +531,14 @@ - list: known_shell_spawn_binaries items: [ sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash, - nginx, monit, supervisord, dragent, aws, initdb, docker-compose, + nginx, monit, supervisord, dragent, aws, awslogs, initdb, docker-compose, configure, awk, falco, fail2ban-server, fleetctl, logrotate, ansible, less, adduser, pycompile, py3compile, pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf, a2enmod, runsv, supervisord, varnishd + serf, a2enmod, runsv, supervisord, varnishd, authconfig ] - rule: Run shell untrusted
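Review bot: The two new entries in `known_shell_spawn_binaries` (`awslogs` on the `nginx, monit, …` line and `authconfig` on the `serf, a2enmod, …` line) are added without any record of why these programs are expected to start a shell, which makes the exception list hard to audit later. The `Run shell untrusted` rule that follows is cut off by the hunk, but if it compares the parent process name against this list, every entry exempts any process running under that name, so each one deserves a justification; a comment above the list such as `# awslogs: <reason it spawns a shell>; authconfig: <reason it spawns a shell>` would do. While the last line is being edited, note that `supervisord` is already listed on the `nginx, monit, …` line, so the second `supervisord` on the `serf, …` line can be dropped.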