From ef9e045a40f77b951f8c7cf1c0b365cb4b8ee687 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Aug 2017 10:10:41 -0700
Subject: [PATCH] Add more ancestors

Add more ancestors for several rules. Sometimes shells spawn the program reading the sensitive file, etc.
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e04b3570..3f2b46a7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -411,7 +411,7 @@
 condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
 output: >
 Sensitive file opened for reading by trusted program after startup (user=%user.name
- command=%proc.cmdline parent=%proc.pname file=%fd.name)
+ command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]
 priority: WARNING
 tags: [filesystem]
@@ -727,7 +727,7 @@
 not proc.pname in (cron_binaries, systemd, run-parts)
 output: >
 User management binary command run outside of container
- (user=%user.name command=%proc.cmdline parent=%proc.pname)
+ (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
 priority: NOTICE
 tags: [host, users]
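Review bot: The added output line in the first hunk (`+ command=%proc.cmdline ...`) repeats `parent=%proc.pname`, which already appears earlier on the same line, and drops the closing `)` that the removed line had after `file=%fd.name`, so the rendered alert now opens a parenthesis at `(user=%user.name` that is never closed. The duplicate field is noise in every alert and the unbalanced parenthesis is carried into whatever parses or displays the message downstream. Replace the added line with `command=%proc.cmdline parent=%proc.pname file=%fd.name gparent=%proc.aname[2])`. The second hunk gets this right, with a single `gparent=` field and the parenthesis closed. The rule's `rule:` and `desc:` keys lie outside the hunk.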