Fix bugs.

 - Add preinst as a shell spawner.
 - linux-image-N.N should be the parent.

rules/falco_rules.yaml

@@ -118,7 +118,8 @@
 - list: package_mgmt_binaries
   items: [
     dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend,
-    apt, apt-get, apt-add-reposit, apt-auto-remova, apt-key
+    apt, apt-get, apt-add-reposit, apt-auto-remova, apt-key,
+    preinst
     ]
 
 - macro: package_mgmt_procs
@@ -207,8 +208,8 @@
 
 # As a part of kernel upgrades, dpkg will spawn a perl script with the
 # name linux-image-N.N. This macro matches that.
-- macro: linux_image_upgrade_script
-  condition: proc.name startswith linux-image-
+- macro: parent_linux_image_upgrade_script
+  condition: proc.pname startswith linux-image-
 
 ###############
 # General Rules
@@ -335,7 +336,7 @@
     and proc.pname exists
     and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries)
     and not ansible_running_python
-    and not linux_image_upgrade_script
+    and not parent_linux_image_upgrade_script
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
   priority: WARNING