From b513042926f4f82379f7f4337d7ee7da383a9939 Mon Sep 17 00:00:00 2001
From: rileydakota
Date: Mon, 24 Jan 2022 16:36:58 -0500
Subject: [PATCH] Rule Update - Adds npm support
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling
Signed-off-by: rileydakota
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 89a1eae1996..523e63edea2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -222,7 +222,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the falcosecurity-libs level.
 - list: package_mgmt_binaries
- items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+ items: [rpm_binaries, deb_binaries, update-alternat, gem, npm, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
 - macro: package_mgmt_procs
 condition: proc.name in (package_mgmt_binaries)
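Review bot: Adding `npm` to `package_mgmt_binaries` affects more than the one detection the description mentions, because the `package_mgmt_procs` macro at the end of this hunk resolves to the same list. Any rule elsewhere in the file that negates `package_mgmt_procs` (those rules are outside this hunk, so this should be confirmed) would also stop alerting on activity by a process named `npm`, and npm runs package-defined install scripts. Containers whose entrypoint is `npm start` would likely begin matching any package-management launch detection as well. I would record the intent above the list, e.g. `# npm: listed to detect package pulls; also exempts npm wherever package_mgmt_procs is negated`, and consider a separate list if only the detection side is wanted.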