Rule Update - Adds npm support to pkg mgt processes

[rileydakota]

Adds npm to package_mgmt_binaries for detection of "living off the land" style attacks that utilize NPM to pull down additional tooling/libraries

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Adds npm to the list of package_management_binaries. NodeJS is one of the most popular development languages in the world - and the node base image comes packaged with npm. Like other package managers - npm installing packages in an already built container is a best practice violation at best, and a potential IoC at worst (attackers could potentially use it to pull down additional tooling/libraries without tripping the existing package management process alerts).

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Yes

rule(list package_mgmt_binaries): `npm` added
rule(Launch Package Management Process in Container): support for detecting `npm` usage

[poiana]

Welcome @rileydakota! It looks like this is your first PR to falcosecurity/falco 🎉

[jasondellaluce]

Hi @rileydakota! Thanks for your contribution. Can you sign-off your commit?

[leogr]

/cc @Kaizhe

[leogr]

/milestone 0.32.0

[leogr]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 568d596468083146e758fce93905961628a8c165

[jasondellaluce]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jasondellaluce, leogr, rileydakota

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS [jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[micheas]

This was approved in error and generates false positives over 99% of the time.

npm start is the standard way of starting a node js application.

[micheas]

Unless it can be rewritten to exclude npm start it should be backed out

[micheas]

@rileydakota this is awful. 99% false positives in the real world.

Error Package management process launched in container (user=<NA> user_loginuid=-1 command=npm node /usr/local/bin/npm start container_id=7215a7d30edc container_name=<NA> image=<NA>:<NA>) k8s.ns=<NA> k8s.pod=<NA> container=7215a7d30edc

Is the most common log message. While the intention is good it resulted in all of the package management processes being ignored resulting in a net negative.

[rileydakota]

potentially could break it into a separate rule and rely on proc.args to only flag on instances of npm install which was the original intention/consistent with the spirit of the other rules. The current structure (having all package manager names grouped and then a macro that checks if proc.name is present in the list) wouldn't suffice however.

It may also be worth considering if other package managers have this issue.