diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 53df908d..9895c43f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -139,6 +139,9 @@ - list: phusion_passenger_binaries items: [PassengerAgent] +- list: chef_binaries + items: [chef-client] + - list: http_server_binaries items: [nginx, httpd, httpd-foregroun, lighttpd] @@ -546,7 +549,7 @@ k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, - needrestart_binaries, phusion_passenger_binaries) + needrestart_binaries, phusion_passenger_binaries, chef_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -684,6 +687,7 @@ user_known_container_shell_spawn_binaries, needrestart_binaries, phusion_passenger_binaries, + chef_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate)
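Review bot: The new `chef_binaries` list is added without a comment, yet the later hunks use it as an exemption, so a reader of the list cannot tell that extending it widens what those rules ignore. I would put `# Trusted as a parent in the shell-spawn exemptions; matched by process name only, keep this list minimal` above `- list: chef_binaries`. The `httpd-foregroun` entry in the next list suggests names are compared in truncated form, which is worth stating in the same comment for future entries.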
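Review bot: Adding `chef_binaries` to the exemption list ending `needrestart_binaries, phusion_passenger_binaries, chef_binaries)` silences the rule for any process whose name matches chef-client, and the third hunk does the same with `chef_binaries,` after `phusion_passenger_binaries,`. Both conditions start outside their hunks, so I am assuming they test the parent process name, as the `and not parent_ansible_running_python` lines that follow suggest. A name match does not establish which executable is running, and chef-client usually runs privileged and executes whatever the cookbooks contain, so shells spawned under it would no longer be reported at all. I would scope the exemption with a dedicated macro alongside the existing `parent_...` ones, for example `proc.pname=chef-client and proc.pcmdline startswith "<expected chef-client command line>"`, and confirm the rule still fires when that macro does not match.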