From d36df62d1e0e342f618819f89d231e3a8cd8e9fe Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@sysdig.com>
Date: Mon, 6 Nov 2017 15:26:03 -0800
Subject: [PATCH] Add an additional yarn cmdline.

---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ca7435e7..1c28ab8f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -433,6 +433,7 @@
        proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
        proc.cmdline startswith "sh -c make parent" or
        proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
+       proc.pcmdline startswith "node /usr/local/bin/yarn" or
        proc.pcmdline startswith "node /root/.config/yarn" or
        proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))