diff --git a/audit.rules b/audit.rules
index 41b7e22..9fbc3da 100644
--- a/audit.rules
+++ b/audit.rules
@@ -413,6 +413,19 @@
 -w /usr/bin/zstd -p x -k Data_Compressed
 -w /usr/local/bin/zstd -p x -k Data_Compressed
+### https://github.com/ib/xarchiver
+-a always,exit -F arch=b32 -F path=/usr/bin/xarchiver -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/bin/xarchiver -F perm=x -F key=Data_Compressed
+ -a always,exit -F arch=b32 -F path=/usr/sbin/xarchiver -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/sbin/xarchiver -F perm=x -F key=Data_Compressed
+ -a always,exit -F arch=b32 -F path=/usr/local/bin/xarchiver -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/local/bin/xarchiver -F perm=x -F key=Data_Compressed
+ -a always,exit -F arch=b32 -F path=/usr/lib/mime/packages/xarchiver -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/lib/mime/packages/xarchiver -F perm=x -F key=Data_Compressed
+ ## Added to catch netcat on Ubuntu
 -w /bin/nc.openbsd -p x -k susp_activity
 -w /bin/nc.traditional -p x -k susp_activity
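Review bot: The new xarchiver rules use the long `-a always,exit -F arch=… -F path=… -F perm=x -F key=…` form, duplicated once per arch, while every neighbouring rule in this hunk (the zstd watches above, the netcat watches below) is a `-w PATH -p x -k Data_Compressed` watch; a path watch does not depend on the syscall arch, so the eight rule lines can collapse to four `-w` lines such as `-w /usr/bin/xarchiver -p x -k Data_Compressed`, matching the file's convention and halving the rules the kernel has to evaluate on every exec. The `/usr/lib/mime/packages/xarchiver` entry looks like the Debian mime-support (mailcap) data file for the package rather than an executable, so a `perm=x` watch on it will presumably never fire — confirm, and either drop it or watch it with `-p wa` if tamper detection of the desktop integration is the intent. A one-line comment under the URL explaining that xarchiver is a GUI front-end that shells out to the real compressors (and so is low-signal on its own but keyed under Data_Compressed for completeness) would help the next maintainer judge whether to keep these rules.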