From 504e0ef9c336299ecdcb25a6082f72f9e4a864d4 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal
 <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Wed, 21 Feb 2024 06:29:00 +0100
Subject: [PATCH] Update audit.rules tar

---
 audit.rules | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/audit.rules b/audit.rules
index 41b7e22..d4b504b 100644
--- a/audit.rules
+++ b/audit.rules
@@ -381,9 +381,19 @@
 
 -w /usr/bin/zip -p x -k Data_Compressed
 -w /usr/bin/gzip -p x -k Data_Compressed
--w /usr/bin/tar -p x -k Data_Compressed
 -w /usr/bin/bzip2 -p x -k Data_Compressed
 
+## https://www.gnu.org/software/tar/
+-a always,exit -F arch=b32 -F path=/usr/bin/tar -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/bin/tar -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/sbin/tar -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/sbin/tar -F perm=x -F key=Data_Compressed
+
+### macOS
+-a always,exit -F arch=b32 -F path=/usr/local/bin/tar -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/local/bin/tar -F perm=x -F key=Data_Compressed
+
 -w /usr/bin/lzip -p x -k Data_Compressed
 -w /usr/local/bin/lzip -p x -k Data_Compressed