diff --git a/audit.rules b/audit.rules
index a88a5d2..0b8b1cb 100644
--- a/audit.rules
+++ b/audit.rules
@@ -461,6 +461,10 @@
 -w /bin/open -p x -k susp_shell
 -w /bin/rbash -p x -k susp_shell
+### https://gtfobins.github.io/gtfobins/yash/
+-w /bin/yash -p x -k susp_shell
+-w /usr/bin/yash -p x -k susp_shell
+
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
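Review bot: The two new yash watches diverge from the neighbouring susp_shell entries (open, rbash), which watch only a /bin path, and the comment line gives no reason for the second path, so a maintainer cannot tell whether /usr/bin/yash is deliberate or a copy-paste leftover. On distributions where /bin is a symlink into /usr/bin both lines presumably name the same binary, while on split-/usr layouts only one of them can match; either way the intent should be recorded, e.g. `### yash: watched under both /bin and /usr/bin because the install path varies by distribution`. If the /usr/bin variant is wanted here, the same question applies to the other susp_shell rules above it, which I would leave to a separate commit. The hunk header announces six context lines but only five are visible, so a blank line before `# Web Server Actvity` may have been lost in rendering; worth confirming the added trailing `+` blank does not produce a double blank line in the result.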