From 19b8601edd75ec3946db85c6a13ddb81e7b967bd Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Tue, 15 Aug 2023 17:04:41 +0200
Subject: [PATCH] Update audit.rules yash
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/audit.rules b/audit.rules
index 03ed184..2c5ca7f 100644
--- a/audit.rules
+++ b/audit.rules
@@ -417,6 +417,10 @@
 -w /bin/open -p x -k susp_shell
 -w /bin/rbash -p x -k susp_shell
 
+### https://gtfobins.github.io/gtfobins/yash/
+-w /bin/yash -p x -k susp_shell
+-w /usr/bin/yash -p x -k susp_shell
+
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
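Review bot: The two added watches log yash only when it is executed from `/bin/yash` or `/usr/bin/yash`, so a yash installed under another prefix (a source build typically lands in `/usr/local/bin`) produces no `susp_shell` event. Consider adding `-w /usr/local/bin/yash -p x -k susp_shell` next to them, and a comment such as `## Path watches match these exact paths only; a shell installed or copied elsewhere is not covered by this key`. On merged-/usr systems `/bin` is usually a symlink to `/usr/bin`, so the two rules are likely to resolve to the same file there; keeping both is harmless and matches the neighbouring `/bin/rbash` entry. The `susp_shell` list starts above this hunk, so whether other shells already carry a `/usr/local/bin` entry is not visible here.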