From 859228b886e39d2fada332e2d8532261b2537240 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Wed, 21 Feb 2024 06:32:33 +0100
Subject: [PATCH] Update audit.rules cpio

---
 audit.rules | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/audit.rules b/audit.rules
index 41b7e22..0a34a1c 100644
--- a/audit.rules
+++ b/audit.rules
@@ -413,6 +413,25 @@
 -w /usr/bin/zstd -p x -k Data_Compressed
 -w /usr/local/bin/zstd -p x -k Data_Compressed
 
+### https://www.gnu.org/software/cpio/
+-a always,exit -F arch=b32 -F path=/usr/bin/cpio -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/bin/cpio -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/sbin/cpio -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/sbin/cpio -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/local/bin/cpio -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/local/bin/cpio -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/bin/mt-gnu -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/bin/mt-gnu -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/sbin/mt-gnu -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/sbin/mt-gnu -F perm=x -F key=Data_Compressed
+
+-a always,exit -F arch=b32 -F path=/usr/local/bin/mt-gnu -F perm=x -F key=Data_Compressed
+-a always,exit -F arch=b64 -F path=/usr/local/bin/mt-gnu -F perm=x -F key=Data_Compressed
+
 ## Added to catch netcat on Ubuntu
 -w /bin/nc.openbsd -p x -k susp_activity
 -w /bin/nc.traditional -p x -k susp_activity
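Review bot: The added cpio and mt-gnu rules cover /usr/bin, /usr/sbin and /usr/local/bin but not /bin, although the netcat rules directly below the hunk use /bin paths for Ubuntu. On Debian/Ubuntu hosts without a merged /usr the cpio package has, as far as I know, installed /bin/cpio and /bin/mt-gnu, so executions there would go unrecorded. Consider adding `-a always,exit -F arch=b64 -F path=/bin/cpio -F perm=x -F key=Data_Compressed` with its b32 twin, and the same pair for /bin/mt-gnu. mt-gnu is a tape-drive control utility rather than an archiver, so a separate key or a short comment above those rules would keep searches on Data_Compressed meaningful. These rules match execution of the listed paths only, so a comment noting that an empty Data_Compressed result does not rule out archive creation by binaries at other paths would help analysts.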