From 9661994daafba933b230c16ab66530e010ed94d3 Mon Sep 17 00:00:00 2001
From: sh4hin <amir.shaahin@gmail.com>
Date: Tue, 17 Dec 2024 18:33:52 +0100
Subject: [PATCH] Update audit.rules

Added it as there are still many Linux distributions that this can be leveraged by attackers to configure boot-time tasks or establish persistence
---
 audit.rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/audit.rules b/audit.rules
index f71bf7c..077cb97 100644
--- a/audit.rules
+++ b/audit.rules
@@ -238,6 +238,9 @@
 -w /etc/init.d/ -p wa -k init
 -w /etc/init/ -p wa -k init
 
+# Monitor /etc/rc.local
+-w /etc/rc.local -p wa -k rc_local
+
 ## Library search paths
 -w /etc/ld.so.conf -p wa -k libpath
 -w /etc/ld.so.conf.d -p wa -k libpath