From 4c4423a474d3d805f35e6a356feb8c462f037bc7 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 19 Nov 2024 16:09:38 -0500
Subject: [PATCH] suspicious systemd: accept any char instead of single quote

---
 detection/persistence/suspicious-systemd-unit.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
index 54d7680..0831604 100644
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@@ -226,7 +226,7 @@ rule usr_bin_execstop_shell : medium {
 $execstop = /ExecStop=\/bin\/sh .{0,64}/
 $not_podman_logging = "/usr/bin/podman $LOGGING"
 $not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
- $not_nfs = /ExecStop=\/bin\/sh -c \'\/usr\/sbin\/nfsdctl /
+ $not_nfs = /ExecStop=\/bin\/sh -c .\/usr\/sbin\/nfsdctl /
 condition:
 filesize < 4096 and $execstop and none of ($not*)
 }
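Review bot: The new `$not_nfs` pattern replaces the escaped single quote with `.`, which accepts any single character (a space, a backslash, a digit) rather than the quote variants the subject line describes, yet still fails to match an unquoted `-c /usr/sbin/nfsdctl` because the `.` consumes the leading slash. A character class states the intent directly and also covers the unquoted form: `$not_nfs = /ExecStop=\/bin\/sh -c ['"]?\/usr\/sbin\/nfsdctl /`. Since this string feeds `none of ($not*)`, any loosening here widens the rule's exclusion list, so a one-line comment above it such as `// quote is optional: units wrap the path in ' or " or nothing` would record why the match is deliberately permissive. The `rule usr_bin_execstop_shell` header appears only in the hunk header, so the rule's strings section begins outside the hunk.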