From 5eefbd0dba4775d506e4bb2a001b21fc50df3540 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 14 Feb 2023 20:35:24 -0500
Subject: [PATCH] Add chattr, setenforce to unexpected-sysutils
---
 detection/execution/unexpected-sysutils-linux.sql | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/detection/execution/unexpected-sysutils-linux.sql b/detection/execution/unexpected-sysutils-linux.sql
index 8c1c687..ca390b6 100644
--- a/detection/execution/unexpected-sysutils-linux.sql
+++ b/detection/execution/unexpected-sysutils-linux.sql
@@ -67,7 +67,13 @@ WHERE
 AND pe.path IN (
 '/usr/bin/sysctl',
 '/sbin/sysctl',
- '/usr/sbin/sysctl'
+ '/usr/sbin/sysctl',
+ '/usr/bin/chattr',
+ '/sbin/chattr',
+ '/usr/sbin/chattr',
+ '/usr/bin/setenforce',
+ '/sbin/setenforce',
+ '/usr/sbin/setenforce'
 )
 AND p.parent > 0
 GROUP BY
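Review bot: The six new entries in the `pe.path IN (...)` list carry no comment saying why `chattr` and `setenforce` belong in this detection, so a responder triaging a hit has to guess the intent. Consider a comment above them such as `-- chattr: changes file attributes such as the immutable flag; setenforce: switches SELinux enforcing mode`. The match is on exact install paths, so presumably an execution recorded under any other path would not match; if that is a known limit of this query, it is worth stating in the same comment. The WHERE clause starts and ends outside the hunk, so the other predicates that scope this list are not visible here.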