From 1663e0da6070b24756b085ebc01ef49735a3f863 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Tue, 19 Sep 2023 20:20:11 +0200
Subject: [PATCH] Update audit.rules - susp_activity_Earth_Lusca

---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/audit.rules b/audit.rules
index 03ed184..5699aaa 100644
--- a/audit.rules
+++ b/audit.rules
@@ -406,6 +406,10 @@
 ### may indicate privilege escalation CVE-2021-4034
 -w /usr/bin/pkexec -p x -k pkexec
 
+## https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
+-w /dev/ptmx -p x -k susp_activity_Earth_Lusca
+-w /dev/pts -p wa -k susp_activity_Earth_Lusca
+
 ## Suspicious shells
 -w /bin/ash -p x -k susp_shell
 -w /bin/csh -p x -k susp_shell
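Review bot: The new `-w /dev/ptmx -p x` rule watches for execute access on a device node, but a pty master is opened for read/write and never executed, so as written it is unlikely to ever produce an event for the activity the linked report describes; `-w /dev/ptmx -p rw -k susp_activity_Earth_Lusca` would record the actual access. Expect high volume from that and from the `/dev/pts -p wa` watch on any host with interactive logins, since every sshd, tmux or terminal session allocates a pty; if the rules are kept, the `-a always,exit -F path=/dev/ptmx -F perm=rw -F auid>=1000 -F auid!=unset -k ...` form narrows them to real user sessions, and a one-line comment under the URL stating the expected noise would help operators tuning this file. The key also mixes case, unlike the lowercase keys used elsewhere in this file (`pkexec`, `susp_shell`); `susp_activity_earth_lusca` would match the existing convention.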