Rule tuning as part of Linux Detection Rules Review (#2170)

rules/linux/persistence_credential_access_modify_ssh_binaries.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,10 +26,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:file and event.type:change and 
+event.category:file and event.type:change and
  process.name:* and
  (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and
- not process.executable:/usr/bin/dpkg
+ not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic")
 '''