From c5ff8511a9d829b762b6d8667a2bbf57426846a1 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 23 Aug 2022 09:59:31 -0300
Subject: [PATCH] [Rule Tuning] Abnormal Process ID or Lock File Created (#2113)

* [Rule Tuning] Abnormal Process ID or Lock File Created

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update execution_abnormal_process_id_file_created.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../execution_abnormal_process_id_file_created.toml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index e6d835227..1d4b67ba4 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -61,7 +61,17 @@ file where event.type == "creation" and user.id == "0" and
 "unattended-upgrades.lock",
 "unattended-upgrades.pid",
 "cmd.pid",
- "cron*.pid"
+ "cron*.pid",
+ "yum.pid",
+ "netconfig.pid",
+ "docker.pid",
+ "atd.pid",
+ "lfd.pid",
+ "atop.pid",
+ "nginx.pid",
+ "dhclient.pid",
+ "smtpd.pid",
+ "stunnel.pid"
 )
 '''
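Review bot: The ten entries added to the exclusion list (`yum.pid` through `stunnel.pid`) match on file name alone, so the rule stays silent for any root-created file with one of those names, whichever process wrote it. For a rule meant to surface abnormal PID and lock files, each exclusion is safer when tied to its expected writer, for example `not (file.name == "nginx.pid" and process.name == "nginx")`, assuming `process.name` is populated on these file events. The list opens above this hunk, so the operator and the path filter it combines with are not visible here. If pairing is not practical, a query comment such as `/* excluded by name only; the same name written by an unexpected process will not alert */` would at least record the blind spot. The diffstat shows this hunk is the only change to the file, so the rule's `updated_date` appears not to have been bumped, which is worth confirming.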