Update privilege_escalation_potential_suid_sgid_proxy_execution.toml

Aegrah · web-flow · commit f2b80246ca1f · 2025-10-30T15:33:46.000+01:00
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
@@ -70,6 +70,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   "/usr/bin/sudo",
   "/bin/mount", "/usr/bin/mount",
   "/bin/umount", "/usr/bin/umount",
+  "/usr/bin/fusermount3",
   "/bin/passwd", "/usr/bin/passwd",
   "/bin/chfn", "/usr/bin/chfn",
   "/bin/chsh", "/usr/bin/chsh",
@@ -79,7 +80,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   "/usr/bin/newuidmap", "/usr/bin/newgidmap",
   "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/libexec/dbus-daemon-launch-helper",
   "/usr/lib/openssh/ssh-keysign", "/usr/libexec/openssh/ssh-keysign",
-  "/usr/bin/pkexec", "/usr/libexec/pkexec", "/usr/lib/polkit-1/pkexec"
+  "/usr/bin/pkexec", "/usr/libexec/pkexec", "/usr/lib/polkit-1/pkexec",
+  "/usr/lib/polkit-1/polkit-agent-helper-1", "/usr/libexec/polkit-agent-helper-1",
+  "/usr/lib/snapd/snap-confine"
 ) and process.parent.args_count == 1 
 '''
 
