From fdb1aef6f353505749a9afd74f4917b1674d441d Mon Sep 17 00:00:00 2001
From: Yacine Boulbot <35232505+yacinebbt@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:45:15 +0100
Subject: [PATCH] fix etc path

https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html

the page containing two missing forward slashes "/"
---
 source/proof-of-concept-guide/audit-commands-run-by-user.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/proof-of-concept-guide/audit-commands-run-by-user.rst b/source/proof-of-concept-guide/audit-commands-run-by-user.rst
index 267b87afaa..56a1f69cc5 100644
--- a/source/proof-of-concept-guide/audit-commands-run-by-user.rst
+++ b/source/proof-of-concept-guide/audit-commands-run-by-user.rst
@@ -105,7 +105,7 @@ Perform the following steps to create a CDB list of malicious programs and rules
 
    .. code-block:: xml
 
-      <list>etc/lists/suspicious-programs</list>
+      <list>/etc/lists/suspicious-programs</list>
 
 #. Create a high severity rule to fire when a "red" program is executed. Add this new rule to the ``/var/ossec/etc/rules/local_rules.xml`` file on the Wazuh server.
 
@@ -114,7 +114,7 @@ Perform the following steps to create a CDB list of malicious programs and rules
       <group name="audit">
         <rule id="100210" level="12">
             <if_sid>80792</if_sid>
-        <list field="audit.command" lookup="match_key_value" check_value="red">etc/lists/suspicious-programs</list>
+        <list field="audit.command" lookup="match_key_value" check_value="red">/etc/lists/suspicious-programs</list>
           <description>Audit: Highly Suspicious Command executed: $(audit.exe)</description>
             <group>audit_command,</group>
         </rule>