From a43ae037a993e62a200343dde873185c92b8cf66 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Thu, 26 Sep 2019 17:36:05 -0700
Subject: [PATCH] rules update: add back rule Delete Bash History for backport compatibility
Signed-off-by: kaizhe
---
rules/falco_rules.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a2953cd7..61625766 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2415,6 +2415,13 @@ WARNING
 tag: [process, mitre_defense_evation]
+# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
+- rule: Delete Bash History
+ desc: Detect bash history deletion
+ condition: >
+ ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
+ (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+
 - macro: consider_all_chmods
 condition: (always_true)
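Review bot: The re-added `Delete Bash History` rule carries only `desc` and `condition` and no `output` or `priority`, while the rule ending just above the hunk (the `WARNING` / `tag:` context lines) shows the fields every other rule in this file supplies; as far as I recall the Falco rule loader rejects a rule that lacks them, so this backport-compatibility shim may fail at load time instead of being ignored. The header comment also says the rule "will/should never be triggered", but nothing in the hunk disables it — the condition is live, so if it does load it will fire on every `rm`/`shred`/`mv` whose arguments contain `bash_history` and on every O_TRUNC open of such a file, duplicating whatever rule superseded it. If the goal is a name-only placeholder so that user `append:`/override entries referencing this rule name keep resolving, add `enabled: false` after the condition block and copy the `output:` and `priority:` lines from the superseding rule. I would also reword the comment to `# Deprecated: kept only so existing appends/overrides of this rule name still resolve; disabled by default.` so the comment matches what the rule actually does.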