--- falco_rules.yaml 2023-11-07 16:26:40.171716913 +0000
+++ zdt_falco_rules.yaml 2023-11-07 16:30:24.912804117 +0000
@@ -171,7 +171,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -200,7 +200,7 @@
   ]
 - list: sensitive_file_names
-  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+  items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 - list: sensitive_directory_names
   items: [/, /etc, /etc/, /root, /root/]
@@ -208,7 +208,7 @@
 - macro: sensitive_files
   condition: >
     ((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
-    fd.directory in (/etc/sudoers.d, /etc/pam.d))
+    fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
 # Indicates that the process is new. Currently detected using time
 # since process was started, using a threshold of 5 seconds.
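Review bot: Adding `doas` to `userexec_binaries` changes every rule that consumes the list, and none of those consumers are in this hunk. As far as I recall the upstream ruleset uses this list as an exemption as well as a detection source (for example the `not proc.name in (..., userexec_binaries, ...)` clause of the Non sudo setuid rule), so the change both extends coverage of doas-driven privilege changes and exempts doas from rules that treat these binaries as trusted privilege helpers; confirm the latter is intended for each referencing rule. A one-line comment above the list would make the dual role explicit: `# NOTE: also consumed as an exemption list by the setuid rules — additions widen that allowlist`.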
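Review bot: Only the Alpine-style path `/etc/doas.d/doas.conf` is added to `sensitive_file_names`; upstream OpenDoas reads `/etc/doas.conf` by default, so on systems using that default a read of the doas policy does not match `sensitive_files`. I would extend the item to `items: [/etc/shadow, /etc/doas.conf, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]`. The same gap applies to the third hunk, where `fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d)` covers files under /etc/doas.d but not /etc/doas.conf itself. Note also that once /etc/doas.d is in the directory clause, the `/etc/doas.d/doas.conf` list entry is redundant for this macro, although the list may be referenced elsewhere in the file.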