--- falco_rules.yaml.orig 2025-01-29 18:47:38.918577192 +0000
+++ falco_rules.yaml 2025-01-29 18:47:21.505145109 +0000
@@ -172,7 +172,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -201,7 +201,7 @@
   ]
 
 - list: sensitive_file_names
-  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+  items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 
 - list: sensitive_directory_names
   items: [/, /etc, /etc/, /root, /root/]
@@ -209,7 +209,7 @@
 - macro: sensitive_files
   condition: >
     (fd.name in (sensitive_file_names) or
-     fd.directory in (/etc/sudoers.d, /etc/pam.d))
+     fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
 
 # Indicates that the process is new. Currently detected using time
 # since process was started, using a threshold of 5 seconds.
@@ -362,7 +362,7 @@
 - list: read_sensitive_file_binaries
   items: [
-    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
+    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, sshd-session,
     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
     pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
     scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
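Review bot: The new sensitive_file_names entry in the -201 hunk covers only /etc/doas.d/doas.conf, but doas reads its configuration from /etc/doas.conf by default on most installs, so access to that file matches neither this list nor the /etc/doas.d directory entry added in the -209 hunk, and the sensitive_files macro stays blind to the most common doas config path. Consider `items: [/etc/shadow, /etc/doas.conf, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]` so both layouts are covered. Which rules consume sensitive_files, and whether they alert on reads or writes, is decided outside these hunks.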
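Review bot: sshd-session is appended to read_sensitive_file_binaries in the -362 hunk without any comment, and since this list exempts processes from the sensitive-file read rules, each entry is an allowlist decision that should be justified in place. Suggest a comment above the list such as `# sshd-session: per-connection child of sshd; exempted for the same reason as sshd`. If the consuming rule matches on proc.name (as the 15-character truncated entries like check-new-relea suggest), any process with that name is exempted, which is the same limitation the existing entries already carry; the rule that uses this list is outside the hunk.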