From 09f5faafdcd3af2aad9294d3f7254fe28c81c9fd Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Thu, 26 Sep 2019 17:36:05 -0700
Subject: [PATCH 1/3] rules update: add back rule Delete Bash History for backport compatibility
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a2953cd7d98..616257661be 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2415,6 +2415,13 @@
 WARNING
 tag: [process, mitre_defense_evation]
 
+# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
+- rule: Delete Bash History
+ desc: Detect bash history deletion
+ condition: >
+ ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
+ (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+
 - macro: consider_all_chmods
 condition: (always_true)
 
From c756d2cdf1004a5aba28ac1ab9399170de44801d Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Fri, 27 Sep 2019 12:00:18 -0700
Subject: [PATCH 2/3] rule update: fix missing entries
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 616257661be..37a7f0201d5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2421,6 +2421,11 @@
 condition: >
 ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
 (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+ output: >
+ Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+ priority:
+ WARNING
+ tag: [process, mitre_defense_evation]
 
 - macro: consider_all_chmods
 condition: (always_true)
From 278390fe61d0860c506787b7f4a8aa872a9f4e91 Mon Sep 17 00:00:00 2001
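Review bot: The comment on the first added line says the rule "will/should never be triggered", but the `condition:` beneath it is live, so as soon as the rule has an `output` and `priority` (the next patch in this series supplies them) it fires on every matching `bash_history` shred/rm/mv or O_TRUNC write and produces a second alert alongside the preferred rule. If the goal is only to keep the rule name resolvable for older rule files that reference or override it, add `enabled: false` under `- rule: Delete Bash History` so the definition loads but is never evaluated; a deployment that still wants the legacy alert can re-enable it explicitly. Without that, "deprecated" in the comment and the engine's behaviour disagree, which is the kind of drift that makes alert volume hard to reason about during tuning.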
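Review bot: The last added line of the second hunk uses the key `tag:`, which is not the Falco rule field — the rule schema spells it `tags` — so, as far as I can tell, the list is ignored by the loader rather than rejected and the rule cannot be selected or excluded by tag (`-t`/`-T`). The tactic name is also misspelled; MITRE's tactic is Defense Evasion, so even under the correct key this rule would not group with rules tagged properly. The line should read `tags: [process, mitre_defense_evasion]`. The same key and spelling appear on the context line of the first hunk for the neighbouring rule, so that line wants the same correction if the two rules are to stay consistent.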
From: kaizhe
Date: Mon, 30 Sep 2019 13:49:51 -0700
Subject: [PATCH 3/3] rule update: add more comments
Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 37a7f0201d5..1c9e6b0ac69 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2416,6 +2416,7 @@
 tag: [process, mitre_defense_evation]
 
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
+# Rule Delete or rename shell history is the preferred rule to use now.
 - rule: Delete Bash History
 desc: Detect bash history deletion
 condition: >