From 548d23865e2c8d9cc1dc28906a997d29ffaa7e70 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Wed, 25 Feb 2026 09:48:32 +0100
Subject: [PATCH] Add SELinux status check detection rule for Linux
---
 rules/detection/low/linux.json | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 rules/detection/low/linux.json
diff --git a/rules/detection/low/linux.json b/rules/detection/low/linux.json
new file mode 100644
index 0000000..9d53d59
--- /dev/null
+++ b/rules/detection/low/linux.json
@@ -0,0 +1,8 @@
+[
+ {
+ "title": "Execution of SELinux Status Check Command",
+ "expression": "to_string(event.action) == 'executed' && (to_string(process.name) == 'sestatus' || contains(to_string(process.title), 'sestatus'))",
+ "severity": "low",
+ "type": "auditbeat"
+ }
+]
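Review bot: The `contains(to_string(process.title), 'sestatus')` clause in the new rule's expression is a substring test on the whole command line, so it also fires on unrelated invocations such as `man sestatus`, `grep sestatus`, or any argument or path that happens to contain that string, while the `process.name == 'sestatus'` clause already covers the binary itself if auditbeat's process.name is the basename, as it usually is. The rule also misses the other common way of querying the same state, `getenforce`, which the title "SELinux Status Check Command" suggests should be in scope; consider extending the name check to `(to_string(process.name) == 'sestatus' || to_string(process.name) == 'getenforce')` and dropping or tightening the title substring match. Severity "low" is reasonable for a read-only status query, but the rule carries no description of why the check is interesting (reconnaissance of a host's enforcement mode) or of expected benign sources such as configuration-management runs; if the rule schema has a description or tags field, a one-line note to that effect would help triage.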