KQL · Elastic-2.0 · from elastic/detection-rules
File Permission Modification in Writable Directory
Rule source: rules/linux/defense_evasion_file_mod_writable_dir.toml
host.os.type:"linux" and event.category:process and event.type:"start" and event.action:"exec" and
process.name:("chattr" or "chgrp" or "chmod") and process.working_directory:("/dev/shm" or "/tmp" or "/var/tmp") and
not (
process.args:(
"+r" or "640" or /tmp/apt-key-gpghome* or "/usr/bin/coreutils" or "/opt/eset/eei/uninstall.sh" or /tmp/era.repository.*.bin
) or
process.parent.args:"/var/illumio_pce/illumio/scripts/consul" or
process.parent.name:(
apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
) or
process.parent.executable:(
"/usr/local/bin/afb-ssh-setup-keys.sh" or "/opt/puppetlabs/puppet/bin/ruby" or
"/usr/sbin/update-exim4.conf" or "/bin/dracut"
)
)