From 32e36572218da25e1bdd7ecf4dc993dfc55b7bba Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 10 Nov 2022 11:31:37 -0500
Subject: [PATCH] Accept strace-log-merge anywhere

---
 detection/impact/evenly-timestomped.sql | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
index 44c9e17..e5d9a5c 100644
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@@ -38,13 +38,11 @@ WHERE
 OR mod_time LIKE "% 00:00:00"
 )
 -- false positives
- AND file.path NOT IN (
- '/etc/master.passwd',
- '/usr/share/doc/strace/NEWS',
- '/bin/strace-log-merge',
- '/etc/printcap',
- '/usr/bin/strace-log-merge',
- '/bin/X11/strace-log-merge'
+ AND filename NOT IN (
+ 'master.passwd',
+ 'NEWS',
+ 'printcap',
+ 'strace-log-merge'
 )
 AND file.path NOT LIKE '%/lynis%'
 AND file.path NOT LIKE '%/yelp-xsl%'
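Review bot: Replacing the path-anchored `file.path NOT IN (...)` list with `filename NOT IN (...)` widens the exclusion well beyond what the subject line asks for: any file named `master.passwd`, `NEWS` or `printcap` anywhere on the filesystem is now dropped from this timestomping detection, not only the three packaged copies, so a timestomped file planted under some unrelated writable directory with one of those basenames would never be reported. Only `strace-log-merge` needed basename matching (the removed lines show it at three different distro paths); the other three entries each had a single fixed location. I would keep the basename exception for `strace-log-merge` alone and restore the full-path entries for the rest, as below, and extend the `-- false positives` comment to say why each entry is there so the next edit does not loosen it further. The enclosing SELECT/WHERE starts and ends outside this hunk, so I cannot confirm from here how `filename` is provided; presumably it is the `filename` column of osquery's `file` table, which the `file.path` references suggest.
```sql
  -- false positives: strace-log-merge's path varies by distro, so it is matched
  -- by basename; the other entries have one known path and stay path-anchored
  AND filename <> 'strace-log-merge'
  AND file.path NOT IN (
    '/etc/master.passwd',
    '/usr/share/doc/strace/NEWS',
    '/etc/printcap'
  )
  -- … unchanged: NOT LIKE exclusions for lynis and yelp-xsl …
```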