From 81b97536e93d4b32ff0244418b9c03c2cea1e49c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 29 Oct 2022 12:11:46 -0400
Subject: [PATCH] Exclude locatedb updates
---
 detection/execution/exotic-command-events-macos.sql | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index a246789..e706125 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -117,4 +117,6 @@ WHERE
 AND p.parent = -1
 )
 AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
+AND NOT cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
+AND NOT cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
 AND NOT cmd LIKE 'touch -r /tmp/KSInstallAction.%'
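Review bot: The two added exclusions are wider than they read, because in `LIKE` the `_` in `_updatedb` and `_mklocatedb` is a single-character wildcard, so the allowlist suppresses any `rm -f /tmp/locate…` command whose path segment merely ends in `updatedb` or `mklocatedb`, and the mid-pattern `%` after `locate` accepts any suffix, not just the temp-dir name. If the underscore is meant literally, pin it with an escape, e.g. `AND NOT cmd LIKE 'rm -f /tmp/locate%/\_updatedb%' ESCAPE '\'`, and do the same for the `mklocatedb` line; an exclusion in a detection rule should match as little as possible beyond the benign case it documents. The new lines also use a bare `rm -f` while the existing exclusion above uses `/bin/rm -f`; presumably the locate.updatedb invocation really does appear without the path, but it is worth confirming one of the two forms is not silently dead. A one-line comment naming the source of the noise, `-- /usr/libexec/locate.updatedb temp-file cleanup`, would make the intent of the exclusion greppable later. The WHERE clause these lines belong to starts before the hunk.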