From 67fb9cad146aee2c1bf15300479114b918e41ba4 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 19 Jan 2023 12:16:20 -0500
Subject: [PATCH] Remove false positive: apt-helper calls to systemctl

---
 detection/persistence/unexpected-systemctl-calls.sql | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection/persistence/unexpected-systemctl-calls.sql b/detection/persistence/unexpected-systemctl-calls.sql
index d6c7ad3..21757d5 100644
--- a/detection/persistence/unexpected-systemctl-calls.sql
+++ b/detection/persistence/unexpected-systemctl-calls.sql
@@ -67,5 +67,10 @@ WHERE
 '/sbin/systemctl'
 )
 AND pe.time > (strftime('%s', 'now') -29000) -- Ignore partial table joins
+ AND NOT exception_key IN (
+ 'systemctl,0,apt-helper,'
+ )
+ -- apt-helper form
+ AND NOT child_cmd LIKE 'systemctl is-active -q %.service'
 GROUP BY pe.pid
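Review bot: The second new exclusion, `AND NOT child_cmd LIKE 'systemctl is-active -q %.service'`, is not tied to apt-helper at all: it suppresses every `systemctl is-active -q *.service` invocation from any parent and any user, which is wider than the commit message and the `-- apt-helper form` comment suggest. Because `is-active` is a read-only query the lost signal is modest, but a dropper polling whether its own unit survived a reboot would now be invisible to this detection; combining the two predicates keeps the carve-out as narrow as intended: `AND NOT (exception_key IN ('systemctl,0,apt-helper,') AND child_cmd LIKE 'systemctl is-active -q %.service')`. Separately, `NOT exception_key IN (...)` evaluates to NULL (and so drops the row) when `exception_key` itself is NULL, so if that column is built by concatenation over a LEFT JOIN that can miss the parent — the `-- Ignore partial table joins` context line suggests such joins exist — events with no parent information would be silently discarded rather than reported; `COALESCE(exception_key, '') NOT IN (...)` avoids that trap. Neither the definition of `exception_key` nor the start of this WHERE clause is inside the hunk, so both points should be confirmed against the full query.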