More tuning

2022-09-16 14:21:42 -04:00 · 2022-09-16 14:21:42 -04:00 · b75c7d5404
parent f5696431c7
commit b75c7d5404
3 changed files with 11 additions and 3 deletions
--- a/fs/unexpected-tmp-executables.sql
+++ b/fs/unexpected-tmp-executables.sql
@ -27,4 +27,6 @@ AND NOT (
 -- Nix
 AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
 -- Don't alert if it's only on disk for a moment
-AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
+AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
+-- macOS updates
+AND NOT file.directory LIKE "/tmp/msu-target-%"
--- a/process/sketchy-fetcher.sql
+++ b/process/sketchy-fetcher.sql
@ -78,8 +78,12 @@ WHERE
            OR p.cmdline LIKE "%ctlog%"
            OR p.cmdline LIKE "%.well-known/openid-configuration%"
            OR p.cmdline LIKE "%/openid/v1/jwks%"
-            OR p.cmdline LIKE "--progress-bar"
+            OR p.cmdline LIKE "%--progress-bar%"
            OR parent_cmdline LIKE "%brew.rb%"
            OR parent_cmdline LIKE "%brew.sh%"
+            OR p.cmdline LIKE "git %"
+            OR p.cmdline LIKE "%LICENSES/vendor/%"
+            OR p.cmdline LIKE "%localhost:%"
+            OR p.cmdline LIKE "%127.0.0.1:%"
        )
    )
--- a/process_events/sketchy-fetcher-events.sql
+++ b/process_events/sketchy-fetcher-events.sql
@ -80,10 +80,12 @@ WHERE p.time > (strftime('%s', 'now') -300)
            OR p.cmdline LIKE "%ctlog%"
            OR p.cmdline LIKE "%.well-known/openid-configuration%"
            OR p.cmdline LIKE "%/openid/v1/jwks%"
-            OR p.cmdline LIKE "--progress-bar"
+            OR p.cmdline LIKE "%--progress-bar%"
            OR parent_cmdline LIKE "%brew.rb%"
            OR parent_cmdline LIKE "%brew.sh%"
            OR p.cmdline LIKE "git %"
            OR p.cmdline LIKE "%LICENSES/vendor/%"
+            OR p.cmdline LIKE "%localhost:%"
+            OR p.cmdline LIKE "%127.0.0.1:%"
        )
    )