diff --git a/fs/unexpected-tmp-executables.sql b/fs/unexpected-tmp-executables.sql
index 5fc3ec0..4b4eb51 100644
--- a/fs/unexpected-tmp-executables.sql
+++ b/fs/unexpected-tmp-executables.sql
@@ -27,4 +27,6 @@ AND NOT (
 -- Nix
 AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
 -- Don't alert if it's only on disk for a moment
-AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
\ No newline at end of file
+AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
+-- macOS updates
+AND NOT file.directory LIKE "/tmp/msu-target-%"
\ No newline at end of file
diff --git a/process/sketchy-fetcher.sql b/process/sketchy-fetcher.sql
index 50af934..2bf50d8 100644
--- a/process/sketchy-fetcher.sql
+++ b/process/sketchy-fetcher.sql
@@ -78,8 +78,12 @@ WHERE
 OR p.cmdline LIKE "%ctlog%"
 OR p.cmdline LIKE "%.well-known/openid-configuration%"
 OR p.cmdline LIKE "%/openid/v1/jwks%"
- OR p.cmdline LIKE "--progress-bar"
+ OR p.cmdline LIKE "%--progress-bar%"
 OR parent_cmdline LIKE "%brew.rb%"
 OR parent_cmdline LIKE "%brew.sh%"
+ OR p.cmdline LIKE "git %"
+ OR p.cmdline LIKE "%LICENSES/vendor/%"
+ OR p.cmdline LIKE "%localhost:%"
+ OR p.cmdline LIKE "%127.0.0.1:%"
 )
 )
\ No newline at end of file
diff --git a/process_events/sketchy-fetcher-events.sql b/process_events/sketchy-fetcher-events.sql
index 787036e..da2b15d 100644
--- a/process_events/sketchy-fetcher-events.sql
+++ b/process_events/sketchy-fetcher-events.sql
@@ -80,10 +80,12 @@ WHERE p.time > (strftime('%s', 'now') -300)
 OR p.cmdline LIKE "%ctlog%"
 OR p.cmdline LIKE "%.well-known/openid-configuration%"
 OR p.cmdline LIKE "%/openid/v1/jwks%"
- OR p.cmdline LIKE "--progress-bar"
+ OR p.cmdline LIKE "%--progress-bar%"
 OR parent_cmdline LIKE "%brew.rb%"
 OR parent_cmdline LIKE "%brew.sh%"
 OR p.cmdline LIKE "git %"
 OR p.cmdline LIKE "%LICENSES/vendor/%"
+ OR p.cmdline LIKE "%localhost:%"
+ OR p.cmdline LIKE "%127.0.0.1:%"
 )
 )
\ No newline at end of file
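Review bot: The new `AND NOT file.directory LIKE "/tmp/msu-target-%"` exclusion is keyed on a directory name alone, and /tmp is world-writable, so the rule cannot distinguish a genuine update staging directory from any other directory with that prefix, which any local user can create; every executable under such a path is silently dropped from the results. The neighbouring Nix exclusion pairs its path pattern with ownership checks (`gid=0 AND uid> 300 AND uid< 350`), and if the macOS updater stages these targets as root, as it presumably does, the same shape narrows the carve-out to `AND NOT (file.directory LIKE "/tmp/msu-target-%" AND uid = 0)`. The comment should also record what creates the directory rather than just "macOS updates", e.g. `-- macOS software update staging dirs (msu-target-*), root-owned`. The enclosing WHERE clause starts before this hunk.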
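Review bot: The added `%localhost:%` and `%127.0.0.1:%` patterns match anywhere in the command line, so any fetch whose arguments mention a loopback address in any position is suppressed even when the actual download target is a remote host; the same two lines are added to process_events/sketchy-fetcher-events.sql and the point applies there too. Anchoring the pattern on the URL scheme, `OR p.cmdline LIKE "%://localhost:%"` and `OR p.cmdline LIKE "%://127.0.0.1:%"`, keeps the evident intent (local dev servers) while narrowing the carve-out. The new `git %` line is a prefix match on the whole command line and therefore exempts every git subcommand regardless of the remote it talks to, which deserves at least a comment stating that this is intended. The enclosing WHERE clause begins before this hunk.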
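Review bot: This exclusion list is maintained by hand in two files and has already drifted once: `git %` and `%LICENSES/vendor/%` appear here as context, but are only added to process/sketchy-fetcher.sql in this same commit, so a future carve-out is likely to land in one file and not the other. A one-line comment above the list in both files, `-- Keep in sync with process/sketchy-fetcher.sql` (and the converse in that file), would at least make the coupling visible to the next editor. The enclosing WHERE clause starts before this hunk.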