More tuning

fs/unexpected-tmp-executables.sql

@@ -28,3 +28,5 @@ AND NOT (
 AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
 -- Don't alert if it's only on disk for a moment
 AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
+-- macOS updates
+AND NOT file.directory LIKE "/tmp/msu-target-%"

process/sketchy-fetcher.sql

@@ -78,8 +78,12 @@ WHERE
             OR p.cmdline LIKE "%ctlog%"
             OR p.cmdline LIKE "%.well-known/openid-configuration%"
             OR p.cmdline LIKE "%/openid/v1/jwks%"
-            OR p.cmdline LIKE "--progress-bar"
+            OR p.cmdline LIKE "%--progress-bar%"
             OR parent_cmdline LIKE "%brew.rb%"
             OR parent_cmdline LIKE "%brew.sh%"
+            OR p.cmdline LIKE "git %"
+            OR p.cmdline LIKE "%LICENSES/vendor/%"
+            OR p.cmdline LIKE "%localhost:%"
+            OR p.cmdline LIKE "%127.0.0.1:%"
         )
     )

process_events/sketchy-fetcher-events.sql

@@ -80,10 +80,12 @@ WHERE p.time > (strftime('%s', 'now') -300)
             OR p.cmdline LIKE "%ctlog%"
             OR p.cmdline LIKE "%.well-known/openid-configuration%"
             OR p.cmdline LIKE "%/openid/v1/jwks%"
-            OR p.cmdline LIKE "--progress-bar"
+            OR p.cmdline LIKE "%--progress-bar%"
             OR parent_cmdline LIKE "%brew.rb%"
             OR parent_cmdline LIKE "%brew.sh%"
             OR p.cmdline LIKE "git %"
             OR p.cmdline LIKE "%LICENSES/vendor/%"
+            OR p.cmdline LIKE "%localhost:%"
+            OR p.cmdline LIKE "%127.0.0.1:%"
         )
     )