mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-01-03 03:52:02 +00:00
fpr: lghub, brew, pve, chrome exts, etc
This commit is contained in:
Thomas Stromberg
parent
9c3f783491
commit
df925eaa6c
@ -92,9 +92,11 @@ WHERE
|
|||||||
'105,http,0u,0g,https',
|
'105,http,0u,0g,https',
|
||||||
'106,geoclue,0u,0g,geoclue',
|
'106,geoclue,0u,0g,geoclue',
|
||||||
'129,fwupdmgr,0u,0g,fwupdmgr',
|
'129,fwupdmgr,0u,0g,fwupdmgr',
|
||||||
|
'500,node,0u,0g,npm install',
|
||||||
'500,1password,0u,0g,1password',
|
'500,1password,0u,0g,1password',
|
||||||
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
||||||
'500,act,0u,0g,act',
|
'500,act,0u,0g,act',
|
||||||
|
'500,Logseq,u,g,Logseq',
|
||||||
'500,apk,500u,500g,apk',
|
'500,apk,500u,500g,apk',
|
||||||
'500,apko,500u,500g,apko',
|
'500,apko,500u,500g,apko',
|
||||||
'500,apko,u,g,apko',
|
'500,apko,u,g,apko',
|
||||||
|
|||||||
@ -162,6 +162,7 @@ WHERE
|
|||||||
'443,17,500,Slack Helper,,',
|
'443,17,500,Slack Helper,,',
|
||||||
'443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
'443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
||||||
'443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
'443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||||
|
'443,6,0,AGSService,com.adobe.ags,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||||
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
||||||
'443,6,0,com.apple.NRD.UpdateBrainService,com.apple.NRD.UpdateBrainService,Software Signing',
|
'443,6,0,com.apple.NRD.UpdateBrainService,com.apple.NRD.UpdateBrainService,Software Signing',
|
||||||
'443,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
'443,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||||
@ -176,7 +177,6 @@ WHERE
|
|||||||
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
|
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
|
||||||
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
|
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
|
||||||
'443,6,0,nix,nix,',
|
'443,6,0,nix,nix,',
|
||||||
'80,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
||||||
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||||
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||||
'443,6,307,curl,curl,',
|
'443,6,307,curl,curl,',
|
||||||
@ -184,7 +184,6 @@ WHERE
|
|||||||
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||||
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||||
'443,6,500,apko,a.out,',
|
'443,6,500,apko,a.out,',
|
||||||
'443,6,0,AGSService,com.adobe.ags,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
|
||||||
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||||
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||||
'443,6,500,bash,bash,',
|
'443,6,500,bash,bash,',
|
||||||
@ -248,6 +247,7 @@ WHERE
|
|||||||
'443,6,500,gvproxy,a.out,',
|
'443,6,500,gvproxy,a.out,',
|
||||||
'443,6,500,helm,,',
|
'443,6,500,helm,,',
|
||||||
'443,6,500,helm,a.out,',
|
'443,6,500,helm,a.out,',
|
||||||
|
'443,6,500,hugo,a.out,',
|
||||||
'443,6,500,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
'443,6,500,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||||
'443,6,500,istioctl,a.out,',
|
'443,6,500,istioctl,a.out,',
|
||||||
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
|
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
|
||||||
@ -277,7 +277,6 @@ WHERE
|
|||||||
'443,6,500,policy-tester,a.out,',
|
'443,6,500,policy-tester,a.out,',
|
||||||
'443,6,500,prober,a.out,',
|
'443,6,500,prober,a.out,',
|
||||||
'443,6,500,provisio,,',
|
'443,6,500,provisio,,',
|
||||||
'443,6,500,hugo,a.out,',
|
|
||||||
'443,6,500,pulumi-resource-gcp,a.out,',
|
'443,6,500,pulumi-resource-gcp,a.out,',
|
||||||
'443,6,500,pulumi-resource-github,a.out,',
|
'443,6,500,pulumi-resource-github,a.out,',
|
||||||
'443,6,500,python2.7,python2.7,',
|
'443,6,500,python2.7,python2.7,',
|
||||||
@ -289,6 +288,7 @@ WHERE
|
|||||||
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
||||||
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
||||||
'443,6,500,release-notes,a.out,',
|
'443,6,500,release-notes,a.out,',
|
||||||
|
'443,6,500,rumble,a.out,',
|
||||||
'443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
|
'443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
|
||||||
'443,6,500,scorecard-darwin-amd64,,',
|
'443,6,500,scorecard-darwin-amd64,,',
|
||||||
'443,6,500,sdaudioswitch,,',
|
'443,6,500,sdaudioswitch,,',
|
||||||
@ -300,8 +300,8 @@ WHERE
|
|||||||
'443,6,500,Slack Helper,,',
|
'443,6,500,Slack Helper,,',
|
||||||
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||||
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
||||||
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
|
|
||||||
'443,6,500,snyk-ls_darwin_arm64,a.out,',
|
'443,6,500,snyk-ls_darwin_arm64,a.out,',
|
||||||
|
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
|
||||||
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
'443,6,500,steampipe-plugin-aws.plugin,a.out,',
|
'443,6,500,steampipe-plugin-aws.plugin,a.out,',
|
||||||
'443,6,500,step,step,',
|
'443,6,500,step,step,',
|
||||||
@ -327,12 +327,14 @@ WHERE
|
|||||||
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
|
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
|
||||||
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
||||||
'80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
'80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||||
|
'80,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||||
'80,6,500,curl,com.apple.curl,Software Signing',
|
'80,6,500,curl,com.apple.curl,Software Signing',
|
||||||
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||||
'80,6,500,mconvert,a.out,',
|
'80,6,500,mconvert,a.out,',
|
||||||
'80,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
|
'80,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
|
||||||
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
'80,6,500,webhook.test,a.out,',
|
'80,6,500,webhook.test,a.out,',
|
||||||
|
'443,6,500,cloud-sql-proxy,a.out,',
|
||||||
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
||||||
'9418,6,500,git,com.apple.git,Software Signing'
|
'9418,6,500,git,com.apple.git,Software Signing'
|
||||||
)
|
)
|
||||||
@ -342,6 +344,8 @@ WHERE
|
|||||||
AND NOT exception_key LIKE '80,6,500,ZwiftAppMetal,ZwiftAppMetal-%,%'
|
AND NOT exception_key LIKE '80,6,500,ZwiftAppMetal,ZwiftAppMetal-%,%'
|
||||||
AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
|
AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
|
||||||
AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
|
AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
|
||||||
|
-- JetBrains
|
||||||
|
AND NOT exception_key LIKE '443,6,500,___%_%,a.out,'
|
||||||
-- aws
|
-- aws
|
||||||
AND NOT exception_key LIKE '443,6,500,aws,%-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)'
|
AND NOT exception_key LIKE '443,6,500,aws,%-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)'
|
||||||
-- Github actions-runner
|
-- Github actions-runner
|
||||||
|
|||||||
@ -62,6 +62,7 @@ WHERE
|
|||||||
'/usr/bin/kitty',
|
'/usr/bin/kitty',
|
||||||
'/usr/bin/tmux',
|
'/usr/bin/tmux',
|
||||||
'/usr/share/code/code',
|
'/usr/share/code/code',
|
||||||
|
'/opt/brave.com/brave/brave',
|
||||||
'/usr/libexec/gdm-wayland-session',
|
'/usr/libexec/gdm-wayland-session',
|
||||||
'/usr/bin/osqueryd',
|
'/usr/bin/osqueryd',
|
||||||
'/usr/bin/sudo',
|
'/usr/bin/sudo',
|
||||||
|
|||||||
@ -49,6 +49,7 @@ WHERE
|
|||||||
AND file.filename NOT NULL
|
AND file.filename NOT NULL
|
||||||
AND exception_key NOT IN (
|
AND exception_key NOT IN (
|
||||||
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
|
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
|
||||||
|
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
|
||||||
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
|
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
|
||||||
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
|
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
|
||||||
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
|
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
|
||||||
@ -61,6 +62,7 @@ WHERE
|
|||||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
||||||
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
|
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
|
||||||
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
|
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
|
||||||
|
'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
|
||||||
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
|
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
|
||||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
|
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
|
||||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
|
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
|
||||||
@ -72,7 +74,6 @@ WHERE
|
|||||||
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
|
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
|
||||||
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
|
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
|
||||||
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
|
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
|
||||||
'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
|
|
||||||
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
|
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
|
||||||
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
|
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
|
||||||
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
|
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
|
||||||
@ -86,7 +87,6 @@ WHERE
|
|||||||
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
|
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
|
||||||
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
|
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
|
||||||
',,/usr/local/sbin/iodined,501'
|
',,/usr/local/sbin/iodined,501'
|
||||||
|
|
||||||
)
|
)
|
||||||
AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
|
AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
|
||||||
AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
|
AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
|
||||||
|
|||||||
@ -41,6 +41,7 @@ WHERE
|
|||||||
OR file.path LIKE '/dev/shm/pulse-shm-%'
|
OR file.path LIKE '/dev/shm/pulse-shm-%'
|
||||||
OR file.path LIKE '/dev/shm/u1000-Shm%'
|
OR file.path LIKE '/dev/shm/u1000-Shm%'
|
||||||
OR file.path LIKE '/dev/shm/u1000-Valve%'
|
OR file.path LIKE '/dev/shm/u1000-Valve%'
|
||||||
|
OR file.path LIKE '/dev/shm/aomshm.%'
|
||||||
OR file.path LIKE '/dev/shm/jack_db%'
|
OR file.path LIKE '/dev/shm/jack_db%'
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|||||||
@ -157,6 +157,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
|
|||||||
magic.data IN (
|
magic.data IN (
|
||||||
"POSIX shell script, ASCII text executable",
|
"POSIX shell script, ASCII text executable",
|
||||||
"libtool library file, ASCII text",
|
"libtool library file, ASCII text",
|
||||||
|
"ASCII text",
|
||||||
"JSON data"
|
"JSON data"
|
||||||
)
|
)
|
||||||
OR magic.data LIKE "Unicode text%"
|
OR magic.data LIKE "Unicode text%"
|
||||||
|
|||||||
@ -76,10 +76,11 @@ WHERE
|
|||||||
AND NOT path LIKE '/Users/%/bin/%'
|
AND NOT path LIKE '/Users/%/bin/%'
|
||||||
AND NOT path LIKE '/Users/%/code/%'
|
AND NOT path LIKE '/Users/%/code/%'
|
||||||
AND NOT path LIKE '/Users/%/dev/%'
|
AND NOT path LIKE '/Users/%/dev/%'
|
||||||
AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
|
|
||||||
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
|
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
|
||||||
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
|
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
|
||||||
|
AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
|
||||||
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
|
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
|
||||||
|
AND NOT PATH LIKE '/Users/%/Library/Caches/JetBrains/GoLand2023.1/tmp/GoLand/___%'
|
||||||
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
|
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
|
||||||
AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
|
AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
|
||||||
AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
|
AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
|
||||||
|
|||||||
@ -228,6 +228,7 @@ WHERE
|
|||||||
AND pe.path NOT LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS/Updater'
|
AND pe.path NOT LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS/Updater'
|
||||||
AND dir NOT LIKE '/Applications/%'
|
AND dir NOT LIKE '/Applications/%'
|
||||||
AND dir NOT LIKE '~/%/bin'
|
AND dir NOT LIKE '~/%/bin'
|
||||||
|
AND dir NOT LIKE '~/%/node_modules/.bin/%'
|
||||||
AND dir NOT LIKE '/opt/%/bin'
|
AND dir NOT LIKE '/opt/%/bin'
|
||||||
AND dir NOT LIKE '~/%/google-cloud-sdk/bin/%'
|
AND dir NOT LIKE '~/%/google-cloud-sdk/bin/%'
|
||||||
AND dir NOT LIKE '~/Library/Caches/ms-playwright/%'
|
AND dir NOT LIKE '~/Library/Caches/ms-playwright/%'
|
||||||
|
|||||||
@ -144,6 +144,7 @@ WHERE
|
|||||||
'/Library/Application Support/EcammLive',
|
'/Library/Application Support/EcammLive',
|
||||||
'~/Library/Application Support/Foxit Software/',
|
'~/Library/Application Support/Foxit Software/',
|
||||||
'~/Library/Application Support/JetBrains/',
|
'~/Library/Application Support/JetBrains/',
|
||||||
|
'~/Library/Caches/JetBrains/',
|
||||||
'~/Library/Application Support/OpenLens',
|
'~/Library/Application Support/OpenLens',
|
||||||
'~/Library/Application Support/sourcegraph-sp/',
|
'~/Library/Application Support/sourcegraph-sp/',
|
||||||
'~/Library/Application Support/Zwift/',
|
'~/Library/Application Support/Zwift/',
|
||||||
|
|||||||
@ -76,6 +76,7 @@ WHERE
|
|||||||
'curl,500,bash,zsh',
|
'curl,500,bash,zsh',
|
||||||
'curl,500,env,env',
|
'curl,500,env,env',
|
||||||
'curl,500,fish,gnome-terminal-',
|
'curl,500,fish,gnome-terminal-',
|
||||||
|
'curl,500,bash,yay',
|
||||||
'curl,500,ruby,zsh',
|
'curl,500,ruby,zsh',
|
||||||
'curl,500,ShellLauncher,',
|
'curl,500,ShellLauncher,',
|
||||||
'curl,500,ShellLauncher,login',
|
'curl,500,ShellLauncher,login',
|
||||||
|
|||||||
@ -62,6 +62,7 @@ WHERE
|
|||||||
-- Other oddball binary paths
|
-- Other oddball binary paths
|
||||||
AND NOT path LIKE '/opt/homebrew/Cellar/%'
|
AND NOT path LIKE '/opt/homebrew/Cellar/%'
|
||||||
AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
|
AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
|
||||||
|
AND NOT path LIKE '/Users/%/go/src/%/%.test'
|
||||||
AND NOT (
|
AND NOT (
|
||||||
path LIKE '/Users/%/homebrew/Cellar/%'
|
path LIKE '/Users/%/homebrew/Cellar/%'
|
||||||
AND name IN ('limactl', 'Python', 'bash')
|
AND name IN ('limactl', 'Python', 'bash')
|
||||||
@ -77,66 +78,65 @@ WHERE
|
|||||||
'0,nix,nix,',
|
'0,nix,nix,',
|
||||||
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||||
'500,bash,com.apple.bash,Software Signing',
|
'500,bash,com.apple.bash,Software Signing',
|
||||||
|
'500,Bazecor Helper,,',
|
||||||
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
|
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
|
||||||
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
|
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
|
||||||
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
|
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||||
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
|
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||||
|
'500,BloomRPC Helper,,',
|
||||||
'500,bufls,a.out,',
|
'500,bufls,a.out,',
|
||||||
'500,stern,a.out,',
|
|
||||||
'500,registry,a.out,',
|
|
||||||
'500,mattermost,a.out,',
|
|
||||||
'500,plugin-darwin-arm64,a.out,',
|
|
||||||
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
|
|
||||||
'500,.cargo-wrapped,.cargo-wrapped,',
|
'500,.cargo-wrapped,.cargo-wrapped,',
|
||||||
|
'500,chainctl,a.out,',
|
||||||
|
'500,cloud-sql-proxy,a.out,',
|
||||||
'500,cloud_sql_proxy,a.out,',
|
'500,cloud_sql_proxy,a.out,',
|
||||||
|
'500,cloud-sql-proxy.darwin.arm64,a.out,',
|
||||||
|
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
|
||||||
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
|
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
|
||||||
'500,cosign,a.out,',
|
'500,cosign,a.out,',
|
||||||
'500,hugo,a.out,',
|
|
||||||
'500,chainctl,a.out,',
|
|
||||||
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
|
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
|
||||||
|
'500,crane,a.out,',
|
||||||
|
'500,debug.test,a.out,',
|
||||||
|
'500,dive,a.out,',
|
||||||
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
|
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
|
||||||
|
'500,dlv,a.out,',
|
||||||
|
'500,Duckly,Electron,',
|
||||||
|
'500,Duckly Helper,Electron Helper,',
|
||||||
|
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
|
||||||
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
|
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
|
||||||
'500,epdfinfo,epdfinfo,',
|
'500,epdfinfo,epdfinfo,',
|
||||||
'500,esbuild,a.out,',
|
'500,esbuild,a.out,',
|
||||||
'500,fake,a.out,',
|
'500,fake,a.out,',
|
||||||
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
|
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
|
||||||
|
'500,git,git,',
|
||||||
'500,gitsign-credential-cache,a.out,',
|
'500,gitsign-credential-cache,a.out,',
|
||||||
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
||||||
|
'500,go,a.out,',
|
||||||
'500,gopls,a.out,',
|
'500,gopls,a.out,',
|
||||||
'500,gopls,gopls,',
|
'500,gopls,gopls,',
|
||||||
'500,dive,a.out,',
|
|
||||||
'500,snyk-ls_darwin_arm64,a.out,',
|
|
||||||
'500,gpg-agent,gpg-agent,',
|
'500,gpg-agent,gpg-agent,',
|
||||||
|
'500,hugo,a.out,',
|
||||||
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
||||||
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
'500,ipcserver.old,,',
|
'500,ipcserver.old,,',
|
||||||
'500,debug.test,a.out,',
|
|
||||||
'500,Bazecor Helper,,',
|
|
||||||
'500,cloud-sql-proxy.darwin.arm64,a.out,',
|
|
||||||
'500,ko,a.out,',
|
'500,ko,a.out,',
|
||||||
'500,kubectl,a.out,',
|
'500,kubectl,a.out,',
|
||||||
'500,crane,a.out,',
|
|
||||||
'500,lua-language-server,lua-language-server,',
|
'500,lua-language-server,lua-language-server,',
|
||||||
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
|
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
|
||||||
|
'500,mattermost,a.out,',
|
||||||
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
|
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||||
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
|
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
|
||||||
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
|
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||||
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
|
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
|
||||||
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
|
||||||
'500,PrinterProxy,com.apple.print.PrinterProxy,',
|
|
||||||
'500,BloomRPC Helper,,',
|
|
||||||
'500,melange-run,a.out,',
|
'500,melange-run,a.out,',
|
||||||
'500,dlv,a.out,',
|
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||||
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
|
'500,plugin-darwin-arm64,a.out,',
|
||||||
'500,Duckly Helper,Electron Helper,',
|
'500,PrinterProxy,com.apple.print.PrinterProxy,',
|
||||||
|
'500,registry,a.out,',
|
||||||
'500,registry-redirect,a.out,',
|
'500,registry-redirect,a.out,',
|
||||||
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
|
|
||||||
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
|
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
|
||||||
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
|
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
|
||||||
'500,scdaemon,scdaemon,',
|
'500,scdaemon,scdaemon,',
|
||||||
'500,sdaudioswitch,,',
|
'500,sdaudioswitch,,',
|
||||||
'500,Duckly,Electron,',
|
|
||||||
'500,git,git,',
|
|
||||||
'500,sdaudioswitch,sdaudioswitch,',
|
'500,sdaudioswitch,sdaudioswitch,',
|
||||||
'500,sdzoomplugin,,',
|
'500,sdzoomplugin,,',
|
||||||
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
|
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
|
||||||
@ -144,17 +144,19 @@ WHERE
|
|||||||
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||||
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||||
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||||
|
'500,snyk-ls_darwin_arm64,a.out,',
|
||||||
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
|
'500,stern,a.out,',
|
||||||
'500,syncthing,syncthing,',
|
'500,syncthing,syncthing,',
|
||||||
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
|
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
|
||||||
|
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
|
||||||
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
|
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
|
||||||
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
|
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
|
||||||
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
|
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
|
||||||
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
|
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
|
||||||
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||||
'500,vim,,',
|
'500,vim,,',
|
||||||
'500,go,a.out,',
|
|
||||||
'500,vim,vim,',
|
'500,vim,vim,',
|
||||||
'500,WinAppHelper,,',
|
'500,WinAppHelper,,',
|
||||||
'500,WinAppHelper,WinAppHelper,'
|
'500,WinAppHelper,WinAppHelper,'
|
||||||
|
|||||||
@ -231,6 +231,7 @@ FROM
|
|||||||
'/sbin/mullvad-exclude',
|
'/sbin/mullvad-exclude',
|
||||||
'/bin/mullvad-exclude',
|
'/bin/mullvad-exclude',
|
||||||
'/usr/bin/su',
|
'/usr/bin/su',
|
||||||
|
'/usr/local/bin/doas',
|
||||||
'/usr/bin/sudo',
|
'/usr/bin/sudo',
|
||||||
'/usr/bin/sudoedit',
|
'/usr/bin/sudoedit',
|
||||||
'/usr/bin/keybase-redirector',
|
'/usr/bin/keybase-redirector',
|
||||||
|
|||||||
@ -174,6 +174,7 @@ WHERE
|
|||||||
p0.name = ""
|
p0.name = ""
|
||||||
AND p1.name = "nvim"
|
AND p1.name = "nvim"
|
||||||
)
|
)
|
||||||
|
AND NOT p0_cmd LIKE '%/gcloud.py components update'
|
||||||
AND NOT (p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
|
AND NOT (p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
|
||||||
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
||||||
GROUP BY
|
GROUP BY
|
||||||
|
|||||||
@ -113,6 +113,7 @@ WHERE
|
|||||||
file.symlink = 1
|
file.symlink = 1
|
||||||
AND magic.data != 'symbolic link to /Applications'
|
AND magic.data != 'symbolic link to /Applications'
|
||||||
AND magic.data != 'symbolic link to /Applications/'
|
AND magic.data != 'symbolic link to /Applications/'
|
||||||
|
AND magic.data != 'symbolic link to .'
|
||||||
AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
|
AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
|
||||||
AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
|
AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
|
||||||
)
|
)
|
||||||
|
|||||||
@ -119,6 +119,7 @@ WHERE
|
|||||||
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
|
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
|
||||||
AND host NOT IN (
|
AND host NOT IN (
|
||||||
'arc.net',
|
'arc.net',
|
||||||
|
'adoptium.net',
|
||||||
'balsamiq.com',
|
'balsamiq.com',
|
||||||
'brave.com',
|
'brave.com',
|
||||||
'discord.com',
|
'discord.com',
|
||||||
|
|||||||
@ -278,6 +278,7 @@ WHERE
|
|||||||
OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
|
OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
|
||||||
OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
|
OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
|
||||||
OR p0_cmd LIKE '/bin/sh %/bin/gcloud%config config-helper%'
|
OR p0_cmd LIKE '/bin/sh %/bin/gcloud%config config-helper%'
|
||||||
|
OR p0_cmd LIKE '/bin/sh %/google-cloud-sdk/bin/gcloud config get project'
|
||||||
OR p0_cmd LIKE '/bin/sh -c pkg-config %'
|
OR p0_cmd LIKE '/bin/sh -c pkg-config %'
|
||||||
OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
|
OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
|
||||||
OR p0_cmd LIKE '/bin/bash %git credential-osxkeychain get'
|
OR p0_cmd LIKE '/bin/bash %git credential-osxkeychain get'
|
||||||
@ -291,6 +292,7 @@ WHERE
|
|||||||
OR p0_cmd LIKE '%sh -c ntia-checker %'
|
OR p0_cmd LIKE '%sh -c ntia-checker %'
|
||||||
OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
|
OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
|
||||||
OR p1_cmd LIKE '%/bin/pipenv shell'
|
OR p1_cmd LIKE '%/bin/pipenv shell'
|
||||||
|
OR p1_cmd LIKE '/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby -W1 --disable=gems,rubyopt -- /Users/%/homebrew/Library/Homebrew/build.rb%'
|
||||||
OR p1_cmd LIKE 'gcloud% auth%login%'
|
OR p1_cmd LIKE 'gcloud% auth%login%'
|
||||||
OR p1_cmd LIKE '/%google-cloud-sdk/lib/gcloud.py%'
|
OR p1_cmd LIKE '/%google-cloud-sdk/lib/gcloud.py%'
|
||||||
OR (
|
OR (
|
||||||
|
|||||||
@ -83,6 +83,7 @@ WHERE
|
|||||||
'.angular-config.json',
|
'.angular-config.json',
|
||||||
'.mysql_history',
|
'.mysql_history',
|
||||||
'.lesshst',
|
'.lesshst',
|
||||||
|
'pve-installer.squashfs',
|
||||||
'.gitconfig',
|
'.gitconfig',
|
||||||
'.flyrc',
|
'.flyrc',
|
||||||
'.dbshell',
|
'.dbshell',
|
||||||
|
|||||||
@ -456,6 +456,9 @@ WHERE
|
|||||||
'zfs-scrub.timer,zfs-scrub.timer,,0',
|
'zfs-scrub.timer,zfs-scrub.timer,,0',
|
||||||
'zfs-share.service,ZFS file system shares,,225',
|
'zfs-share.service,ZFS file system shares,,225',
|
||||||
'zfs-share.service,ZFS file system shares,,450',
|
'zfs-share.service,ZFS file system shares,,450',
|
||||||
|
'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,900',
|
||||||
|
'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,,900',
|
||||||
|
'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,,900',
|
||||||
'zfs.target,ZFS startup target,,0',
|
'zfs.target,ZFS startup target,,0',
|
||||||
'zfs-volumes.target,ZFS volumes are ready,,0',
|
'zfs-volumes.target,ZFS volumes are ready,,0',
|
||||||
'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,,225',
|
'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,,225',
|
||||||
|
|||||||
@ -52,7 +52,6 @@ WHERE
|
|||||||
-- Deprecated Google Extension
|
-- Deprecated Google Extension
|
||||||
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
|
'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
|
||||||
'false,,base64 encode or decode selected text,',
|
'false,,base64 encode or decode selected text,',
|
||||||
'false,,NVD Cleaner,',
|
|
||||||
'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip',
|
'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip',
|
||||||
'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi',
|
'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi',
|
||||||
'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk',
|
'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk',
|
||||||
@ -60,6 +59,7 @@ WHERE
|
|||||||
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg',
|
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg',
|
||||||
'false,julienv3@gmail.com,treasure-clicker,',
|
'false,julienv3@gmail.com,treasure-clicker,',
|
||||||
'false,juverm@chainguard.dev,auto-close-gitsign,',
|
'false,juverm@chainguard.dev,auto-close-gitsign,',
|
||||||
|
'false,,NVD Cleaner,',
|
||||||
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
|
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
|
||||||
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
|
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
|
||||||
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
|
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
|
||||||
@ -101,6 +101,7 @@ WHERE
|
|||||||
'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo',
|
'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo',
|
||||||
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
|
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
|
||||||
'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
|
'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
|
||||||
|
'true,,Distill Web Monitor,inlikjemeeknofckkjolnjbpehgadgge',
|
||||||
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
|
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
|
||||||
'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
|
'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
|
||||||
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
|
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
|
||||||
@ -166,7 +167,12 @@ WHERE
|
|||||||
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
|
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
|
||||||
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
|
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
|
||||||
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
|
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
|
||||||
|
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
|
||||||
|
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
|
||||||
|
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
|
||||||
|
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
|
||||||
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
|
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
|
||||||
|
'true,,RetailMeNot Deal Finder\xE2\x84\xA2\xEF\xB8\x8F,jjfblogammkiefalfpafidabbnamoknm',
|
||||||
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
|
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
|
||||||
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
|
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
|
||||||
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
|
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
|
||||||
@ -203,6 +209,7 @@ WHERE
|
|||||||
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
|
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
|
||||||
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd',
|
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd',
|
||||||
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
|
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
|
||||||
|
'true,,WAVE Evaluation Tool,jbbplnpkjmmeebjpijfedlgcdilocofh',
|
||||||
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
|
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
|
||||||
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
|
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
|
||||||
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
|
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
|
||||||
|
|||||||
@ -62,6 +62,7 @@ WHERE
|
|||||||
'/dev/cdrom',
|
'/dev/cdrom',
|
||||||
'/dev/char/',
|
'/dev/char/',
|
||||||
'/dev/char/:',
|
'/dev/char/:',
|
||||||
|
'/dev/cec',
|
||||||
'/dev/console',
|
'/dev/console',
|
||||||
'/dev/core',
|
'/dev/core',
|
||||||
'/dev/cpu/',
|
'/dev/cpu/',
|
||||||
|
|||||||
@ -36,6 +36,7 @@ WHERE
|
|||||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||||
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
|
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
|
||||||
|
'Developer ID Application: Louis Pontoise (QXD7GW8FHY)',
|
||||||
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
||||||
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||||
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
|
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
|
||||||
|
|||||||
@ -92,6 +92,7 @@ WHERE
|
|||||||
'3000,6,500,grafana-server',
|
'3000,6,500,grafana-server',
|
||||||
'3000,6,500,node',
|
'3000,6,500,node',
|
||||||
'32768,6,0,tailscaled',
|
'32768,6,0,tailscaled',
|
||||||
|
'32768,6,500,java',
|
||||||
'32768,6,0,.tailscaled-wra',
|
'32768,6,0,.tailscaled-wra',
|
||||||
'32768,6,500,com.docker.backend',
|
'32768,6,500,com.docker.backend',
|
||||||
'32768,6,500,dleyna-renderer',
|
'32768,6,500,dleyna-renderer',
|
||||||
|
|||||||
@ -44,6 +44,7 @@ WHERE
|
|||||||
REPLACE(LOWER(TRIM(u.description)), " ", "-")
|
REPLACE(LOWER(TRIM(u.description)), " ", "-")
|
||||||
) == 1
|
) == 1
|
||||||
-- Common locations of test or demo keys
|
-- Common locations of test or demo keys
|
||||||
|
AND NOT file.path = '/Users/Shared/LGHUB/keys.json'
|
||||||
AND NOT file.directory LIKE '%/pkg/%'
|
AND NOT file.directory LIKE '%/pkg/%'
|
||||||
AND NOT file.directory LIKE '%/go/src/%'
|
AND NOT file.directory LIKE '%/go/src/%'
|
||||||
AND NOT file.directory LIKE '%/pkg/mod/%'
|
AND NOT file.directory LIKE '%/pkg/mod/%'
|
||||||
@ -82,6 +83,7 @@ WHERE
|
|||||||
'81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
|
'81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
|
||||||
'4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
|
'4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
|
||||||
'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
|
'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
|
||||||
|
'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
|
||||||
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
|
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
|
||||||
'11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
|
'11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
|
||||||
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
|
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user