fpr: aws-sdk, melange, Tailscale, Xprotect, etc

Thomas Stromberg 2023-03-03 07:24:42 -05:00
parent 6d05dbc2da
commit f25cfe1399
38 changed files with 335 additions and 259 deletions


@ -93,13 +93,13 @@ WHERE
AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
AND p.name != 'nessusd'
-- Local DNS servers and custom clients go here
-- Electron apps
AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
AND p.path NOT IN (
'/usr/lib/systemd/systemd-resolved',
'/Library/Nessus/run/sbin/nessusd',
'/usr/bin/apko',
'/opt/google/chrome/chrome',
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper'
'/usr/bin/apko',
'/usr/lib/systemd/systemd-resolved'
)
-- Chromium apps can send stray DNS packets
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
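Review bot: The explicit Slack Helper, Spotify Helper and Google Chrome Helper paths in this hunk are already covered by `AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'` above them (LIKE's `%` matches `/` as well), so they never change the result. That wildcard also exempts every app-bundle helper from this DNS check, not only the Electron and Chromium helpers the comments name, which is a wide carve-out for a query about stray DNS traffic. Either keep the explicit entries and drop the wildcard, or keep the wildcard and record the trade-off next to it, e.g. `-- Broad: exempts any bundle helper named '% Helper'; prefer listing known helpers`. I cannot tell from the rendered view which of these lines the commit added; the WHERE clause continues outside the hunk.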


@ -71,6 +71,7 @@ WHERE
'0,kmod,0u,0g,depmod',
'0,launcher,0u,0g,launcher',
'0,launcher,500u,500g,launcher',
'0,ldconfig,0u,0g,ldconfig',
'0,nessusd,0u,0g,nessusd',
'0,nix,0u,0g,nix',
'0,nix,0u,0g,nix-daemon',
@ -91,12 +92,12 @@ WHERE
'106,geoclue,0u,0g,geoclue',
'500,1password,0u,0g,1password',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,act,0u,0g,act',
'500,apk,500u,500g,apk',
'500,apko,u,g,apko',
'500,apk,u,g,apk',
'500,aws,0u,0g,aws',
'500,bom,500u,500g,bom',
'500,act,0u,0g,act',
'500,Brackets,0u,0g,Brackets',
'500,brave,0u,0g,brave',
'500,buildkitd,500u,500g,buildkitd',
@ -128,11 +129,13 @@ WHERE
'500,flameshot,0u,0g,flameshot',
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
'500,geoclue,0u,0g,geoclue',
'500,gh,0u,0g,gh',
'500,git,0u,0g,git',
'500,git-remote-http,0u,0g,git-remote-http',
'500,gitsign,0u,0g,gitsign',
'500,gitsign,500u,0g,gitsign',
'500,gitsign,500u,500g,gitsign',
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
'500,gjs-console,0u,0g,org.gnome.Maps',
'500,gnome-recipes,0u,0g,gnome-recipes',
'500,gnome-shell,0u,0g,gnome-shell',
@ -160,10 +163,12 @@ WHERE
'500,Keybase,0u,0g,Keybase',
'500,ko,500u,500g,ko',
'500,ko,u,g,ko',
'500,kpromo,500u,500g,kpromo',
'500,krel,500u,500g,krel',
'500,kubectl,0u,0g,kubectl',
'500,kubectl,500u,500g,kubectl',
'500,lens,0u,0g,lens',
'500,limactl,0u,0g,limactl',
'500,mconvert,500u,500g,mconvert',
'500,melange,u,g,melange',
'500,Melvor Idle,500u,500g,exe',
@ -175,10 +180,11 @@ WHERE
'500,node,0u,0g,.node2nix-wrapp',
'500,node,u,g,node',
'500,obs,0u,0g,obs',
'500,obs,u,g,obs',
'500,obs-browser-page,0u,0g,obs-browser-pag',
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
'500,obsidian,u,g,obsidian',
'500,obs,u,g,obs',
'500,pacman,0u,0g,pacman',
'500,php8.1,0u,0g,php',
'500,promoter,500u,500g,promoter',
@ -190,17 +196,16 @@ WHERE
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
'500,python3,500u,500g,python3',
'500,python.test,500u,500g,python.test',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,reporter-ureport,0u,0g,reporter-urepor',
'500,rpi-imager,0u,0g,rpi-imager',
'500,rustup,0u,0g,rustup',
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
'500,scoville,500u,500g,scoville',
'500,signal-desktop,0u,0g,signal-desktop',
'500,kpromo,500u,500g,kpromo',
'500,signal-desktop,u,g,signal-desktop',
'500,slack,0u,0g,slack',
'500,slack,u,g,slack',
'500,python.test,500u,500g,python.test',
'500,slirp4netns,500u,500g,slirp4netns',
'500,snap-store,0u,0g,snap-store',
'500,spotify,0u,0g,spotify',
@ -208,7 +213,6 @@ WHERE
'500,spotify,u,g,spotify',
'500,steam,500u,100g,steam',
'500,steam,500u,500g,steam',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,steamwebhelper,500u,100g,steamwebhelper',
'500,steamwebhelper,500u,500g,steamwebhelper',
'500,step,500u,500g,step',
@ -219,13 +223,11 @@ WHERE
'500,terraform,500u,500g,terraform',
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,limactl,0u,0g,limactl',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,xmobar,0u,0g,xmobar',
@ -258,5 +260,7 @@ WHERE
-- Exclude processes running inside of containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
-- Tests
AND NOT p.path LIKE '/tmp/go-build%.test'
GROUP BY
p.cmdline
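Review bot: The exclusion `AND NOT p.path LIKE '/tmp/go-build%.test'` under `-- Tests` is a path-only exemption inside a world-writable directory: any process whose binary sits at `/tmp/go-build…` and ends in `.test` is dropped from this query no matter who launched it. Go's test runner normally executes these binaries as a child of the `go` command, so tying the exemption to the parent, e.g. `AND NOT (p.path LIKE '/tmp/go-build%.test' AND pp.name = 'go')`, keeps it for real test runs while closing the generic hole; I cannot see whether this query joins the parent process, so use whatever alias it has. I am assuming these two lines are the addition, since the rendered view has lost its +/- markers. The exception list in the earlier hunks of this file and the rest of the WHERE clause are outside the hunk.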


@ -122,6 +122,7 @@ WHERE
'80,6,0,bash,0u,0g,update-ca-trust',
'80,6,0,cp,0u,0g,cp',
'80,6,0,fc-cache,0u,0g,fc-cache',
'500,syft,0u,0g,syft',
'80,6,0,find,0u,0g,find',
'80,6,0,gawk,0u,0g,awk',
'80,6,0,gpg,0u,0g,gpg',
@ -132,6 +133,7 @@ WHERE
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,python3.10,0u,0g,dnf',
'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',
'80,6,0,python3.10,0u,0g,dnf-automatic',
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
@ -170,11 +172,15 @@ WHERE
'80,6,500,steam,500u,100g,steam',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,python3.11,0u,0g,dnf',
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird,u,g,thunderbird',
'587,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,zoom,0u,0g,zoom',
'80,6,500,zoom.real,u,g,zoom.real',
'9418,6,500,git,0u,0g,git',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
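Review bot: `'500,syft,0u,0g,syft'` does not match the key shape of the surrounding entries, which carry seven fields (`port,proto,uid,name,euid,egid,name` judging by `'80,6,0,bash,0u,0g,update-ca-trust'`); with five fields it can never equal a generated key, so the syft exemption is dead and the rows it was meant to suppress keep firing. It looks like it was copied from the sibling query whose keys start with the uid; the matching form here would be `'<port>,<proto>,500,syft,0u,0g,syft',` with the port and protocol taken from the alert that motivated it (placeholders, not values I can read from the page). The key column is defined outside the hunk, so the field order is inferred from the neighbouring literals.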


@ -181,6 +181,7 @@ WHERE
'443,6,500,apko,a.out,',
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'443,6,500,bash,bash,',
'443,6,500,BlockBlock Installer,com.objective-see.blockblock.installer,Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'443,6,500,bom,,',


@ -141,6 +141,7 @@ WHERE
'rustup',
'slack',
'snyk',
'snyk-macos',
'spotify',
'staticcheck',
'steam',


@ -101,6 +101,7 @@ WHERE
'netstat,500,IPNExtension,launchd',
'pfctl,0,pia-daemon,launchd',
'ifconfig,500,zsh,stable',
'netstat,0,io.tailscale.ipn.macsys.network-extension,launchd',
'ifconfig,0,pia-openvpn,pia-daemon',
'ifconfig,0,pia-openvpn,pia-daemon',
'ifconfig,0,pia-daemon,launchd',
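Review bot: `'ifconfig,0,pia-openvpn,pia-daemon'` appears twice in a row in the new list; one copy should go. The duplicate is harmless to the query, but it makes it unclear whether a different entry was intended for the second slot. The new Tailscale network-extension row keys on the process name like the rest of the list, so nothing further there. The list continues outside the hunk.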


@ -34,32 +34,33 @@ WHERE
AND p.parent NOT IN (0, 2)
AND NOT p.path IS NULL
AND p.name NOT IN (
'1Password-Keyri',
'applydeltarpm',
'bwrap',
'crond',
'cupsd',
'dhcpcd',
'1Password-Keyri',
'modprobe',
'dnf',
'gdm-x-session',
'systemd-udevd',
'gdm-session-wor',
'systemd-userwor',
'osqueryi',
'fprintd',
'gdm-session-wor',
'gdm-x-session',
'gpg-agent',
'modprobe',
'nginx',
'osqueryi',
'realmd',
'sedispatch',
'ssh',
'sshd',
'sudo',
'systemd',
'gpg-agent',
'systemd-udevd',
'systemd-userdbd',
'nginx',
'sshd',
'systemd-userwor',
'zfs',
'ssh',
'sedispatch',
'zypak-sandbox'
)
AND NOT pp.name IN ('systemd-userdbd', 'crond')
AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')
AND NOT (
p.name LIKE 'systemd-%'
AND p.parent = 1
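Review bot: Adding `'systemd'` to `AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')` exempts every process whose parent is merely *named* systemd — PID 1 and every `systemd --user` manager — which on a systemd host covers most services, and the match is on name alone. If the intent is to skip what the init process itself launches, pin it to the process rather than the name, e.g. `AND NOT (pp.name = 'systemd' AND pp.pid = 1)` or a check on `pp.path`; the `p.parent = 1` guard the query already applies to `systemd-%` children on the following lines expresses the same idea. The alphabetised `p.name NOT IN` rewrite above it reads fine. The enclosing NOT block continues past the hunk.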


@ -137,6 +137,8 @@ WHERE
OR dir LIKE '~/%/.config/nvim'
OR dir LIKE '~/dev/%/dots/%/.config%'
OR dir LIKE '~/%/.git'
OR dir LIKE '/private/tmp/%/.git'
OR dir LIKE '/tmp/%/.git'
OR dir LIKE '~/%/.github%'
OR dir LIKE '~/%/.docker%'
OR dir LIKE '~/%/.vercel%'


@ -57,6 +57,7 @@ WHERE
OR cmd LIKE '/opt/homebrew/Cellar/%'
OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
OR p.path LIKE '/Users/%/homebrew/Cellar/%'
OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
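Review bot: `OR p.path LIKE '/Users/%/homebrew/Cellar/%'` makes the narrower `OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'` three lines below redundant, since every path the second pattern matches is matched by the first, so only one should survive. Which one depends on intent: the `/bin/%` form limits the exemption to installed executables, while the bare `Cellar/%` form also exempts anything dropped under a user-writable Cellar tree, a much wider carve-out in a home directory. I cannot tell from the rendered view which of the two is the addition; the OR chain extends beyond the hunk.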


@ -70,7 +70,10 @@ WHERE
AND pp.path NOT LIKE '/opt/homebrew/Cellar/%'
AND pp.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
AND pp.path NOT LIKE '/private/var/folders/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
AND pp.path != ""
AND pp.path != "/sbin/launchd"
AND pp.path NOT IN (
"",
"/sbin/launchd",
"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)"
)
AND pp.on_disk != 1
);
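Review bot: The new `pp.path NOT IN ("", "/sbin/launchd", "/Applications/Visual Studio Code.app/…")` uses double-quoted literals while the neighbouring predicates (`'/opt/homebrew/Cellar/%'`) use single quotes. In SQLite, which osquery runs on, double quotes denote identifiers and are treated as strings only through a legacy fallback that builds can disable, so if a column name ever matched the text the comparison would silently change meaning. Switch the three literals to single quotes: `AND pp.path NOT IN ('', '/sbin/launchd', '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)')`. The same applies to the `REPLACE(path, "0", "")` chain in the /dev device query reformatted later in this commit. The enclosing NOT block closes at the `);` shown here but opens outside the hunk.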


@ -67,6 +67,7 @@ WHERE
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
@ -86,6 +87,7 @@ WHERE
AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
AND NOT (
signature.identifier LIKE 'cargo-%'
AND ae.path LIKE '/Users/%/.rustup/%'
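Review bot: The Tailscale entry `'…(W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/…,0'` embeds the system-extension install UUID, which appears to be generated per install, so this exact-key exemption only silences the alert on the host it was copied from; the Google One entry added to the long-running-programs list elsewhere in this commit (`/Library/SystemExtensions/CC9A335C-…`) has the same problem. A `LIKE` form, as this commit already uses for directories, keeps the authority and identifier pinned while tolerating the UUID: `AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%/io.tailscale.ipn.macsys.network-extension.systemextension/,0'`. The definition of exception_key is outside the hunk.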


@ -191,6 +191,8 @@ WHERE
AND NOT p0_cmd LIKE 'modprobe -ab%'
AND NOT p0_cmd LIKE 'modprobe --all%'
AND NOT p0_cmd LIKE '%modprobe aufs'
AND NOT p0_cmd LIKE '%touch -r /tmp/cc%.o %'
AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'
AND NOT p0_cmd LIKE '%modprobe overlay'
AND NOT p0_cmd LIKE '%modprobe nf_nat_netbios_ns'
AND NOT p0_cmd LIKE '%modprobe -va%'
@ -198,4 +200,5 @@ WHERE
AND NOT p0_cmd LIKE 'tail /%history'
AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.cpp'
AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.h'
AND NOT p0_name IN ('cc1', 'compile', 'cmake', 'cc1plus')
AND NOT p0_name IN ('ar', 'cc1', 'compile', 'cmake', 'cc1plus')
AND NOT exception_key IN ('bash,500,ninja,bash')
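Review bot: `AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'` is wrapped in wildcards on both sides, so it drops any command line that merely contains that text — including longer chains in which the chmod is one step — and a recursive world-writable chmod is exactly the kind of event this query otherwise surfaces. Pin the exemption to the context that produced the false positive instead, the way `exception_key IN ('bash,500,ninja,bash')` does, e.g. `AND NOT (p0_cmd LIKE 'chmod -R 777 /app/%' AND <parent-name column> = '<parent seen in the alert>')` (placeholders; I cannot read the parent from here). The `touch -r /tmp/cc%.o %` exclusion is narrow enough as written. I am assuming these two LIKE lines are the additions, since the rendered view has lost its +/- markers; the WHERE clause continues outside the hunks.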


@ -147,7 +147,11 @@ WHERE
) -- Things that could reasonably happen at boot.
AND NOT (
pe.path = '/usr/bin/mkfifo'
AND p0_cmd LIKE '%/org.gpgtools.log.%/fifo'
AND (
p0_cmd LIKE '%/org.gpgtools.log.%/fifo'
OR p0_cmd LIKE '/var/%/gitstatus.POWERLEVEL9K.%'
OR p0_cmd LIKE '/var/%/p10k.worker.%'
)
)
AND NOT (
p0_cmd LIKE '%csrutil status'


@ -98,7 +98,8 @@ WHERE
'se',
'sh',
'so',
'uk'
'uk',
'us'
)
-- Or if it matches weird keywords we've seen
OR p.cmdline LIKE '%chmod%'


@ -123,6 +123,7 @@ WHERE
'/Library/Application Support/GPGTools',
'~/Library/Application Support/JetBrains',
'~/Library/Caches/com.knollsoft.Rectangle',
'~/Library/Application Support/zoom.us',
'~/Library/Caches/com.mimestream.Mimestream',
'~/Library/Caches/snyk',
'/Library/Developer/CommandLineTools',
@ -145,23 +146,25 @@ WHERE
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
'~/go/bin',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
'/Library/DropboxHelperTools/Dropbox_u501',
'/Library/Filesystems/kbfuse.fs/Contents/Resources',
'/Library/Frameworks/Python.framework/Versions/3.10/bin',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
'/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
'/Library/Printers/DYMO/Utilities',
'/Library/PrivilegedHelperTools',
'/Library/TeX/texbin',
'~/.local/bin',
'~/.magefile',
'/node_modules/.bin',
'/opt/homebrew/bin',
'/opt/usr/bin',
'/opt/X11/bin',
'/opt/X11/libexec',
@ -170,7 +173,6 @@ WHERE
'/sbin',
'/usr/bin',
'/usr/lib',
'/opt/homebrew/bin',
'/usr/lib/bluetooth',
'/usr/lib/cups/notifier',
'/usr/libexec',
@ -211,6 +213,7 @@ WHERE
AND dir NOT LIKE '/private/tmp/go-build%/exe'
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
AND dir NOT LIKE '/private/tmp/nix-build-%'
AND dir NOT LIKE '/Library/SystemExtensions/%-%/%.systemextension/Contents/MacOS'
AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app/%'


@ -135,12 +135,13 @@ WHERE
AND top3_homedir NOT IN (
'~/Library/Application Support/BraveSoftware/',
'~/Library/Application Support/com.elgato.StreamDeck/',
'~/Library/Application Support/Foxit Software/',
'~/Library/Caches/com.mimestream.Mimestream/',
'/Library/Application Support/EcammLive',
'/Library/Developer/Xcode/',
'~/Library/Application Support/Foxit Software/',
'~/Library/Application Support/OpenLens',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/snyk/',
'/Library/Developer/Xcode/',
'~/.terraform.d/plugin-cache/registry.terraform.io/'
)
AND dir NOT LIKE '/Applications/%'


@ -110,7 +110,7 @@ WHERE
AND NOT (
pe.euid > 500
AND p1_name = 'ruby'
AND p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%'
AND p1_cmd LIKE '%/Homebrew/brew.rb%'
)
AND NOT (
pe.euid > 500
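Review bot: Loosening `p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%'` to `'%/Homebrew/brew.rb%'` exempts a ruby parent whose command line contains that suffix anywhere — under `/tmp` or a home directory as readily as under the Homebrew prefix — and the only other guard is `p1_name = 'ruby'`, which is name-only. If the goal is to cover the other stock prefixes, enumerate them: `AND (p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%' OR p1_cmd LIKE '%/usr/local/Homebrew/Library/Homebrew/brew.rb%' OR p1_cmd LIKE '%/Users/%/homebrew/Library/Homebrew/brew.rb%')`, the last matching the `/Users/%/homebrew/` prefix this commit accepts elsewhere. Alternatively constrain `p1_path` to Homebrew's ruby. The enclosing NOT block and the `pe.euid > 500` guard are partly outside the hunk.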


@ -50,6 +50,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
'curl,500,bash,ShellLauncher',
'curl,500,Slack,launchd',
'curl,500,bash,zsh',
'curl,0,09-timezone,nm-dispatcher',
'curl,500,env,env',
'curl,500,fish,gnome-terminal-',
'curl,500,Slack,launchd',
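Review bot: `'curl,500,Slack,launchd'` is now listed twice in this hunk (once above `'curl,500,bash,zsh'` and again at the end); drop one. `'curl,0,09-timezone,nm-dispatcher'` exempts a root curl keyed only on the dispatcher script's name, so any dispatcher script with that name would be exempt; if the key can carry the script path, that would be the better pin — I cannot tell from the hunk whether it can. The comment on the WHERE line says the remainder of this query is synced with the fetcher-parent query, so the same entry presumably needs adding there; I cannot see whether this commit does that. The list continues beyond the hunk.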


@ -89,6 +89,7 @@ WHERE
-- I'm not too thrilled to have this as an exception, to be honest.
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Sanford, L.P. (N3S6676K3E)',
'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'Software Signing'
)
AND NOT (


@ -100,6 +100,7 @@ WHERE
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,dive,a.out,',
'500,gpg-agent,gpg-agent,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
@ -115,6 +116,7 @@ WHERE
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,BloomRPC Helper,,',
'500,registry-redirect,a.out,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
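Review bot: `'500,BloomRPC Helper,,'` leaves both the identifier and the authority field empty, so any uid-500 process calling itself `BloomRPC Helper` passes regardless of where it lives or who signed it; `'500,dive,a.out,'` is only slightly tighter, since `a.out` is typically the identifier of an ad-hoc-signed Go binary. This follows the established pattern in the list (`'500,gopls,a.out,'`), so it is a note on the list as a whole rather than on the two rows: where the helper ships inside a signed app bundle, its identifier and authority are available and pinning them costs nothing. Both rows are also inserted out of alphabetical order (`dive` after `gopls`, `BloomRPC Helper` after `PrinterProxy`), which makes future duplicates harder to spot. The list continues outside the hunks.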


@ -96,6 +96,7 @@ WHERE
'/usr/bin/udevadm',
'/usr/libexec/aned',
'/usr/libexec/coreduetd',
'/usr/libexec/diskmanagementd',
'/usr/bin/update-notifier',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/logd',


@ -111,6 +111,7 @@ WHERE
file.symlink = 1
AND magic.data != 'symbolic link to /Applications'
AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
)
)
GROUP BY


@ -117,6 +117,7 @@ WHERE
'gnome-terminal-server',
'go',
'goland',
'mc',
'gopls',
'helm',
'HP Diagnose & Fix',
@ -152,8 +153,10 @@ WHERE
'sh',
'ShellLauncher',
'skhd',
'su',
'snyk',
'sshd',
'obs',
'stable',
'Stream Deck',
'sudo',
@ -164,6 +167,8 @@ WHERE
'terraform-ls',
'test2json',
'tmux',
'snyk-macos',
'ression-arm64',
'tmux:server',
'update-notifier',
'vi',
@ -253,6 +258,7 @@ WHERE
'sh,500,Google Drive,launchd',
'dash,0,snapd,systemd',
'bash,500,xdg-desktop-portal,systemd',
'zsh,500,old,old',
'sh,500,snyk-macos,snyk',
'sh,500,ssh,mosh-client',
'sh,500,updater,Foxit PDF Reader',
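Review bot: `'zsh,500,old,old'` exempts a zsh whose parent is a process named `old`, a name that says nothing about which binary it is and that a renamed copy of anything would carry; pin it to a path or the grandparent rather than the bare name. `'ression-arm64'` looks like a truncated process name (a `telepresence-arm64` package path appears elsewhere in this commit), which is worth confirming against the alert rather than encoding the truncation. `'su'` joins `'sudo'` in the name list, and `'mc'`, `'obs'`, `'snyk-macos'` are inserted out of alphabetical order, which is the likeliest way the duplicate entries seen elsewhere in this commit crept in. The lists continue outside the hunks.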


@ -105,6 +105,7 @@ WHERE
'ssh',
'sshd',
'steam_osx',
'LogiTune',
'swift',
'systemd',
'terminator',
@ -161,6 +162,7 @@ WHERE
AND NOT p.cmdline IN (
-- npm run server
'sh -c -- exec-bin node_modules/.bin/hugo/hugo server',
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
"sh -c acpi -b | grep -v 'unavailable'",
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null',
-- Brother printer
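Review bot: `'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice'` is an exact command-line exemption with no parent or user constraint, unlike the name list above it; reading the platform-expert entry is a common way to fetch hardware identifiers and is not specific to the app that triggered the alert, so the exemption should name that parent, e.g. `AND NOT (p.cmdline = '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice' AND pp.name = '<parent from the alert>')` (placeholder; adapt to the query's parent alias, which I cannot see). `'LogiTune'` lands between `steam_osx` and `swift` rather than in order. The cmdline list continues past the hunk.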


@ -80,6 +80,7 @@ WHERE
'.disk_label_2x',
'.DS_Store',
'.file',
'LogiPresentation Installer.app',
'.file-revisions-by-id',
'._Id.txt',
'.iotest',
@ -95,6 +96,7 @@ WHERE
)
AND authority NOT IN (
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
) -- Unsigned programs here
AND trimpath NOT IN (


@ -127,6 +127,7 @@ WHERE
'dnf-automatic-install.service,dnf automatic install updates,,225',
'dnf-automatic-install.timer,dnf-automatic-install timer,,225',
'dnf-makecache.service,dnf makecache,,225',
'dnf-makecache.service,dnf makecache,,450',
'dnf-makecache.timer,dnf makecache --timer,,225',
'docker.service,Docker Application Container Engine,,1125',
'docker.service,Docker Application Container Engine,,1350',
@ -142,6 +143,7 @@ WHERE
'firewall.service,Firewall,,1350',
'flatpak-system-helper.service,flatpak system helper,,225',
'fprintd.service,Fingerprint Authentication Daemon,,900',
'fprintd.service,Fingerprint Authentication Daemon,,675',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225',
'fstrim.timer,Discard unused blocks once a week,,225',
'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225',
@ -214,12 +216,15 @@ WHERE
'network-interfaces.target,All Network Interfaces (deprecated),,0',
'network-local-commands.service,Extra networking commands.,,1350',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450',
'NetworkManager.service,Network Manager,,1125',
'nvidia-suspend.service,NVIDIA system suspend actions,,225',
'NetworkManager.service,Network Manager,,1350',
'NetworkManager-wait-online.service,Network Manager Wait Online,,1125',
'network-online.target,Network is Online,,450',
'network-pre.target,Network (Pre),,450',
'network-pre.target,Preparation for Network,,450',
'sleep.target,Sleep,,450',
'network-setup.service,Networking Setup,,1350',
'network.target,Network,,225',
'network.target,Network,,450',


@ -11,215 +11,227 @@
-- tags: persistent filesystem state
-- platform: linux
SELECT -- Remove numerals from device names
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
DISTINCT REPLACE(
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
DISTINCT REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(
REPLACE(REPLACE(path, "0", ""), "1", ""),
"2",
""
),
"3",
""
),
"4",
""
),
"5",
""
),
"6",
""
),
"7",
REPLACE(
REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""),
"3",
""
),
"4",
""
),
"8",
"5",
""
),
"6",
""
),
"9",
"7",
""
) AS path_expr,
file.*
FROM file
WHERE (
path LIKE '/dev/%'
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
'/dev/block/:',
'/dev/bsg/',
'/dev/bsg/:::',
'/dev/btrfs-control',
'/dev/bus/',
'/dev/bus/usb',
'/dev/cdrom',
'/dev/char/',
'/dev/char/:',
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
'/dev/disk/by-diskseq',
'/dev/disk/by-id',
'/dev/disk/by-label',
'/dev/disk/by-partlabel',
'/dev/disk/by-partuuid',
'/dev/disk/by-path',
'/dev/disk/by-uuid',
'/dev/dm-',
'/dev/dma_heap/',
'/dev/dma_heap/system',
'/dev/dri/',
'/dev/dri/by-path',
'/dev/dri/card',
'/dev/dri/renderD',
'/dev/drm_dp_aux',
'/dev/dvd',
'/dev/ecryptfs',
'/dev/fb',
'/dev/fd/',
'/dev/full',
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/hugepages/libvirt',
'/dev/hwrng',
'/dev/ic-',
'/dev/iio:device',
'/dev/initctl',
'/dev/input/',
'/dev/input/by-id',
'/dev/input/by-path',
'/dev/input/event',
'/dev/input/js',
'/dev/input/mice',
'/dev/input/mouse',
'/dev/kfd',
'/dev/kmsg',
'/dev/kvm',
'/dev/log',
'/dev/loop',
'/dev/loop-control',
'/dev/lp',
'/dev/mapper/',
'/dev/mapper/control',
'/dev/mcelog',
'/dev/media',
'/dev/mei',
'/dev/mem',
'/dev/mqueue/',
'/dev/mtd',
'/dev/mtdro',
'/dev/net/',
'/dev/net/tun',
'/dev/ngn',
'/dev/null',
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvme',
'/dev/nvmen',
'/dev/nvmenp',
'/dev/nvram',
'/dev/port',
'/dev/ppp',
'/dev/pps',
'/dev/psaux',
'/dev/ptmx',
'/dev/ptp',
'/dev/pts/',
'/dev/pts/ptmx',
'/dev/random',
'/dev/rfkill',
'/dev/rpool/',
'/dev/rpool/keystore',
'/dev/rtc',
'/dev/sda',
'/dev/sg',
'/dev/shm/',
'/dev/snapshot',
'/dev/snd/',
'/dev/snd/by-id',
'/dev/snd/by-path',
'/dev/snd/controlC',
'/dev/snd/hwCD',
'/dev/snd/pcmCDc',
'/dev/snd/pcmCDp',
'/dev/snd/seq',
'/dev/snd/timer',
'/dev/sr',
'/dev/stderr',
'/dev/stdin',
'/dev/stdout',
'/dev/tpm',
'/dev/tpmrm',
'/dev/tty',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/udmabuf',
'/dev/uhid',
'/dev/uinput',
'/dev/urandom',
'/dev/usb/',
'/dev/usb/hiddev',
'/dev/usbmon',
'/dev/userfaultfd',
'/dev/userio',
'/dev/vboxdrv',
'/dev/vboxdrvu',
'/dev/vboxnetctl',
'/dev/vboxusb/',
'/dev/vcs',
'/dev/vcsa',
'/dev/vcsu',
'/dev/vda',
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vgubuntu/',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/vhost-net',
'/dev/vhost-vsock',
'/dev/video',
'/dev/vl/',
'/dev/vl/by-id',
'/dev/vl/by-path',
'/dev/watchdog',
'/dev/wmi/',
'/dev/wmi/dell-smbios',
'/dev/zd',
'/dev/zero',
'/dev/zfs',
'/dev/zram',
'/dev/zvol/',
'/dev/zvol/rpool',
'/dev/vlloopback'
)
AND NOT path LIKE '/dev/mapper/%'
AND NOT path LIKE '/dev/shm/u%-Shm_%'
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
),
"8",
""
),
"9",
""
) AS path_expr,
file.*
FROM
file
WHERE
(
path LIKE '/dev/%'
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
'/dev/block/:',
'/dev/bsg/',
'/dev/bsg/:::',
'/dev/btrfs-control',
'/dev/bus/',
'/dev/bus/usb',
'/dev/cdrom',
'/dev/char/',
'/dev/char/:',
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
'/dev/disk/by-diskseq',
'/dev/disk/by-id',
'/dev/disk/by-label',
'/dev/disk/by-partlabel',
'/dev/disk/by-partuuid',
'/dev/disk/by-path',
'/dev/disk/by-uuid',
'/dev/dm-',
'/dev/dma_heap/',
'/dev/dma_heap/system',
'/dev/dmmidi',
'/dev/dri/',
'/dev/dri/by-path',
'/dev/dri/card',
'/dev/dri/renderD',
'/dev/drm_dp_aux',
'/dev/dvd',
'/dev/ecryptfs',
'/dev/fb',
'/dev/fd/',
'/dev/full',
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/hugepages/libvirt',
'/dev/hwrng',
'/dev/ic-',
'/dev/iio:device',
'/dev/initctl',
'/dev/input/',
'/dev/input/by-id',
'/dev/input/by-path',
'/dev/input/event',
'/dev/input/js',
'/dev/input/mice',
'/dev/input/mouse',
'/dev/kfd',
'/dev/kmsg',
'/dev/kvm',
'/dev/log',
'/dev/loop',
'/dev/loop-control',
'/dev/lp',
'/dev/mapper/',
'/dev/mapper/control',
'/dev/mcelog',
'/dev/md',
'/dev/md/',
'/dev/md/ssraid',
'/dev/media',
'/dev/mei',
'/dev/mem',
'/dev/midi',
'/dev/mqueue/',
'/dev/mtd',
'/dev/mtdro',
'/dev/net/',
'/dev/net/tun',
'/dev/ngn',
'/dev/null',
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvme',
'/dev/nvmen',
'/dev/nvmenp',
'/dev/nvram',
'/dev/port',
'/dev/ppp',
'/dev/pps',
'/dev/psaux',
'/dev/ptmx',
'/dev/ptp',
'/dev/pts/',
'/dev/pts/ptmx',
'/dev/random',
'/dev/rfkill',
'/dev/rpool/',
'/dev/rpool/keystore',
'/dev/rtc',
'/dev/sda',
'/dev/sdb',
'/dev/serial/',
'/dev/serial/by-id',
'/dev/serial/by-path',
'/dev/sg',
'/dev/sgx_provision',
'/dev/sgx_vepc',
'/dev/shm/',
'/dev/shm/libpod_rootless_lock_',
'/dev/snapshot',
'/dev/snd/',
'/dev/snd/by-id',
'/dev/snd/by-path',
'/dev/snd/controlC',
'/dev/snd/hwCD',
'/dev/snd/midiCD',
'/dev/snd/pcmCDc',
'/dev/snd/pcmCDp',
'/dev/snd/seq',
'/dev/snd/timer',
'/dev/sr',
'/dev/stderr',
'/dev/stdin',
'/dev/stdout',
'/dev/tpm',
'/dev/tpmrm',
'/dev/tty',
'/dev/ttyACM',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/udmabuf',
'/dev/uhid',
'/dev/uinput',
'/dev/urandom',
'/dev/usb/',
'/dev/usb/hiddev',
'/dev/usbmon',
'/dev/userfaultfd',
'/dev/userio',
'/dev/vboxdrv',
'/dev/vboxdrvu',
'/dev/vboxnetctl',
'/dev/vboxusb/',
'/dev/vcs',
'/dev/vcsa',
'/dev/vcsu',
'/dev/vda',
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vgubuntu/',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/vhost-net',
'/dev/vhost-vsock',
'/dev/video',
'/dev/vl/',
'/dev/vl/by-id',
'/dev/vl/by-path',
'/dev/vlloopback',
'/dev/watchdog',
'/dev/wmi/',
'/dev/wmi/dell-smbios',
'/dev/zd',
'/dev/zero',
'/dev/zfs',
'/dev/zram',
'/dev/zvol/',
'/dev/zvol/rpool'
)
AND NOT path LIKE '/dev/mapper/%'
AND NOT path LIKE '/dev/shm/u%-Shm_%'
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'


@ -40,6 +40,7 @@ WHERE
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
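Review bot: A second Kolide authority, `Developer ID Application: Kolide, Inc (X98UFR7HA3)`, is added beside the existing `Kolide Inc (YZ3EM74M78)`; a near-identical organisation name under a different Team ID is also what a lookalike developer certificate looks like, so the new Team ID should be confirmed against Kolide's published signing identity (or a binary from their official download) before it is trusted here — I cannot verify it from the page. A short comment recording the provenance, e.g. `-- second Kolide team ID, verified on <product/version>` (placeholder), would spare the next reader the same check. The list continues outside the hunk.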


@ -37,7 +37,8 @@ WHERE
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)'
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
'Software Signing'
)
AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent')
AND NOT (
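Review bot: Adding `'Software Signing'` to this authority allowlist exempts every Apple-signed binary, which includes the interpreters and utilities in `/bin` and `/usr/bin` that third-party persistence entries commonly invoke, so the signature check no longer says anything about what is being launched. If the false positive was one specific Apple program, exempt its path through the `program NOT IN (…)` list on the next line, which the query already has for that purpose; if all OS binaries are meant to be trusted, say so explicitly with a path guard alongside the authority, e.g. `AND NOT (authority = 'Software Signing' AND program LIKE '/System/%')`. The `NOT IN (` this list belongs to opens outside the hunk, so the column name is inferred from the sibling queries in this commit.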


@ -117,6 +117,7 @@ WHERE
'5432,6,70,postgres',
'546,17,500,dhcpcd',
'5556,6,500,dex',
'5556,6,500,openshot-qt',
'5558,6,500,dex',
'58,255,0,dhcpcd',
'58,255,0,NetworkManager',


@ -62,12 +62,14 @@ WHERE
'138,17,222,netbiosd,Software Signing',
'16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
'17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'2112,6,500,fake,',
'2112,6,500,rekor-server,',
'2112,6,500,timestamp-server,',
'22000,6,500,syncthing,',
'22,6,0,launchd,Software Signing',
'24678,6,500,node,',
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
'33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'3306,6,500,mariadbd,',
@ -108,7 +110,6 @@ WHERE
'53,17,65,mDNSResponder,Software Signing',
'53,6,500,dnsmasq,',
'53,6,65,mDNSResponder,Software Signing',
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'546,17,0,configd,Software Signing',
'547,17,500,dhcp6d,Software Signing',
'5900,6,0,launchd,Software Signing',
@ -119,8 +120,6 @@ WHERE
'67,17,0,bootpd,Software Signing',
'67,17,0,launchd,Software Signing',
'68,17,0,configd,Software Signing',
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'7000,6,500,ControlCenter,Software Signing',
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'8770,6,500,sharingd,Software Signing',


@ -101,13 +101,13 @@ WHERE
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service',
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
@ -130,6 +130,7 @@ WHERE
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
@ -147,6 +148,7 @@ WHERE
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
@ -188,7 +190,6 @@ WHERE
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',


@ -67,7 +67,6 @@ WHERE -- Focus on longer-running programs
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
'/bin/bash',
'/usr/sbin/sshd',
'/usr/libexec/trustdFileHelper',
@ -91,6 +90,7 @@ WHERE -- Focus on longer-running programs
'/Library/PrivilegedHelperTools/com.docker.vmnetd',
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
'/Library/PrivilegedHelperTools/keybase.Helper',
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/sbin/launchd',


@ -13,7 +13,6 @@
-- interval: 600
SELECT
file.mode AS p0_binary_mode,
pe.cmdline_size AS p0_cmd_size,
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
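Review bot: `pe.cmdline_size AS p0_cmd_size` is dropped from the SELECT list; if the WHERE or GROUP BY further down, outside this hunk, still references `p0_cmd_size`, or an exception key was built from it, the query will fail with an unknown-column error rather than silently, so it is worth one run after the change. If nothing else used it the removal is fine. The SELECT list continues beyond the hunk.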


@ -87,18 +87,19 @@ WHERE
AND p1_path NOT IN (
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
'/usr/libexec/PerfPowerServicesExtended',
'/System/Library/PrivateFrameworks/AOSKit.framework/Versions/A/XPCServices/com.apple.iCloudHelper.xpc/Contents/MacOS/com.apple.iCloudHelper',
'/usr/bin/login',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/libexec/mdmclient',
'/usr/local/bin/doas'
)
-- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
AND NOT (
p0_cmd IN (
'/usr/sbin/cupsd -l',
'/usr/libexec/mdmclient daemon',
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
AND NOT p0_cmd IN (
'/usr/sbin/cupsd -l',
'/usr/libexec/PerfPowerServicesExtended',
'/usr/libexec/mdmclient daemon',
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
AND NOT (
pe.euid = 262 -- core media helper id


@ -31,6 +31,7 @@ WHERE
'distroless.dev/melange',
'docker.io/rancher/k3s',
'gcr.io/k8s-minikube/kicbase',
'ghcr.io/wolfi-dev/sdk',
'kindest/node',
'moby/buildkit',
'wolfi'
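Review bot: `'ghcr.io/wolfi-dev/sdk'` is matched on the image reference string, which is a local tag rather than a verified identity, so the exemption holds for whatever the local daemon has labelled with that name. If the table this query reads exposes the image id or digest, matching on that pins the exemption to the actual image; I cannot see the table's columns from the hunk. The list continues outside the hunk.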


@ -14,7 +14,8 @@ FROM
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
AND ea.key = 'where_from'
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
@ -22,6 +23,9 @@ WHERE
AND file.filename LIKE "%-%-%.json"
AND file.directory NOT LIKE '%/go/pkg/%'
AND file.directory NOT LIKE '%/go/src/%'
AND NOT file.directory LIKE '%/aws-sdk/apis'
AND NOT file.directory LIKE '%/testdata/%'
AND NOT file.directory LIKE '%/schemas'
AND file.directory NOT LIKE '/Users/%/Library/Application Support/%'
AND file.directory NOT LIKE '%demo'
AND file.size BETWEEN 2311 AND 2385
@ -33,5 +37,6 @@ WHERE
REPLACE(LOWER(TRIM(u.description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
AND file.filename NOT IN ('service-account-file.json')
GROUP BY file.path
AND NOT file.filename IN ('service-account-file.json')
GROUP BY
file.path
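Review bot: `AND NOT file.directory LIKE '%/testdata/%'` removes every test-fixture directory from a search for service-account key files, and fixture directories are among the more common places a real key ends up committed by mistake; the other two new exclusions (`%/aws-sdk/apis`, `%/schemas`) are anchored to one leaf directory and do not carry that cost. Consider dropping the testdata line, or narrowing it to the specific tree that produced the noise, e.g. `AND NOT file.directory LIKE '%/<project>/testdata/%'` (placeholder). The split of `LEFT JOIN extended_attributes ea … AND ea.key = 'where_from'` onto two lines and the `GROUP BY` reformat are fine. The WHERE clause continues outside the hunks.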


@ -44,4 +44,4 @@ WHERE
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
AND NOT file.filename LIKE '%melange.rsa%'
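Review bot: Replacing `NOT IN ('local-melange.rsa', 'melange.rsa')` with `NOT file.filename LIKE '%melange.rsa%'` widens the carve-out beyond the two named files to anything containing that substring, including copies such as `melange.rsa.bak` or `melange.rsa-old`, which are more interesting to a private-key search, not less. If the goal is to cover prefixed variants like `local-melange.rsa`, anchor the end of the pattern: `AND NOT file.filename LIKE '%melange.rsa'`. The WHERE clause begins outside the hunk.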