v1.19.0

@tstromberg released this 18 Jun 20:50 · 11 commits to main since this release · 8fdd46f

What's Changed

  • fpr: tune-ppd, lightdm, nami, brave, grype, gradle, etc by @tstromberg in #401
  • Add bwrap as a setuid binary, remove /usr from evenly-timestomped by @r0cketlad in #400
  • fpr: bpftool, curl, pulumi, Docker Desktop, go tests by @tstromberg in #402
  • fpr: wider exceptions for talkers & security framework users, chrome extensions, postgres by @tstromberg in #403
  • fpr, de-extra minimal-socket, +extra touched-executable-macos by @tstromberg in #405
  • unexpected-talkers-macos: fix broken merge by @tstromberg in #406
  • refactor minimal-socket-client-macos, fpr for AWS, Valve, Sparkle, Streamdeck, Python by @tstromberg in #407
  • add extra tag to setxid-cmdline-overflow-attempt.sql by @r0cketlad in #408
  • add extra tag to unified_log_macos.sql by @r0cketlad in #409
  • add extra tag to high_disk_bytes_read.sql by @r0cketlad in #411
  • fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion, GitButler by @tstromberg in #410
  • fpr: bwrap by @r0cketlad in #412
  • Add exceptions for Xcode, Zen browser, Hugo, Krew, and more by @egibs in #413
  • Add exceptions for Arc, busybox, and Edge; fix existing exceptions by @egibs in #414
  • Add Arc browser talker exception by @egibs in #415
  • Address noisy alerts (https-macos, hidden exec, bytes written, dev entries, long running) by @tstromberg in #416
  • Add exceptions for apache2, ChatGPT, and Discord among others by @egibs in #417
  • More exceptions to cut down on alert noise by @egibs in #418
  • Add rules for bambu-studio, extensions, firefox-bin, goland, xdg, and more by @egibs in #419
  • false positive reduction: apt, auditd, dockerd, etc. by @r0cketlad in #420
  • FPR: containerd, cupsd, etc by @r0cketlad in #421
  • fpr: zypper, bambu, terraform, etc by @r0cketlad in #422
  • fpr: mostly uid0 things by @r0cketlad in #423
  • fpr: mc, colima, webfilterproxyd, headlamp, record it, etc by @tstromberg in #424
  • fpr: mumble, gvproxy, chainlink, telegram, systemd, IRCCloud, nfsd by @tstromberg in #425
  • fpr: mark exotic queries as extra, add flatpak/pop-os uid0 procs by @tstromberg in #426
  • suspicious systemd: accept any char instead of single quote by @tstromberg in #427
  • Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more by @egibs in #428
  • small fpr push: chainlink, spotify, pycharm, and goland by @r0cketlad in #429
  • Add exceptions for JetBrains, snapd, various printer drivers, and more by @egibs in #430
  • fpr: fuscript, linuxbrew, snapd, msedge by @r0cketlad in #431
  • fpr: keyd, virtlogd, dnsmasq, Creative Cloud, Orum, etc by @tstromberg in #432
  • FPR for extensions, go build artifacts, pkpass files, signed authors, and more by @egibs in #433
  • Add Zoom to the launchd list by @mattlorimor in #434
  • Add Keybase hosts to allowed disk image source list by @mattlorimor in #435
  • End-of-year FPR by @egibs in #437
  • makefile: update sql reformat to use in-place --fix by @tstromberg in #439
  • fpr: Thunderbird, keyd, old binaries, zed, etckeeper, anacron, macOS updates by @tstromberg in #438
  • fpr: Docker, CyberDuck (G69SCX94XU), Duet, Roon, Kolide by @tstromberg in #440
  • fpr: udevd, docker, ssh, aws, zed, git, bluefin by @tstromberg in #441
  • fpr: docker, nix, macOS, evernote, writerside, newgrp, roon, etc by @tstromberg in #442
  • Add newly-documented Chrome Extension authors by @egibs in #443
  • fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc. by @tstromberg in #444
  • fpr: Chrome, bwrap, rsyslogd, gmail, rust by @tstromberg in #445
  • fpr: qemu, cargo-install, adguard, ankerwork, talos, nbd, expressvpn, vim, passwd by @mattlorimor in #446
  • Sort a bunch of lines and remove duplicates by @mattlorimor in #447
  • fpr: LGBV, Adguard, containerd, mddiagnose, etc. by @mattlorimor in #448
  • Remove redundant line by @mattlorimor in #449
  • fpr: lots of false positive reduction by @mattlorimor in #450
  • More fpr by @mattlorimor in #451
  • fpr: and rule consolidation by @mattlorimor in #452
  • fpr: regex bug fix; lots of fprs by @mattlorimor in #453
  • fpr: sway, buildkitd, chrome, elastic, plugable, minecraft, terraform, etc by @tstromberg in #454
  • fpr: eksctl, Chrome Extensions, Vanta, sway, etc by @tstromberg in #455
  • Update python3 lines to use VERSION by @tstromberg in #456
  • fpr: Linux updates, reset unexpected Chrome Extensions & refactor macos listening by @tstromberg in #457
  • fpr: re-add missing Chrome extensions, more Linux adjustments by @tstromberg in #458
  • fpr: kubernetes pods, clickshare, repos, zig-cache by @tstromberg in #459
  • add 1-3 (low,medium,high) criticality prefix to alert names by @tstromberg in #460
  • fpr: Debian Linux, Nix, and Chromium snaps by @tstromberg in #461
  • fpr: mal, docker, warp, chromium, bose, mozilla by @tstromberg in #462
  • Fix diskimage regexp, disable touched linux, handle recently reintroduced noise by @tstromberg in #463
  • fpr: nvidia-caps, wolfi*, random tools by @tstromberg in #464
  • fpr: datadog, nordvpn, claude, minecraftlauncher, eksctl by @tstromberg in #465
  • fpr: podman, docker, iotop, pop-launcher, go, argo, ObjSee by @tstromberg in #466
  • fpr: multipass, ChatGPT, Geocomply, librewolf, mbsync, Canon drivers by @tstromberg in #467
  • fpr: local cmd, librewolf, Slack shipit by @tstromberg in #468
  • fpr: Slack, ncdu, glances, dovecat, OrbStack, macOS, Beeper Desktop by @tstromberg in #469
  • fpr: expensify, avi, dovecot by @mattlorimor in #470
  • fpr: Focusrite, Dovecot, ModemManager, Kolide launcher, etc by @tstromberg in #471
  • fpr: lxd, geoclue, fast readers, chrome extensions, etc by @tstromberg in #472
  • Add Salesforce exfil detection by @tstromberg in #473
  • fpr: cloudcode, iris, go, solaar, surfshark, ubuntu, geocomply, etc by @tstromberg in #474
  • fpr: Chainguard OS, Finch, xcover, Dropbox by @tstromberg in #475
  • fpr: Filter regular HTTPS connections, librewolf, xcover, evernote, etc. by @tstromberg in #476
  • fpr: lima, git-lfs, firefox, vmware, Typora, Kolide, Elastic by @tstromberg in #477
  • Add exceptions for ~/Development & uv-lock by @tstromberg in #478
  • fpr: Canon, Snap, dget, Logitech, kolide, terraform, docker by @tstromberg in #480
  • fpr: Debian, popularity-contest, irqbalance, OpenAI, Vercel by @tstromberg in #481
  • fpr: Ubiquiti by @michaelsc44 in #483
  • fpr: Ubiquiti, Wifiman by @michaelsc44 in #484
  • [StepSecurity] Apply security best practices by @stepsecurity-app in #482
  • fpr: crc, rsyslog, Determinate_Systems by @michaelsc44 in #485
  • fpr: DeterminateSystems, Razer, SUSE, alacritty by @michaelsc44 in #486
  • fpr: crc, nix, razer, docker, clair, wispr flow, etc. by @tstromberg in #487

New Contributors

Full Changelog: v1.18.0...v1.19.0