@@ -124,44 +124,6 @@ file where event.action in ("open", "creation", "modification") and event.outcom
124124 "Unattended.xml")
125125 )
126126
127- // Exclusions
128- not (
129- // Claude accessing own credentials
130- (process.name == "security" and
131- process.parent.name in ("claude", "claude.exe", "Claude", "node", "node.exe") and
132- process.command_line like~ ("*Claude Code*", "*Claude Code-credentials*", "*claude-code*")) or
133-
134- // GenAI tools accessing own config
135- (file.path like~ ("*Claude*", "*Cursor*", "*claude-code*", "*/anthropic/*",
136- "*/.ollama/*", "*Ollama*", "*codex*", "*Jan*", "*/jan/*",
137- "*Copilot*", "*LM Studio*", "*gpt4all*") and
138- process.parent.name in ("claude", "claude.exe", "Claude", "cursor", "cursor.exe",
139- "Cursor", "ollama", "ollama.exe", "Ollama", "codex", "codex.exe",
140- "Jan", "jan", "Copilot", "LM Studio", "gpt4all")) or
141-
142- // IDE extensions accessing state files
143- (file.path like~ ("*/.vscode/*", "*/.cursor/*") and
144- process.executable like~ ("*/.vscode/extensions/*", "*/.cursor/extensions/*")) or
145-
146- // Shell config sourcing (read-only)
147- (event.action == "open" and
148- process.name in ("zsh", "bash", "sh", "fish") and
149- process.parent.name in ("claude", "claude.exe", "cursor", "cursor.exe", "codex", "codex.exe",
150- "Jan", "jan", "Ollama", "ollama", "LM Studio") and
151- file.path like~ ("*/.zshrc", "*/.bashrc", "*/.bash_profile", "*/.profile")) or
152-
153- // Code search tools
154- (process.name in ("rg", "ripgrep") or process.command_line like~ "*--ripgrep*") or
155-
156- // Git config (not credentials)
157- (process.name == "git" and
158- file.path like~ ("*/.gitconfig", "*/.git/config", "*/.git/HEAD") and
159- not file.path like~ "*/.git-credentials*") or
160-
161- // System info commands
162- process.name in ("uname", "sw_vers", "which", "hostname", "id", "whoami",
163- "ioreg", "scutil", "defaults", "env", "getconf", "locale")
164- )
165127'''
166128
167129[[rule .threat ]]