osquery-defense-kit/fs/unexpected-hidden-system-fo...

SELECT file.path, uid, gid, mode, mtime, ctime, type, size, hash.sha256, magic.data
FROM file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (
        file.path LIKE '/lib/.%'
        OR file.path LIKE '/.%'
        OR file.path LIKE '/bin/%/.%'
        OR file.path LIKE '/lib/%/.%'
        OR file.path LIKE '/libexec/.%'
        OR file.path LIKE '/Library/.%'
        OR file.path LIKE '/sbin/.%'
        OR file.path LIKE '/sbin/%/.%'
        OR file.path LIKE '/tmp/.%'
        OR file.path LIKE '/usr/bin/.%'
        OR file.path LIKE '/usr/lib/.%'
        OR file.path LIKE '/usr/lib/%/.%'
        OR file.path LIKE '/usr/libexec/.%'
        OR file.path LIKE '/usr/local/bin/.%'
        OR file.path LIKE '/usr/local/lib/.%'
        OR file.path LIKE '/usr/local/lib/.%'
        OR file.path LIKE '/usr/local/libexec/.%'
        OR file.path LIKE '/usr/local/sbin/.%'
        OR file.path LIKE '/usr/sbin/.%'
        OR file.path LIKE '/var/.%'
        OR file.path LIKE '/var/lib/.%'
        OR file.path LIKE '/var/tmp/.%'
        OR file.path LIKE '/dev/.%'
    )
    -- Avoid mentioning extremely temporary files
    AND strftime('%s', 'now') - file.ctime > 20
    AND file.path NOT IN (
        '/.autorelabel',
        '/.file',
        '/.vol/',
        '/.VolumeIcon.icns',
        '/tmp/._contentbarrier_installed',
        '/tmp/../',
        '/tmp/./',
        '/tmp/.%.lock',
        '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
        '/tmp/.dotnet/',
        '/tmp/.font-unix/',
        '/tmp/.ICE-unix/',
        '/tmp/.Test-unix/',
        '/tmp/.X0-lock',
        '/tmp/.X1-lock',
        '/tmp/.X11-unix/',
        '/tmp/.XIM-unix/',
        '/var/.Parallels_swap/',
        '/dev/.mdadm/'
    )
    AND file.path NOT LIKE '/tmp/.#%'
    AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'
    AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'
    AND file.path NOT LIKE '/tmp/.X1%-lock'
    AND file.path NOT LIKE '/usr/local/%/.keepme'
    AND file.path NOT LIKE '%/../'
    AND file.path NOT LIKE '%/./'
    AND file.path NOT LIKE '%/.build-id/'
    AND file.path NOT LIKE '%/.dwz/'
    AND file.path NOT LIKE '%/.updated'
    AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
    AND file.path NOT LIKE '%/google-cloud-sdk/.install/'
    AND file.path NOT LIKE '/tmp/.%.gcode'
    AND NOT (type == 'regular' AND (filename LIKE "%.swp" OR size < 2))
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`SELECT file.path, uid, gid, mode, mtime, ctime, type, size, hash.sha256, magic.data`
Add osquery packs 2022-08-31 18:34:42 +00:00			`FROM file`
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`LEFT JOIN hash ON file.path = hash.path`
			`LEFT JOIN magic ON file.path = magic.path`
Add osquery packs 2022-08-31 18:34:42 +00:00			`WHERE (`
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`file.path LIKE '/lib/.%'`
			`OR file.path LIKE '/.%'`
			`OR file.path LIKE '/bin/%/.%'`
			`OR file.path LIKE '/lib/%/.%'`
			`OR file.path LIKE '/libexec/.%'`
			`OR file.path LIKE '/Library/.%'`
			`OR file.path LIKE '/sbin/.%'`
			`OR file.path LIKE '/sbin/%/.%'`
			`OR file.path LIKE '/tmp/.%'`
			`OR file.path LIKE '/usr/bin/.%'`
			`OR file.path LIKE '/usr/lib/.%'`
			`OR file.path LIKE '/usr/lib/%/.%'`
			`OR file.path LIKE '/usr/libexec/.%'`
			`OR file.path LIKE '/usr/local/bin/.%'`
			`OR file.path LIKE '/usr/local/lib/.%'`
			`OR file.path LIKE '/usr/local/lib/.%'`
			`OR file.path LIKE '/usr/local/libexec/.%'`
			`OR file.path LIKE '/usr/local/sbin/.%'`
			`OR file.path LIKE '/usr/sbin/.%'`
			`OR file.path LIKE '/var/.%'`
			`OR file.path LIKE '/var/lib/.%'`
			`OR file.path LIKE '/var/tmp/.%'`
			`OR file.path LIKE '/dev/.%'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`)`
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`-- Avoid mentioning extremely temporary files`
			`AND strftime('%s', 'now') - file.ctime > 20`
			`AND file.path NOT IN (`
more updates 2022-09-01 18:47:27 +00:00			`'/.autorelabel',`
			`'/.file',`
			`'/.vol/',`
			`'/.VolumeIcon.icns',`
			`'/tmp/._contentbarrier_installed',`
			`'/tmp/../',`
			`'/tmp/./',`
			`'/tmp/.%.lock',`
			`'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',`
Reorganize paths, tune queries a bit 2022-09-09 16:51:52 +00:00			`'/tmp/.dotnet/',`
more updates 2022-09-01 18:47:27 +00:00			`'/tmp/.font-unix/',`
			`'/tmp/.ICE-unix/',`
			`'/tmp/.Test-unix/',`
			`'/tmp/.X0-lock',`
			`'/tmp/.X1-lock',`
			`'/tmp/.X11-unix/',`
			`'/tmp/.XIM-unix/',`
More monday tuning 2022-09-12 22:25:18 +00:00			`'/var/.Parallels_swap/',`
			`'/dev/.mdadm/'`
Add osquery packs 2022-08-31 18:34:42 +00:00			`)`
Lots of treats for the boys and girls 2022-09-14 00:46:04 +00:00			`AND file.path NOT LIKE '/tmp/.#%'`
			`AND file.path NOT LIKE '/tmp/.com.google.Chrome.%'`
			`AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%'`
			`AND file.path NOT LIKE '/tmp/.X1%-lock'`
			`AND file.path NOT LIKE '/usr/local/%/.keepme'`
			`AND file.path NOT LIKE '%/../'`
			`AND file.path NOT LIKE '%/./'`
			`AND file.path NOT LIKE '%/.build-id/'`
			`AND file.path NOT LIKE '%/.dwz/'`
			`AND file.path NOT LIKE '%/.updated'`
			`AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'`
			`AND file.path NOT LIKE '%/google-cloud-sdk/.install/'`
			`AND file.path NOT LIKE '/tmp/.%.gcode'`
			`AND NOT (type == 'regular' AND (filename LIKE "%.swp" OR size < 2))`