RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
osquery-defense-kit/detection/impact/unexpected-etc-hosts.sql

32 lines
691 B
MySQL
Raw Normal View History

Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
SELECT
*
FROM
etc_hosts
WHERE
hostnames NOT IN (
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'localhost',
'localhost ip6-localhost ip6-loopback',
Add more localhost entries
2022-10-13 22:08:03 +00:00
'localhost localhost.localdomain localhost4 localhost4.localdomain4',
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'ip6-allnodes',
'ip6-allrouters',
'kubernetes'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
)
AND address NOT IN (
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'127.0.1.1',
Add more localhost entries
2022-10-13 22:08:03 +00:00
'127.0.0.1',
Migrate query strings from double to single apostrophes
2022-10-13 18:59:32 +00:00
'::1',
'ff02::1',
'ff02::2',
'255.255.255.255',
'fe00::0',
'ff00::0'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
)
AND hostnames NOT LIKE 'localhost.%'
AND hostnames NOT LIKE '%.svc'
Filter out vaikas dev hostnames
2022-10-13 21:58:29 +00:00
AND hostnames NOT LIKE '%.%-%.%.dev'
Add *.wtf to allow list
2022-10-13 22:06:07 +00:00
AND hostnames NOT LIKE '%.wtf'
Format everything with 'npx sql-formatter -l sqlite'
2022-09-24 15:12:23 +00:00
AND hostnames NOT LIKE '%.test'
AND hostnames NOT LIKE '%.internal'
AND hostnames NOT LIKE '%.local'
AND hostnames NOT LIKE 'ip6-%'