osquery-defense-kit/fs/unexpected-setuid-binaries.sql

258 lines
6.9 KiB
MySQL
Raw Normal View History

2022-09-10 17:10:54 +00:00
SELECT file.path, gid, uid, mode, type, size, sha256
-- missed many directories
FROM file
JOIN hash ON file.path = hash.path
WHERE
(
file.path LIKE "/bin/%"
OR file.path LIKE "/sbin/%"
OR file.path LIKE "/usr/sbin/%"
OR file.path LIKE "/usr/lib/%"
OR file.path LIKE "/usr/lib64/%"
OR file.path LIKE "/usr/bin/%"
OR file.path LIKE "/usr/libexec/%"
OR file.path LIKE "/usr/local/bin/%"
OR file.path LIKE "/usr/local/sbin/%"
OR file.path LIKE "/opt/%/bin/%"
OR file.path LIKE "/opt/%/sbin/%"
OR file.path LIKE "/usr/local/lib/%"
OR file.path LIKE "/usr/local/lib64/%"
OR file.path LIKE "/usr/local/libexec/%"
OR file.path LIKE "/var/lib/%"
OR file.path LIKE "/var/tmp/%"
OR file.path LIKE "/tmp/%"
OR file.path LIKE "/home/%/bin/%"
OR file.path LIKE "/Users/%/bin/%"
)
AND type='regular'
AND mode NOT LIKE "0%"
AND mode NOT LIKE "1%"
2022-09-12 15:17:51 +00:00
AND mode NOT LIKE "2%"
2022-09-10 17:10:54 +00:00
AND NOT (mode LIKE '4%11' AND uid=0 AND gid=0 AND
file.path IN (
'/usr/sbin/wodim',
'/usr/sbin/userhelper',
'/usr/sbin/umount.nfs4',
'/usr/sbin/umount.nfs',
'/usr/sbin/rscsi',
'/usr/sbin/readom',
'/usr/sbin/readcd',
'/usr/sbin/mount.nfs4',
'/usr/sbin/mount.nfs',
'/usr/sbin/icedax',
'/usr/sbin/cdrecord',
'/usr/sbin/cdda2wav',
'/usr/bin/wodim',
'/usr/bin/umount.nfs4',
'/usr/bin/umount.nfs',
'/usr/bin/sudoedit',
'/usr/bin/sudo',
'/usr/bin/rscsi',
'/usr/bin/readom',
'/usr/bin/readcd',
'/usr/bin/mount.nfs4',
'/usr/bin/mount.nfs',
'/usr/bin/icedax',
'/usr/bin/cdrecord',
'/usr/bin/cdda2wav',
'/sbin/wodim',
'/sbin/userhelper',
'/sbin/umount.nfs4',
'/sbin/umount.nfs',
'/sbin/rscsi',
'/sbin/readom',
'/sbin/readcd',
'/sbin/mount.nfs4',
'/sbin/mount.nfs',
'/sbin/icedax',
'/sbin/cdrecord',
'/sbin/cdda2wav',
'/bin/wodim',
'/bin/umount.nfs4',
'/bin/umount.nfs',
'/bin/sudoedit',
'/bin/sudo',
'/bin/rscsi',
'/bin/readom',
'/bin/readcd',
'/bin/mount.nfs4',
'/bin/mount.nfs',
'/bin/icedax',
'/bin/cdrecord',
'/bin/cdda2wav',
2022-09-12 15:17:51 +00:00
'/usr/bin/staprun',
'/bin/staprun',
2022-09-10 17:10:54 +00:00
'/usr/libexec/security_authtrampoline'
)
)
AND NOT (mode LIKE '4%55' AND uid=0 AND gid=0 AND
file.path IN (
'/usr/sbin/unix_chkpwd',
'/usr/sbin/umount.nfs4',
'/usr/sbin/umount.nfs',
'/usr/sbin/umount',
'/usr/libexec/authopen',
'/bin/nvidia-modprobe',
'/sbin/nvidia-modprobe',
'/usr/bin/nvidia-modprobe',
'/usr/sbin/nvidia-modprobe',
'/usr/sbin/traceroute6',
'/usr/sbin/traceroute',
'/usr/sbin/suexec',
'/usr/sbin/sudoedit',
'/usr/sbin/sudo',
'/usr/sbin/su',
'/usr/sbin/sg',
'/usr/sbin/rltraceroute6',
'/usr/sbin/rdisc6',
'/usr/sbin/pkexec',
'/usr/sbin/passwd',
'/usr/sbin/pam_timestamp_check',
'/usr/sbin/newgrp',
'/usr/sbin/ndisc6',
'/usr/sbin/mount.nfs4',
'/usr/sbin/mount.nfs',
'/usr/sbin/mount',
'/usr/sbin/ksu',
'/usr/sbin/grub2-set-bootflag',
'/usr/sbin/gpasswd',
'/usr/sbin/fusermount3',
'/usr/sbin/fusermount',
'/usr/sbin/expiry',
'/usr/sbin/doas',
'/usr/sbin/crontab',
'/usr/sbin/chsh',
'/usr/sbin/chfn',
'/usr/sbin/chage',
'/usr/bin/vmware-user-suid-wrapper',
'/usr/bin/vmware-user',
'/usr/bin/umount',
'/usr/bin/top',
'/usr/bin/suexec',
'/usr/bin/sudoedit',
'/usr/bin/sudo',
'/usr/bin/su',
'/usr/bin/sg',
'/usr/bin/rltraceroute6',
'/usr/bin/rdisc6',
'/usr/bin/quota',
'/usr/bin/pkexec',
'/usr/bin/passwd',
'/usr/bin/newgrp',
'/usr/bin/ndisc6',
'/usr/bin/mount',
'/usr/bin/login',
'/usr/bin/ksu',
'/usr/bin/gpasswd',
'/usr/bin/fusermount-glusterfs',
'/usr/bin/fusermount3',
'/usr/bin/fusermount',
'/usr/bin/expiry',
'/usr/bin/doas',
'/usr/bin/crontab',
'/usr/bin/chsh',
'/usr/bin/chfn',
'/usr/bin/chage',
'/usr/bin/batch',
'/usr/bin/atrm',
'/usr/bin/atq',
'/usr/bin/at',
'/sbin/unix_chkpwd',
'/sbin/umount.nfs4',
'/sbin/umount.nfs',
'/sbin/umount',
'/sbin/suexec',
'/sbin/sudoedit',
'/sbin/sudo',
'/sbin/su',
'/sbin/sg',
'/sbin/rltraceroute6',
'/sbin/rdisc6',
'/sbin/pkexec',
'/sbin/passwd',
'/sbin/pam_timestamp_check',
'/sbin/newgrp',
'/sbin/ndisc6',
'/sbin/mount.nfs4',
'/sbin/mount.nfs',
'/sbin/mount',
'/sbin/ksu',
'/sbin/grub2-set-bootflag',
'/sbin/gpasswd',
'/sbin/fusermount3',
'/sbin/fusermount',
'/sbin/expiry',
'/sbin/doas',
'/sbin/crontab',
'/sbin/chsh',
'/sbin/chfn',
'/sbin/chage',
'/bin/vmware-user-suid-wrapper',
'/bin/vmware-user',
'/bin/umount',
'/bin/suexec',
'/bin/sudoedit',
'/bin/sudo',
'/bin/su',
'/bin/sg',
'/bin/rltraceroute6',
'/bin/rdisc6',
'/bin/ps',
'/bin/pkexec',
'/bin/passwd',
'/bin/newgrp',
'/bin/ndisc6',
'/bin/mount',
'/bin/ksu',
'/bin/gpasswd',
'/bin/fusermount-glusterfs',
'/bin/fusermount3',
'/bin/fusermount',
'/bin/expiry',
'/bin/doas',
'/bin/crontab',
'/bin/chsh',
'/bin/chfn',
'/bin/chage',
'/usr/lib/Xorg.wrap',
'/usr/lib/mail-dotlock',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib64/Xorg.wrap',
'/usr/lib64/mail-dotlock',
'/usr/lib64/xf86-video-intel-backlight-helper',
'/usr/libexec/qemu-bridge-helper',
'/usr/libexec/Xorg.wrap',
2022-09-12 22:25:18 +00:00
'/usr/libexec/polkit-agent-helper-1',
'/bin/newgidmap',
'/bin/newuidmap'
'/usr/bin/newgidmap',
'/usr/bin/newuidmap',
'/bin/ubuntu-core-launcher',
2022-09-10 17:10:54 +00:00
)
)
2022-09-12 22:25:18 +00:00
AND NOT (mode ='4754' AND uid=0 AND gid=30 AND
file.path IN (
'/usr/sbin/pppd',
'/sbin/ppd'
)
2022-09-12 22:25:18 +00:00
)
2022-09-10 17:10:54 +00:00
AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
file.path IN (
'/bin/mount.cifs',
'/bin/mount.smb3',
'/bin/unix_chkpwd',
'/sbin/mount.cifs',
'/sbin/mount.smb3',
'/sbin/unix_chkpwd',
'/usr/bin/mount.cifs',
'/usr/bin/mount.smb3',
'/usr/bin/unix_chkpwd',
'/usr/sbin/mount.cifs',
'/usr/sbin/mount.smb3',
'/usr/sbin/unix_chkpwd',
'/usr/lib/xtest',
'/usr/lib64/xtest'
)
)