osquery-defense-kit/detection/execution/unexpected-env-values-linux...

-- Applications setting environment variables to bypass security protections
--
-- Inpsired by BPFdoor and other intrusions
-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
--
-- WARNING: This query is known to require a higher than average wall time.
--
-- tags: transient state
-- interval: 600
-- platform: linux
SELECT key,
  value,
  p.pid,
  p.path,
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
-- Querying processes first and filtering by time gives a massive 20X speed improvement
-- over querying process_envs first and JOIN'ing against processes
FROM processes p
  LEFT JOIN process_envs pe ON p.pid = pe.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE -- This time should match the interval
  p.start_time > (strftime('%s', 'now') - 600)
  AND (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/home/%/.%_history'
  )
  OR (
    key = 'LD_PRELOAD'
    AND NOT p.path LIKE '%/firefox'
    AND NOT pe.value = 'libfakeroot.so'
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
    AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
    AND NOT pe.value LIKE ':/snap/%'
    AND NOT pe.value LIKE '/app/bin/%'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
  )
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Applications setting environment variables to bypass security protections`
			`--`
Just about done 2022-09-08 21:58:56 +00:00			`-- Inpsired by BPFdoor and other intrusions`
			`-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- WARNING: This query is known to require a higher than average wall time.`
			`--`
Reduce query intervals for some higher overhead queries 2022-10-20 18:56:16 +00:00			`-- tags: transient state`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`-- interval: 600`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- platform: linux`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`SELECT key,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`value,`
			`p.pid,`
			`p.path,`
			`p.cmdline,`
			`p.parent AS parent_pid,`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`pp.cmdline AS parent_cmd`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`-- Querying processes first and filtering by time gives a massive 20X speed improvement`
			`-- over querying process_envs first and JOIN'ing against processes`
			`FROM processes p`
			`LEFT JOIN process_envs pe ON p.pid = pe.pid`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`LEFT JOIN processes pp ON p.parent = pp.pid`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`WHERE -- This time should match the interval`
			`p.start_time > (strftime('%s', 'now') - 600)`
			`AND (`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`key = 'HISTFILE'`
			`AND NOT VALUE LIKE '/home/%/.%_history'`
			`)`
			`OR (`
			`key = 'LD_PRELOAD'`
			`AND NOT p.path LIKE '%/firefox'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND NOT pe.value = 'libfakeroot.so'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT pe.value LIKE ':/home/%/.local/share/Steam'`
			`AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'`
			`AND NOT pe.value LIKE ':/snap/%'`
			`AND NOT pe.value LIKE '/app/bin/%'`
			`AND NOT pe.value LIKE 'libmozsandbox.so%'`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`)`