osquery-defense-kit/policy/unexpected-rsa-keys-mdfind.sql

40 lines
1.3 KiB
MySQL
Raw Normal View History

-- Indicative of stored RSA keys just sitting around unencrypted
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
ea.value AS url
FROM
mdfind
JOIN file ON mdfind.path = file.path
JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
2023-05-08 17:20:47 +00:00
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
AND ea.key = 'where_from'
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
mdfind.query = "kMDItemFSName == '*.rsa'"
AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
AND size BETWEEN 128 AND 8192
-- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
-- Don't alert on tokens that begin with the users full name and a dash
AND NOT INSTR(
filename,
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
2023-05-05 16:44:46 +00:00
AND NOT file.filename LIKE '%example.com%'
AND NOT file.filename LIKE 'local-%.rsa'
AND NOT file.filename LIKE 'test-%.rsa'
AND NOT file.filename LIKE 'demo-%.rsa'
AND NOT file.path LIKE "%/testdata/%"
2023-05-08 17:20:47 +00:00
GROUP BY
file.path