2022-11-18 14:32:00 +00:00
|
|
|
-- Find programs which spawn root children without propagating environment variables
|
|
|
|
--
|
|
|
|
-- references:
|
|
|
|
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
|
|
|
|
--
|
|
|
|
-- tags: persistent state daemon process
|
|
|
|
-- interval: 600
|
|
|
|
-- platform: linux
|
|
|
|
SELECT
|
|
|
|
COUNT(key) AS count,
|
|
|
|
p.pid,
|
|
|
|
p.path,
|
|
|
|
p.name,
|
|
|
|
p.on_disk,
|
|
|
|
p.cgroup_path,
|
|
|
|
hash.sha256,
|
|
|
|
p.parent,
|
|
|
|
p.cmdline,
|
2023-02-01 18:55:55 +00:00
|
|
|
p.cwd,
|
2022-11-18 14:32:00 +00:00
|
|
|
pp.name AS parent_name,
|
|
|
|
pp.cmdline AS parent_cmd
|
|
|
|
-- Processes is 20X faster to scan than process_envs
|
|
|
|
FROM
|
|
|
|
processes p
|
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
|
|
LEFT JOIN process_envs pe ON p.pid = pe.pid
|
|
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
|
|
WHERE
|
|
|
|
p.euid = 0
|
|
|
|
-- This time should match the interval
|
2023-02-08 19:37:09 +00:00
|
|
|
AND p.start_time > (strftime('%s', 'now') - 601)
|
|
|
|
-- Filter out transient processes that may not have an envs entry by the time we poll for it
|
2022-11-18 14:32:00 +00:00
|
|
|
AND p.start_time < (strftime('%s', 'now') - 1)
|
|
|
|
AND p.parent NOT IN (0, 2)
|
|
|
|
AND NOT p.path IS NULL
|
|
|
|
AND p.name NOT IN (
|
2022-12-19 23:06:06 +00:00
|
|
|
'applydeltarpm',
|
2022-11-18 14:32:00 +00:00
|
|
|
'bwrap',
|
2023-02-09 22:01:29 +00:00
|
|
|
'crond',
|
2022-11-18 14:32:00 +00:00
|
|
|
'cupsd',
|
2022-12-19 23:06:06 +00:00
|
|
|
'dhcpcd',
|
2023-02-09 01:06:26 +00:00
|
|
|
'1Password-Keyri',
|
2022-12-19 23:06:06 +00:00
|
|
|
'modprobe',
|
|
|
|
'dnf',
|
2023-01-27 01:40:47 +00:00
|
|
|
'gdm-x-session',
|
2023-01-03 13:50:19 +00:00
|
|
|
'systemd-udevd',
|
2022-11-22 14:24:03 +00:00
|
|
|
'gdm-session-wor',
|
2023-01-27 01:40:47 +00:00
|
|
|
'systemd-userwor',
|
2023-01-06 22:11:24 +00:00
|
|
|
'fprintd',
|
2023-01-16 18:55:53 +00:00
|
|
|
'systemd',
|
2022-12-19 23:06:06 +00:00
|
|
|
'gpg-agent',
|
2023-01-14 13:19:26 +00:00
|
|
|
'systemd-userdbd',
|
2022-12-19 23:06:06 +00:00
|
|
|
'nginx',
|
2022-11-18 14:32:00 +00:00
|
|
|
'sshd',
|
2023-01-09 14:34:20 +00:00
|
|
|
'zfs',
|
2023-01-03 13:50:19 +00:00
|
|
|
'ssh',
|
2023-01-06 15:36:48 +00:00
|
|
|
'sedispatch',
|
2022-11-18 14:32:00 +00:00
|
|
|
'zypak-sandbox'
|
|
|
|
)
|
2023-02-09 22:01:29 +00:00
|
|
|
AND NOT pp.name IN ('systemd-userdbd', 'crond')
|
2022-12-15 15:20:16 +00:00
|
|
|
AND NOT (
|
|
|
|
p.name LIKE 'systemd-%'
|
|
|
|
AND p.parent = 1
|
|
|
|
)
|
2023-02-09 22:01:29 +00:00
|
|
|
AND NOT p.cgroup_path IN ('/system.slice/cronie.service')
|
2022-11-18 14:32:00 +00:00
|
|
|
AND NOT pp.cmdline LIKE 'bwrap %'
|
|
|
|
AND NOT p.cmdline LIKE '%--type=zygote%'
|
|
|
|
AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
|
|
|
|
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
|
2023-01-09 20:10:48 +00:00
|
|
|
AND NOT (
|
|
|
|
p.name = 'sh'
|
|
|
|
AND p.cgroup_path = '/system.slice/znapzend.service'
|
|
|
|
)
|
2022-11-18 14:32:00 +00:00
|
|
|
GROUP BY
|
|
|
|
p.pid
|
|
|
|
HAVING
|
|
|
|
count == 0;
|