osquery-defense-kit/fd/unexpected-bpf-user.sql

SELECT pmm.pid,
    p.uid,
    p.path AS proc_path,
    p.cmdline AS proc_cmdline,
    pmm.path AS lib_path
FROM process_memory_map pmm
    JOIN processes p ON pmm.pid = p.pid
WHERE (lib_path LIKE "%:bpf%" OR lib_path LIKE "%libbpf%")
AND p.path != '/usr/lib/systemd/systemd'
GROUP BY pmm.pid
Add bpf detector 2022-09-10 19:14:46 +00:00			`SELECT pmm.pid,`
			`p.uid,`
More tuning, more scripts 2022-09-11 19:07:54 +00:00			`p.path AS proc_path,`
			`p.cmdline AS proc_cmdline,`
			`pmm.path AS lib_path`
Add bpf detector 2022-09-10 19:14:46 +00:00			`FROM process_memory_map pmm`
			`JOIN processes p ON pmm.pid = p.pid`
More tuning, more scripts 2022-09-11 19:07:54 +00:00			`WHERE (lib_path LIKE "%:bpf%" OR lib_path LIKE "%libbpf%")`
			`AND p.path != '/usr/lib/systemd/systemd'`
			`GROUP BY pmm.pid`