osquery-defense-kit/detection/execution/unexpected-env-values-linux...

-- Applications setting environment variables to bypass security protections
--
-- Inpsired by BPFdoor and other intrusions
-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
--
-- WARNING: This query is known to require a higher than average wall time.
--
-- tags: transient state
-- interval: 300
-- platform: linux
SELECT
  p.pid,
  p.name,
  key,
  value,
  LENGTH(value) AS value_len,
  p.path,
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
  -- Querying processes first and filtering by time gives a massive 20X speed improvement
  -- over querying process_envs first and JOIN'ing against processes
FROM
  processes p
  JOIN process_envs pe ON p.pid = pe.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE -- This time should match the interval
  p.start_time > (strftime('%s', 'now') - 300)
  AND (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/home/%/.%_history'
  )
  OR (
    key = 'LD_PRELOAD'
    AND NOT p.path LIKE '%/firefox'
    AND NOT pe.value IN ('libfakeroot.so', '/usr/local/lib/libmimalloc.so')
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
    AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so:/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so'
    AND NOT pe.value LIKE ':/snap/%'
    AND NOT pe.value LIKE '/app/bin/%'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
  )
  -- setuid
  OR (
    LENGTH(value) > 1024
    AND key != 'LS_COLORS'
    AND f.mode IS NOT NULL
    AND f.mode NOT LIKE '0%'
  )
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- Applications setting environment variables to bypass security protections`
			`--`
Just about done 2022-09-08 21:58:56 +00:00			`-- Inpsired by BPFdoor and other intrusions`
			`-- https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`--`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- WARNING: This query is known to require a higher than average wall time.`
			`--`
Reduce query intervals for some higher overhead queries 2022-10-20 18:56:16 +00:00			`-- tags: transient state`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`-- interval: 300`
Split env-values is case it helps decrease CPU time 2022-10-17 21:10:51 +00:00			`-- platform: linux`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`SELECT`
			`p.pid,`
			`p.name,`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`key,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`value,`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`LENGTH(value) AS value_len,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`p.path,`
			`p.cmdline,`
			`p.parent AS parent_pid,`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`pp.cmdline AS parent_cmd`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`-- Querying processes first and filtering by time gives a massive 20X speed improvement`
			`-- over querying process_envs first and JOIN'ing against processes`
			`FROM`
			`processes p`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`JOIN process_envs pe ON p.pid = pe.pid`
			`LEFT JOIN file f ON p.path = f.path`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`LEFT JOIN processes pp ON p.parent = pp.pid`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`WHERE -- This time should match the interval`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`p.start_time > (strftime('%s', 'now') - 300)`
Rewrite process_envs queries for faster performance 2022-10-27 15:26:35 +00:00			`AND (`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`key = 'HISTFILE'`
			`AND NOT VALUE LIKE '/home/%/.%_history'`
			`)`
			`OR (`
			`key = 'LD_PRELOAD'`
			`AND NOT p.path LIKE '%/firefox'`
Add /usr/local/lib/libmimalloc.so to allowed list of LD_PRELOAD 2022-11-10 16:20:58 +00:00			`AND NOT pe.value IN ('libfakeroot.so', '/usr/local/lib/libmimalloc.so')`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT pe.value LIKE ':/home/%/.local/share/Steam'`
			`AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'`
False positives: Chrome extensions, Steam games, tmp files, Photoshop 2023-01-18 19:10:33 +00:00			`AND NOT pe.value LIKE ':/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so:/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so'`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`AND NOT pe.value LIKE ':/snap/%'`
			`AND NOT pe.value LIKE '/app/bin/%'`
			`AND NOT pe.value LIKE 'libmozsandbox.so%'`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`)`
			`-- setuid`
			`OR (`
			`LENGTH(value) > 1024`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`AND key != 'LS_COLORS'`
Add initial setuid env overflow detection 2022-10-30 13:40:31 +00:00			`AND f.mode IS NOT NULL`
			`AND f.mode NOT LIKE '0%'`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`)`