osquery-defense-kit/fs/unexpected-tmp-executables.sql


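-- Regular files with an execute bit set under the system temp directories
-- that do not match the allowlist below. Joins against the magic and hash
-- tables so each alert carries the detected file type and a SHA-256 for
-- triage.
--
-- osquery notes:
--   * `path LIKE '/tmp/%%'` is osquery's recursive wildcard for the file
--     table (a single '%' only matches one directory level), so the doubled
--     '%%' must stay as written.
--   * `mode` is a TEXT permission string such as '0755' or '4755'. Only the
--     last three digits are the owner/group/other triplets, so the execute
--     check is made on substr(mode, -3): this avoids matching a leading
--     setuid/setgid/sticky digit and catches every digit with the x bit set
--     (1, 3, 5, 7), where the previous "%7%"/"%5%"/"%1%" checks missed '3'.
SELECT
    file.path,
    uid,
    gid,
    mode,
    file.mtime,
    magic.data,
    hash.sha256
FROM file
INNER JOIN magic ON magic.path = file.path
INNER JOIN hash ON hash.path = file.path
WHERE (file.path LIKE '/tmp/%%' OR file.path LIKE '/var/tmp/%%')
  AND file.type = 'regular'
  -- at least one rwx triplet has the execute bit set
  AND substr(file.mode, -3) GLOB '*[1357]*'
  -- Allowlist: build caches and tooling known to stage binaries under tmp.
  -- '%/bin/%' subsumes the former '%/bin/%-gen' entry. NOTE(review): it is
  -- broad (any path with a /bin/ component under tmp is suppressed); scope
  -- it down if the environment allows.
  AND file.path NOT LIKE '%go-build%'
  AND file.path NOT LIKE '%/bin/%'
  AND file.path NOT LIKE '%/ko/%'
  AND file.path NOT LIKE '%/CCLBS/%'
  AND file.path NOT LIKE '%/tmp/epdf%'
  AND file.path NOT LIKE '%/pdf-tools/%'
  AND file.path NOT LIKE '/tmp/%.sh'
  AND file.path NOT LIKE '/tmp/terraformer/%'
  AND file.path NOT LIKE '/tmp/checkout/%'
  AND file.path NOT LIKE '/tmp/guile-%/guile-%'
  AND file.path NOT LIKE '/tmp/com.apple.installer%'
  -- Nix: sandboxed build output owned by root group and the build-user uid
  -- range (presumably the nixbld accounts — confirm against the host).
  AND NOT (file.directory LIKE '/tmp/tmp%' AND gid = 0 AND uid > 300 AND uid < 350)
  -- Don't alert on files that are only on disk for a moment (transient
  -- build artifacts). This is also a detection gap for very short-lived
  -- executables; the 60s window is a noise trade-off to tune per environment.
  AND NOT (file.directory LIKE '/tmp/%' AND (strftime('%s', 'now') - ctime) < 60)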