mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-02-27 07:20:28 +00:00
22 lines
478 B
MySQL
22 lines
478 B
MySQL
|
-- Find unexpected executables in /dev
|
||
|
|
SELECT file.path,
|
||
|
|
file.directory,
|
||
|
|
uid,
|
||
|
|
gid,
|
||
|
|
mode,
|
||
|
|
file.mtime,
|
||
|
|
file.size,
|
||
|
|
hash.sha256,
|
||
|
|
magic.data
|
||
|
|
FROM file
|
||
|
|
LEFT JOIN hash on file.path = hash.path
|
||
|
|
LEFT JOIN magic ON file.path = magic.path
|
||
|
|
-- For some reason /dev/%% is not recursive?
|
||
|
|
WHERE (file.path LIKE "/dev/%%" OR file.path LIKE "/dev/%%/%%")
|
||
|
|
AND file.type = "regular"
|
||
|
|
AND (
|
||
|
|
file.mode LIKE "%7%"
|
||
|
|
or file.mode LIKE "%5%"
|
||
|
|
or file.mode LIKE "%1%"
|
||
|
|
)
|