osquery-defense-kit/fs/unexpected-setuid-binaries.sql

284 lines
6.9 KiB
MySQL
Raw Normal View History

SELECT
file.path,
gid,
uid,
mode,
type,
size,
sha256
FROM
file
JOIN hash ON file.path = hash.path
WHERE
(
file.path LIKE "/bin/%"
OR file.path LIKE "/home/%/bin/%"
OR file.path LIKE "/opt/%/bin/%"
OR file.path LIKE "/opt/%/sbin/%"
OR file.path LIKE "/sbin/%"
OR file.path LIKE "/tmp/%"
OR file.path LIKE "/Users/%/bin/%"
OR file.path LIKE "/usr/bin/%"
OR file.path LIKE "/usr/lib/%"
OR file.path LIKE "/usr/lib64/%"
OR file.path LIKE "/usr/libexec/%"
OR file.path LIKE "/usr/local/bin/%"
OR file.path LIKE "/usr/local/lib/%"
OR file.path LIKE "/usr/local/lib64/%"
OR file.path LIKE "/usr/local/libexec/%"
OR file.path LIKE "/usr/local/sbin/%"
OR file.path LIKE "/usr/sbin/%"
OR file.path LIKE "/var/lib/%"
OR file.path LIKE "/var/tmp/%"
)
2022-09-26 22:27:43 +00:00
AND type = "regular"
AND mode NOT LIKE "0%"
AND mode NOT LIKE "1%"
AND mode NOT LIKE "2%"
AND NOT (
2022-09-26 22:27:43 +00:00
mode LIKE "4%11"
AND uid = 0
AND gid = 0
AND file.path IN (
2022-09-26 22:27:43 +00:00
"/bin/cdda2wav",
"/bin/cdrecord",
"/bin/icedax",
"/bin/mount.nfs",
"/bin/mount.nfs4",
"/bin/readcd",
"/bin/readom",
"/bin/rscsi",
"/bin/staprun",
"/bin/sudo",
"/bin/sudoedit",
"/bin/umount.nfs",
"/bin/umount.nfs4",
"/bin/wodim",
"/sbin/cdda2wav",
"/sbin/cdrecord",
"/sbin/icedax",
"/sbin/mount.nfs",
"/sbin/mount.nfs4",
"/sbin/readcd",
"/sbin/readom",
"/sbin/rscsi",
"/sbin/umount.nfs",
"/sbin/umount.nfs4",
"/sbin/userhelper",
"/sbin/wodim",
"/usr/bin/cdda2wav",
"/usr/bin/cdrecord",
"/usr/bin/icedax",
"/usr/bin/mount.nfs",
"/usr/bin/mount.nfs4",
"/usr/bin/readcd",
"/usr/bin/readom",
"/usr/bin/rscsi",
"/usr/bin/staprun",
"/usr/bin/sudo",
"/usr/bin/sudoedit",
"/usr/bin/umount.nfs",
"/usr/bin/umount.nfs4",
"/usr/bin/wodim",
"/usr/libexec/security_authtrampoline",
"/usr/sbin/cdda2wav",
"/usr/sbin/cdrecord",
"/usr/sbin/icedax",
"/usr/sbin/mount.nfs",
"/usr/sbin/mount.nfs4",
"/usr/sbin/readcd",
"/usr/sbin/readom",
"/usr/sbin/rscsi",
"/usr/sbin/umount.nfs",
"/usr/sbin/umount.nfs4",
"/usr/sbin/userhelper",
"/usr/sbin/wodim"
2022-09-10 17:10:54 +00:00
)
)
AND NOT (
2022-09-26 22:27:43 +00:00
mode LIKE "4%55"
AND uid = 0
AND gid = 0
AND file.path IN (
2022-09-26 22:27:43 +00:00
"/bin/chage",
"/bin/chfn",
"/bin/chsh",
"/bin/crontab",
"/bin/doas",
"/bin/expiry",
"/bin/fusermount-glusterfs",
"/bin/fusermount",
"/bin/fusermount3",
"/bin/gpasswd",
"/bin/ksu",
"/bin/mount",
"/bin/ndisc6",
"/bin/newgidmap",
"/bin/newgrp",
"/bin/newuidmap",
"/usr/bin/newgidmap",
"/bin/nvidia-modprobe",
"/bin/passwd",
"/bin/pkexec",
"/bin/ps",
"/bin/rdisc6",
"/bin/rltraceroute6",
"/bin/sg",
"/bin/su",
"/bin/sudo",
"/bin/sudoedit",
"/bin/suexec",
"/bin/ubuntu-core-launcher",
"/bin/umount",
"/bin/vmware-user-suid-wrapper",
"/bin/vmware-user",
"/sbin/chage",
"/sbin/chfn",
"/sbin/chsh",
"/sbin/crontab",
"/sbin/doas",
"/sbin/expiry",
"/sbin/fusermount",
"/sbin/fusermount3",
"/sbin/gpasswd",
"/sbin/grub2-set-bootflag",
"/sbin/ksu",
"/sbin/mount.nfs",
"/sbin/mount.nfs4",
"/sbin/mount",
"/sbin/ndisc6",
"/sbin/newgrp",
"/sbin/nvidia-modprobe",
"/sbin/pam_timestamp_check",
"/sbin/passwd",
"/sbin/pkexec",
"/sbin/rdisc6",
"/sbin/rltraceroute6",
"/sbin/sg",
"/sbin/su",
"/sbin/sudo",
"/sbin/sudoedit",
"/sbin/suexec",
"/sbin/umount.nfs",
"/sbin/umount.nfs4",
"/sbin/umount",
"/sbin/unix_chkpwd",
"/usr/bin/at",
"/usr/bin/atq",
"/usr/bin/atrm",
"/usr/bin/batch",
"/usr/bin/chage",
"/usr/bin/chfn",
"/usr/bin/chsh",
"/usr/bin/crontab",
"/usr/bin/doas",
"/usr/bin/expiry",
"/usr/bin/fusermount-glusterfs",
"/usr/bin/fusermount",
"/usr/bin/fusermount3",
"/usr/bin/gpasswd",
"/usr/bin/ksu",
"/usr/bin/login",
"/usr/bin/mount",
"/usr/bin/ndisc6",
"/usr/bin/newgrp",
"/usr/bin/newuidmap",
"/usr/bin/nvidia-modprobe",
"/usr/bin/passwd",
"/usr/bin/pkexec",
"/usr/bin/quota",
2022-09-29 19:42:27 +00:00
"/usr/bin/mullvad-exclude",
"/usr/sbin/mullvad-exclude",
2022-09-26 22:27:43 +00:00
"/usr/bin/rdisc6",
"/usr/bin/rltraceroute6",
"/usr/bin/sg",
2022-09-29 19:42:27 +00:00
"/sbin/mullvad-exclude",
"/bin/mullvad-exclude",
2022-09-26 22:27:43 +00:00
"/usr/bin/su",
"/usr/bin/sudo",
"/usr/bin/sudoedit",
"/usr/bin/suexec",
"/usr/bin/top",
"/usr/bin/ubuntu-core-launcher",
"/usr/bin/umount",
"/usr/bin/vmware-user-suid-wrapper",
"/usr/bin/vmware-user",
"/usr/lib/mail-dotlock",
"/usr/lib/xf86-video-intel-backlight-helper",
"/usr/lib/Xorg.wrap",
"/usr/lib64/mail-dotlock",
"/usr/lib64/xf86-video-intel-backlight-helper",
"/usr/lib64/Xorg.wrap",
"/usr/libexec/authopen",
"/usr/libexec/polkit-agent-helper-1",
"/usr/libexec/qemu-bridge-helper",
"/usr/libexec/Xorg.wrap",
"/usr/sbin/chage",
"/usr/sbin/chfn",
"/usr/sbin/chsh",
"/usr/sbin/crontab",
"/usr/sbin/doas",
"/usr/sbin/expiry",
"/usr/sbin/fusermount",
"/usr/sbin/fusermount3",
"/usr/sbin/gpasswd",
"/usr/sbin/grub2-set-bootflag",
"/usr/sbin/ksu",
"/usr/sbin/mount.nfs",
"/usr/sbin/mount.nfs4",
"/usr/sbin/mount",
"/usr/sbin/ndisc6",
"/usr/sbin/newgrp",
"/usr/sbin/nvidia-modprobe",
"/usr/sbin/pam_timestamp_check",
"/usr/sbin/passwd",
"/usr/sbin/pkexec",
"/usr/sbin/rdisc6",
"/usr/sbin/rltraceroute6",
"/usr/sbin/sg",
"/usr/sbin/su",
"/usr/sbin/sudo",
"/usr/sbin/sudoedit",
"/usr/sbin/suexec",
"/usr/sbin/traceroute",
"/usr/sbin/traceroute6",
"/usr/sbin/umount.nfs",
"/usr/sbin/umount.nfs4",
"/usr/sbin/umount",
"/usr/sbin/unix_chkpwd"
2022-09-10 17:10:54 +00:00
)
)
AND NOT (
2022-09-26 22:27:43 +00:00
mode = "4754"
AND uid = 0
AND gid = 30
2022-09-26 22:27:43 +00:00
AND file.path IN ("/usr/sbin/pppd", "/sbin/pppd")
)
AND NOT (
2022-09-26 22:27:43 +00:00
mode = "6755"
AND uid = 0
AND gid = 0
AND file.path IN (
2022-09-26 22:27:43 +00:00
"/bin/mount.cifs",
"/bin/mount.smb3",
"/bin/unix_chkpwd",
"/sbin/mount.cifs",
"/sbin/mount.smb3",
"/sbin/unix_chkpwd",
"/usr/bin/mount.cifs",
"/usr/bin/mount.smb3",
"/usr/bin/unix_chkpwd",
"/usr/lib/xtest",
"/usr/lib64/xtest",
"/usr/sbin/mount.cifs",
"/usr/sbin/mount.smb3",
"/usr/sbin/unix_chkpwd"
2022-09-10 17:10:54 +00:00
)
)
AND NOT (
2022-09-26 22:27:43 +00:00
mode = "4110"
AND uid = 0
AND gid = 156
2022-09-26 22:27:43 +00:00
AND file.path IN ("/bin/staprun", "/usr/bin/staprun")
)