osquery-defense-kit/process/unexpected-executable-permi...

SELECT p.pid,
    p.name,
    p.path,
    f.mode,
    f.uid,
    f.gid
FROM processes p
    JOIN file f ON p.path = f.path
WHERE f.mode NOT IN (
    '0755',
    '4555',
    '0555',
    '0775',
    '0500',
    '4511',
    '0544',
)
AND NOT (f.path = '/opt/1Password/1Password-BrowserSupport' AND f.mode = '2755' AND uid>500)
AND NOT (f.path = '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService' AND f.mode = '0777' AND uid>500)
AND NOT (f.path = '/usr/bin/fusermount3' AND f.mode='4755')
Just about done 2022-09-08 21:58:56 +00:00			`SELECT p.pid,`
			`p.name,`
			`p.path,`
			`f.mode,`
			`f.uid,`
			`f.gid`
			`FROM processes p`
			`JOIN file f ON p.path = f.path`
			`WHERE f.mode NOT IN (`
			`'0755',`
			`'4555',`
			`'0555',`
			`'0775',`
			`'0500',`
			`'4511',`
			`'0544',`
			`)`
			`AND NOT (f.path = '/opt/1Password/1Password-BrowserSupport' AND f.mode = '2755' AND uid>500)`
			`AND NOT (f.path = '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService' AND f.mode = '0777' AND uid>500)`
			`AND NOT (f.path = '/usr/bin/fusermount3' AND f.mode='4755')`