diff --git a/net/unexpected-talkers-linux.sql b/net/unexpected-talkers-linux.sql
index bb97334..169e9bc 100644
--- a/net/unexpected-talkers-linux.sql
+++ b/net/unexpected-talkers-linux.sql
@@ -238,6 +238,7 @@ WHERE
 "8006,6,500,chrome",
 "80,6,0,dnf",
 "80,6,0,NetworkManager",
+ "443,6,500,x11-ssh-askpass",
 "80,6,0,pacman",
 "80,6,0,tailscaled",
 "80,6,0,.tailscaled-wra",
diff --git a/process/parent-missing-from-disk.sql b/process/parent-missing-from-disk.sql
index 02b2b39..15cc5a5 100644
--- a/process/parent-missing-from-disk.sql
+++ b/process/parent-missing-from-disk.sql
@@ -1,7 +1,7 @@
 -- Parent PID is not on disk
 -- Reveals boopkit if a child is spawned
-SELECT
- p.name AS child_name,
+-- TODO: Make mount namespace aware
+SELECT p.name AS child_name,
 p.pid AS child_pid,
 p.path AS child_path,
 p.cmdline AS child_cmd,
@@ -15,24 +15,27 @@ SELECT
 pp.on_disk AS parent_on_disk,
 pp.uid AS parent_uid,
 pp.gid AS parent_gid
-FROM
- processes p
+FROM processes p
 JOIN processes pp ON pp.pid = p.parent
-WHERE
- parent_on_disk != 1
+WHERE parent_on_disk != 1
 AND child_on_disk = 1
 AND NOT child_pid IN (1, 2)
 AND NOT parent_pid IN (1, 2) -- launchd, kthreadd
 AND NOT parent_path IN (
- '/opt/google/chrome/chrome',
- '/usr/bin/gnome-shell'
- )
- -- long-running launchers
- AND NOT parent_name IN ('lightdm', 'nvim', 'gnome-shell', 'slack')
- -- These alerts were unfortunately useless - lots of spam on macOS
+ "/opt/google/chrome/chrome",
+ "/usr/bin/gnome-shell"
+ ) -- long-running launchers
+ AND NOT parent_name IN (
+ "lightdm",
+ "nvim",
+ "gnome-shell",
+ "slack",
+ "kube-proxy",
+ "kubelet"
+ ) -- These alerts were unfortunately useless - lots of spam on macOS
 AND NOT (
 parent_path = ""
 AND p.uid > 500
 )
- AND parent_path NOT LIKE '/app/extra/%'
- AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
+ AND parent_path NOT LIKE "/app/extra/%"
+ AND parent_path NOT LIKE "/opt/homebrew/Cellar/%"
\ No newline at end of file
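Review bot: The added exception `"443,6,500,x11-ssh-askpass"` suppresses a finding for a helper whose only job is to show a local passphrase dialog, and nothing in the hunk records why it was seen reaching port 443; an exception that contradicts a program's expected behaviour should carry its reason inline, e.g. `"443,6,500,x11-ssh-askpass", -- TODO(reviewer): record the destination/cause that was observed`. The list appears to be keyed on port, protocol, uid and process name, so this entry matches on a self-reported name alone and is broader than the path-based exclusions used in the sibling queries of this diff; if the surrounding query exposes a destination column, a narrower match would shrink the blind spot. The enclosing WHERE and its IN list begin before and continue after this hunk.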
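Review bot: The reformatted new side attaches the two explanatory comments to the wrong clauses: `) -- long-running launchers` now closes the `parent_path` list although the comment describes the `parent_name` list that follows, and `) -- These alerts were unfortunately useless - lots of spam on macOS` now closes the `parent_name` list although, read like the file's other leading comments, it explains the `parent_path = "" AND p.uid > 500` exclusion below it. Restoring each comment on its own line directly above the clause it describes (`-- long-running launchers` before `AND NOT parent_name IN (`, the macOS comment before `AND NOT (`) keeps the rationale readable. The new `"kube-proxy"` and `"kubelet"` exclusions key on `parent_name`, a process-reported value, while the chrome and gnome-shell exclusions above key on `parent_path`; matching the kube parents by path as well would make the exception harder for an unrelated process to fall under. The SELECT this WHERE belongs to starts before the hunk.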
diff --git a/process/unexpected-privileged-executable.sql b/process/unexpected-privileged-executable.sql
deleted file mode 100644
index b836029..0000000
--- a/process/unexpected-privileged-executable.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-SELECT
- p.pid,
- p.name,
- p.path,
- p.cmdline,
- p.cwd,
- p.uid,
- f.mode
-FROM
- processes p
- JOIN file f ON p.path = f.path
-WHERE
- f.mode NOT LIKE "0%"
- AND f.path NOT IN (
- "/bin/ps",
- "/Library/DropboxHelperTools/Dropbox_u501/dbkextd",
- "/opt/1Password/1Password-BrowserSupport",
- "/opt/1Password/1Password-KeyringHelper",
- "/usr/bin/doas",
- "/usr/bin/mount",
- "/usr/bin/fusermount",
- "/usr/bin/fusermount3",
- "/usr/bin/login",
- "/usr/bin/ssh-agent",
- "/usr/bin/su",
- "/usr/bin/sudo",
- "/usr/bin/top"
- );
diff --git a/process/unexpected-uid0-process-linux.sql b/process/unexpected-uid0-process-linux.sql
deleted file mode 100644
index e63a29b..0000000
--- a/process/unexpected-uid0-process-linux.sql
+++ /dev/null
@@ -1,87 +0,0 @@
-SELECT p.pid,
- p.name,
- p.path,
- p.euid,
- p.gid,
- f.ctime,
- f.directory AS dirname,
- p.cmdline,
- mnt_namespace,
- hash.sha256,
- pp.name AS parent_name,
- pp.cmdline AS parent_cmdline
-FROM processes p
- LEFT JOIN file f ON p.path = f.path
- LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid
- LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN processes pp ON p.parent = pp.pid
-WHERE p.uid = 0
- AND (strftime('%s', 'now') - p.start_time) > 120
- -- use osquery as the reference mount namespace
- AND mnt_namespace IN (
- SELECT DISTINCT (mnt_namespace)
- FROM process_namespaces
- JOIN processes ON processes.pid = process_namespaces.pid
- WHERE processes.name IN ("osqueryi", "osqueryd")
- )
- AND p.path NOT IN (
- "", -- Not a file-based process
- "/usr/lib/systemd/systemd",
- "/usr/sbin/tailscaled",
- "/usr/bin/dockerd",
- "/usr/bin/containerd",
- "/usr/bin/gpg-agent",
- "/usr/libexec/scdaemon",
- "/usr/libexec/docker/docker-proxy",
- "/usr/bin/containerd-shim-runc-v2",
- "/usr/sbin/pcscd",
- "/usr/lib/systemd/systemd-journald",
- "/usr/libexec/accounts-daemon",
- "/usr/lib/systemd/systemd-homed",
- "/usr/lib/systemd/systemd-machined",
- "/usr/libexec/udisks2/udisksd",
- "/usr/sbin/alsactl",
- "/usr/sbin/abrtd",
- "/usr/bin/abrt-dump-journal-core",
- "/usr/bin/abrt-dump-journal-oops",
- "/usr/bin/abrt-dump-journal-xorg",
- "/usr/sbin/cupsd",
- "/usr/sbin/gssproxy",
- "/usr/sbin/wpa_supplicant",
- "/usr/sbin/abrt-dbus",
- "/usr/sbin/gdm",
- "/usr/libexec/packagekitd",
- "/usr/libexec/gdm-session-worker",
- "/usr/bin/docker-proxy",
- "/usr/bin/journalctl",
- "/usr/lib/udisks2/udisksd",
- "/usr/bin/crond",
- "/usr/bin/lightdm",
- "/usr/lib/Xorg",
- "/usr/bin/osqueryd",
- "/usr/bin/wpa_supplicant",
- "/usr/sbin/cups-browsed",
- "/usr/sbin/acpid",
- "/usr/sbin/cron",
- "/usr/libexec/polkitd",
- "/usr/sbin/zed",
- "/usr/sbin/gdm3",
- "/usr/libexec/snapd/snapd",
- "/usr/libexec/sssd/sssd_kcm",
- "/usr/bin/tailscaled",
- "/usr/lib/gdm-session-worker",
- "/usr/bin/gdm",
- "/snap/snapd/17029/usr/lib/snapd/snapd"
- )
- -- Because I don't want to whitelist all of Python3
- AND p.cmdline NOT IN (
- "/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid",
- "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",
- "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers"
- )
- AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
- AND p.path NOT LIKE "/usr/local/kolide-k2/bin/launcher-updates/%/launcher"
- AND p.path NOT LIKE "/nix/store/%/bin/%"
- AND p.path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd%"
- AND p.path NOT LIKE "/nix/store/%/libexec/%"
- AND p.path NOT LIKE "/snap/snapd/%/usr/lib/snapd/snapd"
\ No newline at end of file