More false positives removal

net/unexpected-talkers-linux.sql

@@ -238,6 +238,7 @@ WHERE
     "8006,6,500,chrome",
     "80,6,0,dnf",
     "80,6,0,NetworkManager",
+    "443,6,500,x11-ssh-askpass",
     "80,6,0,pacman",
     "80,6,0,tailscaled",
     "80,6,0,.tailscaled-wra",

process/parent-missing-from-disk.sql

@@ -1,7 +1,7 @@
 -- Parent PID is not on disk
 -- Reveals boopkit if a child is spawned
-SELECT
-  p.name AS child_name,
+-- TODO: Make mount namespace aware
+SELECT p.name AS child_name,
   p.pid AS child_pid,
   p.path AS child_path,
   p.cmdline AS child_cmd,
@@ -15,24 +15,27 @@ SELECT
   pp.on_disk AS parent_on_disk,
   pp.uid AS parent_uid,
   pp.gid AS parent_gid
-FROM
-  processes p
+FROM processes p
   JOIN processes pp ON pp.pid = p.parent
-WHERE
-  parent_on_disk != 1
+WHERE parent_on_disk != 1
   AND child_on_disk = 1
   AND NOT child_pid IN (1, 2)
   AND NOT parent_pid IN (1, 2) -- launchd, kthreadd
   AND NOT parent_path IN (
-    '/opt/google/chrome/chrome',
-    '/usr/bin/gnome-shell'
-  )
-  -- long-running launchers
-  AND NOT parent_name IN ('lightdm', 'nvim', 'gnome-shell', 'slack')
-  -- These alerts were unfortunately useless - lots of spam on macOS
+    "/opt/google/chrome/chrome",
+    "/usr/bin/gnome-shell"
+  ) -- long-running launchers
+  AND NOT parent_name IN (
+    "lightdm",
+    "nvim",
+    "gnome-shell",
+    "slack",
+    "kube-proxy",
+    "kubelet"
+  ) -- These alerts were unfortunately useless - lots of spam on macOS
   AND NOT (
     parent_path = ""
     AND p.uid > 500
   )
-  AND parent_path NOT LIKE '/app/extra/%'
-  AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
+  AND parent_path NOT LIKE "/app/extra/%"
+  AND parent_path NOT LIKE "/opt/homebrew/Cellar/%"

process/unexpected-privileged-executable.sql

@@ -1,28 +0,0 @@
-SELECT
-  p.pid,
-  p.name,
-  p.path,
-  p.cmdline,
-  p.cwd,
-  p.uid,
-  f.mode
-FROM
-  processes p
-  JOIN file f ON p.path = f.path
-WHERE
-  f.mode NOT LIKE "0%"
-  AND f.path NOT IN (
-    "/bin/ps",
-    "/Library/DropboxHelperTools/Dropbox_u501/dbkextd",
-    "/opt/1Password/1Password-BrowserSupport",
-    "/opt/1Password/1Password-KeyringHelper",
-    "/usr/bin/doas",
-    "/usr/bin/mount",
-    "/usr/bin/fusermount",
-    "/usr/bin/fusermount3",
-    "/usr/bin/login",
-    "/usr/bin/ssh-agent",
-    "/usr/bin/su",
-    "/usr/bin/sudo",
-    "/usr/bin/top"
-  );

process/unexpected-uid0-process-linux.sql

@@ -1,87 +0,0 @@
-SELECT p.pid,
-    p.name,
-    p.path,
-    p.euid,
-    p.gid,
-    f.ctime,
-    f.directory AS dirname,
-    p.cmdline,
-    mnt_namespace,
-    hash.sha256,
-    pp.name AS parent_name,
-    pp.cmdline AS parent_cmdline
-FROM processes p
-    LEFT JOIN file f ON p.path = f.path
-    LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid
-    LEFT JOIN hash ON p.path = hash.path
-    LEFT JOIN processes pp ON p.parent = pp.pid
-WHERE p.uid = 0
-    AND (strftime('%s', 'now') - p.start_time) > 120
-    -- use osquery as the reference mount namespace
-    AND mnt_namespace IN (
-        SELECT DISTINCT (mnt_namespace)
-        FROM process_namespaces
-            JOIN processes ON processes.pid = process_namespaces.pid
-        WHERE processes.name IN ("osqueryi", "osqueryd")
-    )
-    AND p.path NOT IN (
-        "", -- Not a file-based process
-        "/usr/lib/systemd/systemd",
-        "/usr/sbin/tailscaled",
-        "/usr/bin/dockerd",
-        "/usr/bin/containerd",
-        "/usr/bin/gpg-agent",
-        "/usr/libexec/scdaemon",
-        "/usr/libexec/docker/docker-proxy",
-        "/usr/bin/containerd-shim-runc-v2",
-        "/usr/sbin/pcscd",
-        "/usr/lib/systemd/systemd-journald",
-        "/usr/libexec/accounts-daemon",
-        "/usr/lib/systemd/systemd-homed",
-        "/usr/lib/systemd/systemd-machined",
-        "/usr/libexec/udisks2/udisksd",
-        "/usr/sbin/alsactl",
-        "/usr/sbin/abrtd",
-        "/usr/bin/abrt-dump-journal-core",
-        "/usr/bin/abrt-dump-journal-oops",
-        "/usr/bin/abrt-dump-journal-xorg",
-        "/usr/sbin/cupsd",
-        "/usr/sbin/gssproxy",
-        "/usr/sbin/wpa_supplicant",
-        "/usr/sbin/abrt-dbus",
-        "/usr/sbin/gdm",
-        "/usr/libexec/packagekitd",
-        "/usr/libexec/gdm-session-worker",
-        "/usr/bin/docker-proxy",
-        "/usr/bin/journalctl",
-        "/usr/lib/udisks2/udisksd",
-        "/usr/bin/crond",
-        "/usr/bin/lightdm",
-        "/usr/lib/Xorg",
-        "/usr/bin/osqueryd",
-        "/usr/bin/wpa_supplicant",
-        "/usr/sbin/cups-browsed",
-        "/usr/sbin/acpid",
-        "/usr/sbin/cron",
-        "/usr/libexec/polkitd",
-        "/usr/sbin/zed",
-        "/usr/sbin/gdm3",
-        "/usr/libexec/snapd/snapd",
-        "/usr/libexec/sssd/sssd_kcm",
-        "/usr/bin/tailscaled",
-        "/usr/lib/gdm-session-worker",
-        "/usr/bin/gdm",
-        "/snap/snapd/17029/usr/lib/snapd/snapd"
-    )
-    -- Because I don't want to whitelist all of Python3
-    AND p.cmdline NOT IN (
-        "/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid",
-        "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",
-        "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers"
-    )
-    AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
-    AND p.path NOT LIKE "/usr/local/kolide-k2/bin/launcher-updates/%/launcher"
-    AND p.path NOT LIKE "/nix/store/%/bin/%"
-    AND p.path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd%"
-    AND p.path NOT LIKE "/nix/store/%/libexec/%"
-    AND p.path NOT LIKE "/snap/snapd/%/usr/lib/snapd/snapd"