mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-25 15:22:05 +00:00
fpr: libopenblas, snapd, k3d, opera, nix, ssh, cargo, adobe installer
parent
260e9abb5a
commit
0202e87b73
@ -108,6 +108,7 @@ WHERE
|
||||
AND NOT exception_key IN (
|
||||
'500,bash,bash,,bash',
|
||||
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
|
||||
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
|
||||
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
|
||||
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
@ -150,5 +151,10 @@ WHERE
|
||||
AND p0.cwd = '/'
|
||||
AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'
|
||||
)
|
||||
-- nix socket inheritance
|
||||
AND NOT (
|
||||
p0.path LIKE '/nix/store/%/bin/%'
|
||||
AND p1.path LIKE '/nix/store/%/bin/%'
|
||||
)
|
||||
GROUP BY
|
||||
p0.cmdline
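Review bot: The new `-- nix socket inheritance` exemption is decided on path alone, so any process pair whose paths both match `/nix/store/%/bin/%` drops out of the results. In SQLite `LIKE`, `%` also matches `/`, so the pattern covers any depth below the store. On a single-user Nix install the store may be writable by the installing user rather than root-only, which this hunk cannot show and is worth confirming for the fleet. The comment could record that assumption, e.g. `-- nix socket inheritance: path-only match, assumes /nix/store is not user-writable`. Separately, the context line just above, `AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'`, compares with `=`, which treats `%` literally; if a pattern match was intended it needs `LIKE`.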
|
||||
|
@ -112,7 +112,6 @@ WHERE pos.protocol > 0
|
||||
AND s.authority = 'Software Signing'
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
"500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos",
|
||||
'500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
|
||||
'500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
|
||||
'500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
|
||||
@ -130,11 +129,14 @@ WHERE pos.protocol > 0
|
||||
'500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
|
||||
'500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
|
||||
'500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
|
||||
'500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
|
||||
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
|
||||
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
|
||||
'500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
|
||||
'500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
|
||||
'500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
|
||||
'500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
|
||||
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
|
||||
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
|
||||
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
|
||||
) -- Useful for unsigned binaries
|
||||
@ -142,12 +144,17 @@ WHERE pos.protocol > 0
|
||||
'500,6,22,ssh,ssh,500u,20g',
|
||||
'500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
|
||||
'500,6,22,ssh,ssh,500u,80g',
|
||||
'500,6,22,ssh,ssh,0u,500g',
|
||||
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g'
|
||||
)
|
||||
AND NOT (
|
||||
exception_key LIKE '500,6,%,syncthing,syncthing,,syncthing'
|
||||
AND remote_port > 1024
|
||||
)
|
||||
AND NOT (
|
||||
exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
|
||||
AND remote_port > 1024
|
||||
)
|
||||
AND NOT (
|
||||
alt_exception_key = '500,6,80,main,main,500u,20g'
|
||||
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
|
||||
@ -155,7 +162,7 @@ WHERE pos.protocol > 0
|
||||
AND NOT (
|
||||
(
|
||||
pos.remote_port = 80
|
||||
OR pos.remote_port > 5000
|
||||
OR pos.remote_port > 3400
|
||||
)
|
||||
AND id_exception_key IN (
|
||||
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
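Review bot: The port test in the last hunk appears to change from `pos.remote_port > 5000` to `pos.remote_port > 3400` (the page prints both lines without markers), which widens the exemption for every identity in the `id_exception_key` list that follows, not only the application that caused the false positive. Nothing in the hunk records which application or port motivated it; a comment such as `-- <app> connects to TCP <port>; keep this range as narrow as the observed traffic` would make the next change reviewable. If a single port is involved, `OR pos.remote_port = <port>` keeps the detection intact for the rest of 3401-5000. The `id_exception_key` list continues outside the hunk.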
|
||||
|
@ -60,7 +60,7 @@ FROM
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
p0.path != ""
|
||||
p0.path != ''
|
||||
AND NOT p0.name == basename
|
||||
AND NOT (
|
||||
LENGTH(basename) > 1
|
||||
@ -75,31 +75,32 @@ WHERE
|
||||
AND INSTR(LOWER(p0.name), LOWER(short_filename)) > 0
|
||||
) -- Extremely common and unpredictable process name setters
|
||||
AND NOT base_letters IN (
|
||||
"bash",
|
||||
"dash",
|
||||
"electron",
|
||||
"firefox",
|
||||
"node",
|
||||
"perl",
|
||||
"python",
|
||||
"ruby",
|
||||
"thunderbird"
|
||||
'bash',
|
||||
'dash',
|
||||
'electron',
|
||||
'firefox',
|
||||
'node',
|
||||
'perl',
|
||||
'python',
|
||||
'ruby',
|
||||
'thunderbird'
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
"0,udevadm,systemd-udevd",
|
||||
"125,systemd,(sd-pam)",
|
||||
"42,systemd,(sd-pam)",
|
||||
"500,vim.basic,vi",
|
||||
"120,systemd,(sd-pam)",
|
||||
"127,systemd,(sd-pam)",
|
||||
"0,udevadm,(udev-worker)",
|
||||
"500,pyrogenesis,main",
|
||||
"500,plugin-container,MainThread",
|
||||
"500,gjs-console,gnome-character",
|
||||
"500,rootlesskit,exe",
|
||||
"500,rootlessport,exe",
|
||||
"500,systemd,(sd-pam)",
|
||||
"500,udevadm,systemd-udevd"
|
||||
'0,udevadm,systemd-udevd',
|
||||
'0,udevadm,(udev-worker)',
|
||||
'120,systemd,(sd-pam)',
|
||||
'125,systemd,(sd-pam)',
|
||||
'127,systemd,(sd-pam)',
|
||||
'42,systemd,(sd-pam)',
|
||||
'500,coreutils,tail',
|
||||
'500,gjs-console,gnome-character',
|
||||
'500,plugin-container,MainThread',
|
||||
'500,pyrogenesis,main',
|
||||
'500,rootlesskit,exe',
|
||||
'500,rootlessport,exe',
|
||||
'500,systemd,(sd-pam)',
|
||||
'500,udevadm,systemd-udevd'
|
||||
'500,vim.basic,vi',
|
||||
)
|
||||
AND NOT p0.path IN ('/usr/lib/systemd/systemd')
|
||||
GROUP by
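Review bot: The rewritten `exception_key` list is not valid SQL as rendered: `'500,udevadm,systemd-udevd'` has no trailing comma although `'500,vim.basic,vi',` now follows it, and that last entry keeps a comma directly before `)`. A query that fails to parse stops producing results instead of alerting, so the detection would go quiet rather than noisy. The end of the list should read `'500,udevadm,systemd-udevd',` followed by `'500,vim.basic,vi'`. The re-sorted `p1.path` list in the next file section has the same shape (`'/usr/lib/systemd/systemd'` without a comma, `'/usr/share/code/code',` directly before `)`) and needs the same fix.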
|
||||
|
@ -49,26 +49,27 @@ WHERE
|
||||
AND NOT p0.pid IN (1, 2)
|
||||
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
|
||||
AND NOT p1.path IN (
|
||||
'/opt/brave.com/brave/brave',
|
||||
'/opt/google/chrome/chrome',
|
||||
'/usr/bin/alacritty',
|
||||
'/usr/bin/doas',
|
||||
'/usr/libexec/gdm-x-session',
|
||||
'/usr/bin/dockerd',
|
||||
'/usr/sbin/gdm3',
|
||||
'/usr/bin/fusermount3',
|
||||
'/usr/bin/gnome-shell',
|
||||
'/usr/sbin/sshd',
|
||||
'/usr/sbin/auditd',
|
||||
'/usr/bin/ibus-daemon',
|
||||
'/usr/bin/kitty',
|
||||
'/usr/bin/tmux',
|
||||
'/usr/share/code/code',
|
||||
'/opt/brave.com/brave/brave',
|
||||
'/usr/libexec/gdm-wayland-session',
|
||||
'/usr/bin/osqueryd',
|
||||
'/usr/bin/sudo',
|
||||
'/usr/bin/tmux',
|
||||
'/usr/bin/yay',
|
||||
'/usr/libexec/gdm-wayland-session',
|
||||
'/usr/libexec/gdm-x-session',
|
||||
'/usr/libexec/gnome-terminal-server',
|
||||
'/usr/lib/systemd/systemd'
|
||||
'/usr/sbin/auditd',
|
||||
'/usr/sbin/gdm3',
|
||||
'/usr/sbin/sshd',
|
||||
'/usr/share/code/code',
|
||||
) -- long-running launchers
|
||||
AND NOT p1.name IN (
|
||||
'lightdm',
|
||||
|
@ -75,6 +75,7 @@ WHERE
|
||||
'/usr/bin/make',
|
||||
'/usr/bin/cargo',
|
||||
'/usr/bin/containerd',
|
||||
'/usr/libexec/power-profiles-daemon',
|
||||
'/usr/bin/containerd-shim-runc-v2',
|
||||
'/usr/bin/docker',
|
||||
'/usr/bin/dockerd',
|
||||
@ -177,6 +178,7 @@ WHERE
|
||||
'/usr/share/teams/team'
|
||||
)
|
||||
AND NOT p0.path LIKE '/home/%/bin/%'
|
||||
AND NOT p0.path LIKE '/home/%/git/%'
|
||||
AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
|
||||
AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
|
||||
AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%/GoLand/___%'
|
||||
|
@ -81,6 +81,7 @@ WHERE
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/Zed/languages/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
|
||||
AND NOT PATH LIKE '/Users/%/Library/Caches/JetBrains/GoLand2023.1/tmp/GoLand/___%'
|
||||
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
|
||||
|
@ -158,6 +158,7 @@ WHERE
|
||||
'~/code/bin',
|
||||
'~/Downloads/google-cloud-sdk/bin',
|
||||
'~/Downloads/protoc/bin',
|
||||
'/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS',
|
||||
'~/go/bin',
|
||||
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS',
|
||||
'~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (GPU).app/Contents/MacOS',
|
||||
|
@ -77,6 +77,7 @@ WHERE
|
||||
AND exception_key NOT IN (
|
||||
'0,nix,nix,',
|
||||
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'500,bash,bash,',
|
||||
'500,bash,com.apple.bash,Software Signing',
|
||||
'500,Bazecor Helper,,',
|
||||
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
|
||||
@ -95,11 +96,8 @@ WHERE
|
||||
'500,cosign,a.out,',
|
||||
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
|
||||
'500,crane,a.out,',
|
||||
'500,gitsign,a.out,',
|
||||
'500,debug.test,a.out,',
|
||||
'500,dive,a.out,',
|
||||
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
|
||||
'500,bash,bash,',
|
||||
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
|
||||
'500,dlv,a.out,',
|
||||
'500,Duckly,Electron,',
|
||||
@ -111,12 +109,14 @@ WHERE
|
||||
'500,fake,a.out,',
|
||||
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
|
||||
'500,git,git,',
|
||||
'500,gitsign,a.out,',
|
||||
'500,gitsign-credential-cache,a.out,',
|
||||
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
||||
'500,go,a.out,',
|
||||
'500,gopls,a.out,',
|
||||
'500,gopls,gopls,',
|
||||
'500,gpg-agent,gpg-agent,',
|
||||
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
|
||||
'500,hugo,a.out,',
|
||||
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
||||
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
@ -148,6 +148,7 @@ WHERE
|
||||
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,snyk-ls_darwin_arm64,a.out,',
|
||||
'500,ssh,ssh,',
|
||||
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,stern,a.out,',
|
||||
@ -172,6 +173,10 @@ WHERE
|
||||
exception_key LIKE '500,python3.%,%,'
|
||||
AND p0.path LIKE '/opt/homebrew/%/bin/python'
|
||||
)
|
||||
AND NOT (
|
||||
exception_Key LIKE '500,%,a.out,'
|
||||
AND p0.path LIKE '/Users/%/go/bin/%'
|
||||
)
|
||||
AND NOT exception_key LIKE '500,___Test%.test,a.out,'
|
||||
AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
|
||||
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
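Review bot: The added `AND NOT (exception_Key LIKE '500,%,a.out,' AND p0.path LIKE '/Users/%/go/bin/%')` block exempts every binary with an `a.out` identifier and an empty signing authority under a user-writable directory, which is much broader than the per-tool entries such as `'500,cosign,a.out,'` in the list above. If that trade-off is intended, say so in a comment, e.g. `-- unsigned Go binaries in ~/go/bin: user-writable, accepted to cut noise`, so later readers know the gap is deliberate. `exception_Key` should be spelled `exception_key` like the neighbouring lines; SQLite resolves it either way, but a text search for the column name does not. The WHERE clause continues outside the hunk.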
|
||||
|
@ -57,6 +57,7 @@ WHERE
|
||||
AND p0.name NOT IN (
|
||||
'bash',
|
||||
'bwrap',
|
||||
'cargo',
|
||||
'chrome',
|
||||
'clamscan',
|
||||
'code',
|
||||
@ -112,6 +113,7 @@ WHERE
|
||||
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
|
||||
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
|
||||
'/usr/bin/apt',
|
||||
'/app/libexec/mediawriter/helper',
|
||||
'/usr/bin/darktable',
|
||||
'/usr/bin/dockerd',
|
||||
'/usr/bin/gnome-shell',
|
||||
|
@ -62,6 +62,7 @@ WHERE
|
||||
'false,,NVD Cleaner,',
|
||||
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
|
||||
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
|
||||
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
|
||||
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
|
||||
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
|
||||
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
|
||||
@ -152,6 +153,7 @@ WHERE
|
||||
'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj',
|
||||
'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb',
|
||||
'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall',
|
||||
'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc',
|
||||
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
|
||||
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc',
|
||||
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
|
||||
@ -167,15 +169,10 @@ WHERE
|
||||
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
|
||||
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
|
||||
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
|
||||
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
|
||||
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
|
||||
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
|
||||
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
|
||||
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
|
||||
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
|
||||
'true,,RetailMeNot Deal Finder™️,jjfblogammkiefalfpafidabbnamoknm',
|
||||
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
|
||||
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
|
||||
'true,,RetailMeNot Deal Finder™️,jjfblogammkiefalfpafidabbnamoknm',
|
||||
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
|
||||
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
|
||||
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
|
||||
@ -183,6 +180,7 @@ WHERE
|
||||
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
|
||||
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
|
||||
'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
|
||||
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
|
||||
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea',
|
||||
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
|
||||
'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap',
|
||||
@ -203,6 +201,7 @@ WHERE
|
||||
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
|
||||
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
|
||||
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
|
||||
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
|
||||
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
|
||||
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
|
||||
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
|
||||
@ -214,6 +213,8 @@ WHERE
|
||||
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
|
||||
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
|
||||
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
|
||||
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
|
||||
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
|
||||
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
|
||||
)
|
||||
GROUP BY
|
||||
|
@ -189,6 +189,7 @@ WHERE
|
||||
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
|
||||
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
|
||||
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
|
||||
|
@ -33,6 +33,8 @@ WHERE
|
||||
'gcr.io/k8s-minikube/kicbase',
|
||||
'ghcr.io/wolfi-dev/sdk',
|
||||
'kindest/node',
|
||||
-- blame k3d/k3s for this
|
||||
'docker.io/library/registry',
|
||||
'moby/buildkit',
|
||||
'wolfi'
|
||||
)
|
||||
|
@ -71,8 +71,10 @@ WHERE
|
||||
AND NOT file.filename LIKE '%latest%'
|
||||
AND NOT file.filename LIKE '%2022%'
|
||||
AND NOT file.filename LIKE '%2023%'
|
||||
AND NOT file.filename LIKE 'host-project-%'
|
||||
AND NOT file.filename LIKE '%spdx%'
|
||||
AND NOT file.filename LIKE '%-v1%'
|
||||
AND NOT file.filename LIKE 'libopenblas-%'
|
||||
-- Well known demo keys
|
||||
AND NOT hash.sha256 IN (
|
||||
'11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
|
||||
@ -87,6 +89,7 @@ WHERE
|
||||
'b68896dc8e8c23ade371cf8b5c9d25853d81b4cfa5baa2bc0200d9242a903d80',
|
||||
'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
|
||||
'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
|
||||
'a0f925d91d2ae1d38c13305572b2bf027e09f39e8bea575d55e8fcd5f3bf8b32',
|
||||
'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14'
|
||||
)
|
||||
GROUP BY
|
||||
|