fpr: libopenblas, snapd, k3d, opera, nix, ssh, cargo, adobe installer

Thomas Stromberg 2023-05-03 16:28:00 -04:00
parent 260e9abb5a
commit 0202e87b73
13 changed files with 76 additions and 43 deletions


@ -108,6 +108,7 @@ WHERE
AND NOT exception_key IN (
'500,bash,bash,,bash',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
@ -150,5 +151,10 @@ WHERE
AND p0.cwd = '/'
AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'
)
-- nix socket inheritance
AND NOT (
p0.path LIKE '/nix/store/%/bin/%'
AND p1.path LIKE '/nix/store/%/bin/%'
)
GROUP BY
p0.cmdline
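Review bot: The new `-- nix socket inheritance` exclusion is path-only (`p0.path LIKE '/nix/store/%/bin/%' AND p1.path LIKE '/nix/store/%/bin/%'`), so any nix-store binary spawned by any other nix-store binary drops out of this rule regardless of process name or the `exception_key` signing-authority match used elsewhere in the clause, which is broader than the comment suggests. If a specific parent is meant, pin it on `p1.name` or at least record it, e.g. `-- nix socket inheritance: <parent binary> passes its listening socket to <child> (placeholder)`, so a later reader can tell whether the breadth is deliberate. The enclosing WHERE clause starts outside the hunk.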


@ -112,7 +112,6 @@ WHERE pos.protocol > 0
AND s.authority = 'Software Signing'
)
AND NOT exception_key IN (
"500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos",
'500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
'500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
@ -130,11 +129,14 @@ WHERE pos.protocol > 0
'500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
'500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
'500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
'500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
'500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
'500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
) -- Useful for unsigned binaries
@ -142,12 +144,17 @@ WHERE pos.protocol > 0
'500,6,22,ssh,ssh,500u,20g',
'500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
'500,6,22,ssh,ssh,500u,80g',
'500,6,22,ssh,ssh,0u,500g',
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g'
)
AND NOT (
exception_key LIKE '500,6,%,syncthing,syncthing,,syncthing'
AND remote_port > 1024
)
AND NOT (
exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
AND remote_port > 1024
)
AND NOT (
alt_exception_key = '500,6,80,main,main,500u,20g'
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
@ -155,7 +162,7 @@ WHERE pos.protocol > 0
AND NOT (
(
pos.remote_port = 80
OR pos.remote_port > 5000
OR pos.remote_port > 3400
)
AND id_exception_key IN (
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
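Review bot: The `'500,6,22,ssh,ssh,0u,500g'` entry added to the list that follows `-- Useful for unsigned binaries` is the only key there with a `0u` component, which by the pattern of the neighbouring `500u,20g` entries looks like an effective uid of 0, yet nothing says why a root-effective ssh client to port 22 is expected on a uid-500 session; a one-line `-- ssh with euid 0 via <mechanism: placeholder>, real uid still 500` would make the exception reviewable. The `syncthing` block with an empty signing-authority field (`exception_key LIKE '500,6,%,syncthing,syncthing,,syncthing'`) deserves the same treatment if it is this hunk's addition rather than the signed Jakob Borg variant, since it accepts an unsigned binary of that name on every port above 1024. The enclosing WHERE clause starts and ends outside these hunks.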


@ -60,7 +60,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.path != ""
p0.path != ''
AND NOT p0.name == basename
AND NOT (
LENGTH(basename) > 1
@ -75,31 +75,32 @@ WHERE
AND INSTR(LOWER(p0.name), LOWER(short_filename)) > 0
) -- Extremely common and unpredictable process name setters
AND NOT base_letters IN (
"bash",
"dash",
"electron",
"firefox",
"node",
"perl",
"python",
"ruby",
"thunderbird"
'bash',
'dash',
'electron',
'firefox',
'node',
'perl',
'python',
'ruby',
'thunderbird'
)
AND NOT exception_key IN (
"0,udevadm,systemd-udevd",
"125,systemd,(sd-pam)",
"42,systemd,(sd-pam)",
"500,vim.basic,vi",
"120,systemd,(sd-pam)",
"127,systemd,(sd-pam)",
"0,udevadm,(udev-worker)",
"500,pyrogenesis,main",
"500,plugin-container,MainThread",
"500,gjs-console,gnome-character",
"500,rootlesskit,exe",
"500,rootlessport,exe",
"500,systemd,(sd-pam)",
"500,udevadm,systemd-udevd"
'0,udevadm,systemd-udevd',
'0,udevadm,(udev-worker)',
'120,systemd,(sd-pam)',
'125,systemd,(sd-pam)',
'127,systemd,(sd-pam)',
'42,systemd,(sd-pam)',
'500,coreutils,tail',
'500,gjs-console,gnome-character',
'500,plugin-container,MainThread',
'500,pyrogenesis,main',
'500,rootlesskit,exe',
'500,rootlessport,exe',
'500,systemd,(sd-pam)',
'500,udevadm,systemd-udevd'
'500,vim.basic,vi',
)
AND NOT p0.path IN ('/usr/lib/systemd/systemd')
GROUP by
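Review bot: The rewritten `exception_key` list does not parse on the new side: `'500,udevadm,systemd-udevd'` (the entry after `'500,systemd,(sd-pam)',`) has lost its trailing comma, and `'500,vim.basic,vi',` now carries one immediately before the closing `)`. Change them to `'500,udevadm,systemd-udevd',` and `'500,vim.basic,vi'`. A trailing comma in an IN list is a parse error in every dialect, and the missing separator either fails the same way or, in engines that concatenate adjacent string literals, silently fuses two keys into one that never matches. The re-sorted `p1.path` list in the next file section has the same pair of defects (`'/usr/lib/systemd/systemd'` followed by `'/usr/sbin/auditd',` with no comma, and `'/usr/share/code/code',` before `) -- long-running launchers`), so fix both. The enclosing WHERE clause starts outside the hunk and the `GROUP by` continuation is cut off at its end.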


@ -49,26 +49,27 @@ WHERE
AND NOT p0.pid IN (1, 2)
AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
AND NOT p1.path IN (
'/opt/brave.com/brave/brave',
'/opt/google/chrome/chrome',
'/usr/bin/alacritty',
'/usr/bin/doas',
'/usr/libexec/gdm-x-session',
'/usr/bin/dockerd',
'/usr/sbin/gdm3',
'/usr/bin/fusermount3',
'/usr/bin/gnome-shell',
'/usr/sbin/sshd',
'/usr/sbin/auditd',
'/usr/bin/ibus-daemon',
'/usr/bin/kitty',
'/usr/bin/tmux',
'/usr/share/code/code',
'/opt/brave.com/brave/brave',
'/usr/libexec/gdm-wayland-session',
'/usr/bin/osqueryd',
'/usr/bin/sudo',
'/usr/bin/tmux',
'/usr/bin/yay',
'/usr/libexec/gdm-wayland-session',
'/usr/libexec/gdm-x-session',
'/usr/libexec/gnome-terminal-server',
'/usr/lib/systemd/systemd'
'/usr/sbin/auditd',
'/usr/sbin/gdm3',
'/usr/sbin/sshd',
'/usr/share/code/code',
) -- long-running launchers
AND NOT p1.name IN (
'lightdm',


@ -75,6 +75,7 @@ WHERE
'/usr/bin/make',
'/usr/bin/cargo',
'/usr/bin/containerd',
'/usr/libexec/power-profiles-daemon',
'/usr/bin/containerd-shim-runc-v2',
'/usr/bin/docker',
'/usr/bin/dockerd',
@ -177,6 +178,7 @@ WHERE
'/usr/share/teams/team'
)
AND NOT p0.path LIKE '/home/%/bin/%'
AND NOT p0.path LIKE '/home/%/git/%'
AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%/GoLand/___%'
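Review bot: `AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%'`'s new neighbour `AND NOT p0.path LIKE '/home/%/git/%'` exempts every executable under any user's `git` directory from this rule, and unlike the JetBrains and nvim/mason patterns around it the wildcard names no tool or layout, so anything cloned and run from that tree is no longer observed here. If one workflow needs it, narrow the pattern to that project or document the intent: `-- ~/git/<project>: locally built binaries run from source checkouts (placeholder)`. The enclosing WHERE clause starts and ends outside the hunk.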


@ -81,6 +81,7 @@ WHERE
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
AND NOT path LIKE '/Users/%/Library/Application Support/Zed/languages/%'
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
AND NOT PATH LIKE '/Users/%/Library/Caches/JetBrains/GoLand2023.1/tmp/GoLand/___%'
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'


@ -158,6 +158,7 @@ WHERE
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS',
'~/go/bin',
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS',
'~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (GPU).app/Contents/MacOS',
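Review bot: `'/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS'` exempts by mount-point path a binary that runs from a mounted disk image, and the volume name is whatever the image author chose, so the entry matches any image mounted under that name rather than the one Grammarly ships. A comment recording why this installer is trusted — `-- Grammarly DMG installer, <signing identity if verified: placeholder>` — would let the next reader weigh the exception. The enclosing IN list starts outside the hunk.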


@ -77,6 +77,7 @@ WHERE
AND exception_key NOT IN (
'0,nix,nix,',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,Bazecor Helper,,',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
@ -95,11 +96,8 @@ WHERE
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
'500,gitsign,a.out,',
'500,debug.test,a.out,',
'500,dive,a.out,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,bash,bash,',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,dlv,a.out,',
'500,Duckly,Electron,',
@ -111,12 +109,14 @@ WHERE
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,git,git,',
'500,gitsign,a.out,',
'500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,go,a.out,',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,hugo,a.out,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
@ -148,6 +148,7 @@ WHERE
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,snyk-ls_darwin_arm64,a.out,',
'500,ssh,ssh,',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,stern,a.out,',
@ -172,6 +173,10 @@ WHERE
exception_key LIKE '500,python3.%,%,'
AND p0.path LIKE '/opt/homebrew/%/bin/python'
)
AND NOT (
exception_Key LIKE '500,%,a.out,'
AND p0.path LIKE '/Users/%/go/bin/%'
)
AND NOT exception_key LIKE '500,___Test%.test,a.out,'
AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
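Review bot: The new block `exception_Key LIKE '500,%,a.out,' AND p0.path LIKE '/Users/%/go/bin/%'` spells the column `exception_Key` while every other predicate in the clause writes `exception_key`; a case-insensitive engine still resolves it, but it breaks grep and reads as a typo, so use `exception_key LIKE '500,%,a.out,'`. Beyond style, the pattern exempts any unsigned binary carrying the generic `a.out` identifier under a user's `go/bin`, which is where `go install` places arbitrary third-party tools, so a why-comment such as `-- go install output: unsigned, identifier typically a.out` would make clear that breadth is intended. The enclosing WHERE clause starts outside the hunk.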


@ -57,6 +57,7 @@ WHERE
AND p0.name NOT IN (
'bash',
'bwrap',
'cargo',
'chrome',
'clamscan',
'code',
@ -112,6 +113,7 @@ WHERE
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
'/usr/bin/apt',
'/app/libexec/mediawriter/helper',
'/usr/bin/darktable',
'/usr/bin/dockerd',
'/usr/bin/gnome-shell',
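Review bot: `'/app/libexec/mediawriter/helper'` is inserted between `'/usr/bin/apt'` and `'/usr/bin/darktable'` in a path list that is otherwise kept in sorted order, whereas `'cargo'` in the first hunk lands in its correct slot; move it ahead of the `/System/...` entries. The `/app` prefix looks like a Flatpak layout, and since that is the only such path in the visible list a short `-- flatpak: mediawriter helper (confirm)` would save the next reader the guess. The enclosing IN lists start outside the hunks.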


@ -62,6 +62,7 @@ WHERE
'false,,NVD Cleaner,',
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
@ -152,6 +153,7 @@ WHERE
'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj',
'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb',
'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall',
'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc',
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
@ -167,15 +169,10 @@ WHERE
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
'true,,RetailMeNot Deal Finder™,jjfblogammkiefalfpafidabbnamoknm',
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
'true,,RetailMeNot Deal Finder™,jjfblogammkiefalfpafidabbnamoknm',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
@ -183,6 +180,7 @@ WHERE
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea',
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap',
@ -203,6 +201,7 @@ WHERE
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
@ -214,6 +213,8 @@ WHERE
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
)
GROUP BY


@ -189,6 +189,7 @@ WHERE
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',


@ -33,6 +33,8 @@ WHERE
'gcr.io/k8s-minikube/kicbase',
'ghcr.io/wolfi-dev/sdk',
'kindest/node',
-- blame k3d/k3s for this
'docker.io/library/registry',
'moby/buildkit',
'wolfi'
)


@ -71,8 +71,10 @@ WHERE
AND NOT file.filename LIKE '%latest%'
AND NOT file.filename LIKE '%2022%'
AND NOT file.filename LIKE '%2023%'
AND NOT file.filename LIKE 'host-project-%'
AND NOT file.filename LIKE '%spdx%'
AND NOT file.filename LIKE '%-v1%'
AND NOT file.filename LIKE 'libopenblas-%'
-- Well known demo keys
AND NOT hash.sha256 IN (
'11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
@ -87,6 +89,7 @@ WHERE
'b68896dc8e8c23ade371cf8b5c9d25853d81b4cfa5baa2bc0200d9242a903d80',
'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
'a0f925d91d2ae1d38c13305572b2bf027e09f39e8bea575d55e8fcd5f3bf8b32',
'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14'
)
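Review bot: The new sha256 `a0f925d9…` is appended after `cea85342…` in a list the `-- Well known demo keys` header covers and which is otherwise in ascending hex order, and nothing records which demo key it is; move it ahead of `b68896dc…` and name it with `-- <demo key / project it ships with: placeholder>` so the allow-list stays auditable. The filename exclusions `LIKE 'host-project-%'` and `LIKE 'libopenblas-%'` in the first hunk skip files by name prefix alone, regardless of hash, so a word on why those files trip this rule would help too. The enclosing WHERE clause starts outside the hunks.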
GROUP BY