From 02337c28f00c025e37ba88dd69727afdcc5f3086 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 27 Apr 2023 12:00:08 -0400
Subject: [PATCH] fpr: cleanup and new additions
---
 detection/c2/unexpected-talkers-macos.sql | 1 +
 detection/evasion/old-binaries-running.sql | 5 +-
 .../evasion/unexpected-ld-so-files-linux.sql | 7 +-
 ...xec-failed-launch-constraint-violation.sql | 1 +
 .../execution/unexpected-fetcher-parents.sql | 1 +
 .../unexpected-shell-parent-events.sql | 1 +
 .../unexpected-active-systemd-units.sql | 73 ++++--------------
 policy/gcp-service-account-keys-mdfind.sql | 17 ++---
 8 files changed, 30 insertions(+), 76 deletions(-)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 3c56c39..a21e83c 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -312,6 +312,7 @@ WHERE
 '443,6,500,Transmit,com.panic.Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5)',
 '443,6,500,trivy,,',
 '443,6,500,trivy,a.out,',
+ '443,6,500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 '443,6,500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '443,6,500,vegeta,a.out,',
 '443,6,500,vim,vim,',
diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql
index a0a9876..a19511f 100644
--- a/detection/evasion/old-binaries-running.sql
+++ b/detection/evasion/old-binaries-running.sql
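Review bot: The new `'443,6,500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642)'` key lands between the `trivy` and `TwitchStudioStreamDeck` entries, which breaks the alphabetical order the rest of this exception list keeps and that this same patch restores in old-binaries-running.sql and unexpected-ld-so-files-linux.sql. Move it to its sorted position, somewhere above the `Transmit` entry at the top of the hunk, so the list stays diffable and duplicate keys are easy to spot. The enclosing `IN (` list starts and ends outside the hunk.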
@@ -44,6 +44,7 @@ WHERE
 '/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
 '/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
 '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
+ '/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
 '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
 '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
 '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
@@ -53,8 +54,8 @@ WHERE
 '/snap/brackets/138/opt/brackets/Brackets-node',
 '/usr/bin/i3blocks',
 '/usr/bin/sshfs',
- '/usr/local/bin/dive',
- '/usr/bin/xss-lock'
+ '/usr/bin/xss-lock',
+ '/usr/local/bin/dive'
 )
 AND p.name NOT IN (
 'buildkitd',
diff --git a/detection/evasion/unexpected-ld-so-files-linux.sql b/detection/evasion/unexpected-ld-so-files-linux.sql
index 92aca31..cfae8f0 100644
--- a/detection/evasion/unexpected-ld-so-files-linux.sql
+++ b/detection/evasion/unexpected-ld-so-files-linux.sql
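Review bot: The added `'/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor'` is a path-only exception, so whatever executes from that path is exempt from the old-binary check regardless of signer; the three Brother `Server/*` entries beside it have the same shape, so it is consistent, but the Brother group keeps growing without a recorded rationale. A short comment above the group stating why these utilities are tolerated would help the next reviewer, and if the process table used here exposes a signing identity, keying the Brother entries on it (as unexpected-talkers-macos.sql does with Developer IDs in this same patch) would narrow the exception. The enclosing `NOT IN (` list begins outside the hunk; the second hunk on this line only re-sorts `dive` and `xss-lock`.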
@@ -36,17 +36,17 @@ WHERE
 '/etc/ld.so.conf.d/bind-export-x86_64.conf,0644,26,efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e',
 '/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28',
 '/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50',
- '/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181',
 '/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee',
+ '/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181',
 '/etc/ld.so.conf.d/gds-11-8.conf,0644,46,2b48cb0abd03ff1d8926eca02a71540f4ee00ebccad5515e4d28a542dae8438a',
 '/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a',
- '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime-libs.conf,0644,44,9f123b367c8afdcd116047d24f91339a95724d6f6cd189967696d2eb8eda63b4',
 '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,48,c0c6efda46a86b0d0cbc620b910cec4ba455d09a2bc7a39adf45ce113093366d',
 '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
+ '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime-libs.conf,0644,44,9f123b367c8afdcd116047d24f91339a95724d6f6cd189967696d2eb8eda63b4',
 '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-opencl-cpu.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
- '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime-libs.conf,0644,65,0e9c472578fe009314f02ab64613fc41114f4d07cfd3a805191a5b755d780a43',
 '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,157,0b4a1c81fcab2d345f99e0187f29cf28f085ae67bf42c86d7b509c06b345186e',
 '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
+ '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime-libs.conf,0644,65,0e9c472578fe009314f02ab64613fc41114f4d07cfd3a805191a5b755d780a43',
 '/etc/ld.so.conf.d/intel-oneapi-openmp.conf,0644,155,76736fa4deb3f3f4a7a96a068eb01b610faf9492814d47d36b3acbc1b4fb9fd3',
 '/etc/ld.so.conf.d/intel-oneapi-tbb.conf,0644,48,ab4d154371df8bf81c4fd8f079137994c5c9a60f43bef4132e6ffcbfbb08e99d',
 '/etc/ld.so.conf.d/kernel-3.10.0-1160.83.1.el7.x86_64.conf,0444,63,37cb41e22b4cb69bb7b8652111c59d3d07b6522ac1f4a635e794ca7eaf411dd7',
@@ -55,6 +55,7 @@ WHERE
 '/etc/ld.so.conf.d/libc.conf,0644,44,90d4c7e43e7661cd116010eb9f50ad5817e43162df344bd1ad10898851b15d41',
 '/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',
 '/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0',
+ '/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
 '/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
 '/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
 '/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',
diff --git a/detection/execution/exec-failed-launch-constraint-violation.sql b/detection/execution/exec-failed-launch-constraint-violation.sql
index e559840..8ced30b 100644
--- a/detection/execution/exec-failed-launch-constraint-violation.sql
+++ b/detection/execution/exec-failed-launch-constraint-violation.sql
@@ -64,6 +64,7 @@ WHERE
 AND pe.status = 1
 AND pe.cmdline != ''
 AND pe.cmdline IS NOT NULL
+ AND p0_cmd != '/opt/homebrew/opt/tailscale/bin/tailscaled'
 GROUP BY
 pe.euid,
 pe.path,
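Review bot: The new `AND p0_cmd != '/opt/homebrew/opt/tailscale/bin/tailscaled'` compares `p0_cmd` against a bare executable path; if `p0_cmd` is the parent's command line (the name suggests so, but its definition is outside the hunk), the exclusion only fires when tailscaled is launched with no arguments, and an invocation carrying flags will still alert. A command line is also self-reported by the process, so an exception keyed on it is weaker than one keyed on the parent's executable path; if the query has a parent-path column, prefer `AND <parent_path_column> != '/opt/homebrew/opt/tailscale/bin/tailscaled'`, otherwise `AND NOT p0_cmd LIKE '/opt/homebrew/opt/tailscale/bin/tailscaled%'` at least tolerates arguments. A one-line comment on why tailscaled is exempted would also help, since the condition sits among generic filters with no explanation. The `WHERE` clause starts before the hunk and the `GROUP BY` continues past it.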
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 2cca5aa..1306c11 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -48,6 +48,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,302,bash,nix',
 'curl,303,bash,nix',
 'curl,305,bash,nix',
+ 'curl,500,nvim,nvim',
 'curl,307,bash,nix',
 'curl,500,bash,bash',
 'curl,500,bash,fakeroot',
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index d935f22..ecf7f2d 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -259,6 +259,7 @@ WHERE
 'dash,0,kube-proxy,containerd-shim-runc-v2',
 'dash,0,run-parts,dash',
 'dash,0,snapd,systemd',
+ 'dash,0,dpkg,python3.10',
 'sh,0,auditd,launchd',
 'sh,500,cloud_sql_proxy,zsh',
 'sh,500,docs,zsh',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 54bdb98..7d269d9 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -32,7 +32,10 @@ WHERE
 active_state != 'inactive'
 AND sub_state != 'plugged'
 AND sub_state != 'mounted'
- AND fragment_path != ''
+ AND file.filename != ''
+ -- Don't care about logical groupings.
+ AND NOT file.filename LIKE '%.target'
+ -- All of these are known good exceptions in known good paths
 AND NOT (
 (
 -- Only allow fragment paths in known good directories
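Review bot: The new `'curl,500,nvim,nvim'` is inserted between `'curl,305,bash,nix'` and `'curl,307,bash,nix'`, out of the list's order; it belongs with the other `curl,500,*` keys a few lines down. The hunk header's context comment says the remainder of this query is synced with a sibling `unexpected-fetcher-par…` file (name truncated in the header), but the patch touches no such file, so the two lists appear to diverge with this change; if the sibling exists, mirror the entry there. The same out-of-order insertion happens with `'dash,0,dpkg,python3.10'` in unexpected-shell-parent-events.sql, which is placed after `'dash,0,snapd,systemd'` instead of ahead of `'dash,0,kube-proxy,…'`. The `IN (` list starts and ends outside the hunk.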
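Review bot: `'dash,0,dpkg,python3.10'` pins the grandparent to one interpreter build, so this exception stops matching on the next Python minor release and the same root `dash` spawned by `dpkg` will start alerting again, while today it accepts any such chain with no further qualifier. Consider whether the grandparent's executable path is the intended key, or, if this query builds a comparable `exception_key` to the one the systemd query in this patch matches with `LIKE`, a pattern such as `dash,0,dpkg,python3.%`; either way, a comment naming the tool that produces this chain would let the next reader judge the exception. The `IN (` list starts and ends outside the hunk.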
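Review bot: `AND NOT file.filename LIKE '%.target'` is placed before the `NOT ( ... )` exception block, so target units are dropped before the "Only allow fragment paths in known good directories" test that opens right after it; a `.target` unit whose fragment file lives outside those directories is now never reported, whereas every other unit type still is. Targets have no ExecStart but do pull other units in through their dependency lists, so a persistence review would still want to see one appearing from an unexpected path; moving the target test inside the `NOT (` block, alongside the known-good-directory condition, keeps the noise reduction for packaged targets while preserving the path check. The switch from `fragment_path != ''` to `file.filename != ''` depends on how `file` is joined (outside the hunk): with a LEFT JOIN an empty fragment path yields a NULL filename and `NULL != ''` filters the row just as before, so that part looks behavior-preserving, but it is worth confirming against the join. The `WHERE` clause continues past the hunk.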
@@ -55,7 +58,6 @@ WHERE
 'acpid.service,ACPI Daemon,,1125',
 'acpid.service,ACPI event daemon,,225',
 'acpid.socket,ACPID Listen Socket,,0',
- 'akmods-keygen.target,akmods-keygen.target,,0',
 'akmods.service,Builds and install new kmods from akmod packages,,225',
 'alsa-restore.service,Save/Restore Sound Card State,,225',
 'alsa-restore.service,Save/Restore Sound Card State,,450',
@@ -79,28 +81,19 @@ WHERE
 'audit.service,Kernel Auditing,,1125',
 'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,,900',
 'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,,675',
- 'basic.target,Basic System,,900',
 'binfmt-support.service,Enable support for additional executable binary formats,,1125',
 'blk-availability.service,Availability of block devices,,225',
- "blockdev@dev-mapper-cryptdata.target,Block Device Preparation for /dev/mapper/cryptdata,,225",
- 'blockdev@dev-mapper-cryptoswap.target,Block Device Preparation for /dev/mapper/cryptoswap,,225',
- "blockdev@dev-mapper-cryptswap.target,Block Device Preparation for /dev/mapper/cryptswap,,225",
 'bluetooth.service,Bluetooth service,,675',
- 'bluetooth.target,Bluetooth Support,,225',
 'bolt.service,Thunderbolt system service,,450',
 'chronyd.service,NTP client/server,,1350',
 "chrony.service,chrony, an NTP client/server,,1575",
 'chrony.service,chrony, an NTP client/server,,450',
 'cloud-config.service,Apply the settings specified in cloud-config,,225',
- 'cloud-config.target,Cloud-config availability,,450',
- 'cloud-config.target,Cloud-config availability,,675',
 'cloud-final.service,Execute cloud user/final scripts,,450',
 'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,,225',
 'cloud-init-local.service,Initial cloud-init job (pre-networking),,450',
 'cloud-init.service,Initial cloud-init job (metadata service crawler),,450',
 'cloud-init.service,Initial cloud-init job (metadata service crawler),,675',
- 'cloud-init.target,Cloud-init target,,225',
- 'cloud-init.target,Cloud-init target,,450',
 'colord.service,Manage, Install and Generate Color Profiles,colord,225',
 "com.system76.PowerDaemon.service,System76 Power Daemon,,225",
 "com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,,225",
@@ -110,7 +103,6 @@ WHERE
 'crond.service,Command Scheduler,,225',
 'cronie.service,Periodic Command Scheduler,,0',
 'cron.service,Regular background program processing daemon,,225',
- 'cryptsetup.target,Local Encrypted Volumes,,225',
 'cups-browsed.service,Make remote CUPS printers available locally,,225',
 'cups.path,CUPS Scheduler,,0',
 'cups.service,CUPS Scheduler,,225',
@@ -154,16 +146,12 @@ WHERE
 'gdm.service,GNOME Display Manager,,675',
 'gdm.service,GNOME Display Manager,,900',
 'geoclue.service,Location Lookup Service,geoclue,450',
- 'getty-pre.target,Preparation for Logins,,450',
- 'getty.target,Login Prompts,,450',
 'gitsign.service,Keyless Git signing with Sigstore!,,900',
- 'graphical.target,Graphical Interface,,450',
 'gssproxy.service,GSSAPI Proxy Daemon,,450',
 'haproxy.service,HAProxy Load Balancer,,1350',
 "ifupdown-pre.service,Helper to synchronize boot up for ifupdown,,225",
 'iio-sensor-proxy.service,IIO Sensor Proxy service,,225',
 'import-state.service,Import network configuration from initramfs,,225',
- 'integritysetup.target,Local Integrity Protected Volumes,,225',
 'irqbalance.service,irqbalance daemon,,225',
 'irqbalance.service,irqbalance daemon,,450',
 'iscsid.socket,Open-iSCSI iscsid Socket,,0',
@@ -187,9 +175,6 @@ WHERE
 'lm_sensors.service,Hardware Monitoring Sensors,,225',
 'lm-sensors.service,Initialize hardware monitoring sensors,,0',
 'lm_sensors.service,Initialize hardware monitoring sensors,,225',
- 'local-fs-pre.target,Local File Systems (Pre),,225',
- 'local-fs-pre.target,Preparation for Local File Systems,,450',
- 'local-fs.target,Local File Systems,,450',
 'logrotate-checkconf.service,Logrotate configuration check,,1125',
 'logrotate.timer,Daily rotation of log files,,0',
 'logrotate.timer,logrotate.timer,,0',
@@ -198,7 +183,6 @@ WHERE
 'lvm2-lvmpolld.socket,LVM2 poll daemon socket,,225',
 'lvm2-monitor.service,Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling,,450',
 'machine.slice,Virtual Machine and Container Slice,,450',
- 'machines.target,Containers,,225',
 'man-db.service,Daily man-db regeneration,root,675',
 'man-db.timer,Daily man-db regeneration,,0',
 'mcelog.service,Machine Check Exception Logging Daemon,,225',
@@ -213,40 +197,28 @@ WHERE
 'mount-pstore.service,mount-pstore.service,,1125',
 'multipathd.service,Device-Mapper Multipath Device Controller,,675',
 'multipathd.socket,multipathd control socket,,225',
- 'multi-user.target,Multi-User System,,450',
 'nessusd.service,The Nessus Vulnerability Scanner,,675',
 'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,225',
 'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,225',
 "networking.service,Raise network interfaces,,450",
- 'network-interfaces.target,All Network Interfaces (deprecated),,0',
 'network-local-commands.service,Extra networking commands.,,1350',
 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450',
 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675',
 'NetworkManager.service,Network Manager,,1125',
 'NetworkManager.service,Network Manager,,1350',
 'NetworkManager-wait-online.service,Network Manager Wait Online,,1125',
- 'network-online.target,Network is Online,,450',
- 'network-pre.target,Network (Pre),,450',
- 'network-pre.target,Preparation for Network,,450',
 'network-setup.service,Networking Setup,,1350',
- 'network.target,Network,,225',
- 'network.target,Network,,450',
- 'nfs-client.target,NFS client services,,225',
 'nginx.service,Nginx Web Server,nginx,2400',
 'nix-daemon.service,Nix Daemon,,225',
 'nix-daemon.socket,Nix Daemon Socket,,225',
 'nix-gc.timer,nix-gc.timer,,0',
 'nscd.service,Name Service Cache Daemon,nscd,1800',
- 'nss-lookup.target,Host and Network Name Lookups,,450',
- 'nss-user-lookup.target,User and Group Name Lookups,,450',
 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,225',
 'nvidia-persistenced.service,NVIDIA Persistence Daemon,,225',
 'nvidia-powerd.service,nvidia-powerd service,,0',
 'nvidia-suspend.service,NVIDIA system suspend actions,,225',
 'openvpn.service,OpenVPN service,,225',
 'packagekit.service,PackageKit Daemon,root,225',
- 'paths.target,Paths,,225',
- 'paths.target,Path Units,,225',
 'pcscd.service,PC/SC Smart Card Daemon,,225',
 'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,,0',
 'phpsessionclean.timer,Clean PHP session files every 30 mins,,0',
@@ -268,13 +240,10 @@ WHERE
 'reflector.service,Refresh Pacman mirrorlist with Reflector.,,1350',
 'reflector.timer,Refresh Pacman mirrorlist weekly with Reflector.,,0',
 'reload-systemd-vconsole-setup.service,Reset console on configuration changes,,1125',
- 'remote-fs-pre.target,Preparation for Remote File Systems,,450',
- 'remote-fs.target,Remote File Systems,,450',
 "resolvconf-pull-resolved.path,resolvconf-pull-resolved.path,,0",
 "resolvconf.service,Nameserver information manager,,225",
 'resolvconf.service,resolvconf update,,1125',
 'rngd.service,Hardware RNG Entropy Gatherer Daemon,,225',
- 'rpc_pipefs.target,rpc_pipefs.target,,0',
 'rpc-statd-notify.service,Notify NFS peers of a restart,,225',
 'rsyslog.service,System Logging Service,,225',
 'rsyslog.service,System Logging Service,,450',
@@ -284,37 +253,32 @@ WHERE
 'setvtrgb.service,Set console scheme,,225',
 'shadow.service,Verify integrity of password and group files,,900',
 'shadow.timer,Daily verification of password and group files,,0',
- 'sleep.target,Sleep,,225',
- 'sleep.target,Sleep,,450',
- 'slices.target,Slices,,450',
- 'slices.target,Slice Units,,450',
- 'smartcard.target,Smart Card,,225',
+ 'abrt-journal-core.service,ABRT coredumpctl message creator,,0',
+ 'abrtd.service,ABRT Daemon,,225',
+ 'nginx.service,Nginx Web Server,nginx,2250',
+ 'network-local-commands.service,Extra networking commands.,,1125',
+ 'logrotate-checkconf.service,Logrotate configuration check,,900',
+ '-.slice,Root Slice,,0',
+ 'accounts-daemon.service,Accounts Service,,2025',
+ 'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350',
 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,225',
 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,450',
 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,675',
- 'snapd.mounts-pre.target,Mounting snaps,,0',
- 'snapd.mounts.target,Mounted snaps,,0',
 'snapd.seeded.service,Wait until snapd is fully seeded,,225',
 'snapd.service,Snap Daemon,,450',
 'snapd.socket,Socket activation for snappy daemon,,225',
 'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,,225',
 'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,,225',
 'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,,450',
- 'sockets.target,Sockets,,225',
- 'sockets.target,Socket Units,,225',
- 'sound.target,Sound Card,,225',
- 'sshd-keygen.target,sshd-keygen.target,,0',
 'sshd.service,OpenSSH Daemon,,225',
 'sshd.service,OpenSSH server daemon,,225',
+ 'sshd.service,OpenSSH server daemon,,450',
 'sshd.service,SSH Daemon,,1575',
 'ssh.service,OpenBSD Secure Shell server,,450',
 'sssd-kcm.service,SSSD Kerberos Cache Manager,,225',
 'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,,0',
 'supergfxd.service,SUPERGFX,,450',
- 'swap.target,Swap,,225',
- 'swap.target,Swaps,,225',
 'switcheroo-control.service,Switcheroo Control Proxy service,,450',
- 'sysinit.target,System Initialization,,450',
 'syslog.socket,Syslog Socket,,1350',
 'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,,225',
 'sysstat.service,Resets System Activity Logs,root,225',
@@ -402,11 +366,6 @@ WHERE
 'system.slice,System Slice,,0',
 'tailscaled.service,Tailscale node agent,,675',
 'thermald.service,Thermal Daemon Service,,225',
- 'timers.target,Timers,,450',
- 'timers.target,Timer Units,,450',
- 'time-set.target,System Time Set,,225',
- "time-sync.target,System Time Synchronized,,225",
- 'time-sync.target,System Time Synchronized,,450',
 'tlp.service,TLP system startup/shutdown,,450',
 "touchegg.service,Touchégg Daemon,,225",
 'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,,0',
@@ -427,7 +386,6 @@ WHERE
 'vboxballoonctrl-service.service,vboxballoonctrl-service.service,,450',
 'vboxdrv.service,VirtualBox Linux kernel module,,450',
 'vboxweb-service.service,vboxweb-service.service,,450',
- 'veritysetup.target,Local Verity Protected Volumes,,225',
 'virtinterfaced.socket,Libvirt interface local socket,,225',
 'virtlockd.socket,Virtual machine lock manager socket,,0',
 'virtlogd-admin.socket,Virtual machine log manager socket,,225',
@@ -448,7 +406,6 @@ WHERE
 'whoopsie.path,Start whoopsie on modification of the /var/crash directory,,0',
 'wpa_supplicant.service,WPA supplicant,,225',
 'zfs-import-cache.service,Import ZFS pools by cache file,,450',
- 'zfs-import.target,ZFS pool import target,,0',
 'zfs-load-key-rpool.service,Load ZFS key for rpool,,675',
 'zfs-load-module.service,Install ZFS kernel module,,225',
 'zfs-mount.service,Mount ZFS filesystems,,225',
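Review bot: The eight new keys from `'abrt-journal-core.service,ABRT coredumpctl message creator,,0'` through `'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350'` are inserted where the removed `sleep.target`/`slices.target`/`smartcard.target` lines stood, in the middle of the `s*` entries, instead of at their sorted positions (`-.slice` and the `abrt*` entries at the head of the list; `accounts-daemon`, `logrotate-checkconf`, `network-local-commands`, `nginx` and `nscd` beside their existing siblings). Four of them differ from an existing key only in the last field (`nginx` 2400 vs 2250, `network-local-commands` 1350 vs 1125, `logrotate-checkconf` 1125 vs 900, `nscd` 1800 vs 1350), which is obvious when sorted and easy to miss here. This patch sorts lists in other files, so moving these into order would keep the exception list consistent. The hunk starts on the previous line and the `IN (` list begins outside it.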
@@ -459,8 +416,6 @@ WHERE
 'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,900',
 'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,,900',
 'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,,900',
- 'zfs.target,ZFS startup target,,0',
- 'zfs-volumes.target,ZFS volumes are ready,,0',
 'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,,225',
 'zfs-zed.service,ZFS Event Daemon (zed),,225',
 'znapzend.service,ZnapZend - ZFS Backup System,root,1575',
@@ -472,8 +427,6 @@ WHERE
 OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,,900'
 OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,225'
 OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,,0'
- OR id LIKE 'blockdev@dev-mapper-luks%.target'
- OR id LIKE 'blockdev@dev-mapper-nvme%.target'
 OR id LIKE ''
 OR id LIKE 'dev-disk-by%.swap'
 OR id LIKE 'dev-mapper-%.swap'
diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql
index 34123f0..4c17344 100644
--- a/policy/gcp-service-account-keys-mdfind.sql
+++ b/policy/gcp-service-account-keys-mdfind.sql
@@ -75,23 +75,18 @@ WHERE
 AND NOT file.filename LIKE '%-v1%'
 -- Well known demo keys
 AND NOT hash.sha256 IN (
+ '11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
 '2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4',
+ '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
+ '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
+ '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
 '8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
- 'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
 '998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',
 'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
- '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
- '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
- 'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
- 'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
- '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
- '11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
- '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
- '2d330d059f4af4d314a85418fb031ee628f41dcf3e31fbce46858e52e73180c4',
 'b68896dc8e8c23ade371cf8b5c9d25853d81b4cfa5baa2bc0200d9242a903d80',
+ 'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
 'cea85342377ef1bce115629c3d9d3ec405964a43545805c9f7ace98940aa0be2',
- 'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14',
- 'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988'
+ 'ef2c928c69403e023a332002d8c5c430e1022850b12f834563f6aec111d99f14'
 )
 GROUP BY
 file.path
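Review bot: `AND NOT hash.sha256 IN (...)` silently excludes rows where `hash.sha256` is NULL, because `NULL IN (...)` is UNKNOWN and `NOT UNKNOWN` is still UNKNOWN, so a candidate key file the agent could not hash would drop out of this policy rather than be reported. If the hash table can return NULL for an unreadable file (it may return an empty string instead; check the table's documented behavior), guard the membership test with `AND (hash.sha256 IS NULL OR hash.sha256 NOT IN (...))`. The dedup and sort itself is sound: all twelve distinct digests from the old list are still present and no new digest was introduced. The `WHERE` clause begins before the hunk.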