RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-10 07:39:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add wrapper -> cache exception

Browse Source
This commit is contained in:
Thomas Stromberg 2022-09-30 11:10:06 -04:00
parent 007332ead4
commit 0c2b98addd
Failed to extract signature
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
fd/unexpected-sensitive-file-access-linux.sql
View File

@ -3,7 +3,6 @@
-- It's unfortunately of limited use, as the query is slow (250ms)
-- and it requires catching a program at the exact moment it has
-- the file open.
SELECT pof.pid,
pof.fd,
pof.path,
@ -39,9 +38,9 @@ FROM process_open_files pof
LEFT JOIN file pf ON p.path = pf.path
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN hash ON hash.path = p.path
WHERE
f.uid != "" AND
(
WHERE f.uid != ""
AND pf.filename != ""
AND (
pof.path LIKE "/home/%/.ssh/%"
OR pof.path LIKE "/home/%/.mozilla/firefox/%"
OR pof.path LIKE "/home/%/.config/google-chrome/%"
@ -62,6 +61,7 @@ WHERE
"firefox,firefox,~/.cache/mozilla",
"firefox,firefox,~/.mozilla/firefox",
"firefox,firefox,~/snap/firefox",
"firefox,.firefox-wrappe,~/.cache/mozilla",
"firefox,.firefox-wrappe,~/.mozilla/firefox",
"firefox,Isolated Servic,~/.cache/mozilla",
"firefox,Isolated Servic,~/snap/firefox",