Merge pull request #342 from tstromberg/fpr-jan5
fpr: Elastic Defend, Rapid7 InsightIDR & others
This commit is contained in:
Thomas Strömberg
GitHub
commit
16dd48b2f5
|
|
@ -60,7 +60,9 @@ WHERE
|
|||
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
'0,apk,u,g,apk',
|
||||
'0,applydeltarpm,0u,0g,applydeltarpm',
|
||||
'0,elastic-endpoint,0u,0g,elastic-endpoin',
|
||||
'0,bash,0u,0g,bash',
|
||||
'0,filebeat,0u,0g,filebeat',
|
||||
'0,bash,0u,0g,mkinitcpio',
|
||||
'0,bash,0u,0g,sh',
|
||||
'0,chainctl,0u,0g,chainctl',
|
||||
|
|
@ -68,6 +70,8 @@ WHERE
|
|||
'0,containerd,u,g,containerd',
|
||||
'0,dirmngr,0u,0g,dirmngr',
|
||||
'0,dockerd,0u,0g,dockerd',
|
||||
'0,elastic-agent,0u,0g,elastic-agent',
|
||||
'0,metricbeat,0u,0g,metricbeat',
|
||||
'0,flatpak-system-helper,0u,0g,flatpak-system-',
|
||||
'0,git-remote-http,0u,0g,git-remote-http',
|
||||
'0,go,0u,0g,go',
|
||||
|
|
|
|||
|
|
@ -112,16 +112,20 @@ WHERE
|
|||
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
|
||||
'0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
|
||||
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
|
||||
'0,elastic-agent,elastic-agent,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.elastic-agent',
|
||||
'0,elastic-endpoint,elastic-endpoint,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.endpoint',
|
||||
'0,filebeat,filebeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),filebeat',
|
||||
'0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
|
||||
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
|
||||
'0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
|
||||
'0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
|
||||
'0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
|
||||
'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
|
||||
'0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
|
||||
'0,metricbeat,metricbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),metricbeat',
|
||||
'0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
|
||||
'0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
|
||||
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
|
||||
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
|
||||
'500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
|
||||
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
|
||||
|
|
@ -129,32 +133,33 @@ WHERE
|
|||
'500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
|
||||
'500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
|
||||
'500,Fleet,~/Library/Caches/JetBrains/Fleet',
|
||||
'500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
|
||||
'500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
|
||||
'500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
|
||||
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
|
||||
'500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
|
||||
'500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
|
||||
'500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
|
||||
'500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
|
||||
'500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
|
||||
'500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
|
||||
'500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
|
||||
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
|
||||
'500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
|
||||
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
|
||||
'500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
|
||||
'500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
|
||||
'500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
|
||||
'500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
|
||||
'500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
|
||||
'500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
|
||||
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
|
||||
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
|
||||
'500,bash,bash,,bash',
|
||||
'500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
|
||||
'500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
|
||||
'500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
|
||||
'0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
|
||||
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
|
||||
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
|
||||
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
|
||||
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
|
||||
'500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
|
||||
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
|
||||
'500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
|
||||
'500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
|
||||
'500,melange,melange,,a.out',
|
||||
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
|
||||
|
|
@ -162,6 +167,7 @@ WHERE
|
|||
'500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
|
||||
'500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
|
||||
'500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
|
||||
'500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
|
||||
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
|
||||
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
|
||||
'500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
|
||||
|
|
|
|||
|
|
@ -165,6 +165,7 @@ WHERE
|
|||
'500,0,53,launcher',
|
||||
'500,0,53,nessusd',
|
||||
'500,0,53,NetworkManager',
|
||||
'500,99,32768,Slack',
|
||||
'500,0,53,slack',
|
||||
'500,0,53,spotify',
|
||||
'500,500,32768,G2MUpdate',
|
||||
|
|
|
|||
|
|
@ -75,8 +75,9 @@ WHERE
|
|||
AND p0.path NOT LIKE '/usr/sbin/%'
|
||||
AND exception_key NOT IN (
|
||||
'/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
|
||||
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
|
||||
'/dev/auditpipe,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
|
||||
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent',
|
||||
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
|
||||
'/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
|
||||
'/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
|
||||
'/dev/auditsessions,authd,Software Signing,com.apple.authd',
|
||||
|
|
|
|||
|
|
@ -66,7 +66,8 @@ WHERE
|
|||
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'Apple Mac OS Application Signing',
|
||||
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R)'
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)'
|
||||
)
|
||||
GROUP BY
|
||||
p0.pid
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ WHERE
|
|||
'sshd',
|
||||
'sudo',
|
||||
'systemd',
|
||||
'elastic-agent',
|
||||
'systemd-udevd',
|
||||
'systemd-userdbd',
|
||||
'systemd-userwor',
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@ WHERE
|
|||
AND NOT f.directory LIKE '%/.go/bin'
|
||||
AND NOT f.directory LIKE '%/.rustup/%'
|
||||
AND NOT f.directory LIKE '%/.terraform%'
|
||||
AND NOT f.directory LIKE '%/.steampipe/db/%'
|
||||
AND NOT f.directory LIKE '%/.docker/cli-plugins'
|
||||
AND NOT f.directory LIKE '%/.cursor/%'
|
||||
AND NOT f.directory LIKE '%/.tflint.d/%'
|
||||
|
|
|
|||
|
|
@ -46,6 +46,7 @@ WHERE
|
|||
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
|
||||
'/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
|
||||
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
|
||||
'/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
|
||||
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
|
||||
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
|
||||
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',
|
||||
|
|
|
|||
|
|
@ -73,6 +73,7 @@ WHERE
|
|||
AND pp.path NOT IN (
|
||||
"",
|
||||
"/sbin/launchd",
|
||||
'/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper',
|
||||
"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)",
|
||||
"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ WHERE
|
|||
AND p.path != '/'
|
||||
AND f.path NOT IN (
|
||||
'/opt/google/endpoint-verification/bin/apihelper',
|
||||
'/opt/Elastic/Endpoint/elastic-endpoint',
|
||||
'/usr/bin/melange'
|
||||
)
|
||||
AND f.path NOT LIKE '/home/%'
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ WHERE
|
|||
AND file.path NOT IN (
|
||||
'/.VolumeIcon.icns',
|
||||
'/.autorelabel',
|
||||
'/.equarantine/',
|
||||
'/.file',
|
||||
'/.lesshst',
|
||||
'/.mozilla/',
|
||||
|
|
|
|||
|
|
@ -62,5 +62,6 @@ WHERE
|
|||
'utmpx',
|
||||
'wifi'
|
||||
)
|
||||
AND NOT file.filename LIKE '%.pid'
|
||||
GROUP BY
|
||||
file.path;
|
||||
|
|
|
|||
|
|
@ -155,6 +155,7 @@ WHERE
|
|||
'/Volumes/Slack/Slack.app',
|
||||
'/opt/homebrew/Caskroom',
|
||||
'/opt/homebrew/Cellar',
|
||||
'/Library/Elastic/Agent',
|
||||
'/opt/homebrew/Library',
|
||||
'/private/var/kolide-k2',
|
||||
'/usr/libexec/AssetCache',
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ WHERE
|
|||
'0544',
|
||||
'0555',
|
||||
'0711',
|
||||
'0750',
|
||||
'0755',
|
||||
'0775',
|
||||
'0744',
|
||||
|
|
@ -115,3 +116,7 @@ WHERE
|
|||
f.path LIKE '/Users/%/Library/Application Support/com.raycast.macos/NodeJS/runtime/%/bin/node'
|
||||
AND f.mode = '0754'
|
||||
)
|
||||
AND NOT (
|
||||
f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'
|
||||
AND f.mode = '0770'
|
||||
)
|
||||
|
|
@ -78,125 +78,127 @@ WHERE
|
|||
)
|
||||
AND pmm.path LIKE '%Security.framework%'
|
||||
AND exception_key NOT IN (
|
||||
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||
'0,nix,nix,',
|
||||
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'0,velociraptor,a.out,',
|
||||
'500,.cargo-wrapped,.cargo-wrapped,',
|
||||
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
|
||||
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'500,bash,bash,',
|
||||
'500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing',
|
||||
'500,bash,com.apple.bash,Software Signing',
|
||||
'500,nvim,nvim,',
|
||||
'500,keyboxd,keyboxd,',
|
||||
'500,Bazecor Helper,,',
|
||||
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
|
||||
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
|
||||
'500,BloomRPC Helper,,',
|
||||
'500,bufls,a.out,',
|
||||
'500,.cargo-wrapped,.cargo-wrapped,',
|
||||
'500,chainctl,a.out,',
|
||||
'500,Chromium,Chromium,',
|
||||
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
|
||||
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
|
||||
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
|
||||
'500,Duckly Helper,Electron Helper,',
|
||||
'500,Duckly,Electron,',
|
||||
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
|
||||
'500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
|
||||
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
|
||||
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
|
||||
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
||||
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
|
||||
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
|
||||
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
||||
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
|
||||
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
|
||||
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
|
||||
'500,PrinterProxy,com.apple.print.PrinterProxy,',
|
||||
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
|
||||
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
|
||||
'500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing',
|
||||
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
|
||||
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
|
||||
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'500,WinAppHelper,,',
|
||||
'500,WinAppHelper,WinAppHelper,',
|
||||
'500,bash,bash,',
|
||||
'500,bash,com.apple.bash,Software Signing',
|
||||
'500,bufls,a.out,',
|
||||
'500,chainctl,a.out,',
|
||||
'500,clangd,clangd,',
|
||||
'500,cloud-sql-proxy,a.out,',
|
||||
'500,cloud_sql_proxy,a.out,',
|
||||
'500,cloud-sql-proxy.darwin.arm64,a.out,',
|
||||
'500,cloud_sql_proxy,a.out,',
|
||||
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
|
||||
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
|
||||
'500,cosign,a.out,',
|
||||
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
|
||||
'500,crane,a.out,',
|
||||
'500,debug.test,a.out,',
|
||||
'500,dive,a.out,',
|
||||
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
|
||||
'500,dlv,a.out,',
|
||||
'500,docker,a.out,',
|
||||
'500,Duckly,Electron,',
|
||||
'500,Duckly Helper,Electron Helper,',
|
||||
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
|
||||
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
|
||||
'500,epdfinfo,epdfinfo,',
|
||||
'500,esbuild,,',
|
||||
'500,esbuild,a.out,',
|
||||
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
|
||||
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
|
||||
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,fake,a.out,',
|
||||
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
|
||||
'500,git,git,',
|
||||
'500,gitsign,a.out,',
|
||||
'500,gitsign-credential-cache,a.out,',
|
||||
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
||||
'500,gke-gcloud-auth-plugin,a.out,',
|
||||
'500,go,a.out,',
|
||||
'500,gopls,a.out,',
|
||||
'500,gopls,gopls,',
|
||||
'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
|
||||
'500,gpg-agent,gpg-agent,',
|
||||
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
|
||||
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
|
||||
'500,hugo,a.out,',
|
||||
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
||||
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,ipcserver.old,,',
|
||||
'500,k9s,a.out,',
|
||||
'500,keyboxd,keyboxd,',
|
||||
'500,ko,,',
|
||||
'500,ko,a.out,',
|
||||
'500,kubectl,a.out,',
|
||||
'500,lua-language-server,lua-language-server,',
|
||||
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
|
||||
'500,mattermost,a.out,',
|
||||
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
|
||||
'500,melange,a.out,',
|
||||
'500,melange-run,a.out,',
|
||||
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
|
||||
'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
|
||||
'500,monorail,a.out,',
|
||||
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
|
||||
'500,nvim,nvim,',
|
||||
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'500,plugin-darwin-arm64,a.out,',
|
||||
'500,PrinterProxy,com.apple.print.PrinterProxy,',
|
||||
'500,registry,a.out,',
|
||||
'500,registry-redirect,a.out,',
|
||||
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
|
||||
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
|
||||
'500,scdaemon,scdaemon,',
|
||||
'500,sdaudioswitch,,',
|
||||
'500,sdaudioswitch,sdaudioswitch,',
|
||||
'500,sdzoomplugin,,',
|
||||
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
||||
'500,snyk-ls_darwin_arm64,a.out,',
|
||||
'500,ssh,ssh,',
|
||||
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,stern,a.out,',
|
||||
'500,syncthing,syncthing,',
|
||||
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
|
||||
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
|
||||
'500,tflint,a.out,',
|
||||
'500,tflint-ruleset-aws,a.out,',
|
||||
'500,tflint-ruleset-google,a.out,',
|
||||
'500,timestamp-server,a.out,',
|
||||
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
|
||||
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'500,vim,,',
|
||||
'500,vim,vim,',
|
||||
'500,WinAppHelper,,',
|
||||
'500,WinAppHelper,WinAppHelper,'
|
||||
'500,vim,vim,'
|
||||
)
|
||||
AND NOT (
|
||||
exception_key LIKE '500,%,a.out,'
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ WHERE
|
|||
'baloo_file',
|
||||
'baloo_file_extr',
|
||||
'bash',
|
||||
'apko',
|
||||
'bwrap',
|
||||
'cargo',
|
||||
'chrome',
|
||||
|
|
|
|||
|
|
@ -42,4 +42,4 @@ WHERE
|
|||
}'
|
||||
AND yara.count > 0
|
||||
AND file.path NOT LIKE '/Users/%/Downloads/chainctl%'
|
||||
AND file.filename NOT IN ('grype', 'chainctl')
|
||||
AND file.filename NOT IN ('grype', 'chainctl', 'elastic-agent')
|
||||
|
|
|
|||
|
|
@ -95,6 +95,9 @@ WHERE
|
|||
'BluejeansHelper',
|
||||
'docker',
|
||||
'lima-guestagent',
|
||||
'elastic-agent',
|
||||
'metricbeat',
|
||||
'filebeat',
|
||||
'containerd-star',
|
||||
'gopls',
|
||||
'ollama',
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ FROM
|
|||
WHERE
|
||||
file.path IN (
|
||||
SELECT
|
||||
file.path
|
||||
DISTINCT file.path
|
||||
FROM
|
||||
block_devices
|
||||
JOIN mounts ON mounts.device = block_devices.name
|
||||
|
|
@ -52,6 +52,11 @@ WHERE
|
|||
AND mounts.path LIKE "/Volumes/%"
|
||||
-- osquery will traverse symlinks, this prevents following symlinks to /Applications (poorly)
|
||||
AND file.path NOT LIKE "/Volumes/%/Applications/%"
|
||||
AND file.path NOT LIKE "/Volumes/%/ /%"
|
||||
AND NOT (
|
||||
file.type != "regular"
|
||||
AND file.directory LIKE '%/Contents/Resources/'
|
||||
)
|
||||
)
|
||||
AND (
|
||||
-- Rule 0. App binaries that are hidden, like WnBJLaF/1302.app/Contents/MacOS/1302 (1302.app)
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ WHERE
|
|||
'doc',
|
||||
'docx',
|
||||
'dwg',
|
||||
'rtf',
|
||||
'eml',
|
||||
'eps',
|
||||
'gif',
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ WHERE
|
|||
AND exception_key NOT IN (
|
||||
'500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
|
||||
'500,Final Cut Pro,/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro',
|
||||
'500,Clipy,/Applications/Clipy.app/Contents/MacOS/Clipy',
|
||||
'500,Evernote,/Applications/Evernote.app/Contents/MacOS/Evernote',
|
||||
'500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch',
|
||||
'500,Macdown,/Applications/MacDown.app/Contents/MacOS/MacDown',
|
||||
|
|
|
|||
|
|
@ -271,10 +271,12 @@ WHERE
|
|||
'systemd-coredump.socket,Process Core Dump Socket,',
|
||||
'systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,',
|
||||
'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,',
|
||||
'ElasticEndpoint.service,ElasticEndpoint,',
|
||||
'systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,',
|
||||
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
|
||||
'systemd-fsck-root.service,File System Check on Root Device,',
|
||||
'systemd-growfs@-.service,Grow File System on /,',
|
||||
'elastic-agent.service,Elastic Agent is a unified agent to observe, monitor and protect your system.,',
|
||||
'systemd-homed-activate.service,Home Area Activation,',
|
||||
'systemd-homed.service,Home Area Manager,',
|
||||
'loadcpufreq.service,LSB: Load kernel modules needed to enable cpufreq scaling,',
|
||||
|
|
|
|||
|
|
@ -62,6 +62,8 @@ WHERE
|
|||
'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
|
||||
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
|
||||
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
|
||||
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
|
||||
'Software Signing', -- Apple
|
||||
'yabai-cert'
|
||||
|
|
|
|||
|
|
@ -33,19 +33,22 @@ WHERE
|
|||
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
|
||||
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
|
||||
'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
|
||||
'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
|
||||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
|
||||
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
|
||||
'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
|
||||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
|
||||
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
|
||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'Developer ID Application: Louis Pontoise (QXD7GW8FHY)',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
|
||||
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
||||
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',
|
||||
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
|
||||
'Software Signing'
|
||||
)
|
||||
|
|
|
|||
|
|
@ -137,6 +137,7 @@ WHERE
|
|||
'546,17,0,configd,Software Signing',
|
||||
'547,17,500,dhcp6d,Software Signing',
|
||||
'5900,6,0,launchd,Software Signing',
|
||||
'8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
|
||||
'5900,6,0,screensharingd,Software Signing',
|
||||
'5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
|
||||
'6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
|
||||
|
|
|
|||
|
|
@ -74,18 +74,6 @@ WHERE
|
|||
AND p0.path != ""
|
||||
AND p0.start_time < (strftime('%s', 'now') - 1200)
|
||||
AND exception_key NOT IN (
|
||||
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
|
||||
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
|
||||
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
|
||||
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
|
||||
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
|
||||
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
|
||||
|
|
@ -97,7 +85,6 @@ WHERE
|
|||
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
|
||||
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
|
||||
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
|
||||
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
|
||||
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
|
||||
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
|
||||
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
|
||||
|
|
@ -106,29 +93,29 @@ WHERE
|
|||
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
|
||||
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
|
||||
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
|
||||
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
|
||||
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
|
||||
'blueman-mechanism.service,Bluetooth management mechanism,,200',
|
||||
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
|
||||
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
|
||||
'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
|
||||
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555',
|
||||
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
|
||||
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
|
||||
'bpfilter_umh,/bpfilter_umh,0,,,',
|
||||
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
|
||||
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
|
||||
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
|
||||
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
|
||||
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
|
||||
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
|
||||
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
|
||||
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
|
||||
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
|
||||
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
|
||||
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
|
||||
'dirmngr,/usr/bin/dirmngr,0,system.slice,archlinux-keyring-wkd-sync.service,0755',
|
||||
|
|
@ -136,67 +123,74 @@ WHERE
|
|||
'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755',
|
||||
'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
|
||||
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
|
||||
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
|
||||
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
|
||||
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
|
||||
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
|
||||
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
|
||||
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
|
||||
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
|
||||
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
|
||||
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
|
||||
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
|
||||
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
|
||||
'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
|
||||
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
|
||||
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
|
||||
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
|
||||
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
|
||||
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
|
||||
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
|
||||
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
|
||||
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
|
||||
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
|
||||
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
|
||||
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
|
||||
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
|
||||
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
|
||||
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
|
||||
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
|
||||
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
|
||||
'geoclue.service,Location Lookup Service,geoclue,500',
|
||||
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
|
||||
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
|
||||
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
|
||||
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
|
||||
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
|
||||
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
|
||||
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
|
||||
'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755',
|
||||
'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
|
||||
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
|
||||
'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
|
||||
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
|
||||
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
|
||||
'launcher,/nix/store/__VERSION__/bin/launcher,0,system.slice,kolide-launcher.service,0555',
|
||||
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555',
|
||||
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
|
||||
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
|
||||
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
|
||||
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
|
||||
'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
|
||||
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
|
||||
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
|
||||
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
|
||||
'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
|
||||
'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
|
||||
'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755',
|
||||
'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
|
||||
'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755',
|
||||
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
|
||||
'nm-dispatcher,/usr/lib/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
|
||||
'nm-openvpn-serv,/usr/libexec/nm-openvpn-service,0,system.slice,NetworkManager.service,0755',
|
||||
'nvidia-powerd,/usr/bin/nvidia-powerd,0,system.slice,nvidia-powerd.service,0755',
|
||||
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755',
|
||||
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
|
||||
'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555',
|
||||
'osqueryd,/opt/orbit/bin/osqueryd/linux/stable/osqueryd,0,system.slice,orbit.service,0755',
|
||||
'osqueryd,/usr/local/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
|
||||
'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755',
|
||||
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
|
||||
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
|
||||
|
|
@ -204,37 +198,38 @@ WHERE
|
|||
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
|
||||
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
|
||||
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
|
||||
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
|
||||
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
|
||||
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
|
||||
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
|
||||
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
|
||||
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
|
||||
'runc,/usr/bin/runc,0,system.slice,docker.service,0755',
|
||||
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
|
||||
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
|
||||
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
|
||||
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
|
||||
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
|
||||
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
|
||||
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
|
||||
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
|
||||
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
|
||||
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
|
||||
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
|
||||
'sshd,/usr/bin/sshd,0,user.slice,user-1000.slice,0755',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
|
||||
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
|
||||
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
|
||||
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
|
||||
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
|
||||
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
|
||||
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
|
||||
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
|
||||
'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
|
||||
|
|
@ -249,18 +244,22 @@ WHERE
|
|||
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
|
||||
'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755',
|
||||
'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755',
|
||||
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
|
||||
'tailscaled,/usr/bin/tailscaled,0,system.slice,tailscaled.service,0755',
|
||||
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
|
||||
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
|
||||
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
|
||||
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
|
||||
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
|
||||
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
|
||||
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
|
||||
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
|
||||
'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
|
||||
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
|
||||
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
|
||||
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
|
||||
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
|
||||
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
|
||||
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
|
||||
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
|
||||
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
|
||||
|
|
@ -270,17 +269,22 @@ WHERE
|
|||
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
|
||||
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
|
||||
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
|
||||
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
|
||||
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
|
||||
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
|
||||
'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
|
||||
)
|
||||
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
|
||||
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
|
||||
AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
|
||||
AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770'
|
||||
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
|
||||
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
||||
GROUP BY
|
||||
|
|
|
|||
|
|
@ -306,6 +306,8 @@ WHERE -- Focus on longer-running programs
|
|||
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
|
||||
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
|
||||
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
|
||||
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
|
||||
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
|
|
|
|||
|
|
@ -110,6 +110,7 @@ WHERE
|
|||
'/usr/bin/NetworkManager',
|
||||
'/usr/bin/nvidia-persistenced',
|
||||
'/usr/bin/nvim',
|
||||
'/opt/Elastic/Endpoint/elastic-endpoint',
|
||||
'/usr/bin/pulseaudio',
|
||||
'/usr/bin/sshd',
|
||||
'/usr/bin/sudo',
|
||||
|
|
|
|||
Loading…
Reference in New Issue