RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-09 22:16:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

add exceptions for nix, kde paths, rvictl, and profile

Browse Source
This commit is contained in:
Thomas Stromberg 2022-10-21 11:37:55 -04:00
parent ed2bede71f
commit 1afd3f6a75
Failed to extract signature
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
detection/evasion/unexpected-etc-executables.sql
View File

@ -31,10 +31,13 @@ WHERE
'/etc/acpi',
'/etc/alternatives',
'/etc/apcupsd',
'/etc/kde/shutdown',
'/etc/apm/resume.d',
'/etc/apm/scripts.d',
'/etc/nix/result',
'/etc/apm/suspend.d',
'/etc/avahi',
'/etc/nix/result/sw/bin',
'/etc/bash_completion.d',
'/etc/brltty/Contraction',
'/etc/chromium/native-messaging-hosts',
@ -132,7 +135,11 @@ WHERE
AND file.path NOT IN (
'/etc/nftables.conf',
'/etc/rmt',
'/etc/paths.d/100-rvictl',
'/etc/profile',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json'
)
-- Nix (on macOS) -- actually a symbolic link
AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%'