Remove numerous false positives

Thomas Stromberg 2022-09-26 18:27:43 -04:00
parent 26e1070bc6
commit 318d26602f
12 changed files with 312 additions and 226 deletions


@ -121,9 +121,12 @@ WHERE
"/dev/net/tun,slirp4netns",
"/dev/tty,agetty",
"/dev/tty,gdm-wayland-session",
"/dev/input/event,thermald",
"/dev/tty,gdm-x-session",
"/dev/tty,systemd-logind",
"/dev/mcelog,mcelog",
"/dev/tty,Xorg",
"/dev/zfs,zpool",
"/dev/uinput,bluetoothd",
"/dev/usb/hiddev,apcupsd",
"/dev/usb/hiddev,upowerd",
@ -139,7 +142,7 @@ WHERE
-- shows up as python
AND NOT (
device LIKE "/dev/bus/usb/%"
AND program_name IN ("streamdeck", "gphoto2", "fwupd")
AND program_name IN ("streamdeck", "gphoto2", "fwupd", "pcscd")
)
GROUP BY
pof.pid
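Review bot: The `/dev/bus/usb/%` exception at L30, `AND program_name IN ("streamdeck", "gphoto2", "fwupd", "pcscd")`, keys the allowlist on the process name alone, and the `device,program` pairs in the first hunk do the same; a process chooses its own name, so any binary calling itself `pcscd` that opens USB devices is silently dropped. The neighbouring section of this commit shows the same family of rules joining `hash` and `signature` on `p.path`, so if those joins exist in this file too the exception could be narrowed to `p.path` or `s.authority` rather than the bare name — worth confirming above the hunk. The comment `-- shows up as python` at L26 also reads as if it belongs to an earlier exception; a comment stating which process appears as python, or moving it next to that entry, would help. The enclosing WHERE clause starts outside the hunk.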


@ -28,7 +28,7 @@ FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
LEFT JOIN hash ON hash.path = p.path
LEFT JOIN signature s ON s.path = p.path
LEFT JOIN signature s ON p.path = s.path
WHERE
pof.path LIKE "/dev/%"
AND pof.path NOT IN (


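--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,50 @@
+-- Find root-run processes which link against libpcap
+-- WARNING: This check consumes an unusual amount of system memory (up to 225MB)
+SELECT
+pmm.pid,
+p.uid,
+p.gid,
+pmm.path AS lib_path,
+p.path AS child_path,
+p.name AS child_name,
+p.cmdline AS child_cmd,
+p.cwd AS child_cwd,
+h.sha256 AS child_sha256,
+pp.path AS parent_path,
+pp.name AS parent_name,
+pp.cmdline AS parent_cmd,
+pp.cwd AS parent_cwd,
+pp.euid AS parent_euid,
+ph.sha256 AS parent_sha256,
+s.authority,
+s.identifier
+FROM
+process_memory_map pmm
+LEFT JOIN processes p ON pmm.pid = p.pid
+LEFT JOIN hash h ON p.path = h.path
+LEFT JOIN processes pp ON p.parent = pp.pid
+LEFT JOIN hash AS ph ON pp.path = ph.path
+LEFT JOIN signature s ON p.path = s.path
+WHERE
+pmm.path LIKE "%libpcap%"
+AND p.euid = 0
+AND child_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
+AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
+AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
+AND child_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
+AND child_path NOT LIKE "/opt/homebrew/Cellar/telepresence%"
+AND child_path NOT LIKE "/System/Library/%"
+AND child_path NOT LIKE "/nix/store/%/bin/nix"
+AND child_path NOT IN (
+"/usr/libexec/UserEventAgent",
+"/usr/sbin/systemstats",
+"/usr/bin/libvirtd",
+"/usr/sbin/cupsd"
+)
+AND child_cmd NOT IN (
+"/nix/var/nix/profiles/default/bin/nix-daemon",
+"/run/current-system/systemd/lib/systemd/systemd",
+"/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid"
+)
+GROUP BY
+pmm.pid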
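Review bot: The `child_cmd NOT IN (...)` exceptions at L93-L97 exempt processes on their command line alone, which the process itself controls, so any root process reporting the cmdline `/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid` is dropped regardless of which binary is actually running. Pairing each cmdline entry with `child_path` (as the `child_path NOT IN` block just above does), or with `child_sha256`/`s.authority`, which the SELECT already fetches but never filters on, would keep the exception specific. The `/opt/homebrew/Cellar/telepresence%` prefix at L84 deserves a second look for the same reason: Homebrew prefixes are normally writable by the console user, so a root-run binary dropped there matches the exclusion. A one-line comment per exempted path family stating why it is trusted (SIP-protected, package-managed, etc.) would make the list reviewable, and `LEFT JOIN hash h` versus `LEFT JOIN hash AS ph` should pick one form.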


@ -31,248 +31,249 @@ WHERE
OR file.path LIKE "/var/lib/%"
OR file.path LIKE "/var/tmp/%"
)
AND type = 'regular'
AND type = "regular"
AND mode NOT LIKE "0%"
AND mode NOT LIKE "1%"
AND mode NOT LIKE "2%"
AND NOT (
mode LIKE '4%11'
mode LIKE "4%11"
AND uid = 0
AND gid = 0
AND file.path IN (
'/bin/cdda2wav',
'/bin/cdrecord',
'/bin/icedax',
'/bin/mount.nfs',
'/bin/mount.nfs4',
'/bin/readcd',
'/bin/readom',
'/bin/rscsi',
'/bin/staprun',
'/bin/sudo',
'/bin/sudoedit',
'/bin/umount.nfs',
'/bin/umount.nfs4',
'/bin/wodim',
'/sbin/cdda2wav',
'/sbin/cdrecord',
'/sbin/icedax',
'/sbin/mount.nfs',
'/sbin/mount.nfs4',
'/sbin/readcd',
'/sbin/readom',
'/sbin/rscsi',
'/sbin/umount.nfs',
'/sbin/umount.nfs4',
'/sbin/userhelper',
'/sbin/wodim',
'/usr/bin/cdda2wav',
'/usr/bin/cdrecord',
'/usr/bin/icedax',
'/usr/bin/mount.nfs',
'/usr/bin/mount.nfs4',
'/usr/bin/readcd',
'/usr/bin/readom',
'/usr/bin/rscsi',
'/usr/bin/staprun',
'/usr/bin/sudo',
'/usr/bin/sudoedit',
'/usr/bin/umount.nfs',
'/usr/bin/umount.nfs4',
'/usr/bin/wodim',
'/usr/libexec/security_authtrampoline',
'/usr/sbin/cdda2wav',
'/usr/sbin/cdrecord',
'/usr/sbin/icedax',
'/usr/sbin/mount.nfs',
'/usr/sbin/mount.nfs4',
'/usr/sbin/readcd',
'/usr/sbin/readom',
'/usr/sbin/rscsi',
'/usr/sbin/umount.nfs',
'/usr/sbin/umount.nfs4',
'/usr/sbin/userhelper',
'/usr/sbin/wodim'
"/bin/cdda2wav",
"/bin/cdrecord",
"/bin/icedax",
"/bin/mount.nfs",
"/bin/mount.nfs4",
"/bin/readcd",
"/bin/readom",
"/bin/rscsi",
"/bin/staprun",
"/bin/sudo",
"/bin/sudoedit",
"/bin/umount.nfs",
"/bin/umount.nfs4",
"/bin/wodim",
"/sbin/cdda2wav",
"/sbin/cdrecord",
"/sbin/icedax",
"/sbin/mount.nfs",
"/sbin/mount.nfs4",
"/sbin/readcd",
"/sbin/readom",
"/sbin/rscsi",
"/sbin/umount.nfs",
"/sbin/umount.nfs4",
"/sbin/userhelper",
"/sbin/wodim",
"/usr/bin/cdda2wav",
"/usr/bin/cdrecord",
"/usr/bin/icedax",
"/usr/bin/mount.nfs",
"/usr/bin/mount.nfs4",
"/usr/bin/readcd",
"/usr/bin/readom",
"/usr/bin/rscsi",
"/usr/bin/staprun",
"/usr/bin/sudo",
"/usr/bin/sudoedit",
"/usr/bin/umount.nfs",
"/usr/bin/umount.nfs4",
"/usr/bin/wodim",
"/usr/libexec/security_authtrampoline",
"/usr/sbin/cdda2wav",
"/usr/sbin/cdrecord",
"/usr/sbin/icedax",
"/usr/sbin/mount.nfs",
"/usr/sbin/mount.nfs4",
"/usr/sbin/readcd",
"/usr/sbin/readom",
"/usr/sbin/rscsi",
"/usr/sbin/umount.nfs",
"/usr/sbin/umount.nfs4",
"/usr/sbin/userhelper",
"/usr/sbin/wodim"
)
)
AND NOT (
mode LIKE '4%55'
mode LIKE "4%55"
AND uid = 0
AND gid = 0
AND file.path IN (
'/bin/chage',
'/bin/chfn',
'/bin/chsh',
'/bin/crontab',
'/bin/doas',
'/bin/expiry',
'/bin/fusermount-glusterfs',
'/bin/fusermount',
'/bin/fusermount3',
'/bin/gpasswd',
'/bin/ksu',
'/bin/mount',
'/bin/ndisc6',
'/bin/newgidmap',
'/bin/newgrp',
'/bin/newuidmap',
'/usr/bin/newgidmap',
'/bin/nvidia-modprobe',
'/bin/passwd',
'/bin/pkexec',
'/bin/ps',
'/bin/rdisc6',
'/bin/rltraceroute6',
'/bin/sg',
'/bin/su',
'/bin/sudo',
'/bin/sudoedit',
'/bin/suexec',
'/bin/ubuntu-core-launcher',
'/bin/umount',
'/bin/vmware-user-suid-wrapper',
'/bin/vmware-user',
'/sbin/chage',
'/sbin/chfn',
'/sbin/chsh',
'/sbin/crontab',
'/sbin/doas',
'/sbin/expiry',
'/sbin/fusermount',
'/sbin/fusermount3',
'/sbin/gpasswd',
'/sbin/grub2-set-bootflag',
'/sbin/ksu',
'/sbin/mount.nfs',
'/sbin/mount.nfs4',
'/sbin/mount',
'/sbin/ndisc6',
'/sbin/newgrp',
'/sbin/nvidia-modprobe',
'/sbin/pam_timestamp_check',
'/sbin/passwd',
'/sbin/pkexec',
'/sbin/rdisc6',
'/sbin/rltraceroute6',
'/sbin/sg',
'/sbin/su',
'/sbin/sudo',
'/sbin/sudoedit',
'/sbin/suexec',
'/sbin/umount.nfs',
'/sbin/umount.nfs4',
'/sbin/umount',
'/sbin/unix_chkpwd',
'/usr/bin/at',
'/usr/bin/atq',
'/usr/bin/atrm',
'/usr/bin/batch',
'/usr/bin/chage',
'/usr/bin/chfn',
'/usr/bin/chsh',
'/usr/bin/crontab',
'/usr/bin/doas',
'/usr/bin/expiry',
'/usr/bin/fusermount-glusterfs',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/gpasswd',
'/usr/bin/ksu',
'/usr/bin/login',
'/usr/bin/mount',
'/usr/bin/ndisc6',
'/usr/bin/newgrp',
'/usr/bin/newuidmap',
'/usr/bin/nvidia-modprobe',
'/usr/bin/passwd',
'/usr/bin/pkexec',
'/usr/bin/quota',
'/usr/bin/rdisc6',
'/usr/bin/rltraceroute6',
'/usr/bin/sg',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/bin/sudoedit',
'/usr/bin/suexec',
'/usr/bin/top',
'/usr/bin/umount',
'/usr/bin/vmware-user-suid-wrapper',
'/usr/bin/vmware-user',
'/usr/lib/mail-dotlock',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib/Xorg.wrap',
'/usr/lib64/mail-dotlock',
'/usr/lib64/xf86-video-intel-backlight-helper',
'/usr/lib64/Xorg.wrap',
'/usr/libexec/authopen',
'/usr/libexec/polkit-agent-helper-1',
'/usr/libexec/qemu-bridge-helper',
'/usr/libexec/Xorg.wrap',
'/usr/sbin/chage',
'/usr/sbin/chfn',
'/usr/sbin/chsh',
'/usr/sbin/crontab',
'/usr/sbin/doas',
'/usr/sbin/expiry',
'/usr/sbin/fusermount',
'/usr/sbin/fusermount3',
'/usr/sbin/gpasswd',
'/usr/sbin/grub2-set-bootflag',
'/usr/sbin/ksu',
'/usr/sbin/mount.nfs',
'/usr/sbin/mount.nfs4',
'/usr/sbin/mount',
'/usr/sbin/ndisc6',
'/usr/sbin/newgrp',
'/usr/sbin/nvidia-modprobe',
'/usr/sbin/pam_timestamp_check',
'/usr/sbin/passwd',
'/usr/sbin/pkexec',
'/usr/sbin/rdisc6',
'/usr/sbin/rltraceroute6',
'/usr/sbin/sg',
'/usr/sbin/su',
'/usr/sbin/sudo',
'/usr/sbin/sudoedit',
'/usr/sbin/suexec',
'/usr/sbin/traceroute',
'/usr/sbin/traceroute6',
'/usr/sbin/umount.nfs',
'/usr/sbin/umount.nfs4',
'/usr/sbin/umount',
'/usr/sbin/unix_chkpwd'
"/bin/chage",
"/bin/chfn",
"/bin/chsh",
"/bin/crontab",
"/bin/doas",
"/bin/expiry",
"/bin/fusermount-glusterfs",
"/bin/fusermount",
"/bin/fusermount3",
"/bin/gpasswd",
"/bin/ksu",
"/bin/mount",
"/bin/ndisc6",
"/bin/newgidmap",
"/bin/newgrp",
"/bin/newuidmap",
"/usr/bin/newgidmap",
"/bin/nvidia-modprobe",
"/bin/passwd",
"/bin/pkexec",
"/bin/ps",
"/bin/rdisc6",
"/bin/rltraceroute6",
"/bin/sg",
"/bin/su",
"/bin/sudo",
"/bin/sudoedit",
"/bin/suexec",
"/bin/ubuntu-core-launcher",
"/bin/umount",
"/bin/vmware-user-suid-wrapper",
"/bin/vmware-user",
"/sbin/chage",
"/sbin/chfn",
"/sbin/chsh",
"/sbin/crontab",
"/sbin/doas",
"/sbin/expiry",
"/sbin/fusermount",
"/sbin/fusermount3",
"/sbin/gpasswd",
"/sbin/grub2-set-bootflag",
"/sbin/ksu",
"/sbin/mount.nfs",
"/sbin/mount.nfs4",
"/sbin/mount",
"/sbin/ndisc6",
"/sbin/newgrp",
"/sbin/nvidia-modprobe",
"/sbin/pam_timestamp_check",
"/sbin/passwd",
"/sbin/pkexec",
"/sbin/rdisc6",
"/sbin/rltraceroute6",
"/sbin/sg",
"/sbin/su",
"/sbin/sudo",
"/sbin/sudoedit",
"/sbin/suexec",
"/sbin/umount.nfs",
"/sbin/umount.nfs4",
"/sbin/umount",
"/sbin/unix_chkpwd",
"/usr/bin/at",
"/usr/bin/atq",
"/usr/bin/atrm",
"/usr/bin/batch",
"/usr/bin/chage",
"/usr/bin/chfn",
"/usr/bin/chsh",
"/usr/bin/crontab",
"/usr/bin/doas",
"/usr/bin/expiry",
"/usr/bin/fusermount-glusterfs",
"/usr/bin/fusermount",
"/usr/bin/fusermount3",
"/usr/bin/gpasswd",
"/usr/bin/ksu",
"/usr/bin/login",
"/usr/bin/mount",
"/usr/bin/ndisc6",
"/usr/bin/newgrp",
"/usr/bin/newuidmap",
"/usr/bin/nvidia-modprobe",
"/usr/bin/passwd",
"/usr/bin/pkexec",
"/usr/bin/quota",
"/usr/bin/rdisc6",
"/usr/bin/rltraceroute6",
"/usr/bin/sg",
"/usr/bin/su",
"/usr/bin/sudo",
"/usr/bin/sudoedit",
"/usr/bin/suexec",
"/usr/bin/top",
"/usr/bin/ubuntu-core-launcher",
"/usr/bin/umount",
"/usr/bin/vmware-user-suid-wrapper",
"/usr/bin/vmware-user",
"/usr/lib/mail-dotlock",
"/usr/lib/xf86-video-intel-backlight-helper",
"/usr/lib/Xorg.wrap",
"/usr/lib64/mail-dotlock",
"/usr/lib64/xf86-video-intel-backlight-helper",
"/usr/lib64/Xorg.wrap",
"/usr/libexec/authopen",
"/usr/libexec/polkit-agent-helper-1",
"/usr/libexec/qemu-bridge-helper",
"/usr/libexec/Xorg.wrap",
"/usr/sbin/chage",
"/usr/sbin/chfn",
"/usr/sbin/chsh",
"/usr/sbin/crontab",
"/usr/sbin/doas",
"/usr/sbin/expiry",
"/usr/sbin/fusermount",
"/usr/sbin/fusermount3",
"/usr/sbin/gpasswd",
"/usr/sbin/grub2-set-bootflag",
"/usr/sbin/ksu",
"/usr/sbin/mount.nfs",
"/usr/sbin/mount.nfs4",
"/usr/sbin/mount",
"/usr/sbin/ndisc6",
"/usr/sbin/newgrp",
"/usr/sbin/nvidia-modprobe",
"/usr/sbin/pam_timestamp_check",
"/usr/sbin/passwd",
"/usr/sbin/pkexec",
"/usr/sbin/rdisc6",
"/usr/sbin/rltraceroute6",
"/usr/sbin/sg",
"/usr/sbin/su",
"/usr/sbin/sudo",
"/usr/sbin/sudoedit",
"/usr/sbin/suexec",
"/usr/sbin/traceroute",
"/usr/sbin/traceroute6",
"/usr/sbin/umount.nfs",
"/usr/sbin/umount.nfs4",
"/usr/sbin/umount",
"/usr/sbin/unix_chkpwd"
)
)
AND NOT (
mode = '4754'
mode = "4754"
AND uid = 0
AND gid = 30
AND file.path IN ('/usr/sbin/pppd', '/sbin/pppd')
AND file.path IN ("/usr/sbin/pppd", "/sbin/pppd")
)
AND NOT (
mode = '6755'
mode = "6755"
AND uid = 0
AND gid = 0
AND file.path IN (
'/bin/mount.cifs',
'/bin/mount.smb3',
'/bin/unix_chkpwd',
'/sbin/mount.cifs',
'/sbin/mount.smb3',
'/sbin/unix_chkpwd',
'/usr/bin/mount.cifs',
'/usr/bin/mount.smb3',
'/usr/bin/unix_chkpwd',
'/usr/lib/xtest',
'/usr/lib64/xtest',
'/usr/sbin/mount.cifs',
'/usr/sbin/mount.smb3',
'/usr/sbin/unix_chkpwd'
"/bin/mount.cifs",
"/bin/mount.smb3",
"/bin/unix_chkpwd",
"/sbin/mount.cifs",
"/sbin/mount.smb3",
"/sbin/unix_chkpwd",
"/usr/bin/mount.cifs",
"/usr/bin/mount.smb3",
"/usr/bin/unix_chkpwd",
"/usr/lib/xtest",
"/usr/lib64/xtest",
"/usr/sbin/mount.cifs",
"/usr/sbin/mount.smb3",
"/usr/sbin/unix_chkpwd"
)
)
AND NOT (
mode = '4110'
mode = "4110"
AND uid = 0
AND gid = 156
AND file.path = '/bin/staprun'
AND file.path IN ("/bin/staprun", "/usr/bin/staprun")
)
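Review bot: The hunk switches every string literal from single to double quotes (`type = "regular"`, `mode LIKE "4%11"`, the path lists), which in SQLite depends on the legacy double-quoted-string fallback: a double-quoted token is resolved as an identifier first and is only treated as a string when no matching column exists. Single quotes are the standard-SQL form and avoid that ambiguity, and the repository now carries both styles — the sibling hunks in this commit at L573-L575, L583-L603 and L635-L640 keep single quotes, with L636 inserting a double-quoted `"1.1.1.2"` into a single-quoted list. If double quotes are the intended house style, the remaining files should follow in the same change and a formatter (sqlfluff) can hold the line; otherwise this hunk should stay single-quoted. The enclosing WHERE clause starts before this hunk.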


@ -45,6 +45,7 @@ WHERE
'gz',
'sh',
'sql'
)
OR file.symlink != 0
OR basename LIKE ".%"
@ -61,17 +62,20 @@ WHERE
OR basename LIKE "cg%"
) -- exceptions go here
AND basename NOT IN (
'.',
'..',
'.vol',
'.VolumeIcon.icns',
'.',
'.background',
'.file',
'.Trashes',
'.TemporaryItems',
'.disk_label_2x',
'.disk_label',
'.DS_Store',
'.file-revisions-by-id',
'.file',
'.metadata_never_index_unless_rootfs',
'.shortcut-targets-by-id',
'.DS_Store'
'.TemporaryItems',
'.Trashes',
'.vol',
'.VolumeIcon.icns'
)
AND authority NOT IN (
'Developer ID Application: Google LLC (EQHXZ8M8AV)'


@ -49,13 +49,17 @@ WHERE
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
AND s.remote_address NOT IN (
"1.1.1.1", -- Cloudflare
"1.1.1.2", -- Cloudflare
"8.8.8.8", -- Google
"8.8.4.4", -- Google (backup)
"208.67.222.222", -- OpenDNS
"75.75.75.75" -- Comcast
)
-- Exceptions that specifically talk to one server
AND exception_key NOT IN ("nessusd,50.16.123.71,53", "coredns,0.0.0.0,53")
AND exception_key NOT IN (
"nessusd,50.16.123.71,53",
"coredns,0.0.0.0,53"
)
-- Local DNS servers and custom clients go here
AND p.path NOT IN ("/usr/lib/systemd/systemd-resolved")
AND p.path NOT LIKE "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper"
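Review bot: The `exception_key NOT IN (...)` block at L622-L625 exempts on what appears to be a `name,address,port` triple whose first field is the process name, so anything calling itself `coredns` or `nessusd` and talking to the listed address is suppressed; the `p.path NOT IN` / `NOT LIKE` entries directly below show the stronger, path-based form, and the two lists could be folded into one keyed on path. `"coredns,0.0.0.0,53"` also looks like a listening socket rather than an outbound DNS query (0.0.0.0 is not a peer address), which suggests the rows feeding this rule may want a `remote_address` filter rather than a per-process exception — worth confirming against how `s` is selected above the hunk. A short comment on the key layout, e.g. `-- exception_key appears to be "<name>,<remote_address>,<remote_port>"`, would document the format for future additions. The enclosing WHERE clause starts outside the hunk.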


@ -65,7 +65,9 @@ WHERE
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
AND s.remote_address NOT IN (
'1.1.1.1', -- Cloudflare
"1.1.1.2", -- Cloudflare
'8.8.8.8', -- Google
'8.8.8.4', -- Google
'208.67.222.222', -- OpenDNS
'75.75.75.75' -- Comcast
)
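Review bot: `'8.8.8.4', -- Google` at L638 is not a Google Public DNS address; the service's anycast resolvers are 8.8.8.8 and 8.8.4.4, and the sibling rule in this commit (L616) correctly lists `"8.8.4.4", -- Google (backup)`. As written, clients using Google's secondary resolver still alert while traffic to 8.8.8.4 is silently exempted; changing the line to `'8.8.4.4', -- Google (backup)` brings the two files into agreement. The newly inserted `"1.1.1.2"` at L636 also uses double quotes inside an otherwise single-quoted list and should match the surrounding style. The enclosing WHERE clause starts outside the hunk.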


@ -88,6 +88,7 @@ WHERE
"6379,6,500,redis-server",
"6443,6,0,kube-apiserver",
"67,17,500,dnsmasq",
"8009,6,0,java",
"68,17,500,dhcpcd",
"7000,6,500,ControlCenter",
"80,6,60,nginx",
@ -95,6 +96,7 @@ WHERE
"8080,6,0,coredns",
"8086,6,0,influxd",
"4443,6,500,metrics-server",
"8080,6,0,java",
"8086,6,500,influxd",
"53,17,500,dnsmasq",
"8123,6,500,Brackets-node",
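Review bot: The new `"8009,6,0,java"` (L649) and `"8080,6,0,java"` (L657) entries exempt any root-run process named `java` on those ports, and `java` names the runtime rather than an application, so every JVM-hosted service a host might expose on 8080 becomes invisible to this rule. Port 8009 is the Tomcat AJP connector, which is meant to sit behind a local reverse proxy, so a root JVM listening on it is the kind of exposure this check exists to surface. If one deployment needs the exception, keying it on the executable path or cmdline, or on a non-root uid as the `"6379,6,500,redis-server"` entry does, keeps it narrow — assuming the query joins `processes`, which is not visible in the hunk. The enclosing WHERE clause starts outside the hunk.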


@ -55,6 +55,7 @@ WHERE
"49152,6,500,GarageBand,Apple Mac OS Application Signing",
"1338,6,500,registry,",
"137,17,0,launchd,Software Signing",
"49152,6,500,telepresence,",
"137,17,222,netbiosd,Software Signing",
"138,17,0,launchd,Software Signing",
"138,17,222,netbiosd,Software Signing",
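Review bot: `"49152,6,500,telepresence,"` at L668 ends with an empty signing-authority field, so — by analogy with `"1338,6,500,registry,"` above it — it exempts an unsigned binary purely on the name `telepresence` and a dynamic-range port; an unsigned process listening on an ephemeral port is typically the condition a rule like this is meant to raise. If the exception is needed, adding a path or hash match alongside the name stops any unsigned process that adopts the name from inheriting it. A comment on the key layout (the five fields appear to be port, protocol, uid, name, authority) would also help readers of this list. The enclosing WHERE clause starts outside the hunk.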


@ -35,3 +35,16 @@ WHERE
AND f.mode = '0777'
AND f.uid > 500
)
AND NOT (
f.path = '/Applications/Camera Settings.app/Contents/MacOS/LogitechCamera'
AND f.mode = '0777'
AND f.uid > 500
)
AND NOT (
f.path = '/usr/bin/sudo'
AND f.mode = '0411'
AND f.uid = 0
)
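Review bot: The new exception at L679-L683 allowlists `/Applications/Camera Settings.app/Contents/MacOS/LogitechCamera` while it is mode `0777`, i.e. a world-writable executable; the permission is the finding, since any local account can replace the binary, and exempting it by path alone means a tampered copy at that path is ignored too. If the false positive must go, pin the exception further (hash or signer, where the query has them) and record the reason, e.g. `-- Logitech installer ships this binary 0777; tracked in <ticket>`. The `/usr/bin/sudo` entry at L684-L688 with `f.mode = '0411'` is also suspicious: 0411 has no setuid bit and denies the owner execute, while the file-mode rule elsewhere in this commit treats sudo as `4%11` (L113, L127), so it may be a typo for `4111` — worth confirming on the host that produced it. The enclosing WHERE clause starts outside the hunk.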


@ -82,15 +82,19 @@ WHERE
"cups.socket,CUPS Scheduler,,100",
"systemd-suspend.service,System Suspend,,500",
"dbus-broker.service,D-Bus System Message Bus,,500",
"archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,,900",
"dbus.service,D-Bus System Message Bus,,400",
"dbus.service,D-Bus System Message Bus,,500",
"dbus.socket,D-Bus System Message Bus Socket,,100",
"dhcpcd.service,DHCP Client,,1700",
"display-manager.service,X11 Server,,1700",
"zfs-scrub.service,ZFS pools scrubbing,,1000",
"dkms.service,Builds and install new kernel modules through DKMS,,200",
"dm-event.socket,Device-mapper event daemon FIFOs,,200",
"iio-sensor-proxy.service,IIO Sensor Proxy service,,400",
"dnf-makecache.service,dnf makecache,,400",
"dnf-makecache.timer,dnf makecache --timer,,300",
"mcelog.service,Machine Check Exception Logging Daemon,,200",
"docker.service,Docker Application Container Engine,,1100",
"docker.service,Docker Application Container Engine,,1200",
"docker.service,Docker Application Container Engine,,1300",
@ -106,6 +110,7 @@ WHERE
"fprintd.service,Fingerprint Authentication Daemon,,800",
"fprintd.service,Fingerprint Authentication Daemon,,900",
"fstrim.timer,Discard unused blocks once a week,,200",
"fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,400",
"fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,400",
"fwupd-refresh.timer,Refresh fwupd metadata regularly,,100",
"fwupd.service,Firmware update daemon,,600",
@ -343,6 +348,7 @@ WHERE
"zfs-volumes.target,ZFS volumes are ready,,100",
"zfs-zed.service,ZFS Event Daemon (zed),,200",
"zfs.target,ZFS startup target,,0",
"znapzend.service,ZnapZend - ZFS Backup System,root,1700",
"zpool-trim.timer,zpool-trim.timer,,0"
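Review bot: The inserted entries break the alphabetical order the rest of this allowlist keeps: `archlinux-keyring-wkd-sync.service` (L696), `zfs-scrub.service` (L702), `iio-sensor-proxy.service` (L705) and `mcelog.service` (L708) all land inside the `d*` run. A sorted list is what makes near-duplicates such as the three `docker.service` entries visible and lets a reviewer spot a stale or missing unit, so moving each new line to its sorted position costs nothing. `znapzend.service,ZnapZend - ZFS Backup System,root,1700` (L724) is also the only entry here that populates the third field, so a one-line comment at the top of the list naming the fields (the first three appear to be unit, description and user; the fourth is not explained in the hunk) would help future additions. The enclosing WHERE clause starts outside the hunk.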
)