From 350b0d897071ffaec66388c7b64aa5902752c33c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 20 Dec 2022 07:51:29 -0500
Subject: [PATCH] Add k3s /dev/kmsg exception, add parent info

---
 detection/credentials/unexpected-dev-opener-linux.sql | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 2c4ab5a..0530500 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -14,6 +14,8 @@ SELECT
   p.path AS program,
   p.name AS program_name,
   p.cmdline AS cmdline,
+  pp.cmdline AS parent_cmdline,
+  gp.cmdline AS gparent_cmdline,
   hash.sha256,
   CONCAT (
     IIF(
@@ -61,6 +63,8 @@ SELECT
 FROM
   process_open_files pof
   LEFT JOIN processes p ON pof.pid = p.pid
+  LEFT JOIN processes pp ON p.parent = pp.pid
+  LEFT JOIN processes gp ON pp.parent = gp.pid
   LEFT JOIN hash ON hash.path = p.path
 WHERE
   pof.path LIKE '/dev/%'
@@ -115,6 +119,7 @@ WHERE
     '/dev/shm,Brackets',
     '/dev/shm,chrome',
     '/dev/shm,code',
+    '/dev/kmsg,k3s',
     '/dev/shm,electron',
     '/dev/shm,firefox',
     '/dev/shm,gopls',
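Review bot: `gparent_cmdline` is an opaque abbreviation sitting next to the fully spelled `parent_cmdline`; name it `grandparent_cmdline` so the column reads unambiguously in alert output and in any downstream rule that keys on it. Both new columns come from LEFT JOINs on `processes` (added in the second hunk), so they are NULL whenever the ancestor has already exited or the parent pid does not resolve; a one-line comment above the pair, `-- ancestor cmdlines; NULL when the parent/grandparent no longer exists`, would make that explicit for whoever reads the alert. The enclosing SELECT list starts and ends outside this hunk.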
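Review bot: The ancestor joins `p.parent = pp.pid` and `pp.parent = gp.pid` resolve by pid alone, so when the real parent has exited and its pid has been reused the reported parent_cmdline belongs to an unrelated process; presumably that is acceptable for a display-only column, but a short comment such as `-- ancestor lookup by pid only; subject to pid reuse after the parent exits` keeps the next reader from treating it as verified lineage. Joining `processes` three times also presumably multiplies the cost of generating that table on hosts with many processes, which is worth checking against this query's schedule before it ships. The FROM clause continues outside the hunk.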
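Review bot: The new exception `'/dev/kmsg,k3s'` appears, like its neighbours, to be keyed on `pof.path` and `p.name`, and a process name is chosen by the process itself, so any process calling itself k3s would read /dev/kmsg without an alert; now that `parent_cmdline` is available, consider anchoring this exception on `p.path` or the parent instead, or documenting next to it why the name key is sufficient here. The list otherwise reads as sorted by program name, and `'/dev/kmsg,k3s'` is inserted between `code` and `electron`; moving it to where `k3s` sorts keeps the list scannable for the next person adding an entry. The WHERE clause and the IN list extend outside this hunk.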