RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-23 05:43:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add k3s /dev/kmsg exception, add parent info

Browse Source
This commit is contained in:
Thomas Stromberg 2022-12-20 07:51:29 -05:00
parent 06e5d15e72
commit 350b0d8970
Failed to extract signature
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
detection/credentials/unexpected-dev-opener-linux.sql
View File

@ -14,6 +14,8 @@ SELECT
p.path AS program, p.path AS program,
p.name AS program_name, p.name AS program_name,
p.cmdline AS cmdline, p.cmdline AS cmdline,
pp.cmdline AS parent_cmdline,
gp.cmdline AS gparent_cmdline,
hash.sha256, hash.sha256,
CONCAT ( CONCAT (
IIF( IIF(
@ -61,6 +63,8 @@ SELECT
FROM FROM
process_open_files pof process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid LEFT JOIN processes p ON pof.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN processes gp ON pp.parent = gp.pid
LEFT JOIN hash ON hash.path = p.path LEFT JOIN hash ON hash.path = p.path
WHERE WHERE
pof.path LIKE '/dev/%' pof.path LIKE '/dev/%'
@ -115,6 +119,7 @@ WHERE
'/dev/shm,Brackets', '/dev/shm,Brackets',
'/dev/shm,chrome', '/dev/shm,chrome',
'/dev/shm,code', '/dev/shm,code',
'/dev/kmsg,k3s',
'/dev/shm,electron', '/dev/shm,electron',
'/dev/shm,firefox', '/dev/shm,firefox',
'/dev/shm,gopls', '/dev/shm,gopls',