Merge pull request #319 from tstromberg/fpr-sep21

Address issues which kept some Linux alerts from firing
This commit is contained in:
Thomas Strömberg 2023-09-25 08:26:09 -04:00 committed by GitHub
commit 417b0a6408
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 5 deletions

View File

@ -47,7 +47,10 @@ WHERE
file.uid = 1000
AND file.gid = 1000
AND file.mode = '0700'
AND magic.data = 'data'
AND (
magic.data IS NULL
OR magic.data = 'data'
)
AND file.path LIKE '/dev/shm/pulse-shm-%'
AND file.size > 60000000
) -- Seen with Steam
@ -57,7 +60,8 @@ WHERE
AND file.mode IN ('0755', '0775')
AND file.path LIKE '/dev/shm/u1000-Shm_%'
AND (
magic.data NOT LIKE "%executable%"
magic.data IS NULL
OR magic.data NOT LIKE "%executable%"
OR magic.data IN (
'data',
'Applesoft BASIC program data, first line number 86',

View File

@ -54,5 +54,8 @@ WHERE
'/var/run/lima-boot-done',
'/var/run/lima-ssh-ready'
)
AND magic.data NOT IN ('JSON data')
AND (
magic.data IS NULL
OR magic.data != 'JSON data'
)
AND file.size > 10

View File

@ -5,7 +5,8 @@
--
-- tags: transient process state
-- platform: linux
SELECT -- Child
SELECT
-- Child
p0.pid AS p0_pid,
p0.cgroup_path AS p0_cgroup,
p0.path AS p0_path,
@ -66,7 +67,7 @@ WHERE
AND INSTR(path, "/app/") != 1
AND INSTR(path, "/ko-app") != 1
AND INSTR(path, "/usr/share/teams/") != 1
AND INSTR(path, "/.terraform/") > 0
AND path NOT LIKE "%/.terraform%"
AND NOT path LIKE '/tmp/%/osqtool'
AND NOT path LIKE '/tmp/GoLand/___go_build_%_go'
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'