Fix vpl, kolide exceptions, increase timeouts for yara

This commit is contained in:
Thomas Stromberg 2023-10-02 11:45:27 -04:00
parent 5f2680ca8b
commit 42c0a15e2a
3 changed files with 21 additions and 19 deletions


@ -23,7 +23,7 @@ out/odk-detection-evasion.conf: out/osqtool-$(ARCH) $(wildcard detection/evasion
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion
out/odk-detection-execution.conf: out/osqtool-$(ARCH) $(wildcard detection/execution/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=8s --verify -output out/odk-detection-execution.conf pack detection/execution
./out/osqtool-$(ARCH) --max-query-duration=16s --verify -output out/odk-detection-execution.conf pack detection/execution
out/odk-detection-exfil.conf: out/osqtool-$(ARCH) $(wildcard detection/exfil/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-exfil.conf pack detection/exfil
@ -47,7 +47,7 @@ out/odk-vulnerabilities.conf: out/osqtool-$(ARCH) $(wildcard vulnerabilities/*.
./out/osqtool-$(ARCH) --output out/odk-vulnerabilities.conf pack vulnerabilities/
out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/
./out/osqtool-$(ARCH) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/
# A privacy-aware variation of IR rules
out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
@ -101,7 +101,7 @@ verify-ci: ./out/osqtool-$(ARCH)
verify: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
all: out/odk-packs.zip
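Review bot: The 16s per-query budget is now a bare literal in two places — the `out/odk-detection-execution.conf` pack recipe and the `verify detection` recipe line — with nothing recording why it grew (reading the duplicated lines as old then new, from 8s and 12s respectively), so the two values can silently drift apart again. Hoisting it once, `DETECTION_MAX_QUERY_DURATION := 16s  # yara-backed detection queries need a longer per-query budget`, and using `--max-query-duration=$(DETECTION_MAX_QUERY_DURATION)` in both recipes keeps the pack and the verify run aligned. The intent comment should name the yara queries the commit title refers to, since a longer budget also raises the CPU time each endpoint is allowed to spend on those scans. The `incident_response` hunk prints two identical lines, so whatever changed there is not visible on this page.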


@ -33,7 +33,6 @@ WHERE
'/etc/alternatives',
'/etc/apcupsd',
'/etc/apm/resume.d',
'/etc/vmware-tools/scripts/vmware',
'/etc/apm/scripts.d',
'/etc/apm/suspend.d',
'/etc/avahi',
@ -42,10 +41,10 @@ WHERE
'/etc/ca-certificates/update.d',
'/etc/chromium/native-messaging-hosts',
'/etc/cifs-utils',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/console-setup',
'/etc/cron.daily',
'/etc/cron.hourly',
'/etc/mc',
'/etc/cron.monthly',
'/etc/cron.weekly',
'/etc/dhcp/dhclient.d',
@ -80,8 +79,13 @@ WHERE
'/etc/kernel/prerm.d',
'/etc/lightdm',
'/etc/localtime',
'/etc/mc',
'/etc/mcelog/triggers',
'/etc/menu-methods',
'/etc/needrestart/hook.d',
'/etc/needrestart/notify.d',
'/etc/needrestart/restart.d',
'/etc/network',
'/etc/network/if-down.d',
'/etc/network/if-post-down.d',
'/etc/network/if-pre-up.d',
@ -93,8 +97,8 @@ WHERE
'/etc/periodic/daily',
'/etc/periodic/monthly',
'/etc/periodic/weekly',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/pinentry',
'/etc/pki/tls/misc',
'/etc/pm/sleep.d',
'/etc/pop-os/update-motd.d',
'/etc/ppp',
@ -122,24 +126,20 @@ WHERE
'/etc/rdnssd',
'/etc/redhat-lsb',
'/etc/resolvconf/update.d',
'/etc/needrestart/notify.d',
'/etc/needrestart/hook.d',
'/etc/needrestart/restart.d',
'/etc/sysconfig/network-scripts',
'/etc/security',
'/etc/skel',
'/etc/network',
'/etc/pki/tls/misc',
'/etc/smartmontools',
'/etc/ssl/certs',
'/etc/ssl/misc',
'/etc/ssl/trust-source',
'/etc/sysconfig/network-scripts',
'/etc/systemd/system',
'/etc/systemd/system/graphical.target.wants',
'/etc/systemd/system-shutdown',
'/etc/udev/rules.d',
'/etc/update-motd.d',
'/etc/vmware-tools',
'/etc/vmware-tools/scripts/vmware',
'/etc/vpnc',
'/etc/wpa_supplicant',
'/etc/X11',
@ -165,6 +165,7 @@ WHERE
'/etc/pwrstatd.conf',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/modulefiles/vpl',
'/etc/rmt',
'/etc/shutdown.sh',
'/etc/sudoers.d/lima',
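Review bot: `'/etc/modulefiles/vpl'` is inserted between `/etc/qemu-ifup` and `/etc/rmt`, which breaks the alphabetical order the rest of this commit is restoring (the `/etc/mc`, `/etc/network`, `/etc/needrestart/*` and `/etc/vmware-tools/scripts/vmware` entries are all moved into sorted position); it belongs among the `/etc/m*` entries. If `/etc/cloud/clean.d/99-installer-use-networkmanager` between `/etc/periodic/weekly` and `/etc/pinentry` is its new location, it looks misplaced for the same reason. A one-line comment on the new entry saying what installs `vpl` would let a later reviewer judge whether the exception is still warranted, e.g. `-- /etc/modulefiles/vpl: <what creates it>`. The `NOT IN (` list these hunks sit in opens and closes outside the visible hunks.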


@ -84,10 +84,10 @@ WHERE
AND p0.path NOT LIKE '%/chrome_crashpad_handler'
AND p0.path NOT LIKE '/nix/store/%/bin/%'
AND p0.path NOT LIKE '/nix/store/%/libexec/%'
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
AND p0.path NOT IN (
'/bin/fish',
'/usr/bin/NetworkManager',
'/usr/bin/Xwayland',
'/usr/bin/sudo',
'/usr/bin/bash',
'/usr/bin/containerd-shim-runc-v2',
'/usr/bin/docker-proxy',
@ -96,22 +96,23 @@ WHERE
'/usr/bin/gpg-agent',
'/usr/bin/ibus-daemon',
'/usr/bin/make',
'/usr/bin/NetworkManager',
'/usr/bin/nvidia-persistenced',
'/usr/bin/pulseaudio',
'/usr/bin/udevadm',
'/usr/bin/update-notifier',
'/usr/bin/Xwayland',
'/usr/lib/bluetooth/bluetoothd',
'/usr/lib/bluetooth/obexd',
'/usr/lib/systemd/systemd',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-machined',
'/usr/libexec/accounts-daemon',
'/usr/libexec/bluetooth/bluetoothd',
'/usr/libexec/bluetooth/obexd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/libexec/xdg-desktop-portal',
'/usr/lib/systemd/systemd',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-machined',
'/usr/local/kolide-k2/bin/launcher',
'/usr/sbin/NetworkManager',
'/usr/sbin/acpid',
'/usr/sbin/auditd',
'/usr/sbin/cron',
@ -119,7 +120,7 @@ WHERE
'/usr/sbin/gdm',
'/usr/sbin/gssproxy',
'/usr/sbin/mcelog',
'/usr/sbin/NetworkManager',
'/usr/sbin/rsyslogd',
'/usr/sbin/smartd'
)
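Review bot: The new `AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'` exclusion is wider than the versioned update directories it presumably targets: `%` in LIKE also matches `/`, so any depth and name of intermediate directories under `launcher-updates/` satisfies it, not just one version directory. If the update directories are version-named, `AND p0.path NOT GLOB '/usr/local/kolide-k2/bin/launcher-updates/[0-9]*/launcher'` at least pins the first path component to a digit-led name (GLOB's `*` still spans slashes, so it is a narrowing, not a full fix). A short comment above the line describing the expected `launcher-updates/<version>/launcher` layout would make the intended scope checkable the next time this list is revisited. The WHERE clause this hunk belongs to starts before the hunk; only the closing `)` of the `NOT IN` list is visible at its end.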