Add detectors for unexpected executables in strange places

2022-09-29 11:38:14 -04:00 · 2022-09-29 11:38:14 -04:00 · 49f2d5a579
parent 5b7858e3cf
commit 49f2d5a579
1 changed files with 2 additions and 0 deletions
--- a/fs/unexpected-tmp-executables.sql
+++ b/fs/unexpected-tmp-executables.sql
@ -70,3 +70,5 @@ WHERE
  AND NOT file.directory LIKE "/tmp/msu-target-%"
  -- I don't know man. I don't work here.
  AND NOT (file.path LIKE ("/tmp/%compressed") AND size < 4000 AND uid>500)
+  -- Executables too small to even hold "#!/bin/sh\nuid"
+  AND NOT (file.type = "regular" AND size < 10)