RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-21 20:46:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add new exceptions

Browse Source
This commit is contained in:
Thomas Stromberg 2022-09-26 18:08:21 -04:00
parent dfa5ed39e1
commit 4ca5233fe8
Failed to extract signature
1 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
process_events/unexpected-executable-directory-events-macos.sql
View File

@ -41,42 +41,45 @@ WHERE
"/usr/libexec",
"/usr/libexec/ApplicationFirewall",
"/usr/libexec/rosetta",
"/node_modules/.bin",
"/nix/var/nix/profiles/default/bin",
"/run/current-system/sw/bin",
"/usr/libexec/firmwarecheckers/eficheck",
"/usr/sbin",
"/usr/share/code"
)
AND dirname NOT LIKE "./%"
AND dirname NOT LIKE "/Applications/%.app/%"
AND dirname NOT LIKE "/etc/profiles/per-user/%/bin"
AND dirname NOT LIKE "/home/%"
AND dirname NOT LIKE "/Library/%/%.bundle/Contents/Helpers"
AND dirname NOT LIKE "/Library/%/Resources/%/Contents/MacOS"
AND dirname NOT LIKE "/Library/%/sbin" -- Nessus
AND dirname NOT LIKE "/Library/Apple/System/%"
AND dirname NOT LIKE "/Library/Application Support/%/Contents/MacOS"
AND dirname NOT LIKE "/Library/Application Support/Adobe/%"
AND dirname NOT LIKE "/Library/Audio/Plug-Ins/%/Contents/MacOS"
AND dirname NOT LIKE "/Library/CoreMediaIO/Plug-Ins/%"
AND dirname NOT LIKE "/Library/Developer/%"
AND dirname NOT LIKE "/Library/Developer/CommandLineTools/Library/%"
AND dirname NOT LIKE "/Library/Internet Plug-Ins/%/Contents/MacOS"
AND dirname NOT LIKE "/Library/Java/JavaVirtualMachines/%"
AND dirname NOT LIKE "/Library/SystemExtensions/%"
AND dirname NOT LIKE "/nix/store/%"
AND dirname NOT LIKE "/store/%/bin"
AND dirname NOT LIKE "/opt/%"
AND dirname NOT LIKE "/private/tmp/go-build%/exe"
AND dirname NOT LIKE "/private/tmp/nix-build-%"
AND dirname NOT LIKE "/etc/profiles/per-user/%/bin"
AND dirname NOT LIKE "/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS"
AND dirname NOT LIKE "/private/var/folders/%/bin"
AND dirname NOT LIKE "/private/var/folders/%/Contents/%"
AND dirname NOT LIKE "/private/var/folders/%/go-build%"
AND dirname NOT LIKE "/private/var/folders/%/GoLand"
AND dirname NOT LIKE "/snap/%"
AND dirname NOT LIKE "/store/%/bin"
AND dirname NOT LIKE "/System/%"
AND dirname NOT LIKE "/Users/%"
AND dirname NOT LIKE "/Library/%/%.bundle/Contents/Helpers"
AND dirname NOT LIKE "/Library/%/sbin" -- Nessus
AND dirname NOT LIKE "/Library/%/Resources/%/Contents/MacOS"
AND dirname NOT LIKE "/Library/Application Support/Adobe/%"
AND dirname NOT LIKE "/Library/Developer/CommandLineTools/Library/%"
AND dirname NOT LIKE "/usr/local/%"
AND dirname NOT LIKE "/usr/libexec/%"
AND dirname NOT LIKE "/usr/local/%"
-- Unexplained data issue
AND dirname NOT LIKE "../%"
AND p.path NOT IN (
@ -84,6 +87,7 @@ WHERE
"/usr/libexec/AssetCache/AssetCache",
"_build/krew/bin/git",
"/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2",
"/Library/DropboxHelperTools/DropboxHelperInstaller",
"/Library/PrivilegedHelperTools/com.adobe.ARMDC.Communicator",
"/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper",
"/Library/PrivilegedHelperTools/com.docker.vmnetd",