Merge pull request #331 from tstromberg/fpr-oct25

fpr: rootlesskit, sshd, Fedora, Oracle Linux
Thomas Strömberg 2023-10-25 13:42:56 -04:00 committed by GitHub
commit 51baf32292
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 64 additions and 57 deletions


@ -120,7 +120,7 @@ WHERE
)
AND NOT (
magic.data IS NULL
AND file.size < 50000
AND f.size < 50000
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/%/shims'
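Review bot: The switch from `file.size` to `f.size` reads as a fix for a reference to an alias that does not exist, yet the surrounding exemption — any row where `magic.data IS NULL` and the file is under 50000 bytes is skipped entirely — is the widest hole in this condition and carries no explanation. A comment above the block, e.g. `-- small files with no libmagic result are too noisy to flag; 50000 is a tuning threshold`, would tell the next reader that the gap is deliberate. If the old alias made the statement fail at run time, this query presumably produced nothing before the fix, so its other clauses are worth re-checking now that it executes. The enclosing WHERE clause begins before and ends after this hunk.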


@ -40,26 +40,15 @@ WHERE
)
AND (
exception_key IN (
'-.slice,Root Slice,',
'cups-browsed.service,Make remote CUPS printers available locally,cups-browsed',
'ModemManager.service,Modem Manager,root',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'NetworkManager.service,Network Manager,',
'abrtd.service,ABRT Automated Bug Reporting Tool,',
'abrtd.service,ABRT Daemon,',
'abrt-journal-core.service,ABRT coredumpctl message creator,',
'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,',
'abrt-oops.service,ABRT kernel log watcher,',
'abrt-xorg.service,ABRT Xorg log watcher,',
'swap.img.swap,/swap.img,',
'abrtd.service,ABRT Automated Bug Reporting Tool,',
'abrtd.service,ABRT Daemon,',
'accounts-daemon.service,Accounts Service,',
'acpid.path,ACPI Events Check,',
'acpid.service,ACPI Daemon,',
'serial-getty@hvc0.service,Serial Getty on hvc0,',
'ssh.socket,OpenBSD Secure Shell server socket,',
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
'acpid.service,ACPI event daemon,',
'acpid.socket,ACPID Listen Socket,',
'akmods.service,Builds and install new kmods from akmod packages,',
@ -72,24 +61,24 @@ WHERE
'apparmor.service,Load AppArmor profiles,',
'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
'apport.service,automatic crash report generation,',
'apport.service,LSB: automatic crash report generation,',
'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,',
'apt-daily.service,Daily apt download activities,',
'apt-daily.timer,Daily apt download activities,',
'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,',
'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,',
'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
'atd.service,Deferred execution scheduler,',
'audit.service,Kernel Auditing,',
'auditd.service,Security Auditing Service,',
'audit.service,Kernel Auditing,',
'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,',
'apport.service,automatic crash report generation,',
'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
'binfmt-support.service,Enable support for additional executable binary formats,',
'blk-availability.service,Availability of block devices,',
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'chrony.service,chrony, an NTP client/server',
'chronyd.service,NTP client/server,',
'chrony.service,chrony, an NTP client/server',
'cloud-config.service,Apply the settings specified in cloud-config,',
'cloud-final.service,Execute cloud user/final scripts,',
'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,',
@ -100,20 +89,20 @@ WHERE
'com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,',
'console-setup.service,Set console font and keymap,',
'containerd.service,containerd container runtime,',
'cron.service,Regular background program processing daemon,',
'crond.service,Command Scheduler,',
'cronie.service,Periodic Command Scheduler,',
'cron.service,Regular background program processing daemon,',
'cups-browsed.service,Make remote CUPS printers available locally,',
'cups-browsed.service,Make remote CUPS printers available locally,cups-browsed',
'cups.path,CUPS Scheduler,',
'cups.service,CUPS Scheduler,',
'cups.socket,CUPS Scheduler,',
'dbus-:1.2-org.pop_os.transition_system@0.service,dbus-:1.2-org.pop_os.transition_system@0.service,0',
'dbus-broker.service,D-Bus System Message Bus,',
'dbus.service,D-Bus System Message Bus,',
'display-manager.service,Display Manager,',
'systemd-tmpfiles-setup-dev-early.service,Create Static Device Nodes in /dev gracefully,',
'dbus.socket,D-Bus System Message Bus Socket,',
'dhcpcd.service,DHCP Client,',
'display-manager.service,Display Manager,',
'display-manager.service,X11 Server,',
'dkms.service,Builds and install new kernel modules through DKMS,',
'dm-event.socket,Device-mapper event daemon FIFOs,',
@ -127,8 +116,8 @@ WHERE
'dracut-shutdown.service,Restore /run/initramfs on shutdown,',
'e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,',
'finalrd.service,Create final runtime dir for shutdown pivot root,',
'firewall.service,Firewall,',
'firewalld.service,firewalld - dynamic firewall daemon,',
'firewall.service,Firewall,',
'flatpak-system-helper.service,flatpak system helper,',
'fprintd.service,Fingerprint Authentication Daemon,',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,',
@ -155,6 +144,7 @@ WHERE
'kmod-static-nodes.service,Create list of static device nodes for the current kernel,',
'kolide-launcher.service,Kolide launcher,',
'launcher.kolide-k2.service,The Kolide Launcher,',
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'ldconfig.service,Rebuild Dynamic Linker Cache,',
'libvirtd-admin.socket,Libvirt admin socket,',
'libvirtd-ro.socket,Libvirt local read-only socket,',
@ -164,8 +154,8 @@ WHERE
'lima-guestagent.service,lima-guestagent,',
'livesys-late.service,SYSV: Late init script for live image.,',
'livesys.service,LSB: Init script for live image.,',
'lm-sensors.service,Initialize hardware monitoring sensors,',
'lm_sensors.service,Hardware Monitoring Sensors,',
'lm-sensors.service,Initialize hardware monitoring sensors,',
'lm_sensors.service,Initialize hardware monitoring sensors,',
'logrotate-checkconf.service,Logrotate configuration check,',
'logrotate.timer,Daily rotation of log files,',
@ -178,6 +168,7 @@ WHERE
'man-db.timer,Daily man-db regeneration,',
'mcelog.service,Machine Check Exception Logging Daemon,',
'mlocate-updatedb.timer,Updates mlocate database every day,',
'ModemManager.service,Modem Manager,root',
'modprobe@efi_pstore.service,Load Kernel Module efi_pstore,',
'modprobe@pstore_blk.service,Load Kernel Module pstore_blk,',
'modprobe@pstore_zone.service,Load Kernel Module pstore_zone,',
@ -189,16 +180,20 @@ WHERE
'multipathd.socket,multipathd control socket,',
'nessusd.service,The Nessus Vulnerability Scanner,',
'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,',
'network-local-commands.service,Extra networking commands.,',
'network-setup.service,Networking Setup,',
'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,',
'networking.service,Raise network interfaces,',
'network-local-commands.service,Extra networking commands.,',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,',
'NetworkManager.service,Network Manager,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'network-setup.service,Networking Setup,',
'nginx.service,Nginx Web Server,nginx',
'nis-domainname.service,Read and set NIS domainname from /etc/sysconfig/network,',
'nix-daemon.service,Nix Daemon,',
'nix-daemon.socket,Nix Daemon Socket,',
'nix-gc.timer,nix-gc.timer,',
'nscd.service,Name Service Cache Daemon (nsncd),nscd',
'nscd.service,Name Service Cache Daemon,nscd',
'nscd.service,Name Service Cache Daemon (nsncd),nscd',
'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,',
'nvidia-persistenced.service,NVIDIA Persistence Daemon,',
'nvidia-powerd.service,nvidia-powerd service,',
@ -212,8 +207,8 @@ WHERE
'phpsessionclean.timer,Clean PHP session files every 30 mins,',
'plocate-updatedb.service,Update the plocate database,',
'plocate-updatedb.timer,Update the plocate database daily,',
'plymouth-quit-wait.service,Hold until boot process finishes up,',
'plymouth-quit.service,Terminate Plymouth Boot Screen,',
'plymouth-quit-wait.service,Hold until boot process finishes up,',
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
'plymouth-start.service,Show Plymouth Boot Screen,',
'polkit.service,Authorization Manager,',
@ -236,32 +231,36 @@ WHERE
'rsyslog.service,System Logging Service,',
'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,',
'sddm.service,Simple Desktop Display Manager,',
'serial-getty@hvc0.service,Serial Getty on hvc0,',
'serial-getty@ttyAMA0.service,Serial Getty on ttyAMA0,',
'serial-getty@ttyS0.service,Serial Getty on ttyS0,',
'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot',
'setvtrgb.service,Set console scheme,',
'shadow.service,Verify integrity of password and group files,',
'shadow.timer,Daily verification of password and group files,',
'-.slice,Root Slice,',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,',
'snapd.seeded.service,Wait until snapd is fully seeded,',
'snapd.service,Snap Daemon,',
'snapd.socket,Socket activation for snappy daemon,',
'ssh.service,OpenBSD Secure Shell server,',
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
'sshd.service,OpenSSH Daemon,',
'sshd.service,OpenSSH server daemon,',
'sshd.service,SSH Daemon,',
'ssh.service,OpenBSD Secure Shell server,',
'ssh.socket,OpenBSD Secure Shell server socket,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,',
'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
'supergfxd.service,SUPERGFX,',
'swap.img.swap,/swap.img,',
'switcheroo-control.service,Switcheroo Control Proxy service,',
'syslog.socket,Syslog Socket,',
'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
'sysstat.service,Resets System Activity Logs,root',
'system.slice,System Slice,',
'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
@ -272,8 +271,8 @@ WHERE
'systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,',
'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,',
'systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,',
'systemd-fsck-root.service,File System Check on Root Device,',
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
'systemd-fsck-root.service,File System Check on Root Device,',
'systemd-growfs@-.service,Grow File System on /,',
'systemd-homed-activate.service,Home Area Activation,',
'systemd-homed.service,Home Area Manager,',
@ -281,24 +280,25 @@ WHERE
'systemd-hwdb-update.service,Rebuild Hardware Database,',
'systemd-initctl.socket,initctl Compatibility Named Pipe,',
'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-journald-audit.socket,Journal Audit Socket,',
'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
'systemd-journald.service,Journal Service,',
'systemd-journald.socket,Journal Socket,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-localed.service,Locale Service,',
'systemd-logind.service,User Login Management,',
'systemd-machined.service,Virtual Machine and Container Registration Service,',
'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
'systemd-modules-load.service,Load Kernel Modules,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-networkd.service,Network Configuration,systemd-network',
'systemd-networkd.socket,Network Service Netlink Socket,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),',
'systemd-pcrphase.service,TPM2 PCR Barrier (User),',
'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),',
'systemd-random-seed.service,Load/Save OS Random Seed,',
'systemd-random-seed.service,Load/Save Random Seed,',
'systemd-remount-fs.service,Remount Root and Kernel File Systems,',
@ -310,21 +310,23 @@ WHERE
'systemd-timedated.service,Time & Date Service,',
'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync',
'systemd-tmpfiles-clean.timer,Daily Cleanup of Temporary Directories,',
'systemd-tmpfiles-setup-dev-early.service,Create Static Device Nodes in /dev gracefully,',
'systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,',
'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-udevd-control.socket,udev Control Socket,',
'systemd-udevd-kernel.socket,udev Kernel Socket,',
'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-update-done.service,Update is Completed,',
'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,',
'systemd-update-utmp.service,Update UTMP about System Boot/Shutdown,',
'systemd-user-sessions.service,Permit User Sessions,',
'systemd-userdbd.service,User Database Manager,',
'systemd-userdbd.socket,User Database Manager Socket,',
'systemd-user-sessions.service,Permit User Sessions,',
'systemd-vconsole-setup.service,Setup Virtual Console,',
'systemd-vconsole-setup.service,Virtual Console Setup,',
'system.slice,System Slice,',
'tailscaled.service,Tailscale node agent,',
'thermald.service,Thermal Daemon Service,',
'tlp.service,TLP system startup/shutdown,',
@ -334,9 +336,9 @@ WHERE
'ufw.service,Uncomplicated firewall,',
'unattended-upgrades.service,Unattended Upgrades Shutdown,',
'unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,',
'updatedb.timer,Daily locate database update,',
'update-notifier-download.timer,Download data for packages that failed at package install time,',
'update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,',
'updatedb.timer,Daily locate database update,',
'upower.service,Daemon for power management,',
'uresourced.service,User resource assignment daemon,',
'usbmuxd.service,Socket daemon for the usbmux protocol used by Apple devices,',
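Review bot: The entry `'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755'`, now sorted in next to `launcher.kolide-k2.service`, has six comma-separated fields while every other key in this list has the three-field shape that appears to be `unit,description,user`; a key built from this query's columns can never equal it, so it is dead weight here and looks pasted from a process-based exception list in another query. I would drop it from this file or move it to the query whose key it matches. The new `sshd.service` rows (`OpenSSH Daemon`, `OpenSSH server daemon`, `SSH Daemon`) are description variants of one unit and are fine, but with the list at this size a comment at its head stating the key format would help keep entries in the right file. The enclosing WHERE clause starts before this section and continues after it.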


@ -50,7 +50,6 @@ WHERE
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/HID-SENSOR-e..auto',
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
@ -67,12 +66,13 @@ WHERE
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu/microcode',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
'/dev/disk/by-diskseq',
'/dev/disk/by-dname',
'/dev/disk/by-id',
'/dev/disk/by-label',
'/dev/disk/by-partlabel',
@ -96,9 +96,11 @@ WHERE
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/hugepages/libvirt',
'/dev/hvc',
'/dev/hwrng',
'/dev/ic-',
'/dev/iio:device',
@ -114,18 +116,15 @@ WHERE
'/dev/kmsg',
'/dev/kvm',
'/dev/libmtp--',
'/dev/libmtp--.',
'/dev/log',
'/dev/loop',
'/dev/loop-control',
'/dev/lp',
'/dev/hvc',
'/dev/vportp',
'/dev/mapper/',
'/dev/mapper/control',
'/dev/mcelog',
'/dev/mmcblk',
'/dev/md',
'/dev/libmtp--.',
'/dev/md/',
'/dev/md/ssdraid',
'/dev/md/ssraid',
@ -133,6 +132,7 @@ WHERE
'/dev/mei',
'/dev/mem',
'/dev/midi',
'/dev/mmcblk',
'/dev/mqueue/',
'/dev/mtd',
'/dev/mtdro',
@ -143,11 +143,12 @@ WHERE
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvidiactl',
'/dev/nvme',
'/dev/nvme-fabrics',
'/dev/nvmen',
'/dev/nvmenp',
'/dev/nvram',
@ -197,9 +198,10 @@ WHERE
'/dev/tpmrm',
'/dev/tty',
'/dev/ttyACM',
'/dev/ttyAMA',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/ttyUSB',
'/dev/ttyprintk',
'/dev/ubuntu-vg/',
'/dev/udmabuf',
'/dev/uhid',
@ -221,14 +223,13 @@ WHERE
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vga_arbiter',
'/dev/vgubuntu/',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/disk/by-dname',
'/dev/vhost-net',
'/dev/vhost-vsock',
'/dev/video',
@ -236,6 +237,7 @@ WHERE
'/dev/vl/by-id',
'/dev/vl/by-path',
'/dev/vlloopback',
'/dev/vportp',
'/dev/watchdog',
'/dev/wmi/',
'/dev/wmi/dell-smbios',


@ -279,6 +279,7 @@ WHERE
)
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
p0.pid
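Review bot: `AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')` and `AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'` are both blanket exclusions — one drops every bash process from the result, the other every process in a docker-managed cgroup — and neither carries a reason; the header says one line was added and the rendered page does not show which. Whichever is new deserves a why-comment on the line above it, for instance `-- docker-%: container workloads are expected to trip this rule; handled elsewhere` if that is in fact the case, since a reader tuning the rule otherwise cannot tell a deliberate blind spot from an accidental one. If the exclusion was added for a single launcher, narrowing it with a parent or cmdline condition the query already uses would shrink the gap. The enclosing query starts outside the hunk.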


@ -85,14 +85,11 @@ WHERE
AND p0.path NOT LIKE '/nix/store/%/libexec/%'
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
AND p0.path NOT IN (
'/bin/fish',
'/usr/bin/nvim',
'/bin/bash',
'/usr/bin/sudo',
'/bin/containerd-shim-runc-v2',
'/bin/fish',
'/usr/bin/bash',
'/usr/bin/containerd-shim-runc-v2',
'/usr/libexec/flatpak-system-helper',
'/bin/containerd-shim-runc-v2',
'/usr/bin/docker-proxy',
'/usr/bin/fish',
'/usr/bin/gnome-software',
@ -101,7 +98,10 @@ WHERE
'/usr/bin/make',
'/usr/bin/NetworkManager',
'/usr/bin/nvidia-persistenced',
'/usr/bin/nvim',
'/usr/bin/pulseaudio',
'/usr/bin/sshd',
'/usr/bin/sudo',
'/usr/bin/udevadm',
'/usr/bin/update-notifier',
'/usr/bin/Xwayland',
@ -110,11 +110,13 @@ WHERE
'/usr/libexec/accounts-daemon',
'/usr/libexec/bluetooth/bluetoothd',
'/usr/libexec/bluetooth/obexd',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/sssd/sssd_kcm',
'/usr/libexec/xdg-desktop-portal',
'/usr/lib/systemd/systemd',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-machined',
'/usr/local/bin/rootlesskit',
'/usr/local/kolide-k2/bin/launcher',
'/usr/sbin/acpid',
'/usr/sbin/auditd',
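Review bot: `'/usr/local/bin/rootlesskit'` joins the kolide launcher as an exception under `/usr/local`, a tree that is not package-managed and is normally populated by hand or by an install script, so a path-only entry exempts whatever binary happens to sit at that name. If the query's columns allow it, tying the entry to another attribute the query already filters on (parent, cgroup or cmdline) would keep the exception bound to the rootless-docker setup rather than to a filename; at minimum a trailing comment such as `-- rootless docker; installed outside the package manager` records the intent. `'/usr/bin/sshd'` is the other addition and is reasonable on the assumption that the target distro ships sshd at that path rather than under `/usr/sbin`. The `p0.path NOT IN (` list likely continues past the end of this hunk.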