fpr: tilt, electron, cilium, write/read improvements
This commit is contained in:
parent
cc45f9b3c3
commit
570c36dc71
@ -206,6 +206,7 @@ WHERE protocol IN (6, 17)
|
|||||||
'500,python3.11,0u,0g,protonvpn',
|
'500,python3.11,0u,0g,protonvpn',
|
||||||
'500,python3.11,0u,0g,prowler',
|
'500,python3.11,0u,0g,prowler',
|
||||||
'500,python3,500u,500g,python3',
|
'500,python3,500u,500g,python3',
|
||||||
|
'500,cilium,500u,123g,cilium',
|
||||||
'500,python.test,500u,500g,python.test',
|
'500,python.test,500u,500g,python.test',
|
||||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||||
'500,reporter-ureport,0u,0g,reporter-urepor',
|
'500,reporter-ureport,0u,0g,reporter-urepor',
|
||||||
|
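Review bot: The new `'500,cilium,500u,123g,cilium'` key is inserted between the `python3` and `python.test` entries, breaking the alphabetical order the surrounding list otherwise keeps (protonvpn, prowler, python3, python.test, qemu…), which makes duplicate and stale exceptions harder to spot on later review; move it up with the other `c` entries. The key also carries `123g` next to `500u`, which stands out against the neighbouring `0u,0g` and `500u,500g` pairs — if those fields are uid/gid as they appear to be, a one-line comment recording where the gid 123 value was observed would let the next reader confirm it is intentional rather than a typo. The enclosing exception list starts and ends outside the hunk.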
@ -191,6 +191,7 @@ WHERE
|
|||||||
'443,6,500,chainctl,chainctl,',
|
'443,6,500,chainctl,chainctl,',
|
||||||
'443,6,500,chainctl_darwin_arm64,a.out,',
|
'443,6,500,chainctl_darwin_arm64,a.out,',
|
||||||
'443,6,500,chainctl_Darwin_arm64,a.out,',
|
'443,6,500,chainctl_Darwin_arm64,a.out,',
|
||||||
|
'443,6,500,cilium,,',
|
||||||
'443,6,500,civo,a.out,',
|
'443,6,500,civo,a.out,',
|
||||||
'443,6,500,cloud_sql_proxy,a.out,',
|
'443,6,500,cloud_sql_proxy,a.out,',
|
||||||
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||||
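Review bot: `'443,6,500,cilium,,'` exempts outbound 443/TCP for any process named `cilium` with both the trailing bundle-identifier and signature fields left empty, so the match rests on the process name alone; the adjacent `'443,6,500,civo,a.out,'` at least carries a value in the bundle position. If the binary is an unsigned build and that is the expected shape, a comment such as `-- cilium CLI ships unsigned; name-only match accepted` would document why the weaker key was chosen, so a later reviewer does not have to rediscover it. The list continues past both edges of the hunk.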
@ -325,6 +326,7 @@ WHERE
|
|||||||
'80,6,500,webhook.test,a.out,',
|
'80,6,500,webhook.test,a.out,',
|
||||||
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
||||||
'9418,6,500,git,com.apple.git,Software Signing'
|
'9418,6,500,git,com.apple.git,Software Signing'
|
||||||
|
|
||||||
)
|
)
|
||||||
AND NOT exception_key LIKE '443,6,500,java,com.oracle.java.%.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'
|
AND NOT exception_key LIKE '443,6,500,java,com.oracle.java.%.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'
|
||||||
AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'
|
AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'
|
||||||
|
@ -48,7 +48,7 @@ FROM
|
|||||||
WHERE
|
WHERE
|
||||||
-- On my Linux machine, creating a gzip archive clocks in at 6780210
|
-- On my Linux machine, creating a gzip archive clocks in at 6780210
|
||||||
bytes_written_rate > 4000000
|
bytes_written_rate > 4000000
|
||||||
AND age > 60
|
AND age > 180
|
||||||
AND p0.pid > 2
|
AND p0.pid > 2
|
||||||
AND p0.path NOT IN (
|
AND p0.path NOT IN (
|
||||||
'/bin/bash',
|
'/bin/bash',
|
||||||
|
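Review bot: Raising `AND age > 60` to `AND age > 180` means a process that sustains more than 4,000,000 bytes/s of writes but exits within three minutes is never reported, which is the profile of a quick archive-and-stage job; the same change appears in the read-rate hunk at `@ -47,8 +47,8 @@`. The commit title only says "write/read improvements", so the new threshold carries no rationale in the file; a comment beside it, for example `-- age > 180: skip short-lived builds/installers that burst writes; widens the blind spot for brief bulk writers`, would record the trade-off and the unit of `age`, which is computed outside this hunk. The surrounding WHERE clause begins before and continues after the hunk.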
@ -56,6 +56,7 @@ WHERE
|
|||||||
',,/Applications/IntelliJ%20IDEA.app/,',
|
',,/Applications/IntelliJ%20IDEA.app/,',
|
||||||
',,/Applications/ProtonMail%20Bridge.app/,',
|
',,/Applications/ProtonMail%20Bridge.app/,',
|
||||||
',,/Applications/Visual%20Studio%20Code.app/,',
|
',,/Applications/Visual%20Studio%20Code.app/,',
|
||||||
|
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
|
||||||
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
|
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
|
||||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
|
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
|
||||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
||||||
|
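Review bot: The new Voicemod entry ends in `,0` whereas the comparable signed-app entries (`...Sketch.app/,501`) end in `501`; if that trailing field is the uid as the Sketch rows suggest, this exempts a third-party application running as root, which deserves either confirmation or a comment like `-- Voicemod runs a root helper; uid 0 is expected`. It is also inserted between `Visual%20Studio%20Code.app/` and `.../Code%20Helper.app/`, splitting two related entries and breaking the list's order; place it after the Sketch entries (or wherever `Voicemod` sorts) instead. The exception list begins and ends outside the hunk.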
@ -54,6 +54,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
|
|||||||
AND (
|
AND (
|
||||||
file.path LIKE '%/go-build%'
|
file.path LIKE '%/go-build%'
|
||||||
OR file.path LIKE '%/bin/%'
|
OR file.path LIKE '%/bin/%'
|
||||||
|
OR file.path LIKE '/tmp/%ctl'
|
||||||
OR file.path LIKE '%/CCLBS/%'
|
OR file.path LIKE '%/CCLBS/%'
|
||||||
OR file.path LIKE '%/checkout/%'
|
OR file.path LIKE '%/checkout/%'
|
||||||
OR file.path LIKE '%/ci/%'
|
OR file.path LIKE '%/ci/%'
|
||||||
|
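Review bot: `OR file.path LIKE '/tmp/%ctl'` is a broad pattern: in SQLite `%` also matches `/`, so it covers any file at any depth under `/tmp` whose name ends in `ctl`, and `LIKE` is case-insensitive for ASCII by default, so `CTL` matches as well. Because `/tmp` is world-writable that is a wide carve-out; whether this condition group narrows the files scanned or exempts them is not visible in the hunk, but either way the pattern would be safer anchored to a fixed name prefix after `/tmp/` with a comment naming the tool it is meant for. The enclosing `AND (` group opens before the hunk and closes after it.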
@ -83,6 +83,7 @@ WHERE
|
|||||||
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
|
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
|
||||||
'/Library/PrivilegedHelperTools',
|
'/Library/PrivilegedHelperTools',
|
||||||
'/Library/TeX/texbin',
|
'/Library/TeX/texbin',
|
||||||
|
'/usr/local/aws-cli',
|
||||||
'/nix/store',
|
'/nix/store',
|
||||||
'/nix/var/nix/profiles/default/bin',
|
'/nix/var/nix/profiles/default/bin',
|
||||||
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
|
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
|
||||||
|
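Review bot: `'/usr/local/aws-cli'` lands between `/Library/TeX/texbin` and `/nix/store`, out of the order the list otherwise keeps (`/Library/...`, `/nix/...`, `/opt/...`); move it after the `/opt/homebrew` entry so any `/usr/local` entries stay together and duplicates are easy to spot. Whether the comparison is an exact directory match or a prefix is decided outside the hunk; if it is a prefix, a comment noting that the whole aws-cli install tree is covered would be worth adding. The list starts and ends outside the hunk.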
@ -47,8 +47,8 @@ FROM
|
|||||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||||
WHERE
|
WHERE
|
||||||
-- On my Linux machine, tarring up a home directory clocks in at 2,800,000 - 4,986,722
|
-- On my Linux machine, tarring up a home directory clocks in at 2,800,000 - 4,986,722
|
||||||
bytes_read_rate > 2250000
|
bytes_read_rate > 2500000
|
||||||
AND age > 60
|
AND age > 180
|
||||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
|
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
|
||||||
AND p0.path NOT LIKE '/System/Library/%'
|
AND p0.path NOT LIKE '/System/Library/%'
|
||||||
AND p0.path NOT LIKE '/System/Applications/%'
|
AND p0.path NOT LIKE '/System/Applications/%'
|
||||||
@ -65,6 +65,7 @@ WHERE
|
|||||||
'com.apple.NRD.UpdateBrainService',
|
'com.apple.NRD.UpdateBrainService',
|
||||||
'docker',
|
'docker',
|
||||||
'emacs',
|
'emacs',
|
||||||
|
'electron',
|
||||||
'firefox',
|
'firefox',
|
||||||
'osqueryi',
|
'osqueryi',
|
||||||
'fish',
|
'fish',
|
||||||
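Review bot: `'electron'` is a bare process-name exception, and Electron is a runtime rather than one application, so this exempts every Electron-based app and anything that adopts the name; the same applies to `'tilt'` added in the following hunk at `@ -87,6 +88,7 @@`. A comment recording which application produced the hits (`-- electron: <app name> dev builds launch an unbundled electron binary`) would let a future reviewer judge whether a narrower key (path or signature) is possible. Both lists begin and end outside their hunks.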
@ -87,6 +88,7 @@ WHERE
|
|||||||
'nessusd',
|
'nessusd',
|
||||||
'melange',
|
'melange',
|
||||||
'nix',
|
'nix',
|
||||||
|
'tilt',
|
||||||
'nix-daemon',
|
'nix-daemon',
|
||||||
'nvim',
|
'nvim',
|
||||||
'osqueryd',
|
'osqueryd',
|
||||||
|
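Review bot: `'tilt'` is inserted between `'nix'` and `'nix-daemon'`, splitting the two nix entries; even though this list is not strictly sorted (`nessusd` precedes `melange`), keeping related names adjacent and new entries in order makes duplicate and stale exceptions easier to catch. Move it after `'osqueryd'` or into alphabetical position. The list continues beyond both edges of the hunk.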
@ -1,6 +1,6 @@
|
|||||||
-- Currently running programs, only the columns that are not constantly changing
|
-- Currently running programs, only the columns that are not constantly changing
|
||||||
--
|
--
|
||||||
-- tags: postmortem
|
-- tags: postmortem often
|
||||||
-- platform: posix
|
-- platform: posix
|
||||||
SELECT
|
SELECT
|
||||||
pid,
|
pid,
|
||||||
|
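Review bot: The header change from `-- tags: postmortem` to `-- tags: postmortem often` is not mentioned in the commit title, and if the `often` tag drives how frequently this full process inventory is scheduled, it changes the query's run rate and result volume; a short note on the expected interval would help. The visible header lines carry no explanation of the tag vocabulary, so if `often` has a defined interval, state it in the `--` comment. The SELECT continues past the hunk.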