fpr: tilt, electron, cilium, write/read improvements
This commit is contained in:
parent
cc45f9b3c3
commit
570c36dc71
@ -206,6 +206,7 @@ WHERE protocol IN (6, 17)
|
||||
'500,python3.11,0u,0g,protonvpn',
|
||||
'500,python3.11,0u,0g,prowler',
|
||||
'500,python3,500u,500g,python3',
|
||||
'500,cilium,500u,123g,cilium',
|
||||
'500,python.test,500u,500g,python.test',
|
||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||
'500,reporter-ureport,0u,0g,reporter-urepor',
|
||||
|
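Review bot: The new `'500,cilium,500u,123g,cilium'` entry pins a `123g` value that looks like a host-specific group id rather than a stable one (the neighbouring entries use `0g` or `500g`), so the exception may silently stop matching on hosts where cilium runs under a different group and reopen the alert. A comment recording where that value was observed, e.g. `-- cilium: gid 123 seen on one dev host; widen or drop if the rule misfires elsewhere`, would make it reviewable later. The enclosing WHERE clause starts outside the hunk.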
@ -191,6 +191,7 @@ WHERE
|
||||
'443,6,500,chainctl,chainctl,',
|
||||
'443,6,500,chainctl_darwin_arm64,a.out,',
|
||||
'443,6,500,chainctl_Darwin_arm64,a.out,',
|
||||
'443,6,500,cilium,,',
|
||||
'443,6,500,civo,a.out,',
|
||||
'443,6,500,cloud_sql_proxy,a.out,',
|
||||
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
||||
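Review bot: The `'443,6,500,cilium,,'` key (the likely addition, given the commit title) exempts TCP/443 traffic for any process named cilium with both the bundle-id and signer fields empty, so it is a name-only exception. That is consistent with the other unsigned Linux entries in this list such as `'443,6,500,chainctl,chainctl,'`, but a short comment stating that it is intended for the Linux cilium binary would make the scope explicit to the next reader. The enclosing WHERE clause begins outside the hunk.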
@ -325,6 +326,7 @@ WHERE
|
||||
'80,6,500,webhook.test,a.out,',
|
||||
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
||||
'9418,6,500,git,com.apple.git,Software Signing'
|
||||
|
||||
)
|
||||
AND NOT exception_key LIKE '443,6,500,java,com.oracle.java.%.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'
|
||||
AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'
|
||||
|
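Review bot: Whichever of the two `LIKE` lines is the addition here, the `27%` port prefix in the steam_osx pattern also matches port 27, 270–279 and 2700–2799, not only the 27000-range ports it presumably targets, and the `%` in the java pattern accepts any text between `com.oracle.java.` and `.java`. If only five-digit ports are intended, `AND NOT exception_key LIKE '27___,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'` is tighter; otherwise a comment stating the intended port range would help. The enclosing WHERE clause starts outside the hunk.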
@ -48,7 +48,7 @@ FROM
|
||||
WHERE
|
||||
-- On my Linux machine, creating a gzip archive clocks in at 6780210
|
||||
bytes_written_rate > 4000000
|
||||
AND age > 60
|
||||
AND age > 180
|
||||
AND p0.pid > 2
|
||||
AND p0.path NOT IN (
|
||||
'/bin/bash',
|
||||
|
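Review bot: Moving `AND age > 60` to `AND age > 180` (the old/new sides are inferred from print order) means a process that sustains more than 4 MB/s of writes but is observed within its first three minutes is no longer reported, which is the window a short archive-and-upload job could occupy; the comment above only documents the gzip byte rate, not the age choice. Consider recording the rationale inline, e.g. `-- age > 180: short-lived jobs below this dominated false positives (adjust to what was observed)`, so the trade-off stays visible. The same age bump appears in the bytes_read_rate hunk (`@ -47,8 +47,8 @@`).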
@ -56,6 +56,7 @@ WHERE
|
||||
',,/Applications/IntelliJ%20IDEA.app/,',
|
||||
',,/Applications/ProtonMail%20Bridge.app/,',
|
||||
',,/Applications/Visual%20Studio%20Code.app/,',
|
||||
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
|
||||
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
|
||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
|
||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
||||
|
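Review bot: The Voicemod entry ends in `0` where the two Sketch entries in the same list end in `501` and the others leave the last field empty; if that trailing field is a uid (inferred, not visible here), this exception covers the process when it runs as root rather than as the console user, which is a different risk than the neighbouring entries accept. A comment on why `0` is expected for Voicemod, or a check of the field against a live row, would settle it. The enclosing WHERE clause starts outside the hunk.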
@ -54,6 +54,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
|
||||
AND (
|
||||
file.path LIKE '%/go-build%'
|
||||
OR file.path LIKE '%/bin/%'
|
||||
OR file.path LIKE '/tmp/%ctl'
|
||||
OR file.path LIKE '%/CCLBS/%'
|
||||
OR file.path LIKE '%/checkout/%'
|
||||
OR file.path LIKE '%/ci/%'
|
||||
|
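Review bot: `OR file.path LIKE '/tmp/%ctl'` (if it is the added line) matches any file under /tmp at any depth whose name ends in `ctl`, a much wider net than the directory-shaped patterns around it; whether that widens an exclusion or a detection depends on the surrounding query, which starts outside the hunk (only the WHERE keyword is visible in the header). A comment naming the tool it is meant to cover, e.g. `-- *ctl CLIs that <tool> stages in /tmp`, would make the intent checkable and give a reason to revisit the breadth.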
@ -83,6 +83,7 @@ WHERE
|
||||
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
|
||||
'/Library/PrivilegedHelperTools',
|
||||
'/Library/TeX/texbin',
|
||||
'/usr/local/aws-cli',
|
||||
'/nix/store',
|
||||
'/nix/var/nix/profiles/default/bin',
|
||||
'/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
|
||||
|
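Review bot: `'/usr/local/aws-cli'` (likely the addition, since it breaks the ordering of the surrounding entries) is a directory under /usr/local, which on many macOS hosts is writable by the admin user rather than root only; if this list exempts executables by directory, that is a weaker guarantee than the /Library and /nix/store entries beside it. A comment noting that assumption, or narrowing to the specific binary path if the query's matching allows it, is worth considering. The enclosing WHERE clause starts outside the hunk.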
@ -47,8 +47,8 @@ FROM
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
-- On my Linux machine, tarring up a home directory clocks in at 2,800,000 - 4,986,722
|
||||
bytes_read_rate > 2250000
|
||||
AND age > 60
|
||||
bytes_read_rate > 2500000
|
||||
AND age > 180
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
|
||||
AND p0.path NOT LIKE '/System/Library/%'
|
||||
AND p0.path NOT LIKE '/System/Applications/%'
|
||||
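Review bot: The read-rate threshold appears to move from `bytes_read_rate > 2250000` to `bytes_read_rate > 2500000` (sides inferred from print order), yet the comment above still cites a 2,800,000–4,986,722 range for tarring a home directory, so the comment no longer explains why 2.5 MB/s was chosen over 2.25 MB/s. If the change was driven by a new measurement, record it in the comment, e.g. `-- raised to 2,500,000 after <workload> on <platform> measured just under the old threshold`. The enclosing WHERE clause ends outside the hunk.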
@ -65,6 +65,7 @@ WHERE
|
||||
'com.apple.NRD.UpdateBrainService',
|
||||
'docker',
|
||||
'emacs',
|
||||
'electron',
|
||||
'firefox',
|
||||
'osqueryi',
|
||||
'fish',
|
||||
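Review bot: `'electron'` in this hunk and `'tilt'` in the next one (`@ -87,6 +88,7 @@`) are name-only exceptions, and `electron` in particular is the generic binary name shared by every Electron-based application, so the exception applies to anything running under that name rather than one product. If this is a process-name allowlist (the filtered column is outside the hunk), a comment naming the app that triggered it, e.g. `'electron', -- <app> dev builds run the unbundled electron binary`, keeps the exception reviewable later.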
@ -87,6 +88,7 @@ WHERE
|
||||
'nessusd',
|
||||
'melange',
|
||||
'nix',
|
||||
'tilt',
|
||||
'nix-daemon',
|
||||
'nvim',
|
||||
'osqueryd',
|
||||
|
@ -1,6 +1,6 @@
|
||||
-- Currently running programs, only the columns that are not constantly changing
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- tags: postmortem often
|
||||
-- platform: posix
|
||||
SELECT
|
||||
pid,
|
||||
|