False Positive Reduction
This commit is contained in:
parent
0f2339dea7
commit
58ae0e6724
@ -101,6 +101,8 @@ WHERE
|
||||
'/usr/sbin/mDNSResponder'
|
||||
)
|
||||
AND p.path NOT LIKE '%/podman/gvproxy'
|
||||
AND p.path NOT LIKE '%/eksctl'
|
||||
AND p.path NOT LIKE '/opt/homebrew/Cellar/lima/%/bin/limactl'
|
||||
AND p.path NOT LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper'
|
||||
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
|
||||
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
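Review bot: The `AND p.path NOT LIKE '%/eksctl'` exclusion (apparently one of the two lines this hunk adds) is anchored on the basename only, so a binary named eksctl in any directory, including temporary or user-writable ones, is exempted, whereas the sibling `limactl` entry is pinned to its install prefix. Anchor it the same way, e.g. `AND p.path NOT LIKE '<observed-install-prefix>/bin/eksctl'` with the prefix you actually see on the fleet, or add a short `-- why` comment recording that a name-only match is the accepted exposure. The pre-existing `%/podman/gvproxy` entry has the same shape. The enclosing WHERE clause starts and ends outside the hunk.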
|
||||
|
@ -91,12 +91,15 @@ WHERE
|
||||
'123,17,500,chronyd,0u,0g,chronyd',
|
||||
'19305,6,500,msedge,0u,0g,msedge',
|
||||
'21,6,0,rpm-ostree,0u,0g,rpm-ostree',
|
||||
'25565,6,500,java,500u,500g,java',
|
||||
'27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
|
||||
'32768,6,500,mumble,0u,0g,mumble',
|
||||
'32768,6,500,slirp4netns,0u,0g,slirp4netns',
|
||||
'32768,6,0,tailscaled,0u,0g,tailscaled',
|
||||
'4070,6,500,spotify,0u,0g,spotify',
|
||||
'4070,6,500,spotify,u,g,spotify',
|
||||
'4433,6,500,openssl,0u,0g,openssl',
|
||||
'4460,6,106,chronyd,0u,0g,chronyd',
|
||||
'4460,6,125,chronyd,0u,0g,chronyd',
|
||||
'49152,6,500,ContinuityCaptureAgent,Software Signing',
|
||||
'5222,6,500,msedge,0u,0g,msedge',
|
||||
@ -109,21 +112,22 @@ WHERE
|
||||
'80,6,0,kmod,0u,0g,depmod',
|
||||
'80,6,0,kubelet,u,g,kubelet',
|
||||
'80,6,0,ldconfig,0u,0g,ldconfig',
|
||||
'80,6,0,melange,500u,500g,melange',
|
||||
'80,6,0,NetworkManager,0u,0g,NetworkManager',
|
||||
'80,6,0,packagekit-dnf-refresh-repo,0u,0g,packagekit-dnf-',
|
||||
'80,6,0,packagekitd,0u,0g,packagekitd',
|
||||
'80,6,0,pacman,0u,0g,pacman',
|
||||
'80,6,0,pdftex,0u,0g,pdftex',
|
||||
'80,6,0,python2.7,500u,500g,yum',
|
||||
'80,6,0,python3.10,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.10,0u,0g,dnf',
|
||||
'80,6,0,python3.10,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.10,0u,0g,yum',
|
||||
'80,6,0,python3.11,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.11,0u,0g,dnf',
|
||||
'80,6,0,python3.11,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.11,0u,0g,yum',
|
||||
'80,6,0,python3.12,0u,0g,apport-gtk',
|
||||
'80,6,0,python3.12,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.12,0u,0g,dnf',
|
||||
'80,6,0,python3.12,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.12,0u,0g,yum',
|
||||
'80,6,0,python3.12,500u,500g,dnf-automatic',
|
||||
'80,6,0,python3.9,u,g,yum',
|
||||
@ -142,18 +146,18 @@ WHERE
|
||||
'80,6,500,chrome,0u,0g,chrome',
|
||||
'80,6,500,chrome,u,g,chrome',
|
||||
'80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
|
||||
'80,6,500,code-oss,u,g,code-oss',
|
||||
'80,6,500,code,0u,0g,code',
|
||||
'80,6,500,code-oss,u,g,code-oss',
|
||||
'80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
|
||||
'80,6,500,curl,0u,0g,curl',
|
||||
'80,6,500,dotnet,u,g,dotnet',
|
||||
'80,6,500,dropbox,500u,500g,dropbox',
|
||||
'80,6,500,electron,0u,0g,electron',
|
||||
'80,6,500,firefox,0u,0g,.firefox-wrappe',
|
||||
'80,6,500,firefox,0u,0g,firefox',
|
||||
'80,6,500,firefox-bin,0u,0g,firefox-bin',
|
||||
'80,6,500,firefox-bin,500u,500g,firefox-bin',
|
||||
'80,6,500,firefox-bin,u,g,firefox-bin',
|
||||
'80,6,500,firefox,0u,0g,.firefox-wrappe',
|
||||
'80,6,500,firefox,0u,0g,firefox',
|
||||
'80,6,500,flatpak,0u,0g,flatpak',
|
||||
'80,6,500,git-remote-http,0u,0g,git-remote-http',
|
||||
'80,6,500,gnome-software,0u,0g,gnome-software',
|
||||
@ -162,11 +166,14 @@ WHERE
|
||||
'80,6,500,java,0u,0g,java',
|
||||
'80,6,500,java,u,g,java',
|
||||
'80,6,500,main,500u,500g,main',
|
||||
'80,6,500,mateweather-applet,0u,0g,mateweather-app',
|
||||
'80,6,500,mconvert,500u,500g,mconvert',
|
||||
'80,6,500,mediawriter,u,g,mediawriter',
|
||||
'80,6,500,melange,500u,500g,melange',
|
||||
'80,6,500,minecraft-launcher,500u,500g,minecraft-launc',
|
||||
'80,6,500,msedge,0u,0g,msedge',
|
||||
'80,6,500,obs-browser-page,u,g,obs-browser-pag',
|
||||
'80,6,500,ocsp.test,u,g,ocsp.test',
|
||||
'80,6,500,pacman,0u,0g,pacman',
|
||||
'80,6,500,python3.10,0u,0g,aws',
|
||||
'80,6,500,python3.10,0u,0g,yum',
|
||||
@ -181,20 +188,20 @@ WHERE
|
||||
'80,6,500,signal-desktop,u,g,signal-desktop',
|
||||
'80,6,500,slack,0u,0g,slack',
|
||||
'80,6,500,slirp4netns,500u,500g,slirp4netns',
|
||||
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
|
||||
'80,6,500,spotify,0u,0g,spotify',
|
||||
'80,6,500,spotify,500u,500g,spotify',
|
||||
'80,6,500,spotify,u,g,spotify',
|
||||
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
|
||||
'80,6,500,steam,500u,100g,steam',
|
||||
'80,6,500,steam,500u,500g,steam',
|
||||
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
|
||||
'80,6,500,telegram-desktop,u,g,telegram-deskto',
|
||||
'80,6,500,terraform,0u,0g,terraform',
|
||||
'80,6,500,terraform,500u,500g,terraform',
|
||||
'80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
|
||||
'80,6,500,thunderbird-bin,u,g,thunderbird-bin',
|
||||
'80,6,500,thunderbird,0u,0g,thunderbird',
|
||||
'80,6,500,thunderbird,u,g,thunderbird',
|
||||
'80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
|
||||
'80,6,500,thunderbird-bin,u,g,thunderbird-bin',
|
||||
'80,6,500,updater,500u,500g,updater',
|
||||
'80,6,500,vlc,0u,0g,vlc',
|
||||
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
||||
@ -214,9 +221,7 @@ WHERE
|
||||
'8080,6,500,goland,500u,500g,goland',
|
||||
'8080,6,500,idea,0u,0g,idea',
|
||||
'8080,6,500,java,u,g,java',
|
||||
'80,6,500,minecraft-launcher,500u,500g,minecraft-launc',
|
||||
'8080,6,500,msedge,0u,0g,msedge',
|
||||
'80,6,500,ocsp.test,u,g,ocsp.test',
|
||||
'8080,6,500,pycharm,500u,500g,pycharm',
|
||||
'8080,6,500,python3.11,0u,0g,speedtest-cli',
|
||||
'8080,6,500,python3.12,u,g,hass',
|
||||
@ -234,9 +239,9 @@ WHERE
|
||||
'9418,6,0,git,0u,0g,git',
|
||||
'9418,6,500,git,0u,0g,git',
|
||||
'993,6,500,evolution,0u,0g,evolution',
|
||||
'993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
|
||||
'993,6,500,thunderbird,0u,0g,thunderbird',
|
||||
'993,6,500,thunderbird,u,g,thunderbird',
|
||||
'993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
|
||||
'9999,6,500,firefox,0u,0g,firefox'
|
||||
)
|
||||
AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
|
||||
@ -324,8 +329,6 @@ WHERE
|
||||
OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
|
||||
)
|
||||
)
|
||||
AND NOT parent_cmd IN (
|
||||
'/opt/microsoft/msedge/msedge'
|
||||
)
|
||||
AND NOT parent_cmd IN ('/opt/microsoft/msedge/msedge')
|
||||
GROUP BY
|
||||
p.cmdline
|
||||
|
@ -86,9 +86,11 @@ WHERE
|
||||
AND remote_address NOT LIKE 'fdfd:%'
|
||||
AND state != 'LISTEN'
|
||||
) -- Ignore most common application paths
|
||||
AND protocol > 0
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/Resources/%'
|
||||
AND p0.path NOT LIKE '/Users/%/Applications/%.app/Contents/MacOS/%'
|
||||
AND p0.path NOT LIKE '/Library/Apple/%'
|
||||
AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
|
||||
AND p0.path NOT LIKE '/opt/%/bin/%'
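Review bot: Two of the `p0.path NOT LIKE` exclusions here cover user-writable locations, `'/Users/%/Applications/%.app/Contents/MacOS/%'` and the double-wildcard `'/Applications/%.app/Contents/%/MacOS/%'`, so any bundle a user drops into those trees is exempted from this network check on path alone; the page shows two lines as added but does not mark which. A path under a home directory says nothing about who built the binary, so if this query already joins the signature table, gate these two patterns with the signing authority as well; otherwise add a comment stating that unsigned user-installed apps are deliberately out of scope. The `AND (` group above and the remainder of the WHERE clause lie outside the hunk.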
|
||||
@ -130,6 +132,7 @@ WHERE
|
||||
AND NOT unsigned_exception IN (
|
||||
'500,0,0,,',
|
||||
'500,0,0,.Telegram-wrapped,.Telegram-wrapped',
|
||||
'500,6,80,.Telegram-wrapped,.Telegram-wrapped',
|
||||
'500,0,0,chainlink,chainlink',
|
||||
'500,0,0,git,git',
|
||||
'500,0,0,gvproxy,gvproxy',
|
||||
|
@ -156,6 +156,7 @@ WHERE
|
||||
'/dev/shm,Melvor Idle',
|
||||
'/dev/shm,msedge',
|
||||
'/dev/shm,osqueryd',
|
||||
'/dev/input,sway',
|
||||
'/dev/shm,reaper',
|
||||
'/dev/shm,slack',
|
||||
'/dev/shm,spotify',
|
||||
|
@ -137,5 +137,6 @@ WHERE
|
||||
)
|
||||
-- Keyboard flashing
|
||||
AND NOT exception_key LIKE '/dev/cu.usbmodem%,Google Chrome,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome'
|
||||
AND NOT exception_key LIKE '/dev/tty.usbserial-%,java,,net.java.openjdk.java'
|
||||
GROUP BY
|
||||
pof.pid
|
||||
|
@ -54,6 +54,7 @@ WHERE
|
||||
'launcher',
|
||||
'modprobe',
|
||||
'nginx',
|
||||
'osqueryd',
|
||||
'osqueryi',
|
||||
'packagekit-dnf-',
|
||||
'realmd',
|
||||
|
@ -33,6 +33,7 @@ FROM
|
||||
WHERE
|
||||
p.on_disk != 1
|
||||
AND p.path != ''
|
||||
AND p.start_time < (strftime('%s', 'now') - 3600)
|
||||
-- use osquery as the reference mount namespace
|
||||
AND mnt_namespace IN (
|
||||
SELECT DISTINCT
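Review bot: `AND p.start_time < (strftime('%s', 'now') - 3600)` means a process whose binary is no longer on disk is not reported until it has been alive for an hour, and one that exits sooner is never seen; the hunk counts say exactly one line here is new and this one looks like it, though the page does not mark it. If the goal is to skip daemons restarted right after a package upgrade, a shorter grace window would close most of that gap, and either way the choice deserves a comment such as `-- ignore processes younger than 1h: binaries replaced by package upgrades`, so the next person tuning this sees the trade-off. The WHERE clause continues past the hunk.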
|
||||
|
@ -100,6 +100,7 @@ WHERE
|
||||
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/app-steam@%'
|
||||
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
|
||||
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
|
||||
AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/docker-%'
|
||||
AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
|
||||
AND p1.path NOT LIKE '/tmp/.mount_%/%'
|
||||
AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
|
||||
|
@ -41,6 +41,7 @@ WHERE
|
||||
OR file.path LIKE '/sbin/.%'
|
||||
OR file.path LIKE '/sbin/%/.%'
|
||||
OR file.path LIKE '/tmp/.%'
|
||||
OR file.path LIKE '/tmp/.gradle%'
|
||||
OR file.path LIKE '/usr/bin/.%'
|
||||
OR file.path LIKE '/usr/lib/.%'
|
||||
OR file.path LIKE '/usr/lib/%/.%'
|
||||
@ -114,8 +115,8 @@ WHERE
|
||||
'/tmp/.melange.yaml',
|
||||
'/tmp/.metrics-agent/',
|
||||
'/tmp/.PKGINFO',
|
||||
'/tmp/.s.PGSQL.5432.lock',
|
||||
'/tmp/.s.PGSQL.5432',
|
||||
'/tmp/.s.PGSQL.5432.lock',
|
||||
'/tmp/.searcher.tmp/',
|
||||
'/tmp/.ses',
|
||||
'/tmp/.settings-agent/',
|
||||
@ -141,6 +142,7 @@ WHERE
|
||||
'/tmp/.X2-lock',
|
||||
'/tmp/.XIM-unix/',
|
||||
'/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
|
||||
'/usr/lib/nvidia-visual-profiler/.eclipseproduct',
|
||||
'/usr/local/bin/.swtpm',
|
||||
'/usr/local/libexec/.ksysguard/',
|
||||
'/var/.ntw_cache',
|
||||
@ -208,8 +210,8 @@ WHERE
|
||||
'/var/setup/.fseventsd/',
|
||||
'/var/setup/.TemporaryItems',
|
||||
'/var/setup/.TemporaryItems/',
|
||||
'/var/tmp/.ses.bak',
|
||||
'/var/tmp/.ses'
|
||||
'/var/tmp/.ses',
|
||||
'/var/tmp/.ses.bak'
|
||||
)
|
||||
AND file.directory NOT IN (
|
||||
'/etc/etckeeper/commit.d',
|
||||
|
@ -43,16 +43,14 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
|
||||
AND (
|
||||
file.path LIKE '%/go-build%'
|
||||
OR file.directory LIKE '/tmp/%/out'
|
||||
OR file.path IN (
|
||||
'/tmp/mission',
|
||||
'/tmp/mkinitramfs'
|
||||
)
|
||||
OR file.path IN ('/tmp/mission', '/tmp/mkinitramfs')
|
||||
OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
|
||||
OR file.path LIKE '/tmp/ko%/out'
|
||||
OR file.path LIKE '/tmp/lima/%/out/%'
|
||||
OR file.path LIKE '/tmp/wolfi%'
|
||||
OR file.path LIKE '%-release%/%'
|
||||
OR file.path LIKE '%/bin/%'
|
||||
OR file.path LIKE '/tmp/%.sh'
|
||||
OR file.path LIKE '%/checkout/%'
|
||||
OR file.path LIKE '%/ci/%'
|
||||
OR file.path LIKE '%/configure'
|
||||
|
@ -50,6 +50,7 @@ WHERE
|
||||
'/var/lib/colord',
|
||||
'/var/ossec/agentless',
|
||||
'/var/ossec/bin',
|
||||
'/var/vanta',
|
||||
'/var/ossec/wodles',
|
||||
'/var/run/booted-system',
|
||||
'/var/run/current-system'
|
||||
|
@ -58,6 +58,7 @@ WHERE
|
||||
'lxcfs.pid',
|
||||
'machine-id',
|
||||
'mcelog.pid',
|
||||
'metalauncher.pid',
|
||||
'motd.dynamic',
|
||||
'motd',
|
||||
'multipathd.pid',
|
||||
|
@ -99,7 +99,9 @@ WHERE
|
||||
AND basename NOT IN (
|
||||
"acpid",
|
||||
"busybox",
|
||||
"nm-openvpn-auth",
|
||||
"com.docker.backend",
|
||||
"nm-openvpn-service",
|
||||
"com.docker.build",
|
||||
"com.docker.extensions",
|
||||
"cpulimit",
|
||||
|
@ -55,6 +55,7 @@ WHERE
|
||||
AND p0.cmdline LIKE '%/%'
|
||||
AND (
|
||||
ip NOT IN ('', '127.0.0.1', '::1')
|
||||
AND ip NOT LIKE '172.17.%'
|
||||
OR port != ''
|
||||
OR tld NOT IN (
|
||||
'',
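Review bot: `AND ip NOT LIKE '172.17.%'` is combined with the following `OR port != ''` and `OR tld NOT IN (` branches without parentheses, so by SQL precedence it narrows only the first disjunct: a cmdline pointing at a 172.17.x.x address that also carries a port, or an unlisted TLD, still matches. If that is intended, make it explicit with `(ip NOT IN ('', '127.0.0.1', '::1') AND ip NOT LIKE '172.17.%')`; if the range (presumably the default Docker bridge subnet) should be exempt outright, the condition belongs outside the OR group. Note the pattern covers only that one /16, not user-defined container networks. The `AND (` group closes outside the hunk.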
|
||||
|
@ -76,6 +76,8 @@ WHERE
|
||||
AND INSTR(path, "/var/lib/snapd/") != 1
|
||||
AND INSTR(path, "/var/opt/") != 1
|
||||
AND INSTR(path, "/var/usrlocal/bin/") != 1
|
||||
AND INSTR(path, "/var/cache/melange") != 1
|
||||
AND INSTR(path, "/var/vanta/") != 1
|
||||
AND path NOT LIKE "%/.terraform%"
|
||||
AND path != '/bpfilter_umh'
|
||||
AND NOT path LIKE '/tmp/%/osqtool'
|
||||
@ -83,6 +85,7 @@ WHERE
|
||||
AND NOT cgroup_path LIKE '/system.slice/docker-%' -- Interactive terminal
|
||||
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
|
||||
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
|
||||
AND NOT cgroup_path LIKE '/kubepods.slice/%'
|
||||
AND NOT (
|
||||
cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-Alacritty-%.scope'
|
||||
AND path LIKE '/tmp/%'
|
||||
|
@ -121,6 +121,7 @@ WHERE
|
||||
'~/.tflint.d/',
|
||||
'~/.terraform.d/',
|
||||
'~/.Trash/',
|
||||
'~/chainguard-dev/',
|
||||
'~/.vs-kubernetes/',
|
||||
'~/.vscode/',
|
||||
'~/Applications (Parallels)/',
|
||||
@ -224,8 +225,14 @@ WHERE
|
||||
AND NOT (
|
||||
s.identifier = "a.out"
|
||||
AND homedir LIKE '~/%'
|
||||
AND p1.name LIKE '%sh'
|
||||
AND p2.name = 'login'
|
||||
AND (
|
||||
p1.name LIKE '%sh'
|
||||
OR p1.name = 'make'
|
||||
)
|
||||
AND (
|
||||
p2.name = 'login'
|
||||
OR p2.name LIKE '%sh'
|
||||
)
|
||||
AND p0.path NOT LIKE '%/Cache%'
|
||||
AND p0.path NOT LIKE '%/Library/%'
|
||||
AND p0.path NOT LIKE '%/.%'
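Review bot: The relaxed chain `(p1.name LIKE '%sh' OR p1.name = 'make') AND (p2.name = 'login' OR p2.name LIKE '%sh')` now exempts an unsigned `a.out` under the home directory whenever parent and grandparent are both shells, which no longer ties the exception to an interactive login session; `'%sh'` also matches any process name ending in those two letters (`ssh`, for instance), not only shells. Consider keeping the grandparent anchored to `login` or a terminal process, or record the accepted gap with a comment such as `-- a.out built and run from a nested shell or make; grandparent no longer required to be login`. The `AND NOT (` group is shown in full, but the surrounding WHERE clause extends past the hunk.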
|
||||
|
@ -72,7 +72,10 @@ WHERE
|
||||
AND f.uid > 500
|
||||
)
|
||||
AND NOT (
|
||||
f.path = '/Applications/EA app.app/Contents/Applications/EABackgroundService.app/Contents/MacOS/EABackgroundService'
|
||||
f.path IN (
|
||||
'/Applications/EA app.app/Contents/Applications/EABackgroundService.app/Contents/MacOS/EABackgroundService',
|
||||
'/Applications/EA app.app/Contents/Applications/EABackgroundAgent.app/Contents/MacOS/EABackgroundAgent'
|
||||
)
|
||||
AND f.mode = '0777'
|
||||
AND f.uid = 0
|
||||
)
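Review bot: The exception still keys on path plus `f.mode = '0777' AND f.uid = 0`, so a world-writable, root-owned executable is exempted purely by where it sits, and since any local user can rewrite such a file the path is the weakest anchor available. If the signature table is reachable from this query, also require the vendor's signing authority on the two listed paths; otherwise add a comment noting that the content of these files is not verified. With a signer check in place, a single `f.path LIKE '/Applications/EA app.app/Contents/Applications/%.app/Contents/MacOS/%'` would be easier to maintain than a growing IN list; without one, keep the explicit list. The outer WHERE clause continues outside the hunk.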
|
||||
|
@ -86,6 +86,7 @@ WHERE -- Focus on longer-running programs
|
||||
AND NOT s.authority IN (
|
||||
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'Developer ID Application: Valve Corporation (MXGJJ98X76)'
|
||||
)
|
||||
|
@ -54,26 +54,41 @@ WHERE
|
||||
OR perms LIKE "%webRequest%"
|
||||
)
|
||||
)
|
||||
-- Can make requests and see interesting information
|
||||
OR (
|
||||
perms LIKE '%://*/%'
|
||||
OR perms LIKE '%<all_urls>%'
|
||||
OR perms LIKE '%blockchain%'
|
||||
OR perms LIKE '%clipboardRead%'
|
||||
OR perms LIKE '%coinbase%'
|
||||
OR perms LIKE '%cookies%'
|
||||
OR perms LIKE '%debugger%'
|
||||
OR perms LIKE '%declarativeNetRequestFeedback%'
|
||||
OR perms LIKE '%desktopCapture%'
|
||||
OR perms LIKE '%github.com%'
|
||||
OR perms LIKE '%google.com%'
|
||||
OR perms LIKE "%history%"
|
||||
OR perms LIKE "%management%"
|
||||
OR perms LIKE "%nativeMessaging%"
|
||||
OR perms LIKE "%proxy%"
|
||||
OR perms LIKE "%webAuthenticationProxy%"
|
||||
perms like '%webRequest%'
|
||||
OR perms LIKE '%dns%'
|
||||
AND (
|
||||
perms LIKE '%://*/%'
|
||||
OR perms LIKE '%<all_urls>%'
|
||||
OR perms LIKE '%blockchain%'
|
||||
OR perms LIKE '%clipboardRead%'
|
||||
OR perms LIKE '%coinbase%'
|
||||
OR perms LIKE '%cookies%'
|
||||
OR perms LIKE '%github.com%'
|
||||
OR perms LIKE '%google.com%'
|
||||
OR perms LIKE '%pageCapture%'
|
||||
OR perms LIKE '%privacy%'
|
||||
OR perms LIKE '%tabCapture%'
|
||||
OR perms LIKE '%tabs%'
|
||||
OR perms LIKE '%webNavigation%'
|
||||
)
|
||||
)
|
||||
-- Unusual permissions
|
||||
OR perms LIKE "%contentSettings%"
|
||||
OR perms LIKE "%history%"
|
||||
OR perms LIKE "%management%"
|
||||
OR perms LIKE "%nativeMessaging%"
|
||||
OR perms LIKE "%proxy%"
|
||||
OR perms LIKE "%vpnProvider%"
|
||||
OR perms LIKE "%webAuthenticationProxy%"
|
||||
OR perms LIKE '%debugger%'
|
||||
OR perms LIKE '%declarativeNetRequestFeedback%'
|
||||
OR perms LIKE '%desktopCapture%'
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
|
||||
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
|
||||
'false,,Grammarly: AI Writing and Grammar Checker App,cnlefmmeadmemmdciolhbnfeacpdfbkd',
|
||||
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
|
||||
'true,,[DEPRECATED] Tag Assistant Legacy,kejbdjndbnbjgmefkgdddjlbokphdefk',
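Review bot: `perms like '%webRequest%' OR perms LIKE '%dns%' AND ( … )` mixes OR and AND without parentheses, so `webRequest` alone satisfies the block while `dns` must additionally hit one of the grouped patterns; the block comment reads as `(webRequest OR dns) AND (…)`, which needs explicit grouping: `(perms LIKE '%webRequest%' OR perms LIKE '%dns%') AND (`. The lowercase `like` on that line is also the only one in view; the rest of the file uses `LIKE`. Separately, in the `@ -194` and `@ -323` hunks of this file, `\xE2\x80\x93` inside a string literal is not an escape in SQLite, so those entries match only if the name column literally contains that eight-character text; confirm that against what the table returns, since the en-dash spellings already sit beside them. The enclosing WHERE clause begins before and ends after this hunk.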
|
||||
@ -89,6 +104,7 @@ WHERE
|
||||
'true,,Awesome Screen Recorder & Screenshot,nlipoenfbbikpbjkfpfillcgkoblgpmj',
|
||||
'true,,axe DevTools - Web Accessibility Testing,lhdoppojpmngadmnindnejefpokejbdd',
|
||||
'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
|
||||
'true,Omnivore Media, Inc,Omnivore,blkggjdmcfjdbmmmlfcpplkchpeaiiab',
|
||||
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
|
||||
'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
|
||||
'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh',
|
||||
@ -194,9 +210,9 @@ WHERE
|
||||
'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia',
|
||||
'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
|
||||
'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
|
||||
'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
|
||||
'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
|
||||
'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
|
||||
'true,,Loom \xE2\x80\x93 Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
|
||||
'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn',
|
||||
'true,,Mailvelope,kajibbejlbohfaggdiogboambcijhkke',
|
||||
'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl',
|
||||
@ -206,6 +222,7 @@ WHERE
|
||||
'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji',
|
||||
'true,,Moesif Origin/CORS Changer & API Logger,digfbfaphojjndkpccljibejjbppifbc',
|
||||
'true,,MQTTLens,hemojaaeigabkbcookmlgmdigohjobjm',
|
||||
'true,,Newsletter Creator for Gmail - Flashissue,cihaednhfbocfdiflmpccekcmjepcnmb',
|
||||
'true,,Nooks,kbbdibmbjngifdgbmlleelghocpeimhe',
|
||||
'true,,NordVPN - VPN proxy for privacy and security,fjoaledfpmneenckfbpdfhkmimnjocfa',
|
||||
'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
|
||||
@ -299,6 +316,7 @@ WHERE
|
||||
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
|
||||
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
|
||||
'true,,Video Downloader PLUS,njgehaondchbmjmajphnhlojfnbfokng',
|
||||
'true,,Video Downloader Professional,elicpjhcidhpjomhibiffojpinpmmpil',
|
||||
'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan',
|
||||
'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh',
|
||||
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
|
||||
@ -323,13 +341,15 @@ WHERE
|
||||
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
|
||||
'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee',
|
||||
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
|
||||
'true,Adblock, Inc.,AdBlock — block ads across the web,gighmmpiobklfepjocnamgkkbiglidom',
|
||||
'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg',
|
||||
'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
|
||||
'true,AgileBits,1Password \xE2\x80\x93 Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
|
||||
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk',
|
||||
'true,AgileBits,1Password Nightly – Password Manager,gejiddohjgogedgjnonbofjigllpkmbf',
|
||||
'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
|
||||
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh',
|
||||
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn',
|
||||
'true,AwardWallet LLC,AwardWallet,lppkddfmnlpjbojooindbmcokchjgbib',
|
||||
'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
|
||||
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
|
||||
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
|
||||
@ -347,12 +367,13 @@ WHERE
|
||||
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb',
|
||||
'true,Federico Brigante,GitHub Issue Link Status,nbiddhncecgemgccalnoanpnenalmkic',
|
||||
'true,François Duprat,Mobile simulator - responsive testing tool,ckejmhbmlajgoklhgbapkiccekfoccmk',
|
||||
'true,Ghostery,Ghostery – Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij',
|
||||
'true,Ghostery,Ghostery Tracker & Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
|
||||
'true,Ghostery,Ghostery Tracker Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
|
||||
'true,Ghostery,Ghostery – Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij',
|
||||
'true,GLIDER,Glider Proctoring,dcnidakmkbkbohdaelljpgdhmbbpbdbg',
|
||||
'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi',
|
||||
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag',
|
||||
'true,GZ systems Ltd.,PureVPN Proxy - Best VPN for Chrome,bfidboloedlamgdmenmlbipfnccokknp',
|
||||
'true,homerchen19,File Icons for GitHub and GitLab,ficfmibkjjnpogdcfhfokmihanoldbfe',
|
||||
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn',
|
||||
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok',
|
||||
@ -387,9 +408,7 @@ WHERE
|
||||
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
|
||||
'true,Web to Figma,Web to Figma,mafpepbepbabkenbfpcdjmmjmeeemoal',
|
||||
'true,Yuri Konotopov <ykonotopov@gnome.org>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
|
||||
'true,Zinlab <sebastian@Zinlab>,Better History,egehpkpgpgooebopjihjmnpejnjafefi',
|
||||
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
|
||||
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk"
|
||||
'true,Zinlab <sebastian@Zinlab>,Better History,egehpkpgpgooebopjihjmnpejnjafefi'
|
||||
)
|
||||
AND NOT (
|
||||
exception_key IN (
|
||||
|
@ -29,5 +29,6 @@ WHERE
|
||||
AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
|
||||
AND command NOT LIKE 'root%run-parts%'
|
||||
AND command NOT IN (
|
||||
"ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill"
|
||||
"ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill",
|
||||
'root [ -d "/run/systemd/system" ] && systemctl restart atop'
|
||||
)
|
||||
|
@ -152,9 +152,12 @@ WHERE
|
||||
'49152,6,500,Logic Pro X,Apple Mac OS Application Signing',
|
||||
'49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'49152,6,500,LogiPluginService,Developer ID Application: Loupedeck Oy (M24R8BN5BK)',
|
||||
'49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
|
||||
'49152,6,500,Music,Software Signing',
|
||||
'49152,6,500,node,',
|
||||
'49152,6,500,OBSBOT_Center,Developer ID Application: Remo Tech Co.,Ltd. (7GJANK3822)',
|
||||
'49152,6,500,OBSBOT_Main,Developer ID Application: Remo Tech Co.,Ltd. (7GJANK3822)',
|
||||
'49152,6,500,OmniFocus,Apple Mac OS Application Signing',
|
||||
'49152,6,500,qemu-system-aarch64,',
|
||||
'49152,6,500,RAATServer,Developer ID Application: Roon Labs LLC (WU8DGC424P)',
|
||||
@ -188,8 +191,8 @@ WHERE
|
||||
'53,17,65,mDNSResponder,Software Signing',
|
||||
'53,6,500,dnsmasq,',
|
||||
'53,6,65,mDNSResponder,Software Signing',
|
||||
'5432,6,500,postgres,Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
|
||||
'5432,6,500,postgres',
|
||||
'5432,6,500,postgres,Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
|
||||
'5433,6,500,postgres',
|
||||
'5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
|
||||
'546,17,0,configd,Software Signing',
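Review bot: `'5432,6,500,postgres'` and `'5433,6,500,postgres'` have four fields while every other key in this list has five (`port,proto,uid,name,authority`, with an empty trailing field for unsigned binaries such as `'53,6,500,dnsmasq,'`), so if exception_key is assembled that way these two entries can never match and the unsigned postgres listener they were meant to cover still alerts; the commit only moves the signed postgres entry next to them. Either append the empty authority field (`'5432,6,500,postgres,'` and `'5433,6,500,postgres,'`) or drop them if the signed build is what the fleet actually runs. These are context lines, and the IN list continues beyond the hunk.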
|
||||
|
@ -79,6 +79,7 @@ WHERE
|
||||
'500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp',
|
||||
'500,Ecamm Live Stream Deck Plugin,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
|
||||
'500,flyctl,~/.fly',
|
||||
'500,sway,/run/user/1000',
|
||||
'500,gnome-shell,/run/user/1000',
|
||||
'500,Hyprland,/run/user/1000',
|
||||
'500,iMovie,~/Movies/iMovie Library.imovielibrary',
|
||||
|
@ -16,7 +16,7 @@ SELECT
|
||||
p0.path,
|
||||
COALESCE(
|
||||
REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1),
|
||||
REGEX_MATCH (p0.path, "(\d[\.\d]+)/.*", 1),
|
||||
REGEX_MATCH (p0.path, "(\d[\.\d]+)", 1),
|
||||
"3.11"
|
||||
),
|
||||
"__VERSION__"
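Review bot: The new `REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1)` branch depends on COALESCE skipping it for non-nix paths, which holds only if REGEX_MATCH returns NULL on a non-match; if it returns `''`, the two version branches below never run and every non-nix path ends up substituting an empty string for `__VERSION__`. Worth confirming against osquery's REGEX_MATCH semantics and, if needed, guarding with `NULLIF(REGEX_MATCH (p0.path, "/nix/store/(.*?)/.*", 1), '')`. The double-quoted patterns and the `"3.11"` default are string literals only through SQLite's identifier fallback; single quotes would be the safer spelling. The outer call that consumes this COALESCE is outside the hunk.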
|
||||
@ -113,6 +113,7 @@ WHERE
|
||||
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
|
||||
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
|
||||
'bpfilter_umh,/bpfilter_umh,0,,,',
|
||||
'ollama,/snap/ollama/__VERSION__/bin/ollama,0,system.slice,snap.ollama.listener.service,0755',
|
||||
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
|
||||
'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
|
||||
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
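Review bot: `'ollama,/snap/ollama/__VERSION__/bin/ollama,...'` is inserted between the `bpfilter_umh` and `canonical-livep` entries, breaking the alphabetical order the rest of this IN list keeps; the `indicator-cpufr` entry in the `@ -122` hunk below lands between `containerd` and `cron` the same way. Other hunks in this commit re-sort entries, so moving these two to their sorted positions keeps the list greppable and makes future duplicates easy to spot. The IN list extends beyond both hunks.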
|
||||
@ -122,6 +123,7 @@ WHERE
|
||||
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
|
||||
'containerd,/usr/sbin/containerd,0,system.slice,docker.service,0755',
|
||||
'indicator-cpufr,/usr/bin/python3.12,0,system.slice,dbus.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
|
||||
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
|
||||
|
@ -1,8 +1,11 @@
|
||||
-- Retrieves recent entries from the macOS unified log
|
||||
--
|
||||
-- tags: postmortem extra
|
||||
-- tags: postmortem extra disabled
|
||||
-- platform: darwin
|
||||
-- interval: 1800
|
||||
SELECT
|
||||
*
|
||||
timestamp, pid, process, category, subsystem, message
|
||||
FROM
|
||||
unified_log;
|
||||
unified_log
|
||||
WHERE
|
||||
timestamp > (strftime('%s', 'now') - 1800)
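Review bot: `timestamp > (strftime('%s', 'now') - 1800)` uses a look-back equal to the `-- interval: 1800` schedule, so any scheduler delay or skipped run (osquery's scheduler is typically not wall-clock exact) silently drops the entries that fall in the gap, whereas a small overlap would only duplicate a few, which is the safer failure for a postmortem query. Consider widening the window (for example `- 2100`, a constructed value) and noting the overlap in the header comment, or add a line stating that gaps are acceptable. The `disabled` tag this commit adds would also benefit from a comment saying why the query ships off by default.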
|
||||
|