From 5fa706805e536e44d342e8fd6465b2ce0b45f72a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 23 Feb 2023 21:24:52 -0500
Subject: [PATCH] incident_response: bugfixes across queries
---
 incident_response/disk_events_macos.sql | 2 +-
 incident_response/files-dev.sql | 12 ++++++++----
 incident_response/process_open_pipes.sql | 13 ++++++++-----
 incident_response/processes.sql | 8 +++++---
 incident_response/seccomp_events.sql | 5 ++++-
 5 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/incident_response/disk_events_macos.sql b/incident_response/disk_events_macos.sql
index aa99b0e..c829d6e 100644
--- a/incident_response/disk_events_macos.sql
+++ b/incident_response/disk_events_macos.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- authorizations;
\ No newline at end of file
+ disk_events;
diff --git a/incident_response/files-dev.sql b/incident_response/files-dev.sql
index e0d1dfa..59351e2 100644
--- a/incident_response/files-dev.sql
+++ b/incident_response/files-dev.sql
@@ -2,7 +2,11 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT *
-FROM file
- JOIN hash ON file.path = hash.path
-WHERE file.path LIKE "/dev/%%";
\ No newline at end of file
+SELECT
+ file.*,
+ magic.data
+FROM
+ file
+ JOIN magic ON file.path = magic.path
+WHERE
+ file.path LIKE "/dev/%%";
diff --git a/incident_response/process_open_pipes.sql b/incident_response/process_open_pipes.sql
index ebe257f..6cc6bfd 100644
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@@ -1,8 +1,11 @@
--- Return the list of interface addresses
+-- Return the list of open pipes per process
 --
 -- tags: postmortem
 -- platform: posix
-SELECT p.path AS p_path, p.name AS p_name,
- pop.*
-FROM process_open_pipes AS pop
- LEFT JOIN processes p ON pop.pid = p.pid;
\ No newline at end of file
+SELECT
+ p.path AS p_path,
+ p.name AS p_name,
+ pop.*
+FROM
+ process_open_pipes AS pop
+ LEFT JOIN processes p ON pop.pid = p.pid;
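Review bot: The description comment at the top of disk_events_macos.sql (lines 1-4, outside this hunk) is left untouched even though the query body was evidently copied from the authorizations query, so it may still describe authorizations rather than disk events — the same copy-paste header this commit corrects in process_open_pipes.sql. Worth confirming that line 1 reads something like `-- Return disk attach/detach events (macOS)` before merging. The retained `SELECT *` also makes the output columns depend on whatever schema the running osquery version exposes; naming the columns the postmortem actually needs would keep the result shape stable across agent upgrades.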
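Review bot: The new `JOIN magic ON file.path = magic.path` in files-dev.sql is an inner join, so any /dev entry for which the magic table returns no row is dropped from the output with no indication; for a postmortem listing of device nodes that silently hides evidence, and `LEFT JOIN magic ON file.path = magic.path` keeps every file row with `magic.data` NULL where there is no match. Separately, the retained predicate `file.path LIKE "/dev/%%"` uses double quotes, which standard SQL treats as an identifier and SQLite only tolerates as a string literal when no such column exists, and `%%` is two wildcards rather than an escaped percent sign. Unless this file is consumed by a template engine that collapses `%%`, `file.path LIKE '/dev/%'` is the unambiguous form.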
diff --git a/incident_response/processes.sql b/incident_response/processes.sql
index fa71b3c..1fca213 100644
--- a/incident_response/processes.sql
+++ b/incident_response/processes.sql
@@ -2,7 +2,8 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT pid,
+SELECT
+ pid,
 name,
 path,
 cmdline,
@@ -13,7 +14,7 @@ SELECT pid,
 gid,
 euid,
 egid,
- seuid,
+ suid,
 sgid,
 on_disk,
 start_time,
@@ -22,4 +23,5 @@ SELECT pid,
 threads,
 nice,
 cgroup_path
-FROM processes
\ No newline at end of file
+FROM
+ processes
diff --git a/incident_response/seccomp_events.sql b/incident_response/seccomp_events.sql
index 3446f0d..715c5f4 100644
--- a/incident_response/seccomp_events.sql
+++ b/incident_response/seccomp_events.sql
@@ -2,4 +2,7 @@
 --
 -- tags: postmortem
 -- platform: linux
-SELECT * FROM seccomp_events;
\ No newline at end of file
+SELECT
+ *
+FROM
+ seccomp_events;