Merge pull request #397 from tstromberg/linux-device-refactor
commit
67ce4cd92a
@ -12,262 +12,257 @@
|
||||
-- platform: linux
|
||||
SELECT -- Remove numerals from device names
|
||||
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
|
||||
DISTINCT REPLACE(
|
||||
CONCAT(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""),
|
||||
"3",
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(REPLACE(path, "0", ""), "1", ""),
|
||||
"2",
|
||||
""
|
||||
),
|
||||
"3",
|
||||
""
|
||||
),
|
||||
"4",
|
||||
""
|
||||
),
|
||||
"4",
|
||||
"5",
|
||||
""
|
||||
),
|
||||
"5",
|
||||
"6",
|
||||
""
|
||||
),
|
||||
"6",
|
||||
"7",
|
||||
""
|
||||
),
|
||||
"7",
|
||||
"8",
|
||||
""
|
||||
),
|
||||
"8",
|
||||
"9",
|
||||
""
|
||||
),
|
||||
"9",
|
||||
""
|
||||
) AS path_expr,
|
||||
",",
|
||||
file.type
|
||||
) AS exception_key,
|
||||
file.*
|
||||
FROM
|
||||
file
|
||||
WHERE
|
||||
(
|
||||
FROM file
|
||||
WHERE (
|
||||
path LIKE '/dev/%'
|
||||
OR directory LIKE '/dev/%'
|
||||
OR directory LIKE '/dev/%/.%'
|
||||
OR directory LIKE '/dev/.%'
|
||||
)
|
||||
AND path_expr NOT IN (
|
||||
'/dev/accel/',
|
||||
'/dev/accel/accel',
|
||||
'/dev/acpi_thermal_rel',
|
||||
'/dev/autofs',
|
||||
'/dev/block/',
|
||||
'/dev/block/:',
|
||||
'/dev/bsg/',
|
||||
'/dev/bsg/:::',
|
||||
'/dev/btrfs-control',
|
||||
'/dev/bus/',
|
||||
'/dev/bus/usb',
|
||||
'/dev/cdrom',
|
||||
'/dev/cec',
|
||||
'/dev/char/',
|
||||
'/dev/char/:',
|
||||
'/dev/console',
|
||||
'/dev/core',
|
||||
'/dev/cpu/',
|
||||
'/dev/cpu_dma_latency',
|
||||
AND path NOT LIKE '%/./%'
|
||||
AND path NOT LIKE '%/../%'
|
||||
AND exception_key NOT IN (
|
||||
'/dev/accel/accel,character',
|
||||
'/dev/accel/,directory',
|
||||
'/dev/acpi_thermal_rel,character',
|
||||
'/dev/autofs,character',
|
||||
'/dev/binder,character',
|
||||
'/dev/binderfs/binder,character',
|
||||
'/dev/binderfs/binder-control,character',
|
||||
'/dev/binderfs/,directory',
|
||||
'/dev/binderfs/features,directory',
|
||||
'/dev/binderfs/hwbinder,character',
|
||||
'/dev/binderfs/vndbinder,character',
|
||||
'/dev/block/:,block',
|
||||
'/dev/block/,directory',
|
||||
'/dev/bsg/:::,character',
|
||||
'/dev/bsg/,directory',
|
||||
'/dev/btrfs-control,character',
|
||||
'/dev/bus/,directory',
|
||||
'/dev/bus/usb,directory',
|
||||
'/dev/cdrom,block',
|
||||
'/dev/cec,character',
|
||||
'/dev/char/:,character',
|
||||
'/dev/char/,directory',
|
||||
'/dev/char/:,unknown',
|
||||
'/dev/console,character',
|
||||
'/dev/core,regular',
|
||||
'/dev/cpu/,directory',
|
||||
'/dev/cpu_dma_latency,character',
|
||||
'/dev/cpu/microcode',
|
||||
'/dev/cros_ec',
|
||||
'/dev/cuse',
|
||||
'/dev/dbc',
|
||||
'/dev/disk/',
|
||||
'/dev/disk/by-diskseq',
|
||||
'/dev/disk/by-dname',
|
||||
'/dev/disk/by-id',
|
||||
'/dev/disk/by-label',
|
||||
'/dev/disk/by-loop-inode',
|
||||
'/dev/disk/by-loop-ref',
|
||||
'/dev/disk/by-partlabel',
|
||||
'/dev/disk/by-partuuid',
|
||||
'/dev/disk/by-path',
|
||||
'/dev/disk/by-uuid',
|
||||
'/dev/dm-',
|
||||
'/dev/dma_heap/',
|
||||
'/dev/dma_heap/system',
|
||||
'/dev/dmmidi',
|
||||
'/dev/dri/',
|
||||
'/dev/dri/by-path',
|
||||
'/dev/dri/card',
|
||||
'/dev/dri/renderD',
|
||||
'/dev/drm_dp_aux',
|
||||
'/dev/dvd',
|
||||
'/dev/ecryptfs',
|
||||
'/dev/fb',
|
||||
'/dev/fd/',
|
||||
'/dev/full',
|
||||
'/dev/fuse',
|
||||
'/dev/gpiochip',
|
||||
'/dev/hidraw',
|
||||
'/dev/HID-SENSOR-e..auto',
|
||||
'/dev/hpet',
|
||||
'/dev/hugepages/',
|
||||
'/dev/hugepages/libvirt',
|
||||
'/dev/hvc',
|
||||
'/dev/hwrng',
|
||||
'/dev/ic-',
|
||||
'/dev/iio:device',
|
||||
'/dev/initctl',
|
||||
'/dev/input/',
|
||||
'/dev/input/by-id',
|
||||
'/dev/input/by-path',
|
||||
'/dev/input/event',
|
||||
'/dev/input/js',
|
||||
'/dev/input/mice',
|
||||
'/dev/input/mouse',
|
||||
'/dev/ipu-psys',
|
||||
'/dev/kfd',
|
||||
'/dev/kmsg',
|
||||
'/dev/kvm',
|
||||
'/dev/libmtp--',
|
||||
'/dev/libmtp--.',
|
||||
'/dev/log',
|
||||
'/dev/loop',
|
||||
'/dev/loop-control',
|
||||
'/dev/lp',
|
||||
'/dev/mapper/',
|
||||
'/dev/mapper/control',
|
||||
'/dev/mcelog',
|
||||
'/dev/md',
|
||||
'/dev/md/',
|
||||
'/dev/md/ssdraid',
|
||||
'/dev/md/ssraid',
|
||||
'/dev/media',
|
||||
'/dev/mei',
|
||||
'/dev/mem',
|
||||
'/dev/midi',
|
||||
'/dev/mmcblk',
|
||||
'/dev/mqueue/',
|
||||
'/dev/mtd',
|
||||
'/dev/mtd/',
|
||||
'/dev/mtd/by-name',
|
||||
'/dev/mtdro',
|
||||
'/dev/net/',
|
||||
'/dev/net/tun',
|
||||
'/dev/ngn',
|
||||
'/dev/ntsync',
|
||||
'/dev/null',
|
||||
'/dev/nvidia',
|
||||
'/dev/nvidia-caps/',
|
||||
'/dev/nvidia-caps/nvidia-cap',
|
||||
'/dev/nvidiactl',
|
||||
'/dev/nvidia-modeset',
|
||||
'/dev/nvidia-uvm',
|
||||
'/dev/nvidia-uvm-tools',
|
||||
'/dev/nvme',
|
||||
'/dev/nvme-fabrics',
|
||||
'/dev/nvmen',
|
||||
'/dev/nvmenp',
|
||||
'/dev/nvram',
|
||||
'/dev/port',
|
||||
'/dev/ppp',
|
||||
'/dev/pps',
|
||||
'/dev/psaux',
|
||||
'/dev/ptmx',
|
||||
'/dev/ptp',
|
||||
'/dev/pts/',
|
||||
'/dev/pts/ptmx',
|
||||
'/dev/random',
|
||||
'/dev/rfkill',
|
||||
'/dev/rpool/',
|
||||
'/dev/rpool/keystore',
|
||||
'/dev/rtc',
|
||||
'/dev/sda',
|
||||
'/dev/sdb',
|
||||
'/dev/sdc',
|
||||
'/dev/sdd',
|
||||
'/dev/sde',
|
||||
'/dev/serial/',
|
||||
'/dev/serial/by-id',
|
||||
'/dev/serial/by-path',
|
||||
'/dev/sg',
|
||||
'/dev/cros_ec,character',
|
||||
'/dev/cuse,character',
|
||||
'/dev/dbc,character',
|
||||
'/dev/disk/by-diskseq,directory',
|
||||
'/dev/disk/by-dname,directory',
|
||||
'/dev/disk/by-id,directory',
|
||||
'/dev/disk/by-label,directory',
|
||||
'/dev/disk/by-loop-inode,directory',
|
||||
'/dev/disk/by-loop-ref,directory',
|
||||
'/dev/disk/by-partlabel,directory',
|
||||
'/dev/disk/by-partuuid,directory',
|
||||
'/dev/disk/by-path,directory',
|
||||
'/dev/disk/by-uuid,directory',
|
||||
'/dev/disk/,directory',
|
||||
'/dev/dma_heap/,directory',
|
||||
'/dev/dma_heap/system,character',
|
||||
'/dev/dm-,block',
|
||||
'/dev/dri/by-path,directory',
|
||||
'/dev/dri/card,character',
|
||||
'/dev/dri/,directory',
|
||||
'/dev/dri/renderD,character',
|
||||
'/dev/drm_dp_aux,character',
|
||||
'/dev/ecryptfs,character',
|
||||
'/dev/fb,character',
|
||||
'/dev/fd/,character',
|
||||
'/dev/fd/,directory',
|
||||
'/dev/fd/,fifo',
|
||||
'/dev/fd/,regular',
|
||||
'/dev/fd/,socket',
|
||||
'/dev/fd/,unknown',
|
||||
'/dev/full,character',
|
||||
'/dev/fuse,character',
|
||||
'/dev/gpiochip,character',
|
||||
'/dev/hidraw,character',
|
||||
'/dev/HID-SENSOR-e..auto,character',
|
||||
'/dev/hpet,character',
|
||||
'/dev/hugepages/,directory',
|
||||
'/dev/hugepages/libvirt,directory',
|
||||
'/dev/hwbinder,character',
|
||||
'/dev/hwrng,character',
|
||||
'/dev/ic-,character',
|
||||
'/dev/iio:device,character',
|
||||
'/dev/initctl,fifo',
|
||||
'/dev/input/by-id,directory',
|
||||
'/dev/input/by-path,directory',
|
||||
'/dev/input/,directory',
|
||||
'/dev/input/event,character',
|
||||
'/dev/input/js,character',
|
||||
'/dev/input/mice,character',
|
||||
'/dev/input/mouse,character',
|
||||
'/dev/ipu-psys,character',
|
||||
'/dev/kfd,character',
|
||||
'/dev/kmsg,character',
|
||||
'/dev/kvm,character',
|
||||
'/dev/log,socket',
|
||||
'/dev/loop,block',
|
||||
'/dev/loop-control,character',
|
||||
'/dev/lp,character',
|
||||
'/dev/mcelog,character',
|
||||
'/dev/media,character',
|
||||
'/dev/mei,character',
|
||||
'/dev/mem,character',
|
||||
'/dev/mqueue/,directory',
|
||||
'/dev/mtd/by-name,directory',
|
||||
'/dev/mtd,character',
|
||||
'/dev/mtd/,directory',
|
||||
'/dev/mtdro,character',
|
||||
'/dev/net/,directory',
|
||||
'/dev/net/tun,character',
|
||||
'/dev/ngn,character',
|
||||
'/dev/ntsync,character',
|
||||
'/dev/null,character',
|
||||
'/dev/nvidia,character',
|
||||
'/dev/nvidiactl,character',
|
||||
'/dev/nvidia-modeset,character',
|
||||
'/dev/nvidia-uvm,character',
|
||||
'/dev/nvidia-uvm-tools,character',
|
||||
'/dev/nvme,character',
|
||||
'/dev/nvmen,block',
|
||||
'/dev/nvmenp,block',
|
||||
'/dev/nvram,character',
|
||||
'/dev/port,character',
|
||||
'/dev/ppp,character',
|
||||
'/dev/pps,character',
|
||||
'/dev/psaux,character',
|
||||
'/dev/ptmx,character',
|
||||
'/dev/ptp,character',
|
||||
'/dev/pts/,character',
|
||||
'/dev/pts/,directory',
|
||||
'/dev/pts/ptmx,character',
|
||||
'/dev/random,character',
|
||||
'/dev/rfkill,character',
|
||||
'/dev/rtc,character',
|
||||
'/dev/sda,block',
|
||||
'/dev/sdb,block',
|
||||
'/dev/sdc,block',
|
||||
'/dev/sdd,block',
|
||||
'/dev/sde,block',
|
||||
'/dev/serial/by-id,directory',
|
||||
'/dev/serial/by-path,directory',
|
||||
'/dev/serial/,directory',
|
||||
'/dev/sg,character',
|
||||
'/dev/sgx_provision',
|
||||
'/dev/sgx_vepc',
|
||||
'/dev/shm/',
|
||||
'/dev/shm/i-log-',
|
||||
'/dev/shm/jack_db-',
|
||||
'/dev/shm/libpod_lock',
|
||||
'/dev/shm/libpod_rootless_lock_',
|
||||
'/dev/shm/lttng-ust-wait--',
|
||||
'/dev/shm/pulse-shm-',
|
||||
'/dev/snapshot',
|
||||
'/dev/snd/',
|
||||
'/dev/snd/by-id',
|
||||
'/dev/snd/by-path',
|
||||
'/dev/snd/controlC',
|
||||
'/dev/snd/hwCD',
|
||||
'/dev/snd/midiCD',
|
||||
'/dev/snd/pcmCDc',
|
||||
'/dev/snd/pcmCDp',
|
||||
'/dev/snd/seq',
|
||||
'/dev/snd/timer',
|
||||
'/dev/sr',
|
||||
'/dev/stderr',
|
||||
'/dev/stdin',
|
||||
'/dev/stdout',
|
||||
'/dev/tee',
|
||||
'/dev/tpm',
|
||||
'/dev/tpmrm',
|
||||
'/dev/tty',
|
||||
'/dev/ttyACM',
|
||||
'/dev/ttyAMA',
|
||||
'/dev/ttyprintk',
|
||||
'/dev/ttyS',
|
||||
'/dev/ttyUSB',
|
||||
'/dev/ubuntu-vg/',
|
||||
'/dev/udmabuf',
|
||||
'/dev/uhid',
|
||||
'/dev/uinput',
|
||||
'/dev/urandom',
|
||||
'/dev/usb/',
|
||||
'/dev/usb/hiddev',
|
||||
'/dev/usbmon',
|
||||
'/dev/userfaultfd',
|
||||
'/dev/userio',
|
||||
'/dev/vboxdrv',
|
||||
'/dev/vboxdrvu',
|
||||
'/dev/vboxnetctl',
|
||||
'/dev/vboxusb/',
|
||||
'/dev/vcs',
|
||||
'/dev/vcsa',
|
||||
'/dev/vcsu',
|
||||
'/dev/vda',
|
||||
'/dev/vfio/',
|
||||
'/dev/vfio/vfio',
|
||||
'/dev/vg/',
|
||||
'/dev/vga_arbiter',
|
||||
'/dev/vg/root',
|
||||
'/dev/vg/swap',
|
||||
'/dev/vgubuntu/',
|
||||
'/dev/vgubuntu/incus-default',
|
||||
'/dev/vgubuntu/root',
|
||||
'/dev/vgubuntu/swap',
|
||||
'/dev/vgubuntu/swap_',
|
||||
'/dev/vhba_ctl',
|
||||
'/dev/vhci',
|
||||
'/dev/shm/,directory',
|
||||
'/dev/shm/libpod_lock,regular',
|
||||
'/dev/shm/libpod_rootless_lock_,regular',
|
||||
'/dev/shm/lttng-ust-wait-,regular',
|
||||
'/dev/shm/lttng-ust-wait--,regular',
|
||||
'/dev/snapshot,character',
|
||||
'/dev/snd/by-id,directory',
|
||||
'/dev/snd/by-path,directory',
|
||||
'/dev/snd/controlC,character',
|
||||
'/dev/snd/,directory',
|
||||
'/dev/snd/hwCD,character',
|
||||
'/dev/snd/pcmCDc,character',
|
||||
'/dev/snd/pcmCDp,character',
|
||||
'/dev/snd/seq,character',
|
||||
'/dev/snd/timer,character',
|
||||
'/dev/sr,block',
|
||||
'/dev/stderr,fifo',
|
||||
'/dev/stderr,character',
|
||||
'/dev/stdin,character',
|
||||
'/dev/stdout,fifo',
|
||||
'/dev/stdout,character',
|
||||
'/dev/tee,character',
|
||||
'/dev/tpm,character',
|
||||
'/dev/tpmrm,character',
|
||||
'/dev/ttyACM,character',
|
||||
'/dev/tty,character',
|
||||
'/dev/ttyprintk,character',
|
||||
'/dev/ttyS,character',
|
||||
'/dev/ubuntu-vg/,directory',
|
||||
'/dev/udmabuf,character',
|
||||
'/dev/uhid,character',
|
||||
'/dev/uinput,character',
|
||||
'/dev/urandom,character',
|
||||
'/dev/usb/,directory',
|
||||
'/dev/usb/hiddev,character',
|
||||
'/dev/usbmon,character',
|
||||
'/dev/userfaultfd,character',
|
||||
'/dev/userio,character',
|
||||
'/dev/vcsa,character',
|
||||
'/dev/vcs,character',
|
||||
'/dev/vcsu,character',
|
||||
'/dev/vfio/,directory',
|
||||
'/dev/vfio/vfio,character',
|
||||
'/dev/vga_arbiter,character',
|
||||
'/dev/vgubuntu/,directory',
|
||||
'/dev/vgubuntu/incus-default,block',
|
||||
'/dev/vgubuntu/root,block',
|
||||
'/dev/vgubuntu/swap,block',
|
||||
'/dev/vgubuntu/swap_,block',
|
||||
'/dev/vhba_ctl,character',
|
||||
'/dev/vhci,character',
|
||||
'/dev/vhost-net',
|
||||
'/dev/vhost-net,character',
|
||||
'/dev/vhost-vsock',
|
||||
'/dev/video',
|
||||
'/dev/vl/',
|
||||
'/dev/vl/by-id',
|
||||
'/dev/vl/by-path',
|
||||
'/dev/vlloopback',
|
||||
'/dev/vl-subdev',
|
||||
'/dev/vportp',
|
||||
'/dev/vsock',
|
||||
'/dev/watchdog',
|
||||
'/dev/wmi/',
|
||||
'/dev/wmi/dell-smbios',
|
||||
'/dev/wwanat',
|
||||
'/dev/wwanmbim',
|
||||
'/dev/zd',
|
||||
'/dev/zero',
|
||||
'/dev/zfs',
|
||||
'/dev/zram',
|
||||
'/dev/zvol/',
|
||||
'/dev/zvol/rpool'
|
||||
'/dev/vhost-vsock,character',
|
||||
'/dev/video,character',
|
||||
'/dev/vl/by-id,directory',
|
||||
'/dev/vl/by-path,directory',
|
||||
'/dev/vl/,directory',
|
||||
'/dev/vlloopback,character',
|
||||
'/dev/vl-subdev,character',
|
||||
'/dev/vndbinder,character',
|
||||
'/dev/vsock,character',
|
||||
'/dev/watchdog,character',
|
||||
'/dev/wwanat,character',
|
||||
'/dev/wwanmbim,character',
|
||||
'/dev/zd,block',
|
||||
'/dev/zero,character',
|
||||
'/dev/zfs,character',
|
||||
'/dev/zram,block',
|
||||
'/dev/zvol/,directory',
|
||||
'/dev/zvol/rpool,directory'
|
||||
)
|
||||
AND NOT path LIKE '/dev/mapper/%'
|
||||
AND NOT path LIKE '/dev/shm/byobu-%'
|
||||
@ -280,3 +275,11 @@ WHERE
|
||||
AND NOT path LIKE '/dev/shm/libv4l-%'
|
||||
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
|
||||
AND NOT path LIKE '/dev/%-vg/%-lv'
|
||||
AND NOT (
|
||||
directory = '/dev/shm/'
|
||||
AND type = 'regular'
|
||||
AND mode = '0666'
|
||||
AND uid IN (0,1000,1001)
|
||||
AND size IN (32,4096)
|
||||
)
|
||||
GROUP BY exception_key
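Review bot: The new `/dev/shm/` carve-out (the `AND NOT (...)` block ending at `size IN (32,4096)`) exempts any world-writable regular file in that directory by uid and size alone, with no name pattern, so a regular file with those attributes is dropped from the results whatever it is called, whereas the file's other `/dev/shm/` exemptions are name-based (`byobu-%`, `libv4l-%`, `u%-ValveIPC%`). Consider tying the exemption to the file name of whatever produces these 32- and 4096-byte files and recording that in a comment, e.g. `-- 0666 regular files of size 32/4096 in /dev/shm: written by <SOFTWARE - fill in>`; the hard-coded uids 1000 and 1001 also look environment-specific and deserve the same explanation. Separately, `GROUP BY exception_key` with bare `file.*` columns means the row reported for each key is an arbitrary member of the group in SQLite, so an analyst sees one path where several may have matched; `GROUP_CONCAT(path)` or `MIN(path)` would make the output deterministic, and the leading `DISTINCT` is redundant once the result is grouped. The WHERE clause this hunk closes begins in the first hunk of the file.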
|