RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-20 20:40:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add carevout for /nix/store and caskroom

Browse Source
This commit is contained in:
Thomas Stromberg 2022-10-21 11:40:47 -04:00
parent 1afd3f6a75
commit 6bb1785df9
Failed to extract signature
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
detection/evasion/touched-executable-macos.sql
View File

@ -84,10 +84,14 @@ WHERE
OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
OR p.path LIKE '/Applications/%.app/Contents/MacOS/%'
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%'
OR p.path LIKE '/Users/%/google-cloud-sdk/bin/kubectl'
OR p.path LIKE '/nix/store/%'
)
)
AND NOT (
p.euid > 300
AND p.path LIKE '/nix/store/%'
)
AND NOT (
p.euid = 0
AND (