RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #211 from tstromberg/keyfinder 

Add RSA key finders, and mdfind-based GCP key finder
This commit is contained in:
Thomas Strömberg 2023-03-01 11:08:09 -05:00 committed by GitHub
parent b7d7ad1a1b fa7a0971d4
commit 6d05dbc2da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 117 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
policy/gcp-service-account-keys-mdfind.sql Normal file
View File

@ -0,0 +1,37 @@
-- Indicative of stored GCP service account keys just sitting around unencrypted
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
ea.value AS url
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
mdfind.query = "kMDItemFSName == '*.json'"
AND file.filename LIKE "%-%-%.json"
AND file.directory NOT LIKE '%/go/pkg/%'
AND file.directory NOT LIKE '%/go/src/%'
AND file.directory NOT LIKE '/Users/%/Library/Application Support/%'
AND file.directory NOT LIKE '%demo'
AND file.size BETWEEN 2311 AND 2385
-- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(file.filename, CONCAT (u.username, "-")) == 1
-- Don't alert on tokens that begin with the users full name and a dash
AND NOT INSTR(
file.filename,
REPLACE(LOWER(TRIM(u.description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
AND file.filename NOT IN ('service-account-file.json')
GROUP BY file.path

33
policy/unexpected-rsa-keys-mdfind.sql Normal file
View File

@ -0,0 +1,33 @@
-- Indicative of stored RSA keys just sitting around unencrypted
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
file.path,
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
ea.value AS url
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
mdfind.query = "kMDItemFSName == '*.rsa'"
AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
AND size BETWEEN 128 AND 8192
-- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
-- Don't alert on tokens that begin with the users full name and a dash
AND NOT INSTR(
filename,
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
GROUP BY file.path

47
policy/unexpected-rsa-keys.sql Normal file
View File

@ -0,0 +1,47 @@
-- Indicative of stored RSA keys just sitting around unencrypted
--
-- tags: persistent state filesystem seldom
-- platform: posix
SELECT
file.path,
file.type,
file.size,
file.mtime,
file.uid,
file.ctime,
file.gid,
hash.sha256,
magic.data
FROM
file
LEFT JOIN hash ON file.path = hash.path
LEFT JOIN users u ON file.uid = u.uid
LEFT JOIN magic ON file.path = magic.path
WHERE
(
file.directory LIKE '/Users/%/Downloads/%'
OR file.directory LIKE '/home/%/%'
OR file.directory LIKE '/home/%/'
OR file.directory LIKE '/home/%/.%'
OR file.directory LIKE '/home/%/Downloads/%'
OR file.directory LIKE '/tmp/%'
OR file.directory LIKE '/tmp/'
OR file.directory LIKE '/Users/%/%'
OR file.directory LIKE '/Users/%/'
OR file.directory LIKE '/Users/%/.%'
OR file.directory LIKE '/var/tmp/%'
OR file.directory LIKE '/var/tmp/'
)
AND file.directory NOT LIKE "%/../%"
AND file.directory NOT LIKE "%/./%"
AND filename LIKE "%.rsa"
AND size BETWEEN 128 AND 8192
-- Don't alert on tokens that begin with the username-, as they may be personal
AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
-- Don't alert on tokens that begin with the users full name and a dash
AND NOT INSTR(
filename,
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')