Add exceptions for Steam on Linux
This commit is contained in:
parent
cf7b8dcbef
commit
6e2f7059b5
@ -86,6 +86,7 @@ WHERE
|
||||
'500,/home/go,500u,500g,go',
|
||||
'500,/home/grype,500u,500g,grype',
|
||||
'500,/home/jcef_helper,500u,500g,jcef_helper',
|
||||
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
|
||||
'500,/ko-app/chainctl,u,g,chainctl',
|
||||
'500,/ko-app/controlplane,u,g,controlplane',
|
||||
'500,/opt/1password,0u,0g,1password',
|
||||
|
@ -68,6 +68,7 @@ WHERE
|
||||
'17,255,500,mtr-packet',
|
||||
'22000,6,500,syncthing',
|
||||
'22,6,0,sshd',
|
||||
'27036,6,500,steam',
|
||||
'3000,6,472,grafana-server',
|
||||
'3000,6,500,grafana-server',
|
||||
'32768,6,0,tailscaled',
|
||||
@ -80,6 +81,7 @@ WHERE
|
||||
'4191,6,500,linkerd2-proxy',
|
||||
'443,6,500,jcef_helper',
|
||||
'4443,6,500,metrics-server',
|
||||
'5000,6,0,registry',
|
||||
'5000,6,500,ControlCenter',
|
||||
'5001,6,0,registry',
|
||||
'53,17,0,coredns',
|
||||
@ -94,7 +96,6 @@ WHERE
|
||||
'58,255,500,dhcpcd',
|
||||
'58,255,500,mtr-packet',
|
||||
'631,17,0,cups-browsed',
|
||||
'5000,6,0,registry',
|
||||
'6379,6,500,redis-server',
|
||||
'6443,6,0,kube-apiserver',
|
||||
'67,17,500,dnsmasq',
|
||||
@ -119,7 +120,7 @@ WHERE
|
||||
'9090,6,500,controlplane',
|
||||
'9153,6,0,coredns',
|
||||
'9300,6,500,authentik-proxy'
|
||||
)
|
||||
)
|
||||
AND NOT (
|
||||
p.path LIKE ',ko-app,%'
|
||||
AND lp.port > 1024
|
||||
|
@ -105,6 +105,7 @@ WHERE
|
||||
'80,6,500,/app/thunderbird,u,g,thunderbird',
|
||||
'80,6,500,/home/steam,500u,100g,steam',
|
||||
'80,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'27035,6,500,/home/steam,500u,100g,steam',
|
||||
'80,6,500,/opt/firefox,0u,0g,firefox',
|
||||
'80,6,500,/usr/chrome,0u,0g,chrome',
|
||||
'80,6,500,/usr/curl,0u,0g,curl',
|
||||
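Review bot: The new `'27035,6,500,/home/steam,500u,100g,steam',` entry breaks the ordering the rest of this list follows; every neighbouring key begins with `80,6,500,` and is sorted on the path component (`/app/thunderbird`, `/opt/chrome`, `/opt/firefox`, `/usr/chrome`, `/usr/curl`), so a `27035,...` key belongs ahead of the `80,...` block rather than between the chrome and firefox lines. Keeping the list sorted is what makes duplicate or stale exceptions easy to spot in review. The enclosing `IN (...)` list starts and ends outside this hunk.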
|
@ -108,6 +108,7 @@ WHERE
|
||||
'jetbrains-toolb',
|
||||
'launcher',
|
||||
'slack',
|
||||
'steam',
|
||||
'wineserver'
|
||||
)
|
||||
AND p.path NOT LIKE '/Applications/%.app/Contents/%'
|
||||
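Review bot: The `'steam',` exception added to this `name NOT IN (...)` list is keyed on the process name alone, while the other Steam exceptions in this commit are keyed on the executable path under `/home/%/.local/share/Steam/`; a name-only entry excludes any process that happens to report that name, regardless of where it runs from. Since `p.path` is already referenced at the end of this hunk, a path-qualified form such as `AND NOT (name = 'steam' AND p.path LIKE '/home/%/.local/share/Steam/%')` placed after the list would keep the exception to the Steam install location, if that is the intended scope. The enclosing `WHERE` clause starts outside this hunk.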
|
@ -102,6 +102,7 @@ WHERE
|
||||
OR dir LIKE '~/.local/share/JetBrains/%'
|
||||
OR dir LIKE '~/.local/share/kotlin/%'
|
||||
OR dir LIKE '~/.local/share/nvim/%'
|
||||
OR dir LIKE '~/.local/share/Steam/%'
|
||||
OR dir LIKE '~/.provisio%'
|
||||
OR dir LIKE '~/src/%'
|
||||
OR dir LIKE '~/%/.terraform%'
|
||||
|
@ -46,6 +46,7 @@ WHERE
|
||||
AND file.path NOT LIKE '/var/folders/%/T/go.%.%.sum'
|
||||
AND file.path NOT LIKE '/var/folders%/T/sp_relauncher'
|
||||
AND file.path NOT LIKE '/var/tmp/epdfinfo%'
|
||||
AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'
|
||||
AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
|
||||
AND (
|
||||
file.mode LIKE '%7%'
|
||||
|
@ -88,6 +88,7 @@ WHERE
|
||||
AND NOT p.path LIKE '/nix/store/%/bin/%'
|
||||
AND NOT p.path LIKE '/usr/local/bin/%'
|
||||
AND NOT p.path LIKE '/usr/local/Cellar/%'
|
||||
AND NOT p.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'
|
||||
AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
|
||||
AND NOT p.path LIKE '%/.vscode/extensions/%'
|
||||
AND NOT pp.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
|
||||
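Review bot: The new `AND NOT p.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'` is a path-only exclusion rooted in a per-user, user-writable directory, which is a different trust level from the `/nix/store` and `/usr/local` entries it is grouped with, and nothing on the line records why it is needed. A short trailing comment in the style of the `gnome-shell` line below it would make the intent reviewable later, e.g. `-- Steam's Linux runtime executes from the user-writable Steam directory`. Given that the query already joins a parent process (`pp.path`), the exception could presumably be tightened with a parent constraint; confirm against the query's purpose before doing so. The enclosing `WHERE` clause starts outside this hunk.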
|
@ -29,3 +29,5 @@ WHERE
|
||||
AND file.size < 10000
|
||||
AND NOT file.path LIKE '/Users/%/.zsh/completion'
|
||||
AND NOT file.path LIKE '/home/%/.zsh/completion'
|
||||
AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
|
||||
AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
|
||||
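Review bot: The pattern `'/home/%/.local/share/Steam/ubuntu%'` has no trailing `/` or path component, so it matches any entry whose name merely starts with `ubuntu` at that level as well as everything beneath it, whereas the corresponding exception added elsewhere in this commit uses the tighter `'/home/%/.local/share/Steam/ubuntu12_64/%'`. If the runtime directory is what is meant, aligning this line to `AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'` keeps the two queries consistent. The companion `steamapps/%` exclusion below it covers the entire game-content tree, which is also user-writable; a one-line comment noting that this is a deliberate trade-off would help the next reader judge it. The enclosing `WHERE` clause starts outside this hunk.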
|
@ -32,6 +32,7 @@ WHERE
|
||||
AND p.path NOT LIKE '/System/Library/%'
|
||||
AND p.path NOT LIKE '/System/Applications/%'
|
||||
AND p.path NOT LIKE '/Library/Apple/System/Library/%'
|
||||
AND p.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
|
||||
AND name NOT IN (
|
||||
'bash',
|
||||
'bwrap',
|
||||
@ -54,6 +55,7 @@ WHERE
|
||||
'qemu-system-x86',
|
||||
'qemu-system-x86-64',
|
||||
'slack',
|
||||
'steam',
|
||||
'systemd',
|
||||
'wineserver',
|
||||
'ykman-gui',
|
||||
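Review bot: In the first hunk of this section, `AND p.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'` excludes every process whose executable lives anywhere under the user-writable `steamapps` tree, and it is placed among macOS system-path exclusions (`/System/Library/%`, `/System/Applications/%`, `/Library/Apple/System/Library/%`) where a reader would not expect a Linux home-directory path. Moving it next to any other Linux user paths the query has, and adding a comment such as `-- Linux Steam: game binaries run from the user-writable steamapps tree`, would document the intent; the `'steam',` name entry in the second hunk presumably covers the client itself, so confirm whether both are still needed. The enclosing `WHERE` clause starts outside these hunks.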
|