RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-10 07:39:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

More tuning

Browse Source
This commit is contained in:
Thomas Stromberg 2022-09-12 06:52:28 -04:00
parent 6df0447760
commit 78b49a38b2
Failed to extract signature
6 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fd/unexpected-dev-opener.sql
View File

@ -29,6 +29,7 @@ WHERE pof.path LIKE '/dev/%'
'/dev/vga_arbiter',
'/dev/tty'
)
AND NOT pof.path LIKE '/dev/hidraw%'
AND NOT pof.path LIKE '/dev/ttys%'
AND NOT pof.path LIKE '/dev/pts/%'
AND NOT pof.path LIKE '/dev/snd/pcm%'
@ -36,7 +37,6 @@ WHERE pof.path LIKE '/dev/%'
AND NOT pof.path LIKE '/dev/shm/.com.google.%'
AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
AND NOT (device LIKE '/dev/hidraw%' AND p.name IN ('chrome', 'depmod'))
AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg', 'obs-ffmpeg-mux', 'ffmpeg-mux', 'vlc'))
AND NOT (
@ -115,6 +115,7 @@ WHERE pof.path LIKE '/dev/%'
'/System/Library/Frameworks/GSS.framework/Helpers/GSSCred',
'/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd',
'/usr/libexec/TouchBarServer',
'/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm',
'/usr/sbin/securityd'
)
)

24
fd/unexpected-pcap-user.sql
View File

@ -8,10 +8,20 @@ SELECT pmm.pid,
FROM process_memory_map pmm
JOIN processes p ON pmm.pid = p.pid
WHERE pmm.path LIKE "%libpcap%"
AND euid=0
AND proc_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
AND proc_cmd NOT IN ('/nix/var/nix/profiles/default/bin/nix-daemon', '/run/current-system/systemd/lib/systemd/systemd', '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid')
GROUP BY pmm.pid
AND euid = 0
AND proc_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
AND proc_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
AND proc_path NOT LIKE "/System/Library/%"
AND proc_path NOT IN (
'/usr/libexec/UserEventAgent',
'/usr/sbin/systemstats',
'/usr/sbin/cupsd'
)
AND proc_cmd NOT IN (
'/nix/var/nix/profiles/default/bin/nix-daemon',
'/run/current-system/systemd/lib/systemd/systemd',
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid'
)
GROUP BY pmm.pid

1
process/name_path_mismatch.sql
View File

@ -6,6 +6,7 @@ FROM processes p
JOIN file f ON p.path = f.path
WHERE SUBSTR(f.filename, 0, 8) != SUBSTR(p.name, 0, 8)
AND NOT (p.name='gjs' AND filename='gjs-console')
AND NOT (p.name='gnome-character' AND filename='gjs-console')
AND NOT (p.name='mysqld' AND filename='mariadbd')
AND NOT (p.name='tmux:client' AND filename='tmux')
AND NOT (p.name='tmux:server' AND filename='tmux')

1
process/parent-missing-from-disk.sql
View File

@ -17,3 +17,4 @@ FROM processes p
WHERE pp.on_disk != 1
AND p.pid > 2
AND pp.pid != 2 -- kthreadd
AND pp.path NOT IN ('/opt/google/chrome/chrome')

5
process/unusual-fetcher.sql → process/sketchy-fetcher.sql
View File

@ -40,6 +40,8 @@ WHERE
p.cmdline LIKE "%curl %:9%" OR
p.cmdline LIKE "%curl %--user-agent%" OR
p.cmdline LIKE "%curl -fsSL%" OR
p.cmdline LIKE "%curl -k%" OR
p.cmdline LIKE "%curl%--insecure%" OR
p.cmdline LIKE "%wget %/.%" OR
p.cmdline LIKE "%wget %.0%" OR
p.cmdline LIKE "%wget %.1%" OR
@ -54,4 +56,5 @@ WHERE
p.cmdline LIKE "%wget %--user-agent%" OR
p.cmdline LIKE "%wget %--no-check-certificate%"
)
AND parent_name NOT IN ('makepkg')
AND parent_name NOT IN ('makepkg')
AND parent_cmdline NOT LIKE "%brew.rb upgrade"

1
process/unexpected-executable-directory.sql
View File

@ -85,5 +85,6 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
'/usr/lib64/firefox/firefox'
)
AND directory NOT LIKE '/Library/Application Support/Adobe/%'
AND directory NOT LIKE '/Library/Developer/CommandLineTools/Library/%'
AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
AND NOT (directory='' AND name LIKE "runc%")