First weekend tuning

fd/unexpected-dev-opener.sql

@@ -29,82 +29,151 @@ WHERE pof.path LIKE '/dev/%'
         '/dev/vga_arbiter',
         '/dev/tty'
     )
-AND NOT pof.path LIKE '/dev/ttys%'
-AND NOT pof.path LIKE '/dev/pts/%'
-AND NOT pof.path LIKE '/dev/snd/pcm%'
-AND NOT pof.path LIKE '/dev/snd/control%'
-AND NOT pof.path LIKE '/dev/shm/.com.google.%'
-AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
-AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
-AND NOT (program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' AND device='/dev/auditpipe')
-AND NOT (program LIKE '/home/%/.local/share/Steam/%' AND device LIKE '/dev/shm/%')
-AND NOT (program LIKE '/nix/store/%/bin/.tailscaled-wrapped' AND device='/dev/net/tun')
-AND NOT (program LIKE '/nix/store/%/bin/agetty' AND device LIKE '/dev/tty%')
-AND NOT (program LIKE '/nix/store/%/bin/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program LIKE '/nix/store/%/bin/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program LIKE '/nix/store/%/bin/zed' AND device='/dev/zfs')
-AND NOT (program LIKE '/nix/store/%/bin/zfs' AND device='/dev/zfs')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-journald' AND device='/dev/kmsg')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/input/event%')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd' AND device='/dev/kmsg')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
-AND NOT (p.name='chrome' AND device LIKE '/dev/video%')
-AND NOT (p.name='chrome' AND device LIKE '/dev/hidraw%')
-AND NOT (p.name='firefox' AND device LIKE '/dev/shm/.%')
-AND NOT (p.name='firefox' AND device LIKE '/dev/video%')
-AND NOT (p.name='obs' AND device LIKE '/dev/video%')
-AND NOT (program='/sbin/launchd' AND device='/dev/console')
-AND NOT (program='/System/Library/Frameworks/GSS.framework/Helpers/GSSCred' AND device='/dev/auditsessions')
-AND NOT (program='/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd' AND device='/dev/auditsessions')
-AND NOT (program='/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond' AND device LIKE '/dev/afsc_type%')
-AND NOT (program='/usr/bin/apcupsd' AND device LIKE '/dev/usb/hiddev%')
-AND NOT (program='/usr/bin/bash' AND device LIKE '/dev/shm/%')
-AND NOT (program='/usr/bin/cat' AND device LIKE '/dev/shm/%')
-AND NOT (program='/usr/bin/ffmpeg' AND device='/dev/nvidia-uvm')
-AND NOT (program='/usr/bin/ffmpeg' AND device LIKE '/dev/video%')
-AND NOT (program='/usr/sbin/netbiosd' AND device LIKE '/dev/nsmb%')
-AND NOT (program='/usr/bin/gnome-calendar' AND device='/dev/nvidiactl')
-AND NOT (program='/usr/bin/gnome-shell' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/bin/gphoto2' AND device LIKE '/dev/bus/usb/%')
-AND NOT (program='/usr/bin/kubelet' AND device='/dev/kmsg')
-AND NOT (program='/usr/bin/pipewire' AND device LIKE '/dev/snd/%')
-AND NOT (program='/usr/bin/tailscaled' AND device='/dev/net/tun')
-AND NOT (program='/usr/lib/gdm-x-session' AND device='/dev/tty2')
-AND NOT (program='/usr/lib/systemd/systemd-journald' AND device='/dev/kmsg')
-AND NOT (program='/usr/lib/systemd/systemd-logind' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/lib/systemd/systemd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/systemd/systemd' AND device='/dev/autofs')
-AND NOT (program='/usr/lib/systemd/systemd' AND device='/dev/kmsg')
-AND NOT (program='/usr/lib/upowerd' AND device LIKE '/dev/usb/hiddev%')
-AND NOT (program='/usr/lib/upowerd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/lib/xorg/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/xorg/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/airportd' AND device LIKE '/dev/bpf%')
-AND NOT (program='/usr/libexec/airportd' AND device='/dev/io8logmt')
-AND NOT (program='/usr/libexec/automountd' AND device='/dev/autofs')
-AND NOT (program='/usr/libexec/gdm-wayland-session' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/gdm-x-session' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/kernelmanagerd' AND device='/dev/console')
-AND NOT (program='/usr/libexec/logd' AND device='/dev/oslog')
-AND NOT (program='/usr/libexec/PerfPowerServices' AND device='/dev/xcpm')
-AND NOT (program='/usr/libexec/thermald' AND device='/dev/xcpm')
-AND NOT (program='/usr/libexec/TouchBarServer' AND device='/dev/auditsessions')
-AND NOT (program='/usr/libexec/upowerd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/libexec/upowerd' AND device='/dev/input/event%')
-AND NOT (program='/usr/libexec/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/libexec/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' AND device='/dev/auditpipe')
-AND NOT (program='/usr/sbin/acpid' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/sbin/bluetoothd' AND device='/dev/cu.BLTH')
-AND NOT (program='/usr/sbin/mcelog' AND device='/dev/mcelog')
-AND NOT (program='/usr/sbin/pcscd' AND device LIKE '/dev/bus/usb/%')
-AND NOT (program='/usr/sbin/securityd' AND device='/dev/auditsessions')
-AND NOT (program='/usr/sbin/syslogd' AND device='/dev/klog')
-AND NOT (program='/usr/sbin/systemstats' AND device='/dev/xcpm')
-AND NOT (program='/usr/sbin/tailscaled' AND device='/dev/net/tun')
-AND NOT (program='/usr/sbin/thermald' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/sbin/zed' AND device='/dev/zfs')
-AND NOT (cmdline LIKE "%/bin/streamdeck" AND device LIKE '/dev/bus/usb/%')
+    AND NOT pof.path LIKE '/dev/ttys%'
+    AND NOT pof.path LIKE '/dev/pts/%'
+    AND NOT pof.path LIKE '/dev/snd/pcm%'
+    AND NOT pof.path LIKE '/dev/snd/control%'
+    AND NOT pof.path LIKE '/dev/shm/.com.google.%'
+    AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
+    AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
+    AND NOT (device LIKE '/dev/hidraw%' AND p.name = 'chrome')
+    AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
+    AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg'))
+    AND NOT (
+        device LIKE '/dev/afsc_type%'
+        AND program = '/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond'
+    )
+    AND NOT (
+        device LIKE '/dev/bpf%'
+        AND program = '/usr/libexec/airportd'
+    )
+    AND NOT (
+        device LIKE '/dev/bus/usb/%'
+        AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd'))
+        OR cmdline LIKE "%/bin/streamdeck"
+    )
+    AND NOT (
+        device LIKE '/dev/input/event%'
+        AND program LIKE '/nix/store/%/bin/Xorg'
+    )
+    AND NOT (
+        device LIKE '/dev/input/event%'
+        AND program LIKE '/nix/store/%/lib/systemd/systemd-logind'
+    )
+    AND NOT (
+        device LIKE '/dev/input/event%'
+        AND program IN (
+            '/usr/bin/gnome-shell',
+            '/usr/lib/systemd/systemd-logind',
+            '/usr/lib/systemd/systemd',
+            '/usr/lib/upowerd',
+            '/usr/lib/Xorg',
+            '/usr/lib/xorg/Xorg',
+            '/usr/libexec/upowerd',
+            '/usr/libexec/Xorg',
+            '/usr/sbin/acpid',
+            '/usr/sbin/thermald'
+        )
+    )
+    AND NOT (
+        device LIKE '/dev/nsmb%'
+        AND program = '/usr/sbin/netbiosd'
+    )
+    AND NOT (
+        device LIKE '/dev/shm/%'
+        AND program LIKE '/home/%/.local/share/Steam/%'
+    )
+    AND NOT (
+        device LIKE '/dev/snd/%'
+        AND program = '/usr/bin/pipewire'
+    )
+    AND NOT (
+        device LIKE '/dev/tty%'
+        AND p.name IN (
+            'systemd-logind',
+            'Xorg',
+            'gdm-wayland-session',
+            'gdm-x-session',
+            'X'
+        )
+    )
+    AND NOT (
+        device LIKE '/dev/usb/hiddev%'
+        AND program IN ('/usr/bin/apcupsd', '/usr/lib/upowerd')
+    )
+    AND NOT (
+        device = '/dev/auditpipe'
+        AND program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+    )
+    AND NOT (
+        device = '/dev/auditpipe'
+        AND program = '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+    )
+    AND NOT (
+        device = '/dev/auditsessions'
+        AND program IN (
+            '/System/Library/Frameworks/GSS.framework/Helpers/GSSCred',
+            '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd',
+            '/usr/libexec/TouchBarServer',
+            '/usr/sbin/securityd'
+        )
+    )
+    AND NOT (
+        device = '/dev/autofs'
+        AND program IN (
+            '/usr/lib/systemd/systemd',
+            '/usr/libexec/automountd'
+        )
+    )
+    AND NOT (
+        device = '/dev/console'
+        AND program IN ('/sbin/launchd', '/usr/libexec/kernelmanagerd')
+    )
+    AND NOT (
+        device = '/dev/cu.BLTH'
+        AND program = '/usr/sbin/bluetoothd'
+    )
+    AND NOT (
+        device = '/dev/input/event%'
+        AND program = '/usr/libexec/upowerd'
+    )
+    AND NOT (
+        device = '/dev/io8logmt'
+        AND program = '/usr/libexec/airportd'
+    )
+    AND NOT (
+        device = '/dev/klog'
+        AND program = '/usr/sbin/syslogd'
+    )
+    AND NOT (
+        device = '/dev/kmsg'
+        AND p.name IN ('systemd-journald', 'systemd-journal', 'systemd', 'kubelet')
+    )
+    AND NOT (
+        device = '/dev/mcelog'
+        AND program = '/usr/sbin/mcelog'
+    )
+    AND NOT (
+        device = '/dev/net/tun'
+        AND p.name LIKE '%tailscaled%'
+    )
+    AND NOT (
+        device = '/dev/oslog'
+        AND program = '/usr/libexec/logd'
+    )
+    AND NOT (
+        device = '/dev/uinput'
+        AND program = '/usr/lib/bluetooth/bluetoothd'
+    )
+    AND NOT (
+        device = '/dev/xcpm'
+        AND program IN (
+            '/usr/libexec/PerfPowerServices',
+            '/usr/libexec/thermald',
+            '/usr/sbin/systemstats'
+        )
+    )
+    AND NOT (
+        device = '/dev/zfs'
+        AND p.name IN ('zed', 'zfs')
+    )

net/unexpected-listening-port.sql

@@ -35,11 +35,12 @@ WHERE port != 0
     AND NOT (p.name='kube-apiserver' AND p.cwd='/' AND lp.port IN (6443,8443) AND lp.protocol=6)
     AND NOT (p.name='kube-proxy' AND p.cwd='/' AND lp.port>10000 AND lp.protocol=6)
     AND NOT (p.name='kubelet' AND p.cwd='/' AND lp.port=10250 AND lp.protocol=6)
+    AND NOT (p.name='kubectl' AND p.cmdline LIKE '%port-forward%' AND lp.port>1023 AND lp.protocol=6)
     AND NOT (p.name='metrics-sidecar' AND p.cwd='/' AND lp.port=8000 AND lp.protocol=6)
     AND NOT (p.name='NetworkManager' AND p.cwd='/' AND lp.port=58 AND lp.protocol=255)
     AND NOT (p.name='nginx' AND p.cwd='/' AND lp.port=80 AND lp.protocol=6)
     AND NOT (p.name='plugin-container' AND lp.port>32000 AND lp.protocol IN (6,17))
-    AND NOT (p.name='node' AND lp.port>5000 AND lp.protocol = 6)
+    AND NOT (p.name='node' AND lp.port>1024 AND lp.protocol = 6)
     AND NOT (p.name='registry' AND lp.port>1024 AND lp.protocol = 6)
     AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
     AND NOT (p.name='tailscaled' AND lp.port=4161 AND lp.protocol=6)
@@ -71,6 +72,7 @@ WHERE port != 0
     AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port=3722 AND lp.protocol=17)
     AND NOT (p.name='remoted' AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
     AND NOT (p.name='RescueTime' AND p.cwd='/' AND lp.port=16587 AND lp.protocol=6)
+    AND NOT (p.name='kdenlive' AND lp.port=1337 AND lp.protocol=6)
     AND NOT (p.name='sharingd' AND p.cwd='/' AND lp.port IN (8770,8771) AND lp.protocol=6)
     AND NOT (p.name='syncthing' AND lp.port > 20000 AND lp.protocol IN (6,17))
     AND NOT (p.name='steam' AND lp.port = 270366 AND lp.protocol IN (6,17))

process/hidden-cwd.sql

@@ -15,7 +15,8 @@ WHERE
 p.cwd LIKE "%/.%" AND NOT (
     p.cwd LIKE "%/.local/share%" OR
     p.cwd LIKE "%/.vscode/extensions%" OR
-    p.cwd LIKE "/Users/%/.%"
-    p.cwd LIKE "/home/%/.%"
-    p.name = 'bindfs'
+    p.cwd LIKE "/Users/%/.%" OR
+    p.cwd LIKE "/home/%/.%" OR
+    p.name = 'bindfs' OR
+    p.path="/usr/libexec/dirhelper"
 )

process/high-disk-bytes-written.sql

@@ -27,7 +27,8 @@ WHERE bytes_per_second > 2000000
         '/usr/libexec/secd',
         '/usr/bin/aptd',
         '/usr/sbin/screencapture',
-        '/usr/lib64/thunderbird/thunderbird'
+        '/usr/lib64/thunderbird/thunderbird',
+        '/usr/bin/yay'
     )
     AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)
     AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')

process/high_disk_bytes_read.sql

@@ -2,7 +2,7 @@ SELECT *, (strftime('%s', 'now') - start_time) AS age, disk_bytes_read / (strfti
 FROM processes
 WHERE bytes_per_second > 1750000
 AND age > 180
-AND NOT (name IN ('slack', 'firefox', 'GoogleSoftwareUpdateAgent', 'zsh', 'bash', 'ykman-gui'))
+AND NOT (name IN ('slack', 'firefox', 'GoogleSoftwareUpdateAgent', 'zsh', 'bash', 'ykman-gui', 'nautilus'))
 AND NOT (name='aned' AND cmdline='/usr/libexec/aned' AND parent=1)
 AND NOT (name='bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')
 AND NOT (name='chrome' AND path='/opt/google/chrome/chrome')

process/name_path_mismatch.sql

@@ -9,8 +9,10 @@ AND NOT (p.name='gjs' AND filename='gjs-console')
 AND NOT (p.name='mysqld' AND filename='mariadbd')
 AND NOT (p.name='tmux:client' AND filename='tmux')
 AND NOT (p.name='tmux:server' AND filename='tmux')
+AND NOT (p.name LIKE 'clangd:%' AND filename='clangd')
 AND NOT (p.name='nix-daemon' AND filename='nix')
 AND NOT (p.name='systemd-udevd' AND filename='udevadm')
+AND NOT (p.name='GUI Thread' AND filename='resolve')
 AND NOT (p.name='X' AND filename='Xorg')
 AND NOT p.path LIKE '/nix/store/%/bin/bash'
 AND NOT p.path LIKE '/usr/bin/python3%'
@@ -21,5 +23,6 @@ AND NOT filename IN (
     'sh',
     'firefox',
     'systemd',
-    'thunderbird'
+    'thunderbird',
+    'ruby'
 )

process/sketchy-cmdline.sql

@@ -48,5 +48,3 @@ p.cmdline LIKE "%xmr%" OR
 p.cmdline LIKE "%ransom%" OR
 p.cmdline LIKE "%malware%" OR
 p.cmdline LIKE "%plant%" OR
-(p.cmdline LIKE "%hack%" AND p.cmdline NOT LIKE "hack/%") OR
-(p.cmdline LIKE "%crypt%" AND p.path NOT LIKE "%CryptoTokenKit%" AND p.name NOT IN ('crashpad_handler'))

process/unexpected-executable-directory.sql

@@ -39,6 +39,8 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
     and directory NOT LIKE '/usr/local/Cellar/%'
     AND directory NOT LIKE '/usr/lib/%'
     AND directory NOT LIKE '/usr/lib64/%'
+    AND directory NOT LIKE '/private/var/folders/%/bin'
+    AND directory NOT LIKE '/tmp/%/bin'
     AND directory NOT IN (
         '/bin',
         '/Library/DropboxHelperTools/Dropbox_u501',
@@ -79,4 +81,6 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
         '/usr/lib/firefox/firefox',
         '/usr/lib64/firefox/firefox'
     )
-    AND directory NOT LIKE '/Library/Application Support/Adobe/%';
+    AND directory NOT LIKE '/Library/Application Support/Adobe/%'
+    AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
+    AND NOT (directory='' AND name LIKE "runc%")

process/unexpected-setuid-running.sql

@@ -1,19 +0,0 @@
-SELECT p.pid,
-    p.name,
-    p.path,
-    f.mode
-FROM processes p
-    JOIN file f ON p.path = f.path
-WHERE f.mode NOT LIKE '0%'
-    AND f.path NOT IN (
-        '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
-        '/opt/1Password/1Password-BrowserSupport',
-        '/opt/1Password/1Password-KeyringHelper',
-        '/usr/bin/fusermount',
-        '/usr/bin/fusermount3',
-        '/usr/bin/login',
-        '/usr/bin/sudo',
-        '/usr/bin/doas',
-        '/bin/ps',
-        '/usr/bin/ssh-agent'
-    );

startup/unexpected-launchd.sql

@@ -88,3 +88,5 @@ AND NOT (path = '/Library/LaunchAgents/com.epson.eventmanager.agent.plist' AND p
 AND NOT (path = '/Library/LaunchAgents/com.epson.scannermonitor.plist' AND program_arguments = '/Library/Application Support/EPSON/Scanner/ScannerMonitor/Epson Scanner Monitor.app/Contents/MacOS/Epson Scanner Monitor')
 AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.skhd.plist' AND program_arguments = '/opt/homebrew/opt/skhd/bin/skhd')
 AND NOT (path LIKE '/Users/%/Library/LaunchAgents/ProtonMail Bridge.plist' AND program_arguments = '/Applications/ProtonMail Bridge.app/Contents/MacOS/ProtonMail Bridge --no-window')
+AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.glouel.AerialUpdaterAgent.plist' AND program_arguments = '/usr/bin/open /Applications/Aerial Companion.app')
+AND NOT (path = '/Library/LaunchDaemons/com.oracle.oss.mysql.mysqld.plist' AND program_arguments LIKE '/usr/local/mysql/bin/mysqld%')