From 7e210049bfa05f60924123972b1a97d44c9fee5f Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 10 Sep 2022 07:24:17 -0400
Subject: [PATCH] First weekend tuning
---
 ...key_tap.sql => macos_keyboard_sniffer.sql} | 0
 fd/unexpected-dev-opener.sql | 227 ++++++++++++------
 net/unexpected-listening-port.sql | 4 +-
 process/hidden-cwd.sql | 7 +-
 process/high-disk-bytes-written.sql | 3 +-
 process/high_disk_bytes_read.sql | 2 +-
 process/name_path_mismatch.sql | 5 +-
 process/sketchy-cmdline.sql | 2 -
 process/unexpected-executable-directory.sql | 6 +-
 process/unexpected-setuid-running.sql | 19 --
 startup/unexpected-launchd.sql | 2 +
 11 files changed, 169 insertions(+), 108 deletions(-)
 rename fd/{macos_event_key_tap.sql => macos_keyboard_sniffer.sql} (100%)
 delete mode 100644 process/unexpected-setuid-running.sql
diff --git a/fd/macos_event_key_tap.sql b/fd/macos_keyboard_sniffer.sql
similarity index 100%
rename from fd/macos_event_key_tap.sql
rename to fd/macos_keyboard_sniffer.sql
diff --git a/fd/unexpected-dev-opener.sql b/fd/unexpected-dev-opener.sql
index 4c4ca17..c5fd830 100644
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@@ -29,82 +29,151 @@ WHERE pof.path LIKE '/dev/%'
 '/dev/vga_arbiter',
 '/dev/tty'
 )
-AND NOT pof.path LIKE '/dev/ttys%'
-AND NOT pof.path LIKE '/dev/pts/%'
-AND NOT pof.path LIKE '/dev/snd/pcm%'
-AND NOT pof.path LIKE '/dev/snd/control%'
-AND NOT pof.path LIKE '/dev/shm/.com.google.%'
-AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
-AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
-AND NOT (program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' AND device='/dev/auditpipe')
-AND NOT (program LIKE '/home/%/.local/share/Steam/%' AND device LIKE '/dev/shm/%')
-AND NOT (program LIKE '/nix/store/%/bin/.tailscaled-wrapped' AND device='/dev/net/tun')
-AND NOT (program LIKE '/nix/store/%/bin/agetty' AND device LIKE '/dev/tty%')
-AND NOT (program LIKE '/nix/store/%/bin/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program LIKE '/nix/store/%/bin/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program LIKE '/nix/store/%/bin/zed' AND device='/dev/zfs')
-AND NOT (program LIKE '/nix/store/%/bin/zfs' AND device='/dev/zfs')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-journald' AND device='/dev/kmsg')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/input/event%')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd' AND device='/dev/kmsg')
-AND NOT (program LIKE '/nix/store/%/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
-AND NOT (p.name='chrome' AND device LIKE '/dev/video%')
-AND NOT (p.name='chrome' AND device LIKE '/dev/hidraw%')
-AND NOT (p.name='firefox' AND device LIKE '/dev/shm/.%')
-AND NOT (p.name='firefox' AND device LIKE '/dev/video%')
-AND NOT (p.name='obs' AND device LIKE '/dev/video%')
-AND NOT (program='/sbin/launchd' AND device='/dev/console')
-AND NOT (program='/System/Library/Frameworks/GSS.framework/Helpers/GSSCred' AND device='/dev/auditsessions')
-AND NOT (program='/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd' AND device='/dev/auditsessions')
-AND NOT (program='/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond' AND device LIKE '/dev/afsc_type%')
-AND NOT (program='/usr/bin/apcupsd' AND device LIKE '/dev/usb/hiddev%')
-AND NOT (program='/usr/bin/bash' AND device LIKE '/dev/shm/%')
-AND NOT (program='/usr/bin/cat' AND device LIKE '/dev/shm/%')
-AND NOT (program='/usr/bin/ffmpeg' AND device='/dev/nvidia-uvm')
-AND NOT (program='/usr/bin/ffmpeg' AND device LIKE '/dev/video%')
-AND NOT (program='/usr/sbin/netbiosd' AND device LIKE '/dev/nsmb%')
-AND NOT (program='/usr/bin/gnome-calendar' AND device='/dev/nvidiactl')
-AND NOT (program='/usr/bin/gnome-shell' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/bin/gphoto2' AND device LIKE '/dev/bus/usb/%')
-AND NOT (program='/usr/bin/kubelet' AND device='/dev/kmsg')
-AND NOT (program='/usr/bin/pipewire' AND device LIKE '/dev/snd/%')
-AND NOT (program='/usr/bin/tailscaled' AND device='/dev/net/tun')
-AND NOT (program='/usr/lib/gdm-x-session' AND device='/dev/tty2')
-AND NOT (program='/usr/lib/systemd/systemd-journald' AND device='/dev/kmsg')
-AND NOT (program='/usr/lib/systemd/systemd-logind' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/systemd/systemd-logind' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/lib/systemd/systemd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/systemd/systemd' AND device='/dev/autofs')
-AND NOT (program='/usr/lib/systemd/systemd' AND device='/dev/kmsg')
-AND NOT (program='/usr/lib/upowerd' AND device LIKE '/dev/usb/hiddev%')
-AND NOT (program='/usr/lib/upowerd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/lib/xorg/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/lib/xorg/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/airportd' AND device LIKE '/dev/bpf%')
-AND NOT (program='/usr/libexec/airportd' AND device='/dev/io8logmt')
-AND NOT (program='/usr/libexec/automountd' AND device='/dev/autofs')
-AND NOT (program='/usr/libexec/gdm-wayland-session' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/gdm-x-session' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/libexec/kernelmanagerd' AND device='/dev/console')
-AND NOT (program='/usr/libexec/logd' AND device='/dev/oslog')
-AND NOT (program='/usr/libexec/PerfPowerServices' AND device='/dev/xcpm')
-AND NOT (program='/usr/libexec/thermald' AND device='/dev/xcpm')
-AND NOT (program='/usr/libexec/TouchBarServer' AND device='/dev/auditsessions')
-AND NOT (program='/usr/libexec/upowerd' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/libexec/upowerd' AND device='/dev/input/event%')
-AND NOT (program='/usr/libexec/Xorg' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/libexec/Xorg' AND device LIKE '/dev/tty%')
-AND NOT (program='/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' AND device='/dev/auditpipe')
-AND NOT (program='/usr/sbin/acpid' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/sbin/bluetoothd' AND device='/dev/cu.BLTH')
-AND NOT (program='/usr/sbin/mcelog' AND device='/dev/mcelog')
-AND NOT (program='/usr/sbin/pcscd' AND device LIKE '/dev/bus/usb/%')
-AND NOT (program='/usr/sbin/securityd' AND device='/dev/auditsessions')
-AND NOT (program='/usr/sbin/syslogd' AND device='/dev/klog')
-AND NOT (program='/usr/sbin/systemstats' AND device='/dev/xcpm')
-AND NOT (program='/usr/sbin/tailscaled' AND device='/dev/net/tun')
-AND NOT (program='/usr/sbin/thermald' AND device LIKE '/dev/input/event%')
-AND NOT (program='/usr/sbin/zed' AND device='/dev/zfs')
-AND NOT (cmdline LIKE "%/bin/streamdeck" AND device LIKE '/dev/bus/usb/%')
\ No newline at end of file
+ AND NOT pof.path LIKE '/dev/ttys%'
+ AND NOT pof.path LIKE '/dev/pts/%'
+ AND NOT pof.path LIKE '/dev/snd/pcm%'
+ AND NOT pof.path LIKE '/dev/snd/control%'
+ AND NOT pof.path LIKE '/dev/shm/.com.google.%'
+ AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
+ AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
+ AND NOT (device LIKE '/dev/hidraw%' AND p.name = 'chrome')
+ AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
+ AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg'))
+ AND NOT (
+ device LIKE '/dev/afsc_type%'
+ AND program = '/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond'
+ )
+ AND NOT (
+ device LIKE '/dev/bpf%'
+ AND program = '/usr/libexec/airportd'
+ )
+ AND NOT (
+ device LIKE '/dev/bus/usb/%'
+ AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd'))
+ OR cmdline LIKE "%/bin/streamdeck"
+ )
+ AND NOT (
+ device LIKE '/dev/input/event%'
+ AND program LIKE '/nix/store/%/bin/Xorg'
+ )
+ AND NOT (
+ device LIKE '/dev/input/event%'
+ AND program LIKE '/nix/store/%/lib/systemd/systemd-logind'
+ )
+ AND NOT (
+ device LIKE '/dev/input/event%'
+ AND program IN (
+ '/usr/bin/gnome-shell',
+ '/usr/lib/systemd/systemd-logind',
+ '/usr/lib/systemd/systemd',
+ '/usr/lib/upowerd',
+ '/usr/lib/Xorg',
+ '/usr/lib/xorg/Xorg',
+ '/usr/libexec/upowerd',
+ '/usr/libexec/Xorg',
+ '/usr/sbin/acpid',
+ '/usr/sbin/thermald'
+ )
+ )
+ AND NOT (
+ device LIKE '/dev/nsmb%'
+ AND program = '/usr/sbin/netbiosd'
+ )
+ AND NOT (
+ device LIKE '/dev/shm/%'
+ AND program LIKE '/home/%/.local/share/Steam/%'
+ )
+ AND NOT (
+ device LIKE '/dev/snd/%'
+ AND program = '/usr/bin/pipewire'
+ )
+ AND NOT (
+ device LIKE '/dev/tty%'
+ AND p.name IN (
+ 'systemd-logind',
+ 'Xorg',
+ 'gdm-wayland-session',
+ 'gdm-x-session',
+ 'X'
+ )
+ )
+ AND NOT (
+ device LIKE '/dev/usb/hiddev%'
+ AND program IN ('/usr/bin/apcupsd', '/usr/lib/upowerd')
+ )
+ AND NOT (
+ device = '/dev/auditpipe'
+ AND program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+ )
+ AND NOT (
+ device = '/dev/auditpipe'
+ AND program = '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+ )
+ AND NOT (
+ device = '/dev/auditsessions'
+ AND program IN (
+ '/System/Library/Frameworks/GSS.framework/Helpers/GSSCred',
+ '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd',
+ '/usr/libexec/TouchBarServer',
+ '/usr/sbin/securityd'
+ )
+ )
+ AND NOT (
+ device = '/dev/autofs'
+ AND program IN (
+ '/usr/lib/systemd/systemd',
+ '/usr/libexec/automountd'
+ )
+ )
+ AND NOT (
+ device = '/dev/console'
+ AND program IN ('/sbin/launchd', '/usr/libexec/kernelmanagerd')
+ )
+ AND NOT (
+ device = '/dev/cu.BLTH'
+ AND program = '/usr/sbin/bluetoothd'
+ )
+ AND NOT (
+ device = '/dev/input/event%'
+ AND program = '/usr/libexec/upowerd'
+ )
+ AND NOT (
+ device = '/dev/io8logmt'
+ AND program = '/usr/libexec/airportd'
+ )
+ AND NOT (
+ device = '/dev/klog'
+ AND program = '/usr/sbin/syslogd'
+ )
+ AND NOT (
+ device = '/dev/kmsg'
+ AND p.name IN ('systemd-journald', 'systemd-journal', 'systemd', 'kubelet')
+ )
+ AND NOT (
+ device = '/dev/mcelog'
+ AND program = '/usr/sbin/mcelog'
+ )
+ AND NOT (
+ device = '/dev/net/tun'
+ AND p.name LIKE '%tailscaled%'
+ )
+ AND NOT (
+ device = '/dev/oslog'
+ AND program = '/usr/libexec/logd'
+ )
+ AND NOT (
+ device = '/dev/uinput'
+ AND program = '/usr/lib/bluetooth/bluetoothd'
+ )
+ AND NOT (
+ device = '/dev/xcpm'
+ AND program IN (
+ '/usr/libexec/PerfPowerServices',
+ '/usr/libexec/thermald',
+ '/usr/sbin/systemstats'
+ )
+ )
+ AND NOT (
+ device = '/dev/zfs'
+ AND p.name IN ('zed', 'zfs')
+ )
\ No newline at end of file
diff --git a/net/unexpected-listening-port.sql b/net/unexpected-listening-port.sql
index 5c13c76..990debd 100644
--- a/net/unexpected-listening-port.sql
+++ b/net/unexpected-listening-port.sql
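Review bot: The `/dev/bus/usb/%` block mixes AND and OR without grouping, so it evaluates as `(device LIKE '/dev/bus/usb/%' AND program IN (...)) OR cmdline LIKE "%/bin/streamdeck"`, which exempts any process whose cmdline ends in `/bin/streamdeck` for every device rather than only for USB; the intended form is `AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd') OR cmdline LIKE "%/bin/streamdeck")`. Two clauses compare `=` against a `%` pattern and can never match: the second `/dev/auditpipe` block with `program = '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'` duplicates the LIKE block directly above it, and `device = '/dev/input/event%'` for upowerd is already covered by the `/dev/input/event%` LIKE list, so both are dead weight that should be dropped. Several exceptions that previously keyed on a full program path now key on `p.name` alone (`p.name LIKE '%tailscaled%'` for `/dev/net/tun`, and the `p.name IN (...)` lists for `/dev/kmsg`, `/dev/tty%` and `/dev/zfs`); a process name is a much weaker identity than its on-disk path, so at minimum the `%tailscaled%` wildcard should be narrowed to the exact names observed, and a comment should record why path matching was dropped for those. The hunk also mixes `"..."` and `'...'` string literals; SQLite treats a double-quoted token as an identifier first and only falls back to a string, so the `'...'` form used elsewhere in the file is the safer choice.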
@@ -35,11 +35,12 @@ WHERE port != 0
 AND NOT (p.name='kube-apiserver' AND p.cwd='/' AND lp.port IN (6443,8443) AND lp.protocol=6)
 AND NOT (p.name='kube-proxy' AND p.cwd='/' AND lp.port>10000 AND lp.protocol=6)
 AND NOT (p.name='kubelet' AND p.cwd='/' AND lp.port=10250 AND lp.protocol=6)
+ AND NOT (p.name='kubectl' AND p.cmdline LIKE '%port-forward%' AND lp.port>1023 AND lp.protocol=6)
 AND NOT (p.name='metrics-sidecar' AND p.cwd='/' AND lp.port=8000 AND lp.protocol=6)
 AND NOT (p.name='NetworkManager' AND p.cwd='/' AND lp.port=58 AND lp.protocol=255)
 AND NOT (p.name='nginx' AND p.cwd='/' AND lp.port=80 AND lp.protocol=6)
 AND NOT (p.name='plugin-container' AND lp.port>32000 AND lp.protocol IN (6,17))
- AND NOT (p.name='node' AND lp.port>5000 AND lp.protocol = 6)
+ AND NOT (p.name='node' AND lp.port>1024 AND lp.protocol = 6)
 AND NOT (p.name='registry' AND lp.port>1024 AND lp.protocol = 6)
 AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
 AND NOT (p.name='tailscaled' AND lp.port=4161 AND lp.protocol=6)
@@ -71,6 +72,7 @@ WHERE port != 0
 AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port=3722 AND lp.protocol=17)
 AND NOT (p.name='remoted' AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
 AND NOT (p.name='RescueTime' AND p.cwd='/' AND lp.port=16587 AND lp.protocol=6)
+ AND NOT (p.name='kdenlive' AND lp.port=1337 AND lp.protocol=6)
 AND NOT (p.name='sharingd' AND p.cwd='/' AND lp.port IN (8770,8771) AND lp.protocol=6)
 AND NOT (p.name='syncthing' AND lp.port > 20000 AND lp.protocol IN (6,17))
 AND NOT (p.name='steam' AND lp.port = 270366 AND lp.protocol IN (6,17))
diff --git a/process/hidden-cwd.sql b/process/hidden-cwd.sql
index dd3ef10..412901a 100644
--- a/process/hidden-cwd.sql
+++ b/process/hidden-cwd.sql
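Review bot: The `node` exception is widened from `lp.port>5000` to `lp.port>1024`, so any TCP listener that reports the name `node` on any unprivileged port is now silenced, and the name is the only discriminator; the neighbouring kube entries at least pin `p.cwd='/'`. If the wider range is genuinely needed, pair it with a second attribute, for example `AND NOT (p.name='node' AND p.path LIKE '%/bin/node' AND lp.port>1024 AND lp.protocol = 6)` (constructed example, adjust to the paths seen), or add a comment saying what listens there. The new `kubectl` entry has the same shape, a name plus `cmdline LIKE '%port-forward%'` on any port above 1023, and would benefit from the same narrowing.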
@@ -15,7 +15,8 @@ WHERE p.cwd LIKE "%/.%"
 AND NOT (
 p.cwd LIKE "%/.local/share%" OR
 p.cwd LIKE "%/.vscode/extensions%" OR
- p.cwd LIKE "/Users/%/.%"
- p.cwd LIKE "/home/%/.%"
- p.name = 'bindfs'
+ p.cwd LIKE "/Users/%/.%" OR
+ p.cwd LIKE "/home/%/.%" OR
+ p.name = 'bindfs' OR
+ p.path="/usr/libexec/dirhelper"
 )
diff --git a/process/high-disk-bytes-written.sql b/process/high-disk-bytes-written.sql
index eaf9cd5..75c7216 100644
--- a/process/high-disk-bytes-written.sql
+++ b/process/high-disk-bytes-written.sql
@@ -27,7 +27,8 @@ WHERE bytes_per_second > 2000000
 '/usr/libexec/secd',
 '/usr/bin/aptd',
 '/usr/sbin/screencapture',
- '/usr/lib64/thunderbird/thunderbird'
+ '/usr/lib64/thunderbird/thunderbird',
+ '/usr/bin/yay'
 )
 AND NOT (name LIKE "jbd%/dm-%" AND on_disk = -1)
 AND NOT (name = 'bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')
diff --git a/process/high_disk_bytes_read.sql b/process/high_disk_bytes_read.sql
index 38e61eb..4344b6f 100644
--- a/process/high_disk_bytes_read.sql
+++ b/process/high_disk_bytes_read.sql
@@ -2,7 +2,7 @@ SELECT *, (strftime('%s', 'now') - start_time) AS age, disk_bytes_read / (strfti
 FROM processes
 WHERE bytes_per_second > 1750000
 AND age > 180
-AND NOT (name IN ('slack', 'firefox', 'GoogleSoftwareUpdateAgent', 'zsh', 'bash', 'ykman-gui'))
+AND NOT (name IN ('slack', 'firefox', 'GoogleSoftwareUpdateAgent', 'zsh', 'bash', 'ykman-gui', 'nautilus'))
 AND NOT (name='aned' AND cmdline='/usr/libexec/aned' AND parent=1)
 AND NOT (name='bindfs' AND cmdline LIKE 'bindfs -f -o fsname=%')
 AND NOT (name='chrome' AND path='/opt/google/chrome/chrome')
diff --git a/process/name_path_mismatch.sql b/process/name_path_mismatch.sql
index 5764dd9..90f6079 100644
--- a/process/name_path_mismatch.sql
+++ b/process/name_path_mismatch.sql
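Review bot: The new `p.path="/usr/libexec/dirhelper"` line is written with double quotes and no spaces around `=`, while the line directly above it uses `p.name = 'bindfs'`; for consistency within the list write it as `p.path = '/usr/libexec/dirhelper'`. Single quotes are also the safer literal form here, since SQLite resolves a double-quoted token as an identifier first and only treats it as a string when no such column exists. The `%/.%` LIKE patterns above are existing context and can stay as they are.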
@@ -9,8 +9,10 @@ AND NOT (p.name='gjs' AND filename='gjs-console')
 AND NOT (p.name='mysqld' AND filename='mariadbd')
 AND NOT (p.name='tmux:client' AND filename='tmux')
 AND NOT (p.name='tmux:server' AND filename='tmux')
+AND NOT (p.name LIKE 'clangd:%' AND filename='clangd')
 AND NOT (p.name='nix-daemon' AND filename='nix')
 AND NOT (p.name='systemd-udevd' AND filename='udevadm')
+AND NOT (p.name='GUI Thread' AND filename='resolve')
 AND NOT (p.name='X' AND filename='Xorg')
 AND NOT p.path LIKE '/nix/store/%/bin/bash'
 AND NOT p.path LIKE '/usr/bin/python3%'
@@ -21,5 +23,6 @@ AND NOT filename IN (
 'sh',
 'firefox',
 'systemd',
- 'thunderbird'
+ 'thunderbird',
+ 'ruby'
 )
diff --git a/process/sketchy-cmdline.sql b/process/sketchy-cmdline.sql
index 2d56a72..1db456b 100644
--- a/process/sketchy-cmdline.sql
+++ b/process/sketchy-cmdline.sql
@@ -48,5 +48,3 @@ p.cmdline LIKE "%xmr%" OR
 p.cmdline LIKE "%ransom%" OR
 p.cmdline LIKE "%malware%" OR
 p.cmdline LIKE "%plant%" OR
-(p.cmdline LIKE "%hack%" AND p.cmdline NOT LIKE "hack/%") OR
-(p.cmdline LIKE "%crypt%" AND p.path NOT LIKE "%CryptoTokenKit%" AND p.name NOT IN ('crashpad_handler'))
\ No newline at end of file
diff --git a/process/unexpected-executable-directory.sql b/process/unexpected-executable-directory.sql
index 7e66aac..8a5e856 100644
--- a/process/unexpected-executable-directory.sql
+++ b/process/unexpected-executable-directory.sql
@@ -39,6 +39,8 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 and directory NOT LIKE '/usr/local/Cellar/%'
 AND directory NOT LIKE '/usr/lib/%'
 AND directory NOT LIKE '/usr/lib64/%'
+ AND directory NOT LIKE '/private/var/folders/%/bin'
+ AND directory NOT LIKE '/tmp/%/bin'
 AND directory NOT IN (
 '/bin',
 '/Library/DropboxHelperTools/Dropbox_u501',
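Review bot: Adding `'ruby'` to the `filename IN (...)` list exempts every process whose binary is `ruby` from the name/path mismatch check regardless of what `p.name` reports, which is precisely the signal this query exists to surface; the entries in the first hunk of this file (`p.name LIKE 'clangd:%' AND filename='clangd'`) show the narrower form. If one specific Ruby tool renames itself, prefer a paired entry in that first list, such as `AND NOT (p.name='<observed name>' AND filename='ruby')` with the real name filled in. The `'GUI Thread'` entry added above is likewise a generic thread name; a short `--` comment naming the application it belongs to would stop the next maintainer from widening it further.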
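Review bot: Deleting the last two predicates leaves the file ending on `p.cmdline LIKE "%plant%" OR`, a dangling `OR` with no right-hand operand, so the query no longer parses; the trailing ` OR` on the `%plant%` line has to be removed as well, i.e. `p.cmdline LIKE "%plant%"`. The old side of the hunk reaches end of file, so nothing after it closes the expression, and the enclosing WHERE clause begins before this hunk, so check whether a surrounding parenthesis also needs a closing `)` on the new last line.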
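Review bot: `directory NOT LIKE '/tmp/%/bin'` and `directory NOT LIKE '/private/var/folders/%/bin'` exempt any executable running from a `bin` directory at any depth under the temp trees, which is exactly the kind of location this query is meant to surface; `%` in LIKE matches across `/`, so each pattern covers far more than the single path segment it probably intends. Consider tying the exception to the tool that needs it, by pairing the directory pattern with a `name` or `parent` condition in the style of the `runc` entry in the next hunk, and adding a `-- why` comment naming that tool so the exemption is not silently widened later.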
@@ -79,4 +81,6 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 '/usr/lib/firefox/firefox',
 '/usr/lib64/firefox/firefox'
 )
- AND directory NOT LIKE '/Library/Application Support/Adobe/%';
\ No newline at end of file
+ AND directory NOT LIKE '/Library/Application Support/Adobe/%'
+ AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
+ AND NOT (directory='' AND name LIKE "runc%")
\ No newline at end of file
diff --git a/process/unexpected-setuid-running.sql b/process/unexpected-setuid-running.sql
deleted file mode 100644
index 6829611..0000000
--- a/process/unexpected-setuid-running.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-SELECT p.pid,
- p.name,
- p.path,
- f.mode
-FROM processes p
- JOIN file f ON p.path = f.path
-WHERE f.mode NOT LIKE '0%'
- AND f.path NOT IN (
- '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
- '/opt/1Password/1Password-BrowserSupport',
- '/opt/1Password/1Password-KeyringHelper',
- '/usr/bin/fusermount',
- '/usr/bin/fusermount3',
- '/usr/bin/login',
- '/usr/bin/sudo',
- '/usr/bin/doas',
- '/bin/ps',
- '/usr/bin/ssh-agent'
- );
\ No newline at end of file
diff --git a/startup/unexpected-launchd.sql b/startup/unexpected-launchd.sql
index 70caa02..9697de6 100644
--- a/startup/unexpected-launchd.sql
+++ b/startup/unexpected-launchd.sql
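Review bot: `AND NOT (directory='' AND name LIKE "runc%")` keys on a process-name prefix with no path at all, and the hunk does not say why `directory` is empty for these processes; if this is because the runtime re-executes from an in-memory copy of its binary (my guess, not something the diff shows), a comment such as `-- runc: binary re-executed from memory, so no on-disk directory — confirm` would keep the next reader from broadening it, and the prefix should be replaced with the exact names observed. `'/Library/%/%.bundle/Contents/Helpers'` also matches at any depth because `%` spans `/`; if only one vendor's bundles are meant, name the vendor directory instead of the wildcard. The trailing `;` from the replaced line is dropped; that is fine if the other files in the tree omit it, but it should be consistent.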
@@ -88,3 +88,5 @@ AND NOT (path = '/Library/LaunchAgents/com.epson.eventmanager.agent.plist' AND p
 AND NOT (path = '/Library/LaunchAgents/com.epson.scannermonitor.plist' AND program_arguments = '/Library/Application Support/EPSON/Scanner/ScannerMonitor/Epson Scanner Monitor.app/Contents/MacOS/Epson Scanner Monitor')
 AND NOT (path LIKE '/Users/%/Library/LaunchAgents/homebrew.mxcl.skhd.plist' AND program_arguments = '/opt/homebrew/opt/skhd/bin/skhd')
 AND NOT (path LIKE '/Users/%/Library/LaunchAgents/ProtonMail Bridge.plist' AND program_arguments = '/Applications/ProtonMail Bridge.app/Contents/MacOS/ProtonMail Bridge --no-window')
+AND NOT (path LIKE '/Users/%/Library/LaunchAgents/com.glouel.AerialUpdaterAgent.plist' AND program_arguments = '/usr/bin/open /Applications/Aerial Companion.app')
+AND NOT (path = '/Library/LaunchDaemons/com.oracle.oss.mysql.mysqld.plist' AND program_arguments LIKE '/usr/local/mysql/bin/mysqld%')
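Review bot: The mysqld entry uses `program_arguments LIKE '/usr/local/mysql/bin/mysqld%'`, a prefix match with an unbounded tail, whereas every other entry in this hunk pins the exact argument string; for a LaunchDaemon running as root the argument list is part of what makes the item trusted, so either record the exact arguments observed or, if they vary between installs, add a comment giving the expected form so a reviewer can tell a benign variation from an unexpected one. The Aerial entry allowlists `/usr/bin/open /Applications/Aerial Companion.app`, which trusts whatever that bundle currently contains; that is inherent to `open`-style agents, but a short comment noting it would keep the pattern from being copied for other applications.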