mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-01-05 21:09:29 +00:00
Add exception for whois
parent
c1b7829797
commit
889ad9a5fd
@ -88,6 +88,7 @@ WHERE
|
||||
'22,6,500,/usr/ssh,0u,0g,ssh',
|
||||
'3478,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'4070,6,500,/opt/spotify,0u,0g,spotify',
|
||||
'43,6,500,/usr/whois,0u,0g,whois',
|
||||
'5228,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'5228,6,500,/usr/chrome,0u,0g,chrome',
|
||||
'8000,6,500,/opt/chrome,0u,0g,chrome',
|
||||
@ -97,7 +98,6 @@ WHERE
|
||||
'80,6,0,/usr/packagekitd,0u,0g,packagekitd',
|
||||
'80,6,0,/usr/pacman,0u,0g,pacman',
|
||||
'80,6,0,/usr/python3.10,0u,0g,dnf',
|
||||
'80,6,500,/usr/python3.10,0u,0g,yum',
|
||||
'80,6,0,/usr/python3.10,0u,0g,yum',
|
||||
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
|
||||
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
@ -110,6 +110,7 @@ WHERE
|
||||
'80,6,500,/usr/firefox,0u,0g,firefox',
|
||||
'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
|
||||
'80,6,500,/usr/pacman,0u,0g,pacman',
|
||||
'80,6,500,/usr/python3.10,0u,0g,yum',
|
||||
'8080,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'8080,6,500,/usr/firefox,0u,0g,firefox',
|
||||
'8443,6,500,/opt/chrome,0u,0g,chrome',
|
||||
@ -130,5 +131,11 @@ WHERE
|
||||
AND s.protocol = 6
|
||||
AND p.euid > 500
|
||||
)
|
||||
-- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
|
||||
AND NOT (
|
||||
exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh'
|
||||
AND s.remote_port = 40022
|
||||
AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
|
||||
)
|
||||
GROUP BY
|
||||
p.cmdline
|
||||
|
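Review bot: The exception in the last hunk (`exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh'` with `s.remote_port = 40022` and `s.remote_address = '104.131.84.33'`) hard-codes one site's SSH gateway into a shared detection query, and the commit title ("Add exception for whois") does not mention it. Pinning both port and address keeps the clause narrow, but an IP-to-owner binding can go stale, after which outbound ssh to whoever holds that address would be silently suppressed in every deployment of this query. Until the TODO is resolved, I would extend the comment with an owner and a review date, e.g. `-- TODO(<owner>, <date>): move to a local override overlay; re-verify 104.131.84.33 is still gatekeeper.uservers.net`. The page has lost its +/- markers, so which lines are new is inferred from the hunk counts, and the WHERE clause begins outside the visible hunks.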