From 89cbf9dacfaa47f7729e6ace341fcc667e571575 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Thu, 29 Sep 2022 15:42:06 -0400 Subject: [PATCH] Detect unexpected uid0 programs on Linux --- process/unexpected-uid0-process-linux.sql | 87 +++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 process/unexpected-uid0-process-linux.sql diff --git a/process/unexpected-uid0-process-linux.sql b/process/unexpected-uid0-process-linux.sql new file mode 100644 index 0000000..e63a29b --- /dev/null +++ b/process/unexpected-uid0-process-linux.sql @@ -0,0 +1,87 @@ +SELECT p.pid, + p.name, + p.path, + p.euid, + p.gid, + f.ctime, + f.directory AS dirname, + p.cmdline, + mnt_namespace, + hash.sha256, + pp.name AS parent_name, + pp.cmdline AS parent_cmdline +FROM processes p + LEFT JOIN file f ON p.path = f.path + LEFT JOIN process_namespaces ON p.pid = process_namespaces.pid + LEFT JOIN hash ON p.path = hash.path + LEFT JOIN processes pp ON p.parent = pp.pid +WHERE p.uid = 0 + AND (strftime('%s', 'now') - p.start_time) > 120 + -- use osquery as the reference mount namespace + AND mnt_namespace IN ( + SELECT DISTINCT (mnt_namespace) + FROM process_namespaces + JOIN processes ON processes.pid = process_namespaces.pid + WHERE processes.name IN ("osqueryi", "osqueryd") + ) + AND p.path NOT IN ( + "", -- Not a file-based process + "/usr/lib/systemd/systemd", + "/usr/sbin/tailscaled", + "/usr/bin/dockerd", + "/usr/bin/containerd", + "/usr/bin/gpg-agent", + "/usr/libexec/scdaemon", + "/usr/libexec/docker/docker-proxy", + "/usr/bin/containerd-shim-runc-v2", + "/usr/sbin/pcscd", + "/usr/lib/systemd/systemd-journald", + "/usr/libexec/accounts-daemon", + "/usr/lib/systemd/systemd-homed", + "/usr/lib/systemd/systemd-machined", + "/usr/libexec/udisks2/udisksd", + "/usr/sbin/alsactl", + "/usr/sbin/abrtd", + "/usr/bin/abrt-dump-journal-core", + "/usr/bin/abrt-dump-journal-oops", + "/usr/bin/abrt-dump-journal-xorg", + "/usr/sbin/cupsd", + "/usr/sbin/gssproxy", + "/usr/sbin/wpa_supplicant", + "/usr/sbin/abrt-dbus", + "/usr/sbin/gdm", + "/usr/libexec/packagekitd", + "/usr/libexec/gdm-session-worker", + "/usr/bin/docker-proxy", + "/usr/bin/journalctl", + "/usr/lib/udisks2/udisksd", + "/usr/bin/crond", + "/usr/bin/lightdm", + "/usr/lib/Xorg", + "/usr/bin/osqueryd", + "/usr/bin/wpa_supplicant", + "/usr/sbin/cups-browsed", + "/usr/sbin/acpid", + "/usr/sbin/cron", + "/usr/libexec/polkitd", + "/usr/sbin/zed", + "/usr/sbin/gdm3", + "/usr/libexec/snapd/snapd", + "/usr/libexec/sssd/sssd_kcm", + "/usr/bin/tailscaled", + "/usr/lib/gdm-session-worker", + "/usr/bin/gdm", + "/snap/snapd/17029/usr/lib/snapd/snapd" + ) + -- Because I don't want to whitelist all of Python3 + AND p.cmdline NOT IN ( + "/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid", + "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal", + "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers" + ) + AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd" + AND p.path NOT LIKE "/usr/local/kolide-k2/bin/launcher-updates/%/launcher" + AND p.path NOT LIKE "/nix/store/%/bin/%" + AND p.path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd%" + AND p.path NOT LIKE "/nix/store/%/libexec/%" + AND p.path NOT LIKE "/snap/snapd/%/usr/lib/snapd/snapd" \ No newline at end of file