Fewer false positives, particularly among systemctl calls
This commit is contained in:
parent
3de05139e3
commit
8e9ae0fda3
@ -114,8 +114,10 @@ WHERE
|
||||
'500,/home/ko,500u,500g,ko',
|
||||
'500,/home/krel,500u,500g,krel',
|
||||
'500,/home/mconvert,500u,500g,mconvert',
|
||||
'500,/home/Melvor Idle,500u,500g,exe',
|
||||
'500,/home/nerdctl,500u,500g,nerdctl',
|
||||
'500,/home/promoter,500u,500g,promoter',
|
||||
'500,/home/publish-release,500u,500g,publish-release',
|
||||
'500,/home/python3,500u,500g,python3',
|
||||
'500,/home/slirp4netns,500u,500g,slirp4netns',
|
||||
'500,/home/steam,500u,100g,steam',
|
||||
@ -123,6 +125,7 @@ WHERE
|
||||
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
|
||||
'500,/home/steamwebhelper,500u,500g,steamwebhelper',
|
||||
'500,/home/terraform,500u,500g,terraform',
|
||||
'500,/home/trivy,500u,500g,trivy',
|
||||
'500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
|
||||
'500,/ko-app/chainctl,u,g,chainctl',
|
||||
'500,/ko-app/controller,u,g,controller',
|
||||
@ -185,6 +188,7 @@ WHERE
|
||||
'500,/usr/go,u,g,go',
|
||||
'500,/usr/grype,0u,0g,grype',
|
||||
'500,/usr/gsd-datetime,0u,0g,gsd-datetime',
|
||||
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
|
||||
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
|
||||
'500,/usr/htop,0u,0g,htop',
|
||||
'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
|
||||
@ -192,14 +196,11 @@ WHERE
|
||||
'500,/usr/java,u,g,java',
|
||||
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
|
||||
'500,/usr/keybase,0u,0g,keybase',
|
||||
'500,/home/trivy,500u,500g,trivy',
|
||||
'500,/usr/ko,u,g,ko',
|
||||
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
|
||||
'500,/usr/kubectl,500u,500g,kubectl',
|
||||
'500,/usr/lens,0u,0g,lens',
|
||||
'500,/usr/melange,u,g,melange',
|
||||
'500,/usr/nautilus,0u,0g,nautilus',
|
||||
'500,/home/Melvor Idle,500u,500g,exe',
|
||||
'500,/usr/nix,0u,0g,nix',
|
||||
'500,/usr/node,0u,0g,node',
|
||||
'500,/usr/node,0u,0g,.node2nix-wrapp',
|
||||
|
@ -5,7 +5,7 @@
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- platform: linux
|
||||
-- interval: 900
|
||||
-- interval: 600
|
||||
SELECT
|
||||
pe.path AS child_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
|
||||
@ -67,7 +67,7 @@ WHERE
|
||||
'/usr/libexec/ApplicationFirewall/socketfilterfw'
|
||||
)
|
||||
AND uptime.total_seconds > 30
|
||||
AND pe.time > (strftime('%s', 'now') -900) -- Ignore partial table joins
|
||||
AND pe.time > (strftime('%s', 'now') -600) -- Ignore partial table joins
|
||||
AND pe.status == 0
|
||||
AND NOT (
|
||||
pe.euid > 500
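Review bot: The `-600` window on the `pe.time` predicate repeats the value of the `-- interval: 600` header changed elsewhere in this commit, and nothing on the line says the two must move together; a comment such as `-- must equal the "interval:" header above: a smaller window drops events, a larger one double-reports` next to the window would make that coupling explicit. Because the window now equals the interval exactly, a scheduled run that is delayed by osquery's splay will lose events that fall in the gap, which the old, larger window tolerated — confirm how this query is scheduled before relying on the tighter value. The WHERE clause continues outside the hunk.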
|
||||
|
@ -107,7 +107,7 @@ WHERE
|
||||
OR dir LIKE '~/.%'
|
||||
OR dir LIKE '~/code/%'
|
||||
OR dir LIKE '~/%/.config/nvim'
|
||||
OR dir LIKE '~/dev/%/dots/%/.config/%'
|
||||
OR dir LIKE '~/dev/%/dots/%/.config%'
|
||||
OR dir LIKE '~/%/.git'
|
||||
OR dir LIKE '~/%/.github%'
|
||||
OR dir LIKE '~/%/github.com/%'
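Review bot: Dropping the slash in `'~/dev/%/dots/%/.config%'` widens the exception from the `.config` directory and its contents to any sibling entry whose name merely starts with `.config` (for example `.config-old`), which is a different set than the old pattern plus the bare directory. If the intent is to cover the directory itself as well as its children, two explicit patterns keep the match tight: `OR dir LIKE '~/dev/%/dots/%/.config'` and `OR dir LIKE '~/dev/%/dots/%/.config/%'`. The surrounding WHERE clause continues outside the hunk.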
|
||||
|
@ -63,6 +63,7 @@ WHERE
|
||||
'name=file,file=firefox,500',
|
||||
'name=firefox-wrappe,file=firefox,500',
|
||||
'name=firewalld,file=python3,0',
|
||||
'name=apt,file=dash,0',
|
||||
'name=gimp,file=gimp-2,500',
|
||||
'name=gjs,file=gjs-console,120',
|
||||
'name=gjs,file=gjs-console,42',
|
||||
|
@ -30,7 +30,8 @@ WHERE (
|
||||
ctime_age_days > 1050
|
||||
OR mtime_age_days > 1050
|
||||
)
|
||||
AND f.mtime > 1
|
||||
-- Jan 1st, 1980 (the source of many false positives)
|
||||
AND f.mtime > 315561600
|
||||
AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
|
||||
AND f.path NOT IN (
|
||||
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
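Review bot: The constant `315561600` in the new `f.mtime` predicate is not midnight on Jan 1st 1980 UTC (that is `315532800`) but 08:00 UTC, and because the comparison is strictly greater-than it still admits a 1980-01-01 timestamp written later in the day — exactly the FAT/zip epoch value the comment says is the source of the false positives. If the goal is to drop that whole day regardless of the timezone it was written in, `AND f.mtime > 315619200 -- 1980-01-02T00:00:00Z, skips the FAT/zip epoch` is the unambiguous bound and documents the exact instant. Note also that this widens the previous `f.mtime > 1` cut-off: a binary whose mtime was deliberately set to any time before 1980 is now excluded from this check, a reasonable trade-off that the comment should state. The WHERE clause starts before the hunk.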
|
||||
@ -44,6 +45,7 @@ WHERE (
|
||||
'/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
|
||||
'/opt/homebrew/Cellar/bash/5.1.16/bin/bash',
|
||||
'/snap/brackets/138/opt/brackets/Brackets',
|
||||
'/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
|
||||
'/snap/brackets/138/opt/brackets/Brackets-node',
|
||||
'/Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_14',
|
||||
'/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
|
||||
@ -54,7 +56,8 @@ WHERE (
|
||||
'BluejeansHelper',
|
||||
'J8RPQ294UB.com.skitch.SkitchHelper',
|
||||
'Pandora',
|
||||
'Pandora Helper'
|
||||
'Pandora Helper',
|
||||
'dlv'
|
||||
)
|
||||
GROUP BY p.pid,
|
||||
p.path
|
@ -92,6 +92,7 @@ WHERE (
|
||||
'/var/.Parallels_swap/',
|
||||
'/var/.pwd_cache',
|
||||
'/var/root/.bash_history',
|
||||
'/tmp/.go_version',
|
||||
'/var/root/.cache/',
|
||||
'/var/root/.CFUserTextEncoding',
|
||||
'/var/root/.forward',
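Review bot: `'/tmp/.go_version'` is an exact-path exception inside a world-writable directory, so any local user or process can create a hidden file with that name and it will be excused by this list, unlike the neighbouring `/var/root/...` entries that sit behind root-only paths. If the query's table exposes the file owner, pinning the exception to the expected owner would keep the signal; otherwise the trade-off should be recorded next to the entry, e.g. `-- world-writable location: this name can be claimed by any local user`. The list and its WHERE clause continue outside the hunk.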
|
||||
|
@ -49,12 +49,15 @@ WHERE (
|
||||
OR file.path LIKE '/tmp/%/git/%'
|
||||
OR file.path LIKE '/tmp/%/ci/%'
|
||||
OR file.path LIKE '/tmp/kots/%'
|
||||
OR file.path LIKE '/tmp/bin/%'
|
||||
OR file.path LIKE '/tmp/%/github/%'
|
||||
OR file.path LIKE '/tmp/terraformer/%'
|
||||
OR file.path LIKE '/tmp/tmp.%'
|
||||
OR file.path LIKE '/tmp/%/dist/%'
|
||||
OR file.path LIKE '%/bin/%-gen'
|
||||
OR file.path LIKE '/tmp/%/target/debug/build/%'
|
||||
OR file.path LIKE '%/ko/%'
|
||||
OR file.directory LIKE '/tmp/%/out'
|
||||
OR file.path LIKE '%/pdf-tools/%'
|
||||
OR file.path LIKE '%/tmp/epdf%'
|
||||
OR file.path LIKE "/tmp/%/gradlew"
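Review bot: Several `file.path` exceptions in this list are unanchored — `'%/ko/%'`, `'%/pdf-tools/%'`, `'%/tmp/epdf%'`, `'%/bin/%-gen'` — so a payload dropped at any path containing one of those components (for example `/tmp/x/ko/run`) is excused; the rendered page does not show which of the three added lines these are, but `'%/ko/%'` in particular is a very short component to match anywhere. Anchoring to the directory the tool actually uses, e.g. `OR file.path LIKE '/tmp/%/ko/%'`, keeps the exception to the case that produced the false positive. Separately, the last line uses double quotes around `/tmp/%/gradlew`; SQLite only treats that as a string literal by fallback when no column of that name exists, so it should be single-quoted like its neighbours. The WHERE clause continues outside the hunk.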
|
||||
|
@ -11,7 +11,7 @@ SELECT
|
||||
pe.pid,
|
||||
pe.cmdline,
|
||||
REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
|
||||
REGEX_MATCH (pe.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
|
||||
REGEX_MATCH (pe.cmdline, '[ /](\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
|
||||
REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port,
|
||||
REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
|
||||
REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
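Review bot: The new `ip` expression `'[ /](\d+\.\d+\.\d+\.\d+)[:/]'` requires a space or slash before the address and a colon or slash after it, so an address that ends the command line (`curl http://10.0.0.5`), follows `=` (`--server=10.0.0.5:6443`) or starts the cmdline is still not extracted, and dotted quads with octets above 255 are accepted. If `REGEX_MATCH` is backed by RE2 on this osquery build, `'(?:^|[ /=])(\d+\.\d+\.\d+\.\d+)(?:[:/ ]|$)'` covers those forms while keeping capture group 1 unchanged; confirm the regex engine before relying on the non-capturing groups. The SELECT list continues outside the hunk.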
|
||||
|
@ -47,6 +47,7 @@ WHERE
|
||||
'500,bufls,a.out,',
|
||||
'500,.cargo-wrapped,.cargo-wrapped,',
|
||||
'500,cloud_sql_proxy,a.out,',
|
||||
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
|
||||
'500,cosign,a.out,',
|
||||
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
|
||||
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
|
||||
@ -71,6 +72,7 @@ WHERE
|
||||
'500,registry-redirect,a.out,',
|
||||
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
|
||||
'500,scdaemon,scdaemon,',
|
||||
'500,sdaudioswitch,,',
|
||||
'500,sdaudioswitch,sdaudioswitch,',
|
||||
'500,sdzoomplugin,,',
|
||||
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
|
||||
|
@ -65,10 +65,14 @@ WHERE pe.path = '/usr/bin/xattr'
|
||||
pe.euid > 500
|
||||
AND cmd LIKE '%xattr -l %'
|
||||
)
|
||||
AND NOT (
|
||||
pe.euid > 500
|
||||
AND cmd LIKE '%xattr -p com.apple.quarantine %'
|
||||
)
|
||||
AND NOT (
|
||||
pe.euid > 500
|
||||
AND cmd = '/usr/bin/xattr -h'
|
||||
AND parent_cmd LIKE '%/opt/homebrew/bin/brew%'
|
||||
AND parent_cmd LIKE '%homebrew%'
|
||||
)
|
||||
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
|
||||
AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
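Review bot: The new exception `cmd LIKE '%xattr -p com.apple.quarantine %'` has a leading wildcard, unlike the `-w` exceptions at the end of the hunk that are anchored to `/usr/bin/xattr`, so any xattr command line containing that substring anywhere is excused — including one that also carries `-d com.apple.quarantine` earlier in its argument list, depending on how xattr resolves conflicting flags. Anchoring it the same way, `AND cmd LIKE '/usr/bin/xattr -p com.apple.quarantine %'`, closes that gap at no false-positive cost. The loosened `parent_cmd LIKE '%homebrew%'` only gates the exact `xattr -h` invocation, which is harmless, but a one-line comment saying why `-h` from anything mentioning homebrew is fine would help the next reader. The WHERE clause starts before the hunk.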
|
||||
|
@ -122,6 +122,7 @@ WHERE
|
||||
'discord.com',
|
||||
'dl.discordapp.net',
|
||||
'obsproject.com',
|
||||
'getkap.co',
|
||||
'www.messenger.com',
|
||||
'brave.com',
|
||||
'emacsformacosx.com',
|
||||
|
@ -74,6 +74,7 @@ WHERE
|
||||
'make',
|
||||
'monorail',
|
||||
'ninja',
|
||||
'update-notifier',
|
||||
'nix',
|
||||
'nix-build',
|
||||
'nix-daemon',
|
||||
|
@ -5,7 +5,7 @@
|
||||
--
|
||||
-- tags: transient process state often
|
||||
-- platform: linux
|
||||
-- interval: 900
|
||||
-- interval: 300
|
||||
SELECT
|
||||
pe.path AS child_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
|
||||
@ -66,11 +66,22 @@ WHERE
|
||||
'/bin/systemctl',
|
||||
'/sbin/systemctl'
|
||||
)
|
||||
AND pe.time > (strftime('%s', 'now') -29000) -- Ignore partial table joins
|
||||
AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
|
||||
AND NOT exception_key IN (
|
||||
'systemctl,0,apt-helper,'
|
||||
'systemctl,0,apt-helper,',
|
||||
'systemctl,500,systemd,',
|
||||
'systemctl,0,dash,logrotate',
|
||||
'systemctl,0,,containerd-shim-runc-v2'
|
||||
)
|
||||
AND NOT child_cmd IN (
|
||||
'systemctl status kubelet',
|
||||
'systemctl stop kubelet',
|
||||
'/sbin/runlevel'
|
||||
)
|
||||
-- apt-helper form
|
||||
AND NOT child_cmd LIKE 'systemctl is-active -q %.service'
|
||||
AND NOT child_cmd LIKE 'systemctl show --property=%'
|
||||
AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
|
||||
|
||||
GROUP BY
|
||||
pe.pid
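Review bot: The new exception key `'systemctl,0,,containerd-shim-runc-v2'` excuses a root `systemctl` whose parent name is empty and whose ancestor is a containerd shim, with no constraint on what was run — which is also the shape of a container reaching the host's systemd through a mounted `/run/systemd` socket. Pinning the exception to the command observed in the false positive, for example `AND NOT (exception_key = 'systemctl,0,,containerd-shim-runc-v2' AND child_cmd LIKE 'systemctl is-active %')`, keeps the signal for unit changes driven from inside a container; the key's field layout is defined outside the hunk, so adjust the example to match. Likewise `'systemctl stop kubelet'` is excused for any uid and any parent, and stopping the kubelet is a node-isolation step an intruder might take, so that entry deserves a parent constraint or at least a comment naming the legitimate caller. Note also that the `pe.time` window now equals the 300s interval exactly, so a delayed scheduled run loses the events in the gap.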
|
||||
|
@ -136,17 +136,20 @@ WHERE
|
||||
)
|
||||
-- Because I don't want to whitelist all of Python3
|
||||
AND p.cmdline NOT IN (
|
||||
'xargs logger -s',
|
||||
'/usr/bin/xargs',
|
||||
'/usr/bin/python3 /usr/sbin/lvmdbusd',
|
||||
'/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held',
|
||||
'/sbin/init splash',
|
||||
'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid',
|
||||
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
|
||||
'/usr/bin/python /usr/bin/firewalld --nofork --nopid',
|
||||
'/usr/bin/python3 /usr/libexec/blueman-mechanism',
|
||||
'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
|
||||
'/usr/bin/python3 /usr/lib/pop-transition/service.py',
|
||||
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
|
||||
'/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
|
||||
'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
|
||||
'/usr/bin/python3 /usr/bin/unattended-upgrade --download-only',
|
||||
'/usr/bin/python3 /usr/libexec/blueman-mechanism',
|
||||
'/usr/bin/python3 /usr/lib/pop-transition/service.py',
|
||||
'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
|
||||
'/usr/bin/python3 /usr/sbin/lvmdbusd',
|
||||
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
|
||||
'/usr/bin/python /usr/bin/firewalld --nofork --nopid',
|
||||
'/usr/bin/xargs',
|
||||
'xargs logger -s'
|
||||
)
|
||||
AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
|
||||
AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
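Review bot: The new pattern `'/usr/bin/python3 -s% /usr/sbin/firewalld%'` puts a wildcard between the interpreter flag and the script, so `/usr/bin/python3 -s -c '<code>' /usr/sbin/firewalld` — where `-c` runs the inline code and `/usr/sbin/firewalld` is merely an argument — also matches and is excused from this root-process check. The forms present in the old list are `-s /usr/sbin/firewalld` and `/usr/bin/firewalld`, so spelling the flag out, `AND NOT p.cmdline LIKE '/usr/bin/python3 -s /usr/sbin/firewalld %'`, plus a sibling line for any other flag spelling that actually appears in the telemetry, keeps the exception tight. The trailing `%` on the `dnf` pattern is unavoidable given dnf's argument shape and is fine. The WHERE clause continues outside the hunk.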
|
||||
|
@ -12,4 +12,4 @@ FROM
|
||||
os_version,
|
||||
uptime
|
||||
WHERE
|
||||
uptime.days > 90;
|
||||
uptime.days > 89;
|
||||
|