Merge pull request #263 from tstromberg/times3

Make process times broadly available, minor opts
2025-01-02 19:42:05 +00:00 · 2023-05-16 20:11:16 -04:00 · 2023-05-16 20:11:16 -04:00 · 96fd9e7729
commit 96fd9e7729
parent fb77f0a811 24c2baef28
33 changed files with 73 additions and 53 deletions
--- a/2
+++ b/2
@ -72,7 +72,7 @@ verify-ci: ./out/osqtool-$(ARCH)
 verify: ./out/osqtool-$(ARCH)
 	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response
 	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

 all: out/odk-packs.zip

--- a/detection/discovery/unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/unexpected-netutil-calls-linux.sql
@ -13,6 +13,7 @@ SELECT
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
+  pe.time,
  p.cgroup_path AS p0_cgroup,
  -- Parent
  pe.parent AS p1_pid,
--- a/detection/discovery/unexpected-netutil-calls-macos.sql
+++ b/detection/discovery/unexpected-netutil-calls-macos.sql
@ -13,6 +13,7 @@ SELECT
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
+  pe.time AS p0_time,
  pe.euid AS p0_euid,
  s.authority AS p0_authority,
  -- Parent
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@ -75,6 +75,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
          OR file.path LIKE "%/melange%"
          OR file.path LIKE "%/bin/busybox"
          OR file.path LIKE "%/bin/bash"
+          OR file.path LIKE "/tmp/lima/%"
          OR file.path LIKE '%/pdf-tools/%'
          OR file.path LIKE '%-release%/%'
          OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
--- a/detection/execution/exec-failed-launch-constraint-violation.sql
+++ b/detection/execution/exec-failed-launch-constraint-violation.sql
@ -14,6 +14,7 @@ SELECT
  hash.sha256 AS p0_hash,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.time AS p0_time,
  p.cwd AS p0_cwd,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -12,6 +12,7 @@
 SELECT
  -- Child
  pe.path AS p0_path,
+  pe.time AS p0_time,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -11,6 +11,7 @@
 -- interval: 180
 SELECT -- Child
  pe.path AS p0_path,
+  pe.time AS p0_time,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
--- a/detection/execution/relative-exec-low-uid-events.sql
+++ b/detection/execution/relative-exec-low-uid-events.sql
@ -12,6 +12,7 @@ SELECT -- Child
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
+  pe.time AS p0_time,
  p.cgroup_path AS p0_cgroup,
  -- Parent
  pe.parent AS p1_pid,
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@ -14,6 +14,7 @@ SELECT
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
+  pe.time AS p0_time,
  p.cgroup_path AS p0_cgroup,
  -- Parent
  pe.parent AS p1_pid,
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@ -14,6 +14,7 @@ SELECT -- Child
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -29,6 +29,7 @@ SELECT
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
+  pe.time AS p0_time,
  -- pe.cwd is NULL on macOS
  p.cwd AS p0_cwd,
  pe.pid AS p0_pid,
--- a/detection/execution/unexpected-fetcher-parent-events.sql
+++ b/detection/execution/unexpected-fetcher-parent-events.sql
@ -13,6 +13,7 @@ SELECT
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
  pe.pid AS p0_pid,
+  pe.time AS p0_time,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/execution/unexpected-file-made-executable.sql
+++ b/detection/execution/unexpected-file-made-executable.sql
@ -12,6 +12,7 @@ SELECT
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.euid AS p0_euid,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@ -1,6 +1,7 @@
 -- Programs running as root from unusual signers on macOS
 --
 -- platform: darwin
+-- interval: 900
 -- tags: transient seldom process state
 -- Canonical example of including process parents from process_events
 SELECT
@ -8,6 +9,7 @@ SELECT
  REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
  -- Child
  pe.path AS p0_path,
+  pe.time,
  s.authority AS p0_sauth,
  s.identifier AS p0_sid,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
@ -60,6 +62,7 @@ FROM
 WHERE
  -- query optimization: Exclude SIP protected directories
  p.euid = 0
+  AND pe.time > (strftime('%s', 'now') -900)
  AND top_dir NOT IN (
    '/Library/Apple',
    '/System/Library',
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@ -12,6 +12,7 @@ SELECT
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  s.authority AS p0_authority,
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@ -12,6 +12,7 @@ SELECT
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  s.authority AS p0_authority,
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -16,6 +16,7 @@ SELECT
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.pid AS p0_pid,
  pe.euid AS p0_euid,
  p.cgroup_path AS p0_cgroup,
--- a/detection/persistence/unexpected-systemctl-calls-linux.sql
+++ b/detection/persistence/unexpected-systemctl-calls-linux.sql
@ -11,6 +11,7 @@ SELECT -- Child
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
+  pe.time AS p0_time,
  pe.pid AS p0_pid,
  p.cgroup_path AS p0_cgroup,
  -- Parent
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@ -5,6 +5,7 @@
 SELECT
  file.mode AS p0_binary_mode,
  pe.cmdline_size AS p0_cmd_size,
+  pe.time AS p0_time,
  -- Child
  pe.path AS p0_path,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
--- a/detection/privesc/setxid-env-overflow-attempt.sql
+++ b/detection/privesc/setxid-env-overflow-attempt.sql
@ -15,6 +15,7 @@
 SELECT
  file.mode AS p0_binary_mode,
  pe.env AS p0_env,
+  pe.time AS p0_time,
  pe.env_size AS p0_env_size,
  -- Child
  pe.path AS p0_path,
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@ -15,6 +15,7 @@ SELECT
  file.mode AS p0_binary_mode,
  -- Child
  pe.path AS p0_path,
+  pe.time AS p0_time,
  REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
  TRIM(pe.cmdline) AS p0_cmd,
  pe.cwd AS p0_cwd,
--- a/fragments/process_event_parents_macos.sql
+++ b/fragments/process_event_parents_macos.sql
@ -2,6 +2,7 @@
 SELECT
  -- Child
  pe.path AS p0_path,
+  pe.time AS p0_time,
  s.authority AS p0_sauth,
  s.identifier AS p0_sid,
  hash.sha256 AS p0_hash,
--- a/fragments/process_parents.sql
+++ b/fragments/process_parents.sql
@ -4,6 +4,7 @@ SELECT
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  p0.name AS p0_name,
+  p0.start_time AS p0_start,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.cgroup_path AS p0_cgroup,
@ -13,12 +14,14 @@ SELECT
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
+  p1.start_time AS p1_start,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
+  p2.start_time AS p2_start,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
--- a/incident_response/files-recently-written.sql
+++ b/incident_response/files-recently-written.sql
@ -6,24 +6,34 @@
 SELECT *
 FROM file
 WHERE (
-        path LIKE "/var/tmp/%%"
-        OR path LIKE "/Applications/%%"
-        OR path LIKE "/home/%/%%"
-        OR path LIKE "/home/%/.%/%%"
-        OR path LIKE "/home/%/.config/%%"
-        OR path LIKE "/Library/%%"
+        path LIKE "/var/tmp/%"
+        OR path LIKE "/var/tmp/%/%"
+        OR path LIKE "/Applications/%"
+        OR path LIKE "/Applications/%/%"
+        OR path LIKE "/home/%/%"
+        OR path LIKE "/home/%/.%/%"
+        OR path LIKE "/home/%/.%/%/%"
+        OR path LIKE "/home/%/.config/%"
+        OR path LIKE "/home/%/.config/%/%"
+        OR path LIKE "/Library/%/%"
        OR path LIKE "/Library/.%"
        OR path LIKE "/Library/Application Support/%"
        OR path LIKE "/Library/Application Support/.%"
-        OR path LIKE "/tmp/%%"
+        OR path LIKE "/tmp/%"
+        OR path LIKE "/tmp/%/%"
        OR path LIKE "/tmp/.%/%%"
-        OR path LIKE "/Users/%/%%"
-        OR path LIKE "/Users/%/.%/%%"
-        OR path LIKE "/Users/Library/%%"
+        OR path LIKE "/Users/%/%"
+        OR path LIKE "/Users/%/%/%"
+        OR path LIKE "/Users/%/.%/%"
+        OR path LIKE "/Users/%/.%/%/%"
+        OR path LIKE "/Users/Library/%"
+        OR path LIKE "/Users/Library/%/%"
        OR path LIKE "/Users/Library/.%"
-        OR path LIKE "/Users/Library/Application Support/%%"
+        OR path LIKE "/Users/Library/Application Support/%"
+        OR path LIKE "/Users/Library/Application Support/%/%"
        OR path LIKE "/Users/Library/Application Support/.%"
-        OR path LIKE "/var/%%"
+        OR path LIKE "/var/%"
+        OR path LIKE "/var/%/%"
    )
    AND (
        mtime > (strftime('%s', 'now') -3600)
--- a/incident_response/listening_ports.sql
+++ b/incident_response/listening_ports.sql
@ -5,6 +5,7 @@
 SELECT
  lp.*,
  p.name AS p_name,
+  p.start_time AS p_time,
  p.path AS p_path,
  p.euid AS p_euid
 FROM
--- a/incident_response/logged_in_users.sql
+++ b/incident_response/logged_in_users.sql
@ -7,6 +7,7 @@ SELECT
  p.name,
  p.cmdline,
  p.cwd,
+  p.start_time,
  p.root
 FROM
  logged_in_users liu,
--- a/incident_response/open_files.sql
+++ b/incident_response/open_files.sql
@ -5,7 +5,12 @@
 SELECT DISTINCT
  pof.pid,
  pof.path,
+  pof.fd,
  p.name,
+  p.start_time,
+  p.euid,
+  p.parent,
+  p.uid,
  p.cmdline
 FROM
  process_open_files pof
--- a/incident_response/process-files.sql
+++ b/incident_response/process-files.sql
@ -1,17 +0,0 @@
-- Returns information about running processes(non-hidden only)
--
-- tags: postmortem
-- platform: posix
-SELECT
-  GROUP_CONCAT(processes.pid) AS processes,
-  GROUP_CONCAT(processes.name) AS names,
-  file.*,
-  hash.sha256,
-  magic.data
-FROM
-  processes
-  LEFT JOIN file ON processes.path = file.path
-  LEFT JOIN hash ON processes.path = hash.path
-  LEFT JOIN magic ON processes.path = magic.path
-GROUP BY
-  processes.path
--- a/incident_response/process_open_files.sql
+++ b/incident_response/process_open_files.sql
@ -5,6 +5,10 @@
 SELECT
  p.path AS p_path,
  p.name AS p_name,
+  p.start_time AS p_time,
+  p.euid AS p_euid,
+  p.uid AS p_uid,
+  p.cmdline AS p_cmdline,
  pof.*
 FROM
  process_open_files AS pof
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@ -5,6 +5,10 @@
 SELECT
  p.path AS p_path,
  p.name AS p_name,
+  p.start_time AS p_time,
+  p.euid AS p_euid,
+  p.uid AS p_uid,
+  p.cmdline AS p_cmdline,
  pop.*
 FROM
  process_open_pipes AS pop
--- a/incident_response/process_open_sockets.sql
+++ b/incident_response/process_open_sockets.sql
@ -5,6 +5,10 @@
 SELECT
  p.path AS p_path,
  p.name AS p_name,
+  p.start_time AS p_time,
+  p.euid AS p_euid,
+  p.uid AS p_uid,
+  p.cmdline AS p_cmdline,
  pos.*
 FROM
  process_open_sockets AS pos
--- a/incident_response/processes-root-not-apple-macos.sql
+++ b/incident_response/processes-root-not-apple-macos.sql
@ -1,22 +0,0 @@
-- Programs running as root from unusual signers on macOS
--
-- platform: darwin
-- tags: transient process
-- Canonical example of including process parents from process_events
-SELECT
-  p.*,
-  s.*
-FROM
-  processes p
-  LEFT JOIN signature s ON p.path = s.path
-WHERE
-  p.pid IN (
-    SELECT pid FROM processes WHERE
-    p.euid = 0
-    AND p.path NOT LIKE "/System/%"
-    AND p.path NOT LIKE "/Library/Apple/%"
-    AND p.path NOT LIKE "/usr/bin/%"
-    AND p.path NOT LIKE "/usr/libexec/%"
-    AND p.path NOT LIKE "/usr/sbin/%"
-  )
-  AND s.authority NOT IN ('Software Signing')
--- a/incident_response/shared_memory.sql
+++ b/incident_response/shared_memory.sql
@ -4,8 +4,12 @@
 -- platform: linux
 SELECT
  shm.*,
+  p.path AS p_path,
  p.name AS p_name,
-  p.path AS p_path
+  p.start_time AS p_time,
+  p.euid AS p_euid,
+  p.uid AS p_uid,
+  p.cmdline AS p_cmdline
 FROM
  shared_memory AS shm
  LEFT JOIN processes p ON shm.pid = p.pid;