Fixes so that ODK can run under CI

2023-02-24 12:15:56 -05:00 · 2023-02-24 12:15:56 -05:00 · 995c1e1104
parent de899a68bb
commit 995c1e1104
8 changed files with 34 additions and 20 deletions
--- a/12
+++ b/12
@ -8,15 +8,15 @@ out/osqtool-$(ARCH):
 	mv out/osqtool out/osqtool-$(ARCH)

 out/odk-detection.conf: out/osqtool-$(ARCH) $(wildcard detection/*.sql)
-	./out/osqtool-$(ARCH) --max-results=0 --max-total-daily-duration=3h45m --max-query-daily-duration=1.5h --verify pack detection/ > out/.odk-detection.conf
+	./out/osqtool-$(ARCH) --verify pack detection/ > out/.odk-detection.conf
 	mv out/.odk-detection.conf out/odk-detection.conf

 out/odk-policy.conf: out/osqtool-$(ARCH)  $(wildcard policy/*.sql)
-	./out/osqtool-$(ARCH) --max-results=0 --verify pack policy/ > out/.odk-policy.conf
+	./out/osqtool-$(ARCH) --verify pack policy/ > out/.odk-policy.conf
 	mv out/.odk-policy.conf out/odk-policy.conf

 out/odk-incident-response.conf: out/osqtool-$(ARCH)  $(wildcard incident_response/*.sql)
-	./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=8s --max-total-daily-duration=90m --verify pack incident_response/ > out/.odk-incident_response.conf
+	./out/osqtool-$(ARCH) --verify pack incident_response/ > out/.odk-incident_response.conf
 	mv out/.odk-incident_response.conf out/odk-incident_response.conf

 # An alternative rules file for configurations where the "wireless_networks" table is forbidden for querying
@ -44,5 +44,11 @@ collection: ./out/osqtool-$(ARCH)
 	$(SUDO) ./out/osqtool-$(ARCH) run policy | tee $(COLLECT_DIR)/policy.txt
 	$(SUDO) ./out/osqtool-$(ARCH) run detection | tee $(COLLECT_DIR)/detection.txt

+.PHONY: verify
+verify: ./out/osqtool-$(ARCH)
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=8s --max-total-daily-duration=90m verify incident_response
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+
 all: out/odk-packs.zip

--- a/README.md
+++ b/README.md
@ -1,5 +1,9 @@
 # osquery-defense-kit

+[![Actions Status](https://github.com/chainguard-dev/osquery-defense-kit/workflows/Verify/badge.svg)](https://github.com/chainguard-dev/osquery-defense-kit/actions)
+[![Latest Release](https://img.shields.io/github/v/release/chainguard-dev/osquery-defense-kit?include_prereleases)](https://github.com/chainguard-dev/osquery-defense-kit/releases/latest)
+[![stable](https://badges.github.io/stability-badges/dist/stable.svg)](https://github.com/badges/stability-badges)
+
 Production-ready detection & response queries for osquery

 ![osquery-defense-kit](images/logo-small.png?raw=true "osquery-defense-kit logo")
@ -92,9 +96,9 @@ Users may submit false positive exceptions for popular well-known software packa

 ### Platform Support

-While originally focused on Linux and macOS, we support the addition of queries on any platform supported by osquery. 
+While originally focused on Linux and macOS, we support the addition of queries on any platform supported by osquery.

-In particular, we've been asked about Windows support: Chainguard doesn't have any Windows machines, but if you have Windows queries that you think would be useful and match our philosophy, we're more than willing to accept them! 
+In particular, we've been asked about Windows support: Chainguard doesn't have any Windows machines, but if you have Windows queries that you think would be useful and match our philosophy, we're more than willing to accept them!

 ### False Positives

--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@ -48,6 +48,7 @@ WHERE
    'systemd-userwor',
    'osqueryi',
    'fprintd',
+    'sudo',
    'systemd',
    'gpg-agent',
    'systemd-userdbd',
--- a/detection/evasion/unusually-tainted-kernel-linux.sql
+++ b/detection/evasion/unusually-tainted-kernel-linux.sql
@ -26,4 +26,4 @@ SELECT current_value AS value,
    current_value & 1 AS proprietary
 FROM system_controls
 WHERE name = "kernel.tainted"
-    AND current_value NOT IN (0, 12289, 4097)
+    AND current_value NOT IN (0, 512, 12289, 4097)
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@ -127,7 +127,8 @@ WHERE -- Known attack scripts
    OR INSTR(p0.cmdline, '%Socket.%') > 0 -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
    OR (
      p0.cmdline LIKE '%tail -f /dev/null%'
-      AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
+      AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+      AND NOT p1.pid == 0
    )
  )
  AND NOT p0.cmdline like '%socat UNIX-LISTEN:%com.discordapp%discord-ipc%'
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@ -55,8 +55,10 @@ WHERE
    '/usr/lib/systemd/systemd-machined',
    '/usr/lib/upowerd',
    '/usr/bin/alacritty',
+    '/usr/bin/dash',
    '/usr/bin/bash',
    '/usr/bin/rpmbuild',
+    '/usr/bin/make',
    '/usr/bin/cargo',
    '/usr/bin/containerd',
    '/usr/bin/containerd-shim-runc-v2',
@ -162,7 +164,10 @@ WHERE
  AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
  AND NOT p.path LIKE '%/.vscode/extensions/%'
  AND NOT p.path LIKE '/tmp/terraform_%/terraform'
-  AND NOT p.path LIKE '/tmp/%/osqtool'
+  AND NOT (
+    p.name IN ('osqtool-x86_64', 'osqtool-arm64')
+    AND p.cmdline LIKE './%'
+  )
  AND NOT pp.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
  AND NOT (
    p.path LIKE '/home/%'
@ -172,7 +177,7 @@ WHERE
    AND p.cmdline LIKE './%'
  )
  AND NOT (
-    p.path LIKE '/tmp/%/osqtool'
+    p.path LIKE '/tmp/%/osqtool-%'
    AND p.uid > 499
    AND f.ctime = f.mtime
    AND f.uid = p.uid
--- a/detection/execution/relative-exec-low-uid.sql
+++ b/detection/execution/relative-exec-low-uid.sql
@ -45,7 +45,7 @@ WHERE
    WHERE
      euid < 500
      AND cmdline LIKE './%'
-      AND NOT cmdline LIKE './out/osqtool %'
+      AND NOT cmdline LIKE './out/osqtool-% %'
      AND NOT cgroup_path LIKE '/system.slice/docker-%'
  )
 GROUP BY
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -8,8 +8,7 @@
 --
 -- tags: persistent process state
 -- platform: linux
-SELECT
-  CONCAT (
+SELECT CONCAT (
    p0.name,
    ',',
    REPLACE(
@ -58,8 +57,7 @@ SELECT
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
-FROM
-  processes p0
+FROM processes p0
  LEFT JOIN file f ON p0.path = f.path
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
@ -67,8 +65,7 @@ FROM
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
-  p0.euid = 0
+WHERE p0.euid = 0
  AND p0.parent > 0
  AND p0.path != ""
  AND p0.start_time < (strftime('%s', 'now') - 900)
@ -78,8 +75,6 @@ WHERE
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
-    'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service',
-    'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
    'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
    'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
    'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
@ -111,6 +106,7 @@ WHERE
    'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
    'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
    'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
+    'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service',
    'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
    'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
    'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
@ -123,6 +119,7 @@ WHERE
    'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
    'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
    'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
+    'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
    'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
    'fusermount3,/usr/bin/fusermount3,1000,user.slice,user-1000.slice,4755',
    'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
@ -213,6 +210,7 @@ WHERE
    'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
    'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
    'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
+    'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
    'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
    'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
    'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
@ -229,5 +227,4 @@ WHERE
    'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
  )
  AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
-GROUP BY
-  p0.pid
+GROUP BY p0.pid