clarify macOS coverage

2023-05-12 11:08:59 -04:00 · 2023-05-12 11:08:59 -04:00 · 99af29e2df
parent 0c9e3bbf72
commit 99af29e2df
4 changed files with 13 additions and 10 deletions
--- a/incident_response/memory_map.sql
+++ b/incident_response/memory_map.sql
@ -1,7 +1,7 @@
 -- Returns the OS memory region map.
 --
 -- tags: postmortem
-- platform: posix
+-- platform: linux
 SELECT
  *
 FROM
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@ -1,7 +1,7 @@
 -- Return the list of open pipes per process
 --
 -- tags: postmortem
-- platform: posix
+-- platform: macos
 SELECT
  p.path AS p_path,
  p.name AS p_name,
--- a/incident_response/processes-root-not-apple-macos.sql
+++ b/incident_response/processes-root-not-apple-macos.sql
@ -1,7 +1,7 @@
 -- Programs running as root from unusual signers on macOS
 --
 -- platform: darwin
-- tags: transient often process state
+-- tags: transient process
 -- Canonical example of including process parents from process_events
 SELECT
  p.*,
@ -10,10 +10,13 @@ FROM
  processes p
  LEFT JOIN signature s ON p.path = s.path
 WHERE
-  p.euid = 0
-  AND p.path NOT LIKE "/System/%"
-  AND p.path NOT LIKE "/Library/Apple/%"
-  AND p.path NOT LIKE "/usr/bin/%"
-  AND p.path NOT LIKE "/usr/libexec/%"
-  AND p.path NOT LIKE "/usr/sbin/%"
+  p.pid IN (
+    SELECT pid FROM processes WHERE
+    p.euid = 0
+    AND p.path NOT LIKE "/System/%"
+    AND p.path NOT LIKE "/Library/Apple/%"
+    AND p.path NOT LIKE "/usr/bin/%"
+    AND p.path NOT LIKE "/usr/libexec/%"
+    AND p.path NOT LIKE "/usr/sbin/%"
+  )
  AND s.authority NOT IN ('Software Signing')
--- a/incident_response/shared_memory.sql
+++ b/incident_response/shared_memory.sql
@ -1,7 +1,7 @@
 -- Return shared memory info
 --
 -- tags: postmortem
-- platform: posix
+-- platform: linux
 SELECT
  shm.*,
  p.name AS p_name,