clarify macOS coverage
parent
0c9e3bbf72
commit
99af29e2df
@ -1,7 +1,7 @@
|
||||
-- Returns the OS memory region map.
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- platform: linux
|
||||
SELECT
|
||||
*
|
||||
FROM
|
||||
|
@ -1,7 +1,7 @@
|
||||
-- Return the list of open pipes per process
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- platform: macos
|
||||
SELECT
|
||||
p.path AS p_path,
|
||||
p.name AS p_name,
|
||||
|
@ -1,7 +1,7 @@
|
||||
-- Programs running as root from unusual signers on macOS
|
||||
--
|
||||
-- platform: darwin
|
||||
-- tags: transient often process state
|
||||
-- tags: transient process
|
||||
-- Canonical example of including process parents from process_events
|
||||
SELECT
|
||||
p.*,
|
||||
@ -10,10 +10,13 @@ FROM
|
||||
processes p
|
||||
LEFT JOIN signature s ON p.path = s.path
|
||||
WHERE
|
||||
p.pid IN (
|
||||
SELECT pid FROM processes WHERE
|
||||
p.euid = 0
|
||||
AND p.path NOT LIKE "/System/%"
|
||||
AND p.path NOT LIKE "/Library/Apple/%"
|
||||
AND p.path NOT LIKE "/usr/bin/%"
|
||||
AND p.path NOT LIKE "/usr/libexec/%"
|
||||
AND p.path NOT LIKE "/usr/sbin/%"
|
||||
)
|
||||
AND s.authority NOT IN ('Software Signing')
|
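Review bot: `AND s.authority NOT IN ('Software Signing')` on the last line of the second hunk silently drops every process whose LEFT JOIN to `signature` yields a NULL authority, because `NULL NOT IN (...)` evaluates to NULL and the WHERE treats it as false; for a query meant to surface root processes from unusual signers, an unsigned or unresolvable binary is presumably the case most worth reporting, so if that is the intent the line should read `AND (s.authority IS NULL OR s.authority NOT IN ('Software Signing'))`. Separately, the `p.pid IN (SELECT pid FROM processes WHERE p.euid = 0 AND ...)` subquery constrains only the outer alias `p`, so it reduces to a boolean test on the outer row and is equivalent to putting `p.euid = 0` and the `NOT LIKE` exclusions directly in the outer WHERE, which also avoids a second scan of `processes` per candidate row. The path exclusions use double-quoted literals such as `"/System/%"`, which SQLite reads as a string only when no identifier of that name resolves; the single-quoted form already used for `'Software Signing'` is the safe one. The statement may continue past the end of the hunk.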
@ -1,7 +1,7 @@
|
||||
-- Return shared memory info
|
||||
--
|
||||
-- tags: postmortem
|
||||
-- platform: posix
|
||||
-- platform: linux
|
||||
SELECT
|
||||
shm.*,
|
||||
p.name AS p_name,
|
||||
|