RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-10 07:39:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #67 from tstromberg/python-dir

Browse Source 
execdir-macos: Add exception for vs-kubernetes, add child hash, fix time interval
This commit is contained in:
Thomas Strömberg 2022-11-04 10:33:40 -04:00 committed by GitHub
commit 9d63c81851
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
detection/execution/unexpected-execdir-events-macos.sql
View File

@ -24,7 +24,8 @@ SELECT
pp.name AS parent_name,
pp.cmdline AS parent_cmd,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256,
hash.sha256 AS child_sha256,
phash.sha256 AS parent_sha256,
signature.identifier,
signature.authority
FROM
@ -33,10 +34,11 @@ FROM
LEFT JOIN file ON p.path = file.path
LEFT JOIN users u ON p.uid = u.uid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash phash ON pp.path = phash.path
LEFT JOIN signature ON p.path = signature.path
WHERE
p.time > (strftime('%s', 'now') -7200)
p.time > (strftime('%s', 'now') -60)
-- The process_events table on macOS ends up with relative directories for some reason?
AND dir LIKE '/%'
AND file.size > 0
@ -86,6 +88,7 @@ WHERE
'~/.local/bin',
'~/.local/share/nvim/mason/packages/tflint',
'~/.local/share/nvim.old/mason/packages/tflint',
'~/.vs-kubernetes/tools/kubectl',
'~/projects/go/bin'
)
AND signature.authority NOT IN (