mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-22 22:02:07 +00:00
refactor to reduce false positives
This commit is contained in:
parent
14a9098a9a
commit
9f4b8a0b69
@ -62,6 +62,7 @@ WHERE
|
|||||||
)
|
)
|
||||||
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
|
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
|
||||||
AND s.remote_address NOT IN (
|
AND s.remote_address NOT IN (
|
||||||
|
'1.1.1.1', -- Cloudflare
|
||||||
'100.100.100.100', -- Tailscale Magic DNS
|
'100.100.100.100', -- Tailscale Magic DNS
|
||||||
'208.67.220.123', -- OpenDNS FamilyShield
|
'208.67.220.123', -- OpenDNS FamilyShield
|
||||||
'75.75.75.75', -- Comcast
|
'75.75.75.75', -- Comcast
|
||||||
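Review bot: Adding `'1.1.1.1', -- Cloudflare` to the `s.remote_address NOT IN (...)` list exempts every connection to that address, not only DNS, and unlike the Tailscale or Comcast entries it is a public resolver any process on the host can reach. The rest of the WHERE clause is outside the hunk, so if it does not already constrain `s.remote_port` (53/853) or the originating process, non-DNS traffic to the same address is hidden too. Consider narrowing the exception to the DNS ports or to the applications that hard-code this resolver, and extending the added comment to say which application prompted it, e.g. `'1.1.1.1', -- Cloudflare (hard-coded by <app-name>)`.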
@ -122,6 +123,7 @@ WHERE
|
|||||||
'limactl',
|
'limactl',
|
||||||
'mDNSResponder',
|
'mDNSResponder',
|
||||||
'melange',
|
'melange',
|
||||||
|
'syncthing',
|
||||||
'nessusd',
|
'nessusd',
|
||||||
'nuclei',
|
'nuclei',
|
||||||
'systemd-resolved',
|
'systemd-resolved',
|
||||||
|
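Review bot: The added `'syncthing',` lands between `'melange',` and `'nessusd',`, which breaks the alphabetical order the surrounding list keeps (limactl, mDNSResponder, melange, nessusd, nuclei, systemd-resolved); it belongs after `'nuclei',`. The start and end of the list are outside the hunk, so I cannot tell whether it is matched on process name alone; if it is, any binary named syncthing satisfies the exception, and the `exception_key` form used in the later hunks of this commit (uid,name,identifier,signer by the look of the visible keys) would pin it more tightly.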
@ -38,6 +38,6 @@ WHERE
|
|||||||
)
|
)
|
||||||
-- Kandji temp file
|
-- Kandji temp file
|
||||||
AND NOT (
|
AND NOT (
|
||||||
file.filename LIKE '/Library/LaunchAgents/.dat.nosync%'
|
file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
|
||||||
AND size = 242
|
AND size = 242
|
||||||
)
|
)
|
||||||
|
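Review bot: Switching `file.filename LIKE '/Library/LaunchAgents/.dat.nosync%'` to `file.path LIKE '/Library/LaunchAgents/.dat.nosync%'` is the right fix, since `filename` in osquery's file table holds only the basename and the old predicate could never match, leaving the Kandji exception dead. Because the exception now becomes live, the adjacent `AND size = 242` is the only thing stopping it from exempting any `.dat.nosync*` file in that directory, and unlike the line above it is not qualified with the `file.` alias. Consider `AND file.size = 242` for consistency and a comment such as `-- 242-byte marker file; do not loosen` so the size is not treated as incidental later. The enclosing query starts and ends outside the hunk.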
@ -65,24 +65,23 @@ WHERE
|
|||||||
-- Regular apps
|
-- Regular apps
|
||||||
AND NOT path LIKE '/Applications/%.app/%'
|
AND NOT path LIKE '/Applications/%.app/%'
|
||||||
-- Other oddball binary paths
|
-- Other oddball binary paths
|
||||||
AND NOT path LIKE '/opt/homebrew/Cellar/%'
|
AND NOT path LIKE '/opt/%'
|
||||||
AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
|
AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
|
||||||
AND NOT path LIKE '/Users/%/go/src/%/%.test'
|
AND NOT path LIKE '/Users/%/go/%'
|
||||||
AND NOT (
|
AND NOT path LIKE '/Users/%/dev/%'
|
||||||
path LIKE '/Users/%/homebrew/Cellar/%'
|
AND NOT path LIKE '/Users/%/src/%'
|
||||||
AND name IN ('limactl', 'Python', 'bash')
|
AND NOT path LIKE '/Users/%/homebrew/Cellar/%'
|
||||||
)
|
|
||||||
AND NOT (
|
AND NOT (
|
||||||
path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
|
path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
|
||||||
AND name = 'cpu'
|
AND name = 'cpu'
|
||||||
)
|
)
|
||||||
AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet')
|
|
||||||
)
|
)
|
||||||
AND pmm.path LIKE '%Security.framework%'
|
AND pmm.path LIKE '%Security.framework%'
|
||||||
AND exception_key NOT IN (
|
AND exception_key NOT IN (
|
||||||
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||||
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||||
'0,nix,nix,',
|
'0,nix,nix,',
|
||||||
|
'500,dirmngr,dirmngr,',
|
||||||
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||||
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||||
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
|
||||||
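Review bot: The widened exclusions `AND NOT path LIKE '/opt/%'`, `'/Users/%/go/%'`, `'/Users/%/dev/%'` and `'/Users/%/src/%'` remove a large user-writable part of the filesystem from this query, and dropping the `AND name IN ('limactl', 'Python', 'bash')` qualifier makes the `/Users/%/homebrew/Cellar/%` exclusion unconditional as well. Whatever the query surfaces (its SELECT is outside the hunk), a binary can be dropped under /opt or a user's src or dev directory by the same account that is assumed compromised, so this is where the false negatives will appear; a narrower shape such as `AND NOT path LIKE '/opt/homebrew/%'` and `AND NOT path LIKE '/opt/socket_vmnet/%'` keeps the previous intent without the blanket. If the blanket is deliberate, a comment on the `/opt/%` line stating why would help the next maintainer. Separately, the added `'500,dirmngr,dirmngr,'` is out of the alphabetical order of the `exception_key NOT IN` list (it sits between nix and osqueryd), as is `'500,dirmngr,,'` in the `@ -156,6 +155,7` hunk.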
@ -156,6 +155,7 @@ WHERE
|
|||||||
'500,keyboxd,,',
|
'500,keyboxd,,',
|
||||||
'500,keyboxd,keyboxd,',
|
'500,keyboxd,keyboxd,',
|
||||||
'500,ko,,',
|
'500,ko,,',
|
||||||
|
'500,dirmngr,,',
|
||||||
'500,ko,a.out,',
|
'500,ko,a.out,',
|
||||||
'500,kubectl,a.out,',
|
'500,kubectl,a.out,',
|
||||||
'500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
|
'500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
|
||||||
@ -243,6 +243,8 @@ WHERE
|
|||||||
AND p0.path LIKE '/Users/%/go/bin/%'
|
AND p0.path LIKE '/Users/%/go/bin/%'
|
||||||
)
|
)
|
||||||
AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
|
AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
|
||||||
|
AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
|
||||||
|
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
|
||||||
AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
|
AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
|
||||||
AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
|
AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
|
||||||
AND NOT exception_key LIKE '500,___%,a.out,'
|
AND NOT exception_key LIKE '500,___%,a.out,'
|
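Review bot: The added `AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'` has no trailing comma, unlike its siblings `'500,sm-agent,sm_agent-%,'` and `'500,cody-engine-%-macos-arm64,%,'`, so the `%` runs through the identifier, the field separator and the signer field and the exception matches with any signer, including none. If the intent is the same as the neighbours (an unsigned binary with an identifier prefix), it should read `AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%,'`; if any signer is meant, the identifier should be pinned more tightly, since an unsigned drop-in using that name would currently pass. The `sm-agent` line is consistent with the others but, like them, exempts an unsigned binary by name only; a short comment naming the product it belongs to would help later triage.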