Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
This commit is contained in:
parent
d078e4a1ca
commit
a24c3d2333
@ -102,6 +102,7 @@ WHERE
|
||||
'Signal Helper (Renderer),8.8.8.8,53',
|
||||
'signal-desktop,8.8.8.8,53',
|
||||
'slack,8.8.8.8,53',
|
||||
'snapd,185.125.188.54,53',
|
||||
'Socket Process,8.8.8.8,53',
|
||||
'syncthing,46.162.192.181,53',
|
||||
'Telegram,8.8.8.8,53',
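Review bot: The rendered page has lost the add/remove markers, so I cannot tell which of these seven `name,address,port` entries is the one this hunk adds, but whichever it is, the match is on a bare process name plus a pinned address, with nothing tying the two together. Two entries, `'snapd,185.125.188.54,53'` and `'syncthing,46.162.192.181,53'`, point at single non-public addresses that, unlike `8.8.8.8`, are not self-explanatory and will go stale silently if that resolver ever moves. I would put a SQL comment above each such entry naming the operator of the address and the host it was observed on, so a later reader can tell a deliberate exception from a leftover. The `WHERE` clause this list belongs to begins before the hunk.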
|
||||
|
@ -105,7 +105,9 @@ WHERE
|
||||
'500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
|
||||
'500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
|
||||
'500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
|
||||
'500,Developer ID Application: Autodesk (XXKJ396S2Y)',
|
||||
'500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
|
||||
)
|
||||
AND NOT (
|
||||
unsigned_exception = '500,6,80,main,main'
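Review bot: The two new signer exceptions, `'500,Developer ID Application: Autodesk (XXKJ396S2Y)'` and `'500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'`, exempt every process signed by those team IDs rather than one binary, which is a wider grant than the `unsigned_exception` tuples below that at least pin protocol and port. That matches the shape of the existing entries, so I would not block on it, but a one-line comment naming the product that triggered each (`-- Autodesk: <app name>, seen on <host>`) would make the list prunable later; as written nothing records why either team is trusted. The `WHERE` clause this list sits in starts before the hunk.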
|
||||
@ -121,7 +123,9 @@ WHERE
|
||||
'500,0,0,chainlink,chainlink',
|
||||
'500,17,123,gvproxy,gvproxy',
|
||||
'500,0,0,,',
|
||||
'500,0,0,.Telegram-wrapped,.Telegram-wrapped'
|
||||
'500,0,0,.Telegram-wrapped,.Telegram-wrapped',
|
||||
'500,6,443,cloud_sql_proxy,cloud_sql_proxy',
|
||||
'500,6,32768,cloud_sql_proxy,cloud_sql_proxy'
|
||||
)
|
||||
GROUP BY
|
||||
p0.cmdline
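Review bot: `'500,6,32768,cloud_sql_proxy,cloud_sql_proxy'` pins a single port that, on Linux, is the first value of the default `ip_local_port_range`; if that number was an ephemeral port captured from one run, the exception will not match the next run and the alert simply comes back, and if it is a fixed endpoint the proxy reaches, that deserves a comment, because the companion `'500,6,443,cloud_sql_proxy,cloud_sql_proxy'` is self-explanatory and this one is not. I cannot tell from the tuple which end of the connection the port column describes, so confirm before deciding. Both entries live in the unsigned-exception list and key on name and cmdline only, so any unsigned binary calling itself `cloud_sql_proxy` inherits them, the same way the neighbouring `gvproxy` entry does. The `WHERE` clause continues before and after this hunk.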
|
||||
|
@ -56,5 +56,6 @@ WHERE
|
||||
AND p.name NOT LIKE 'osqtool%'
|
||||
AND f.path NOT LIKE '%/go/bin/%'
|
||||
AND f.path NOT LIKE '%/osqueryi'
|
||||
AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
|
||||
GROUP by
|
||||
p.pid
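Review bot: `AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'` exempts by path alone under a world-writable directory, so any local user can stage `/tmp/x/.terraform/providers/anything` and run it to sidestep this query. Tightening the pattern to the filename terraform actually produces (`terraform-provider-<name>_v<version>`) removes the free-form tail: `AND f.path NOT LIKE '/tmp/%/.terraform/providers/%/terraform-provider-%'`. That is still path-only; if this query has access to the parent process, requiring the parent name to be `terraform` would be the real anchor, and a comment saying the exemption was observed for `terraform init`/`plan` in a temp workdir would explain why `/tmp` is expected at all. The `WHERE` clause and the `GROUP by` tail extend beyond the hunk.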
|
||||
|
@ -49,6 +49,7 @@ WHERE
|
||||
'jpg',
|
||||
'json',
|
||||
'key',
|
||||
'md',
|
||||
'mov',
|
||||
'mp3',
|
||||
'mp4',
|
||||
|
@ -155,6 +155,7 @@ rule systemd_small_multiuser_not_in_dependency_tree : high {
|
||||
$not_systemd = "ExecStart=systemd-"
|
||||
$not_lima = "Description=lima-guestagent"
|
||||
$not_check_sb = "Description=Service to check for secure boot key enrollment"
|
||||
$not_touchee_gg = "ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/touchegg --daemon"
|
||||
condition:
|
||||
filesize < 384 and $execstart and $multiuser and none of ($not_*)
|
||||
}
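Review bot: `$not_touchee_gg = "ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/touchegg --daemon"` only matches the unconfigured CMake template form of the unit, so an installed `touchegg.service` with the placeholder expanded (typically `ExecStart=/usr/bin/touchegg --daemon`) would still trip the rule; if the unit you observed really contains the literal `@CMAKE_INSTALL_FULL_BINDIR@`, a short comment saying which package ships it unexpanded would stop the next reader from "fixing" it. The identifier also misspells the project name; `$not_touchegg` follows the `$not_lima` / `$not_systemd` naming used above it. One regex covers both forms: `$not_touchegg = /ExecStart=(@CMAKE_INSTALL_FULL_BINDIR@|\/usr\/bin)\/touchegg --daemon/`. The rule's `strings:` section opens before the hunk.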
|
||||
|
@ -108,6 +108,7 @@ WHERE
|
||||
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
|
||||
'bpfilter_umh,/bpfilter_umh,0,,,',
|
||||
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
|
||||
'cat,/usr/bin/cat,0,user.slice,user-0.slice,0755',
|
||||
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
|
||||
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
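Review bot: `'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755'` accepts what looks like a root process (third field `0`, by analogy with the `sudo,...,1000,...` entries elsewhere in this commit) launched from a user session, and it trusts whatever sits at `/usr/local/bin/chainctl`, a path no package manager owns, on name, path and mode alone. That is the same shape as the neighbouring `cat` and `containerd` entries, so I would not block, but a comment on why chainctl needs root from a user slice (`-- chainctl: run under sudo for <reason>`) would let the entry be revisited, and pinning `user-1000.slice` means the same workflow from another uid re-alerts, which is worth deciding deliberately. The `WHERE` clause continues on both sides of this hunk.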
|
||||
@ -308,6 +309,7 @@ WHERE
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
|
||||
'sudo,/usr/bin/sudo,1001,user.slice,user-0.slice,4111',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
|
||||
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
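Review bot: `'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755'` duplicates the `4111` entry directly above it with only the mode differing, and nothing records why two modes are expected; both are root-setuid, so this reads as a distro packaging difference (Debian/Ubuntu ship sudo as `4755`, Fedora/RHEL as `4111`, as far as I know) rather than a security change. A comment on the pair, e.g. `-- 4111: Fedora/RHEL, 4755: Debian/Ubuntu`, would keep the list from growing one unexplained line per distro. Confirm the attribution against the hosts that produced the alert. The exception list continues outside this hunk.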
|
||||
|
@ -351,7 +351,8 @@ WHERE -- Focus on longer-running programs
|
||||
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
|
||||
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
|
||||
'Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
|
||||
'Software Signing'
|
||||
'Software Signing',
|
||||
'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)'
|
||||
)
|
||||
AND NOT (
|
||||
p0.path = '/Library/Printers/DYMO/Utilities/pnpd'
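Review bot: `'Developer ID Application: PaperCut Software International Pty Ltd (B5N3YV5P2H)'` exempts every long-running process carrying that signature, and PaperCut's server products had an authentication bypass exploited in the wild in 2023, so I would prefer the narrower form this query already uses two lines down (`p0.path = '/Library/Printers/DYMO/Utilities/pnpd'`) for the specific PaperCut client binary that was observed, e.g. `p0.path LIKE '/Applications/PaperCut%'` in the `AND NOT (...)` block with the real path substituted. The 2023 issues were in NG/MF, not necessarily in the macOS client, so treat this as belt-and-braces rather than a known gap; if the signer-wide form is kept, a comment naming the client product would still help. The signer list opens before this hunk.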
|
||||
|
@ -30,6 +30,7 @@ WHERE
|
||||
'/bin/ps',
|
||||
'/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
|
||||
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
|
||||
'/Library/Application Support/Google/GoogleUpdater/Current/GoogleUpdater.app/Contents/Helpers/launcher',
|
||||
'/opt/1Password/1Password-BrowserSupport',
|
||||
'/usr/lib/opt/1Password/1Password-BrowserSupport',
|
||||
'/opt/1Password/1Password-KeyringHelper',
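Review bot: `'/Library/Application Support/Google/GoogleUpdater/Current/GoogleUpdater.app/Contents/Helpers/launcher'` is a path-only exemption, and `Current` looks like a version alias under an admin-writable `Application Support` tree, so anything that lands at that path is trusted regardless of who signed it. The Google LLC team ID (`EQHXZ8M8AV`) already appears in the signer exception list of another query in this commit, so pairing the path with that signature would cost little if this query exposes a signature column; if it does not, a comment such as `-- path-only: GoogleUpdater helper, tighten to signer EQHXZ8M8AV when possible` would at least flag it for a later pass. The `WHERE` clause is cut on both sides of the hunk.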
|
||||
|