Rewrite unexpecetd uid0 for Linux, include cgroup info
This commit is contained in:
Thomas Stromberg
parent
d039449330
commit
a3ec1bf2bf
|
|
@ -8,7 +8,29 @@
|
|||
--
|
||||
-- tags: persistent process state
|
||||
-- platform: linux
|
||||
SELECT
|
||||
SELECT CONCAT(
|
||||
p0.name,
|
||||
',',
|
||||
REPLACE(
|
||||
p0.path,
|
||||
COALESCE(
|
||||
REGEX_MATCH(p0.path, "/nix/store/(.*?)/.*", 1),
|
||||
REGEX_MATCH(p0.path, "(\d[\.\d]+)/.*", 1),
|
||||
"3.11"
|
||||
),
|
||||
"__VERSION__"
|
||||
),
|
||||
',',
|
||||
p0.uid,
|
||||
',',
|
||||
CONCAT(
|
||||
SPLIT(p0.cgroup_path, "/", 0),
|
||||
",",
|
||||
SPLIT(p0.cgroup_path, "/", 1)
|
||||
),
|
||||
',',
|
||||
f.mode
|
||||
) AS exception_key,
|
||||
DATETIME(f.ctime, 'unixepoch') AS p0_changed,
|
||||
DATETIME(f.mtime, 'unixepoch') AS p0_modified,
|
||||
(strftime('%s', 'now') - p0.start_time) AS p0_runtime_s,
|
||||
|
|
@ -35,8 +57,7 @@ SELECT
|
|||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM
|
||||
processes p0
|
||||
FROM processes p0
|
||||
LEFT JOIN file f ON p0.path = f.path
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||||
|
|
@ -44,141 +65,127 @@ FROM
|
|||
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
|
||||
LEFT JOIN processes p2 ON p1.parent = p2.pid
|
||||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
WHERE
|
||||
p0.euid = 0
|
||||
WHERE p0.euid = 0
|
||||
AND p0.parent > 0
|
||||
AND (strftime('%s', 'now') - p0.start_time) > 15
|
||||
AND p0.path NOT IN (
|
||||
'',
|
||||
'/sbin/apcupsd',
|
||||
'/sbin/mount.ntfs',
|
||||
'/usr/bin/abrt-dump-journal-core',
|
||||
'/usr/bin/abrt-dump-journal-oops',
|
||||
'/usr/bin/abrt-dump-journal-xorg',
|
||||
'/usr/bin/anacron',
|
||||
'/usr/bin/NetworkManager',
|
||||
'/usr/lib/upowerd',
|
||||
'/usr/bin/fusermount3',
|
||||
'/usr/bin/apcupsd',
|
||||
'/usr/bin/bash',
|
||||
'/usr/bin/clamscan',
|
||||
'/usr/lib/fwupd/fwupd',
|
||||
'/usr/lib/accounts-daemon',
|
||||
'/usr/lib/systemd/systemd-logind',
|
||||
'/usr/lib/boltd',
|
||||
'/usr/lib/power-profiles-daemon',
|
||||
'/usr/bin/udevadm',
|
||||
'/usr/bin/doas',
|
||||
'/usr/bin/auditd',
|
||||
'/usr/lib/boltd',
|
||||
'/usr/lib/bluetooth/bluetoothd',
|
||||
'/usr/bin/containerd',
|
||||
'/usr/bin/containerd-shim-runc-v2',
|
||||
'/usr/bin/crond',
|
||||
'/usr/bin/dbus-broker',
|
||||
'/usr/bin/nvidia-powerd',
|
||||
'/usr/bin/dbus-broker-launch',
|
||||
'/usr/bin/dbus-daemon',
|
||||
'/usr/bin/dbus-launch',
|
||||
'/usr/bin/dnsmasq',
|
||||
'/usr/bin/dockerd',
|
||||
'/usr/bin/docker-proxy',
|
||||
'/usr/bin/fish',
|
||||
'/usr/bin/gdm',
|
||||
'/usr/bin/gpg-agent',
|
||||
'/usr/bin/journalctl',
|
||||
'/usr/bin/lightdm',
|
||||
'/usr/bin/osqueryd',
|
||||
'/usr/bin/pacman',
|
||||
'/usr/bin/sshd',
|
||||
'/usr/bin/system76-power',
|
||||
'/usr/bin/system76-scheduler',
|
||||
'/usr/bin/tailscaled',
|
||||
'/usr/bin/touchegg',
|
||||
'/usr/bin/vim',
|
||||
'/usr/bin/virtlogd',
|
||||
'/usr/bin/wpa_supplicant',
|
||||
'/usr/bin/xargs',
|
||||
'/usr/lib/accountsservice/accounts-daemon',
|
||||
'/usr/libexec/accounts-daemon',
|
||||
'/usr/libexec/at-spi-bus-launcher',
|
||||
'/usr/libexec/dconf-service',
|
||||
'/usr/libexec/docker/docker-proxy',
|
||||
'/usr/libexec/flatpak-system-helper',
|
||||
'/usr/libexec/gdm-session-worker',
|
||||
'/usr/libexec/packagekitd',
|
||||
'/usr/libexec/polkitd',
|
||||
'/usr/libexec/scdaemon',
|
||||
'/usr/libexec/snapd/snapd',
|
||||
'/usr/libexec/sssd/sssd_kcm',
|
||||
'/usr/libexec/udisks2/udisksd',
|
||||
'/usr/libexec/xdg-document-portal',
|
||||
'/usr/libexec/xdg-permission-store',
|
||||
'/usr/lib/flatpak-system-helper',
|
||||
'/usr/lib/gdm-session-worker',
|
||||
'/usr/lib/snapd/snapd',
|
||||
'/usr/lib/software-properties/software-properties-dbus',
|
||||
'/usr/lib/systemd/systemd',
|
||||
'/usr/lib/systemd/systemd-fsckd',
|
||||
'/usr/lib/systemd/systemd-homed',
|
||||
'/usr/lib/systemd/systemd-journald',
|
||||
'/usr/lib/systemd/systemd-machined',
|
||||
'/usr/lib/udisks2/udisksd',
|
||||
'/usr/lib/Xorg',
|
||||
'/usr/local/kolide-k2/bin/launcher',
|
||||
'/usr/local/kolide-k2/bin/osqueryd',
|
||||
'/usr/sbin/abrtd',
|
||||
'/usr/sbin/abrt-dbus',
|
||||
'/usr/sbin/acpid',
|
||||
'/usr/sbin/agetty',
|
||||
'/usr/sbin/alsactl',
|
||||
'/usr/sbin/anacron',
|
||||
'/usr/sbin/atd',
|
||||
'/usr/sbin/cron',
|
||||
'/usr/sbin/crond',
|
||||
'/usr/sbin/cups-browsed',
|
||||
'/usr/sbin/cupsd',
|
||||
'/usr/sbin/dnsmasq',
|
||||
'/usr/sbin/gdm',
|
||||
'/usr/sbin/gdm3',
|
||||
'/usr/sbin/gssproxy',
|
||||
'/usr/sbin/mcelog',
|
||||
'/usr/sbin/pcscd',
|
||||
'/usr/sbin/pwrstatd',
|
||||
'/usr/sbin/rsyslogd',
|
||||
'/usr/sbin/smartd',
|
||||
'/usr/sbin/sshd',
|
||||
'/usr/sbin/tailscaled',
|
||||
'/usr/sbin/thermald',
|
||||
'/usr/sbin/wpa_supplicant',
|
||||
'/usr/sbin/zed'
|
||||
AND p0.path != ""
|
||||
AND (strftime('%s', 'now') - p0.start_time) > 15 -- Exclude processes running inside of Docker containers
|
||||
AND exception_key NOT IN (
|
||||
'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus\x2d:1.16\x2dorg.freedesktop.problems.slice,0755',
|
||||
'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus\x2d:1.3\x2dorg.freedesktop.problems.slice,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
|
||||
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
|
||||
'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
|
||||
'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
|
||||
'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
|
||||
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
|
||||
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
|
||||
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
|
||||
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
|
||||
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
|
||||
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
|
||||
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
|
||||
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
|
||||
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
|
||||
'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
|
||||
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
|
||||
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
|
||||
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
|
||||
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
|
||||
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
|
||||
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
|
||||
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
|
||||
'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
|
||||
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
|
||||
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
|
||||
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
|
||||
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
|
||||
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
|
||||
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
|
||||
'fusermount3,/usr/bin/fusermount3,1000,user.slice,user-1000.slice,4755',
|
||||
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
|
||||
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
|
||||
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
|
||||
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
|
||||
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
|
||||
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
|
||||
'launcher,/nix/store/__VERSION__/bin/launcher,0,system.slice,kolide-launcher.service,0555',
|
||||
'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555',
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
|
||||
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
|
||||
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
|
||||
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
|
||||
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
|
||||
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
|
||||
'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755',
|
||||
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
|
||||
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
|
||||
'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555',
|
||||
'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
|
||||
'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755',
|
||||
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
|
||||
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
|
||||
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
|
||||
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
|
||||
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
|
||||
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
|
||||
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
|
||||
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
|
||||
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
|
||||
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
|
||||
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
|
||||
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
|
||||
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
|
||||
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
|
||||
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
|
||||
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
|
||||
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
|
||||
'systemd-journal,/nix/store/__VERSION__/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0555',
|
||||
'systemd-journal,/usr/lib/systemd/systemd-journald,0,system.slice,systemd-journald.service,0755',
|
||||
'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
|
||||
'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
|
||||
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
|
||||
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
|
||||
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
|
||||
'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755',
|
||||
'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755',
|
||||
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
|
||||
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
|
||||
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
|
||||
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
|
||||
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
|
||||
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
|
||||
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
|
||||
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
|
||||
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
|
||||
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
|
||||
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
|
||||
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
|
||||
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
|
||||
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
|
||||
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
|
||||
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
|
||||
)
|
||||
-- Because I don't want to whitelist all of Python3
|
||||
AND p0.cmdline NOT IN (
|
||||
'/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held',
|
||||
'/sbin/init splash',
|
||||
'/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid',
|
||||
'/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
|
||||
'/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
|
||||
'/usr/bin/python3 /usr/bin/unattended-upgrade --download-only',
|
||||
'/usr/bin/python3 /usr/libexec/blueman-mechanism',
|
||||
'/usr/bin/python3 /usr/lib/pop-transition/service.py',
|
||||
'/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
|
||||
'/usr/bin/python3 /usr/sbin/lvmdbusd',
|
||||
'/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
|
||||
'/usr/bin/python /usr/bin/firewalld --nofork --nopid',
|
||||
'/usr/bin/xargs',
|
||||
'xargs logger -s'
|
||||
)
|
||||
AND NOT p0.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
|
||||
AND NOT p0.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
|
||||
AND NOT p0.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'
|
||||
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
|
||||
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
|
||||
AND p0.path NOT LIKE '/nix/store/%/bin/%'
|
||||
AND p0.path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
|
||||
AND p0.path NOT LIKE '/nix/store/%/libexec/%'
|
||||
AND p0.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
|
||||
-- Exclude processes running inside of Docker containers
|
||||
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
|
||||
GROUP BY p0.pid
|
||||
Loading…
Reference in New Issue