False positive purge, including Ventura additions

This commit is contained in:
Thomas Stromberg 2022-10-03 16:27:56 -04:00
parent 1e206f20c3
commit a5820efa5c
22 changed files with 181 additions and 121 deletions


@ -26,8 +26,7 @@ WHERE
pmm.path LIKE "%libpcap%"
AND p.euid = 0
AND child_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd%"
AND child_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
AND child_path NOT LIKE "/System/Library/%"
AND child_path NOT LIKE "/nix/store/%/bin/nix"
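Review bot: The new exclusion `AND child_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd%"` replaces the two named daemons (journald, logind) with a prefix that covers every executable beginning with `systemd` under any store path containing `-systemd-`, so it exempts considerably more than the two entries it supersedes. If the purge was only meant to cover the remaining systemd daemons, a one-line comment recording which ones were observed, e.g. `-- systemd daemons from the nix store load libpcap`, would keep the widening reviewable. The enclosing WHERE clause begins outside the hunk.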


@ -60,6 +60,7 @@ WHERE f.uid != ""
"chrome,chrome,~/.config/google-chrome",
"firefox,.firefox-wrappe,~/.cache/mozilla",
"firefox,.firefox-wrappe,~/.mozilla/firefox",
"firefox,file:// Content,~/.mozilla/firefox",
"firefox,firefox,~/.cache/mozilla",
"firefox,firefox,~/.mozilla/firefox",
"firefox,firefox,~/snap/firefox",


@ -36,6 +36,8 @@ WHERE -- NOTE:We intentionally want to preserve missing files
",,/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig,",
",,/usr/bin/nmblookup,",
",,/usr/libexec/discoveryd,",
",iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501", -- thanks Jed!
",java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501",
"Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0",
"Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0",
"Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0",


@ -55,6 +55,7 @@ WHERE
"/tmp/.dracula-tmux-weather.lock",
"/tmp/.dracula-tmux-data",
"/tmp/.dotnet/",
"/tmp/.vbox-t-ipc/",
"/tmp/.font-unix/",
"/tmp/.ICE-unix/",
"/tmp/.Test-unix/",


@ -34,17 +34,17 @@ WHERE
AND file.path NOT LIKE "/Volumes/%/.com.apple.timemachine%"
AND (
extension IN (
'command',
'lnk',
'mpkg',
"command",
"lnk",
"mpkg",
-- Enable later once we know this query works well
-- 'pkg',
'scpt',
'dmg',
'iso',
'gz',
'sh',
'sql'
-- "pkg",
"scpt",
"dmg",
"iso",
"gz",
"sh",
"sql"
)
OR file.symlink != 0
@ -62,27 +62,31 @@ WHERE
OR basename LIKE "cg%"
) -- exceptions go here
AND basename NOT IN (
'..',
'.',
'.background',
'.disk_label_2x',
'.disk_label',
'.DS_Store',
'.iotest',
'.file-revisions-by-id',
'.file',
'.metadata_never_index_unless_rootfs',
'.shortcut-targets-by-id',
'.TemporaryItems',
'.Trashes',
'.vol',
'.VolumeIcon.icns'
"..",
".",
".background",
".disk_label_2x",
".disk_label",
".DS_Store",
".iotest",
".file-revisions-by-id",
".file",
".metadata_never_index_unless_rootfs",
".shortcut-targets-by-id",
".TemporaryItems",
".Trashes",
".vol",
".apdisk",
"._.Trashes",
"._.TemporaryItems",
"._.apdisk",
".VolumeIcon.icns"
)
AND authority NOT IN (
'Developer ID Application: Google LLC (EQHXZ8M8AV)'
"Developer ID Application: Google LLC (EQHXZ8M8AV)"
) -- Unsigned programs here
AND trimpath NOT IN (
'/Volumes/Google Chrome/.keystone_install',
'/Volumes/Google Chrome Canary/.keystone_install',
'/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg'
"/Volumes/Google Chrome/.keystone_install",
"/Volumes/Google Chrome Canary/.keystone_install",
"/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg"
)
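Review bot: The switch from single to double quotes in both hunks of this section (and again in the later section that begins with `hash.sha256,`) makes every string literal depend on SQLite's legacy double-quoted-string fallback: a double-quoted token is resolved as an identifier first and only becomes a string when no column of that name is in scope, and builds compiled with `SQLITE_DQS=0` reject it outright. None of the values here collides with a column of the joined tables as far as the hunk shows, but the failure mode is silent, since the comparison would turn into a column reference rather than an error. If double quotes are the repository convention this is fine to keep, though a header note such as `-- Double-quoted strings rely on SQLite DQS support` would record the dependency. The enclosing WHERE clause starts before the first hunk.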


@ -54,6 +54,7 @@ WHERE
"8.8.4.4", -- Google (backup)
"208.67.222.222", -- OpenDNS
"75.75.75.75", -- Comcast
"75.75.76.76", -- Comcast
"68.105.28.13" -- Cox
)
-- Exceptions that specifically talk to one server


@ -51,55 +51,58 @@ WHERE
AND NOT exception_key IN (
"10011,6,0,launchd,Software Signing",
"1313,6,500,hugo,",
"3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)",
"49152,6,500,GarageBand,Apple Mac OS Application Signing",
"1338,6,500,registry,",
"137,17,0,launchd,Software Signing",
"49152,6,500,telepresence,",
"137,17,222,netbiosd,Software Signing",
"9101,6,500,github_actions_exporter,",
"138,17,0,launchd,Software Signing",
"138,17,222,netbiosd,Software Signing",
"16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)",
"17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)",
"2112,6,500,fake,",
"49152,6,0,AirPlayXPCHelper,Software Signing",
"49152,6,500,Music,Software Signing",
"22000,6,500,syncthing,",
"2112,6,500,rekor-server,",
"22,6,0,launchd,Software Signing",
"22000,6,500,syncthing,",
"24678,6,500,node,",
"2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)",
"33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"3306,6,500,mariadbd,",
"3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)",
"41949,6,500,IPNExtension,Apple Mac OS Application Signing",
"43398,6,500,IPNExtension,Apple Mac OS Application Signing",
"443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)",
"45972,6,500,IPNExtension,Apple Mac OS Application Signing",
"49152,6,0,AirPlayXPCHelper,Software Signing",
"49152,6,0,AirPlayXPCHelper,Software Signing",
"49152,6,0,launchd,Software Signing",
"2112,6,500,rekor-server,",
"49152,6,0,remoted,Software Signing",
"49152,6,0,remotepairingdeviced,Software Signing",
"49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)",
"49152,6,500,GarageBand,Apple Mac OS Application Signing",
"49152,6,500,IPNExtension,Apple Mac OS Application Signing",
"49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)",
"49152,6,500,Music,Software Signing",
"49152,6,500,node,",
"49152,6,500,rapportd,Software Signing",
"49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)",
"49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)",
"49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)",
"49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)",
"49152,6,500,telepresence,",
"49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)",
"49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)",
"5000,6,500,ControlCenter,Software Signing",
"5060,6,500,CommCenter,Software Signing",
"546,17,0,configd,Software Signing",
"5900,6,0,launchd,Software Signing",
"5900,6,0,screensharingd,Software Signing",
"6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)",
"631,6,0,cupsd,Software Signing",
"80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)",
"68,17,0,configd,Software Signing",
"7000,6,500,ControlCenter,Software Signing",
"80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)",
"8770,6,500,sharingd,Software Signing",
"443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)",
"88,6,0,kdc,Software Signing",
"8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
@ -107,6 +110,7 @@ WHERE
"8832,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)",
"9101,6,500,github_actions_exporter,",
"8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)"
)
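Review bot: Several entries that appear to be on the new side of this re-sorted list are keyed with an empty signing-authority field, for example `"2112,6,500,fake,"`, `"24678,6,500,node,"`, `"49152,6,500,node,"` and `"9101,6,500,github_actions_exporter,"`; with no authority and no path in the key, any unsigned process that adopts that name and port clears the exception, so each deserves a comment on why an unsigned listener is expected. The three IPNExtension entries on ports 41949, 43398 and 45972 look like ephemeral ports and will keep growing one line per run; a port-range clause of the kind added for Minecraft in the outbound-connection query later in this commit would be more stable. `"49152,6,0,AirPlayXPCHelper,Software Signing"` appears on two consecutive lines and `"22000,6,500,syncthing,"` twice as well; if both copies are on the new side one is redundant. The exception_key list continues past the hunk.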
AND NOT (


@ -224,6 +224,7 @@ WHERE protocol > 0
"443,6,500,terraform",
"443,6,500,tkn",
"443,6,500,trivy",
"443,6,0,systemctl",
"443,6,500,vcluster",
"443,6,500,vim",
"443,6,500,WebKitNetworkPr",


@ -54,7 +54,7 @@ WHERE protocol > 0
AND p.path NOT LIKE "/opt/homebrew/Cellar/%/bin/%"
AND p.path NOT LIKE "/usr/libexec/%"
AND p.path NOT LIKE "/usr/sbin/%"
AND p.path NOT LIKE "/private/var/folders/%/go-build%/exe/%"
AND p.path NOT LIKE "/private/var/folders/%/go-build%/%"
AND NOT (
remote_port = 53
AND protocol IN (6, 17)
@ -118,7 +118,9 @@ WHERE protocol > 0
"22,6,500,ssh,com.apple.openssh,Software Signing",
"22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
"22,6,500,ssh,ssh,",
"30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"3307,6,500,cloud_sql_proxy,a.out,",
"43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)",
"443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
@ -126,14 +128,19 @@ WHERE protocol > 0
"443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,17,500,Slack Helper,,",
"443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing",
"443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)",
"443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)",
"443,6,0,nix,nix,",
"443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,,,",
"443,6,500,,,",
"443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"443,6,500,bash,bash,",
"443,6,500,chainctl_Darwin_arm64,a.out,",
"443,6,500,chainctl,,",
"443,6,500,chainctl,a.out,",
"443,6,500,civo,a.out,",
"443,6,500,cloud_sql_proxy,a.out,",
"443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
@ -141,73 +148,74 @@ WHERE protocol > 0
"443,6,500,cosign,a.out,",
"443,6,500,crane,,",
"443,6,500,crane,a.out,",
"80,6,500,webhook.test,a.out,",
"443,6,500,,,",
"443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing",
"443,6,500,ctclient,a.out,",
"443,6,500,curl,com.apple.curl,Software Signing",
"443,6,500,docker-credential-gcr,a.out,",
"443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)",
"443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,emacs-28.2,emacs-28.2,",
"443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing",
"443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)",
"443,6,500,gh,a.out,",
"443,6,500,gh,gh,",
"443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
"443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,",
"443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing",
"443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,",
"443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,",
"443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,",
"443,6,500,git,com.apple.git,Software Signing",
"443,6,500,gitsign,,",
"443,6,500,gitsign,gitsign,",
"443,6,500,git,git,",
"80,6,500,curl,com.apple.curl,Software Signing",
"443,6,500,gitsign,,",
"443,6,500,gitsign,a.out,",
"443,6,500,gitsign,gitsign,",
"443,6,500,go,a.out,",
"443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)",
"443,6,500,helm,a.out,",
"443,6,500,istioctl,a.out,",
"443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
"443,6,500,ko,a.out,",
"443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
"443,6,500,kubectl,,",
"443,6,500,civo,a.out,",
"443,6,500,kubectl,a.out,",
"443,6,500,,,",
-- No process, but at least it's a reasonable protocol
"443,6,500,gh,a.out,",
"443,6,500,limactl,,",
"443,6,500,main,a.out,",
"80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
"443,6,500,melange,a.out,",
"443,6,500,minikube,,",
"443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)",
"443,6,500,nix,nix,",
"443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)",
"443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,prober,a.out,",
"443,6,500,pulumi-resource-gcp,a.out,",
"443,6,500,pulumi-resource-github,a.out,",
"443,6,500,Python,com.apple.python3,Software Signing",
"443,6,500,Python,org.python.python,",
"443,6,500,Python,Python,",
"443,6,500,python2.7,python2.7,",
"443,6,500,python3.10,python3.10,",
"443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
"443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing",
"443,6,500,scorecard-darwin-amd64,,",
"443,6,500,Slack Helper,,",
"443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing",
"443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)",
"443,6,500,step,step,",
"443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)",
"443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
"443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
"443,6,500,vegeta,a.out,",
"443,6,500,vim,vim,",
"443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
"443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)",
"443,6,500,zsh,com.apple.zsh,Software Signing",
"53,17,500,docker-credential-gcr,a.out,",
"6000,6,500,ssh,,",
"443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
"6000,6,500,ssh,com.apple.openssh,Software Signing",
"6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
"80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing",
"80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)"
"80,6,500,curl,com.apple.curl,Software Signing",
"80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
"80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)",
"80,6,500,webhook.test,a.out,"
) -- nix-shell infects children with open connections
AND NOT (
parent_cmd LIKE "%/tmp/nix-shell%"
@ -263,6 +271,10 @@ WHERE protocol > 0
p.name IN ("Mail", "thunderbird", "Spark", "Notes")
AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
)
AND NOT (
parent_path = "/Applications/Minecraft.app/Contents/MacOS/launcher"
AND remote_port > 30000
)
AND NOT (
p.name IN ("Spotify Helper", "Spotify")
AND remote_port IN (53, 443, 8009, 4070, 32211)
@ -290,6 +302,6 @@ WHERE protocol > 0
)
AND NOT (
remote_port IN (53, 443)
AND p.path LIKE "/private/var/folders/%/T/GoLand/%.test"
AND p.path LIKE "/private/var/folders/%/T/GoLand/%"
)
GROUP BY s.pid
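Review bot: `"443,6,500,,,"` now appears to be listed twice at the head of the 443 block and once more further down next to the `-- No process, but at least it's a reasonable protocol` comment, and the re-sort separates that comment from the entry it explains; since this key matches any uid-500 TCP/443 connection with no process name, bundle id or authority it is the broadest exception in the list, and it should appear once with its comment adjacent. Two patterns in this section were also widened: `"/private/var/folders/%/go-build%/%"` no longer requires the `/exe/` segment and `"/private/var/folders/%/T/GoLand/%"` no longer requires a `.test` suffix, so anything under those temp directories is now exempt rather than only compiled test binaries; a comment naming what else was observed there would justify the broader match. The exception list and WHERE clause continue outside the hunks.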


@ -9,87 +9,91 @@ SELECT
hash.sha256,
p.disk_bytes_written,
p.cwd,
(strftime('%s', 'now') - start_time) AS age,
disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
(strftime("%s", "now") - start_time) AS age,
disk_bytes_written / (strftime("%s", "now") - start_time) AS bytes_per_second
FROM
processes p
LEFT JOIN hash ON p.path = hash.path
WHERE
bytes_per_second > 2000000
AND age > 120
AND pid > 2
AND p.path NOT IN (
'/bin/bash',
'/usr/bin/aptd',
'/usr/bin/bash',
'/usr/bin/bwrap',
'/usr/bin/curl',
'/usr/bin/fish',
'/usr/bin/gnome-shell',
'/usr/bin/qemu-system-x86_64',
'/usr/bin/yay',
'/usr/bin/zsh',
'/usr/lib/flatpak-system-helper',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd',
'/usr/lib64/thunderbird/thunderbird',
'/usr/libexec/coreduetd',
'/usr/libexec/coreduetd',
'/usr/libexec/packagekitd',
'/usr/libexec/rosetta/oahd',
'/usr/libexec/secd',
'/usr/libexec/sharingd',
'/usr/sbin/screencapture'
"/bin/bash",
"/usr/bin/aptd",
"/usr/bin/bash",
"/usr/bin/bwrap",
"/usr/bin/curl",
"/usr/bin/fish",
"/usr/bin/gnome-shell",
"/usr/bin/qemu-system-x86_64",
"/usr/bin/yay",
"/usr/bin/zsh",
"/usr/lib/flatpak-system-helper",
"/usr/lib/systemd/systemd-journald",
"/usr/lib/systemd/systemd",
"/usr/lib64/thunderbird/thunderbird",
"/usr/libexec/coreduetd",
"/usr/libexec/coreduetd",
"/usr/libexec/packagekitd",
"/usr/libexec/rosetta/oahd",
"/usr/libexec/secd",
"/usr/libexec/sharingd",
"/usr/sbin/screencapture"
)
AND NOT (
name LIKE "jbd%/dm-%"
AND on_disk = -1
)
AND NOT (
name = 'bindfs'
AND cmdline LIKE 'bindfs -f -o fsname=%'
name = "bindfs"
AND cmdline LIKE "bindfs -f -o fsname=%"
)
AND NOT (
name = 'btrfs-transaction'
name = "btrfs-transaction"
AND on_disk = -1
)
AND NOT (
name = 'kernel_task'
AND p.path = ''
name = "kernel_task"
AND p.path = ""
AND parent IN (0, 1)
AND on_disk = -1
)
AND NOT (
name = 'launchd'
AND p.path = '/sbin/launchd'
name = "launchd"
AND p.path = "/sbin/launchd"
AND parent = 0
)
AND NOT (
name = 'logd'
AND cmdline = '/usr/libexec/logd'
name = "logd"
AND cmdline = "/usr/libexec/logd"
AND parent = 1
)
AND NOT (
name = 'aptd'
AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
name = "aptd"
AND cmdline = "/usr/bin/python3 /usr/sbin/aptd"
)
AND NOT name IN (
'chrome',
'com.apple.MobileSoftwareUpdate.UpdateBrainService',
'containerd',
'esbuild',
'firefox',
'go',
'goland',
'gopls',
'jetbrains-toolb',
'slack',
'slack',
'wineserver'
"chrome",
"com.apple.MobileSoftwareUpdate.UpdateBrainService",
"containerd",
"esbuild",
"firefox",
"go",
"goland",
"java",
"launcher",
"gopls",
"jetbrains-toolb",
"slack",
"slack",
"wineserver"
)
AND p.path NOT LIKE '/Applications/%.app/Contents/%'
AND p.path NOT LIKE '/home/%/.local/share/Steam'
AND p.path NOT LIKE '/nix/store/%/bin/%sh'
AND p.path NOT LIKE '/nix/store/%/bin/nix'
AND p.path NOT LIKE '/System/Applications/%'
AND p.path NOT LIKE '/System/Library/%'
AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND p.path NOT LIKE "/Applications/%.app/Contents/%"
AND p.path NOT LIKE "/home/%/.local/share/Steam"
AND p.path NOT LIKE "/nix/store/%/bin/%sh"
AND p.path NOT LIKE "/nix/store/%/bin/nix"
AND p.path NOT LIKE "/System/Applications/%"
AND p.path NOT LIKE "/System/Library/%"
AND p.path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND p.path NOT LIKE "/nix/store/%kolide-launcher-%/bin/launcher"
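Review bot: `"java"` and `"launcher"` are added to the name-only `NOT name IN` list, and `launcher` in particular is a generic name any binary can carry, so a process called launcher writing more than 2 MB/s is now invisible regardless of path or signature; the path-based line added at the end, `AND p.path NOT LIKE "/nix/store/%kolide-launcher-%/bin/launcher"`, already covers the nix-installed Kolide launcher, so the name entry looks redundant and could be dropped. The same applies to `java`, where a path-based entry would be narrower than the bare name. The two new names are inserted between `goland` and `gopls`, breaking the alphabetical order the rest of the list follows, and `"/usr/libexec/coreduetd"` and `"slack"` are still each listed twice. The SELECT begins before the hunk.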


@ -31,6 +31,7 @@ WHERE
'qemu-system-x86-64',
'qemu-system-x86',
'slack',
'java',
'wineserver',
'nix',
'ykman-gui',


@ -44,6 +44,7 @@ WHERE
"/usr/bin/dbus-broker",
"/usr/bin/fusermount3",
"/usr/bin/gjs-console",
"/usr/bin/dbus-daemon",
"/usr/bin/gnome-software",
"/usr/bin/python3.10",
"/usr/bin/gnome-shell",


@ -43,6 +43,7 @@ WHERE
OR cmd LIKE "/Library/Application Support/Logitech.localized/%"
OR cmd LIKE "/Library/Developer/CommandLineTools/%"
OR cmd LIKE "/opt/homebrew/Cellar/%"
OR p.path LIKE "/opt/homebrew/Cellar/%"
OR cmd LIKE "/opt/homebrew/opt/%"
OR cmd LIKE "/private/var/folders/%/Visual Studio Code.app/Contents/%"
OR cmd LIKE "/Users/%/homebrew/opt/mysql/bin/%"


@ -40,6 +40,7 @@ WHERE short_filename != short_name
"name=file,file=firefox,500",
"name=firefox-wrappe,file=firefox,500",
"name=firewalld,file=python3,0",
"name=gjs,file=gjs-console,120",
"name=gjs,file=gjs-console,500",
"name=gnome-characte,file=gjs-console,500",
"name=gnome-character,file=gjs-console,500",
@ -64,6 +65,7 @@ WHERE short_filename != short_name
"name=streamdeck,file=python3,500",
"name=systemd-udevd,file=udevadm,0",
"name=terminator,file=python3,500",
"name=Thunar,file=thunar,500",
"name=unattended-upg,file=python3,0",
"name=Utility,file=firefox,500",
"name=vi,file=nvim,500",
@ -73,7 +75,6 @@ WHERE short_filename != short_name
"name=X,file=Xorg,0",
"name=zfs-auto-snaps,file=ruby,0",
"name=zoom,file=ZoomLauncher,500"
)
AND NOT (
short_filename = "systemd"


@ -1,3 +1,7 @@
-- Programs who were recently written to disk, based on btime (macOS) or ctime (Linux)
--
-- NOTE: ctime
SELECT p.pid,
p.path,
p.name,
@ -7,6 +11,7 @@ SELECT p.pid,
p.parent,
f.directory,
f.ctime,
f.btime,
f.mtime,
p.start_time,
pp.path AS parent_path,
@ -23,13 +28,14 @@ FROM processes p
LEFT JOIN hash AS ph ON pp.path = ph.path
WHERE p.start_time > 0
AND f.ctime > 0 -- Only process programs that had an inode modification within the last 3 minutes
AND (p.start_time - f.ctime) < 180
AND p.start_time >= f.ctime
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
AND p.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN (
"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS",
"/Applications/Grammarly Desktop.app/Contents/MacOS",
"/Applications/Opal.app/Contents/Library/LaunchServices",
"/Applications/Opal.app/Contents/MacOS",
"/usr/local/kolide-k2/bin",
"/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS",
"/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS",
@ -45,6 +51,7 @@ WHERE p.start_time > 0
"/Applications/Spotify.app/Contents/MacOS",
"/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS",
"/Applications/Stream Deck.app/Contents/MacOS",
"/Library/Developer/CommandLineTools/usr/bin",
"/Applications/Tailscale.app/Contents/MacOS",
"/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS",
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS",
@ -70,6 +77,7 @@ WHERE p.start_time > 0
"/usr/bin/containerd",
"/usr/bin/dockerd",
"/usr/bin/obs",
"/Library/PrivilegedHelperTools/com.docker.vmnetd",
"/usr/lib/at-spi-bus-launcher",
"/usr/lib/at-spi2-registryd",
"/usr/lib/fwupd/fwupd",
@ -77,14 +85,15 @@ WHERE p.start_time > 0
"/usr/lib/slack/slack",
"/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page",
"/usr/libexec/fwupd/fwupd",
"/usr/lib/xf86-video-intel-backlight-helper",
"/usr/libexec/sssd/sssd_kcm",
"/usr/sbin/cupsd",
"/usr/sbin/tailscaled"
)
AND NOT p.path LIKE "/Applications/%.app/%"
AND NOT p.path LIKE "/home/%/%.test"
AND NOT p.path LIKE "/home/%/bin/%"
AND NOT p.path LIKE "/home/%/terraform-provider-%"
AND NOT p.path LIKE "/home/%$/%.test"
AND NOT p.path LIKE "/Library/Apple/System/%"
AND NOT p.path LIKE "/Library/Application Support/Adobe/Adobe Desktop Common/%"
AND NOT p.path LIKE "/Library/Application Support/Logitech.localized/%"
@ -98,15 +107,17 @@ WHERE p.start_time > 0
AND NOT p.path LIKE "/private/var/folders/%/bin/%"
AND NOT p.path LIKE "/private/var/folders/%/go-build%"
AND NOT p.path LIKE "/private/var/folders/%/GoLand/%"
AND NOT p.path LIKE "/Users/%/%.test"
AND NOT p.path LIKE "/Users/%/bin/%"
AND NOT p.path LIKE "/Users/%/code/%"
AND NOT p.path LIKE "/Users/%/Library/Application Support/%/Contents/MacOS/%"
AND NOT p.path LIKE "/Users/%/Library/Application Support/iTerm2/iTermServer-%"
AND NOT p.path LIKE "/Users/%/Library/Caches/company.thebrowser.Browser/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS/Updater"
AND NOT p.path LIKE "/Users/%/Library/Caches/%/Contents/MacOS/%"
AND NOT p.path LIKE "/Users/%/Library/Google/%.bundle/Contents/Helpers/%"
AND NOT p.path LIKE "/Users/%/Library/Mobile Documents/%/Contents/Frameworks%"
AND NOT p.path LIKE "/Users/%/terraform-provider-%"
AND NOT p.path LIKE "/Users/%$/%.test"
AND NOT p.path LIKE "/usr/local/bin/%"
AND NOT p.path LIKE "/usr/local/Cellar/%"
AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND NOT p.path LIKE "%-go-build%"
AND NOT p.path LIKE "%/.vscode/extensions/%"
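Review bot: `AND p.start_time >= MAX(f.ctime, f.ctime)` in the third hunk compares ctime with itself, so the lower bound ignores btime while the line directly above it uses `MAX(f.ctime, f.btime)`; it should read `AND p.start_time >= MAX(f.ctime, f.btime)`. The new file header ends in a dangling `-- NOTE: ctime` with no content, and the inline comment `-- Only process programs that had an inode modification within the last 3 minutes` now understates the condition, which also considers btime. The two `%.test` patterns that gain a `$` (`"/home/%$/%.test"`, `"/Users/%$/%.test"`) treat `$` as a literal character in LIKE, so they only match when a directory name ends in `$`; if the intent was to keep matching any test binary under a home directory, the `/home/%/%.test` form printed beside them does that. The WHERE clause continues past the last hunk.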


@ -56,6 +56,7 @@ WHERE
OR p.cmdline LIKE "%application/json%"
OR p.cmdline LIKE "%grpcurl%"
OR p.cmdline LIKE "%Homebrew%"
OR p.cmdline LIKE "%Nixpkgs/%"
OR p.cmdline LIKE "%If-None-Match%"
OR p.cmdline LIKE "%ctlog%"
OR p.cmdline LIKE "%.well-known/openid-configuration%"


@ -82,6 +82,7 @@ WHERE
AND dirname NOT LIKE "/Users/%"
AND dirname NOT LIKE "/usr/libexec/%"
AND dirname NOT LIKE "/usr/local/%"
AND dirname NOT LIKE "/Volumes/com.getdropbox.dropbox-%"
AND NOT (
dirname LIKE "/private/var/%"
AND p.name LIKE "pulumi-go.%"


@ -21,9 +21,11 @@ WHERE
"/opt/1Password/1Password-BrowserSupport",
"/opt/1Password/1Password-KeyringHelper",
"/usr/bin/doas",
"/usr/lib/xf86-video-intel-backlight-helper",
"/usr/bin/mount",
"/usr/bin/fusermount",
"/usr/bin/fusermount3",
"/usr/sbin/traceroute",
"/usr/bin/login",
"/usr/bin/ssh-agent",
"/usr/bin/su",


@ -44,6 +44,7 @@ WHERE
"monorail",
"nix-daemon",
"nix",
"nix-build",
"package_script_service",
"node",
"nvim",
@ -64,6 +65,7 @@ WHERE
"vim",
"watch",
"wezterm-gui",
"sshd",
"xargs",
"xcrun",
"xfce4-terminal",
@ -105,6 +107,10 @@ WHERE
pp.name = "bash"
AND p.cmdline LIKE "sh -s _hostname %"
)
AND NOT (
pp.cmdline LIKE "perl%/help2man%"
AND p.cmdline LIKE "sh -c man/%"
)
AND NOT p.cmdline LIKE "%/Library/Apple/System/Library/InstallerSandboxes%"
AND NOT p.cmdline LIKE "%gcloud config config-helper%"
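Review bot: `"sshd"` is added to the name list in the second hunk between `wezterm-gui` and `xargs`, out of the alphabetical order the rest of the list keeps. If, as the surrounding `pp.name`/`p.cmdline` exceptions suggest, this list names parents for which a child shell is expected, adding sshd exempts every remote interactive login and every forced command from the query, which is a broad carve-out for a name-only match; a narrower form would pair it with a `pp.cmdline` or `p.cmdline` pattern for the login case that was the false positive, or at least a comment recording which sshd child triggered it. The list and the enclosing WHERE clause extend beyond the hunk.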


@ -83,6 +83,7 @@ WHERE
AND dirname NOT LIKE "/Users/%"
AND dirname NOT LIKE "/usr/libexec/%"
AND dirname NOT LIKE "/usr/local/%"
AND dirname NOT LIKE "/Volumes/com.getdropbox.dropbox-%"
-- Unexplained data issue
AND dirname NOT LIKE "../%"
AND p.path NOT IN (
@ -99,6 +100,8 @@ WHERE
)
-- Nix
AND parent_path NOT LIKE "/nix/store/%"
-- Homebrew and other compilations
AND parent_cmd NOT LIKE "%./configure%"
-- Pulumi executables are often executed from $TMPDIR
AND NOT (
dirname LIKE "/private/var/%"
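Review bot: `AND parent_cmd NOT LIKE "%./configure%"` is a substring match on a command line the parent process chooses for itself, so any process whose arguments contain `./configure` is exempt, not only autotools builds; this is looser than the neighbouring `parent_path NOT LIKE "/nix/store/%"` and than the Pulumi block below, which pairs a dirname test with a name test. Combining it with a `dirname` or `parent_path` condition, or at least a comment naming the build that produced the false positive, would keep the exclusion scoped. The WHERE clause continues outside the hunk.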


@ -70,7 +70,9 @@ WHERE
"bluetooth.service,Bluetooth service,,700",
"bluetooth.target,Bluetooth Support,,400",
"bolt.service,Thunderbolt system service,,600",
"systemd-vconsole-setup.service,Setup Virtual Console,,700",
"chronyd.service,NTP client/server,,1500",
"plocate-updatedb.service,Update the plocate database,,200",
"colord.service,Manage, Install and Generate Color Profiles,colord,200",
"console-setup.service,Set console font and keymap,,300",
"containerd.service,containerd container runtime,,1200",


@ -27,6 +27,7 @@ WHERE
"Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)",
"Developer ID Application: Foxit Corporation (8GN47HTP75)",
"Developer ID Application: Google LLC (EQHXZ8M8AV)",
"Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
"Developer ID Application: Keybase, Inc. (99229SGT5K)",
"Developer ID Application: Kolide Inc (YZ3EM74M78)",
"Developer ID Application: Logitech Inc. (QED4VVPZWA)",