linux talkers: Treat /snap as /opt
This commit is contained in:
parent
6624c8c620
commit
ad832bc280
@ -8,8 +8,7 @@
|
|||
--
|
||||
-- tags: transient state net rapid
|
||||
-- platform: linux
|
||||
SELECT
|
||||
s.remote_address,
|
||||
SELECT s.remote_address,
|
||||
p.name,
|
||||
p.path,
|
||||
p.cmdline AS child_cmd,
|
||||
|
@ -24,11 +23,14 @@ SELECT
|
|||
MIN(p.euid, 500),
|
||||
',',
|
||||
REPLACE(
|
||||
REGEX_MATCH (p.path, '(/.*?)/', 1),
|
||||
'/nix',
|
||||
'/usr'
|
||||
),
|
||||
'/',
|
||||
REPLACE(
|
||||
REGEX_MATCH (p.path, '(/.*?)/', 1),
|
||||
'/nix',
|
||||
'/usr'
|
||||
),
|
||||
'/snap',
|
||||
'/opt'
|
||||
) '/',
|
||||
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
|
||||
',',
|
||||
MIN(f.uid, 500),
|
||||
|
@ -37,14 +39,12 @@ SELECT
|
|||
'g,',
|
||||
p.name
|
||||
) AS exception_key
|
||||
FROM
|
||||
process_open_sockets s
|
||||
FROM process_open_sockets s
|
||||
LEFT JOIN processes p ON s.pid = p.pid
|
||||
LEFT JOIN processes pp ON p.parent = pp.pid
|
||||
LEFT JOIN file f ON p.path = f.path
|
||||
LEFT JOIN hash ON p.path = hash.path
|
||||
WHERE
|
||||
protocol IN (6, 17)
|
||||
WHERE protocol IN (6, 17)
|
||||
AND s.remote_port = 443
|
||||
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
|
||||
AND s.remote_address NOT LIKE 'fe80:%'
|
||||
|
@ -61,10 +61,9 @@ WHERE
|
|||
AND p.path != ''
|
||||
AND NOT exception_key IN (
|
||||
'0,/usr/dockerd,0u,0g,dockerd',
|
||||
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-', -- fedoraproject.org
|
||||
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
|
||||
'0,/usr/launcher,0u,0g,launcher',
|
||||
'0,/usr/packagekitd,0u,0g,packagekitd',
|
||||
'0,/usr/packagekitd,0u,0g,packagekitd', -- Google
|
||||
'0,/usr/tailscaled,0u,0g,tailscaled',
|
||||
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
'500,/app/slack,u,g,slack',
|
||||
|
@ -73,24 +72,21 @@ WHERE
|
|||
'500,/ko-app/chainctl,u,g,chainctl',
|
||||
'500,/ko-app/controlplane,u,g,controlplane',
|
||||
'500,/opt/chrome,0u,0g,chrome',
|
||||
'500,/opt/firefox,0u,0g,firefox',
|
||||
'500,/opt/slack,0u,0g,slack',
|
||||
'500,/opt/spotify,0u,0g,spotify',
|
||||
'500,/snap/firefox,0u,0g,firefox',
|
||||
'500,/snap/slack,0u,0g,slack',
|
||||
'500,/usr/chrome,0u,0g,chrome',
|
||||
'500,/usr/code,0u,0g,code',
|
||||
'500,/usr/curl,0u,0g,curl',
|
||||
'500,/usr/firefox,0u,0g,firefox',
|
||||
'500,/usr/firefox,0u,0g,.firefox-wrappe',
|
||||
'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', -- fedoraproject.org
|
||||
'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
|
||||
'500,/usr/geoclue,0u,0g,geoclue',
|
||||
'500,/usr/gitsign,0u,0g,gitsign',
|
||||
'500,/usr/gnome-software,0u,0g,gnome-software',
|
||||
'500,/usr/kubectl,500u,500g,kubectl',
|
||||
'500,/usr/slack,0u,0g,slack',
|
||||
'500,/usr/syncthing,0u,0g,syncthing'
|
||||
)
|
||||
-- stay weird, NixOS (Fastly nix mirror)
|
||||
) -- stay weird, NixOS (Fastly nix mirror)
|
||||
AND NOT child_cmd = '/run/current-system/sw/bin/bash'
|
||||
|
||||
GROUP BY
|
||||
p.cmdline
|
||||
GROUP BY p.cmdline
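Review bot: The new line `) '/',` that closes the outer REPLACE in the exception_key CONCAT appears to have lost the comma between the REPLACE(...) result and the '/' literal; unless that is a rendering artifact of this page, SQLite will reject the whole statement with a syntax error near '/', and a detection query that does not parse produces no rows rather than alerts. It should read `),` with `'/',` on its own line, as the single `/nix` → `/usr` REPLACE did before this commit. Because the fold now makes one `/opt/<app>` exception match both `/opt/...` and `/snap/...` binaries, the outer REPLACE deserves a why-comment, e.g. `-- snaps live under /snap/<pkg>/<rev>/...; fold them into /opt so the /opt/<app> exceptions cover both layouts` (the hunk shows the fold but not the reason, so adjust the wording to the actual intent). Dropping the two `/snap/...` entries from the exception list is consistent with that fold, since `/opt/firefox` and `/opt/slack` remain.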
@ -8,8 +8,7 @@
|
|||
--
|
||||
-- tags: transient state net rapid
|
||||
-- platform: linux
|
||||
SELECT
|
||||
s.remote_address,
|
||||
SELECT s.remote_address,
|
||||
p.name,
|
||||
p.path,
|
||||
p.cmdline AS child_cmd,
|
||||
|
@ -28,11 +27,14 @@ SELECT
|
|||
MIN(p.euid, 500),
|
||||
',',
|
||||
REPLACE(
|
||||
REGEX_MATCH (p.path, '(/.*?)/', 1),
|
||||
'/nix',
|
||||
'/usr'
|
||||
),
|
||||
'/',
|
||||
REPLACE(
|
||||
REGEX_MATCH (p.path, '(/.*?)/', 1),
|
||||
'/nix',
|
||||
'/usr'
|
||||
),
|
||||
'/snap',
|
||||
'/opt'
|
||||
) '/',
|
||||
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
|
||||
',',
|
||||
MIN(f.uid, 500),
|
||||
|
@ -41,21 +43,17 @@ SELECT
|
|||
'g,',
|
||||
p.name
|
||||
) AS exception_key
|
||||
FROM
|
||||
process_open_sockets s
|
||||
FROM process_open_sockets s
|
||||
LEFT JOIN processes p ON s.pid = p.pid
|
||||
LEFT JOIN processes pp ON p.parent = pp.pid
|
||||
LEFT JOIN file f ON p.path = f.path
|
||||
LEFT JOIN hash ON p.path = hash.path
|
||||
WHERE
|
||||
protocol > 0
|
||||
AND s.remote_port > 0
|
||||
-- See unexpected-https-client
|
||||
WHERE protocol > 0
|
||||
AND s.remote_port > 0 -- See unexpected-https-client
|
||||
AND NOT (
|
||||
s.remote_port = 443
|
||||
AND protocol IN (6, 17)
|
||||
)
|
||||
-- See unexpected-dns-traffic
|
||||
) -- See unexpected-dns-traffic
|
||||
AND NOT (
|
||||
s.remote_port = 53
|
||||
AND protocol IN (6, 17)
|
||||
|
@ -85,14 +83,14 @@ WHERE
|
|||
'22,6,500,/usr/ssh,0u,0g,ssh',
|
||||
'4070,6,500,/opt/spotify,0u,0g,spotify',
|
||||
'5228,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'5228,6,500,/usr/chrome,0u,0g,chrome', -- Android Market/GCM
|
||||
'5228,6,500,/usr/chrome,0u,0g,chrome',
|
||||
'8000,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'8000,6,500,/usr/firefox,0u,0g,firefox',
|
||||
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager', -- fedoraproject.org
|
||||
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
|
||||
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
|
||||
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
||||
'80,6,500,/opt/chrome,0u,0g,chrome',
|
||||
'80,6,500,/snap/firefox,0u,0g,firefox',
|
||||
'80,6,500,/opt/firefox,0u,0g,firefox',
|
||||
'80,6,500,/usr/curl,0u,0g,curl',
|
||||
'80,6,500,/usr/firefox,0u,0g,firefox',
|
||||
'8080,6,500,/opt/chrome,0u,0g,chrome',
|
||||
|
@ -107,5 +105,4 @@ WHERE
|
|||
AND s.protocol = 6
|
||||
AND p.euid > 500
|
||||
)
|
||||
GROUP BY
|
||||
p.cmdline
|
||||
GROUP BY p.cmdline
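Review bot: The same `) '/',` line lands in this file's exception_key CONCAT, so the missing comma between the outer REPLACE(...) and the '/' literal — if it is not a page-rendering artifact — breaks this query's parse as well; it should be `),` followed by `'/',`. Separately, the rewritten `WHERE protocol > 0` leaves `protocol` unqualified while the rest of the clause uses `s.remote_port` and the tail of the file uses `s.protocol = 6`; writing `s.protocol > 0` here (and `s.protocol IN (6, 17)` in the two NOT blocks) keeps the column reference unambiguous if any other joined table ever gains a `protocol` column. The port-80 `/snap/firefox` exception correctly became `/opt/firefox`, matching the new fold.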