More tuning

file/unexpected-dev-entries.sql

@@ -7,4 +7,5 @@ WHERE (
         OR path LIKE "/dev/%/.%"
         OR path LIKE "/dev/mqueue/%"
 )
-AND filename NOT IN ('.', '..')
+AND filename NOT IN ('.', '..')
+OR filename LIKE "pulse-shm-%"

file/unexpected-tmp-executables.sql

@@ -1,4 +1,4 @@
-SELECT * FROM file WHERE
+SELECT path, uid, gid, mode, strftime('%s', 'now') - ctime AS mtime_age, FROM file WHERE
 (path LIKE "/tmp/%%" OR path LIKE "/var/tmp/%%")
 AND type = "regular"
 AND mode LIKE "07%"
@@ -11,3 +11,9 @@ AND PATH NOT LIKE "%/tmp/epdf%"
 AND PATH NOT LIKE "%/pdf-tools/%"
 AND PATH NOT LIKE "/tmp/%.sh"
 AND PATH NOT LIKE "/tmp/terraformer/%"
+AND PATH NOT LIKE "/tmp/checkout/%"
+AND PATH NOT LIKE "/tmp/guile-%/guile-%"
+-- Nix
+AND NOT (directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
+-- Don't alert if it's only on disk for a moment
+AND NOT (directory LIKE "/tmp/%" AND mtime_age < 60)

listening_ports/unexpected-listeners.sql

@@ -1,4 +1,4 @@
-SELECT *
+SELECT lp.address, lp.port, lp.protocol, p.pid, p.name, p.path, p.cmdline
 FROM listening_ports lp
     JOIN processes p ON lp.pid = p.pid
 WHERE port != 0
@@ -16,6 +16,7 @@ WHERE port != 0
     AND NOT (p.name='Brackets-node' AND lp.port=8123 AND lp.protocol=6)
     AND NOT (p.name='chrome' AND lp.port>32000 AND lp.protocol IN (6,17))
     AND NOT (p.name='code' AND p.cwd='/' AND lp.port=43233 AND lp.protocol=6)
+    AND NOT (p.name='code' AND p.cmdline LIKE "%extensionHost%" AND lp.port>32000 AND lp.protocol=6)
     AND NOT (p.name='containerd' AND p.cwd='/' AND lp.port=10010 AND lp.protocol=6)
     AND NOT (p.name='controlplane' AND p.cwd='/' AND lp.port IN (8008,8443) AND lp.protocol=6)
     AND NOT (p.name='coredns' AND p.cwd='/' AND lp.port IN (8181,8080,9153,53) AND lp.protocol=6)

process_envs/unexpected-env-values.sql

@@ -11,6 +11,7 @@ WHERE key = 'HISTFILE'
     OR (
         key = 'HOME'
         AND NOT value LIKE '/home/%'
+        AND NOT value LIKE "/private/tmp/%/.brew_home"
         AND NOT value LIKE "/var/lib/%"
         AND NOT value LIKE "/Users/%"
         AND NOT value IN ('/root', '/var/spool/cups/tmp', '/var/empty', '/var/db/cmiodalassistants', '/run/systemd' '/')

process_open_sockets/unexpected-talkers.sql

@@ -1,7 +1,8 @@
 SELECT
-  s.state, s.family, s.socket, protocol, s.local_port, s.remote_port, s.local_address, s.remote_address, p.name, p.path, p.cmdline, p.cwd, s.fd, s.pid, s.net_namespace
+  s.family, protocol, s.local_port, s.remote_port, s.local_address, s.remote_address, p.name, p.path, p.cmdline AS child_cmd, p.cwd, s.pid, s.net_namespace, pp.cmdline AS parent_cmd
 FROM process_open_sockets s
 JOIN processes p ON s.pid = p.pid
+JOIN processes pp ON pp.pid = p.parent
 WHERE protocol > 0
 AND s.remote_port > 0
 AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
@@ -35,6 +36,7 @@ AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
 AND NOT (p.path = '/usr/bin/dnf' AND remote_port IN (80,443))
 AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
 AND NOT (p.path = '/usr/bin/sample' AND remote_port = 443)
+AND NOT (p.path = '/usr/lib/snapd/snapd' AND remote_port = 443)
 AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
 AND NOT (p.path = '/usr/libexec/timed' AND remote_port = 123)
 AND NOT (p.name = 'chronyd' AND remote_port = 123)
@@ -45,7 +47,7 @@ AND NOT (p.path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
 AND NOT (p.path LIKE '/Users/%/.cache/trunk/cli/%/trunk' AND remote_port=443 AND s.protocol=6)
 AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=443 AND protocol=6)
 AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=9000 AND protocol=17)
-AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80))
+AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80) OR remote_port > 1024)
 AND NOT (p.path LIKE '%/NetworkManager' AND remote_port IN (67,80))
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port > 32000)
@@ -57,6 +59,7 @@ AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServi
 AND NOT (p.path='/System/Library/PrivateFrameworks/ApplePushService.framework/apsd' AND p.cwd='/' AND remote_port=5223 AND protocol=6)
 AND NOT (p.path='/usr/local/libexec/ReceiverHelper.app/Contents/MacOS/ReceiverHelper' AND p.cwd='/' AND remote_port=443 AND protocol=6)
 AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.path = '/usr/bin/yay')
+AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.cmdline = 'npm update')
 AND NOT (remote_port IN (443,53) AND protocol IN (6,17) AND p.path = '/usr/sbin/mDNSResponder')
 AND NOT (remote_port = 443 AND protocol=6 AND p.path LIKE '/usr/libexec/%')
 AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Applications/%.app/Contents/%')
@@ -72,6 +75,7 @@ AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
         'Brackets',
         'chainctl',
         'code',
+        'obs',
         'containerd',
         'controlplane',
         'electron',
@@ -94,6 +98,8 @@ AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
         'ngrok',
         'nix',
         'obsidian',
+        'obs-browser-page',
+        'obs-ffmpeg-mux',
         'pacman',
         'pingsender',
         'signal-desktop',
@@ -107,7 +113,8 @@ AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
         'tkn',
         'vcluster',
         'xmobar',
-        'zoom'
+        'zoom',
+        'node'
     )
 )
 AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')

processes/low_process_ctime_delta.sql

@@ -20,5 +20,7 @@ AND NOT p.path LIKE "/Library/Apple/System/%"
 AND NOT p.path LIKE "/private/var/db/com.apple.xpc.roleaccountd.staging/%"
 AND NOT p.path LIKE "/Library/Apple/System/Library/%"
 AND NOT p.path LIKE "%-go-build%"
+AND NOT p.directory LIKE "/home/%/go/bin"
+AND NOT p.directory LIKE "/Users/%/go/bin"
 AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%"
 AND NOT p.path LIKE "%/.vscode/extensions/%"

processes/old-binaries-running.sql

@@ -1,16 +1,13 @@
 -- Detect poorly done timestamping
--- Alert on programs running that are over a year old
-SELECT *,
+-- Alert on programs running that are unusually old
+SELECT p.path, p.cmdline, p.cwd,
     ((strftime('%s', 'now') - f.ctime) / 86400) AS ctime_age_days,
     ((strftime('%s', 'now') - f.ctime) / 86400) AS mtime_age_days,
     ((strftime('%s', 'now') - f.btime) / 86400) AS btime_age_days
 FROM processes p
     JOIN file f ON p.path = f.path
 WHERE (
-        ctime_age_days > 982
-        OR mtime_age_days > 982
-        OR (
-            f.btime > 1
-            AND btime_age_days > 1200
-        )
-    )
+        ctime_age_days > 1000
+        OR mtime_age_days > 1000
+    )
+AND path NOT LIKE "%/opt/brackets/Brackets%"

processes/unexpectedly-high-readers.sql

@@ -13,6 +13,7 @@ AND NOT (name='gopls' AND path LIKE '/home/%/bin/gopls')
 AND NOT (name='gopls' AND path LIKE '/home/%/gopls/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/bin/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/gopls/gopls')
+AND NOT (name='ruby' AND cmdline LIKE '%brew.rb upgrade')
 AND NOT (name='kernel_task' AND path='' AND parent IN (0,1) AND on_disk=-1)
 AND NOT (name='launcher' AND path='/usr/local/kolide-k2/bin/launcher-updates/1659471464/launcher')
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)