RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-16 09:27:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into fpr-jul12

Browse Source
This commit is contained in:
Thomas Stromberg 2024-07-12 17:08:41 -04:00
commit bb79251001
Failed to extract signature
2 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -68,8 +68,8 @@ collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
.PHONY: verify-ci .PHONY: verify-ci
verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=2 --max-query-duration=12s verify policy $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=50 --max-query-duration=30s verify policy
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=15 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=1000 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
# Local verification # Local verification
.PHONY: verify .PHONY: verify

5
detection/c2/unexpected-talkers-macos.sql
View File

@ -192,7 +192,8 @@ WHERE pos.protocol > 0
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream', '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper', '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird', '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac' '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,0u,0g'
) -- Useful for unsigned binaries ) -- Useful for unsigned binaries
AND NOT alt_exception_key IN ( AND NOT alt_exception_key IN (
'0,6,80,tailscaled,tailscaled,500u,80g', '0,6,80,tailscaled,tailscaled,500u,80g',
@ -295,4 +296,4 @@ WHERE pos.protocol > 0
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon' 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
) )
) )
GROUP BY p0.cmdline GROUP BY p0.cmdline