RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #420 from r0cketlad/main 

false positive reduction: apt, auditd, dockerd, etc.
This commit is contained in:
Dave Smith 2024-11-07 11:50:32 -05:00 committed by GitHub
parent 12019d4ae1 335aca58b7
commit c5b507a230
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/c2/unexpected-dns-traffic-events.sql
View File

@ -87,6 +87,7 @@ WHERE
'coredns,0.0.0.0,53',
'coredns,8.8.8.8,53',
'distnoted,8.8.8.8,53',
'dockerd,162.159.140.238,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'gvproxy,170.247.170.2,53',

1
detection/c2/unexpected-talkers-macos.sql
View File

@ -95,6 +95,7 @@ WHERE pos.pid IN (
'500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'500,Developer ID Application: Cisco (DE8Y96K9QP)',
'500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
'500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
)

1
detection/evasion/unexpected-hidden-system-paths.sql
View File

@ -64,6 +64,7 @@ WHERE
'/dev/.mdadm/',
'/.equarantine/',
'/etc/.bootcount',
'/dev/.blkid.tab',
'/etc/.clean',
'/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',

1
detection/persistence/unexpected-device-linux.sql
View File

@ -143,6 +143,7 @@ WHERE (
'/dev/kmsg,character',
'/dev/kvm,character',
'/dev/libmtp--.,character',
'/dev/libmtp--,character',
'/dev/log,socket',
'/dev/loop,block',
'/dev/loop-control,character',

6
detection/persistence/unexpected-uid0-daemon-linux.sql
View File

@ -92,11 +92,13 @@ WHERE
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
'apt,/usr/bin/apt,0,user.slice,user-1000.slice,0755',
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
@ -134,6 +136,7 @@ WHERE
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
@ -292,6 +295,7 @@ WHERE
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
@ -302,6 +306,7 @@ WHERE
'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
@ -330,6 +335,7 @@ WHERE
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'whiptail,/usr/bin/whiptail,0,user.slice,user-1000.slice,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',