From 9a69bb55ba266247ca235bf65bd4ef28de54dd08 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 22 Oct 2024 08:20:24 -0400
Subject: [PATCH 1/4] small fpr push
---
 detection/execution/unexpected-setuid-binaries.sql | 2 ++
 detection/impact/evenly-timestomped.sql | 1 +
 2 files changed, 3 insertions(+)
diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql
index 453ca2c..c8ecc23 100644
--- a/detection/execution/unexpected-setuid-binaries.sql
+++ b/detection/execution/unexpected-setuid-binaries.sql
@@ -120,6 +120,8 @@ FROM
 '/usr/sbin/umount.nfs4',
 '/usr/sbin/userhelper',
 '/usr/sbin/wodim'
+ '/bin/bwrap',
+ '/usr/bin/bwrap'
 )
 )
 AND NOT (
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
index 8be112d..89b2260 100644
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@@ -47,6 +47,7 @@ WHERE
 'printcap',
 'strace-log-merge',
 'installer-info.json'
+ 'debian-keyring.gpg'
 )
 AND file.path NOT LIKE '%/lynis%'
 AND file.path NOT LIKE '%/yelp-xsl%'
From fe868f4bbb2b6aa6b0b20e1cb61032348a11d2f9 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Wed, 23 Oct 2024 08:31:20 -0400
Subject: [PATCH 2/4] Update evenly-timestomped.sql
Signed-off-by: Dave Smith
---
 detection/impact/evenly-timestomped.sql | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
index 89b2260..8bdf7a8 100644
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@@ -47,10 +47,8 @@ WHERE
 'printcap',
 'strace-log-merge',
 'installer-info.json'
- 'debian-keyring.gpg'
 )
 AND file.path NOT LIKE '%/lynis%'
 AND file.path NOT LIKE '%/yelp-xsl%'
 AND file.path NOT LIKE '/etc/cups/%'
- AND file.path NOT LIKE '/usr/share/libinput/%.quirks'
- AND file.path NOT LIKE '/usr/lib64/electron/locales/%.pak'
+ AND file.path NOT LIKE '/usr/%'
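Review bot: The two new allowlist entries exempt bwrap purely by path, and nothing in the hunk records why a setuid-root bwrap is expected, so the next reader cannot tell a deliberate exemption from a stray one. bubblewrap is typically installed setuid-root only on distributions that lack unprivileged user namespaces; on distros that ship it non-setuid, a setuid /usr/bin/bwrap is exactly the kind of binary this rule exists to flag, so the exemption lowers coverage on every platform to cut false positives on some. I would put a why-comment above the entries, `-- bwrap: bubblewrap is shipped setuid-root on distros without unprivileged user namespaces; expected there`, and if the enclosing `AND NOT (` clause that continues past the hunk does not already constrain file owner or owning package, consider limiting the exemption to a package-verified, root-owned file. The allowlist begins before this hunk and the query continues after it.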
From 899fc1dfca2e56b6e7b7864bbbd77361ac91fcbf Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Wed, 23 Oct 2024 08:32:35 -0400
Subject: [PATCH 3/4] Update unexpected-setuid-binaries.sql
Signed-off-by: Dave Smith
---
 detection/execution/unexpected-setuid-binaries.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql
index c8ecc23..c095c56 100644
--- a/detection/execution/unexpected-setuid-binaries.sql
+++ b/detection/execution/unexpected-setuid-binaries.sql
@@ -119,7 +119,7 @@ FROM
 '/usr/sbin/umount.nfs',
 '/usr/sbin/umount.nfs4',
 '/usr/sbin/userhelper',
- '/usr/sbin/wodim'
+ '/usr/sbin/wodim',
 '/bin/bwrap',
 '/usr/bin/bwrap'
 )
From fbf9a565c6bfef13790b4adc8ede1a942ad9fd24 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Wed, 23 Oct 2024 10:02:37 -0400
Subject: [PATCH 4/4] Update evenly-timestomped.sql
Signed-off-by: Dave Smith
---
 detection/impact/evenly-timestomped.sql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
index 8bdf7a8..05f29b8 100644
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@@ -26,7 +26,6 @@ WHERE
 OR file.path LIKE "/etc/%%"
 OR file.path LIKE "/sbin/%%"
 OR file.path LIKE "/lib/%%"
- OR file.path LIKE "/usr/%%"
 )
 -- This timestamp is in UTC
 AND file.mtime > (strftime('%s', 'now') - (86400 * 720))
@@ -51,4 +50,3 @@ WHERE
 AND file.path NOT LIKE '%/lynis%'
 AND file.path NOT LIKE '%/yelp-xsl%'
 AND file.path NOT LIKE '/etc/cups/%'
- AND file.path NOT LIKE '/usr/%'
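Review bot: Removing `OR file.path LIKE "/usr/%%"` takes /usr/bin, /usr/sbin and /usr/lib out of the evenly-timestomped detection entirely, and those are the directories where a replaced or backdoored binary with a copied mtime is most likely to sit; whether the surviving `/sbin/%%` and `/lib/%%` patterns still reach them through merged-/usr symlinks depends on the host layout and is not something the rule should rely on. The earlier patches in this series show the motivation was false positives from data files such as libinput quirks and electron locale packs, so a narrower cut keeps the signal: keep the `/usr/%%` include and instead add `AND file.path NOT LIKE '/usr/share/%'` and `AND file.path NOT LIKE '/usr/lib64/electron/%'`, or replace the include with `OR file.path LIKE "/usr/bin/%%" OR file.path LIKE "/usr/sbin/%%"`. Whichever is chosen, a one-line comment on the scope list such as `-- /usr is scoped to binaries only; /usr/share data files churn too much for this heuristic` will stop the next FP pass from silently widening the gap. The WHERE clause this hunk edits starts before and continues after it.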