From caa6bb43edd588ba7ca91c4d10db4301c389dc5e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 2 Sep 2022 15:04:34 -0400
Subject: [PATCH] Add more things

---
 unexpected-hidden-system-folders.sql | 2 +
 unexpected-listeners.sql | 22 +-
 unexpected-systemd.sql | 338 ++++++++++++++++++++++++++-
 unexpected-talkers.sql | 3 +-
 4 files changed, 341 insertions(+), 24 deletions(-)

diff --git a/unexpected-hidden-system-folders.sql b/unexpected-hidden-system-folders.sql
index 6e2d443..9c2bc09 100644
--- a/unexpected-hidden-system-folders.sql
+++ b/unexpected-hidden-system-folders.sql
@@ -54,6 +54,8 @@ WHERE (
 AND PATH NOT LIKE '%/.dwz/'
 AND PATH NOT LIKE '%/.updated'
 AND PATH NOT LIKE '/%bin/bootstrapping/.default_components'
+ AND PATH NOT LIKE '%/google-cloud-sdk/.install/'
+
 AND (
 type != 'regular'
 OR size > 1
diff --git a/unexpected-listeners.sql b/unexpected-listeners.sql
index 445b0de..6e6b55d 100644
--- a/unexpected-listeners.sql
+++ b/unexpected-listeners.sql
@@ -7,6 +7,7 @@ WHERE port != 0
 AND lp.address NOT LIKE "172.1%"
 AND lp.address NOT LIKE "fe80::%"
 AND lp.address NOT LIKE "::ffff:127.0.0.%"
+ AND NOT (lp.port > 1024 AND lp.protocol = 17)
 -- Linux --
 AND NOT (p.name IN ('spotify','Spotify') AND lp.port IN (1900,5353) AND lp.protocol=17)
 AND NOT (p.name IN ('spotify','Spotify') AND lp.port>32000 AND lp.protocol IN (6,17))
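Review bot: The new exclusion `AND PATH NOT LIKE '%/google-cloud-sdk/.install/'` is prefixed with `%`, so a `google-cloud-sdk/.install` directory is silenced wherever it sits on the filesystem, whereas the neighbouring `'/%bin/bootstrapping/.default_components'` rule is anchored at the root; anything else that happens to carry that path suffix, including under user-writable directories, is silenced with it. Anchoring it to the directory the SDK is actually installed in, e.g. `AND PATH NOT LIKE '<sdk-install-prefix>/google-cloud-sdk/.install/'` with the placeholder replaced by the real prefix, keeps the exclusion as narrow as the rules around it. The blank `+` line added after it is stray whitespace inside the predicate and can be dropped. The enclosing `WHERE (` clause begins before this hunk.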
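Review bot: `AND NOT (lp.port > 1024 AND lp.protocol = 17)` silences every UDP listener above port 1024 regardless of owning process or cwd, which is far broader than the per-process rules around it and means an unexpected high-port UDP service is no longer surfaced by this query at all. It also makes the `spotify ... lp.port IN (1900,5353) ... lp.protocol=17` rule two lines below dead, since both ports are above 1024. If the intent is to stop reporting client-side ephemeral ports, `AND NOT (lp.port > 32768 AND lp.protocol = 17)` covers that range while keeping 1025–32768, where most service ports live, under review; either way a one-line comment stating the trade-off would help the next reader. The enclosing WHERE clause starts before this hunk.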
@@ -27,10 +28,8 @@ WHERE port != 0
 AND NOT (p.name='dleyna-renderer' AND lp.port>1024 AND lp.protocol IN (6,17))
 AND NOT (p.name='dockerd' AND p.cwd='/' AND lp.port=2376 AND lp.protocol=6)
 AND NOT (p.name='etcd' AND p.cwd='/' AND lp.port IN (2379,2380) AND lp.protocol=6)
- AND NOT (p.name='firefox' AND lp.port=5353 AND lp.protocol=17)
 AND NOT (p.name='firefox' AND lp.port>32000 AND lp.protocol IN (6,17))
 AND NOT (p.name='.firefox-wrappe' AND lp.port>32000 AND lp.protocol IN (6,17))
- AND NOT (p.name='idea' AND p.cwd='/' AND lp.port>32000 AND lp.protocol=17)
 AND NOT (p.name='kdeconnectd' AND lp.port=1716 AND lp.protocol IN (6,17))
 AND NOT (p.name='kube-apiserver' AND p.cwd='/' AND lp.port IN (6443,8443) AND lp.protocol=6)
 AND NOT (p.name='kube-proxy' AND p.cwd='/' AND lp.port>10000 AND lp.protocol=6)
@@ -44,47 +43,32 @@ WHERE port != 0
 AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
 AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=4161 AND lp.protocol=6)
 AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=41641 AND lp.protocol=17)
- AND NOT (p.name='Socket Process' and p.cwd LIKE '/proc/%/fdinfo%' AND lp.port>32000 AND lp.protocol=17)
 -- macOS --
 AND NOT (p.name IN ('launchd','netbiosd') AND p.cwd='/' AND lp.port IN (137,138) AND lp.protocol=17)
- AND NOT (p.name='Arc Helper' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
 AND NOT (p.name='Arc Helper' AND p.cwd='/' AND lp.port>5000 AND lp.protocol=17)
 AND NOT (p.name='Arc' AND p.cwd='/' AND lp.port>5000 AND lp.protocol=17)
- AND NOT (p.name='Brave Browser Helper' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
- AND NOT (p.name='Brave Browser Helper' AND p.cwd='/' AND lp.port>32000 AND lp.protocol=17)
 AND NOT (p.name='Code Helper' AND lp.port > 5000 AND lp.protocol=6)
 AND NOT (p.name='com.docker.backend' AND p.cwd LIKE '/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port > 1024 AND lp.protocol=6)
 AND NOT (p.name='CommCenter' AND p.cwd='/' AND lp.port=5060 AND lp.protocol IN (6,17))
 AND NOT (p.name='configd' AND p.cwd='/' AND lp.port IN (68,546) AND lp.protocol=17)
 AND NOT (p.name='ControlCenter' AND p.cwd='/' AND lp.port IN (5000,7000) AND lp.protocol=6)
 AND NOT (p.name='cupsd' AND p.cwd='/' AND lp.port=631 AND lp.protocol=6)
- AND NOT (p.name='identityservicesd' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='Dropbox' AND p.cwd='/' AND lp.port=17500 AND lp.protocol IN (6,17))
 AND NOT (p.name='EEventManager' AND p.cwd='/' AND lp.port=2968 AND lp.protocol IN (6,17))
 AND NOT (p.name='fake' AND p.cwd LIKE '/Users/%/api-impl' AND lp.port IN (2112,8080) AND lp.protocol=6)
- AND NOT (p.name='Google Chrome Helper' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
- AND NOT (p.name='Google Chrome Helper' AND p.cwd='/' AND lp.port>49000 AND 
lp.protocol=17)
- AND NOT (p.name='Google Chrome' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='hugo' AND lp.port>1024 AND lp.protocol=6)
 AND NOT (p.name='IPNExtension' AND p.cwd LIKE '/Users/%/Library/Containers/io.tailscale.ipn.macos.network-extension/Data' AND lp.port>32000 AND lp.protocol IN (6,17))
 AND NOT (p.name='launchd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
 AND NOT (p.name='LogiMgrDaemon' AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
 AND NOT (p.name='mariadbd' AND p.cwd='/opt/homebrew/var/mysql' AND lp.port=3306 AND lp.protocol=6)
- AND NOT (p.name='mDNSResponder' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
- AND NOT (p.name='mDNSResponder' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='node' AND p.cwd LIKE '/Users/%/app' AND lp.port>5000 AND lp.protocol=6)
- AND NOT (p.name='OpalCameraDeviceService' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
- AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port=3722 AND lp.protocol=17)
 AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=6)
+ AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port=3722 AND lp.protocol=17)
 AND NOT (p.name='remoted' AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
 AND NOT (p.name='RescueTime' AND p.cwd='/' AND lp.port=16587 AND lp.protocol=6)
 AND NOT (p.name='sharingd' AND p.cwd='/' AND lp.port=8770 AND lp.protocol=6)
 AND NOT (p.name='syncthing' AND lp.port > 20000 AND lp.protocol IN (6,17))
- AND NOT (p.name='syslogd' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='systemd-resolve' AND p.cwd='/' AND lp.port=5355 AND lp.protocol IN (6,17))
- AND NOT (p.name='Slack Helper' AND lp.port>49000 AND lp.protocol=17)
- AND NOT (p.name='com.apple.WebKit.Networking' AND lp.port>49000 AND lp.protocol=17)
- AND NOT (p.name='TIDAL Helper (Renderer)' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
 AND NOT (p.name='vpnkit-bridge' AND p.cwd LIKE 
'/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port>49000 AND lp.protocol=6)
- AND NOT (p.name='WireGuardNetworkExtension' AND p.cwd LIKE '/Users/%/Library/Containers/com.wireguard.macos.network-extension/Data' AND lp.port>49000 AND lp.protocol=17)
+ AND NOT (p.name='com.docker.vpnkit' AND lp.port>49000 AND lp.protocol=6)
 AND NOT (p.name='X11.bin' AND lp.port=6000 AND lp.protocol=6)
diff --git a/unexpected-systemd.sql b/unexpected-systemd.sql
index 1cc183f..61b6a3a 100644
--- a/unexpected-systemd.sql
+++ b/unexpected-systemd.sql
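Review bot: The added `com.docker.vpnkit` rule carries no `p.cwd` constraint, while the `vpnkit-bridge` and `com.docker.backend` rules it sits beside pin the process to `/Users/%/Library/Containers/com.docker.docker/Data`, so any process with that name listening on a high TCP port is excluded wherever it runs; if the same cwd holds for it — worth confirming on a real host — `AND NOT (p.name='com.docker.vpnkit' AND p.cwd LIKE '/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port>49000 AND lp.protocol=6)` keeps the rules consistent. Separately, the `rapportd ... lp.port=3722 ... lp.protocol=17` line is removed and re-added unchanged two lines later, a pure reorder that only inflates the diff. The enclosing WHERE clause starts before this hunk.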
@@ -23,60 +23,113 @@ WHERE active_state != "inactive"
 'acpid.path',
 'acpid.service',
 'acpid.socket',
+ 'adsl.service',
 'akmods-keygen.target',
 'akmods-shutdown.service',
- 'flatpak-system-helper.service',
- 'zfs-snapshot-hourly.service',
- 'zfs-snapshot-frequent.service',
 'akmods.service',
 'alsa-restore.service',
 'alsa-state.service',
 'alsa-store.service',
- 'anacron.timer',
 'anacron.service',
+ 'anacron.timer',
 'apcupsd.service',
 'apparmor.service',
 'apport.service',
 'apt-daily-upgrade.timer',
 'apt-daily.timer',
+ 'archlinux-keyring-wkd-sync.service',
+ 'archlinux-keyring-wkd-sync.timer',
 'audit.service',
 'auditd.service',
+ 'auth-rpcgss-module.service',
+ 'autovt@.service',
 'avahi-daemon.service',
 'avahi-daemon.socket',
+ 'avahi-dnsconfd.service',
 'basic.target',
 'blk-availability.service',
+ 'blockdev@.target',
 'blockdev@dev-mapper-cryptoswap.target',
+ 'bluetooth-mesh.service',
 'bluetooth.service',
 'bluetooth.target',
 'bolt.service',
+ 'boot-complete.target',
+ 'brltty-device@.service',
+ 'brltty@.service',
+ 'btrfs-scrub@.service',
+ 'btrfs-scrub@.timer',
+ 'canberra-system-bootup.service',
+ 'canberra-system-shutdown-reboot.service',
+ 'canberra-system-shutdown.service',
 'chronyd.service',
+ 'clamav-clamonacc.service',
+ 'clamav-daemon.service',
+ 'clamav-daemon.socket',
+ 'clamav-freshclam.service',
 'colord.service',
+ 'console-getty.service',
 'console-setup.service',
+ 'container-getty@.service',
 'containerd.service',
 'cron.service',
 'cronie.service',
+ 'cryptsetup-pre.target',
 'cryptsetup.target',
+ 'ctrl-alt-del.target',
 'cups-browsed.service',
 'cups.path',
 'cups.service',
 'cups.socket',
+ 'daxdev-reconfigure@.service',
 'dbus-broker.service',
+ 'dbus-org.freedesktop.hostname1.service',
+ 'dbus-org.freedesktop.import1.service',
+ 'dbus-org.freedesktop.locale1.service',
+ 'dbus-org.freedesktop.login1.service',
+ 'dbus-org.freedesktop.machine1.service',
+ 'dbus-org.freedesktop.portable1.service',
+ 'dbus-org.freedesktop.timedate1.service',
 'dbus.service',
 'dbus.socket',
+ 'debug-shell.service',
+ 'default.target',
 'dev-mapper-cryptoswap.swap',
+ 'dhclient@.service',
 'dhcpcd.service',
 'display-manager.service',
 'dkms.service',
+ 'dm-event.service',
 'dm-event.socket',
+ 'dmraid.service',
 'dnf-makecache.timer',
+ 'dnsmasq.service',
 'docker.service',
 'docker.socket',
 'dpkg-db-backup.timer',
 'dracut-shutdown.service',
+ 'drkonqi-coredump-processor@.service',
+ 'e2scrub_all.service',
 'e2scrub_all.timer',
+ 'e2scrub_fail@.service',
+ 'e2scrub_reap.service',
+ 'e2scrub@.service',
+ 'ead.service',
+ 'emergency.service',
+ 'emergency.target',
+ 'exit.target',
+ 'factory-reset.target',
+ 'fancontrol.service',
+ 'final.target',
 'firewall.service',
 'firewalld.service',
+ 'first-boot-complete.target',
+ 'flatpak-system-helper.service',
+ 'fprintd.service',
+ 'fstrim.service',
 'fstrim.timer',
+ 'ftpd.service',
+ 'fwupd-offline-update.service',
 'fwupd-refresh.service',
 'fwupd-refresh.timer',
 'fwupd.service',
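Review bot: Several newly allowlisted units are the sort this query exists to surface: `debug-shell.service` and `ftpd.service` in this hunk, `rlogin.socket`, `rlogin@.service`, `rsh.socket` and `rsh@.service` in the `@@ -132,95` hunk, and `telnet.socket`/`telnet@.service` in the `@@ -235,38` hunk are an unauthenticated root console shell and cleartext remote-login services that are rarely active on a healthy host, so listing them here trades away a cheap detection. I'd keep those names out of the list, or group them under a comment such as `-- legacy remote access: review before allowlisting` so the choice is visible to the next maintainer. Separately, many of the new entries are template names (`autovt@.service`, `brltty@.service`, `container-getty@.service`, and `getty@.service` and others in later hunks); the existing `modprobe@efi_pstore.service` entry suggests the query sees instantiated names, in which case the bare template entries never match and could be dropped — worth confirming against real output. The enclosing list (presumably a `NOT IN`) opens before this hunk.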
@@ -84,21 +137,59 @@ WHERE active_state != "inactive"
 'geoclue.service',
 'getty-pre.target',
 'getty.target',
+ 'getty@.service',
+ 'git-daemon.socket',
+ 'git-daemon@.service',
+ 'glances.service',
+ 'gpm.service',
 'graphical.target',
 'gssproxy.service',
+ 'halt.target',
+ 'haveged-once.service',
+ 'haveged.service',
+ 'healthd.service',
+ 'hibernate.target',
+ 'httpd.service',
+ 'hybrid-sleep.target',
 'iio-sensor-proxy.service',
 'import-state.service',
+ 'initrd-cleanup.service',
+ 'initrd-fs.target',
+ 'initrd-parse-etc.service',
+ 'initrd-root-device.target',
+ 'initrd-root-fs.target',
+ 'initrd-switch-root.service',
+ 'initrd-switch-root.target',
+ 'initrd-udevadm-cleanup-db.service',
+ 'initrd-usr-fs.target',
+ 'initrd.target',
+ 'integritysetup-pre.target',
 'integritysetup.target',
+ 'ip6tables.service',
+ 'iptables.service',
 'irqbalance.service',
 'iscsid.socket',
 'iscsiuio.socket',
 'iwd.service',
 'kerneloops.service',
+ 'kexec.target',
 'keyboard-setup.service',
 'kmod-static-nodes.service',
 'kolide-launcher.service',
+ 'krb5-kadmind.service',
+ 'krb5-kdc.service',
+ 'krb5-kpropd.service',
+ 'krb5-kpropd.socket',
+ 'krb5-kpropd@.service',
 'launcher.kolide-k2.service',
 'ldconfig.service',
+ 'libvirt-guests.service',
+ 'libvirtd-admin.socket',
+ 'libvirtd-ro.socket',
+ 'libvirtd-tcp.socket',
+ 'libvirtd-tls.socket',
+ 'libvirtd.service',
+ 'libvirtd.socket',
 'lightdm.service',
 'livesys-late.service',
 'livesys.service',
@@ -106,16 +197,38 @@ WHERE active_state != "inactive"
 'local-fs-pre.target',
 'local-fs.target',
 'logrotate-checkconf.service',
+ 'logrotate.service',
 'logrotate.timer',
 'low-memory-monitor.service',
+ 'lvm2-lvmpolld.service',
 'lvm2-lvmpolld.socket',
 'lvm2-monitor.service',
 'lvm2.service',
 'machine.slice',
 'machines.target',
+ 'man-db.service',
 'man-db.timer',
+ 'mariadb-extra.socket',
+ 'mariadb-extra@.socket',
+ 'mariadb.service',
+ 'mariadb.socket',
+ 'mariadb@.service',
+ 'mariadb@.socket',
 'mcelog.service',
+ 'mdadm-grow-continue@.service',
+ 'mdadm-last-resort@.service',
+ 'mdadm-last-resort@.timer',
+ 'mdcheck_continue.service',
+ 'mdcheck_continue.timer',
+ 'mdcheck_start.service',
+ 'mdcheck_start.timer',
+ 'mdmon@.service',
+ 'mdmonitor-oneshot.service',
+ 'mdmonitor-oneshot.timer',
+ 'mdmonitor.service',
+ 'mkinitcpio-generate-shutdown-ramfs.service',
 'ModemManager.service',
+ 'modprobe@.service',
 'modprobe@chromeos_pstore.service',
 'modprobe@efi_pstore.service',
 'modprobe@mtdpstore.service',
@@ -125,6 +238,20 @@ WHERE active_state != "inactive"
 'motd-news.timer',
 'mount-pstore.service',
 'multi-user.target',
+ 'multipathd.service',
+ 'multipathd.socket',
+ 'mysql.service',
+ 'mysqld.service',
+ 'named.service',
+ 'nbd.service',
+ 'nbd@.service',
+ 'ndctl-monitor.service',
+ 'netctl-auto@.service',
+ 'netctl-ifplugd@.service',
+ 'netctl-sleep.service',
+ 'netctl-wait-online.service',
+ 'netctl.service',
+ 'netctl@.service',
 'network-interfaces.target',
 'network-local-commands.service',
 'network-online.target',
@@ -132,95 +259,227 @@ WHERE active_state != "inactive"
 'network-setup.service',
 'network.target',
 'networkd-dispatcher.service',
+ 'NetworkManager-dispatcher.service',
 'NetworkManager-wait-online.service',
 'NetworkManager.service',
+ 'nfs-blkmap.service',
 'nfs-client.target',
+ 'nfs-idmapd.service',
+ 'nfs-mountd.service',
+ 'nfs-server.service',
+ 'nfs-utils.service',
+ 'nfsdcld.service',
+ 'nfsv4-exportd.service',
+ 'nfsv4-server.service',
 'nginx.service',
+ 'ninfod.service',
 'nix-daemon.service',
 'nix-daemon.socket',
 'nix-gc.timer',
+ 'nm-priv-helper.service',
+ 'nmb.service',
 'nscd.service',
 'nss-lookup.target',
 'nss-user-lookup.target',
+ 'ntpd.service',
+ 'ntpdate.service',
 'nvidia-persistenced.service',
+ 'openvpn-client@.service',
+ 'openvpn-server@.service',
 'openvpn.service',
+ 'ostree-boot-complete.service',
+ 'ostree-finalize-staged.service',
+ 'ostree-prepare-root.service',
+ 'ostree-remount.service',
+ 'paccache.service',
+ 'paccache.timer',
 'packagekit.service',
+ 'pacman-filesdb-refresh.service',
+ 'pacman-filesdb-refresh.timer',
+ 'pam_namespace.service',
 'paths.target',
 'pcscd.service',
 'pcscd.socket',
 'phpsessionclean.timer',
+ 'pkgfile-update.service',
+ 'pkgfile-update.timer',
 'plocate-updatedb.timer',
 'plymouth-quit-wait.service',
 'plymouth-read-write.service',
 'plymouth-start.service',
 'polkit.service',
 'power-profiles-daemon.service',
+ 'poweroff.target',
+ 'ppp@.service',
+ 'printer.target',
 'proc-sys-fs-binfmt_misc.automount',
+ 'qemu-pr-helper.service',
+ 'qemu-pr-helper.socket',
+ 'quotaon.service',
 'raid-check.timer',
+ 'rarpd@.service',
+ 'rdisc.service',
+ 'rdnssd@.service',
+ 'reboot.target',
+ 'reflector.service',
 'reflector.timer',
 'reload-systemd-vconsole-setup.service',
+ 'remote-cryptsetup.target',
 'remote-fs-pre.target',
 'remote-fs.target',
+ 'remote-veritysetup.target',
+ 'rescue.service',
+ 'rescue.target',
 'resolvconf.service',
+ 'rfkill-block@.service',
+ 'rfkill-unblock@.service',
+ 'rlogin.socket',
+ 'rlogin@.service',
 'rpc_pipefs.target',
+ 'rpc-gssd.service',
 'rpc-statd-notify.service',
+ 'rpc-statd.service',
+ 'rpcbind.service',
+ 'rpcbind.socket',
+ 'rpcbind.target',
+ 'rsh.socket',
+ 'rsh@.service',
+ 'rsyncd.service',
+ 'rsyncd.socket',
+ 'rsyncd@.service',
 'rsyslog.service',
 'rtkit-daemon.service',
+ 'samba.service',
+ 'saned.socket',
+ 'saned@.service',
+ 'sddm.service',
+ 'sensord.service',
+ 'sentinelone.service',
+ 'serial-getty@.service',
 'setvtrgb.service',
 'shadow.service',
 'shadow.timer',
+ 'shutdown.target',
+ 'sigpwr.target',
+ 'sleep.target',
 'slices.target',
 'smartcard.target',
+ 'smartd.service',
+ 'smb.service',
 'snapd.apparmor.service',
 'snapd.seeded.service',
 'snapd.service',
 'snapd.socket',
+ 'snmpd.service',
+ 'snmptrapd.service',
 'sockets.target',
 'sound.target',
+ 'speech-dispatcherd.service',
+ 'spice-vdagentd.service',
+ 'spice-vdagentd.socket',
+ 'spice-webdavd.service',
 'sshd.service',
+ 'sshdgenkeys.service',
 'sssd-kcm.service',
 'sssd-kcm.socket',
+ 'suspend-then-hibernate.target',
+ 'suspend.target',
 'swap.target',
 'switcheroo-control.service',
 'sysinit.target',
 'syslog.socket',
+ 'sysprof2.service',
+ 'sysprof3.service',
 'sysstat-collect.timer',
 'sysstat-summary.timer',
 'sysstat.service',
+ 'system-update-cleanup.service',
+ 'system-update-pre.target',
+ 'system-update.target',
 'systemd-ask-password-console.path',
+ 'systemd-ask-password-console.service',
 'systemd-ask-password-plymouth.path',
 'systemd-ask-password-wall.path',
+ 'systemd-ask-password-wall.service',
+ 'systemd-backlight@.service',
 'systemd-backlight@backlight:intel_backlight.service',
 'systemd-backlight@leds:dell::kbd_backlight.service',
 'systemd-backlight@leds:tpacpi::kbd_backlight.service',
 'systemd-binfmt.service',
+ 'systemd-bless-boot.service',
+ 'systemd-boot-check-no-failures.service',
+ 'systemd-boot-system-token.service',
 'systemd-boot-update.service',
 'systemd-coredump.socket',
+ 'systemd-coredump@.service',
 'systemd-cryptsetup@cryptoswap.service',
+ 
'systemd-exit.service',
+ 'systemd-firstboot.service',
+ 'systemd-fsck-root.service',
+ 'systemd-fsck@.service',
 'systemd-fsckd.socket',
+ 'systemd-halt.service',
+ 'systemd-hibernate-resume@.service',
+ 'systemd-hibernate.service',
 'systemd-homed-activate.service',
 'systemd-homed.service',
+ 'systemd-hostnamed.service',
 'systemd-hwdb-update.service',
+ 'systemd-hybrid-sleep.service',
+ 'systemd-importd.service',
 'systemd-initctl.socket',
 'systemd-journal-catalog-update.service',
 'systemd-journal-flush.service',
+ 'systemd-journal-gatewayd.service',
+ 'systemd-journal-gatewayd.socket',
+ 'systemd-journal-remote.service',
+ 'systemd-journal-remote.socket',
+ 'systemd-journal-upload.service',
 'systemd-journald-audit.socket',
 'systemd-journald-dev-log.socket',
+ 'systemd-journald-varlink@.socket',
 'systemd-journald.service',
 'systemd-journald.socket',
+ 'systemd-journald@.service',
+ 'systemd-journald@.socket',
+ 'systemd-kexec.service',
+ 'systemd-localed.service',
 'systemd-logind.service',
+ 'systemd-machine-id-commit.service',
 'systemd-machined.service',
 'systemd-modules-load.service',
 'systemd-network-generator.service',
+ 'systemd-networkd-wait-online.service',
+ 'systemd-networkd-wait-online@.service',
+ 'systemd-networkd.service',
+ 'systemd-networkd.socket',
+ 'systemd-nspawn@.service',
 'systemd-oomd.service',
 'systemd-oomd.socket',
+ 'systemd-portabled.service',
+ 'systemd-poweroff.service',
+ 'systemd-pstore.service',
+ 'systemd-quotacheck.service',
 'systemd-random-seed.service',
+ 'systemd-reboot.service',
 'systemd-remount-fs.service',
+ 'systemd-repart.service',
 'systemd-resolved.service',
+ 'systemd-rfkill.service',
 'systemd-rfkill.socket',
+ 'systemd-suspend-then-hibernate.service',
+ 'systemd-suspend.service',
 'systemd-sysctl.service',
+ 'systemd-sysext.service',
+ 'systemd-sysupdate-reboot.service',
+ 'systemd-sysupdate-reboot.timer',
+ 'systemd-sysupdate.service',
+ 'systemd-sysupdate.timer',
 'systemd-sysusers.service',
+ 
'systemd-time-wait-sync.service',
+ 'systemd-timedated.service',
 'systemd-timesyncd.service',
+ 'systemd-tmpfiles-clean.service',
 'systemd-tmpfiles-clean.timer',
 'systemd-tmpfiles-setup-dev.service',
 'systemd-tmpfiles-setup.service',
@@ -235,38 +494,107 @@ WHERE active_state != "inactive"
 'systemd-userdbd.service',
 'systemd-userdbd.socket',
 'systemd-vconsole-setup.service',
+ 'systemd-volatile-root.service',
 'tailscaled.service',
+ 'talk.service',
+ 'talk.socket',
+ 'teamd@.service',
+ 'telnet.socket',
+ 'telnet@.service',
 'thermald.service',
 'time-set.target',
+ 'time-sync.target',
 'timers.target',
 'tlp.service',
 'ua-timer.timer',
+ 'udisks2-zram-setup@.service',
 'udisks2.service',
 'ufw.service',
+ 'umount.target',
 'unattended-upgrades.service',
 'unbound-anchor.timer',
 'update-notifier-download.timer',
 'update-notifier-motd.timer',
+ 'updatedb.service',
 'updatedb.timer',
 'upower.service',
 'uresourced.service',
+ 'usb_modeswitch@.service',
+ 'usb-gadget.target',
+ 'usbmuxd.service',
+ 'user-runtime-dir@.service',
 'user.slice',
+ 'user@.service',
+ 'uuidd.service',
 'uuidd.socket',
+ 'veritysetup-pre.target',
 'veritysetup.target',
+ 'virt-guest-shutdown.target',
+ 'virtchd-admin.socket',
+ 'virtchd-ro.socket',
+ 'virtchd.service',
+ 'virtchd.socket',
+ 'virtinterfaced-admin.socket',
+ 'virtinterfaced-ro.socket',
+ 'virtinterfaced.service',
 'virtinterfaced.socket',
+ 'virtlockd-admin.socket',
+ 'virtlockd.service',
 'virtlockd.socket',
+ 'virtlogd-admin.socket',
+ 'virtlogd.service',
 'virtlogd.socket',
+ 'virtlxcd-admin.socket',
+ 'virtlxcd-ro.socket',
+ 'virtlxcd.service',
+ 'virtlxcd.socket',
+ 'virtnetworkd-admin.socket',
+ 'virtnetworkd-ro.socket',
+ 'virtnetworkd.service',
 'virtnetworkd.socket',
+ 'virtnodedevd-admin.socket',
+ 'virtnodedevd-ro.socket',
+ 'virtnodedevd.service',
 'virtnodedevd.socket',
+ 'virtnwfilterd-admin.socket',
+ 'virtnwfilterd-ro.socket',
+ 'virtnwfilterd.service',
 'virtnwfilterd.socket',
+ 'virtproxyd-admin.socket',
+ 'virtproxyd-ro.socket',
+ 'virtproxyd-tcp.socket',
+ 'virtproxyd-tls.socket',
+ 'virtproxyd.service',
 'virtproxyd.socket',
 'virtqemud-admin.socket',
 'virtqemud-ro.socket',
+ 'virtqemud.service',
 'virtqemud.socket',
+ 'virtsecretd-admin.socket',
+ 
'virtsecretd-ro.socket',
+ 'virtsecretd.service',
 'virtsecretd.socket',
+ 'virtstoraged-admin.socket',
+ 'virtstoraged-ro.socket',
+ 'virtstoraged.service',
 'virtstoraged.socket',
+ 'virtvboxd-admin.socket',
+ 'virtvboxd-ro.socket',
+ 'virtvboxd.service',
+ 'virtvboxd.socket',
+ 'vpnc@.service',
+ 'wazuh-agent.service',
 'whoopsie.path',
+ 'winbind.service',
+ 'wpa_supplicant-nl80211@.service',
+ 'wpa_supplicant-wired@.service',
 'wpa_supplicant.service',
+ 'wpa_supplicant@.service',
+ 'xfs_scrub_all.service',
+ 'xfs_scrub_all.timer',
+ 'xfs_scrub_fail@.service',
+ 'xfs_scrub@.service',
+ 'xl2tpd.service',
 'zfs-import-cache.service',
 'zfs-import.target',
 'zfs-load-key-rpool.service',
@@ -275,7 +603,9 @@ WHERE active_state != "inactive"
 'zfs-scrub.timer',
 'zfs-share.service',
 'zfs-snapshot-daily.timer',
+ 'zfs-snapshot-frequent.service',
 'zfs-snapshot-frequent.timer',
+ 'zfs-snapshot-hourly.service',
 'zfs-snapshot-hourly.timer',
 'zfs-snapshot-monthly.timer',
 'zfs-snapshot-weekly.timer',
diff --git a/unexpected-talkers.sql b/unexpected-talkers.sql
index c3e5854..0683dae 100644
--- a/unexpected-talkers.sql
+++ b/unexpected-talkers.sql
@@ -6,6 +6,7 @@ WHERE protocol > 0
 AND s.remote_port > 0
 AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
 AND s.remote_address NOT LIKE 'fe80:%'
+AND s.remote_address NOT LIKE '127.%'
 AND s.remote_address NOT LIKE '192.168.%'
 AND s.remote_address NOT LIKE '172.1%'
 AND s.remote_address NOT LIKE '172.2%'
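Review bot: `AND s.remote_address NOT LIKE '127.%'` subsumes the `'127.0.0.1'` entry in the `NOT IN (...)` list two lines above, which can now be dropped so the loopback handling lives in one place. The IPv4-mapped form is still excluded only for `'::ffff:127.0.0.1'`; if the intent is to ignore all loopback traffic, `AND s.remote_address NOT LIKE '::ffff:127.%'` gives both address families the same treatment, and if reporting other mapped loopback addresses is deliberate, a short comment saying so would help. The enclosing WHERE clause starts before this hunk.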
@@ -23,7 +24,7 @@ AND NOT (p.name = 'syncthing' AND remote_port IN (22067,443,22000))
 AND NOT (p.name = 'zoom.us' AND remote_port IN (443,8801))
 AND NOT (p.name IN ('chrome', 'Google Chrome Helper', 'Chromium Helper') AND remote_port IN (8080,8000,8008,8443,8888) AND remote_address LIKE '192.168.%')
 AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper') AND remote_port IN (443,80,8009,8443,5228,32211,53,10001,3478))
-AND NOT (p.name IN ('Mail','thunderbird','Spark') AND remote_port IN (443,993))
+AND NOT (p.name IN ('Mail','thunderbird','Spark') AND remote_port IN (443,587,993))
 AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (443,8009,4070,32211))
 AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
 AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
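Review bot: The `remote_port IN (443,587,993)` change for `Mail`/`thunderbird`/`Spark` adds a port with no indication of why, and 587 is less self-evident than 443 or 993; a trailing comment on the changed line such as `-- 587: SMTP submission` would save the next reader a lookup and make it clear the addition was deliberate rather than a copy from another rule. The enclosing WHERE clause starts before this hunk.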