From e8d86af906153bf1b52a01017bdc83bbe2abc4a5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 10 Feb 2023 10:31:19 -0500
Subject: [PATCH 1/2] Make sure caddy & kubectl are in the wider listening range

---
 .../unexpected-listening-port-linux.sql | 3 +++
 .../unexpected-listening-port-macos.sql | 23 +++++++++++--------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 7ad8aa3..e420f18 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -163,10 +163,13 @@ WHERE
 AND NOT (
 p.name IN (
 'caddy',
+ 'com.docker.backend',
 'controller',
 'docker-proxy',
 'hugo',
+ 'kubectl',
 'nginx-ingress-c',
+ 'node',
 'rootlessport',
 'webhook'
 )
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 6e6c1d5..654ce8a 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
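Review bot: The new exceptions in `p.name IN (...)` match on process name alone, so any listener whose process is simply called `node`, `kubectl` or `caddy` drops out of this persistence detection regardless of its executable path, parent or bind address; `node` in particular is a generic interpreter name that any script can run under. The same name-only widening appears in the macOS hunk `@@ -154,7 +150,16 @@`, where the guard is visibly just `lp.port > 1024 and lp.protocol = 6` (the corresponding guard for this Linux clause lies outside the hunk, since the enclosing `AND NOT (` runs past it). Consider pairing each new name with a path or cmdline condition, the way the macOS file's `exception_key` entries appear to carry a signer field (`'10011,6,0,launchd,Software Signing'`), and at minimum record the rationale above the list, e.g. `-- dev/webserver tooling that routinely binds high ports; name-only match, treat as low-confidence`.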
@@ -39,21 +39,17 @@ WHERE
 AND lp.address NOT LIKE '127.0.0.%'
 AND lp.address NOT LIKE '172.1%'
 AND lp.address NOT LIKE 'fe80::%'
- AND lp.address NOT LIKE '::ffff:127.0.0.%'
- -- All outgoing UDP (protocol 17) sessions are 'listening'
+ AND lp.address NOT LIKE '::ffff:127.0.0.%' -- All outgoing UDP (protocol 17) sessions are 'listening'
 AND NOT (
 lp.protocol = 17
 AND lp.port > 1024
- )
- -- Random webservers
+ ) -- Random webservers
 AND NOT (
 p.uid > 500
 AND lp.port IN (8000, 8080)
 AND lp.protocol = 6
- )
- -- Filter out unmapped raw sockets
- AND NOT (p.pid == '')
- -- Exceptions: the uid is capped at 500 to represent regular users versus system users
+ ) -- Filter out unmapped raw sockets
+ AND NOT (p.pid == '') -- Exceptions: the uid is capped at 500 to represent regular users versus system users
 -- port is capped at 49152 to represent transient ports
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
@@ -154,7 +150,16 @@ WHERE
 and lp.protocol = 6
 )
 AND NOT (
- p.name IN ('hugo', 'node', 'com.docker.backend', 'kubectl')
+ p.name IN (
+ 'caddy',
+ 'com.docker.backend',
+ 'controller',
+ 'docker-proxy',
+ 'hugo',
+ 'kubectl',
+ 'node',
+ 'webhook'
+ )
 AND lp.port > 1024
 and lp.protocol = 6
 )

From 99f8793169a573a143f6cb8f531404f6cd2b5abb Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 10 Feb 2023 10:32:14 -0500
Subject: [PATCH 2/2] Remove com.docker.backend (macOS specific)

---
 detection/persistence/unexpected-listening-port-linux.sql | 1 -
 1 file changed, 1 deletion(-)

diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index e420f18..1e1d69e 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -163,7 +163,6 @@ WHERE
 AND NOT (
 p.name IN (
 'caddy',
- 'com.docker.backend',
 'controller',
 'docker-proxy',
 'hugo',
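Review bot: The folded lines in the first macOS hunk (`@@ -39,21 +39,17 @@`) attach each comment to the wrong clause: `-- All outgoing UDP (protocol 17) sessions are 'listening'` now trails the `::ffff:127.0.0.%` address filter instead of heading the `lp.protocol = 17` block it explains, `-- Random webservers` and `-- Filter out unmapped raw sockets` trail the closing parenthesis of the condition before the one they describe, and `-- Exceptions: the uid is capped at 500 ...` is separated from its continuation `-- port is capped at 49152 ...` on the following line. This reads like a formatter folding standalone comments onto the preceding line rather than an intentional edit. Keeping each comment on its own line directly above the clause it documents, as the removed lines had it, preserves the reasoning a future maintainer needs when tuning these exclusions; there is no behavior change either way since `--` comments run to end of line.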