RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-16 02:54:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #100 from tstromberg/k3s

Browse Source 
Add k3s /dev/kmsg exception, add parent info
This commit is contained in:
Thomas Strömberg 2022-12-20 07:54:03 -05:00 committed by GitHub
commit ddd238e4de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
detection/credentials/unexpected-dev-opener-linux.sql
View File

@ -14,6 +14,8 @@ SELECT
p.path AS program,
p.name AS program_name,
p.cmdline AS cmdline,
pp.cmdline AS parent_cmdline,
gp.cmdline AS gparent_cmdline,
hash.sha256,
CONCAT (
IIF(
@ -61,6 +63,8 @@ SELECT
FROM
process_open_files pof
LEFT JOIN processes p ON pof.pid = p.pid
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN processes gp ON pp.parent = gp.pid
LEFT JOIN hash ON hash.path = p.path
WHERE
pof.path LIKE '/dev/%'
@ -115,6 +119,7 @@ WHERE
'/dev/shm,Brackets',
'/dev/shm,chrome',
'/dev/shm,code',
'/dev/kmsg,k3s',
'/dev/shm,electron',
'/dev/shm,firefox',
'/dev/shm,gopls',