Second weekend tuning

Thomas Stromberg 2022-09-10 13:10:54 -04:00
parent 763b9eaed6
commit e5973acc25
5 changed files with 336 additions and 275 deletions


@ -36,7 +36,7 @@ WHERE pof.path LIKE '/dev/%'
AND NOT pof.path LIKE '/dev/shm/.com.google.%'
AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
AND NOT (device LIKE '/dev/hidraw%' AND p.name = 'chrome')
AND NOT (device LIKE '/dev/hidraw%' AND p.name IN ('chrome', 'depmod'))
AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg'))
AND NOT (
@ -45,7 +45,7 @@ WHERE pof.path LIKE '/dev/%'
)
AND NOT (
device LIKE '/dev/bpf%'
AND program = '/usr/libexec/airportd'
AND program IN ('/usr/libexec/airportd', '/usr/libexec/configd')
)
AND NOT (
device LIKE '/dev/bus/usb/%'
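Review bot: The widened `/dev/hidraw%` exception, `p.name IN ('chrome', 'depmod')`, is keyed on the process name alone, and a process name is set by whatever program is running, so anything that calls itself `depmod` is now exempt from this check. The `/dev/bpf%` exception in the second hunk is tighter because it compares `program` against full paths (assuming `program` is the executable path; its definition is outside the hunk). Pairing the name with a path would close the gap, for example `AND program IN ('<expected chrome path>', '<expected depmod path>')`. The same concern applies to `parent_name NOT IN ('makepkg')` in the last file of this commit. The WHERE clause begins above the hunk, so other exceptions may already do this.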


@ -1,232 +1,288 @@
SELECT suid_bin.path, file.gid, file.uid, file.mode, file.type, file.size
FROM suid_bin
JOIN file ON suid_bin.path = file.path
AND NOT (suid_bin.path='/bin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/chage' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/bin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/crontab' AND file.mode='2755' AND file.uid=0 AND file.gid=104)
AND NOT (suid_bin.path='/bin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/expiry' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/bin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/fusermount-glusterfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=979)
AND NOT (suid_bin.path='/bin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/plocate' AND file.mode='2755' AND file.uid=0 AND file.gid=979)
AND NOT (suid_bin.path='/bin/ps' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/bin/ssh-agent' AND file.mode='2755' AND file.uid=0 AND file.gid=118)
AND NOT (suid_bin.path='/bin/staprun' AND file.mode='4110' AND file.uid=0 AND file.gid=156)
AND NOT (suid_bin.path='/bin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/sudo' AND file.mode='4111' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/sudoedit' AND file.mode='4111' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/vmware-user-suid-wrapper' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/vmware-user' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/bin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/bin/write.ul' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/bin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/sbin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/grub2-set-bootflag' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/sbin/lockdev' AND file.mode='2711' AND file.uid=0 AND file.gid=54)
AND NOT (suid_bin.path='/sbin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/pam_extrausers_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/sbin/pam_timestamp_check' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/pppd' AND file.mode='4754' AND file.uid=0 AND file.gid=30)
AND NOT (suid_bin.path='/sbin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/sbin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/umount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/umount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/userhelper' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/sbin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/sbin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/usr/bin/at' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/atq' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/atrm' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/batch' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/chage' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/usr/bin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/crontab' AND file.mode='2755' AND file.uid=0 AND file.gid=104)
AND NOT (suid_bin.path='/usr/bin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/expiry' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/usr/bin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/fusermount-glusterfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/usr/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=979)
AND NOT (suid_bin.path='/usr/bin/login' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/newgrp' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/plocate' AND file.mode='2755' AND file.uid=0 AND file.gid=979)
AND NOT (suid_bin.path='/usr/bin/quota' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/usr/bin/ssh-agent' AND file.mode='2755' AND file.uid=0 AND file.gid=118)
AND NOT (suid_bin.path='/usr/bin/staprun' AND file.mode='4110' AND file.uid=0 AND file.gid=156)
AND NOT (suid_bin.path='/usr/bin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4111' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sudoedit' AND file.mode='4111' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/top' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/vmware-user-suid-wrapper' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/vmware-user' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/usr/bin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/bin/write.ul' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/usr/bin/write' AND file.mode='2555' AND file.uid=0 AND file.gid=4)
AND NOT (suid_bin.path='/usr/bin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/usr/sbin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/grub2-set-bootflag' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/usr/sbin/lockdev' AND file.mode='2711' AND file.uid=0 AND file.gid=54)
AND NOT (suid_bin.path='/usr/sbin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/pam_extrausers_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/usr/sbin/pam_timestamp_check' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/postdrop' AND file.mode='2755' AND file.uid=0 AND file.gid=28)
AND NOT (suid_bin.path='/usr/sbin/postqueue' AND file.mode='2755' AND file.uid=0 AND file.gid=28)
AND NOT (suid_bin.path='/usr/sbin/pppd' AND file.mode='4754' AND file.uid=0 AND file.gid=30)
AND NOT (suid_bin.path='/usr/sbin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
AND NOT (suid_bin.path='/usr/sbin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/traceroute' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/traceroute6' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/umount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/umount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/userhelper' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
AND NOT (suid_bin.path='/usr/sbin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
AND NOT (suid_bin.path='/usr/sbin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
SELECT file.path, gid, uid, mode, type, size, sha256
-- missed many directories
FROM file
JOIN hash ON file.path = hash.path
WHERE
(
file.path LIKE "/bin/%"
OR file.path LIKE "/sbin/%"
OR file.path LIKE "/usr/sbin/%"
OR file.path LIKE "/usr/lib/%"
OR file.path LIKE "/usr/lib64/%"
OR file.path LIKE "/usr/bin/%"
OR file.path LIKE "/usr/libexec/%"
OR file.path LIKE "/usr/local/bin/%"
OR file.path LIKE "/usr/local/sbin/%"
OR file.path LIKE "/opt/%/bin/%"
OR file.path LIKE "/opt/%/sbin/%"
OR file.path LIKE "/usr/local/lib/%"
OR file.path LIKE "/usr/local/lib64/%"
OR file.path LIKE "/usr/local/libexec/%"
OR file.path LIKE "/var/lib/%"
OR file.path LIKE "/var/tmp/%"
OR file.path LIKE "/tmp/%"
OR file.path LIKE "/home/%/bin/%"
OR file.path LIKE "/Users/%/bin/%"
)
AND type='regular'
AND mode NOT LIKE "0%"
AND mode NOT LIKE "1%"
AND NOT (mode LIKE '4%11' AND uid=0 AND gid=0 AND
file.path IN (
'/usr/sbin/wodim',
'/usr/sbin/userhelper',
'/usr/sbin/umount.nfs4',
'/usr/sbin/umount.nfs',
'/usr/sbin/rscsi',
'/usr/sbin/readom',
'/usr/sbin/readcd',
'/usr/sbin/mount.nfs4',
'/usr/sbin/mount.nfs',
'/usr/sbin/icedax',
'/usr/sbin/cdrecord',
'/usr/sbin/cdda2wav',
'/usr/bin/wodim',
'/usr/bin/umount.nfs4',
'/usr/bin/umount.nfs',
'/usr/bin/sudoedit',
'/usr/bin/sudo',
'/usr/bin/rscsi',
'/usr/bin/readom',
'/usr/bin/readcd',
'/usr/bin/mount.nfs4',
'/usr/bin/mount.nfs',
'/usr/bin/icedax',
'/usr/bin/cdrecord',
'/usr/bin/cdda2wav',
'/sbin/wodim',
'/sbin/userhelper',
'/sbin/umount.nfs4',
'/sbin/umount.nfs',
'/sbin/rscsi',
'/sbin/readom',
'/sbin/readcd',
'/sbin/mount.nfs4',
'/sbin/mount.nfs',
'/sbin/icedax',
'/sbin/cdrecord',
'/sbin/cdda2wav',
'/bin/wodim',
'/bin/umount.nfs4',
'/bin/umount.nfs',
'/bin/sudoedit',
'/bin/sudo',
'/bin/rscsi',
'/bin/readom',
'/bin/readcd',
'/bin/mount.nfs4',
'/bin/mount.nfs',
'/bin/icedax',
'/bin/cdrecord',
'/bin/cdda2wav',
'/usr/libexec/security_authtrampoline'
)
)
AND NOT (mode LIKE '4%55' AND uid=0 AND gid=0 AND
file.path IN (
'/usr/sbin/unix_chkpwd',
'/usr/sbin/umount.nfs4',
'/usr/sbin/umount.nfs',
'/usr/sbin/umount',
'/usr/libexec/authopen',
'/bin/nvidia-modprobe',
'/sbin/nvidia-modprobe',
'/usr/bin/nvidia-modprobe',
'/usr/sbin/nvidia-modprobe',
'/usr/sbin/traceroute6',
'/usr/sbin/traceroute',
'/usr/sbin/suexec',
'/usr/sbin/sudoedit',
'/usr/sbin/sudo',
'/usr/sbin/su',
'/usr/sbin/sg',
'/usr/sbin/rltraceroute6',
'/usr/sbin/rdisc6',
'/usr/sbin/pkexec',
'/usr/sbin/passwd',
'/usr/sbin/pam_timestamp_check',
'/usr/sbin/newgrp',
'/usr/sbin/ndisc6',
'/usr/sbin/mount.nfs4',
'/usr/sbin/mount.nfs',
'/usr/sbin/mount',
'/usr/sbin/ksu',
'/usr/sbin/grub2-set-bootflag',
'/usr/sbin/gpasswd',
'/usr/sbin/fusermount3',
'/usr/sbin/fusermount',
'/usr/sbin/expiry',
'/usr/sbin/doas',
'/usr/sbin/crontab',
'/usr/sbin/chsh',
'/usr/sbin/chfn',
'/usr/sbin/chage',
'/usr/bin/vmware-user-suid-wrapper',
'/usr/bin/vmware-user',
'/usr/bin/umount',
'/usr/bin/top',
'/usr/bin/suexec',
'/usr/bin/sudoedit',
'/usr/bin/sudo',
'/usr/bin/su',
'/usr/bin/sg',
'/usr/bin/rltraceroute6',
'/usr/bin/rdisc6',
'/usr/bin/quota',
'/usr/bin/pkexec',
'/usr/bin/passwd',
'/usr/bin/newgrp',
'/usr/bin/ndisc6',
'/usr/bin/mount',
'/usr/bin/login',
'/usr/bin/ksu',
'/usr/bin/gpasswd',
'/usr/bin/fusermount-glusterfs',
'/usr/bin/fusermount3',
'/usr/bin/fusermount',
'/usr/bin/expiry',
'/usr/bin/doas',
'/usr/bin/crontab',
'/usr/bin/chsh',
'/usr/bin/chfn',
'/usr/bin/chage',
'/usr/bin/batch',
'/usr/bin/atrm',
'/usr/bin/atq',
'/usr/bin/at',
'/sbin/unix_chkpwd',
'/sbin/umount.nfs4',
'/sbin/umount.nfs',
'/sbin/umount',
'/sbin/suexec',
'/sbin/sudoedit',
'/sbin/sudo',
'/sbin/su',
'/sbin/sg',
'/sbin/rltraceroute6',
'/sbin/rdisc6',
'/sbin/pkexec',
'/sbin/passwd',
'/sbin/pam_timestamp_check',
'/sbin/newgrp',
'/sbin/ndisc6',
'/sbin/mount.nfs4',
'/sbin/mount.nfs',
'/sbin/mount',
'/sbin/ksu',
'/sbin/grub2-set-bootflag',
'/sbin/gpasswd',
'/sbin/fusermount3',
'/sbin/fusermount',
'/sbin/expiry',
'/sbin/doas',
'/sbin/crontab',
'/sbin/chsh',
'/sbin/chfn',
'/sbin/chage',
'/bin/vmware-user-suid-wrapper',
'/bin/vmware-user',
'/bin/umount',
'/bin/suexec',
'/bin/sudoedit',
'/bin/sudo',
'/bin/su',
'/bin/sg',
'/bin/rltraceroute6',
'/bin/rdisc6',
'/bin/ps',
'/bin/pkexec',
'/bin/passwd',
'/bin/newgrp',
'/bin/ndisc6',
'/bin/mount',
'/bin/ksu',
'/bin/gpasswd',
'/bin/fusermount-glusterfs',
'/bin/fusermount3',
'/bin/fusermount',
'/bin/expiry',
'/bin/doas',
'/bin/crontab',
'/bin/chsh',
'/bin/chfn',
'/bin/chage',
'/usr/lib/Xorg.wrap',
'/usr/lib/mail-dotlock',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib64/Xorg.wrap',
'/usr/lib64/mail-dotlock',
'/usr/lib64/xf86-video-intel-backlight-helper',
'/usr/libexec/qemu-bridge-helper',
'/usr/libexec/Xorg.wrap',
'/usr/libexec/polkit-agent-helper-1'
)
)
AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
file.path IN (
'/bin/mount.cifs',
'/bin/mount.smb3',
'/bin/unix_chkpwd',
'/sbin/mount.cifs',
'/sbin/mount.smb3',
'/sbin/unix_chkpwd',
'/usr/bin/mount.cifs',
'/usr/bin/mount.smb3',
'/usr/bin/unix_chkpwd',
'/usr/sbin/mount.cifs',
'/usr/sbin/mount.smb3',
'/usr/sbin/unix_chkpwd',
'/usr/lib/xtest',
'/usr/lib64/xtest'
)
)
AND NOT (file.path='/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
AND NOT (file.path='/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
AND NOT (file.path='/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
AND NOT (file.path='/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/bin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
AND NOT (file.path='/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
AND NOT (file.path='/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
AND NOT (file.path='/usr/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/usr/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
AND NOT (file.path='/usr/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
AND NOT (file.path='/usr/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
AND NOT (file.path='/usr/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/bin/write' AND mode='2555' AND uid=0 AND gid=4)
AND NOT (file.path='/usr/bin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
AND NOT (file.path='/usr/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/sbin/postdrop' AND mode='2755' AND uid=0 AND gid=28)
AND NOT (file.path='/usr/sbin/postqueue' AND mode='2755' AND uid=0 AND gid=28)
AND NOT (file.path='/usr/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
AND NOT (file.path='/usr/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
AND NOT (file.path='/usr/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
AND NOT (file.path='/usr/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
AND NOT (file.path='/usr/libexec/camel-lock-helper-1.2' AND mode='2755' AND uid=0 AND gid=8)
AND NOT (file.path='/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache' AND mode='2755' AND uid=173 AND gid=173)
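Review bot: The grouped allowlists match modes with `mode LIKE '4%11'` and `mode LIKE '4%55'`, which accept any characters between the setuid digit and the group/other bits, so every listed path is now allowed with modes the old per-path rows never named (`/bin/ps` was previously allowed only as `4755`). If only the modes from the old list are meant, `mode IN ('4111', '4511', '4711')` and `mode IN ('4555', '4755')` state that exactly. Separately, as far as I know osquery's `file` table treats a single `%` in a path constraint as one directory level, so `file.path LIKE "/usr/lib/%"` would not enumerate setuid helpers that live in subdirectories. Given the `-- missed many directories` comment, it is worth confirming that this depth is intended and saying so in a comment next to the path list.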


@ -20,6 +20,7 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
AND directory NOT LIKE '/nix/store/%/lib/%'
AND directory NOT LIKE '/nix/store/%/libexec'
AND directory NOT LIKE '/nix/store/%/libexec/%'
AND directory NOT LIKE '/nix/store/%/share/%'
AND directory NOT LIKE '/opt/%'
AND directory NOT LIKE '/opt/homebrew/%'
AND directory NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
@ -68,7 +69,8 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
'/usr/sbin',
'/Library/Printers/DYMO/Utilities',
'/Library/Developer/CommandLineTools/usr/bin',
'/usr/share/code'
'/usr/share/code',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS'
)
AND f.path NOT IN (
'/usr/libexec/AssetCache/AssetCache',


@ -12,43 +12,46 @@ SELECT p.pid,
FROM processes p
JOIN processes pp ON p.parent = pp.pid
WHERE
p.cmdline LIKE "%.onion%" OR
p.cmdline LIKE "%tor2web%" OR
p.cmdline LIKE "%aliyun%" OR
p.cmdline LIKE "%pastebin%" OR
p.cmdline LIKE "%curl %/.%" OR
p.cmdline LIKE "%curl %.0%" OR
p.cmdline LIKE "%curl %.1%" OR
p.cmdline LIKE "%curl %.2%" OR
p.cmdline LIKE "%curl %.3%" OR
p.cmdline LIKE "%curl %.4%" OR
p.cmdline LIKE "%curl %.5%" OR
p.cmdline LIKE "%curl %.6%" OR
p.cmdline LIKE "%curl %.7%" OR
p.cmdline LIKE "%curl %.8%" OR
p.cmdline LIKE "%curl %.9%" OR
p.cmdline LIKE "%curl %:0%" OR
p.cmdline LIKE "%curl %:1%" OR
p.cmdline LIKE "%curl %:2%" OR
p.cmdline LIKE "%curl %:3%" OR
p.cmdline LIKE "%curl %:4%" OR
p.cmdline LIKE "%curl %:5%" OR
p.cmdline LIKE "%curl %:6%" OR
p.cmdline LIKE "%curl %:7%" OR
p.cmdline LIKE "%curl %:8%" OR
p.cmdline LIKE "%curl %:9%" OR
p.cmdline LIKE "%curl %--user-agent%" OR
p.cmdline LIKE "%curl -fsSL%" OR
p.cmdline LIKE "%wget %/.%" OR
p.cmdline LIKE "%wget %.0%" OR
p.cmdline LIKE "%wget %.1%" OR
p.cmdline LIKE "%wget %.2%" OR
p.cmdline LIKE "%wget %.3%" OR
p.cmdline LIKE "%wget %.4%" OR
p.cmdline LIKE "%wget %.5%" OR
p.cmdline LIKE "%wget %.6%" OR
p.cmdline LIKE "%wget %.7%" OR
p.cmdline LIKE "%wget %.8%" OR
p.cmdline LIKE "%wget %.9%" OR
p.cmdline LIKE "%wget %--user-agent%" OR
p.cmdline LIKE "%wget %--no-check-certificate%"
(
p.cmdline LIKE "%.onion%" OR
p.cmdline LIKE "%tor2web%" OR
p.cmdline LIKE "%aliyun%" OR
p.cmdline LIKE "%pastebin%" OR
p.cmdline LIKE "%curl %/.%" OR
p.cmdline LIKE "%curl %.0%" OR
p.cmdline LIKE "%curl %.1%" OR
p.cmdline LIKE "%curl %.2%" OR
p.cmdline LIKE "%curl %.3%" OR
p.cmdline LIKE "%curl %.4%" OR
p.cmdline LIKE "%curl %.5%" OR
p.cmdline LIKE "%curl %.6%" OR
p.cmdline LIKE "%curl %.7%" OR
p.cmdline LIKE "%curl %.8%" OR
p.cmdline LIKE "%curl %.9%" OR
p.cmdline LIKE "%curl %:0%" OR
p.cmdline LIKE "%curl %:1%" OR
p.cmdline LIKE "%curl %:2%" OR
p.cmdline LIKE "%curl %:3%" OR
p.cmdline LIKE "%curl %:4%" OR
p.cmdline LIKE "%curl %:5%" OR
p.cmdline LIKE "%curl %:6%" OR
p.cmdline LIKE "%curl %:7%" OR
p.cmdline LIKE "%curl %:8%" OR
p.cmdline LIKE "%curl %:9%" OR
p.cmdline LIKE "%curl %--user-agent%" OR
p.cmdline LIKE "%curl -fsSL%" OR
p.cmdline LIKE "%wget %/.%" OR
p.cmdline LIKE "%wget %.0%" OR
p.cmdline LIKE "%wget %.1%" OR
p.cmdline LIKE "%wget %.2%" OR
p.cmdline LIKE "%wget %.3%" OR
p.cmdline LIKE "%wget %.4%" OR
p.cmdline LIKE "%wget %.5%" OR
p.cmdline LIKE "%wget %.6%" OR
p.cmdline LIKE "%wget %.7%" OR
p.cmdline LIKE "%wget %.8%" OR
p.cmdline LIKE "%wget %.9%" OR
p.cmdline LIKE "%wget %--user-agent%" OR
p.cmdline LIKE "%wget %--no-check-certificate%"
)
AND parent_name NOT IN ('makepkg')
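Review bot: `AND parent_name NOT IN ('makepkg')` applies to the whole parenthesised list, so a child of any process named `makepkg` is exempt from every pattern, including `%.onion%` and `%tor2web%`, not only the download-style matches a package build would plausibly produce. If the noise comes from one pattern (the commit does not say which; `%curl -fsSL%` is a guess), the exemption can be scoped to it: `AND NOT (parent_name = 'makepkg' AND p.cmdline LIKE '%curl -fsSL%')`. `parent_name` is defined outside the hunk, presumably in the SELECT list that starts above it.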