From e5973acc2590e7cefe3f1a77f2141cfcdea99579 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 10 Sep 2022 13:10:54 -0400
Subject: [PATCH] Second weekend tuning

---
 fd/unexpected-dev-opener.sql | 4 +-
 fs/unexpected-setuid-binaries.sql | 520 ++++++++++--------
 ...ed-processes.sql => missing-from-disk.sql} | 0
 process/unexpected-executable-directory.sql | 4 +-
 process/unusual-fetcher.sql | 83 +--
 5 files changed, 336 insertions(+), 275 deletions(-)
 rename process/{deleted-processes.sql => missing-from-disk.sql} (100%)

diff --git a/fd/unexpected-dev-opener.sql b/fd/unexpected-dev-opener.sql
index c5fd830..6aa53d0 100644
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@@ -36,7 +36,7 @@ WHERE pof.path LIKE '/dev/%'
 AND NOT pof.path LIKE '/dev/shm/.com.google.%'
 AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
 AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
- AND NOT (device LIKE '/dev/hidraw%' AND p.name = 'chrome')
+ AND NOT (device LIKE '/dev/hidraw%' AND p.name IN ('chrome', 'depmod'))
 AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
 AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg'))
 AND NOT (
@@ -45,7 +45,7 @@ WHERE pof.path LIKE '/dev/%'
 )
 AND NOT (
 device LIKE '/dev/bpf%'
- AND program = '/usr/libexec/airportd'
+ AND program IN ('/usr/libexec/airportd', '/usr/libexec/configd')
 )
 AND NOT (
 device LIKE '/dev/bus/usb/%'
diff --git a/fs/unexpected-setuid-binaries.sql b/fs/unexpected-setuid-binaries.sql
index 2cd6bf3..28868ce 100644
--- a/fs/unexpected-setuid-binaries.sql
+++ b/fs/unexpected-setuid-binaries.sql
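Review bot: The new `depmod` exemption on the `/dev/hidraw%` line keys on `p.name`, which is derived from the process's own executable name / comm and is therefore chosen by whoever launches the process, so any binary that calls itself depmod slips past this check; the bpf exemption in the second hunk already matches on `program` (the resolved executable path), which is the stronger key. Matching depmod the same way, `AND NOT (device LIKE '/dev/hidraw%' AND (p.name = 'chrome' OR program = '<resolved path of depmod on the hosts where this was observed>'))`, keeps the tuning as narrow as the airportd/configd one. It is also not obvious from the query why depmod would open a HID raw device, so a one-line comment recording what was seen (`-- depmod: observed opening /dev/hidraw*; confirm before widening`) would help the next reader judge whether the exemption is still warranted. The enclosing SELECT starts outside the hunk.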
@@ -1,232 +1,288 @@ -SELECT suid_bin.path, file.gid, file.uid, file.mode, file.type, file.size -FROM suid_bin -JOIN file ON suid_bin.path = file.path -AND NOT (suid_bin.path='/bin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/chage' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/bin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/crontab' AND file.mode='2755' AND file.uid=0 AND file.gid=104) -AND NOT (suid_bin.path='/bin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/expiry' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/bin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/fusermount-glusterfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=979) -AND NOT (suid_bin.path='/bin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT 
(suid_bin.path='/bin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/plocate' AND file.mode='2755' AND file.uid=0 AND file.gid=979) -AND NOT (suid_bin.path='/bin/ps' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/bin/ssh-agent' AND file.mode='2755' AND file.uid=0 AND file.gid=118) -AND NOT (suid_bin.path='/bin/staprun' AND file.mode='4110' AND file.uid=0 AND file.gid=156) -AND NOT (suid_bin.path='/bin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/sudo' AND file.mode='4111' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT 
(suid_bin.path='/bin/sudoedit' AND file.mode='4111' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/vmware-user-suid-wrapper' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/vmware-user' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/bin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/bin/write.ul' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/bin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/sbin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/fusermount' AND file.mode='4755' AND 
file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/grub2-set-bootflag' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/sbin/lockdev' AND file.mode='2711' AND file.uid=0 AND file.gid=54) -AND NOT (suid_bin.path='/sbin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/pam_extrausers_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/sbin/pam_timestamp_check' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/pppd' AND file.mode='4754' AND file.uid=0 AND 
file.gid=30) -AND NOT (suid_bin.path='/sbin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/sbin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/umount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/umount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/userhelper' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/sbin/wodim' 
AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/sbin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/usr/bin/at' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/atq' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/atrm' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/batch' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/chage' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/usr/bin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/crontab' AND file.mode='2755' AND file.uid=0 AND file.gid=104) -AND NOT (suid_bin.path='/usr/bin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/expiry' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/usr/bin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/fusermount-glusterfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/icedax' AND 
file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/usr/bin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=979) -AND NOT (suid_bin.path='/usr/bin/login' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/newgrp' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/plocate' AND file.mode='2755' AND file.uid=0 AND file.gid=979) -AND NOT (suid_bin.path='/usr/bin/quota' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/rscsi' AND 
file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/usr/bin/ssh-agent' AND file.mode='2755' AND file.uid=0 AND file.gid=118) -AND NOT (suid_bin.path='/usr/bin/staprun' AND file.mode='4110' AND file.uid=0 AND file.gid=156) -AND NOT (suid_bin.path='/usr/bin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4111' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sudoedit' AND file.mode='4111' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/top' AND file.mode='4555' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/vmware-user-suid-wrapper' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/vmware-user' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/bin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/usr/bin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT 
(suid_bin.path='/usr/bin/write.ul' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/usr/bin/write' AND file.mode='2555' AND file.uid=0 AND file.gid=4) -AND NOT (suid_bin.path='/usr/bin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5) -AND NOT (suid_bin.path='/usr/sbin/cdda2wav' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/cdrecord' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/chage' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/chfn' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/chsh' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/crontab' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/doas' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/expiry' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/fusermount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/fusermount3' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/gpasswd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/grub2-set-bootflag' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/icedax' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/ksu' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/locate' AND file.mode='2755' AND file.uid=0 AND file.gid=21) -AND NOT (suid_bin.path='/usr/sbin/lockdev' AND file.mode='2711' AND file.uid=0 AND file.gid=54) -AND NOT (suid_bin.path='/usr/sbin/mount.cifs' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount.nfs' AND file.mode='4511' AND file.uid=0 AND 
file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount.smb3' AND file.mode='6755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/mount' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/ndisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/newgrp' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/pam_extrausers_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42) -AND NOT (suid_bin.path='/usr/sbin/pam_timestamp_check' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/passwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/pkexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/postdrop' AND file.mode='2755' AND file.uid=0 AND file.gid=28) -AND NOT (suid_bin.path='/usr/sbin/postqueue' AND file.mode='2755' AND file.uid=0 AND file.gid=28) -AND NOT (suid_bin.path='/usr/sbin/pppd' AND file.mode='4754' AND file.uid=0 AND file.gid=30) -AND NOT (suid_bin.path='/usr/sbin/rdisc6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/readcd' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/readom' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/rltraceroute6' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/rscsi' AND file.mode='4711' AND file.uid=0 AND file.gid=0) -AND NOT (suid_bin.path='/usr/sbin/sg' AND file.mode='4755' AND file.uid=0 AND file.gid=0) -AND NOT 
(suid_bin.path='/usr/sbin/slocate' AND file.mode='2755' AND file.uid=0 AND file.gid=21)
-AND NOT (suid_bin.path='/usr/sbin/su' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/sudo' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/sudoedit' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/suexec' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/traceroute' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/traceroute6' AND file.mode='4555' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/umount.nfs' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/umount.nfs' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/umount.nfs4' AND file.mode='4511' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/umount.nfs4' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/umount' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='2755' AND file.uid=0 AND file.gid=42)
-AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='4755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/unix_chkpwd' AND file.mode='6755' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/userhelper' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/wall' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
-AND NOT (suid_bin.path='/usr/sbin/wodim' AND file.mode='4711' AND file.uid=0 AND file.gid=0)
-AND NOT (suid_bin.path='/usr/sbin/write' AND file.mode='2755' AND file.uid=0 AND file.gid=5)
\ No newline at end of file
+SELECT file.path, gid, uid, mode, type, size, sha256
+-- missed many directories
+FROM file
+JOIN hash ON file.path = hash.path
+WHERE
+(
+ file.path LIKE "/bin/%"
+ OR file.path LIKE "/sbin/%"
+ OR file.path LIKE "/usr/sbin/%"
+ OR file.path LIKE "/usr/lib/%"
+ OR file.path LIKE "/usr/lib64/%"
+ OR file.path LIKE "/usr/bin/%"
+ OR file.path LIKE "/usr/libexec/%"
+ OR file.path LIKE "/usr/local/bin/%"
+ OR file.path LIKE "/usr/local/sbin/%"
+ OR file.path LIKE "/opt/%/bin/%"
+ OR file.path LIKE "/opt/%/sbin/%"
+ OR file.path LIKE "/usr/local/lib/%"
+ OR file.path LIKE "/usr/local/lib64/%"
+ OR file.path LIKE "/usr/local/libexec/%"
+ OR file.path LIKE "/var/lib/%"
+ OR file.path LIKE "/var/tmp/%"
+ OR file.path LIKE "/tmp/%"
+ OR file.path LIKE "/home/%/bin/%"
+ OR file.path LIKE "/Users/%/bin/%"
+)
+AND type='regular'
+AND mode NOT LIKE "0%"
+AND mode NOT LIKE "1%"
+AND NOT (mode LIKE '4%11' AND uid=0 AND gid=0 AND
+ file.path IN (
+ '/usr/sbin/wodim',
+ '/usr/sbin/userhelper',
+ '/usr/sbin/umount.nfs4',
+ '/usr/sbin/umount.nfs',
+ '/usr/sbin/rscsi',
+ '/usr/sbin/readom',
+ '/usr/sbin/readcd',
+ '/usr/sbin/mount.nfs4',
+ '/usr/sbin/mount.nfs',
+ '/usr/sbin/icedax',
+ '/usr/sbin/cdrecord',
+ '/usr/sbin/cdda2wav',
+ '/usr/bin/wodim',
+ '/usr/bin/umount.nfs4',
+ '/usr/bin/umount.nfs',
+ '/usr/bin/sudoedit',
+ '/usr/bin/sudo',
+ '/usr/bin/rscsi',
+ '/usr/bin/readom',
+ '/usr/bin/readcd',
+ '/usr/bin/mount.nfs4',
+ '/usr/bin/mount.nfs',
+ '/usr/bin/icedax',
+ '/usr/bin/cdrecord',
+ '/usr/bin/cdda2wav',
+ '/sbin/wodim',
+ '/sbin/userhelper',
+ '/sbin/umount.nfs4',
+ '/sbin/umount.nfs',
+ '/sbin/rscsi',
+ '/sbin/readom',
+ '/sbin/readcd',
+ '/sbin/mount.nfs4',
+ '/sbin/mount.nfs',
+ '/sbin/icedax',
+ '/sbin/cdrecord',
+ '/sbin/cdda2wav',
+ '/bin/wodim',
+ '/bin/umount.nfs4',
+ '/bin/umount.nfs',
+ '/bin/sudoedit',
+ '/bin/sudo',
+ '/bin/rscsi',
+ '/bin/readom',
+ '/bin/readcd',
+ '/bin/mount.nfs4',
+ '/bin/mount.nfs',
+ '/bin/icedax',
+ '/bin/cdrecord',
+ '/bin/cdda2wav',
+ '/usr/libexec/security_authtrampoline'
+ )
+)
+AND NOT (mode LIKE '4%55' AND uid=0 AND gid=0 AND
+ file.path IN (
+ '/usr/sbin/unix_chkpwd',
+ '/usr/sbin/umount.nfs4',
+ '/usr/sbin/umount.nfs',
+ '/usr/sbin/umount',
+ '/usr/libexec/authopen',
+ '/bin/nvidia-modprobe',
+ '/sbin/nvidia-modprobe',
+ '/usr/bin/nvidia-modprobe',
+ '/usr/sbin/nvidia-modprobe',
+ '/usr/sbin/traceroute6',
+ '/usr/sbin/traceroute',
+ '/usr/sbin/suexec',
+ '/usr/sbin/sudoedit',
+ '/usr/sbin/sudo',
+ '/usr/sbin/su',
+ '/usr/sbin/sg',
+ '/usr/sbin/rltraceroute6',
+ '/usr/sbin/rdisc6',
+ '/usr/sbin/pkexec',
+ '/usr/sbin/passwd',
+ '/usr/sbin/pam_timestamp_check',
+ '/usr/sbin/newgrp',
+ '/usr/sbin/ndisc6',
+ '/usr/sbin/mount.nfs4',
+ '/usr/sbin/mount.nfs',
+ '/usr/sbin/mount',
+ '/usr/sbin/ksu',
+ '/usr/sbin/grub2-set-bootflag',
+ '/usr/sbin/gpasswd',
+ '/usr/sbin/fusermount3',
+ '/usr/sbin/fusermount',
+ '/usr/sbin/expiry',
+ '/usr/sbin/doas',
+ '/usr/sbin/crontab',
+ '/usr/sbin/chsh',
+ '/usr/sbin/chfn',
+ '/usr/sbin/chage',
+ '/usr/bin/vmware-user-suid-wrapper',
+ '/usr/bin/vmware-user',
+ '/usr/bin/umount',
+ '/usr/bin/top',
+ '/usr/bin/suexec',
+ '/usr/bin/sudoedit',
+ '/usr/bin/sudo',
+ '/usr/bin/su',
+ '/usr/bin/sg',
+ '/usr/bin/rltraceroute6',
+ '/usr/bin/rdisc6',
+ '/usr/bin/quota',
+ '/usr/bin/pkexec',
+ '/usr/bin/passwd',
+ '/usr/bin/newgrp',
+ '/usr/bin/ndisc6',
+ '/usr/bin/mount',
+ '/usr/bin/login',
+ '/usr/bin/ksu',
+ '/usr/bin/gpasswd',
+ '/usr/bin/fusermount-glusterfs',
+ '/usr/bin/fusermount3',
+ '/usr/bin/fusermount',
+ '/usr/bin/expiry',
+ '/usr/bin/doas',
+ '/usr/bin/crontab',
+ '/usr/bin/chsh',
+ '/usr/bin/chfn',
+ '/usr/bin/chage',
+ '/usr/bin/batch',
+ '/usr/bin/atrm',
+ '/usr/bin/atq',
+ '/usr/bin/at',
+ '/sbin/unix_chkpwd',
+ '/sbin/umount.nfs4',
+ '/sbin/umount.nfs',
+ '/sbin/umount',
+ '/sbin/suexec',
+ '/sbin/sudoedit',
+ '/sbin/sudo',
+ '/sbin/su',
+ '/sbin/sg',
+ '/sbin/rltraceroute6',
+ '/sbin/rdisc6',
+ '/sbin/pkexec',
+ '/sbin/passwd',
+ '/sbin/pam_timestamp_check',
+ '/sbin/newgrp',
+ '/sbin/ndisc6',
+ '/sbin/mount.nfs4',
+ '/sbin/mount.nfs',
+ '/sbin/mount',
+ '/sbin/ksu',
+ '/sbin/grub2-set-bootflag',
+ '/sbin/gpasswd',
+ '/sbin/fusermount3',
+ '/sbin/fusermount',
+ '/sbin/expiry',
+ '/sbin/doas',
+ '/sbin/crontab',
+ '/sbin/chsh',
+ '/sbin/chfn',
+ '/sbin/chage',
+ '/bin/vmware-user-suid-wrapper',
+ '/bin/vmware-user',
+ '/bin/umount',
+ '/bin/suexec',
+ '/bin/sudoedit',
+ '/bin/sudo',
+ '/bin/su',
+ '/bin/sg',
+ '/bin/rltraceroute6',
+ '/bin/rdisc6',
+ '/bin/ps',
+ '/bin/pkexec',
+ '/bin/passwd',
+ '/bin/newgrp',
+ '/bin/ndisc6',
+ '/bin/mount',
+ '/bin/ksu',
+ '/bin/gpasswd',
+ '/bin/fusermount-glusterfs',
+ '/bin/fusermount3',
+ '/bin/fusermount',
+ '/bin/expiry',
+ '/bin/doas',
+ '/bin/crontab',
+ '/bin/chsh',
+ '/bin/chfn',
+ '/bin/chage',
+ '/usr/lib/Xorg.wrap',
+ '/usr/lib/mail-dotlock',
+ '/usr/lib/xf86-video-intel-backlight-helper',
+ '/usr/lib64/Xorg.wrap',
+ '/usr/lib64/mail-dotlock',
+ '/usr/lib64/xf86-video-intel-backlight-helper',
+ '/usr/libexec/qemu-bridge-helper',
+ '/usr/libexec/Xorg.wrap',
+ '/usr/libexec/polkit-agent-helper-1'
+ )
+)
+
+AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
+ file.path IN (
+ '/bin/mount.cifs',
+ '/bin/mount.smb3',
+ '/bin/unix_chkpwd',
+ '/sbin/mount.cifs',
+ '/sbin/mount.smb3',
+ '/sbin/unix_chkpwd',
+ '/usr/bin/mount.cifs',
+ '/usr/bin/mount.smb3',
+ '/usr/bin/unix_chkpwd',
+ '/usr/sbin/mount.cifs',
+ '/usr/sbin/mount.smb3',
+ '/usr/sbin/unix_chkpwd',
+ '/usr/lib/xtest',
+ '/usr/lib64/xtest'
+ )
+)
+AND NOT (file.path='/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
+AND NOT (file.path='/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
+AND NOT (file.path='/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
+AND NOT (file.path='/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
+AND NOT (file.path='/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
+AND NOT (file.path='/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/bin/write' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
+AND NOT (file.path='/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
+AND NOT (file.path='/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/bin/chage' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/usr/bin/crontab' AND mode='2755' AND uid=0 AND gid=104)
+AND NOT (file.path='/usr/bin/expiry' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/usr/bin/locate' AND mode='2755' AND uid=0 AND gid=979)
+AND NOT (file.path='/usr/bin/plocate' AND mode='2755' AND uid=0 AND gid=979)
+AND NOT (file.path='/usr/bin/slocate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/usr/bin/ssh-agent' AND mode='2755' AND uid=0 AND gid=118)
+AND NOT (file.path='/usr/bin/staprun' AND mode='4110' AND uid=0 AND gid=156)
+AND NOT (file.path='/usr/bin/wall' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/bin/write.ul' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/bin/write' AND mode='2555' AND uid=0 AND gid=4)
+AND NOT (file.path='/usr/bin/write' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/sbin/locate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/usr/sbin/lockdev' AND mode='2711' AND uid=0 AND gid=54)
+AND NOT (file.path='/usr/sbin/pam_extrausers_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/usr/sbin/postdrop' AND mode='2755' AND uid=0 AND gid=28)
+AND NOT (file.path='/usr/sbin/postqueue' AND mode='2755' AND uid=0 AND gid=28)
+AND NOT (file.path='/usr/sbin/pppd' AND mode='4754' AND uid=0 AND gid=30)
+AND NOT (file.path='/usr/sbin/slocate' AND mode='2755' AND uid=0 AND gid=21)
+AND NOT (file.path='/usr/sbin/unix_chkpwd' AND mode='2755' AND uid=0 AND gid=42)
+AND NOT (file.path='/usr/sbin/wall' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/sbin/write' AND mode='2755' AND uid=0 AND gid=5)
+AND NOT (file.path='/usr/libexec/camel-lock-helper-1.2' AND mode='2755' AND uid=0 AND gid=8)
+AND NOT (file.path='/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache' AND mode='2755' AND uid=173 AND gid=173)
diff --git a/process/deleted-processes.sql b/process/missing-from-disk.sql
similarity index 100%
rename from process/deleted-processes.sql
rename to process/missing-from-disk.sql
diff --git a/process/unexpected-executable-directory.sql b/process/unexpected-executable-directory.sql
index 8a5e856..0425d8c 100644
--- a/process/unexpected-executable-directory.sql
+++ b/process/unexpected-executable-directory.sql
@@ -20,6 +20,7 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 AND directory NOT LIKE '/nix/store/%/lib/%'
 AND directory NOT LIKE '/nix/store/%/libexec'
 AND directory NOT LIKE '/nix/store/%/libexec/%'
+ AND directory NOT LIKE '/nix/store/%/share/%'
 AND directory NOT LIKE '/opt/%'
 AND directory NOT LIKE '/opt/homebrew/%'
 AND directory NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
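Review bot: The directory patterns in the new WHERE clause (`file.path LIKE "/usr/lib/%"`, `"/usr/local/lib/%"`, `"/var/lib/%"` and the rest) are single-level globs in osquery's file table — only a trailing `%%` recurses — so a setuid helper one directory down (ssh-keysign under /usr/lib/openssh or the dbus launch helper under /usr/lib/dbus-1.0 on Debian-family systems, for example) is never enumerated, let alone compared against the allowlist; if recursion is the intent, those patterns need `%%`, and the bare `-- missed many directories` comment should say which problem it records, e.g. `-- NOTE: a trailing '%' matches one directory level in osquery's file table; use '%%' to recurse`. The `mode NOT LIKE "0%" AND mode NOT LIKE "1%"` pair reads as a quirk without a why-comment such as `-- keep only modes with a setuid/setgid bit (2xxx, 4xxx, 6xxx, and 3/5/7 when sticky is also set)`. Note that the exemptions key on path, mode and uid/gid but not on the `sha256` the query now selects, so a known-good path replaced in place still matches its exemption; that is a design choice, but it deserves a comment so nobody reads the hash column as a control. Finally, `JOIN hash` is an inner join, so any file the hash table cannot read drops out silently; `LEFT JOIN hash ON file.path = hash.path` would keep such a file visible with a NULL hash.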
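Review bot: `AND directory NOT LIKE '/nix/store/%/share/%'` exempts every executable running from any `share` subtree of any store path, which is broader than the adjacent `lib`/`libexec` exclusions and broader than a single package would justify; if one package prompted it, a pattern that names it, or at least a comment recording what was observed (`-- <package>: ships helper binaries under share/`), would keep the exception auditable. The enclosing WHERE clause begins and ends outside the hunk.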
@@ -68,7 +69,8 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 '/usr/sbin',
 '/Library/Printers/DYMO/Utilities',
 '/Library/Developer/CommandLineTools/usr/bin',
- '/usr/share/code'
+ '/usr/share/code',
+ '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS'
 )
 AND f.path NOT IN (
 '/usr/libexec/AssetCache/AssetCache',
diff --git a/process/unusual-fetcher.sql b/process/unusual-fetcher.sql
index 04cf80d..54ed513 100644
--- a/process/unusual-fetcher.sql
+++ b/process/unusual-fetcher.sql
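Review bot: The new `'/Library/Google/GoogleSoftwareUpdate/.../Contents/MacOS'` entry is a long literal in a bare `NOT IN` list with nothing saying why it is trusted, whereas the `LIKE '/Applications/%.app/%'` style exclusions above are self-explanatory. A trailing comment on the new line, e.g. `-- Google Software Update agent (macOS)`, keeps the allowlist reviewable as it grows. The match is on directory alone, which is consistent with the rest of the list but does not tie the exemption to who signed the binary; if this query already exposes code-signing information, anchoring the entry on that would be tighter. The enclosing query and the start of the `NOT IN` list are outside the hunk.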
@@ -12,43 +12,46 @@ SELECT p.pid,
 FROM processes p
 JOIN processes pp ON p.parent = pp.pid
 WHERE
-p.cmdline LIKE "%.onion%" OR
-p.cmdline LIKE "%tor2web%" OR
-p.cmdline LIKE "%aliyun%" OR
-p.cmdline LIKE "%pastebin%" OR
-p.cmdline LIKE "%curl %/.%" OR
-p.cmdline LIKE "%curl %.0%" OR
-p.cmdline LIKE "%curl %.1%" OR
-p.cmdline LIKE "%curl %.2%" OR
-p.cmdline LIKE "%curl %.3%" OR
-p.cmdline LIKE "%curl %.4%" OR
-p.cmdline LIKE "%curl %.5%" OR
-p.cmdline LIKE "%curl %.6%" OR
-p.cmdline LIKE "%curl %.7%" OR
-p.cmdline LIKE "%curl %.8%" OR
-p.cmdline LIKE "%curl %.9%" OR
-p.cmdline LIKE "%curl %:0%" OR
-p.cmdline LIKE "%curl %:1%" OR
-p.cmdline LIKE "%curl %:2%" OR
-p.cmdline LIKE "%curl %:3%" OR
-p.cmdline LIKE "%curl %:4%" OR
-p.cmdline LIKE "%curl %:5%" OR
-p.cmdline LIKE "%curl %:6%" OR
-p.cmdline LIKE "%curl %:7%" OR
-p.cmdline LIKE "%curl %:8%" OR
-p.cmdline LIKE "%curl %:9%" OR
-p.cmdline LIKE "%curl %--user-agent%" OR
-p.cmdline LIKE "%curl -fsSL%" OR
-p.cmdline LIKE "%wget %/.%" OR
-p.cmdline LIKE "%wget %.0%" OR
-p.cmdline LIKE "%wget %.1%" OR
-p.cmdline LIKE "%wget %.2%" OR
-p.cmdline LIKE "%wget %.3%" OR
-p.cmdline LIKE "%wget %.4%" OR
-p.cmdline LIKE "%wget %.5%" OR
-p.cmdline LIKE "%wget %.6%" OR
-p.cmdline LIKE "%wget %.7%" OR
-p.cmdline LIKE "%wget %.8%" OR
-p.cmdline LIKE "%wget %.9%" OR
-p.cmdline LIKE "%wget %--user-agent%" OR
-p.cmdline LIKE "%wget %--no-check-certificate%"
+(
+ p.cmdline LIKE "%.onion%" OR
+ p.cmdline LIKE "%tor2web%" OR
+ p.cmdline LIKE "%aliyun%" OR
+ p.cmdline LIKE "%pastebin%" OR
+ p.cmdline LIKE "%curl %/.%" OR
+ p.cmdline LIKE "%curl %.0%" OR
+ p.cmdline LIKE "%curl %.1%" OR
+ p.cmdline LIKE "%curl %.2%" OR
+ p.cmdline LIKE "%curl %.3%" OR
+ p.cmdline LIKE "%curl %.4%" OR
+ p.cmdline LIKE "%curl %.5%" OR
+ p.cmdline LIKE "%curl %.6%" OR
+ p.cmdline LIKE "%curl %.7%" OR
+ p.cmdline LIKE "%curl %.8%" OR
+ p.cmdline LIKE "%curl %.9%" OR
+ p.cmdline LIKE "%curl %:0%" OR
+ p.cmdline LIKE "%curl %:1%" OR
+ p.cmdline LIKE "%curl %:2%" OR
+ p.cmdline LIKE "%curl %:3%" OR
+ p.cmdline LIKE "%curl %:4%" OR
+ p.cmdline LIKE "%curl %:5%" OR
+ p.cmdline LIKE "%curl %:6%" OR
+ p.cmdline LIKE "%curl %:7%" OR
+ p.cmdline LIKE "%curl %:8%" OR
+ p.cmdline LIKE "%curl %:9%" OR
+ p.cmdline LIKE "%curl %--user-agent%" OR
+ p.cmdline LIKE "%curl -fsSL%" OR
+ p.cmdline LIKE "%wget %/.%" OR
+ p.cmdline LIKE "%wget %.0%" OR
+ p.cmdline LIKE "%wget %.1%" OR
+ p.cmdline LIKE "%wget %.2%" OR
+ p.cmdline LIKE "%wget %.3%" OR
+ p.cmdline LIKE "%wget %.4%" OR
+ p.cmdline LIKE "%wget %.5%" OR
+ p.cmdline LIKE "%wget %.6%" OR
+ p.cmdline LIKE "%wget %.7%" OR
+ p.cmdline LIKE "%wget %.8%" OR
+ p.cmdline LIKE "%wget %.9%" OR
+ p.cmdline LIKE "%wget %--user-agent%" OR
+ p.cmdline LIKE "%wget %--no-check-certificate%"
+)
+AND parent_name NOT IN ('makepkg')
\ No newline at end of file
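Review bot: `AND parent_name NOT IN ('makepkg')` filters on `parent_name`, which is not a column of either `processes` alias joined here and so is presumably a SELECT-list alias defined above the hunk; SQLite tolerates alias references in WHERE, but it is non-standard and reads more clearly as the underlying column, likely `pp.name NOT IN ('makepkg')`. If that value can be NULL, `NOT IN` evaluates to UNKNOWN and the row is silently dropped, so `COALESCE(pp.name, '') NOT IN ('makepkg')` keeps the new exclusion from suppressing hits it was not meant to. A name-only exemption is also coarse; if the parent's path is available in this query, keying the exemption on `pp.path` ties it to the actual makepkg program rather than anything sharing its name. Separately, the re-indented patterns keep double-quoted string literals such as `"%.onion%"`, which SQLite resolves as identifiers first and only falls back to strings; single quotes avoid that ambiguity. The SELECT list this hunk refers to starts outside the hunk.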