Initial configs for the kolide-pipeline-notifier

2022-09-01 16:39:35 -04:00 · 2022-09-01 16:39:35 -04:00 · e9dcfbbe2e
parent d86d87812e
commit e9dcfbbe2e
4 changed files with 11 additions and 3 deletions
--- a/unexpected-listeners.sql
+++ b/unexpected-listeners.sql
@ -42,7 +42,7 @@ WHERE port != 0
    AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
    AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=4161 AND lp.protocol=6)
    AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=41641 AND lp.protocol=17)
-    AND NOT (p.name='Socket Process' and p.cwd LIKE '/proc/%/fdinfo' AND lp.port>32000 AND lp.protocol=17)
+    AND NOT (p.name='Socket Process' and p.cwd LIKE '/proc/%/fdinfo%' AND lp.port>32000 AND lp.protocol=17)
    -- macOS --
    AND NOT (p.name IN ('launchd','netbiosd') AND p.cwd='/' AND lp.port IN (137,138) AND lp.protocol=17)
    AND NOT (p.name='Arc Helper' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
@ -80,6 +80,7 @@ WHERE port != 0
    AND NOT (p.name='syslogd' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
    AND NOT (p.name='systemd-resolve' AND p.cwd='/' AND lp.port=5355 AND lp.protocol IN (6,17))
    AND NOT (p.name='Slack Helper' AND lp.port>49000 AND lp.protocol=17)
+    AND NOT (p.name='com.apple.WebKit.Networking' AND lp.port>49000 AND lp.protocol=17)
    AND NOT (p.name='TIDAL Helper (Renderer)' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
    AND NOT (p.name='vpnkit-bridge' AND p.cwd LIKE '/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port>49000 AND lp.protocol=6)
    AND NOT (p.name='WireGuardNetworkExtension' AND p.cwd LIKE '/Users/%/Library/Containers/com.wireguard.macos.network-extension/Data' AND lp.port>49000 AND lp.protocol=17)
--- a/unexpected-talkers.sql
+++ b/unexpected-talkers.sql
@ -11,6 +11,7 @@ AND s.remote_address NOT LIKE '172.1%'
 AND s.remote_address NOT LIKE '::ffff:172.%'
 AND s.remote_address NOT LIKE '10.%'
 AND s.remote_address NOT LIKE '::ffff:10.%'
+AND s.remote_address NOT LIKE 'fc00:%'
 AND s.state != 'LISTEN'
 AND NOT (p.cmdline LIKE '%.com.flexibits.fantastical2.mac.helper' AND remote_port = 443)
 AND NOT (p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' AND remote_port = 443)
@ -22,6 +23,7 @@ AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Ch
 AND NOT (p.name IN ('Mail','thunderbird','Spark') AND remote_port IN (443,993))
 AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (443,8009,4070,32211))
 AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
+AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
 AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6)
 AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
 AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
@ -37,7 +39,7 @@ AND NOT (p.path LIKE '%/NetworkManager' AND remote_port = 67)
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
-AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND p.cwd='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc' AND remote_port=>1024 AND protocol=17)
+AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND remote_port>1023 AND protocol=17)
 AND NOT (p.path='/System/Library/PrivateFrameworks/ApplePushService.framework/apsd' AND p.cwd='/' AND remote_port=5223 AND protocol=6)
 AND NOT (p.path='/usr/local/libexec/ReceiverHelper.app/Contents/MacOS/ReceiverHelper' AND p.cwd='/' AND remote_port=443 AND protocol=6)
 AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.path = '/usr/sbin/mDNSResponder')
@ -50,6 +52,8 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
        'ko',
        'kubectl',
        'k9s',
+        'terraform',
+        'steam_osx',
        'slack',
        'Slack Helper',
        'Slack',
@ -61,4 +65,6 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
        'htop'
    )
 )
+AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
+

--- a/unexpectedly-high-readers.sql
+++ b/unexpectedly-high-readers.sql
@ -12,6 +12,7 @@ AND NOT (name='gopls' AND path LIKE '/home/%/gopls/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/bin/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/gopls/gopls')
 AND NOT (name='go' AND cmdline LIKE 'go run %')
+AND NOT (name='terraform-ls' AND cmdline LIKE 'terraform-ls serve%')
 AND NOT (name='kernel_task' AND path='' AND parent IN (0,1) AND on_disk=-1)
 AND NOT (name='launcher' AND path='/usr/local/kolide-k2/bin/launcher-updates/1659471464/launcher')
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
--- a/unexpectedly-high-writers.sql
+++ b/unexpectedly-high-writers.sql
@ -13,7 +13,7 @@ AND NOT (name='launchd' AND path='/sbin/launchd' aND parent=0)
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
 AND NOT (name='oahd' AND path='/usr/libexec/rosetta/oahd')
 AND NOT (name='systemd' AND path='/usr/lib/systemd/systemd')
-AND NOT name IN ('firefox','gopls')
+AND NOT name IN ('firefox','gopls','containerd')
 AND path NOT LIKE '/Applications/%.app/Contents/%'
 AND path NOT LIKE '/System/Applications/%'
 AND path NOT LIKE '/System/Library/%'