From e9dcfbbe2e209279fcdb3ea0962e6c084d20d697 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 1 Sep 2022 16:39:35 -0400
Subject: [PATCH] Initial configs for the kolide-pipeline-notifier
---
 unexpected-listeners.sql | 3 ++-
 unexpected-talkers.sql | 8 +++++++-
 unexpectedly-high-readers.sql | 1 +
 unexpectedly-high-writers.sql | 2 +-
 4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/unexpected-listeners.sql b/unexpected-listeners.sql
index 227cfab..6f3addf 100644
--- a/unexpected-listeners.sql
+++ b/unexpected-listeners.sql
@@ -42,7 +42,7 @@ WHERE port != 0
 AND NOT (p.name='sshd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
 AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=4161 AND lp.protocol=6)
 AND NOT (p.name='tailscaled' AND p.cwd='/' AND lp.port=41641 AND lp.protocol=17)
-AND NOT (p.name='Socket Process' and p.cwd LIKE '/proc/%/fdinfo' AND lp.port>32000 AND lp.protocol=17)
+AND NOT (p.name='Socket Process' and p.cwd LIKE '/proc/%/fdinfo%' AND lp.port>32000 AND lp.protocol=17)
 -- macOS
 -- AND NOT (p.name IN ('launchd','netbiosd') AND p.cwd='/' AND lp.port IN (137,138) AND lp.protocol=17)
 AND NOT (p.name='Arc Helper' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
@@ -80,6 +80,7 @@ WHERE port != 0
 AND NOT (p.name='syslogd' AND p.cwd='/' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='systemd-resolve' AND p.cwd='/' AND lp.port=5355 AND lp.protocol IN (6,17))
 AND NOT (p.name='Slack Helper' AND lp.port>49000 AND lp.protocol=17)
+AND NOT (p.name='com.apple.WebKit.Networking' AND lp.port>49000 AND lp.protocol=17)
 AND NOT (p.name='TIDAL Helper (Renderer)' AND p.cwd='/' AND lp.port=5353 AND lp.protocol=17)
 AND NOT (p.name='vpnkit-bridge' AND p.cwd LIKE '/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port>49000 AND lp.protocol=6)
 AND NOT (p.name='WireGuardNetworkExtension' AND p.cwd LIKE '/Users/%/Library/Containers/com.wireguard.macos.network-extension/Data' AND lp.port>49000 AND lp.protocol=17)
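Review bot: The rewritten `Socket Process` row in the first hunk keeps a lowercase `and` between `p.name` and `p.cwd` while every other predicate in the file spells the keyword `AND`; since the line is being touched anyway, normalise it (`AND NOT (p.name='Socket Process' AND p.cwd LIKE '/proc/%/fdinfo%' AND lp.port>32000 AND lp.protocol=17)`) so a future grep or sqlfluff run does not trip on it. The reason a browser helper's working directory sits under `/proc/<pid>/fdinfo` is not obvious to a reader; a trailing comment such as `-- Firefox socket process; sandbox chroots into /proc/self/fdinfo (confirm)` would save the next maintainer a trip to the sandbox docs. The enclosing WHERE clause starts before this hunk.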
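Review bot: The new `com.apple.WebKit.Networking` exclusion in the second hunk keys only on `p.name`, which any binary can set, and unlike its `syslogd`/`systemd-resolve`/`TIDAL` neighbours it carries no `p.cwd` or `p.path` anchor, so a renamed process listening on a high UDP port is silently allowlisted. The unexpected-talkers.sql hunk in this same commit already pins this process by its full path, so the listener rule can do the same: `AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND lp.port>49000 AND lp.protocol=17)`. The `Slack Helper` row directly above has the same weakness but predates this change. The enclosing WHERE clause starts before this hunk.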
diff --git a/unexpected-talkers.sql b/unexpected-talkers.sql
index df23fe6..c09c535 100644
--- a/unexpected-talkers.sql
+++ b/unexpected-talkers.sql
@@ -11,6 +11,7 @@ AND s.remote_address NOT LIKE '172.1%'
 AND s.remote_address NOT LIKE '::ffff:172.%'
 AND s.remote_address NOT LIKE '10.%'
 AND s.remote_address NOT LIKE '::ffff:10.%'
+AND s.remote_address NOT LIKE 'fc00:%'
 AND s.state != 'LISTEN'
 AND NOT (p.cmdline LIKE '%.com.flexibits.fantastical2.mac.helper' AND remote_port = 443)
 AND NOT (p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%' AND remote_port = 443)
@@ -22,6 +23,7 @@ AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Ch
 AND NOT (p.name IN ('Mail','thunderbird','Spark') AND remote_port IN (443,993))
 AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (443,8009,4070,32211))
 AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
+AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
 AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6)
 AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
 AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
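Review bot: `NOT LIKE 'fc00:%'` in the first hunk excludes only addresses whose text begins with exactly `fc00:`, not the fc00::/7 unique-local block the line presumably targets; real-world ULAs are almost always drawn from fd00::/8 (the locally-assigned half, e.g. a `fd7a:…` Tailscale prefix), which this pattern never matches, so those peers keep alerting while the row gives a false sense of coverage. If RFC 4193 ULA is the intent, cover the whole /7 with two prefixes, `AND s.remote_address NOT LIKE 'fc%'` and `AND s.remote_address NOT LIKE 'fd%'`, and add a trailing `-- RFC 4193 unique-local (fc00::/7)` so the intent survives review; osquery appears to render IPv6 in lowercase here, but confirm on a live row before dropping the upper-case case. The surrounding WHERE clause starts before this hunk.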
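Review bot: The new `systemd-resolve` row in the second hunk allows any UDP/53 egress from a process merely named `systemd-resolve`; a process name is chosen by whoever launches the binary, so a DNS-tunnelling tool renamed to match is allowlisted outright by the one rule that would have caught it. The listener rule in this same commit already pairs this name with `p.cwd='/'`, and `p.path` is available in this query too, so anchor the row: `AND NOT (p.name='systemd-resolve' AND p.path='/usr/lib/systemd/systemd-resolved' AND remote_port=53 AND protocol=17)` — the install path varies by distro, so confirm against your fleet or fall back to `p.path LIKE '%/systemd-resolved'`. The adjacent `coredns` row has the same weakness but predates this change. The enclosing WHERE clause starts before this hunk.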
@@ -37,7 +39,7 @@ AND NOT (p.path LIKE '%/NetworkManager' AND remote_port = 67)
 AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
 AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
-AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND p.cwd='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc' AND remote_port=>1024 AND protocol=17)
+AND NOT (p.path='/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking' AND remote_port>1023 AND protocol=17)
 AND NOT (p.path='/System/Library/PrivateFrameworks/ApplePushService.framework/apsd' AND p.cwd='/' AND remote_port=5223 AND protocol=6)
 AND NOT (p.path='/usr/local/libexec/ReceiverHelper.app/Contents/MacOS/ReceiverHelper' AND p.cwd='/' AND remote_port=443 AND protocol=6)
 AND NOT (remote_port = 443 AND protocol IN (6,17) AND p.path = '/usr/sbin/mDNSResponder')
@@ -50,6 +52,8 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
 'ko',
 'kubectl',
 'k9s',
+ 'terraform',
+ 'steam_osx',
 'slack',
 'Slack Helper',
 'Slack',
@@ -61,4 +65,6 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
 'htop'
 )
 )
+AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
+
diff --git a/unexpectedly-high-readers.sql b/unexpectedly-high-readers.sql
index 1623c8b..8576076 100644
--- a/unexpectedly-high-readers.sql
+++ b/unexpectedly-high-readers.sql
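Review bot: The new `p.name LIKE 'terraform-provider-%'` row in the last hunk allowlists TCP/443 egress for every process whose name merely starts with that prefix, and a process name is set by whoever launches the binary, so this is a wide and cheap bypass of the rule rather than a narrow exception. Provider plugins are executed from a known directory layout, so tie the exclusion to the location as well, e.g. `AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%' AND p.path LIKE '%/.terraform/providers/%')`, adding the plugin-cache directory (`%/.terraform.d/plugin-cache/%`) if your fleet uses one — confirm both against real rows before shipping. The hunk also appears to append an empty `+` line at end of file, which is noise in an otherwise tidy patch. The WHERE clause this row extends starts before the hunk.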
@@ -12,6 +12,7 @@ AND NOT (name='gopls' AND path LIKE '/home/%/gopls/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/bin/gopls')
 AND NOT (name='gopls' AND path LIKE '/Users/%/gopls/gopls')
 AND NOT (name='go' AND cmdline LIKE 'go run %')
+AND NOT (name='terraform-ls' AND cmdline LIKE 'terraform-ls serve%')
 AND NOT (name='kernel_task' AND path='' AND parent IN (0,1) AND on_disk=-1)
 AND NOT (name='launcher' AND path='/usr/local/kolide-k2/bin/launcher-updates/1659471464/launcher')
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
diff --git a/unexpectedly-high-writers.sql b/unexpectedly-high-writers.sql
index be58f6a..47cd7d2 100644
--- a/unexpectedly-high-writers.sql
+++ b/unexpectedly-high-writers.sql
@@ -13,7 +13,7 @@ AND NOT (name='launchd' AND path='/sbin/launchd' aND parent=0)
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
 AND NOT (name='oahd' AND path='/usr/libexec/rosetta/oahd')
 AND NOT (name='systemd' AND path='/usr/lib/systemd/systemd')
-AND NOT name IN ('firefox','gopls')
+AND NOT name IN ('firefox','gopls','containerd')
 AND path NOT LIKE '/Applications/%.app/Contents/%'
 AND path NOT LIKE '/System/Applications/%'
 AND path NOT LIKE '/System/Library/%'
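Review bot: The new `terraform-ls` row in the first hunk matches `cmdline LIKE 'terraform-ls serve%'` with no leading wildcard, so it only fires when argv[0] is the bare name; editors that spawn the language server usually do so by absolute path (`/Users/…/terraform-ls serve …`), in which case the exclusion never applies and the alert keeps firing. Since `name='terraform-ls'` already pins the binary name, the `cmdline` check only needs to confirm the subcommand: `AND NOT (name='terraform-ls' AND cmdline LIKE '%terraform-ls serve%')` — verify against a real row from a VS Code or Neovim host, as the exact invocation is inferred here. The enclosing WHERE clause starts before this hunk.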
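Review bot: Adding `containerd` to the bare `name IN (...)` list in the second hunk removes a root daemon from the high-writers rule with no `path` anchor, while the neighbouring `oahd` and `systemd` rows each pin the binary location; any process that calls itself `containerd`, wherever it lives on disk, now gets unlimited write volume without an alert. Give it its own row in the file's existing style, e.g. `AND NOT (name='containerd' AND path IN ('/usr/bin/containerd','/usr/local/bin/containerd'))`, trimming the list to the paths your distributions actually install. `firefox` and `gopls` in the same list have the same weakness but predate this change. The WHERE clause runs past both edges of the hunk.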