From 7219f64571f8a7b09e70d5109ed5d43090fbf213 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Thu, 7 Nov 2024 17:11:45 -0500
Subject: [PATCH 1/2] FPR: containerd, cupsd, etc
---
 detection/c2/unexpected-talkers-linux.sql | 1 +
 detection/persistence/unexpected-uid0-daemon-linux.sql | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 459491a..256d8de 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -83,6 +83,7 @@ WHERE protocol > 0 ) AND NOT exception_key IN (
 '123,17,500,chronyd,0u,0g,chronyd',
+ '123,17,473,chronyd,0u,0g,chronyd',
 '19305,6,500,msedge,0u,0g,msedge',
 '4070,6,500,spotify,u,g,spotify',
 '49152,6,500,ContinuityCaptureAgent,Software Signing',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index d6b0dcb..ce7ce5c 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -114,6 +114,7 @@ WHERE
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
 'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
 'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
+ 'containerd,/usr/sbin/containerd,0,system.slice,docker.service,0755',
 'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
 'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
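Review bot: The added `'123,17,473,chronyd,0u,0g,chronyd'` key differs from the existing chronyd entry only in its third field (473 instead of 500) and nothing records why that value appears, so a later cleanup cannot tell whether the exception is still needed; I would annotate it inline, e.g. `'123,17,473,chronyd,0u,0g,chronyd', -- chrony service uid on <distro>, TODO confirm`. If that field is a uid and the only identity fields in the key are the process and parent names (the key is assembled outside this hunk, so this is unverified), any process named chronyd sending UDP/123 under that uid is now allowlisted, and it is worth checking whether the key can carry a path or signer the way the `Software Signing` entries below do. The enclosing WHERE clause begins and ends outside the hunk.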
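Review bot: The new `/usr/sbin/containerd` key is paired only with docker.service, while the `/usr/bin/containerd` path two lines above is allowed under both containerd.service and docker.service. If the distribution that installs the binary under /usr/sbin also starts it from its own unit (not verifiable from this hunk), hosts running containerd without Docker will keep alerting and the matching `'containerd,/usr/sbin/containerd,0,system.slice,containerd.service,0755',` will be needed; either add it now or record the distro this entry was observed on in a trailing `--` comment so the gap is deliberate. The list belongs to a WHERE clause that starts and ends outside the hunk.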
@@ -122,6 +123,7 @@ WHERE
 'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
 'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
+ 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
@@ -165,6 +167,7 @@ WHERE
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
+ 'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755'
 'geoclue.service,Location Lookup Service,geoclue,500',
 'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
@@ -260,6 +263,7 @@ WHERE
 'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
 'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
 'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
+ 'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
 'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
 'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
 'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
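Review bot: The `qemu-ga` entry is inserted after `qualys-cloud-ag`, which breaks the alphabetical order the neighbouring entries follow (pwrstatd, python3, qualys-cloud-ag, rapid7_endpoint); move it between the python3 and qualys-cloud-ag lines so duplicates stay easy to spot. It also deserves a trailing comment, because the unit name shows this is the QEMU guest agent, which, where the hypervisor side enables its exec facility, is a root-level command channel from the host into the guest and not just another idle daemon: `'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755', -- QEMU guest agent: host-initiated command execution as root`. The enclosing WHERE clause continues outside the hunk.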
@@ -328,6 +332,7 @@ WHERE
 'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
 'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
 'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
+ 'upowerd,/usr/libexec/upower/upowerd,0,system.slice,upower.service,0755',
 'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
 'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
 '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
From f9ae1fe921480df0e8c84745061865bc16bf7798 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Thu, 7 Nov 2024 17:19:13 -0500
Subject: [PATCH 2/2] Update unexpected-uid0-daemon-linux.sql fixed syntax error
Signed-off-by: Dave Smith
---
 detection/persistence/unexpected-uid0-daemon-linux.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index ce7ce5c..5b211c9 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -167,7 +167,7 @@ WHERE
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
- 'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755'
+ 'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
 'geoclue.service,Location Lookup Service,geoclue,500',
 'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
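Review bot: The restored comma is right, but the failure mode it fixes is worth guarding against: a missing separator in this IN list does not just drop one entry, it makes the whole statement unparseable in most engines (in a few, adjacent literals concatenate into one bogus key), so the detection silently stops firing on every host, and nothing in this commit would catch the next one. A CI step that parses each detection file before merge (e.g. `sqlfluff lint` with the target dialect, or a dry run through whatever engine executes these queries) would turn that silent outage into a failed build. The enclosing WHERE clause starts and ends outside the hunk.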