fpr, refactor minimal-socket-client-macos
This commit is contained in:
parent
a46fa30676
commit
f038dc7557
@ -186,7 +186,6 @@ WHERE
|
||||
'500,istioctl,istioctl,500u,20g',
|
||||
'500,istioctl,istioctl,,a.out',
|
||||
'500,java,java,0u,0g',
|
||||
'500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer',
|
||||
'500,log-streaming,log-streaming,500u,80g',
|
||||
'500,.man-wrapped,.man-wrapped,0u,500g',
|
||||
'500,nami,nami,0u,0g',
|
||||
@ -211,6 +210,8 @@ WHERE
|
||||
)
|
||||
AND NOT s.authority IN (
|
||||
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
|
||||
'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||
'Developer ID Application: Autodesk (XXKJ396S2Y)',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
||||
'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
|
||||
'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
|
||||
|
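Review bot: Adding `'Developer ID Application: Autodesk (XXKJ396S2Y)'` to the `s.authority NOT IN (...)` list exempts every binary signed with that Team ID, whereas the entry it appears to replace (`'500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer'`, the one line the first hunk drops by its 7-to-6 count, if I read the rendered diff correctly) limited the exemption to one process name under uid 500. If the goal is only to silence the `streamer` alert, the per-process key is the narrower and safer control; if the whole signer is trusted, state that next to the entry, e.g. `-- Autodesk: streamer and its helper processes`. The new entry also sits between AMZN and Adobe, breaking the alphabetical order the rest of the list appears to follow, which makes duplicates harder to spot later. The enclosing `WHERE` starts and ends outside these hunks, so I cannot see whether `s.signed` or certificate validity is checked alongside the authority string.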
@ -79,6 +79,7 @@ WHERE pos.pid IN (
|
||||
AND state != 'LISTEN'
|
||||
) -- Ignore most common application paths
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'
|
||||
AND p0.path NOT LIKE '/Applications/%.app/Contents/Resources/%'
|
||||
AND p0.path NOT LIKE '/Library/Apple/%'
|
||||
AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
|
||||
@ -92,7 +93,8 @@ WHERE pos.pid IN (
|
||||
'0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
|
||||
'500,Apple Mac OS Application Signing',
|
||||
'500,Developer ID Application: Cisco (DE8Y96K9QP)',
|
||||
'500,Developer ID Application: Google LLC (EQHXZ8M8AV)'
|
||||
'500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'500,Developer ID Application: Valve Corporation (MXGJJ98X76)'
|
||||
)
|
||||
AND NOT (
|
||||
unsigned_exception = '500,6,80,main,main'
|
||||
|
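Review bot: The added `AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'` is much wider than it looks, because `%` in SQLite `LIKE` also matches `/`: it excludes any executable under `/Applications` whose path contains `/Contents/` followed, at any depth, by a `/MacOS/` segment, e.g. `Foo.app/Contents/Resources/x/MacOS/payload`. If the intent is nested helper bundles, enumerate the layouts instead, e.g. `AND p0.path NOT LIKE '/Applications/%.app/Contents/Frameworks/%.app/Contents/MacOS/%'` and `AND p0.path NOT LIKE '/Applications/%.app/Contents/Helpers/%.app/Contents/MacOS/%'`, or add a comment saying the broad wildcard is deliberate. The second hunk's `'500,Developer ID Application: Valve Corporation (MXGJJ98X76)'` entry depends on the comma added after the Google entry, which is correct as written. Both hunks sit inside a `WHERE` that begins and ends outside them.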
@ -224,7 +224,8 @@ WHERE
|
||||
AND NOT homepath LIKE '~/Library/%/%.sqlite-wal'
|
||||
AND NOT homepath LIKE '~/Library/%/%.db'
|
||||
AND NOT homepath LIKE '~/Library/%/%.db-wal'
|
||||
AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework'
|
||||
AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework%'
|
||||
AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Contents/MacOS'
|
||||
AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
|
||||
AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
|
||||
AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
|
||||
|
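Review bot: The trailing `%` on `'/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework%'` matches every directory beneath the framework (and any sibling whose name merely starts with `Sparkle.framework`), so the second added line `'.../org.sparkle-project.Sparkle/%/Contents/MacOS'` only adds coverage for bundles that live outside `Sparkle.framework`; if that is the layout being handled, a comment such as `-- Sparkle update cache: framework tree plus standalone updater bundles` would save the next reader from re-deriving it. Because both patterns are on `f.directory` and `%` crosses `/`, anything written anywhere under root's Sparkle cache with a `Contents/MacOS` directory is now excluded; anchoring the second pattern on the bundle name, `%.app/Contents/MacOS`, would narrow it if the bundle name is known. The enclosing `WHERE` starts and ends outside this hunk.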
@ -61,6 +61,7 @@ WHERE -- Focus on longer-running programs
|
||||
AND NOT path LIKE '/Users/%/dev/%'
|
||||
AND NOT path LIKE '/Users/%/src/%'
|
||||
AND NOT path LIKE '/Users/%/bin/%'
|
||||
AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
|
||||
AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
|
||||
AND NOT path LIKE '/Users/%/.terraform/providers/%'
|
||||
AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
|
||||
@ -85,6 +86,7 @@ WHERE -- Focus on longer-running programs
|
||||
'500,sdzoomplugin,,',
|
||||
'500,sdaudioswitch,,',
|
||||
'500,gopls,a.out,',
|
||||
'500,sdmicmute,sdmicmute,',
|
||||
'500,sdaudioswitch,sdaudioswitch,'
|
||||
)
|
||||
AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
|
||||
|
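Review bot: `AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'` excludes, by path alone, a directory the logged-in user can write to, so any binary dropped there by user-level code is never reported by this query. The file already tolerates user-writable paths (`~/dev`, `~/src`, `~/bin` just above), so this may be an accepted trade-off, but it deserves saying so in place, e.g. `-- Stream Deck plugins are unsigned, user-writable binaries; accepted risk`. With that path exclusion in place, the `'500,sdmicmute,sdmicmute,'` key added in the second hunk looks redundant if sdmicmute is installed under that Plugins directory; worth confirming which of the two is actually doing the work so the other can be dropped. Both hunks are inside a `WHERE` that starts and ends outside them.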
@ -115,6 +115,7 @@ WHERE
|
||||
'32768,6,500,Chromium',
|
||||
'32768,6,500,Code Helper (Plugin)',
|
||||
'24024,17,500,MTGA',
|
||||
'32768,6,500,Python',
|
||||
'32768,17,499,viscosity_openvpn',
|
||||
'1,1,500,ping'
|
||||
)
|
||||
|
@ -40,26 +40,74 @@ FROM processes p
|
||||
LEFT JOIN signature s ON p.path = s.path
|
||||
WHERE p.pid IN (
|
||||
SELECT processes.pid
|
||||
FROM processes
|
||||
JOIN process_open_sockets ON processes.pid = process_open_sockets.pid
|
||||
AND family != 1
|
||||
FROM process_open_sockets
|
||||
JOIN processes ON process_open_sockets.pid = processes.pid
|
||||
AND family != 1 -- The outer query is slow due to the use of process_memory_map, so narrow down our choices here
|
||||
WHERE processes.path NOT LIKE '/System/%'
|
||||
AND processes.path NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'
|
||||
AND processes.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
|
||||
AND processes.path NOT LIKE '/Library/Apple/%'
|
||||
AND processes.path NOT LIKE '/nix/store/%/bin/nix'
|
||||
AND processes.path NOT LIKE '/opt/%/bin/%'
|
||||
AND processes.path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
|
||||
AND processes.path NOT LIKE '/sbin/%'
|
||||
AND processes.path NOT LIKE '/usr/bin/%'
|
||||
AND processes.path NOT LIKE '/usr/libexec/%'
|
||||
AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
|
||||
AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
|
||||
AND processes.path NOT LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%.app/Contents/MacOS/%'
|
||||
AND processes.path NOT LIKE '/usr/sbin/%'
|
||||
AND processes.path NOT LIKE '/Library/Elastic/Agent/data/%'
|
||||
AND NOT (
|
||||
processes.euid >= 500
|
||||
AND (
|
||||
processes.path LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'
|
||||
OR processes.path LIKE '/Applications/%.app/Contents/MacOS/%'
|
||||
OR processes.path LIKE '/nix/store/%/bin/nix'
|
||||
OR processes.path LIKE '/opt/%/bin/%'
|
||||
OR processes.path LIKE '/Users/%/go/bin/%'
|
||||
OR processes.path LIKE '/Users/%/Library/Application Support/Figma/FigmaAgent.app/Contents/MacOS/figma_agent'
|
||||
OR processes.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
|
||||
OR processes.path LIKE '/Users/%/Applications/zoom.us.app/Contents/MacOS/zoom.us'
|
||||
OR processes.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/%'
|
||||
OR processes.path LIKE '/private/var/folders/%/X/com.google.Chrome.code_sign_clone/code_sign_clone%'
|
||||
OR processes.path IN (
|
||||
'/Applications/Elgato Stream Deck.app/Contents/Helpers/node20',
|
||||
'/Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv',
|
||||
'/Applications/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater',
|
||||
'/Applications/AirBuddy.app/Contents/Library/LoginItems/AirBuddyHelper.app/Contents/XPCServices/MobileDevicesService.xpc/Contents/MacOS/MobileDevicesService',
|
||||
'/Applications/Ollama.app/Contents/Resources/ollama',
|
||||
'/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl.ventura',
|
||||
'/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/qemu-system-aarch64',
|
||||
'/Applications/Syncthing.app/Contents/Resources/syncthing/syncthing',
|
||||
'/Library/Application Support/Adobe/Adobe Desktop Common/IPCBox/AdobeIPCBroker.app/Contents/MacOS/AdobeIPCBroker',
|
||||
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS/Kandji Menu',
|
||||
'/Applications/Google Drive.app/Contents/Applications/FinderHelper.app/Contents/PlugIns/FinderSyncExtension.appex/Contents/MacOS/FinderSyncExtension',
|
||||
'/Applications/Google Drive.app/Contents/PlugIns/DFSFileProviderExtension.appex/Contents/MacOS/DFSFileProviderExtension',
|
||||
'/Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/MacOS/Adobe Desktop Service',
|
||||
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater',
|
||||
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',
|
||||
'/Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver',
|
||||
'/Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python',
|
||||
'/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon',
|
||||
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
|
||||
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
|
||||
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
|
||||
'/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome',
|
||||
'/Applications/Loom.app/Contents/Resources/binaries/loom-recorder-production',
|
||||
'/Volumes/Slack/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
|
||||
'/usr/local/bin/node'
|
||||
)
|
||||
)
|
||||
) -- uid0-499 exceptions
|
||||
AND NOT processes.path IN (
|
||||
'/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon',
|
||||
'/Library/safeqclientcore/bin/safeqclientcore',
|
||||
'/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd',
|
||||
'/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint',
|
||||
'/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',
|
||||
'/usr/local/sbin/velociraptor'
|
||||
)
|
||||
AND processes.start_time < (strftime('%s', 'now') -600)
|
||||
GROUP BY processes.path
|
||||
GROUP BY processes.path
|
||||
)
|
||||
AND NOT exception_key = '500,Steam Helper,~/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam HelperDeveloper ID Application: Valve Corporation (MXGJJ98X76)'
|
||||
AND pmm.path LIKE "%.dylib"
|
||||
|
||||
GROUP BY pos.pid
|
||||
HAVING lib_count IN (1, 2)
|
||||
AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib'
|
||||
|
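Review bot: Several entries in the new `processes.euid >= 500` exemption block are bare path matches for binaries the user controls, most notably `'/usr/local/bin/node'`, `'/Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python'`, `'/Users/%/go/bin/%'`, and the `/Volumes/Google Chrome/...` and `/Volumes/Slack/...` paths: a generic interpreter inherits the exemption for anything it runs, and a mounted disk image can be given whatever volume name an attacker likes. Since the outer query already does `LEFT JOIN signature s ON p.path = s.path`, those cases would be safer as signer-keyed exemptions in the outer `WHERE` (as the other queries in this commit do with `'500,Developer ID Application: ...'` keys) rather than as path-only exclusions inside the pid subquery, which joins no signature data. Separately, the literal `'500,Steam Helper,~/Library/Application Support/Steam/.../Contents/MacOS/Steam HelperDeveloper ID Application: Valve Corporation (MXGJJ98X76)'` has no separator between the path and the authority; if `exception_key` is built by plain concatenation that is correct, but it reads like a missing comma and should be checked against the key's definition, which is above this hunk. `AND pmm.path LIKE "%.dylib"` uses double quotes, which SQLite only accepts as a string-literal fallback when no such identifier exists; write it as `AND pmm.path LIKE '%.dylib'` for consistency with every other literal in the file. The enclosing `SELECT` begins above the hunk.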