fpr: aws-sdk, melange, Tailscale, Xprotect, etc
This commit is contained in:
parent
6d05dbc2da
commit
f25cfe1399
@ -93,13 +93,13 @@ WHERE
|
||||
AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
|
||||
AND p.name != 'nessusd'
|
||||
-- Local DNS servers and custom clients go here
|
||||
-- Electron apps
|
||||
AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
|
||||
AND p.path NOT IN (
|
||||
'/usr/lib/systemd/systemd-resolved',
|
||||
'/Library/Nessus/run/sbin/nessusd',
|
||||
'/usr/bin/apko',
|
||||
'/opt/google/chrome/chrome',
|
||||
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
|
||||
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper'
|
||||
'/usr/bin/apko',
|
||||
'/usr/lib/systemd/systemd-resolved'
|
||||
)
|
||||
-- Chromium apps can send stray DNS packets
|
||||
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
|
||||
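Review bot: `AND p.name != 'nessusd'` exempts by process name alone, which any binary can adopt, while `'/Library/Nessus/run/sbin/nessusd'` in the `p.path NOT IN (...)` list already covers the real scanner, so the name-only line adds nothing but a gap and should be dropped. `AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'` likewise waives every bundle whose helper binary ends in ` Helper`, so an unsigned drop-in bundle gets the same pass as Slack or Spotify; if this query has a signature column available, pairing that pattern with an authority check keeps the Electron noise out without the gap. `'/usr/bin/apko'` and `'/usr/lib/systemd/systemd-resolved'` each appear twice in this rendering, presumably as moved lines; confirm only one copy survives on the new side.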
|
@ -71,6 +71,7 @@ WHERE
|
||||
'0,kmod,0u,0g,depmod',
|
||||
'0,launcher,0u,0g,launcher',
|
||||
'0,launcher,500u,500g,launcher',
|
||||
'0,ldconfig,0u,0g,ldconfig',
|
||||
'0,nessusd,0u,0g,nessusd',
|
||||
'0,nix,0u,0g,nix',
|
||||
'0,nix,0u,0g,nix-daemon',
|
||||
@ -91,12 +92,12 @@ WHERE
|
||||
'106,geoclue,0u,0g,geoclue',
|
||||
'500,1password,0u,0g,1password',
|
||||
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
||||
'500,act,0u,0g,act',
|
||||
'500,apk,500u,500g,apk',
|
||||
'500,apko,u,g,apko',
|
||||
'500,apk,u,g,apk',
|
||||
'500,aws,0u,0g,aws',
|
||||
'500,bom,500u,500g,bom',
|
||||
'500,act,0u,0g,act',
|
||||
'500,Brackets,0u,0g,Brackets',
|
||||
'500,brave,0u,0g,brave',
|
||||
'500,buildkitd,500u,500g,buildkitd',
|
||||
@ -128,11 +129,13 @@ WHERE
|
||||
'500,flameshot,0u,0g,flameshot',
|
||||
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
|
||||
'500,geoclue,0u,0g,geoclue',
|
||||
'500,gh,0u,0g,gh',
|
||||
'500,git,0u,0g,git',
|
||||
'500,git-remote-http,0u,0g,git-remote-http',
|
||||
'500,gitsign,0u,0g,gitsign',
|
||||
'500,gitsign,500u,0g,gitsign',
|
||||
'500,gitsign,500u,500g,gitsign',
|
||||
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
|
||||
'500,gjs-console,0u,0g,org.gnome.Maps',
|
||||
'500,gnome-recipes,0u,0g,gnome-recipes',
|
||||
'500,gnome-shell,0u,0g,gnome-shell',
|
||||
@ -160,10 +163,12 @@ WHERE
|
||||
'500,Keybase,0u,0g,Keybase',
|
||||
'500,ko,500u,500g,ko',
|
||||
'500,ko,u,g,ko',
|
||||
'500,kpromo,500u,500g,kpromo',
|
||||
'500,krel,500u,500g,krel',
|
||||
'500,kubectl,0u,0g,kubectl',
|
||||
'500,kubectl,500u,500g,kubectl',
|
||||
'500,lens,0u,0g,lens',
|
||||
'500,limactl,0u,0g,limactl',
|
||||
'500,mconvert,500u,500g,mconvert',
|
||||
'500,melange,u,g,melange',
|
||||
'500,Melvor Idle,500u,500g,exe',
|
||||
@ -175,10 +180,11 @@ WHERE
|
||||
'500,node,0u,0g,.node2nix-wrapp',
|
||||
'500,node,u,g,node',
|
||||
'500,obs,0u,0g,obs',
|
||||
'500,obs,u,g,obs',
|
||||
'500,obs-browser-page,0u,0g,obs-browser-pag',
|
||||
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
|
||||
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
|
||||
'500,obsidian,u,g,obsidian',
|
||||
'500,obs,u,g,obs',
|
||||
'500,pacman,0u,0g,pacman',
|
||||
'500,php8.1,0u,0g,php',
|
||||
'500,promoter,500u,500g,promoter',
|
||||
@ -190,17 +196,16 @@ WHERE
|
||||
'500,python3.11,0u,0g,protonvpn',
|
||||
'500,python3.11,0u,0g,prowler',
|
||||
'500,python3,500u,500g,python3',
|
||||
'500,python.test,500u,500g,python.test',
|
||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||
'500,reporter-ureport,0u,0g,reporter-urepor',
|
||||
'500,rpi-imager,0u,0g,rpi-imager',
|
||||
'500,rustup,0u,0g,rustup',
|
||||
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
|
||||
'500,scoville,500u,500g,scoville',
|
||||
'500,signal-desktop,0u,0g,signal-desktop',
|
||||
'500,kpromo,500u,500g,kpromo',
|
||||
'500,signal-desktop,u,g,signal-desktop',
|
||||
'500,slack,0u,0g,slack',
|
||||
'500,slack,u,g,slack',
|
||||
'500,python.test,500u,500g,python.test',
|
||||
'500,slirp4netns,500u,500g,slirp4netns',
|
||||
'500,snap-store,0u,0g,snap-store',
|
||||
'500,spotify,0u,0g,spotify',
|
||||
@ -208,7 +213,6 @@ WHERE
|
||||
'500,spotify,u,g,spotify',
|
||||
'500,steam,500u,100g,steam',
|
||||
'500,steam,500u,500g,steam',
|
||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||
'500,steamwebhelper,500u,100g,steamwebhelper',
|
||||
'500,steamwebhelper,500u,500g,steamwebhelper',
|
||||
'500,step,500u,500g,step',
|
||||
@ -219,13 +223,11 @@ WHERE
|
||||
'500,terraform,500u,500g,terraform',
|
||||
'500,thunderbird,0u,0g,thunderbird',
|
||||
'500,thunderbird,u,g,thunderbird',
|
||||
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
||||
'500,todoist,0u,0g,todoist',
|
||||
'500,trivy,0u,0g,trivy',
|
||||
'500,trivy,500u,500g,trivy',
|
||||
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
||||
'500,wget,0u,0g,wget',
|
||||
'500,limactl,0u,0g,limactl',
|
||||
'500,wolfictl,500u,500g,wolfictl',
|
||||
'500,WPILibInstaller,500u,500g,WPILibInstaller',
|
||||
'500,xmobar,0u,0g,xmobar',
|
||||
@ -258,5 +260,7 @@ WHERE
|
||||
-- Exclude processes running inside of containers
|
||||
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
|
||||
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
|
||||
-- Tests
|
||||
AND NOT p.path LIKE '/tmp/go-build%.test'
|
||||
GROUP BY
|
||||
p.cmdline
|
||||
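Review bot: `AND NOT p.path LIKE '/tmp/go-build%.test'` exempts any executable under the world-writable `/tmp` whose path starts with `go-build` and ends in `.test`, so a dropper at `/tmp/go-buildx/payload.test` is silently excused; the Go toolchain places test binaries at `/tmp/go-build<digits>/b<digits>/<pkg>.test`, so `'/tmp/go-build%/b%/%.test'` keeps the intended carve-out with much less room. The keys with empty `u`/`g` fields such as `'500,apko,u,g,apko'` and `'500,melange,u,g,melange'` presumably fire when the second identity in the key could not be read (parent already gone), which is also what an orphaned payload looks like, so a one-line comment on why those are acceptable would help. `'500,gitsign,500u,0g,gitsign'` pairs a 500 `u` value with a 0 `g` value, which is unusual enough to deserve a note naming where it was observed. Several entries (`'500,act,0u,0g,act'`, `'500,obs,u,g,obs'`, `'500,python.test,500u,500g,python.test'`, `'500,qemu-system-x86_64,0u,0g,qemu-system-x86'`) appear twice here, presumably as moved lines; verify the new side carries each once.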
|
@ -122,6 +122,7 @@ WHERE
|
||||
'80,6,0,bash,0u,0g,update-ca-trust',
|
||||
'80,6,0,cp,0u,0g,cp',
|
||||
'80,6,0,fc-cache,0u,0g,fc-cache',
|
||||
'500,syft,0u,0g,syft',
|
||||
'80,6,0,find,0u,0g,find',
|
||||
'80,6,0,gawk,0u,0g,awk',
|
||||
'80,6,0,gpg,0u,0g,gpg',
|
||||
@ -132,6 +133,7 @@ WHERE
|
||||
'80,6,0,packagekitd,0u,0g,packagekitd',
|
||||
'80,6,0,pacman,0u,0g,pacman',
|
||||
'80,6,0,python3.10,0u,0g,dnf',
|
||||
'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',
|
||||
'80,6,0,python3.10,0u,0g,dnf-automatic',
|
||||
'80,6,0,python3.10,0u,0g,yum',
|
||||
'80,6,0,python3.11,0u,0g,dnf',
|
||||
@ -170,11 +172,15 @@ WHERE
|
||||
'80,6,500,steam,500u,100g,steam',
|
||||
'80,6,500,steam,500u,500g,steam',
|
||||
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
|
||||
'80,6,500,python3.11,0u,0g,dnf',
|
||||
'80,6,500,terraform,500u,500g,terraform',
|
||||
'80,6,500,thunderbird,0u,0g,thunderbird',
|
||||
'80,6,500,thunderbird,u,g,thunderbird',
|
||||
'587,6,500,thunderbird,u,g,thunderbird',
|
||||
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
||||
'80,6,500,zoom,0u,0g,zoom',
|
||||
'80,6,500,zoom.real,u,g,zoom.real',
|
||||
'9418,6,500,git,0u,0g,git',
|
||||
'8080,6,500,brave,0u,0g,brave',
|
||||
'8080,6,500,chrome,0u,0g,chrome',
|
||||
'8080,6,500,firefox,0u,0g,firefox',
|
||||
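Review bot: `'500,syft,0u,0g,syft'` has five comma-separated fields where every other key in this list has seven (`port,proto,uid,name,euid,egid,basename`, going by `'80,6,0,bash,0u,0g,update-ca-trust'`), so it can never equal an `exception_key` built for this query and looks pasted from the process-list query; it needs the observed port and protocol in front, e.g. `'443,6,500,syft,0u,0g,syft'` if that is what fired. `'9418,6,500,git,0u,0g,git'` waives the plaintext `git://` protocol, which carries no transport integrity; acceptable on a dev host, but a short comment saying which remote needs it would help the next reader. `'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer'` and `'9418,...'` are also filed out of sort order. The `IN (` list opens before the first hunk.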
|
@ -181,6 +181,7 @@ WHERE
|
||||
'443,6,500,apko,a.out,',
|
||||
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
|
||||
'443,6,0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
|
||||
'443,6,500,bash,bash,',
|
||||
'443,6,500,BlockBlock Installer,com.objective-see.blockblock.installer,Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
|
||||
'443,6,500,bom,,',
|
||||
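Review bot: the two `aws` keys differ only in the hash prefix of the signing identifier (`37c466-aws`, `e956a0-aws`), which changes with every build of the AWS CLI, so this list will need another entry per release; since the authority `Developer ID Application: AMZN Mobile LLC (94KV3E626L)` is the part that actually vouches for the binary, a pattern that keeps the authority pinned, `AND NOT exception_key LIKE '443,6,500,aws,%-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)'`, is both stable and no looser. The `IN (` list this sits in opens before the hunk.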
|
@ -141,6 +141,7 @@ WHERE
|
||||
'rustup',
|
||||
'slack',
|
||||
'snyk',
|
||||
'snyk-macos',
|
||||
'spotify',
|
||||
'staticcheck',
|
||||
'steam',
|
||||
|
@ -101,6 +101,7 @@ WHERE
|
||||
'netstat,500,IPNExtension,launchd',
|
||||
'pfctl,0,pia-daemon,launchd',
|
||||
'ifconfig,500,zsh,stable',
|
||||
'netstat,0,io.tailscale.ipn.macsys.network-extension,launchd',
|
||||
'ifconfig,0,pia-openvpn,pia-daemon',
|
||||
'ifconfig,0,pia-openvpn,pia-daemon',
|
||||
'ifconfig,0,pia-daemon,launchd',
|
||||
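Review bot: `'ifconfig,0,pia-openvpn,pia-daemon'` appears twice in this hunk; both copies read as plain list entries, so unless one is the removed side of a move, the new list carries a duplicate and one should go. `'ifconfig,500,zsh,stable'` keys on a user shell whose parent is merely named `stable` (presumably a terminal emulator's binary), so it covers any `ifconfig` typed interactively in that terminal; a comment naming the application would make the entry reviewable later. The `IN (` list opens before the hunk.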
|
@ -34,32 +34,33 @@ WHERE
|
||||
AND p.parent NOT IN (0, 2)
|
||||
AND NOT p.path IS NULL
|
||||
AND p.name NOT IN (
|
||||
'1Password-Keyri',
|
||||
'applydeltarpm',
|
||||
'bwrap',
|
||||
'crond',
|
||||
'cupsd',
|
||||
'dhcpcd',
|
||||
'1Password-Keyri',
|
||||
'modprobe',
|
||||
'dnf',
|
||||
'gdm-x-session',
|
||||
'systemd-udevd',
|
||||
'gdm-session-wor',
|
||||
'systemd-userwor',
|
||||
'osqueryi',
|
||||
'fprintd',
|
||||
'gdm-session-wor',
|
||||
'gdm-x-session',
|
||||
'gpg-agent',
|
||||
'modprobe',
|
||||
'nginx',
|
||||
'osqueryi',
|
||||
'realmd',
|
||||
'sedispatch',
|
||||
'ssh',
|
||||
'sshd',
|
||||
'sudo',
|
||||
'systemd',
|
||||
'gpg-agent',
|
||||
'systemd-udevd',
|
||||
'systemd-userdbd',
|
||||
'nginx',
|
||||
'sshd',
|
||||
'systemd-userwor',
|
||||
'zfs',
|
||||
'ssh',
|
||||
'sedispatch',
|
||||
'zypak-sandbox'
|
||||
)
|
||||
AND NOT pp.name IN ('systemd-userdbd', 'crond')
|
||||
AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')
|
||||
AND NOT (
|
||||
p.name LIKE 'systemd-%'
|
||||
AND p.parent = 1
|
||||
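Review bot: adding `'systemd'` to `AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')` exempts every process whose parent is merely named systemd, which on a systemd host means every system service and every child of a `systemd --user` session, and a name check cannot tell `/usr/lib/systemd/systemd` from an attacker's binary called `systemd`. The query already has a narrower carve-out in the `AND NOT (p.name LIKE 'systemd-%' AND p.parent = 1 ...)` group that follows, so prefer pinning the parent's identity instead, e.g. `AND NOT (pp.name = 'systemd' AND pp.path = '/usr/lib/systemd/systemd')`. That `AND NOT (` group runs past the end of the hunk. The `p.name NOT IN` list shows several names twice (`'1Password-Keyri'`, `'modprobe'`, `'gpg-agent'`, `'nginx'`, `'sshd'`, `'ssh'`, `'sedispatch'`), presumably old and new positions of a re-sort; confirm each survives once.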
|
@ -137,6 +137,8 @@ WHERE
|
||||
OR dir LIKE '~/%/.config/nvim'
|
||||
OR dir LIKE '~/dev/%/dots/%/.config%'
|
||||
OR dir LIKE '~/%/.git'
|
||||
OR dir LIKE '/private/tmp/%/.git'
|
||||
OR dir LIKE '/tmp/%/.git'
|
||||
OR dir LIKE '~/%/.github%'
|
||||
OR dir LIKE '~/%/.docker%'
|
||||
OR dir LIKE '~/%/.vercel%'
|
||||
|
@ -57,6 +57,7 @@ WHERE
|
||||
OR cmd LIKE '/opt/homebrew/Cellar/%'
|
||||
OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
|
||||
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
|
||||
OR p.path LIKE '/Users/%/homebrew/Cellar/%'
|
||||
OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
|
||||
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
|
||||
OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
|
||||
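Review bot: `OR p.path LIKE '/Users/%/node_modules/.pnpm/%'` exempts every executable under any user's pnpm store, which is exactly where a malicious npm package's bundled binary or postinstall payload runs from, so this one line switches the query off for the most common supply-chain vector on developer machines; narrow it to the package that produced the false positive (e.g. `'/Users/%/node_modules/.pnpm/%/node_modules/<package>/bin/%'` with the real name filled in) and leave a comment naming it. `'/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'` pins the `zz` shard of `/var/folders`, while the parent-path pattern in the following hunk uses `/private/var/folders/%/T/...`; if the `zz` pin is deliberate (root's sandbox only), say so in a comment, otherwise align the two. The `OR` chain continues outside the hunk.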
|
@ -70,7 +70,10 @@ WHERE
|
||||
AND pp.path NOT LIKE '/opt/homebrew/Cellar/%'
|
||||
AND pp.path NOT LIKE '%google-cloud-sdk/.install/.backup%'
|
||||
AND pp.path NOT LIKE '/private/var/folders/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
|
||||
AND pp.path != ""
|
||||
AND pp.path != "/sbin/launchd"
|
||||
AND pp.path NOT IN (
|
||||
"",
|
||||
"/sbin/launchd",
|
||||
"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)"
|
||||
)
|
||||
AND pp.on_disk != 1
|
||||
);
|
||||
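Review bot: the new `pp.path NOT IN ("", "/sbin/launchd", "...Code Helper (Plugin)")` uses double-quoted strings; SQLite reads a double-quoted token as an identifier first and only falls back to a string literal when no such column exists (a legacy behaviour that builds can disable), and every other literal in these queries is single-quoted, so `'', '/sbin/launchd', '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)'` is the safer spelling. Waiving the plugin helper by full path inside a group whose last condition is `pp.on_disk != 1` is reasonable, but a comment on why VS Code's plugin host shows up with its binary off disk (replaced during an update, presumably) would save the next reader a lookup. The `AND NOT (` group this closes opens before the hunk.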
|
@ -67,6 +67,7 @@ WHERE
|
||||
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
|
||||
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
|
||||
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
|
||||
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
|
||||
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
|
||||
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
|
||||
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
|
||||
@ -86,6 +87,7 @@ WHERE
|
||||
AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
|
||||
AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
|
||||
AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
|
||||
AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
|
||||
AND NOT (
|
||||
signature.identifier LIKE 'cargo-%'
|
||||
AND ae.path LIKE '/Users/%/.rustup/%'
|
||||
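Review bot: the Tailscale key `'...,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0'` embeds the staging UUID macOS assigns when the extension is activated, which differs per machine and per reinstall, so this exact entry only silences one host; the neighbouring `exception_key LIKE` clauses already show the idiom, so `AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%/io.tailscale.ipn.macsys.network-extension.systemextension/,0'` keeps authority and identifier pinned while dropping the volatile part. The `IN (` list opens before the first hunk and the `AND NOT (` group at the bottom closes after the second.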
|
@ -191,6 +191,8 @@ WHERE
|
||||
AND NOT p0_cmd LIKE 'modprobe -ab%'
|
||||
AND NOT p0_cmd LIKE 'modprobe --all%'
|
||||
AND NOT p0_cmd LIKE '%modprobe aufs'
|
||||
AND NOT p0_cmd LIKE '%touch -r /tmp/cc%.o %'
|
||||
AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'
|
||||
AND NOT p0_cmd LIKE '%modprobe overlay'
|
||||
AND NOT p0_cmd LIKE '%modprobe nf_nat_netbios_ns'
|
||||
AND NOT p0_cmd LIKE '%modprobe -va%'
|
||||
@ -198,4 +200,5 @@ WHERE
|
||||
AND NOT p0_cmd LIKE 'tail /%history'
|
||||
AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.cpp'
|
||||
AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.h'
|
||||
AND NOT p0_name IN ('cc1', 'compile', 'cmake', 'cc1plus')
|
||||
AND NOT p0_name IN ('ar', 'cc1', 'compile', 'cmake', 'cc1plus')
|
||||
AND NOT exception_key IN ('bash,500,ninja,bash')
|
||||
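Review bot: `AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'` is anchored only on the right, so any command line that merely contains that substring is waived — a one-liner such as `sh -c 'curl … | sh; chmod -R 777 /app/x'` passes along with the container build step it was presumably added for; anchor it to what was actually observed (`'chmod -R 777 /app/%'` without the leading `%`, or the full command) and pair it with the parent name if that is stable. `'%touch -r /tmp/cc%.o %'` is the compiler's timestamp-copy idiom, but `touch -r` is also the textbook timestomping command, so a comment naming the toolchain that emits it is worth adding. Adding `'ar'` to `p0_name NOT IN ('ar', 'cc1', 'compile', 'cmake', 'cc1plus')` is consistent with the rest of that list. The `WHERE` these sit in starts before the first hunk.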
|
@ -147,7 +147,11 @@ WHERE
|
||||
) -- Things that could reasonably happen at boot.
|
||||
AND NOT (
|
||||
pe.path = '/usr/bin/mkfifo'
|
||||
AND p0_cmd LIKE '%/org.gpgtools.log.%/fifo'
|
||||
AND (
|
||||
p0_cmd LIKE '%/org.gpgtools.log.%/fifo'
|
||||
OR p0_cmd LIKE '/var/%/gitstatus.POWERLEVEL9K.%'
|
||||
OR p0_cmd LIKE '/var/%/p10k.worker.%'
|
||||
)
|
||||
)
|
||||
AND NOT (
|
||||
p0_cmd LIKE '%csrutil status'
|
||||
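Review bot: `p0_cmd LIKE '/var/%/gitstatus.POWERLEVEL9K.%'` and `'/var/%/p10k.worker.%'` let `%` span every level under `/var`, so a fifo created at `/var/tmp/p10k.worker.anything` is waived together with the real powerlevel10k ones, and `mkfifo` is the first step of the classic netcat reverse shell; if those names come from macOS `$TMPDIR` (`/var/folders/<xx>/<hash>/T/`), `'/var/folders/%/T/p10k.worker.%'` and `'/var/folders/%/T/gitstatus.POWERLEVEL9K.%'` match the same legitimate cases with far less surface. The `AND NOT (` group closes inside the hunk but the `WHERE` continues past it.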
|
@ -98,7 +98,8 @@ WHERE
|
||||
'se',
|
||||
'sh',
|
||||
'so',
|
||||
'uk'
|
||||
'uk',
|
||||
'us'
|
||||
)
|
||||
-- Or if it matches weird keywords we've seen
|
||||
OR p.cmdline LIKE '%chmod%'
|
||||
|
@ -123,6 +123,7 @@ WHERE
|
||||
'/Library/Application Support/GPGTools',
|
||||
'~/Library/Application Support/JetBrains',
|
||||
'~/Library/Caches/com.knollsoft.Rectangle',
|
||||
'~/Library/Application Support/zoom.us',
|
||||
'~/Library/Caches/com.mimestream.Mimestream',
|
||||
'~/Library/Caches/snyk',
|
||||
'/Library/Developer/CommandLineTools',
|
||||
@ -145,23 +146,25 @@ WHERE
|
||||
'~/code/bin',
|
||||
'~/Downloads/google-cloud-sdk/bin',
|
||||
'~/Downloads/protoc/bin',
|
||||
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
|
||||
'~/go/bin',
|
||||
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
|
||||
'~/Library/Application Support/dev.warp.Warp-Stable',
|
||||
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
|
||||
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
|
||||
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
|
||||
'/Library/DropboxHelperTools/Dropbox_u501',
|
||||
'/Library/Filesystems/kbfuse.fs/Contents/Resources',
|
||||
'/Library/Frameworks/Python.framework/Versions/3.10/bin',
|
||||
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
|
||||
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
|
||||
'/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
|
||||
'/Library/Printers/DYMO/Utilities',
|
||||
'/Library/PrivilegedHelperTools',
|
||||
'/Library/TeX/texbin',
|
||||
'~/.local/bin',
|
||||
'~/.magefile',
|
||||
'/node_modules/.bin',
|
||||
'/opt/homebrew/bin',
|
||||
'/opt/usr/bin',
|
||||
'/opt/X11/bin',
|
||||
'/opt/X11/libexec',
|
||||
@ -170,7 +173,6 @@ WHERE
|
||||
'/sbin',
|
||||
'/usr/bin',
|
||||
'/usr/lib',
|
||||
'/opt/homebrew/bin',
|
||||
'/usr/lib/bluetooth',
|
||||
'/usr/lib/cups/notifier',
|
||||
'/usr/libexec',
|
||||
@ -211,6 +213,7 @@ WHERE
|
||||
AND dir NOT LIKE '/private/tmp/go-build%/exe'
|
||||
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
|
||||
AND dir NOT LIKE '/private/tmp/nix-build-%'
|
||||
AND dir NOT LIKE '/Library/SystemExtensions/%-%/%.systemextension/Contents/MacOS'
|
||||
AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
|
||||
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
|
||||
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
|
||||
|
@ -135,12 +135,13 @@ WHERE
|
||||
AND top3_homedir NOT IN (
|
||||
'~/Library/Application Support/BraveSoftware/',
|
||||
'~/Library/Application Support/com.elgato.StreamDeck/',
|
||||
'~/Library/Application Support/Foxit Software/',
|
||||
'~/Library/Caches/com.mimestream.Mimestream/',
|
||||
'/Library/Application Support/EcammLive',
|
||||
'/Library/Developer/Xcode/',
|
||||
'~/Library/Application Support/Foxit Software/',
|
||||
'~/Library/Application Support/OpenLens',
|
||||
'~/Library/Caches/com.mimestream.Mimestream/',
|
||||
'~/Library/Caches/com.sempliva.Tiles/',
|
||||
'~/Library/Caches/snyk/',
|
||||
'/Library/Developer/Xcode/',
|
||||
'~/.terraform.d/plugin-cache/registry.terraform.io/'
|
||||
)
|
||||
AND dir NOT LIKE '/Applications/%'
|
||||
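Review bot: `'~/Library/Application Support/OpenLens'` is the only `~/Library/...` entry in `top3_homedir NOT IN (...)` without a trailing `/`; the neighbouring entries (`.../BraveSoftware/`, `.../Foxit Software/`) suggest the column is slash-terminated, in which case this entry never matches and the false positive persists — `'~/Library/Application Support/OpenLens/'` if so. `'/Library/Application Support/EcammLive'` has the same shape and is worth checking at the same time. `Foxit Software/`, `com.mimestream.Mimestream/` and `/Library/Developer/Xcode/` each appear twice here, presumably as moved lines; verify only one copy survives.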
|
@ -110,7 +110,7 @@ WHERE
|
||||
AND NOT (
|
||||
pe.euid > 500
|
||||
AND p1_name = 'ruby'
|
||||
AND p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%'
|
||||
AND p1_cmd LIKE '%/Homebrew/brew.rb%'
|
||||
)
|
||||
AND NOT (
|
||||
pe.euid > 500
|
||||
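Review bot: widening `p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%'` to `'%/Homebrew/brew.rb%'` removes the only path anchor in the `AND NOT (pe.euid > 500 AND p1_name = 'ruby' AND ...)` group, so any `ruby` invoked on a file named `brew.rb` under a directory called `Homebrew` — `/tmp/Homebrew/brew.rb` included — gets the same pass as the real package manager. If the goal is Intel installs under `/usr/local/Homebrew`, list the two prefixes instead: `AND (p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%' OR p1_cmd LIKE '%/usr/local/Homebrew/Library/Homebrew/brew.rb%')`. The second `AND NOT (` group at the bottom of the hunk continues outside it.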
|
@ -50,6 +50,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
|
||||
'curl,500,bash,ShellLauncher',
|
||||
'curl,500,Slack,launchd',
|
||||
'curl,500,bash,zsh',
|
||||
'curl,0,09-timezone,nm-dispatcher',
|
||||
'curl,500,env,env',
|
||||
'curl,500,fish,gnome-terminal-',
|
||||
'curl,500,Slack,launchd',
|
||||
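Review bot: `'curl,500,bash,zsh'` and `'curl,500,env,env'` key only on generic interpreters, so they cover a curl launched from any shell script or `env` wrapper — the same shape as a pasted `curl … | sh` one-liner — rather than the tool that caused the alert; if a particular script was the trigger, its name belongs in the parent field. The `-- NOTE:` on the `WHERE` says the remainder of this query is synced with the sibling fetcher-parent query, so these entries need to land there too or the two will drift. `'curl,500,Slack,launchd'` appears twice, presumably as a moved line. The `IN (` list opens before the hunk.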
|
@ -89,6 +89,7 @@ WHERE
|
||||
-- I'm not too thrilled to have this as an exception, to be honest.
|
||||
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
|
||||
'Developer ID Application: Sanford, L.P. (N3S6676K3E)',
|
||||
'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
|
||||
'Software Signing'
|
||||
)
|
||||
AND NOT (
|
||||
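Review bot: `'Developer ID Application: Tailscale Inc. (W5364U7YZB)'` grants a pass to anything signed under that Team ID, whereas the Tailscale entries elsewhere in this commit pin the bundle identifier `io.tailscale.ipn.macsys.network-extension` alongside the authority; if this list has an identifier column, the same pairing would keep the exception to the network extension rather than every Tailscale-signed binary. The `-- I'm not too thrilled...` comment above the PIA entry records the same unease about authority-only trust, so a one-line comment on why Tailscale needs this form would be consistent with it. The `IN (` list opens before the hunk.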
|
@ -100,6 +100,7 @@ WHERE
|
||||
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
|
||||
'500,gopls,a.out,',
|
||||
'500,gopls,gopls,',
|
||||
'500,dive,a.out,',
|
||||
'500,gpg-agent,gpg-agent,',
|
||||
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
|
||||
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
@ -115,6 +116,7 @@ WHERE
|
||||
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
|
||||
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
|
||||
'500,PrinterProxy,com.apple.print.PrinterProxy,',
|
||||
'500,BloomRPC Helper,,',
|
||||
'500,registry-redirect,a.out,',
|
||||
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
|
||||
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
|
||||
|
@ -96,6 +96,7 @@ WHERE
|
||||
'/usr/bin/udevadm',
|
||||
'/usr/libexec/aned',
|
||||
'/usr/libexec/coreduetd',
|
||||
'/usr/libexec/diskmanagementd',
|
||||
'/usr/bin/update-notifier',
|
||||
'/usr/libexec/flatpak-system-helper',
|
||||
'/usr/libexec/logd',
|
||||
|
@ -111,6 +111,7 @@ WHERE
|
||||
file.symlink = 1
|
||||
AND magic.data != 'symbolic link to /Applications'
|
||||
AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
|
||||
AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
|
||||
)
|
||||
)
|
||||
GROUP BY
|
||||
|
@ -117,6 +117,7 @@ WHERE
|
||||
'gnome-terminal-server',
|
||||
'go',
|
||||
'goland',
|
||||
'mc',
|
||||
'gopls',
|
||||
'helm',
|
||||
'HP Diagnose & Fix',
|
||||
@ -152,8 +153,10 @@ WHERE
|
||||
'sh',
|
||||
'ShellLauncher',
|
||||
'skhd',
|
||||
'su',
|
||||
'snyk',
|
||||
'sshd',
|
||||
'obs',
|
||||
'stable',
|
||||
'Stream Deck',
|
||||
'sudo',
|
||||
@ -164,6 +167,8 @@ WHERE
|
||||
'terraform-ls',
|
||||
'test2json',
|
||||
'tmux',
|
||||
'snyk-macos',
|
||||
'ression-arm64',
|
||||
'tmux:server',
|
||||
'update-notifier',
|
||||
'vi',
|
||||
@ -253,6 +258,7 @@ WHERE
|
||||
'sh,500,Google Drive,launchd',
|
||||
'dash,0,snapd,systemd',
|
||||
'bash,500,xdg-desktop-portal,systemd',
|
||||
'zsh,500,old,old',
|
||||
'sh,500,snyk-macos,snyk',
|
||||
'sh,500,ssh,mosh-client',
|
||||
'sh,500,updater,Foxit PDF Reader',
|
||||
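Review bot: `'ression-arm64'` is a name fragment (by the look of it the tail of a longer binary name truncated by the process table) and `'zsh,500,old,old'` keys a user shell on a parent named `old`; neither says what software it is, so the next reader cannot tell a stale entry from a live one — a comment beside each, e.g. `-- truncated name of <tool>` and `-- <app>'s binary while renamed to 'old'`, with the real names filled in, would make them reviewable. `'mc'` is filed between `goland` and `gopls` and `'obs'` after `sshd`, so the list is no longer sorted. The `IN (` lists open before their hunks.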
|
@ -105,6 +105,7 @@ WHERE
|
||||
'ssh',
|
||||
'sshd',
|
||||
'steam_osx',
|
||||
'LogiTune',
|
||||
'swift',
|
||||
'systemd',
|
||||
'terminator',
|
||||
@ -161,6 +162,7 @@ WHERE
|
||||
AND NOT p.cmdline IN (
|
||||
-- npm run server
|
||||
'sh -c -- exec-bin node_modules/.bin/hugo/hugo server',
|
||||
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
|
||||
"sh -c acpi -b | grep -v 'unavailable'",
|
||||
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null',
|
||||
-- Brother printer
|
||||
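Review bot: `"sh -c acpi -b | grep -v 'unavailable'"` is double-quoted because it contains an apostrophe; SQLite treats a double-quoted token as an identifier first and only falls back to a string when no such column exists, and the rest of this list is single-quoted, so the portable spelling is `'sh -c acpi -b | grep -v ''unavailable'''`. `'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice'` reads the hardware UUID and serial, which licensing code and macOS stealers both do for host fingerprinting; the exact match on the command line is fine, but tying it to the parent that was observed would keep it from covering the latter. The `AND NOT p.cmdline IN (` list closes after the hunk.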
|
@ -80,6 +80,7 @@ WHERE
|
||||
'.disk_label_2x',
|
||||
'.DS_Store',
|
||||
'.file',
|
||||
'LogiPresentation Installer.app',
|
||||
'.file-revisions-by-id',
|
||||
'._Id.txt',
|
||||
'.iotest',
|
||||
@ -95,6 +96,7 @@ WHERE
|
||||
)
|
||||
AND authority NOT IN (
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
|
||||
) -- Unsigned programs here
|
||||
AND trimpath NOT IN (
|
||||
|
@ -127,6 +127,7 @@ WHERE
|
||||
'dnf-automatic-install.service,dnf automatic install updates,,225',
|
||||
'dnf-automatic-install.timer,dnf-automatic-install timer,,225',
|
||||
'dnf-makecache.service,dnf makecache,,225',
|
||||
'dnf-makecache.service,dnf makecache,,450',
|
||||
'dnf-makecache.timer,dnf makecache --timer,,225',
|
||||
'docker.service,Docker Application Container Engine,,1125',
|
||||
'docker.service,Docker Application Container Engine,,1350',
|
||||
@ -142,6 +143,7 @@ WHERE
|
||||
'firewall.service,Firewall,,1350',
|
||||
'flatpak-system-helper.service,flatpak system helper,,225',
|
||||
'fprintd.service,Fingerprint Authentication Daemon,,900',
|
||||
'fprintd.service,Fingerprint Authentication Daemon,,675',
|
||||
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225',
|
||||
'fstrim.timer,Discard unused blocks once a week,,225',
|
||||
'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225',
|
||||
@ -214,12 +216,15 @@ WHERE
|
||||
'network-interfaces.target,All Network Interfaces (deprecated),,0',
|
||||
'network-local-commands.service,Extra networking commands.,,1350',
|
||||
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675',
|
||||
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450',
|
||||
'NetworkManager.service,Network Manager,,1125',
|
||||
'nvidia-suspend.service,NVIDIA system suspend actions,,225',
|
||||
'NetworkManager.service,Network Manager,,1350',
|
||||
'NetworkManager-wait-online.service,Network Manager Wait Online,,1125',
|
||||
'network-online.target,Network is Online,,450',
|
||||
'network-pre.target,Network (Pre),,450',
|
||||
'network-pre.target,Preparation for Network,,450',
|
||||
'sleep.target,Sleep,,450',
|
||||
'network-setup.service,Networking Setup,,1350',
|
||||
'network.target,Network,,225',
|
||||
'network.target,Network,,450',
|
||||
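Review bot: the new entries differ from existing ones only in the trailing number (`fprintd.service,...,900` next to `...,675`; `NetworkManager-dispatcher.service,...,675` next to `...,450`), which looks like a bucketed value that has to be re-enumerated every time a unit lands in a new bucket; if that field is not what makes a unit suspicious, key the exception on the first three fields (e.g. `exception_key LIKE 'fprintd.service,Fingerprint Authentication Daemon,,%'`) and the churn stops. `'sleep.target,Sleep,,450'` is filed between the `network-*` entries, so the list is no longer sorted. The `IN (` list opens before the first hunk.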
|
@ -11,215 +11,227 @@
|
||||
-- tags: persistent filesystem state
|
||||
-- platform: linux
|
||||
SELECT -- Remove numerals from device names
|
||||
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
|
||||
DISTINCT REPLACE(
|
||||
-- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
|
||||
DISTINCT REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(
|
||||
REPLACE(REPLACE(path, "0", ""), "1", ""),
|
||||
"2",
|
||||
""
|
||||
),
|
||||
"3",
|
||||
""
|
||||
),
|
||||
"4",
|
||||
""
|
||||
),
|
||||
"5",
|
||||
""
|
||||
),
|
||||
"6",
|
||||
""
|
||||
),
|
||||
"7",
|
||||
REPLACE(
|
||||
REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""),
|
||||
"3",
|
||||
""
|
||||
),
|
||||
"4",
|
||||
""
|
||||
),
|
||||
"8",
|
||||
"5",
|
||||
""
|
||||
),
|
||||
"6",
|
||||
""
|
||||
),
|
||||
"9",
|
||||
"7",
|
||||
""
|
||||
) AS path_expr,
|
||||
file.*
|
||||
FROM file
|
||||
WHERE (
|
||||
path LIKE '/dev/%'
|
||||
OR directory LIKE '/dev/%'
|
||||
)
|
||||
AND path_expr NOT IN (
|
||||
'/dev/acpi_thermal_rel',
|
||||
'/dev/autofs',
|
||||
'/dev/block/',
|
||||
'/dev/block/:',
|
||||
'/dev/bsg/',
|
||||
'/dev/bsg/:::',
|
||||
'/dev/btrfs-control',
|
||||
'/dev/bus/',
|
||||
'/dev/bus/usb',
|
||||
'/dev/cdrom',
|
||||
'/dev/char/',
|
||||
'/dev/char/:',
|
||||
'/dev/console',
|
||||
'/dev/core',
|
||||
'/dev/cpu/',
|
||||
'/dev/cpu_dma_latency',
|
||||
'/dev/cpu/microcode',
|
||||
'/dev/cros_ec',
|
||||
'/dev/cuse',
|
||||
'/dev/disk/',
|
||||
'/dev/disk/by-diskseq',
|
||||
'/dev/disk/by-id',
|
||||
'/dev/disk/by-label',
|
||||
'/dev/disk/by-partlabel',
|
||||
'/dev/disk/by-partuuid',
|
||||
'/dev/disk/by-path',
|
||||
'/dev/disk/by-uuid',
|
||||
'/dev/dm-',
|
||||
'/dev/dma_heap/',
|
||||
'/dev/dma_heap/system',
|
||||
'/dev/dri/',
|
||||
'/dev/dri/by-path',
|
||||
'/dev/dri/card',
|
||||
'/dev/dri/renderD',
|
||||
'/dev/drm_dp_aux',
|
||||
'/dev/dvd',
|
||||
'/dev/ecryptfs',
|
||||
'/dev/fb',
|
||||
'/dev/fd/',
|
||||
'/dev/full',
|
||||
'/dev/fuse',
|
||||
'/dev/gpiochip',
|
||||
'/dev/hidraw',
|
||||
'/dev/HID-SENSOR-e..auto',
|
||||
'/dev/hpet',
|
||||
'/dev/hugepages/',
|
||||
'/dev/hugepages/libvirt',
|
||||
'/dev/hwrng',
|
||||
'/dev/ic-',
|
||||
'/dev/iio:device',
|
||||
'/dev/initctl',
|
||||
'/dev/input/',
|
||||
'/dev/input/by-id',
|
||||
'/dev/input/by-path',
|
||||
'/dev/input/event',
|
||||
'/dev/input/js',
|
||||
'/dev/input/mice',
|
||||
'/dev/input/mouse',
|
||||
'/dev/kfd',
|
||||
'/dev/kmsg',
|
||||
'/dev/kvm',
|
||||
'/dev/log',
|
||||
'/dev/loop',
|
||||
'/dev/loop-control',
|
||||
'/dev/lp',
|
||||
'/dev/mapper/',
|
||||
'/dev/mapper/control',
|
||||
'/dev/mcelog',
|
||||
'/dev/media',
|
||||
'/dev/mei',
|
||||
'/dev/mem',
|
||||
'/dev/mqueue/',
|
||||
'/dev/mtd',
|
||||
'/dev/mtdro',
|
||||
'/dev/net/',
|
||||
'/dev/net/tun',
|
||||
'/dev/ngn',
|
||||
'/dev/null',
|
||||
'/dev/nvidia',
|
||||
'/dev/nvidia-caps/',
|
||||
'/dev/nvidia-caps/nvidia-cap',
|
||||
'/dev/nvidiactl',
|
||||
'/dev/nvidia-modeset',
|
||||
'/dev/nvidia-uvm',
|
||||
'/dev/nvidia-uvm-tools',
|
||||
'/dev/nvme',
|
||||
'/dev/nvmen',
|
||||
'/dev/nvmenp',
|
||||
'/dev/nvram',
|
||||
'/dev/port',
|
||||
'/dev/ppp',
|
||||
'/dev/pps',
|
||||
'/dev/psaux',
|
||||
'/dev/ptmx',
|
||||
'/dev/ptp',
|
||||
'/dev/pts/',
|
||||
'/dev/pts/ptmx',
|
||||
'/dev/random',
|
||||
'/dev/rfkill',
|
||||
'/dev/rpool/',
|
||||
'/dev/rpool/keystore',
|
||||
'/dev/rtc',
|
||||
'/dev/sda',
|
||||
'/dev/sg',
|
||||
'/dev/shm/',
|
||||
'/dev/snapshot',
|
||||
'/dev/snd/',
|
||||
'/dev/snd/by-id',
|
||||
'/dev/snd/by-path',
|
||||
'/dev/snd/controlC',
|
||||
'/dev/snd/hwCD',
|
||||
'/dev/snd/pcmCDc',
|
||||
'/dev/snd/pcmCDp',
|
||||
'/dev/snd/seq',
|
||||
'/dev/snd/timer',
|
||||
'/dev/sr',
|
||||
'/dev/stderr',
|
||||
'/dev/stdin',
|
||||
'/dev/stdout',
|
||||
'/dev/tpm',
|
||||
'/dev/tpmrm',
|
||||
'/dev/tty',
|
||||
'/dev/ttyprintk',
|
||||
'/dev/ttyS',
|
||||
'/dev/udmabuf',
|
||||
'/dev/uhid',
|
||||
'/dev/uinput',
|
||||
'/dev/urandom',
|
||||
'/dev/usb/',
|
||||
'/dev/usb/hiddev',
|
||||
'/dev/usbmon',
|
||||
'/dev/userfaultfd',
|
||||
'/dev/userio',
|
||||
'/dev/vboxdrv',
|
||||
'/dev/vboxdrvu',
|
||||
'/dev/vboxnetctl',
|
||||
'/dev/vboxusb/',
|
||||
'/dev/vcs',
|
||||
'/dev/vcsa',
|
||||
'/dev/vcsu',
|
||||
'/dev/vda',
|
||||
'/dev/vfio/',
|
||||
'/dev/vfio/vfio',
|
||||
'/dev/vg/',
|
||||
'/dev/vga_arbiter',
|
||||
'/dev/vg/root',
|
||||
'/dev/vg/swap',
|
||||
'/dev/vgubuntu/',
|
||||
'/dev/vgubuntu/root',
|
||||
'/dev/vgubuntu/swap_',
|
||||
'/dev/vhci',
|
||||
'/dev/vhost-net',
|
||||
'/dev/vhost-vsock',
|
||||
'/dev/video',
|
||||
'/dev/vl/',
|
||||
'/dev/vl/by-id',
|
||||
'/dev/vl/by-path',
|
||||
'/dev/watchdog',
|
||||
'/dev/wmi/',
|
||||
'/dev/wmi/dell-smbios',
|
||||
'/dev/zd',
|
||||
'/dev/zero',
|
||||
'/dev/zfs',
|
||||
'/dev/zram',
|
||||
'/dev/zvol/',
|
||||
'/dev/zvol/rpool',
|
||||
'/dev/vlloopback'
|
||||
)
|
||||
AND NOT path LIKE '/dev/mapper/%'
|
||||
AND NOT path LIKE '/dev/shm/u%-Shm_%'
|
||||
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
|
||||
),
|
||||
"8",
|
||||
""
|
||||
),
|
||||
"9",
|
||||
""
|
||||
) AS path_expr,
|
||||
file.*
|
||||
FROM
|
||||
file
|
||||
WHERE
|
||||
(
|
||||
path LIKE '/dev/%'
|
||||
OR directory LIKE '/dev/%'
|
||||
)
|
||||
AND path_expr NOT IN (
|
||||
'/dev/acpi_thermal_rel',
|
||||
'/dev/autofs',
|
||||
'/dev/block/',
|
||||
'/dev/block/:',
|
||||
'/dev/bsg/',
|
||||
'/dev/bsg/:::',
|
||||
'/dev/btrfs-control',
|
||||
'/dev/bus/',
|
||||
'/dev/bus/usb',
|
||||
'/dev/cdrom',
|
||||
'/dev/char/',
|
||||
'/dev/char/:',
|
||||
'/dev/console',
|
||||
'/dev/core',
|
||||
'/dev/cpu/',
|
||||
'/dev/cpu_dma_latency',
|
||||
'/dev/cpu/microcode',
|
||||
'/dev/cros_ec',
|
||||
'/dev/cuse',
|
||||
'/dev/disk/',
|
||||
'/dev/disk/by-diskseq',
|
||||
'/dev/disk/by-id',
|
||||
'/dev/disk/by-label',
|
||||
'/dev/disk/by-partlabel',
|
||||
'/dev/disk/by-partuuid',
|
||||
'/dev/disk/by-path',
|
||||
'/dev/disk/by-uuid',
|
||||
'/dev/dm-',
|
||||
'/dev/dma_heap/',
|
||||
'/dev/dma_heap/system',
|
||||
'/dev/dmmidi',
|
||||
'/dev/dri/',
|
||||
'/dev/dri/by-path',
|
||||
'/dev/dri/card',
|
||||
'/dev/dri/renderD',
|
||||
'/dev/drm_dp_aux',
|
||||
'/dev/dvd',
|
||||
'/dev/ecryptfs',
|
||||
'/dev/fb',
|
||||
'/dev/fd/',
|
||||
'/dev/full',
|
||||
'/dev/fuse',
|
||||
'/dev/gpiochip',
|
||||
'/dev/hidraw',
|
||||
'/dev/HID-SENSOR-e..auto',
|
||||
'/dev/hpet',
|
||||
'/dev/hugepages/',
|
||||
'/dev/hugepages/libvirt',
|
||||
'/dev/hwrng',
|
||||
'/dev/ic-',
|
||||
'/dev/iio:device',
|
||||
'/dev/initctl',
|
||||
'/dev/input/',
|
||||
'/dev/input/by-id',
|
||||
'/dev/input/by-path',
|
||||
'/dev/input/event',
|
||||
'/dev/input/js',
|
||||
'/dev/input/mice',
|
||||
'/dev/input/mouse',
|
||||
'/dev/kfd',
|
||||
'/dev/kmsg',
|
||||
'/dev/kvm',
|
||||
'/dev/log',
|
||||
'/dev/loop',
|
||||
'/dev/loop-control',
|
||||
'/dev/lp',
|
||||
'/dev/mapper/',
|
||||
'/dev/mapper/control',
|
||||
'/dev/mcelog',
|
||||
'/dev/md',
|
||||
'/dev/md/',
|
||||
'/dev/md/ssraid',
|
||||
'/dev/media',
|
||||
'/dev/mei',
|
||||
'/dev/mem',
|
||||
'/dev/midi',
|
||||
'/dev/mqueue/',
|
||||
'/dev/mtd',
|
||||
'/dev/mtdro',
|
||||
'/dev/net/',
|
||||
'/dev/net/tun',
|
||||
'/dev/ngn',
|
||||
'/dev/null',
|
||||
'/dev/nvidia',
|
||||
'/dev/nvidia-caps/',
|
||||
'/dev/nvidia-caps/nvidia-cap',
|
||||
'/dev/nvidiactl',
|
||||
'/dev/nvidia-modeset',
|
||||
'/dev/nvidia-uvm',
|
||||
'/dev/nvidia-uvm-tools',
|
||||
'/dev/nvme',
|
||||
'/dev/nvmen',
|
||||
'/dev/nvmenp',
|
||||
'/dev/nvram',
|
||||
'/dev/port',
|
||||
'/dev/ppp',
|
||||
'/dev/pps',
|
||||
'/dev/psaux',
|
||||
'/dev/ptmx',
|
||||
'/dev/ptp',
|
||||
'/dev/pts/',
|
||||
'/dev/pts/ptmx',
|
||||
'/dev/random',
|
||||
'/dev/rfkill',
|
||||
'/dev/rpool/',
|
||||
'/dev/rpool/keystore',
|
||||
'/dev/rtc',
|
||||
'/dev/sda',
|
||||
'/dev/sdb',
|
||||
'/dev/serial/',
|
||||
'/dev/serial/by-id',
|
||||
'/dev/serial/by-path',
|
||||
'/dev/sg',
|
||||
'/dev/sgx_provision',
|
||||
'/dev/sgx_vepc',
|
||||
'/dev/shm/',
|
||||
'/dev/shm/libpod_rootless_lock_',
|
||||
'/dev/snapshot',
|
||||
'/dev/snd/',
|
||||
'/dev/snd/by-id',
|
||||
'/dev/snd/by-path',
|
||||
'/dev/snd/controlC',
|
||||
'/dev/snd/hwCD',
|
||||
'/dev/snd/midiCD',
|
||||
'/dev/snd/pcmCDc',
|
||||
'/dev/snd/pcmCDp',
|
||||
'/dev/snd/seq',
|
||||
'/dev/snd/timer',
|
||||
'/dev/sr',
|
||||
'/dev/stderr',
|
||||
'/dev/stdin',
|
||||
'/dev/stdout',
|
||||
'/dev/tpm',
|
||||
'/dev/tpmrm',
|
||||
'/dev/tty',
|
||||
'/dev/ttyACM',
|
||||
'/dev/ttyprintk',
|
||||
'/dev/ttyS',
|
||||
'/dev/udmabuf',
|
||||
'/dev/uhid',
|
||||
'/dev/uinput',
|
||||
'/dev/urandom',
|
||||
'/dev/usb/',
|
||||
'/dev/usb/hiddev',
|
||||
'/dev/usbmon',
|
||||
'/dev/userfaultfd',
|
||||
'/dev/userio',
|
||||
'/dev/vboxdrv',
|
||||
'/dev/vboxdrvu',
|
||||
'/dev/vboxnetctl',
|
||||
'/dev/vboxusb/',
|
||||
'/dev/vcs',
|
||||
'/dev/vcsa',
|
||||
'/dev/vcsu',
|
||||
'/dev/vda',
|
||||
'/dev/vfio/',
|
||||
'/dev/vfio/vfio',
|
||||
'/dev/vg/',
|
||||
'/dev/vga_arbiter',
|
||||
'/dev/vg/root',
|
||||
'/dev/vg/swap',
|
||||
'/dev/vgubuntu/',
|
||||
'/dev/vgubuntu/root',
|
||||
'/dev/vgubuntu/swap_',
|
||||
'/dev/vhci',
|
||||
'/dev/vhost-net',
|
||||
'/dev/vhost-vsock',
|
||||
'/dev/video',
|
||||
'/dev/vl/',
|
||||
'/dev/vl/by-id',
|
||||
'/dev/vl/by-path',
|
||||
'/dev/vlloopback',
|
||||
'/dev/watchdog',
|
||||
'/dev/wmi/',
|
||||
'/dev/wmi/dell-smbios',
|
||||
'/dev/zd',
|
||||
'/dev/zero',
|
||||
'/dev/zfs',
|
||||
'/dev/zram',
|
||||
'/dev/zvol/',
|
||||
'/dev/zvol/rpool'
|
||||
)
|
||||
AND NOT path LIKE '/dev/mapper/%'
|
||||
AND NOT path LIKE '/dev/shm/u%-Shm_%'
|
||||
AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
|
||||
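Review bot: the digit-stripping `path_expr` collapses a digits-only basename onto its directory, so `/dev/shm/1337` normalizes to `/dev/shm/` and is swallowed by the `'/dev/shm/'` entry in `path_expr NOT IN (...)` — and `/dev/shm` is the one world-writable, memory-backed location in this tree, a routine staging spot for fileless payloads. Keep the collapse for kernel-managed directories like `/dev/pts/` and `/dev/fd/` but not for shm: change `AND path_expr NOT IN (` to `AND ( path_expr NOT IN (` and close the list with `) OR (path_expr = '/dev/shm/' AND path != path_expr) )`, with a comment that a digits-only name under /dev/shm must still be reported (`/dev/mqueue/` can be added the same way if desired). The new `'/dev/sgx_provision'`, `'/dev/sgx_vepc'`, `'/dev/serial/by-id'` and `'/dev/ttyACM'` entries are fine, but `'/dev/shm/libpod_rootless_lock_'` could use a comment that the stripped digits are the rootless user's uid. The `DISTINCT REPLACE(` header and its `-- Ugly, but better...` comment appear twice in this rendering, presumably old and new formatting of the same lines.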
|
@ -40,6 +40,7 @@ WHERE
|
||||
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
|
||||
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
|
||||
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
|
||||
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
|
||||
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
|
||||
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
|
||||
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
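Review bot: The new `'Developer ID Application: Fumihiko Takayama (G43BCU2T37)'` entry breaks the alphabetical order the rest of this authority list keeps — it sits between Logitech and MacPaw, where a reader scanning for duplicates will not look for an F. Move it up to just before the `Google, Inc.` line. Because an authority string says nothing about which product it admits, a trailing note such as `-- Karabiner-Elements` (if that is indeed what this developer ships) would help the next reviewer judge whether the exception is still wanted. The enclosing WHERE clause and IN list begin outside the hunk.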
|
||||
|
@ -37,7 +37,8 @@ WHERE
|
||||
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
|
||||
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
||||
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
||||
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)'
|
||||
'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
|
||||
'Software Signing'
|
||||
)
|
||||
AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent')
|
||||
AND NOT (
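Review bot: Adding `'Software Signing'` to this allowlist exempts every Apple-signed platform binary, not just the program that produced the false positive — that authority is what Apple uses for OS-shipped executables, so it is a far broader exception than the vendor Developer IDs listed beside it. The query already carries a `program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent')` list on the next line, so the narrower fix is to add the specific Apple program path there, or to pair the authority with a path prefix, e.g. `AND NOT (<authority column> = 'Software Signing' AND program LIKE '/System/%')`, using whichever column this IN list actually tests. If the broad exception is intentional, a comment stating why the whole authority is trusted here would save the next reader from re-raising it. The WHERE clause and the `AND NOT (` that follows continue outside the hunk.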
|
||||
|
@ -117,6 +117,7 @@ WHERE
|
||||
'5432,6,70,postgres',
|
||||
'546,17,500,dhcpcd',
|
||||
'5556,6,500,dex',
|
||||
'5556,6,500,openshot-qt',
|
||||
'5558,6,500,dex',
|
||||
'58,255,0,dhcpcd',
|
||||
'58,255,0,NetworkManager',
|
||||
|
@ -62,12 +62,14 @@ WHERE
|
||||
'138,17,222,netbiosd,Software Signing',
|
||||
'16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
|
||||
'17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
|
||||
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'2112,6,500,fake,',
|
||||
'2112,6,500,rekor-server,',
|
||||
'2112,6,500,timestamp-server,',
|
||||
'22000,6,500,syncthing,',
|
||||
'22,6,0,launchd,Software Signing',
|
||||
'24678,6,500,node,',
|
||||
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
|
||||
'33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
||||
'3306,6,500,mariadbd,',
|
||||
@ -108,7 +110,6 @@ WHERE
|
||||
'53,17,65,mDNSResponder,Software Signing',
|
||||
'53,6,500,dnsmasq,',
|
||||
'53,6,65,mDNSResponder,Software Signing',
|
||||
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'546,17,0,configd,Software Signing',
|
||||
'547,17,500,dhcp6d,Software Signing',
|
||||
'5900,6,0,launchd,Software Signing',
|
||||
@ -119,8 +120,6 @@ WHERE
|
||||
'67,17,0,bootpd,Software Signing',
|
||||
'67,17,0,launchd,Software Signing',
|
||||
'68,17,0,configd,Software Signing',
|
||||
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'7000,6,500,ControlCenter,Software Signing',
|
||||
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'8770,6,500,sharingd,Software Signing',
|
||||
|
@ -101,13 +101,13 @@ WHERE
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
|
||||
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
|
||||
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
|
||||
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
|
||||
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
|
||||
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
|
||||
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service',
|
||||
'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
|
||||
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
|
||||
@ -130,6 +130,7 @@ WHERE
|
||||
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
|
||||
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
|
||||
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
|
||||
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
|
||||
@ -147,6 +148,7 @@ WHERE
|
||||
'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
|
||||
'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
|
||||
'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
|
||||
'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
|
||||
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
|
||||
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
|
||||
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
|
||||
@ -188,7 +190,6 @@ WHERE
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
|
||||
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
|
||||
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
|
||||
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
|
||||
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
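Review bot: The `dhclient` exception key in the `@ -101` hunk, `'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service'`, carries a stray ` p0_cgroup:/system.slice/networking.service` tail that looks like pasted osquery output rather than part of the key; every neighbouring entry is six comma-separated fields ending in the mode, so this string can never equal a generated key and the exception silently never fires. It should read `'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',`. I cannot tell from the rendered page whether this line is new in this commit or carried context, but it is wrong either way and dhclient on a Debian-style `networking.service` host will keep alerting. The surrounding `NOT IN` list extends beyond the hunks shown.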
|
||||
|
@ -67,7 +67,6 @@ WHERE -- Focus on longer-running programs
|
||||
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
|
||||
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
|
||||
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
|
||||
|
||||
'/bin/bash',
|
||||
'/usr/sbin/sshd',
|
||||
'/usr/libexec/trustdFileHelper',
|
||||
@ -91,6 +90,7 @@ WHERE -- Focus on longer-running programs
|
||||
'/Library/PrivilegedHelperTools/com.docker.vmnetd',
|
||||
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
|
||||
'/Library/PrivilegedHelperTools/keybase.Helper',
|
||||
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
|
||||
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
|
||||
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
|
||||
'/sbin/launchd',
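Review bot: The new Little Snitch exception, `'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension'`, embeds what looks like the per-install UUID directory under `/Library/SystemExtensions/`, so the literal path will only match the host it was copied from and the alert re-fires on every other machine; the Google One entry just above it has the same shape. Since this is a path `NOT IN` list, the fix is a separate predicate that wildcards only the UUID component, e.g. `AND NOT <path column> LIKE '/Library/SystemExtensions/%/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension'`, which keeps the bundle identifier and binary name pinned while dropping the host-specific part. The enclosing WHERE clause begins outside the hunks shown.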
|
||||
|
@ -13,7 +13,6 @@
|
||||
-- interval: 600
|
||||
SELECT
|
||||
file.mode AS p0_binary_mode,
|
||||
pe.cmdline_size AS p0_cmd_size,
|
||||
-- Child
|
||||
pe.path AS p0_path,
|
||||
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
|
||||
|
@ -87,18 +87,19 @@ WHERE
|
||||
AND p1_path NOT IN (
|
||||
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
|
||||
'/usr/libexec/PerfPowerServicesExtended',
|
||||
'/System/Library/PrivateFrameworks/AOSKit.framework/Versions/A/XPCServices/com.apple.iCloudHelper.xpc/Contents/MacOS/com.apple.iCloudHelper',
|
||||
'/usr/bin/login',
|
||||
'/usr/bin/su',
|
||||
'/usr/bin/sudo',
|
||||
'/usr/libexec/mdmclient',
|
||||
'/usr/local/bin/doas'
|
||||
)
|
||||
-- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
|
||||
AND NOT (
|
||||
p0_cmd IN (
|
||||
'/usr/sbin/cupsd -l',
|
||||
'/usr/libexec/mdmclient daemon',
|
||||
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
|
||||
)
|
||||
AND NOT p0_cmd IN (
|
||||
'/usr/sbin/cupsd -l',
|
||||
'/usr/libexec/PerfPowerServicesExtended',
|
||||
'/usr/libexec/mdmclient daemon',
|
||||
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
|
||||
)
|
||||
AND NOT (
|
||||
pe.euid = 262 -- core media helper id
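Review bot: The `'/usr/libexec/PerfPowerServicesExtended'` entry added to the `p0_cmd NOT IN` list is a bare path while its siblings (`'/usr/sbin/cupsd -l'`, `'/usr/libexec/mdmclient daemon'`) are full command lines, so if `p0_cmd` is the child's cmdline — the first hunk's `pe.cmdline_size AS p0_cmd_size` suggests it is — this entry only matches when the daemon runs with no arguments. The same binary is also excluded as a parent via `p1_path NOT IN` in this hunk, so one of the two exclusions is probably redundant; whichever stays should carry a one-line reason stating which case it covers, e.g. `-- PerfPowerServicesExtended: parent/child mis-attribution, same class as the entries above`, since the existing comment only explains the cmd list. The SELECT list and WHERE clause extend beyond the hunks shown.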
|
||||
|
@ -31,6 +31,7 @@ WHERE
|
||||
'distroless.dev/melange',
|
||||
'docker.io/rancher/k3s',
|
||||
'gcr.io/k8s-minikube/kicbase',
|
||||
'ghcr.io/wolfi-dev/sdk',
|
||||
'kindest/node',
|
||||
'moby/buildkit',
|
||||
'wolfi'
|
||||
|
@ -14,7 +14,8 @@ FROM
|
||||
LEFT JOIN file ON mdfind.path = file.path
|
||||
LEFT JOIN users u ON file.uid = u.uid
|
||||
LEFT JOIN hash ON mdfind.path = hash.path
|
||||
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
|
||||
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
|
||||
AND ea.key = 'where_from'
|
||||
LEFT JOIN magic ON mdfind.path = magic.path
|
||||
LEFT JOIN signature ON mdfind.path = signature.path
|
||||
WHERE
|
||||
@ -22,6 +23,9 @@ WHERE
|
||||
AND file.filename LIKE "%-%-%.json"
|
||||
AND file.directory NOT LIKE '%/go/pkg/%'
|
||||
AND file.directory NOT LIKE '%/go/src/%'
|
||||
AND NOT file.directory LIKE '%/aws-sdk/apis'
|
||||
AND NOT file.directory LIKE '%/testdata/%'
|
||||
AND NOT file.directory LIKE '%/schemas'
|
||||
AND file.directory NOT LIKE '/Users/%/Library/Application Support/%'
|
||||
AND file.directory NOT LIKE '%demo'
|
||||
AND file.size BETWEEN 2311 AND 2385
|
||||
@ -33,5 +37,6 @@ WHERE
|
||||
REPLACE(LOWER(TRIM(u.description)), " ", "-")
|
||||
) == 1
|
||||
-- Common filenames that are non-controversial
|
||||
AND file.filename NOT IN ('service-account-file.json')
|
||||
GROUP BY file.path
|
||||
AND NOT file.filename IN ('service-account-file.json')
|
||||
GROUP BY
|
||||
file.path
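Review bot: The new `AND NOT file.directory LIKE '%/testdata/%'` exclusion in the `@ -22` hunk is far broader than the two added beside it (`'%/aws-sdk/apis'`, `'%/schemas'`): any directory named `testdata` anywhere on disk is skipped, including a checked-out repo where a real service-account key was committed as a fixture — and `%/go/src/%` plus `%/go/pkg/%` already cover the Go module cache that most likely produced the noise. Consider narrowing it to the tree that triggered it, or if the blind spot is accepted, say so in place: `-- testdata: Go fixtures; accepted blind spot for real keys committed as test data`. The `file.filename NOT IN` → `NOT file.filename IN` change in the last hunk is cosmetic. The query's SELECT and the rest of the WHERE clause lie outside the hunks shown.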
|
||||
|
@ -44,4 +44,4 @@ WHERE
|
||||
REPLACE(LOWER(TRIM(description)), " ", "-")
|
||||
) == 1
|
||||
-- Common filenames that are non-controversial
|
||||
AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
|
||||
AND NOT file.filename LIKE '%melange.rsa%'
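Review bot: Replacing `file.filename NOT IN ('local-melange.rsa', 'melange.rsa')` with `NOT file.filename LIKE '%melange.rsa%'` widens the exception from two exact names to any filename containing that substring — `melange.rsa.pub`, but also `prod-melange.rsa.bak` or `old-melange.rsa-key` — which matters in a query that appears to exist to surface private keys in unexpected places, and a melange signing key is exactly such a key. If the `.pub` file was the new false positive, keep the match anchored: `AND NOT file.filename IN ('local-melange.rsa', 'melange.rsa', 'melange.rsa.pub')`, or at most a suffix match `LIKE '%melange.rsa'` with no trailing wildcard. Either way the exclusion should stay name-exact rather than substring-based. The preceding conditions continue outside the hunk.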
|
||||
|