More filtering

fd/unexpected-dev-opener.sql

@@ -96,6 +96,7 @@ WHERE pof.path LIKE '/dev/%'
             'getty',
             'systemd-logind',
             'X',
+            'agetty',
             'Xorg'
         )
     )

firewall/unexpected-alf-exceptions.sql

@@ -1,6 +1,10 @@
-SELECT *
+SELECT alf_exceptions.path, alf_exceptions.state,
+file.mtime, file.ctime, file.uid, file.size, file.type,
+hash.sha256
 FROM alf_exceptions
-WHERE path NOT IN (
+LEFT JOIN file ON alf_exceptions.path = file.path
+LEFT JOIN hash ON alf_exceptions.path = hash.path
+WHERE alf_exceptions.path NOT IN (
         '/Applications/Dropbox.app/',
         '/Applications/Epson%20Software/Event%20Manager.app/Contents/Resources/Assistants/Event%20Manager/EEventManager.app/',
         '/Applications/GarageBand.app/',
@@ -14,6 +18,7 @@ WHERE path NOT IN (
         '/Applications/Spotify.app/',
         '/Applications/Sketch.app/',
         '/Applications/Sonos.app/',
+        '/Applications/ProtonMail%20Bridge.app/',
         '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/',
         '/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/',
         '/Applications/Visual%20Studio%20Code.app/',
@@ -30,17 +35,18 @@ WHERE path NOT IN (
         '/usr/libexec/xartstorageremoted',
         '/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/'
     )
-    AND path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
-    AND path NOT LIKE '/private/var/folders/%/go-build%/exe/%'
-    AND path NOT LIKE '/System/Applications/%'
-    AND path NOT LIKE "%/hugo"
-    AND path NOT LIKE "%/registry-redirect"
-    AND path NOT LIKE '/System/Library/CoreServices/%'
-    AND path NOT LIKE '/System/Library/Frameworks/%'
-    AND PATH NOT LIKE "%IntelliJ%"
-    AND path NOT LIKE '/%/bin/syncthing'
-    AND path NOT LIKE '/Users/%/go/bin/%'
-    AND path NOT LIKE '/Users/%/go/src/%'
-    AND path NOT LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
-    AND path NOT LIKE '/Users/%/.rustup/toolchains/%/bin/cargo'
-    AND path NOT LIKE '/Users/%/homebrew/%/bin/%'
+    AND alf_exceptions.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
+    AND alf_exceptions.path NOT LIKE '/private/var/folders/%/go-build%/exe/%'
+    AND alf_exceptions.path NOT LIKE '/System/Applications/%'
+    AND alf_exceptions.path NOT LIKE "%/hugo"
+    AND alf_exceptions.path NOT LIKE "%/registry-redirect"
+    AND alf_exceptions.path NOT LIKE '/System/Library/CoreServices/%'
+    AND alf_exceptions.path NOT LIKE '/System/Library/Frameworks/%'
+    AND alf_exceptions.path NOT LIKE "%IntelliJ%"
+    AND alf_exceptions.path NOT LIKE '/%/bin/syncthing'
+    AND alf_exceptions.path NOT LIKE '/Users/%/go/bin/%'
+    AND alf_exceptions.path NOT LIKE '/Users/%/go/src/%'
+    AND alf_exceptions.path NOT LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
+    AND alf_exceptions.path NOT LIKE '/Users/%/.rustup/toolchains/%/bin/cargo'
+    AND alf_exceptions.path NOT LIKE '/Users/%/homebrew/%/bin/%'
+    AND alf_exceptions.path NOT LIKE '/Users/%/rekor-server'

net/unexpected-listening-port.sql

@@ -1,7 +1,7 @@
 SELECT lp.address, lp.port, lp.protocol, p.pid, p.name, p.path, p.cmdline, p.cwd, hash.sha256
 FROM listening_ports lp
-    JOIN processes p ON lp.pid = p.pid
-    JOIN hash ON p.path = hash.path
+    LEFT JOIN processes p ON lp.pid = p.pid
+    LEFT JOIN hash ON p.path = hash.path
 WHERE port != 0
     AND lp.address NOT IN ("224.0.0.251", "::1")
     AND lp.address NOT LIKE "127.0.0.%"
@@ -40,7 +40,7 @@ WHERE port != 0
     AND NOT (p.name='kubectl' AND p.cmdline LIKE '%port-forward%' AND lp.port>1023 AND lp.protocol=6)
     AND NOT (p.name='metrics-sidecar' AND p.cwd='/' AND lp.port=8000 AND lp.protocol=6)
     AND NOT (p.name='NetworkManager' AND p.cwd='/' AND lp.port=58 AND lp.protocol=255)
-    AND NOT (p.name='nginx' AND p.cwd='/' AND lp.port=80 AND lp.protocol=6)
+    AND NOT (p.name IN ('nginx', 'crc') AND p.cwd='/' AND lp.port IN (80,443) AND lp.protocol=6)
     AND NOT (p.name='plugin-container' AND lp.port>32000 AND lp.protocol IN (6,17))
     AND NOT (p.name='node' AND lp.port>1024 AND lp.protocol = 6)
     AND NOT (p.name IN ('registry', 'registry-redirect') AND lp.port>1024 AND lp.protocol = 6)
@@ -65,21 +65,32 @@ WHERE port != 0
     AND NOT (p.name='hugo' AND lp.port>1024 AND lp.protocol=6)
     AND NOT (p.name='IPNExtension' AND p.cwd LIKE '/Users/%/Library/Containers/io.tailscale.ipn.macos.network-extension/Data' AND lp.port>32000 AND lp.protocol IN (6,17))
     AND NOT (p.name='launchd' AND p.cwd='/' AND lp.port=22 AND lp.protocol=6)
-    AND NOT (p.name IN ('LogiMgrDaemon', 'rapportd', 'AirPlayXPCHelper', 'Sketch', 'SketchMirrorHelper') AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
+    AND NOT (p.name='GarageBand' AND lp.port=51100 AND lp.protocol=6)
+
     AND NOT (p.name='mariadbd' AND p.cwd='/opt/homebrew/var/mysql' AND lp.port=3306 AND lp.protocol=6)
     AND NOT (p.name='node' AND p.cwd LIKE '/Users/%/app' AND lp.port>5000 AND lp.protocol=6)
     AND NOT (p.name='mysqld' AND port IN (3306,33060) AND lp.protocol=6)
     AND NOT (p.name='apcupsd' AND p.cwd='/' AND lp.port=3551 AND lp.protocol=6)
     AND NOT (p.name='rapportd' AND p.cwd='/' AND lp.port=3722 AND lp.protocol=17)
-    AND NOT (p.name='1Password-BrowserSupport' AND lp.port >49000 AND lp.protocol=6)
-    AND NOT (p.name='remoted' AND p.cwd='/' AND lp.port>49000 AND lp.protocol IN (6,17))
     AND NOT (p.name='RescueTime' AND p.cwd='/' AND lp.port=16587 AND lp.protocol=6)
     AND NOT (p.name='kdenlive' AND lp.port=1337 AND lp.protocol=6)
     AND NOT (p.name='sharingd' AND p.cwd='/' AND lp.port IN (8770,8771) AND lp.protocol=6)
     AND NOT (p.name='syncthing' AND lp.port > 20000 AND lp.protocol IN (6,17))
-    AND NOT (p.name='steam' AND lp.port = 270366 AND lp.protocol IN (6,17))
+    AND NOT (p.name='steam' AND lp.port >20000 AND lp.protocol IN (6,17))
     AND NOT (p.name='systemd-resolve' AND p.cwd='/' AND lp.port=5355 AND lp.protocol IN (6,17))
-    AND NOT (p.name='vpnkit-bridge' AND p.cwd LIKE '/Users/%/Library/Containers/com.docker.docker/Data' AND lp.port>49000 AND lp.protocol=6)
-    AND NOT (p.name='com.docker.vpnkit' AND lp.port>49000 AND lp.protocol=6)
     AND NOT (p.name='X11.bin' AND lp.port=6000 AND lp.protocol=6)
     AND NOT (p.path LIKE "/ko-app/%" AND lp.port > 1024 and lp.protocol=6)
+
+    -- Ephemerals
+    AND NOT (p.name IN (
+        'LogiMgrDaemon',
+        'rapportd',
+        'vpnkit-bridge',
+        'com.docker.vpnkit',
+        '1Password-BrowserSupport',
+        'remoted',
+        'AirPlayXPCHelper',
+        'Sketch',
+        'SketchMirrorHelper'
+    ) AND lp.port>49000 AND lp.protocol IN (6,17))
+

process/hidden-cwd.sql

@@ -17,6 +17,7 @@ p.cwd LIKE "%/.%" AND NOT (
     p.cwd LIKE "%/.vscode/extensions%" OR
     p.cwd LIKE "/Users/%/.%" OR
     p.cwd LIKE "/home/%/.%" OR
+    p.cwd LIKE "/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%" OR
     p.name = 'bindfs' OR
     p.path="/usr/libexec/dirhelper"
 )

process/missing-from-disk-linux.sql

@@ -1,7 +1,11 @@
-SELECT processes.pid, processes.cmdline, processes.path, mnt_namespace
-FROM processes
-LEFT JOIN process_namespaces ON processes.pid=process_namespaces.pid
-WHERE on_disk != 1
+SELECT p.pid, p.cmdline, p.path, mnt_namespace, p.cwd,
+p.on_disk, p.state, pp.on_disk AS parent_on_disk, pp.path AS parent_path, pp.cmdline AS parent_cmdline, pp.cwd AS parent_cwd,
+ph.sha256 AS parent_sha256
+FROM processes p
+LEFT JOIN process_namespaces ON p.pid=process_namespaces.pid
+LEFT JOIN processes pp ON p.parent = pp.pid
+LEFT JOIN hash ph ON pp.path = ph.path
+WHERE p.on_disk != 1 AND p.path != ""
 -- use osquery as the reference mount namespace
 AND mnt_namespace IN (
         SELECT DISTINCT(mnt_namespace)
@@ -9,8 +13,7 @@ AND mnt_namespace IN (
         JOIN processes ON processes.pid = process_namespaces.pid
         WHERE processes.name IN ('osqueryi', 'osqueryd')
 )
-AND path NOT IN (
-    "",
+AND p.path NOT IN (
     "/opt/google/chrome/chrome",
     "/usr/bin/containerd",
     "/usr/bin/dbus-broker-launch",
@@ -22,3 +25,7 @@ AND path NOT IN (
     "/opt/google/chrome/chrome_crashpad_handler",
     "/opt/google/chrome/nacl_helper"
 )
+
+-- AppImage
+AND p.path NOT LIKE "/tmp/.mount_%/usr/bin/%"
+AND p.path NOT LIKE "/Users/%/%/%.test"

process/missing-from-disk-macos.sql

@@ -1,6 +1,8 @@
-SELECT p.pid, p.path, p.parent, p.state, p.cwd, p.gid, p.uid, p.euid, p.cmdline, p.on_disk, p.state, pp.on_disk AS parent_on_disk, pp.path AS parent_path, pp.cmdline AS parent_cmdline, hash.sha256 AS parent_hash
+SELECT p.pid, p.path, p.parent, p.state, p.cwd, p.gid, p.uid, p.euid, p.cmdline, p.cwd,
+p.on_disk, p.state, pp.on_disk AS parent_on_disk, pp.path AS parent_path, pp.cmdline AS parent_cmdline,
+pp.cwd AS parent_cwd, hash.sha256 AS parent_sha256
 FROM processes p
-JOIN processes pp ON p.parent = pp.pid
+LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON pp.path = hash.path
 WHERE p.on_disk != 1
 AND p.pid > 0
@@ -14,6 +16,7 @@ AND NOT (
     (
         pp.path LIKE "/Applications/Docker.app/Contents/%"
         OR pp.path LIKE "/Users/%/Library/Application Support/Figma/FigmaAgent.app/Contents/MacOS/figma_agent"
+        OR pp.path = '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService'
         OR p.path LIKE "/opt/homebrew/Cellar/%"
         OR p.path LIKE "/private/var/folders/%/Visual Studio Code.app/Contents/%"
         OR p.path LIKE "%.sandboxTrash/Slack.app%"

process/unexpected-executable-directory.sql

@@ -39,7 +39,7 @@ WHERE dirname NOT LIKE '/Applications/%.app/%'
     AND dirname NOT LIKE '/Users/%/Library/Application Support/%'
     AND dirname NOT LIKE '/usr/libexec/%'
     AND dirname NOT LIKE '/usr/local/%/bin/%'
-    AND dirname NOT LIKE '/usr/local/%/dist/%'
+    AND dirname NOT LIKE '/usr/local/%/dist'
     AND dirname NOT LIKE '/usr/local/%bin'
     AND dirname NOT LIKE '/usr/local/%libexec'
     and dirname NOT LIKE '/usr/local/Cellar/%'

process/unexpected-executable-permissions.sql

@@ -23,3 +23,4 @@ WHERE f.mode NOT IN (
 AND NOT (f.path = '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService' AND f.mode = '0777' AND f.uid>500)
 AND NOT (f.path = '/usr/bin/fusermount3' AND f.mode='4755')
 AND NOT (f.path = '/opt/1Password/1Password-KeyringHelper' AND f.mode='6755')
+AND NOT (f.path = '/usr/libexec/cups/backend/ipp' AND f.mode='0700')

process/unexpected-privilege-escalation.sql

@@ -17,7 +17,14 @@ WHERE p.euid < pp.euid
         '/usr/bin/login',
         '/usr/bin/sudo',
         '/usr/bin/doas',
-        '/bin/ps'
+        '/bin/ps',
+        '/usr/bin/top'
     )
     AND p.path NOT LIKE "/nix/store/%/bin/sudo"
     AND p.path NOT LIKE "/nix/store/%/bin/dhcpcd"
+    AND NOT (
+        p.name = 'polkit-agent-he' AND parent_path='/usr/bin/gnome-shell'
+    )
+    AND NOT (
+        p.name = 'fusermount3' AND parent_path='/usr/lib/xdg-document-portal'
+    )

process/unexpected-shell-parents.sql

@@ -68,7 +68,11 @@ WHERE p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
     AND NOT parent_name LIKE "Emacs%"
     AND NOT parent_name LIKE "%term%"
     AND NOT parent_name LIKE "%Term%"
+    AND NOT p.cmdline LIKE "%gcloud config config-helper%"
+    AND NOT p.cmdline LIKE "%/Library/Apple/System/Library/InstallerSandboxes%"
+    AND NOT parent_cmdline LIKE "%gcloud.py config config-helper%"
     AND NOT (parent_name='sshd' AND p.cmdline LIKE "%askpass%")
+    AND NOT parent_path LIKE "/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent"
 
     -- Oh, NixOS.
     AND NOT parent_name LIKE "%/bin/bash"

process_events/exotic-command-events.sql

@@ -26,10 +26,17 @@ WHERE p.time > (strftime('%s', 'now') -300)
         '/usr/bin/kmod'
     )
     -- Things that could reasonably happen at boot.
+    AND NOT (p.path="/usr/bin/kmod" AND parent_path="/usr/lib/systemd/systemd" AND parent_cmdline="/sbin/init")
+
     AND NOT (
         p.path = '/usr/bin/kmod'
         AND uptime.total_seconds < 15
     )
+    -- gpgtools
+    AND NOT (
+        p.path = '/usr/bin/mkfifo'
+        AND p.cmdline LIKE "%/org.gpgtools.log.%/fifo"
+    )
     -- Docker
     AND NOT (
         p.path = '/usr/bin/kmod'
@@ -37,6 +44,8 @@ WHERE p.time > (strftime('%s', 'now') -300)
     )
     AND NOT p.cmdline LIKE 'modprobe -va%'
     AND NOT p.cmdline LIKE 'modprobe -ab%'
+    AND NOT p.cmdline LIKE '%modprobe overlay'
+    AND NOT p.cmdline LIKE '%modprobe aufs'
     AND NOT p.cmdline IN (
         'lsmod'
     )

process_events/sketchy-fetcher-events.sql

@@ -83,5 +83,7 @@ WHERE p.time > (strftime('%s', 'now') -300)
             OR p.cmdline LIKE "--progress-bar"
             OR parent_cmdline LIKE "%brew.rb%"
             OR parent_cmdline LIKE "%brew.sh%"
+            OR p.cmdline LIKE "git %"
+            OR p.cmdline LIKE "%LICENSES/vendor/%"
         )
     )