RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #423 from r0cketlad/main 

fpr: mostly uid0 things
This commit is contained in:
Dave Smith 2024-11-12 08:32:31 -05:00 committed by GitHub
parent 95ccc3dda1 ca768ca4fa
commit f610ee5e4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
detection/c2/unexpected-talkers-linux.sql
View File

@ -159,6 +159,7 @@ WHERE protocol > 0
'80,6,500,python3.11,0u,0g,dnf', '80,6,500,python3.11,0u,0g,dnf',
'80,6,500,python3.11,0u,0g,yum', '80,6,500,python3.11,0u,0g,yum',
'80,6,500,python3.12,0u,0g,pull-lp-source', '80,6,500,python3.12,0u,0g,pull-lp-source',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86', '80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86', '80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
'80,6,500,rpi-imager,0u,0g,rpi-imager', '80,6,500,rpi-imager,0u,0g,rpi-imager',

9
detection/persistence/unexpected-uid0-daemon-linux.sql
View File

@ -125,6 +125,7 @@ WHERE
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755', 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700', 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755', 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755', 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755', 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755', 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
@ -143,17 +144,20 @@ WHERE
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755', 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755', 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755', 'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
'dpkg,/usr/bin/dpkg,0,user.slice,user-1000.slice,0755',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500', 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500', 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500', 'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755', 'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755', 'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755', 'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755', 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755', 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755', 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755', 'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755', 'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
'frontend,/usr/bin/perl,0,user.slice,user-1000.slice,0755',
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755', 'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755', 'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755', 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
@ -190,6 +194,7 @@ WHERE
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755', 'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
'incusd,/usr/libexec/incus/incusd,0,system.slice,incus.service,0755', 'incusd,/usr/libexec/incus/incusd,0,system.slice,incus.service,0755',
'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755', 'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
'input-remapper-,/usr/bin/python3.13,0,system.slice,input-remapper.service,0755',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,', 'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,',
'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,0700', 'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,0700',
'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,', 'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,',
@ -313,7 +318,9 @@ WHERE
'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555', 'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755', 'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755', 'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755', 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755', 'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555', 'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755', 'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
@ -326,6 +333,7 @@ WHERE
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755', 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755', 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755', 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755', 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555', 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755', 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
@ -351,6 +359,7 @@ WHERE
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755', 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755', 'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755', 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555', 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755', 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755', 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',