mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-25 15:22:05 +00:00
fpr: docker, fish, Stream Deck, rsync, lima, macOS
This commit is contained in:
parent
25f7c2cacd
commit
f73263bece
@ -79,6 +79,7 @@ WHERE
|
||||
'ZaloCall,8.8.8.8,53',
|
||||
'Telegram,8.8.8.8,53',
|
||||
'Meeting Center,8.8.8.8,53',
|
||||
'limactl,8.8.8.8,53',
|
||||
'signal-desktop,8.8.8.8,53',
|
||||
'slack,8.8.8.8,53',
|
||||
'EpicWebHelper,8.8.4.4,53',
|
||||
|
@ -172,6 +172,7 @@ WHERE
|
||||
'500,git,0u,0g,git',
|
||||
'500,git-remote-http,0u,0g,git-remote-http',
|
||||
'500,git-remote-http,u,g,git-remote-http',
|
||||
'500,com.docker.backend,0u,0g,com.docker.back',
|
||||
'500,gitsign,0u,0g,gitsign',
|
||||
'500,gitsign,500u,0g,gitsign',
|
||||
'500,gitsign,500u,500g,gitsign',
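Review bot: The last field of `'500,com.docker.backend,0u,0g,com.docker.back'` is cut to fifteen characters while the second field carries the full name, and nothing in the hunk says why. If this is deliberate because the exception key is built from a process-name column that is truncated to a 15-character comm length, a trailing `-- name column is truncated to 15 chars` on that line would stop the next editor from "fixing" it to `com.docker.backend`, which would silently stop matching. If it is not deliberate, the entry never matches and the exception is dead. The enclosing IN list opens and closes outside the hunk.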
|
||||
|
@ -100,7 +100,9 @@ WHERE
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
'500,0,123,sntp',
|
||||
'500,0,443,com.google.one.NetworkExtension',
|
||||
'500,0,22,ssh',
|
||||
'500,0,443,com.apple.NRD.UpdateBrainService',
|
||||
'500,0,31488,sntp',
|
||||
'500,0,32768,ksfetch',
|
||||
'500,0,32768,syncthing',
|
||||
@ -132,14 +134,25 @@ WHERE
|
||||
'500,500,32768,cloud-sql-proxy',
|
||||
'500,500,32768,ksfetch',
|
||||
'500,500,4318,Code Helper (Plugin)',
|
||||
'500,500,80,Code Helper (Plugin)',
|
||||
'500,500,443,aws',
|
||||
'500,500,443,cloud_sql_proxy',
|
||||
'500,500,443,Code Helper (Plugin)',
|
||||
'500,500,443,Code Helper',
|
||||
'500,500,443,grype',
|
||||
'500,500,443,copilot-agent-macos-arm64',
|
||||
'500,500,443,Electron',
|
||||
'500,500,443,chainctl',
|
||||
'500,0,80,http',
|
||||
'500,500,443,figma_agent',
|
||||
'500,0,443,fwupdmgr',
|
||||
'500,500,443,GitX',
|
||||
'500,0,110,syncthing',
|
||||
'500,500,80,Code Helper (Plugin)',
|
||||
'500,500,80,ksfetch',
|
||||
'500,500,443,gitsign',
|
||||
'500,500,443,go',
|
||||
'500,0,443,OneDriveStandaloneUpdater',
|
||||
'500,500,443,ksfetch',
|
||||
'500,500,443,node',
|
||||
'500,500,443,old',
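Review bot: `'500,500,80,Code Helper (Plugin)'` appears twice in this hunk, on its fourth and eighteenth lines, so one of them is a no-op in the IN list; drop whichever is the new one. The list also interleaves `500,0,…` and `500,500,…` keys (`'500,0,80,http'`, `'500,0,443,fwupdmgr'` and `'500,0,110,syncthing'` sit between 443/500 entries), which is what makes such duplicates easy to miss; sorting the block would make the next review cheaper. The IN list opens and closes outside this hunk.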
|
||||
@ -148,6 +161,8 @@ WHERE
|
||||
'500,500,80,copilot-agent-macos-arm64',
|
||||
'500,500,80,node'
|
||||
)
|
||||
AND NOT exception_key LIKE '500,500,443,terraform%'
|
||||
AND NOT exception_key LIKE '500,0,%,chrome'
|
||||
AND NOT (
|
||||
basename = "Python"
|
||||
AND (
|
||||
|
@ -237,10 +237,17 @@ WHERE
|
||||
AND s.protocol = 6
|
||||
AND p.euid > 500
|
||||
)
|
||||
AND NOT (
|
||||
p.name = 'ruby'
|
||||
AND p.cmdline LIKE '%fluentd%'
|
||||
AND s.remote_port > 1024
|
||||
AND s.protocol = 6
|
||||
AND p.euid > 500
|
||||
)
|
||||
AND NOT (
|
||||
p.name = 'java'
|
||||
AND p.cmdline LIKE '/home/%/PhpStorm%'
|
||||
AND s.remote_port > 1024
|
||||
AND s.remote_port > 79
|
||||
AND s.protocol = 6
|
||||
AND p.euid > 500
|
||||
)
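Review bot: In the java/PhpStorm exclusion, `AND s.remote_port > 79` is redundant with `AND s.remote_port > 1024` on the line above it — any port above 1024 is already above 79 — so it should be dropped, or the intended bound stated once. If the intent was to also allow port 80 for this process, the two comparisons would need to be combined with OR rather than AND, which is a different rule. Whichever of the two NOT blocks is the one this hunk adds, the ruby/fluentd block uses a single `> 1024` bound, so keeping the java block in the same shape also keeps the exclusions consistent. The enclosing WHERE clause begins before this hunk.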
|
||||
|
@ -71,6 +71,8 @@ WHERE
|
||||
)
|
||||
OR exception_key LIKE '%sh,~/.Trash'
|
||||
)
|
||||
AND NOT pe.cwd LIKE '%/build/%'
|
||||
AND NOT pe.cwd LIKE '%/out/%'
|
||||
GROUP BY
|
||||
p.cmdline,
|
||||
p.cwd;
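Review bot: `AND NOT pe.cwd LIKE '%/build/%'` and `AND NOT pe.cwd LIKE '%/out/%'` exclude from this rule every event whose working directory contains those substrings anywhere in the path, not only conventional build trees; per the header counts (6 old, 8 new lines) these are the two added lines. A substring exclusion on a directory name is the easiest kind of allowlist to end up inside of by accident, so either a narrower anchor of the `'/home/%/…'` shape the other hunks in this commit use, if that is the real case, or a trailing comment naming which tooling produced the noise would help a later reviewer weigh the coverage lost. The surrounding condition starts outside the hunk.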
|
@ -79,6 +79,7 @@ WHERE
|
||||
'/Users/Shared/Relocated Items',
|
||||
'/Users/Shared/TechSmith'
|
||||
)
|
||||
OR file.path LIKE '/Users/Shared/Epic Games/%'
|
||||
OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
|
||||
OR (
|
||||
file.path LIKE "%.plist"
|
||||
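Review bot: `OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"` uses double quotes for a string, which SQLite accepts only by first trying to resolve it as an identifier and then falling back to a literal; the neighbouring entries use single quotes. Whichever of the Relocated-Items lines is the one added here, writing it as `OR file.path LIKE '/Users/Shared/Previously Relocated Items %/%'` removes the dependence on that fallback. The same single/double mix appears in the xdg list further down (`'udevadm'` between `"xdg-document-portal"` and `"xdg-desktop-portal-gnome"`) and in the lima exclusion (`p0_cmd LIKE "%lima/%"` next to `'%UserKnownHostsFile=/dev/null%'`). The enclosing OR chain continues outside this hunk.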
|
@ -94,6 +94,7 @@ WHERE
|
||||
"xdg-permission-store",
|
||||
"xdg-desktop-portal",
|
||||
"xdg-document-portal",
|
||||
'udevadm',
|
||||
"xdg-desktop-portal-gnome",
|
||||
"xdg-desktop-portal-gtk",
|
||||
"nm-applet",
|
||||
|
@ -95,7 +95,7 @@ WHERE
|
||||
)
|
||||
AND NOT (
|
||||
p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
|
||||
AND p1.name LIKE 'limactl%'
|
||||
AND p0_cmd LIKE "%lima/%"
|
||||
)
|
||||
AND NOT (
|
||||
p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
|
||||
|
@ -106,6 +106,7 @@ WHERE
|
||||
'Safari',
|
||||
'sh',
|
||||
'plasmashell',
|
||||
'rsync',
|
||||
'slack',
|
||||
'spotify',
|
||||
'steam',
|
||||
@ -131,6 +132,7 @@ WHERE
|
||||
'/app/libexec/mediawriter/helper',
|
||||
'/usr/bin/darktable',
|
||||
'/usr/libexec/snapd/snapd',
|
||||
'/usr/bin/rsync',
|
||||
'/usr/bin/dockerd',
|
||||
'/usr/bin/gnome-shell',
|
||||
'/usr/bin/teskdisk',
|
||||
|
@ -51,6 +51,7 @@ WHERE
|
||||
AND yara.count > 0
|
||||
AND p0.name NOT IN (
|
||||
'old',
|
||||
'stable',
|
||||
'fig-darwin-universal',
|
||||
'wezterm-gui'
|
||||
)
|
||||
|
@ -144,6 +144,7 @@ WHERE
|
||||
'flipperzero.one',
|
||||
'dl.google.com',
|
||||
'duckduckgo.com',
|
||||
'go.dev',
|
||||
'dygma.com',
|
||||
'emacsformacosx.com',
|
||||
'getkap.co',
|
||||
|
@ -46,7 +46,8 @@ WHERE p0.path != '' -- optimization: focus on longer running processes
|
||||
'/usr/lib/electron/chrome-sandbox',
|
||||
'/usr/bin/i3blocks'
|
||||
)
|
||||
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
|
||||
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
|
||||
AND p0.path NOT LIKE '/home/%/go/bin/%'
|
||||
AND pos.family != 1
|
||||
AND pos.pid > 0
|
||||
AND pos.state != 'LISTEN'
|
||||
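Review bot: `AND p0.path NOT LIKE '/home/%/go/bin/%'` — the added line, going by the 7→8 count — exempts every binary under any user's go/bin from this rule by path alone, with no name, signature or parent constraint, whereas the entries above it list specific paths. That is a blanket exemption for a directory users routinely install arbitrary tools into; if the noise comes from a handful of Go tools, naming them the way `'stern'` was added to the NOT IN on the previous line keeps the rule's coverage. Otherwise a trailing comment in the `-- optimization:` style already used on this line's neighbours should record why the whole directory is exempt. The WHERE clause begins before and continues after the hunk.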
|
@ -34,6 +34,7 @@ WHERE
|
||||
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
|
||||
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R)',
|
||||
'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
|
||||
'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
|
||||
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
|
||||
|
@ -125,6 +125,7 @@ WHERE
|
||||
'53,6,65,mDNSResponder,Software Signing',
|
||||
'5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
|
||||
'546,17,0,configd,Software Signing',
|
||||
'49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
|
||||
'547,17,500,dhcp6d,Software Signing',
|
||||
'5900,6,0,launchd,Software Signing',
|
||||
'5900,6,0,screensharingd,Software Signing',
|
||||
|
@ -76,6 +76,7 @@ WHERE
|
||||
AND exception_key NOT IN (
|
||||
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
|
||||
'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
|
||||
'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
|
||||
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
|
||||
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
|
||||
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
|
||||
|
@ -67,7 +67,7 @@ WHERE
|
||||
$avahi = "avahi-daemon:"
|
||||
$redhat4 = "Red Hat 4"
|
||||
condition:
|
||||
filesize < 10MB and 2 of them
|
||||
filesize < 25MB and 3 of them
|
||||
}'
|
||||
AND yara.count > 0
|
||||
AND p0.name NOT IN (
|
||||
@ -88,12 +88,18 @@ WHERE
|
||||
'/usr/bin/bash',
|
||||
'/usr/bin/gnome-software',
|
||||
'/usr/bin/gpg-agent',
|
||||
'/bin/fish',
|
||||
'/usr/bin/fish',
|
||||
'/usr/bin/ibus-daemon',
|
||||
'/usr/bin/make',
|
||||
'/usr/bin/docker-proxy',
|
||||
'/usr/bin/NetworkManager',
|
||||
'/usr/bin/nvidia-persistenced',
|
||||
'/usr/lib/systemd/systemd-machined',
|
||||
'/usr/bin/pulseaudio',
|
||||
'/usr/bin/udevadm',
|
||||
'/usr/sbin/crond',
|
||||
'/usr/sbin/gdm',
|
||||
'/usr/bin/update-notifier',
|
||||
'/usr/bin/Xwayland',
|
||||
'/usr/lib/bluetooth/bluetoothd',
|
||||
|