diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql
new file mode 100644
index 0000000..61dc1e8
--- /dev/null
+++ b/policy/gcp-service-account-keys-mdfind.sql
@@ -0,0 +1,37 @@
+-- Indicative of stored GCP service account keys just sitting around unencrypted
+--
+-- tags: persistent state filesystem
+-- platform: darwin
+SELECT
+ file.path,
+ file.size,
+ datetime(file.btime, 'unixepoch') AS file_created,
+ magic.data,
+ hash.sha256,
+ ea.value AS url
+FROM
+ mdfind
+ LEFT JOIN file ON mdfind.path = file.path
+ LEFT JOIN users u ON file.uid = u.uid
+ LEFT JOIN hash ON mdfind.path = hash.path
+ LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
+ LEFT JOIN magic ON mdfind.path = magic.path
+ LEFT JOIN signature ON mdfind.path = signature.path
+WHERE
+ mdfind.query = "kMDItemFSName == '*.json'"
+ AND file.filename LIKE "%-%-%.json"
+ AND file.directory NOT LIKE '%/go/pkg/%'
+ AND file.directory NOT LIKE '%/go/src/%'
+ AND file.directory NOT LIKE '/Users/%/Library/Application Support/%'
+ AND file.directory NOT LIKE '%demo'
+ AND file.size BETWEEN 2311 AND 2385
+ -- Don't alert on tokens that begin with the username-, as they may be personal
+ AND NOT INSTR(file.filename, CONCAT (u.username, "-")) == 1
+ -- Don't alert on tokens that begin with the users full name and a dash
+ AND NOT INSTR(
+ file.filename,
+ REPLACE(LOWER(TRIM(u.description)), " ", "-")
+ ) == 1
+ -- Common filenames that are non-controversial
+ AND file.filename NOT IN ('service-account-file.json')
+GROUP BY file.path
diff --git a/policy/unexpected-rsa-keys-mdfind.sql b/policy/unexpected-rsa-keys-mdfind.sql
new file mode 100644
index 0000000..cf34812
--- /dev/null
+++ b/policy/unexpected-rsa-keys-mdfind.sql
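Review bot: The full-name exclusion near the end of the WHERE clause silently drops every file owned by a user whose `users.description` is empty: `TRIM('')` stays `''`, SQLite's `INSTR(x, '')` returns 1, and `NOT 1` is false, so the row is filtered out whatever the filename; a NULL description evaluates the whole predicate to NULL and the row is dropped as well. Guard the clause so an absent description is a no-op, e.g. `AND (COALESCE(TRIM(u.description), '') = '' OR INSTR(file.filename, REPLACE(LOWER(TRIM(u.description)), ' ', '-')) != 1)`. The same clause is copied into both unexpected-rsa-keys hunks. The username clause has a related, unconfirmed gap: when `file.uid` has no row in `users`, `CONCAT (u.username, "-")` may yield NULL and the row would again be dropped rather than reported, so it is worth checking how osquery's CONCAT treats a NULL argument. The `signature` join projects no column, so `LEFT JOIN signature ON mdfind.path = signature.path` only adds per-file code-signature work here and in the RSA mdfind query; drop it unless a column from it is intended.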
@@ -0,0 +1,33 @@
+-- Indicative of stored RSA keys just sitting around unencrypted
+--
+-- tags: persistent state filesystem
+-- platform: darwin
+SELECT
+ file.path,
+ file.size,
+ datetime(file.btime, 'unixepoch') AS file_created,
+ magic.data,
+ hash.sha256,
+ ea.value AS url
+FROM
+ mdfind
+ LEFT JOIN file ON mdfind.path = file.path
+ LEFT JOIN users u ON file.uid = u.uid
+ LEFT JOIN hash ON mdfind.path = hash.path
+ LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
+ LEFT JOIN magic ON mdfind.path = magic.path
+ LEFT JOIN signature ON mdfind.path = signature.path
+WHERE
+ mdfind.query = "kMDItemFSName == '*.rsa'"
+ AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
+ AND size BETWEEN 128 AND 8192
+ -- Don't alert on tokens that begin with the username-, as they may be personal
+ AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
+ -- Don't alert on tokens that begin with the users full name and a dash
+ AND NOT INSTR(
+ filename,
+ REPLACE(LOWER(TRIM(description)), " ", "-")
+ ) == 1
+ -- Common filenames that are non-controversial
+
+GROUP BY file.path
diff --git a/policy/unexpected-rsa-keys.sql b/policy/unexpected-rsa-keys.sql
new file mode 100644
index 0000000..b9ae6d8
--- /dev/null
+++ b/policy/unexpected-rsa-keys.sql
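Review bot: The trailing `-- Common filenames that are non-controversial` comment now introduces only an empty line and `GROUP BY file.path`, because the `AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')` exclusion it describes sits at the top of the WHERE clause instead; move the comment directly above that line and delete the empty added line. The predicates also mix bare `size`, `filename` and `description` with the qualified `file.filename` two lines earlier, whereas the GCP query in the same commit writes `file.size`, `file.filename` and `u.description`; qualifying them here keeps the policies consistent and makes it visible that `description` is a `users` column, not a `file` one. The string literals `"kMDItemFSName == '*.rsa'"`, `"-"` and `" "` use double quotes while `'unixepoch'` and `'where_from'` in the same query use single quotes; single quotes are the SQL string form and avoid depending on SQLite's double-quoted-string fallback.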
@@ -0,0 +1,47 @@
+-- Indicative of stored RSA keys just sitting around unencrypted
+--
+-- tags: persistent state filesystem seldom
+-- platform: posix
+SELECT
+ file.path,
+ file.type,
+ file.size,
+ file.mtime,
+ file.uid,
+ file.ctime,
+ file.gid,
+ hash.sha256,
+ magic.data
+FROM
+ file
+ LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN users u ON file.uid = u.uid
+ LEFT JOIN magic ON file.path = magic.path
+WHERE
+ (
+ file.directory LIKE '/Users/%/Downloads/%'
+ OR file.directory LIKE '/home/%/%'
+ OR file.directory LIKE '/home/%/'
+ OR file.directory LIKE '/home/%/.%'
+ OR file.directory LIKE '/home/%/Downloads/%'
+ OR file.directory LIKE '/tmp/%'
+ OR file.directory LIKE '/tmp/'
+ OR file.directory LIKE '/Users/%/%'
+ OR file.directory LIKE '/Users/%/'
+ OR file.directory LIKE '/Users/%/.%'
+ OR file.directory LIKE '/var/tmp/%'
+ OR file.directory LIKE '/var/tmp/'
+ )
+ AND file.directory NOT LIKE "%/../%"
+ AND file.directory NOT LIKE "%/./%"
+ AND filename LIKE "%.rsa"
+ AND size BETWEEN 128 AND 8192
+ -- Don't alert on tokens that begin with the username-, as they may be personal
+ AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1
+ -- Don't alert on tokens that begin with the users full name and a dash
+ AND NOT INSTR(
+ filename,
+ REPLACE(LOWER(TRIM(description)), " ", "-")
+ ) == 1
+ -- Common filenames that are non-controversial
+ AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
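Review bot: The time columns are reported inconsistently with the darwin twin of this policy: this query emits `file.mtime` and `file.ctime` as raw epoch integers, while unexpected-rsa-keys-mdfind.sql renders `datetime(file.btime, 'unixepoch') AS file_created`; emitting `datetime(file.mtime, 'unixepoch') AS file_modified` and `datetime(file.ctime, 'unixepoch') AS file_changed` would make the two reports read alike. The WHERE clause also switches from single-quoted LIKE patterns in the directory list to double-quoted ones in `NOT LIKE "%/../%"`, `NOT LIKE "%/./%"` and `filename LIKE "%.rsa"`, and from qualified `file.directory` to bare `filename`, `size` and `description` before returning to `file.filename` on the last line; pick single quotes and full qualification (`file.filename`, `file.size`, `u.description`) throughout. The empty-description exclusion problem noted on the GCP hunk applies unchanged to the `REPLACE(LOWER(TRIM(description)), " ", "-")` clause here.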