RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add exception for /usr/bin/bash

This commit is contained in:
Thomas Stromberg 2022-10-27 10:41:14 -04:00
parent 5da942402b
commit ffbc65697f
Failed to extract signature
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
detection/execution/recently-created-executables-linux.sql
View File

@ -37,7 +37,7 @@ WHERE
AND (p.start_time - MAX(f.ctime, f.btime)) < 180
AND p.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
-- These are binaries that get installed/updated often enough that we should just mask them
-- These are binaries that are known to get updated and subsequently executed
AND NOT p.path IN (
'',
'/opt/google/chrome/chrome',
@ -45,6 +45,7 @@ WHERE
'/opt/google/chrome/nacl_helper',
'/usr/bin/containerd',
'/usr/bin/dockerd',
'/usr/bin/bash',
'/usr/bin/gedit',
'/usr/bin/obs',
'/usr/bin/docker-proxy',