Commit Graph

1312 Commits

Author SHA1 Message Date
Thomas Strömberg dec9896aae
Merge pull request #389 from tstromberg/makefile-type
policy.conf: Fix makefile typo (extra o)
2024-09-24 16:06:15 -04:00
Thomas Stromberg cae297a6b8
policy.conf: Fix makefile typo (extra o)
2024-09-24 15:57:29 -04:00
Thomas Strömberg a6c38daf2d
Merge pull request #388 from tstromberg/net-events
Add events and extra tags to relevant event-based queries
2024-09-24 15:53:07 -04:00
Thomas Strömberg 8cda6d48f6
Merge pull request #387 from tstromberg/fpr-sep24
fpr: cups, zed, pycharm, msedge, surfshark, ubiquiti
2024-09-24 15:52:57 -04:00
Thomas Stromberg 6aab8fdfb6
Add events and extra tags to relevant event-based queries
2024-09-24 15:36:03 -04:00
Thomas Stromberg 8d583131ca
fpr: cups, zed, pycharm, msedge, surfshark, ubiquiti
2024-09-24 15:10:21 -04:00
Thomas Strömberg d6b17a0534
Merge pull request #385 from tstromberg/fpr-sep23
fpr: sequoia, osquery, cups, atops, transmission, nvidia, surfshark
2024-09-23 11:26:16 -04:00
Thomas Stromberg d14d5429e8
swap extra tag between udev and systemd
2024-09-23 11:24:03 -04:00
Thomas Stromberg 5255539777
extend timeout to 16s
2024-09-23 11:20:44 -04:00
Thomas Stromberg fc97970e9c
extend timeout to 12s
2024-09-23 11:20:34 -04:00
Thomas Stromberg c26be487b8
Mark udev as 'extra' for now (disabled by default)
2024-09-23 11:19:16 -04:00
Thomas Stromberg b85b9d550f
fix more linux quirks
2024-09-23 11:18:40 -04:00
Thomas Stromberg 47401947d5
fix verify errors
2024-09-23 11:10:05 -04:00
Thomas Stromberg 4d0a9fd533
fpr: sequoia, osquery, cups, atops, transmission, etc
2024-09-23 11:07:53 -04:00
Thomas Strömberg df577d4f1c
Merge pull request #384 from tstromberg/fpr-aug27
fpr: the largest of 2024 🎉
2024-08-27 19:06:00 -04:00
Thomas Stromberg edc1710003
remove duplicate tag
2024-08-27 18:47:02 -04:00
Thomas Stromberg b976189cf3
run 'make reformat'
2024-08-27 18:45:06 -04:00
Thomas Strömberg 73f76d5f1d
Merge pull request #383 from tstromberg/suspicious-systemd
new detection: suspicious systemd units
2024-08-27 18:42:32 -04:00
Thomas Stromberg 4b10d10520
False-positives be damned
2024-08-27 18:40:43 -04:00
Thomas Strömberg 342aeda543
Merge pull request #382 from tstromberg/active-systemd
active systemd units: populate more in-the-wild examples
2024-08-27 12:06:58 -04:00
Thomas Stromberg 157d7d2850
Add ExecStop=/opt exception
2024-08-27 12:06:48 -04:00
Thomas Stromberg fa497a7fc2
Improve comments
2024-08-26 21:16:22 -04:00
Thomas Stromberg d7b6c51435
new detection: suspicious systemd units
2024-08-26 21:11:15 -04:00
Thomas Stromberg 783cb7633c
improve boot-sysctl entry
2024-08-26 21:10:08 -04:00
Thomas Stromberg 8e3996ba1a
active systemd: populate more in-the-wild content
2024-08-26 21:06:57 -04:00
Thomas Strömberg 7f6078e233
Merge pull request #381 from tstromberg/packed
new detection: recently downloaded files which have been packed
2024-08-26 16:10:09 -04:00
Thomas Stromberg 695b403b4b
Detect recently downloaded files which have been packed
2024-08-26 15:03:25 -04:00
Thomas Strömberg 0d46dcb083
Merge pull request #380 from tstromberg/udev
linux udevd: replace file-size based detection with YARA rules
2024-08-26 12:49:37 -04:00
Thomas Strömberg 7d468b6166
Merge pull request #379 from tstromberg/fpr-aug20
unexpected https: add GitHub to exceptions list
2024-08-26 12:49:24 -04:00
Thomas Strömberg b04c3eb48d
Merge pull request #378 from tstromberg/fpr-aug12
fpr: syft, krunner, k9s, espeak, chainctl, supermaven
2024-08-26 12:49:14 -04:00
Thomas Stromberg 16dd18a1ea
Improve targeting accuracy
2024-08-26 12:25:17 -04:00
Thomas Stromberg f42d74213e
Remove obsolete small-udev entry query
2024-08-26 12:24:50 -04:00
Thomas Stromberg fb0f67b652
Improve discovery of udevd for persistence
2024-08-26 11:49:53 -04:00
Thomas Stromberg f2df771c36
unexpected https: add GitHub to exceptions list
2024-08-20 15:01:50 -04:00
Thomas Stromberg 1facce21f2
fpr: syft, krunner, k9s, espeak, chainctl, supermaven
2024-08-12 13:57:35 -04:00
Thomas Strömberg 2fcde3a133
Merge pull request #377 from tstromberg/fpr-jul26
fpr: sddm-helper, smartd, Xorg, elastic, WebEx, BambuStudio, keepass, etc.
2024-07-26 14:54:27 -04:00
Thomas Stromberg 39a7bdb55a
fix trailing comma
2024-07-26 14:54:07 -04:00
Thomas Stromberg 00a9f6450b
fpr: sddm-helper, smartd, Xorg, elastic, WebEx, BambuStudio, keepass, etc
2024-07-26 13:26:37 -04:00
Thomas Strömberg bf9c1e007f
Merge pull request #376 from tstromberg/fpr-jul13
Add Mailvelope and SABconnect, sort Chrome extensions
2024-07-23 11:17:12 -04:00
Thomas Strömberg aff147c740
Merge pull request #375 from egibs/20240718-exceptions
Add exceptions for 1Password, Docker's kubectl, Loom, ngrok, SAFEQ, and Zed
2024-07-23 11:16:56 -04:00
Thomas Stromberg d384201c9e
Add Mailvelope and SABconnect, sort extensions
2024-07-23 09:11:22 -04:00
egibs 9367f41f81
Remove 1Password and Loom exception duplicates; add Vim for Google Docs
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-22 07:41:21 -05:00
egibs 7a1c723e98
Use emdashes
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-19 07:18:40 -05:00
egibs 3de6559b5f
Add exceptions for 1Password and Loom Chrome extensions
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 16:59:05 -05:00
egibs cf4f0d62c2
Add ngrok to unexpected-talkers-macos
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 13:39:07 -05:00
egibs c9ae0805e2
Add exceptions for Docker's kubectl, ngrok, SAFEQ, and Zed
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-18 07:25:04 -05:00
Thomas Strömberg 55c9fd1c03
Merge pull request #374 from egibs/20240715-allows
2024-07-15 17:39:37 -04:00
egibs cfb7142803
Add Cyberduck
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-15 14:40:57 -05:00
egibs 71d2857db2
Add allows for various alerts seen 2024-07-15
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-07-15 13:27:27 -05:00
Thomas Strömberg 7ebe6a30c1
Merge pull request #373 from tstromberg/fpr-jul12
fpr: kas, bitnami, redis, bincapz, kolide, docker, whatsapp, rpm-ostree
2024-07-12 17:15:32 -04:00