Commit Graph

681 Commits

Author SHA1 Message Date
Thomas Stromberg
00398d447b
Look for setuid binaries in /usr/libexec too 2023-02-17 10:41:28 -05:00
Thomas Stromberg
bc359d69ce
Linux events: decrease CPU usage of elevated children & execdir 2023-02-17 10:40:58 -05:00
Thomas Stromberg
ec675bfb8d
New detector: unexpected ssh-authorized-keys 2023-02-14 20:36:27 -05:00
Thomas Stromberg
5eefbd0dba
Add chattr, setenforce to unexpected-sysutils 2023-02-14 20:35:24 -05:00
Thomas Stromberg
cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg
0049ab06b1
Merge branch 'main' into wutang 2023-02-14 19:46:43 -05:00
Thomas Stromberg
8d4531198f
fpr: My ORA, Ecamm, setroubleshootd, etc 2023-02-14 19:46:36 -05:00
Thomas Strömberg
78cb030f40
Merge pull request #174 from tstromberg/wutang
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc
2023-02-14 08:33:45 -05:00
Thomas Stromberg
d897f0b50d
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc 2023-02-14 08:33:05 -05:00
Thomas Strömberg
059bdbb649
Merge pull request #173 from tstromberg/makefile
Makefile: Add reformat-updates target
2023-02-10 10:33:26 -05:00
Thomas Stromberg
ebb9780036
Makefile: Add reformat-updates target 2023-02-10 10:33:04 -05:00
Thomas Strömberg
d3d01bd5a1
Merge pull request #172 from tstromberg/allow-caddy
listening ports: Include caddy, kubectl, node in wider listening range
2023-02-10 10:32:49 -05:00
Thomas Stromberg
99f8793169
Remove com.docker.backend (macOS specific) 2023-02-10 10:32:14 -05:00
Thomas Stromberg
e8d86af906
Make sure caddy & kubectl are in the wider listening range 2023-02-10 10:31:19 -05:00
Thomas Strömberg
a53c5204d4
Merge pull request #171 from tstromberg/pack-analysis
New check: Launch Constraint Violation (macOS)
2023-02-10 10:24:42 -05:00
Thomas Stromberg
34282eacec
Increase polling interval to 15 min 2023-02-10 10:24:20 -05:00
Thomas Stromberg
0b6e503627
New check: Launch Constraint Violation (macOS) 2023-02-10 10:22:13 -05:00
Thomas Strömberg
900f6b3921
Merge pull request #170 from tstromberg/pack-analysis
False positive removal and minor query perf improvements
2023-02-10 10:21:38 -05:00
Thomas Stromberg
4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
Thomas Strömberg
3c346e722a
Merge pull request #169 from tstromberg/pack-analysis
FPR: spotify, htop, dnsmasq, sshd
2023-02-09 17:56:25 -05:00
Thomas Stromberg
593991adb8
Purge observed false positives 2023-02-09 17:54:41 -05:00
Thomas Strömberg
5286f8bf28
Merge pull request #168 from tstromberg/pack-analysis
Query performance improvements, add p0 pids, decrease query frequency
2023-02-09 17:06:52 -05:00
Thomas Stromberg
a1105fec93
Fix broken updates to exotic-commands-macos 2023-02-09 17:06:09 -05:00
Thomas Stromberg
a8ed058d4d
Query performance improvements, add pids, decrease frequency 2023-02-09 17:01:29 -05:00
Thomas Strömberg
db3d6e5787
Merge pull request #167 from tstromberg/fpr-catch-up
Remove cgroup from macOS reference fragment, add fragments README
2023-02-08 21:06:53 -05:00
Thomas Stromberg
b7681c3168
Remove cgroup from reference fragment, add README 2023-02-08 21:04:48 -05:00
Thomas Strömberg
ca316a0420
Merge pull request #166 from tstromberg/fpr-catch-up
Add exclusions for google-cloud-sdk & Blackmagic firmware
2023-02-08 20:55:53 -05:00
Thomas Strömberg
eef833287a
Merge pull request #164 from NACHOSWITHCHEESE/fixing-macos-detection-compatibility
Modified detections explicitly targeted towards macOS to not include cgroup field
2023-02-08 20:54:45 -05:00
Thomas Stromberg
209a5e08af
Add /Library/ThunderboltAcessoryFirmwareUpdates 2023-02-08 20:53:39 -05:00
Thomas Stromberg
eddefaae48
Fix gcloud exclusion, sort queries 2023-02-08 20:53:19 -05:00
Thomas Stromberg
3eb2c80d92
Add kubectl from google-cloud-sdk 2023-02-08 20:53:03 -05:00
Thomas Strömberg
4fc6d0627a
Merge pull request #165 from tstromberg/fpr-catch-up
Catch up to all the false-positives, optimize tmp finder queries
2023-02-08 20:11:04 -05:00
Thomas Stromberg
72326c3b5c
Massive reduction of false positives across the board 2023-02-08 20:06:26 -05:00
Thomas Stromberg
51151290fb
Refactor unexpected tmp executables for speed & decreased hits 2023-02-08 20:06:10 -05:00
echunduri
e44dc167e9
Modified detections explicitly targeted towards macOS to not include cgroup_path fields anymore 2023-02-09 10:57:03 +11:00
Thomas Stromberg
e57f03b89f
fpr: Opera, TextExpander, socket_vmnet, elive, etc 2023-02-08 15:12:10 -05:00
Thomas Stromberg
5274198687
Add exceptions for socket_vmnet and pnpd 2023-02-08 14:44:22 -05:00
Thomas Stromberg
2634e9d45b
Monday morning false-positive purge 2023-02-08 14:37:09 -05:00
Thomas Strömberg
bdcd0b0ec7
Merge pull request #163 from tstromberg/shlayer-like
New detector: sketchy-mounted-diskimage
2023-02-08 10:15:21 -05:00
Thomas Stromberg
c55c0225ac
Replace unexpected-vol-names with sketchy-mounted-diskimage 2023-02-08 10:14:32 -05:00
Thomas Strömberg
9bebd8a59a
Merge pull request #162 from tstromberg/fpr-again
Add local port and address to network queries
2023-02-08 10:13:39 -05:00
Thomas Stromberg
9652464b27
Add local port and address to network queries 2023-02-08 10:12:44 -05:00
Thomas Strömberg
1f3b78dac4
Merge pull request #160 from tstromberg/fpr-again
Remove false positives after the big process refactor
2023-02-02 21:47:39 -05:00
Thomas Stromberg
d302a9ff55
Purge false positives, again and again 2023-02-02 21:46:53 -05:00
Thomas Stromberg
9ea6486121
Fix start-iap-tunnel matching 2023-02-02 20:55:46 -05:00
Thomas Stromberg
2bdb9f2f3e
Add more macOS software authorities 2023-02-02 20:53:22 -05:00
Thomas Stromberg
668f012a92
Remove 'launchctl load' as an exotic event (too noisy) 2023-02-02 20:44:14 -05:00
Thomas Stromberg
1cf0a1e89d
Remove zsh from exotic list 2023-02-02 20:35:30 -05:00
Thomas Stromberg
f56930a05f
Merge remote-tracking branch 'upstream/main' 2023-02-02 20:34:19 -05:00
Thomas Strömberg
0eced9ec19
Merge pull request #159 from tstromberg/main
Add uid0 exception for Logitech
2023-02-02 20:34:10 -05:00