RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
672 Commits 1 Branch 31 Tags 5.7 MiB
Commit Graph

672 Commits

Author SHA1 Message Date
Thomas Strömberg 059bdbb649
Merge pull request #173 from tstromberg/makefile 
Makefile: Add reformat-updates target
 2023-02-10 10:33:26 -05:00
Thomas Stromberg ebb9780036
Makefile: Add reformat-updates target 2023-02-10 10:33:04 -05:00
Thomas Strömberg d3d01bd5a1
Merge pull request #172 from tstromberg/allow-caddy 
listening ports: Include caddy, kubectl, node in wider listening range
 2023-02-10 10:32:49 -05:00
Thomas Stromberg 99f8793169
Remove com.docker.backend (macOS specific) 2023-02-10 10:32:14 -05:00
Thomas Stromberg e8d86af906
Make sure caddy & kubectl are in the wider listening range 2023-02-10 10:31:19 -05:00
Thomas Strömberg a53c5204d4
Merge pull request #171 from tstromberg/pack-analysis 
New check: Launch Constraint Violation (macOS)
 2023-02-10 10:24:42 -05:00
Thomas Stromberg 34282eacec
Increase polling interval to 15 min 2023-02-10 10:24:20 -05:00
Thomas Stromberg 0b6e503627
New check: Launch Constraint Violation (macOS) 2023-02-10 10:22:13 -05:00
Thomas Strömberg 900f6b3921
Merge pull request #170 from tstromberg/pack-analysis 
False positive removal and minor query perf improvements
 2023-02-10 10:21:38 -05:00
Thomas Stromberg 4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
Thomas Strömberg 3c346e722a
Merge pull request #169 from tstromberg/pack-analysis 
FPR: spotify, htop, dnsmasq, sshd
 2023-02-09 17:56:25 -05:00
Thomas Stromberg 593991adb8
Purge observed false positives 2023-02-09 17:54:41 -05:00
Thomas Strömberg 5286f8bf28
Merge pull request #168 from tstromberg/pack-analysis 
Query performance improvements, add p0 pids, decrease query frequency
 2023-02-09 17:06:52 -05:00
Thomas Stromberg a1105fec93
Fix broken updates to exotic-commands-macos 2023-02-09 17:06:09 -05:00
Thomas Stromberg a8ed058d4d
Query performance improvements, add pids, decrease frequency 2023-02-09 17:01:29 -05:00
Thomas Strömberg db3d6e5787
Merge pull request #167 from tstromberg/fpr-catch-up 
Remove cgroup from macOS reference fragment, add fragments README
 2023-02-08 21:06:53 -05:00
Thomas Stromberg b7681c3168
Remove cgroup from reference fragment, add README 2023-02-08 21:04:48 -05:00
Thomas Strömberg ca316a0420
Merge pull request #166 from tstromberg/fpr-catch-up 
Add exclusions for google-cloud-sdk & Blackmagic firmware
 2023-02-08 20:55:53 -05:00
Thomas Strömberg eef833287a
Merge pull request #164 from NACHOSWITHCHEESE/fixing-macos-detection-compatibility 
Modified detections explicitly targeted towards macOS to not include cgroup field
 2023-02-08 20:54:45 -05:00
Thomas Stromberg 209a5e08af
Add /Library/ThunderboltAcessoryFirmwareUpdates 2023-02-08 20:53:39 -05:00
Thomas Stromberg eddefaae48
Fix gcloud exclusion, sort queries 2023-02-08 20:53:19 -05:00
Thomas Stromberg 3eb2c80d92
Add kubectl from google-cloud-sdk 2023-02-08 20:53:03 -05:00
Thomas Strömberg 4fc6d0627a
Merge pull request #165 from tstromberg/fpr-catch-up 
Catch up to all the false-positives, optimize tmp finder queries
 2023-02-08 20:11:04 -05:00
Thomas Stromberg 72326c3b5c
Massive reduction of false positives across the board 2023-02-08 20:06:26 -05:00
Thomas Stromberg 51151290fb
Refactor unexpected tmp executables for speed & decreased hits 2023-02-08 20:06:10 -05:00
echunduri e44dc167e9 Modified detections explicilty targeted towards macOS to not include cgroup_path fields anymore 2023-02-09 10:57:03 +11:00
Thomas Stromberg e57f03b89f
fpr: Opera, TextExpander, socket_vmnet, elive, etc 2023-02-08 15:12:10 -05:00
Thomas Stromberg 5274198687
Add exceptions for socket_vmnet and pnpd 2023-02-08 14:44:22 -05:00
Thomas Stromberg 2634e9d45b
Monday morning false-positive purge 2023-02-08 14:37:09 -05:00
Thomas Strömberg bdcd0b0ec7
Merge pull request #163 from tstromberg/shlayer-like 
New detector: sketchy-mounted-diskimage
 2023-02-08 10:15:21 -05:00
Thomas Stromberg c55c0225ac
Replace unexpected-vol-names with sketchy-mounted-diskimage 2023-02-08 10:14:32 -05:00
Thomas Strömberg 9bebd8a59a
Merge pull request #162 from tstromberg/fpr-again 
Add local port and address to network queries
 2023-02-08 10:13:39 -05:00
Thomas Stromberg 9652464b27
Add local port and address to network queries 2023-02-08 10:12:44 -05:00
Thomas Strömberg 1f3b78dac4
Merge pull request #160 from tstromberg/fpr-again 
Remove false positives after the big process refactor
 2023-02-02 21:47:39 -05:00
Thomas Stromberg d302a9ff55
Purge false positives, again and again 2023-02-02 21:46:53 -05:00
Thomas Stromberg 9ea6486121
Fix start-iap-tunnel matching 2023-02-02 20:55:46 -05:00
Thomas Stromberg 2bdb9f2f3e
Add more macOS software authorities 2023-02-02 20:53:22 -05:00
Thomas Stromberg 668f012a92
Remove 'launchctl load' as an exotic event (too noisy) 2023-02-02 20:44:14 -05:00
Thomas Stromberg 1cf0a1e89d
Remove zsh from exotic list 2023-02-02 20:35:30 -05:00
Thomas Stromberg f56930a05f
Merge remote-tracking branch 'upstream/main' 2023-02-02 20:34:19 -05:00
Thomas Strömberg 0eced9ec19
Merge pull request #159 from tstromberg/main 
Add uid0 exception for Logitech
 2023-02-02 20:34:10 -05:00
Thomas Stromberg 41ee6feced
Merge remote-tracking branch 'upstream/main' 2023-02-02 20:33:46 -05:00
Thomas Stromberg 91b20a98fd
Add uid0 exception for Logitech 2023-02-02 20:33:34 -05:00
Thomas Strömberg d885578e28
Merge pull request #158 from tstromberg/fpr-again 
Rewrite unexpecetd uid0 for Linux, include cgroup info
 2023-02-02 20:33:01 -05:00
Thomas Stromberg a3ec1bf2bf
Rewrite unexpecetd uid0 for Linux, include cgroup info 2023-02-02 20:30:55 -05:00
Thomas Strömberg 546cb47cef
Merge pull request #157 from tstromberg/fpr-again 
Add new Kolide signing authority as a valid talker
 2023-02-02 19:50:33 -05:00
Thomas Stromberg d039449330
Add new Kolide signing authority as a valid talker 2023-02-02 19:50:13 -05:00
Thomas Strömberg af32311d89
Merge pull request #156 from tstromberg/macos-perf 
Decrease number of rows returned by process_memory_map, reformat
 2023-02-02 17:59:09 -05:00
Thomas Stromberg bb3e1f964e
Run make reformat, update max rows for incident response 2023-02-02 17:58:19 -05:00
Thomas Strömberg d65e8a7638
Merge pull request #155 from tstromberg/macos-perf 
Significant performance improvements for slowest macOS queries
 2023-02-02 17:49:13 -05:00