Commit Graph

85 Commits

Author SHA1 Message Date
Thomas Stromberg 41ee6feced
Merge remote-tracking branch 'upstream/main' 2023-02-02 20:33:46 -05:00
Thomas Stromberg 91b20a98fd
Add uid0 exception for Logitech 2023-02-02 20:33:34 -05:00
Thomas Strömberg d885578e28
Merge pull request #158 from tstromberg/fpr-again
Rewrite unexpected uid0 for Linux, include cgroup info
2023-02-02 20:33:01 -05:00
Thomas Stromberg a3ec1bf2bf
Rewrite unexpected uid0 for Linux, include cgroup info 2023-02-02 20:30:55 -05:00
Thomas Stromberg bb3e1f964e
Run make reformat, update max rows for incident response 2023-02-02 17:58:19 -05:00
Thomas Stromberg 809645a3bf
Add new Kolide id, fix some debug lines 2023-02-02 17:42:46 -05:00
Thomas Stromberg ba45449f7d
unexpected uid0: fix bug, make faster 2023-02-02 17:16:35 -05:00
Thomas Stromberg 2093a26423
Fix broken macOS queries 2023-02-02 15:33:25 -05:00
Thomas Stromberg cdcb2d48f3
Slow queries down, minor improvements 2023-02-01 16:17:36 -05:00
Thomas Stromberg 393b83168f
Merge to head 2023-02-01 15:11:51 -05:00
Thomas Stromberg 23f436f906
Minor perf improvements for macOS queries 2023-02-01 15:06:58 -05:00
Thomas Stromberg f9dce0a72d
Include more process information across queries 2023-02-01 13:55:55 -05:00
Thomas Stromberg 45ab183557
fpr: New Chrome extensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 14:58:47 -05:00
Thomas Stromberg 66ee3484c0
Remove unused active fields, add WhatsApp ioreg exception 2023-01-27 08:46:48 -05:00
Thomas Stromberg d51bd731a1
fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc 2023-01-26 20:40:47 -05:00
Thomas Stromberg b671e30fce
Simplify unexpected-chrome-extensions exceptions for maintainability 2023-01-26 20:40:22 -05:00
Thomas Stromberg 7d8fa35eb4
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 16:30:14 -05:00
Thomas Stromberg f5fe9a4aac
Refactor process_events queries for more accurate parenting 2023-01-26 11:40:54 -05:00
Thomas Stromberg 83cc38207e
fpr: minikube, tailscale, dex, pacman, virtualbox, steam, lsmod, busybox, etc 2023-01-23 20:33:52 -05:00
Thomas Stromberg f7c1557aee
fpr: libinput, kue, updatedb, mariadb, terraform 2023-01-23 08:13:04 -05:00
Thomas Stromberg 280b187b20
fpr: systemctl calls, go tests, WebEx, MariaDB, Brave 2023-01-20 17:55:48 -05:00
Thomas Stromberg d55bd17154
listening ports: Add goland exception 2023-01-20 10:00:40 -05:00
Thomas Stromberg e6824d87e9
Run 'make reformat' 2023-01-20 09:24:24 -05:00
Thomas Stromberg dc154a6199
FPR: Meta Pixel Helper, systemctl, pia-daemon, 1Passwd, iTerm, Brave 2023-01-20 09:04:00 -05:00
Thomas Stromberg 8e9ae0fda3
Less false positives: particularly among systemctl calls 2023-01-20 08:40:08 -05:00
Thomas Stromberg 67fb9cad14
Remove false positive: apt-helper calls to systemctl 2023-01-19 12:16:20 -05:00
Thomas Stromberg 710ca28ed9
False positives: apt-daily, github runner, Slack helper, Foxit, syncthing 2023-01-19 11:52:31 -05:00
Thomas Stromberg 24bdaa243a
New detector: unexpected systemctl calls 2023-01-19 11:39:52 -05:00
Thomas Stromberg f5e08ceec2
False positives: Chrome extensions, Steam games, tmp files, Photoshop 2023-01-18 14:10:33 -05:00
Thomas Stromberg 7b79b19090
False positive reduction: Messenger, Chrome, Final Cut Pro, etc 2023-01-18 09:49:56 -05:00
Thomas Stromberg 42e9f2721b
FP removal: plymouth, 1Password, firejail, systemd 2023-01-16 13:55:53 -05:00
Thomas Stromberg d415b36b57
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 12:56:39 -05:00
Thomas Stromberg e3401a07c6
Weekend false-positive flush 2023-01-14 08:19:26 -05:00
Thomas Stromberg 1b79359b68
Friday False Positive Flush 2023-01-13 14:10:43 -05:00
Thomas Stromberg c7e4252af1
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 10:46:30 -05:00
Thomas Stromberg e8af31a348
false positives: dots, ipn, apport-gtk, homebrew, hyperkey, contexts 2023-01-09 09:34:20 -05:00
Thomas Stromberg 4eb6993272
Catch up to some older false positives we ran into 2023-01-06 17:11:24 -05:00
Thomas Stromberg 1aefbe5e91
More false positive removal 2023-01-06 16:01:35 -05:00
Thomas Stromberg 05a39a78d3
Flush out more false positives across the stack 2023-01-06 10:36:48 -05:00
Thomas Stromberg ba23df1fef
Catch up to other false positives over winter break 2023-01-04 11:03:38 -05:00
Thomas Stromberg a8b95a2c9e
New Year's cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 08:50:19 -05:00
Thomas Stromberg 15d3251120
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 18:06:06 -05:00
Thomas Stromberg 49a19a6fd5
Sort out more false positives 2022-12-16 17:37:32 -05:00
Thomas Stromberg 404adf3e1f
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 16:51:58 -05:00
Thomas Stromberg 16f9b2f3ee
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 10:20:16 -05:00
Thomas Stromberg 685a79d3e1
Add Vimium 2022-12-15 09:11:14 -05:00
Thomas Stromberg b9e0ad34a3
Post-Thanksgiving false positive flush 2022-11-28 16:06:07 -05:00
Thomas Stromberg 6a7c4b6668
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 09:21:03 -05:00
Thomas Stromberg 8e3d6a1614
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 10:27:43 -05:00
Thomas Stromberg 9f63e3b21d
Begin making use of cgroup_paths, clear more false positives 2022-11-16 16:52:39 -05:00