Commit Graph

779 Commits

Author SHA1 Message Date
egibs
78ec36eca0
Add elastic-endpoint
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-11-20 14:02:05 -06:00
egibs
a24c3d2333
Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-11-20 13:45:50 -06:00
Thomas Stromberg
4c4423a474
suspicious systemd: accept any char instead of single quote
2024-11-19 16:09:38 -05:00
Thomas Stromberg
8237521d0d
fpr: mark exotic queries as extra, add flatpak/pop-os uid0 procs
2024-11-19 15:49:30 -05:00
Thomas Stromberg
6fb7fa69e1
fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc
2024-11-18 16:16:52 -05:00
Thomas Stromberg
71096ba4c7
fpr: mc, colima, webfilterproxyd, headlamp, record it, etc
2024-11-13 16:34:12 -05:00
Dave Smith
ca768ca4fa
fpr: mostly uid0 things
2024-11-12 07:37:29 -05:00
Dave Smith
f8a942425d
fpr: zypper, bambu, terraform, etc
2024-11-08 07:34:33 -05:00
Dave Smith
f9ae1fe921
Update unexpected-uid0-daemon-linux.sql
fixed syntax error

Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-11-07 17:19:13 -05:00
Dave Smith
7219f64571
FPR: containerd, cupsd, etc
2024-11-07 17:11:45 -05:00
Dave Smith
335aca58b7
false positive reduction: apt, auditd, dockerd, etc.
2024-11-07 10:00:40 -05:00
egibs
be9e4f7053
Add rules for bambu-studio, extensions, firefox-bin, goland, xdg, and more
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-11-01 14:27:33 -05:00
egibs
b121d1f96c
More exceptions to cut down on alert noise
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-31 15:47:35 -05:00
Evan Gibler
d52f919599
Merge pull request #417 from egibs/20241030-exceptions
Add exceptions for apache2, ChatGPT, and Discord among others
2024-10-30 14:24:51 -05:00
egibs
1d7a67da0f
Add cg to unexpected-dns-traffic-events, add ubuntu-advantage
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 13:06:38 -05:00
egibs
5acc2b922c
Add msedge
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 11:35:32 -05:00
egibs
4abd265459
Address PR comments
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 11:33:49 -05:00
egibs
18e9879b01
Add deskflow-server and additional repos directory
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 10:28:00 -05:00
egibs
4b47a29a2c
Sort
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 08:57:52 -05:00
egibs
afb1facdf1
Add chainlink to unexpected-talkers-macos
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 08:50:30 -05:00
egibs
e487aac574
Add exceptions for apache2, ChatGPT, and Discord among others
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-30 08:10:07 -05:00
Thomas Stromberg
b3c427792b
fpr: framework nix, etc
2024-10-30 08:30:43 -04:00
egibs
7b1e152266
Add Arc browser talker exception
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-29 16:33:58 -05:00
egibs
f67335babb
Add exceptions for Arc, busybox, and Edge; fix existing exceptions
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-29 14:15:40 -05:00
egibs
9a95064139
Add exceptions for Xcode, Zen browser, Hugo, Krew, and more
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
2024-10-29 12:18:07 -05:00
Dave Smith
f4559b3f97
fpr: bwrap
2024-10-29 09:34:42 -04:00
Dave Smith
a695f5d2f5
Merge pull request #410 from tstromberg/oct25
fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion, GitButler
2024-10-25 16:38:43 -04:00
Dave Smith
0c10622a50
add extra tag to high_disk_bytes_read.sql
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-10-25 14:17:32 -04:00
Thomas Stromberg
1c17532ae8
fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion
2024-10-25 11:29:40 -04:00
Dave Smith
7ad81b16c2
add extra tag to setxid-cmdline-overflow-attempt.sql
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-10-24 18:42:46 -04:00
Thomas Stromberg
462fbef639
Mark as extra, as this query is racey
2024-10-24 15:36:21 -04:00
Thomas Stromberg
bf8b60cd33
Fix cursor placement
2024-10-24 15:36:05 -04:00
Thomas Stromberg
0b41ec5d07
unexpected fetcher parents: add Cursor Helper
2024-10-24 15:34:04 -04:00
Thomas Stromberg
f038dc7557
fpr, refactor minimal-socket-client-macos
2024-10-24 15:12:33 -04:00
Thomas Strömberg
a46fa30676
Merge pull request #406 from tstromberg/talkers-borken-merge
unexpected-talkers-macos: fix broken merge
2024-10-24 11:56:25 -04:00
Thomas Stromberg
38ced95bc2
fix broken merge
2024-10-24 11:33:35 -04:00
Thomas Stromberg
25f0e14790
add more exceptions
2024-10-24 11:31:28 -04:00
Thomas Stromberg
781f1a33af
fpr + Mark touched-executable as extra on macOS
2024-10-24 11:20:06 -04:00
Thomas Stromberg
f3baa1d042
fpr: wider talkers exception, chrome extensions, postgres
2024-10-23 17:28:37 -04:00
Thomas Strömberg
1bbf419bfc
Merge pull request #402 from tstromberg/oct23
fpr: bpftool, curl, pulumi, Docker Desktop, go tests
2024-10-23 11:41:03 -04:00
Thomas Strömberg
c8e99a5ee1
Merge pull request #400 from r0cketlad/21oct2024
small fpr push
2024-10-23 11:40:41 -04:00
Thomas Stromberg
78d243abf0
fpr: bpftool, curl, pulumi, Docker Desktop, go tests
2024-10-23 10:59:37 -04:00
Dave Smith
fbf9a565c6
Update evenly-timestomped.sql
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-10-23 10:02:37 -04:00
Dave Smith
899fc1dfca
Update unexpected-setuid-binaries.sql
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-10-23 08:32:35 -04:00
Dave Smith
fe868f4bbb
Update evenly-timestomped.sql
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
2024-10-23 08:31:20 -04:00
Thomas Stromberg
81180803ae
fpr: tune-ppd, lightdm, nami, gradle, etc
2024-10-22 16:12:21 -04:00
Dave Smith
9a69bb55ba
small fpr push
2024-10-22 08:20:24 -04:00
Thomas Strömberg
67ce4cd92a
Merge pull request #397 from tstromberg/linux-device-refactor
2024-10-21 11:57:08 -04:00
Thomas Strömberg
2ff2fa431e
Merge pull request #399 from tstromberg/fpr-oct21
2024-10-21 11:56:53 -04:00
Thomas Strömberg
638266bddc
Merge pull request #398 from tstromberg/hidden-exec2
2024-10-21 11:56:39 -04:00