RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-16 17:37:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
725 Commits 1 Branch 31 Tags 6.9 MiB
a7c2ef97e1
Commit Graph

725 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Stromberg
a7c2ef97e1
Add detectors for the reveng_rtkit rootkit 2023-02-23 17:05:11 -05:00
Thomas Strömberg
0cba2837bc
Merge pull request #193 from tstromberg/debian 
Debian uid0: add dhclient and unattended-upgr
 2023-02-23 10:39:15 -05:00
Thomas Stromberg
d253820cf2
Debian: add dhclient and unattended-upgr 2023-02-23 10:35:26 -05:00
Thomas Strömberg
ab5c01a998
Merge pull request #190 from zestysoft/fpr-2 
Add osquery to keyboard_sniffer
 2023-02-23 10:34:04 -05:00
Thomas Strömberg
f1e7474b3f
Merge pull request #192 from tstromberg/debian 
Add exceptions for Debian running under lima
 2023-02-23 10:33:46 -05:00
Thomas Stromberg
d904ca60cf
Add exceptions for Debian running under lima 2023-02-23 10:33:10 -05:00
Thomas Strömberg
26099f5fb7
Merge pull request #191 from tstromberg/postmortem 
Add 60 new postmortem queries for before/after analysis
 2023-02-23 09:38:20 -05:00
Thomas Stromberg
4d626923cd
Add many new incident response queries 2023-02-23 09:35:38 -05:00
Ian Brown
737eb93b48
Add osquery to keyboard_sniffer 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-21 22:07:08 -08:00
Thomas Strömberg
eeb8792ee8
Merge pull request #189 from tstromberg/ubuntu-lts-lima 
False positive reduction: Ubuntu LTS running on Lima VM
 2023-02-20 19:13:29 -05:00
Thomas Stromberg
baab22e282
Run make reformat-updates 2023-02-20 19:12:51 -05:00
Thomas Stromberg
3a4e0450a6
Uncomment remaining columns 2023-02-20 19:11:23 -05:00
Thomas Stromberg
d3780c0a6c
Remove ubuntu-lts false-positives on lima 2023-02-20 19:10:12 -05:00
Thomas Strömberg
7e2d9bf7eb
Merge pull request #188 from tstromberg/fpr-weekend 
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird
 2023-02-20 18:05:22 -05:00
Thomas Stromberg
e8cf7ecbe3
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 18:04:17 -05:00
Thomas Strömberg
9caafd4743
Merge pull request #187 from tstromberg/systemd-refactor 
systemd units: increase size bucket from 100 to 225
 2023-02-20 13:10:54 -05:00
Thomas Stromberg
82de4c9c2a
systemd units: increase size bucket from 100 to 225 2023-02-20 13:10:07 -05:00
Thomas Strömberg
575767eea1
Merge pull request #186 from tstromberg/fix-changes 
macos sniffers: back out osquery change until we understand it better
 2023-02-20 12:01:04 -05:00
Thomas Stromberg
75b7ec5552
macos sniffers: back out osquery change until we understand it better, sort exceptions 2023-02-20 11:58:43 -05:00
Thomas Strömberg
d6f903bb00
Merge pull request #185 from zestysoft/fpr-1 
fpr: Fujitsu, vmware, objective-see, paragon, etc
 2023-02-20 11:53:31 -05:00
Ian Brown
d64fd44604
fix 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 19:44:31 -08:00
Ian Brown
91f653262c
More osquery matches 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 11:24:54 -08:00
Ian Brown
96e95a7f37
Add additional talkers 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 11:11:13 -08:00
Ian Brown
74114dd34e
Swap like for equal 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 16:11:35 -08:00
Ian Brown
ffd552aa54
Missed one 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 16:10:48 -08:00
Ian Brown
551d7dbb8c
fpr: Fujitsu, vmware, objective-see, paragon, etc 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 12:02:40 -08:00
Thomas Strömberg
53b34621d3
Merge pull request #184 from tstromberg/friday-sweep 
overwritten memory: filter out pathless kernel bits
 2023-02-17 17:21:25 -05:00
Thomas Stromberg
5949ad1551
overwritten memory: filter out pathless kernel bits 2023-02-17 17:20:20 -05:00
Thomas Strömberg
31d74f1e68
Merge pull request #183 from tstromberg/friday-sweep 
Rewrite exotic-command-events-linux with INSTR to decrease CPU time
 2023-02-17 16:40:27 -05:00
Thomas Stromberg
c2b0423606
Rewrite exotic-command-events-linux with INSTR to decrease CPU time 2023-02-17 16:39:52 -05:00
Thomas Strömberg
4d90caa0ff
Merge pull request #182 from tstromberg/friday-sweep 
gcloud: filter out last_update_check, last_survey_prompt
 2023-02-17 12:04:10 -05:00
Thomas Stromberg
504ef2c8dd
gcloud: filter out last_update_check, last_survey_prompt 2023-02-17 12:03:36 -05:00
Thomas Strömberg
a4ad9b2aaa
Merge pull request #181 from tstromberg/friday-sweep 
execdir events macOS: Fix ambiguous path
 2023-02-17 12:01:38 -05:00
Thomas Stromberg
d25a89f241
execdir events macOS: Fix ambiguous path 2023-02-17 12:01:08 -05:00
Thomas Strömberg
2de44fc301
Merge pull request #180 from tstromberg/friday-sweep 
False positive flush, particularly in talkers
 2023-02-17 11:58:12 -05:00
Thomas Stromberg
f87541c945
False positive flush, particularly in talkers 2023-02-17 11:57:23 -05:00
Thomas Strömberg
8976bfecf2
Merge pull request #179 from tstromberg/ddexec 
New detector: overwritten memory map
 2023-02-17 10:49:57 -05:00
Thomas Stromberg
2e95606d9c
New detector: overwritten memory map 2023-02-17 10:49:19 -05:00
Thomas Strömberg
f5798047cc
Merge pull request #178 from tstromberg/wutang 
Linux events: decrease CPU usage of elevated children & execdir
 2023-02-17 10:48:50 -05:00
Thomas Stromberg
a655122eec
name path mismatch: only whitelist shells with same cmdlines 2023-02-17 10:47:49 -05:00
Thomas Stromberg
3d13d4995a
hidden system paths: include inode 2023-02-17 10:41:42 -05:00
Thomas Stromberg
00398d447b
Look for setuid binaries in /usr/libexec too 2023-02-17 10:41:28 -05:00
Thomas Stromberg
bc359d69ce
Linux events: decrease CPU usage of elevated children & execdir 2023-02-17 10:40:58 -05:00
Thomas Strömberg
a4ae39a66c
Merge pull request #177 from tstromberg/wutang 
New detector: unexpected ssh-authorized-keys
 2023-02-14 20:36:58 -05:00
Thomas Stromberg
ec675bfb8d
New detector: unexpected ssh-authorized-keys 2023-02-14 20:36:27 -05:00
Thomas Strömberg
be02e9f785
Merge pull request #176 from tstromberg/wutang 
Add chattr, setenforce to unexpected-sysutils
 2023-02-14 20:36:05 -05:00
Thomas Stromberg
5eefbd0dba
Add chattr, setenforce to unexpected-sysutils 2023-02-14 20:35:24 -05:00
Thomas Strömberg
575ebdd776
Merge pull request #175 from tstromberg/wutang 
fpr: ACE, Prusa, Ecamm, setroubleshootd, steam, pacman, Xcode, Adobe
 2023-02-14 20:17:13 -05:00
Thomas Stromberg
cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg
0049ab06b1
Merge branch 'main' into wutang 2023-02-14 19:46:43 -05:00