osquery-defense-kit

mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-10 07:39:26 +00:00

Author	SHA1	Message	Date
Thomas Strömberg	c86073ecaf	Merge pull request #24 from chainguard-dev/fp3 False-positive removal: grype, gedit, mov, abrt-action, dnf	2022-10-21 14:13:50 -04:00
Thomas Stromberg	fdb891ba0b	False-positive removal: grype, gedit, mov, abrt-action, dnf	2022-10-21 14:13:29 -04:00
Thomas Stromberg	356db76a44	Filter out sh -i if launched by sh, ukh if launchedb by lima, Socket. if launched by compile	2022-10-21 14:11:45 -04:00
Thomas Stromberg	a64465f07b	Add exception for melange/wolfi	2022-10-21 12:13:16 -04:00
Thomas Stromberg	195330da9a	Fix docker-mounting-root query that got stomped on	2022-10-21 12:05:06 -04:00
Thomas Stromberg	9f2423a51e	Add exception for Fumihiko Takayama (Karabiner-Elements)	2022-10-21 11:50:52 -04:00
Thomas Stromberg	ffead2f717	Add Google Chat, Youtube, Bardeen, Leadjet	2022-10-21 11:49:54 -04:00
Thomas Stromberg	515f51daa6	Raise bps limit, add exception for systemd	2022-10-21 11:46:17 -04:00
Thomas Stromberg	ed6f37e11b	Record children, add known hosts exception for limactl	2022-10-21 11:45:25 -04:00
Thomas Stromberg	05ccb9b718	Allow larger shell/python programs	2022-10-21 11:41:33 -04:00
Thomas Stromberg	6bb1785df9	Add carevout for /nix/store and caskroom	2022-10-21 11:40:47 -04:00
Thomas Stromberg	1afd3f6a75	add exceptions for nix, kde paths, rvictl, and profile	2022-10-21 11:37:55 -04:00
Thomas Stromberg	ed2bede71f	linux https client: Add 1password	2022-10-21 11:28:31 -04:00
Thomas Stromberg	770496edea	dev opener: Add bluetoothd	2022-10-21 11:27:42 -04:00
Thomas Stromberg	2538e7f7ce	macos talkers: add grype, chainctl	2022-10-21 11:26:50 -04:00
Thomas Stromberg	a31108984f	linux talkers: add more ports for thunderbird, chrome, firefox	2022-10-21 11:22:24 -04:00
Thomas Stromberg	1359cdd38d	linux ports: add registry on 5000	2022-10-21 11:15:05 -04:00
Thomas Stromberg	b6af630ad8	linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar	2022-10-21 11:12:44 -04:00
Thomas Strömberg	dfe9f64953	Merge pull request #18 from chainguard-dev/reformat2 Reduce query intervals for some higher overhead queries	2022-10-20 14:56:38 -04:00
Thomas Stromberg	7d568898c1	Reduce query intervals for some higher overhead queries	2022-10-20 14:56:16 -04:00
Thomas Stromberg	1020cd6991	exotic commands (state-based): Add UserKnownHostsFile from event based, fix phash join	2022-10-20 14:31:36 -04:00
Thomas Stromberg	905046cd2a	linux https clients: Add exception for npm exec	2022-10-20 14:15:57 -04:00
Thomas Strömberg	8b16ce2aa4	Merge pull request #14 from chainguard-dev/false-positives False-positive update: Chrome, /usr/local/bin	2022-10-20 14:13:03 -04:00
Thomas Stromberg	d55d1db202	Add /usr/local/bin	2022-10-20 14:11:35 -04:00
Thomas Stromberg	416bdd8fd1	Add broader port exception for Chrome	2022-10-20 14:11:19 -04:00
Thomas Strömberg	c082d0caa8	Merge pull request #13 from chainguard-dev/reformat Run 'make reformat'	2022-10-20 14:03:17 -04:00
Thomas Stromberg	ec1a5b6c17	Add events-based detector for ICMP sockets	2022-10-20 14:02:06 -04:00
Thomas Stromberg	a68a3496e9	Run 'make reformat'	2022-10-20 14:01:34 -04:00
Thomas Stromberg	26fbe36e77	Linux: Add electron as an HTTPS client	2022-10-20 13:53:18 -04:00
Thomas Stromberg	9ff14203b6	macOS: Allow Linear Orbit and Microsoft to listen on a wider range of ports	2022-10-20 13:52:34 -04:00
Thomas Stromberg	ad832bc280	linux talkers: Treat /snap as /opt	2022-10-20 13:50:14 -04:00
Thomas Stromberg	6624c8c620	linux talkers: Add ssh exception	2022-10-20 13:46:55 -04:00
Thomas Stromberg	8ddc3de482	linux talkers: Add snap Slack and NixOS bash exception	2022-10-20 13:44:09 -04:00
Thomas Strömberg	bab02a6295	Merge pull request #9 from chainguard-dev/false-positives unexpected-library-entries: Add more /Library entries from the wild	2022-10-20 13:39:15 -04:00
Thomas Stromberg	44324e3811	Add more /Library entries from the wild	2022-10-20 13:38:33 -04:00
Thomas Stromberg	0706cc458a	listening ports: Add mtr-packet exception	2022-10-20 13:34:49 -04:00
Thomas Stromberg	b4776ea60f	Remove duplicate comma	2022-10-20 13:20:33 -04:00
Thomas Strömberg	95e5c925e9	Merge pull request #7 from chainguard-dev/false-positives Add exception for gitsign	2022-10-20 13:18:30 -04:00
Thomas Stromberg	0a92cbb9ce	Add exception for gitsign	2022-10-20 13:17:52 -04:00
Thomas Strömberg	1816e1472e	Merge pull request #6 from chainguard-dev/false-positives high-disk-bytes-written: Add exception for flatpak-system-helper	2022-10-20 13:16:59 -04:00
Thomas Stromberg	e2c41243d4	high-disk-bytes-written: Add exception for flatpak-system-helper	2022-10-20 13:16:33 -04:00
Thomas Strömberg	ce3b58c9f6	Merge pull request #5 from chainguard-dev/false-positives touched: Add exception for local kubectl binary	2022-10-20 13:15:53 -04:00
Thomas Stromberg	9373952f18	Add exception for local kubectl binary	2022-10-20 13:15:26 -04:00
Thomas Strömberg	71147816ec	Merge pull request #4 from chainguard-dev/false-positives library-entries: Add exceptions for /Library/Python and /Library/Caches/.0%	2022-10-20 13:15:07 -04:00
Thomas Stromberg	8e1569164a	Add exceptions for /Library/Python and /Library/Caches/.0%	2022-10-20 13:14:37 -04:00
Thomas Strömberg	e6a60ea1db	Merge pull request #3 from chainguard-dev/false-positives Add talker exceptions for curl, firefox, chrome, git-remote-http	2022-10-20 13:14:16 -04:00
Thomas Stromberg	a973dcbcf2	Add more Linux/macOS talker exceptions	2022-10-20 13:12:46 -04:00
Thomas Strömberg	5e8d0b637b	Merge pull request #2 from chainguard-dev/lib-entry Add /Library/DropboxHelperTools/ to expected list of /Library folders	2022-10-20 13:06:16 -04:00
Thomas Stromberg	bdce818374	Add /Library/DropboxHelperTools/ to expected list of /Library folders	2022-10-20 13:05:38 -04:00
Thomas Stromberg	186617890c	Add more real-world exceptions to unexpected-talkers	2022-10-20 13:03:46 -04:00
Thomas Stromberg	1c38ef430e	reformat SQL queries	2022-10-20 09:11:29 -04:00
Thomas Stromberg	1a54cebb55	Sort talker list	2022-10-20 08:20:06 -04:00
Thomas Stromberg	a43ee03929	Reduce dependency on magic.*	2022-10-20 08:19:56 -04:00
Thomas Stromberg	7de03e7fbc	Reduce false positives	2022-10-20 08:04:24 -04:00
Thomas Stromberg	152887f8d8	Add /Library detector	2022-10-20 07:59:27 -04:00
Thomas Stromberg	14715b602b	Add chronyd back	2022-10-20 07:59:17 -04:00
Thomas Stromberg	a22ca1f2b0	Don't mask directories, run on macOS	2022-10-20 07:59:06 -04:00
Thomas Stromberg	e09e410407	Rewrite and split linux talkers	2022-10-20 07:04:18 -04:00
Thomas Stromberg	f6317c2af8	Further reduction of false positives	2022-10-19 17:07:52 -04:00
Thomas Stromberg	d8e91bac63	Add missing files	2022-10-19 16:56:43 -04:00
Thomas Stromberg	ab94de7770	Add a lot more mitre data	2022-10-19 16:56:32 -04:00
Thomas Stromberg	cee1710f74	Finish out the incident_response refactor	2022-10-19 16:19:53 -04:00
Thomas Stromberg	1bbd284a3c	Work through another series of false positives	2022-10-19 15:26:03 -04:00
Thomas Stromberg	28f52b4c51	Sync module list with known observed	2022-10-19 15:02:44 -04:00
Thomas Stromberg	61294aa8a8	Add dnf	2022-10-19 14:51:33 -04:00
Thomas Stromberg	9f06873ae9	Don't mind shells hanging out in ~/.Trash	2022-10-18 14:51:51 -04:00
Thomas Stromberg	7483c845f4	Split the recently-created-executables between macOS/Linux	2022-10-18 14:42:26 -04:00
Thomas Stromberg	8679ca943d	More false positive management	2022-10-18 14:26:47 -04:00
Thomas Stromberg	12c7f8360d	Filter out more false positives	2022-10-18 11:44:03 -04:00
Thomas Stromberg	83a8c0d589	Improve how we deal with the zfs case	2022-10-18 11:40:42 -04:00
Thomas Stromberg	535d835290	Simplify exotic commands queries, remove more false positives	2022-10-18 11:32:18 -04:00
Thomas Stromberg	5839a20fb3	Detect more	2022-10-18 10:08:34 -04:00
Thomas Stromberg	0160d05ed3	Add new spotlight queries to surface unexpected dmg/iso downloads	2022-10-18 08:52:05 -04:00
Thomas Stromberg	346309f3d2	Add missing apostrophe	2022-10-17 21:08:29 -04:00
Thomas Stromberg	50d1b42f80	Add provisio	2022-10-17 20:59:09 -04:00
Thomas Stromberg	8ddd5764e8	Remove some false positives	2022-10-17 20:57:56 -04:00
Thomas Stromberg	9bf85e3137	Flush out more false positives	2022-10-17 20:37:44 -04:00
Thomas Stromberg	2b5ea76729	Apply 'npx sql-formatter -l sqlite'	2022-10-17 19:06:17 -04:00
Thomas Stromberg	984f754990	Add more false positive filters	2022-10-17 19:01:16 -04:00
Thomas Stromberg	d89335a21e	Add child/grandchild, filter out zfs recv false positive	2022-10-17 18:46:00 -04:00
Thomas Stromberg	58dec12a49	Remove some false positives	2022-10-17 17:31:47 -04:00
Thomas Stromberg	9c233f5248	Decrease poll time to 60 seconds	2022-10-17 17:31:32 -04:00
Thomas Stromberg	5c7ec52350	Lower polling time to once a minute	2022-10-17 17:30:41 -04:00
Thomas Stromberg	de51dcdfcb	Minor adjustments	2022-10-17 17:11:15 -04:00
Thomas Stromberg	b72e052c09	Split env-values is case it helps decrease CPU time	2022-10-17 17:10:51 -04:00
Thomas Stromberg	9616a6ab36	Use 'rapid' instead of 'continous' for tagging	2022-10-17 08:43:29 -04:00
Thomas Stromberg	27a3013bba	Split up the unexpected-filesystem-entries by platform	2022-10-14 15:14:24 -04:00
Thomas Stromberg	fa49494e36	Add /var/run/current-system/sw/bin	2022-10-14 14:37:22 -04:00
Thomas Stromberg	927d2ab025	Add /etc/periodic/*, resort directories	2022-10-14 14:36:41 -04:00
Thomas Stromberg	9889a9308f	Make unexpected-var-executables safe for execution on macOS	2022-10-14 14:31:39 -04:00
Thomas Stromberg	f2023c0021	Update interval tags, mostly for persistence	2022-10-14 14:26:49 -04:00
Thomas Stromberg	ab0fad1c47	Add lost files from the rename	2022-10-14 14:19:32 -04:00
Thomas Stromberg	d2bdffe89e	Add support for interval tags	2022-10-14 14:19:13 -04:00
Thomas Stromberg	06fd003475	Use single-quotes for Kolide compatibility	2022-10-14 10:29:23 -04:00
Thomas Stromberg	d1f1d20192	Fix trailing apostrophe	2022-10-14 10:26:25 -04:00
Thomas Stromberg	432a727f41	Add Slack Technologies signature	2022-10-14 10:22:50 -04:00
Thomas Stromberg	fd9e8106f9	Give unexpected-modules a better name	2022-10-14 10:18:23 -04:00
Thomas Stromberg	b9a64e8b99	Janitorial maintenance	2022-10-14 10:18:01 -04:00
Thomas Stromberg	488d1aac96	Show process euid instead of uid.	2022-10-14 09:36:28 -04:00
Thomas Stromberg	b2f0c1ca54	Add kernel modules seen on Fedora	2022-10-14 09:30:44 -04:00
Thomas Stromberg	3c6d4968e1	Add two Docker checks that can catch Traitor	2022-10-14 09:16:48 -04:00
Thomas Stromberg	dc9493ee1e	Tighten down the field list, update metadata	2022-10-14 09:16:24 -04:00
Thomas Stromberg	4a7f734c81	Add metadata, mark as Linux only.	2022-10-14 08:42:10 -04:00
Thomas Stromberg	10a7091e62	Decrease exotic-events complexity by splitting & simplifying	2022-10-13 18:31:59 -04:00
Thomas Stromberg	1fb2b694bb	Use single quotes	2022-10-13 18:31:36 -04:00
Thomas Stromberg	c6a00b4714	Add markupsafe exception	2022-10-13 18:16:12 -04:00
Thomas Stromberg	d6ae20a73e	Add ipheth, resort.	2022-10-13 18:14:50 -04:00
Thomas Stromberg	6a4a12a261	Add Linear Helper, resort	2022-10-13 18:11:24 -04:00
Thomas Stromberg	91157f6180	Add raw socket exception for tailscale	2022-10-13 18:08:52 -04:00
Thomas Stromberg	d164591365	Add more localhost entries	2022-10-13 18:08:03 -04:00
Thomas Stromberg	27b9e620f2	Add *.wtf to allow list	2022-10-13 18:06:07 -04:00
Thomas Stromberg	9bbc043953	Add CoLab, remove trailing spaces	2022-10-13 18:05:05 -04:00
Thomas Stromberg	3562bc898e	Remove sshd listener false positive	2022-10-13 18:02:14 -04:00
Thomas Stromberg	59dc85a931	Add pipewire-pulse, sort exceptions	2022-10-13 18:00:14 -04:00
Thomas Stromberg	077c8f36fc	Filter out vaikas dev hostnames	2022-10-13 17:58:29 -04:00
Thomas Stromberg	20452b128b	Migrate query strings from double to single apostrophes	2022-10-13 14:59:32 -04:00
Thomas Stromberg	e785c35614	v0.0.1	2022-10-13 09:11:17 -04:00
Thomas Stromberg	26ee658c4a	Initial re-organization around the MITRE ATT&CK framework	2022-10-11 21:53:36 -04:00

... 2 3 4 5 6

268 Commits