Commit Graph

570 Commits

Author SHA1 Message Date
Thomas Stromberg 404b7125f7 Add unattended-upgrades.pid (Ubuntu 2023-06-07 15:14:09 -04:00
Thomas Stromberg c8760e0ae1 fpr: macOS, Signal, Creative Labs, node, etc 2023-06-07 09:55:17 -04:00
Thomas Stromberg 349ff58fb2 fpr: xfce4, Google Earth, Ubuntu 2023-06-07 08:58:02 -04:00
Thomas Stromberg 1c3d461392 Add lock exception for pipewire 2023-06-02 19:22:26 -04:00
Thomas Stromberg 066c88dc18 fpr: multipass, go, macOS, Ubuntu, Opera, git, ko 2023-06-02 19:08:08 -04:00
Thomas Stromberg 37ce71b94f Decrease download limits to begin with 2023-06-02 18:03:44 -04:00
Thomas Stromberg c2ce0ce7d7 New queries: excessive Google Drive exports 2023-06-02 18:01:10 -04:00
Thomas Stromberg 9575d18bc2 fpr: FleetDM, Edge, VSCode, dnf, Steam, etc 2023-06-01 11:52:20 -04:00
Thomas Stromberg 7446b55120 Fix missing apostrophe 2023-05-23 11:55:11 -04:00
Thomas Stromberg 4831794034 Rename from missing-parent 2023-05-23 11:31:58 -04:00
Thomas Stromberg 111c15e20b fpr: macOS, yubikey, Premiere, dnf, vagrant, etc 2023-05-23 11:31:37 -04:00
Thomas Stromberg 56ede74c54 fpr: Parallels, Stream Deck, tflint, gitstatus, snyk 2023-05-17 17:52:55 -04:00
Thomas Stromberg d9d6a836a7 Update minimal socket exceptions to not rely signatures 2023-05-17 13:21:29 -04:00
Thomas Stromberg c6eec0ee17 Query tuning after Geacon testing 2023-05-17 10:54:16 -04:00
Thomas Stromberg 24c2baef28 Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
Thomas Stromberg 7f86db5521 Improve detection for bpfdoor and similar backdoors. 2023-05-16 16:31:31 -04:00
Thomas Stromberg 93f2f2baf4 Fix comma placement 2023-05-16 10:31:46 -04:00
Thomas Stromberg d5a94b21d1 fpr: Kolide, macOS, nvidia, neko 2023-05-16 10:28:19 -04:00
Thomas Stromberg 9c87838b9f fpr: Chrome, Kolide 2023-05-12 16:41:17 -04:00
Thomas Stromberg 26b2b9a4c7 fpr: LGHUB, aomshm, Wisdolia, uubyte, eclipse, etc 2023-05-11 11:29:55 -04:00
Thomas Stromberg 099d6664fe Remove seldom modifier, reformat 2023-05-11 10:33:51 -04:00
Thomas Stromberg c58cac1a1f New detector: unexpected /var/run files 2023-05-11 10:32:17 -04:00
Thomas Stromberg 49debb32c6 fix duplicate cloud-sql-proxy exception 2023-05-08 13:23:20 -04:00
Thomas Stromberg 41d83350a1 make reformat 2023-05-08 13:20:47 -04:00
Thomas Stromberg 778d53b169 Address merge conflicts 2023-05-08 13:11:24 -04:00
Thomas Stromberg 4856a0e80a fpr: LogiTune, sharingd, gnome, sparkle, plex 2023-05-08 13:07:57 -04:00
Thomas Stromberg 785b7c2bde fpr: LogiTune, EndeavourOS, less 2023-05-08 12:19:19 -04:00
Thomas Stromberg 9eed574026 fpr: sharingd, sparkle, golang, Snagit 2023-05-05 15:10:54 -04:00
Thomas Stromberg 61d503db0e Add Zed binaries dir 2023-05-05 12:55:14 -04:00
Thomas Stromberg 272711ae7a fpr: node, nc, busybox, libvirt, etc 2023-05-05 12:44:46 -04:00
Thomas Stromberg f3fd822a55 Refactor recently-created-executables to fit within complexity limits 2023-05-03 17:57:58 -04:00
Thomas Stromberg d7937aa532 Fix trailing comma 2023-05-03 16:56:15 -04:00
Thomas Stromberg e3b9938db2 Fix trailing comma 2023-05-03 16:30:03 -04:00
Thomas Stromberg 0202e87b73 fpr: libopenblas, snapd, k3d, opera, nix, ssh, cargo, adobe installer 2023-05-03 16:28:00 -04:00
Thomas Stromberg cc221ae011 sysutils: Add /usr/bin/security (Keychain) 2023-05-03 15:53:33 -04:00
Thomas Stromberg 76cf1006c6 fpr: microbit, i3, Grammarly for Safari, wine 2023-05-02 17:49:53 -04:00
Thomas Stromberg 47124daa01 fpr: RetailMeNot, LogiTune, macOS, mediawriter, etc 2023-05-02 15:25:36 -04:00
Thomas Stromberg cdd112827a Add 8801 2023-04-28 14:45:51 -04:00
Thomas Stromberg 1961531adf fpr: more refactor fallout 2023-04-28 14:40:12 -04:00
Thomas Stromberg fbdd253d6a fpr: post-refactor talker reduction 2023-04-28 14:09:57 -04:00
Thomas Stromberg 007038c6c0 Merge branch 'main' into simpler-talkers 2023-04-27 15:10:40 -04:00
Thomas Stromberg 407295d6e7 macOS talkers: reset exceptions, split https 2023-04-27 15:09:53 -04:00
Thomas Stromberg ef7b7e7fa1 new detector: hidden ~/Library/Application Support 2023-04-27 15:07:49 -04:00
Thomas Stromberg 02337c28f0 fpr: cleanup and new additions 2023-04-27 12:00:08 -04:00
Thomas Stromberg ed772cb369 Filter out targets, add more entries 2023-04-27 11:59:02 -04:00
Thomas Stromberg df925eaa6c fpr: lghub, brew, pve, chrome exts, etc 2023-04-20 20:45:35 -04:00
Thomas Stromberg 9c3f783491 fpr everything 2023-04-17 16:20:35 -04:00
Thomas Stromberg 0dc6748dff fpr: LGHUB keys, go, Acrobat, code, yum, fwupdatemgr 2023-03-31 06:19:30 -04:00
Thomas Stromberg d4dd423745 fpr: Grammarly, semodule, docker-compose, xdg, etc 2023-03-30 18:44:01 -04:00
Thomas Stromberg 5ea01eabeb Exclude .rustup toolchains 2023-03-28 17:02:30 -04:00
Thomas Stromberg 2d6ced6ae5 Remove powershell indicator 2023-03-28 17:02:14 -04:00
Thomas Stromberg eceb9c5dec Mask all descendants of .github/ 2023-03-28 17:02:01 -04:00
Thomas Stromberg 98e502b039 fpr: add new containerd systemd file 2023-03-28 16:31:02 -04:00
Thomas Stromberg 9b0ed09c8e fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage 2023-03-28 16:25:26 -04:00
Thomas Stromberg 21cadbeb28 move missing comma 2023-03-24 11:20:37 -04:00
Thomas Stromberg 284796b895 fpr: snyk-ls, electron 2023-03-24 11:03:55 -04:00
Thomas Stromberg 570c36dc71 fpr: tilt, electron, cilium, write/read improvements 2023-03-24 10:42:06 -04:00
Thomas Stromberg 7a78199906 fpr: traceroute, thunderbird, garmin installer, chainctl, etc 2023-03-21 14:07:06 -04:00
Thomas Stromberg fbab3701c0 fpr: Docker, Zwift, macOS updates, etc 2023-03-20 17:05:02 -04:00
Thomas Strömberg 621967a085 Merge pull request #230 from tstromberg/split-chmod 2023-03-17 15:49:30 -04:00
    Add exceptions for Kandji
Thomas Stromberg 13a95a4f41 Add exceptions for Kandji 2023-03-17 15:46:00 -04:00
Thomas Strömberg 1b9e2a6ec1 Merge pull request #229 from tstromberg/split-chmod 2023-03-17 15:39:26 -04:00
    unexpected-chmod-exec: Split and Linux/macOS queries
Thomas Stromberg 15c666a170 Fix references to p0.cmdline 2023-03-17 15:38:22 -04:00
Thomas Stromberg e1db6fc2de Fix split chmod detector 2023-03-17 15:19:33 -04:00
Thomas Stromberg feb7c234e7 split unexpected-chmod-exec-event into Linux/macOS 2023-03-17 15:13:36 -04:00
Thomas Stromberg 6ddc478df4 fpr: Brother, Intel OneAPI, k6, firefox 2023-03-17 15:08:22 -04:00
Thomas Stromberg fb6af4858a chmod events: broaden snap exception 2023-03-17 10:52:28 -04:00
Thomas Stromberg 9eeae99f24 modernize high-disk-bytes queries 2023-03-17 10:48:17 -04:00
Thomas Stromberg 2bfd736d37 Use p0_cmd instead of p0.cmdline 2023-03-17 06:37:18 -04:00
Thomas Stromberg 7ee331b399 Add missing comma 2023-03-17 06:35:15 -04:00
Thomas Stromberg 7ceb7b2b19 fpr: NetworkManager, packer, rancher desktop, proxmox, sd 2023-03-17 06:32:54 -04:00
Thomas Stromberg 8154560703 chmod events: Include macOS, improve results 2023-03-17 06:24:26 -04:00
Thomas Stromberg 6473469e72 revert euid change in exception key 2023-03-16 17:31:31 -04:00
Thomas Stromberg fbc2b207b4 fpr: Signal, apko, aws, melange, dash, stern 2023-03-16 17:29:11 -04:00
Thomas Stromberg af9a78236e New detector: unexpected chmod exec event 2023-03-16 16:53:32 -04:00
Thomas Stromberg 2e10bdf52b Add unexpected libcurl detector 2023-03-16 16:10:25 -04:00
Thomas Stromberg 824efa9705 fpr: yum, systemd, cloud-sql-proxy, image-automation-controller, helm, bom, aws 2023-03-14 19:00:44 -04:00
Thomas Stromberg 09652bd91f fpr: SA keys, libgtop, haproxy, gvproxy, slirp 2023-03-14 16:05:16 -04:00
Thomas Strömberg 2f16dda2a7 Merge pull request #217 from tstromberg/mismatch 2023-03-14 15:25:24 -04:00
    Rewrite name/path mismatch for lower maintenance
Thomas Stromberg 0c03324296 Reduce fuziness of matching 2023-03-14 15:11:33 -04:00
Thomas Stromberg e23b34dc7b Rewrite name/path mismatch for lower maintenance 2023-03-09 21:11:24 -05:00
Thomas Stromberg b3825ba2b9 fpr: Canon Universal Installer, melange, GPG, key names 2023-03-06 15:11:11 -05:00
Thomas Stromberg 89439e7959 Merge to head 2023-03-04 13:21:42 -05:00
Thomas Stromberg 83de333882 Add dhclient uid0 exception, as appears in Debian 2023-03-04 13:20:26 -05:00
Thomas Stromberg 81b09ae711 fpr: aws certs, AdobePIM, slack 2023-03-04 12:20:53 -05:00
Thomas Stromberg f25cfe1399 fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 07:24:42 -05:00
Thomas Stromberg 12a5507907 Optimize recently-created-executables-macos 2023-02-24 17:24:09 -05:00
Thomas Stromberg 4150b1ee7c macOS: Exceptions for TestFlight apps & specifically Kindle 2023-02-24 17:04:34 -05:00
Thomas Stromberg fb7cd56249 fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 16:30:17 -05:00
Thomas Stromberg 995c1e1104 Fixes so that ODK can run under CI 2023-02-24 12:15:56 -05:00
Thomas Stromberg a7c2ef97e1 Add detectors for the reveng_rtkit rootkit 2023-02-23 17:05:11 -05:00
Thomas Strömberg 0cba2837bc Merge pull request #193 from tstromberg/debian 2023-02-23 10:39:15 -05:00
    Debian uid0: add dhclient and unattended-upgr
Thomas Stromberg d253820cf2 Debian: add dhclient and unattended-upgr 2023-02-23 10:35:26 -05:00
Thomas Strömberg ab5c01a998 Merge pull request #190 from zestysoft/fpr-2 2023-02-23 10:34:04 -05:00
    Add osquery to keyboard_sniffer
Thomas Stromberg d904ca60cf Add exceptions for Debian running under lima 2023-02-23 10:33:10 -05:00
Ian Brown 737eb93b48 Add osquery to keyboard_sniffer 2023-02-21 22:07:08 -08:00
    Signed-off-by: Ian Brown <ian@zestysoft.com>
Thomas Stromberg baab22e282 Run make reformat-updates 2023-02-20 19:12:51 -05:00
Thomas Stromberg 3a4e0450a6 Uncomment remaining columns 2023-02-20 19:11:23 -05:00
Thomas Stromberg d3780c0a6c Remove ubuntu-lts false-positives on lima 2023-02-20 19:10:12 -05:00
Thomas Stromberg e8cf7ecbe3 fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 18:04:17 -05:00