RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-03-01 08:20:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
693 Commits 1 Branch 31 Tags 7.4 MiB
c2b0423606
Commit Graph

411 Commits

Author SHA1 Message Date
Thomas Stromberg
c2b0423606
Rewrite exotic-command-events-linux with INSTR to decrease CPU time 2023-02-17 16:39:52 -05:00
Thomas Stromberg
504ef2c8dd
gcloud: filter out last_update_check, last_survey_prompt 2023-02-17 12:03:36 -05:00
Thomas Stromberg
d25a89f241
execdir events macOS: Fix ambiguous path 2023-02-17 12:01:08 -05:00
Thomas Stromberg
f87541c945
False positive flush, particularly in talkers 2023-02-17 11:57:23 -05:00
Thomas Strömberg
8976bfecf2
Merge pull request #179 from tstromberg/ddexec 
New detector: overwritten memory map
 2023-02-17 10:49:57 -05:00
Thomas Stromberg
2e95606d9c
New detector: overwritten memory map 2023-02-17 10:49:19 -05:00
Thomas Stromberg
a655122eec
name path mismatch: only whitelist shells with same cmdlines 2023-02-17 10:47:49 -05:00
Thomas Stromberg
3d13d4995a
hidden system paths: include inode 2023-02-17 10:41:42 -05:00
Thomas Stromberg
00398d447b
Look for setuid binaries in /usr/libexec too 2023-02-17 10:41:28 -05:00
Thomas Stromberg
bc359d69ce
Linux events: decrease CPU usage of elevated children & execdir 2023-02-17 10:40:58 -05:00
Thomas Stromberg
ec675bfb8d
New detector: unexpected ssh-authorized-keys 2023-02-14 20:36:27 -05:00
Thomas Stromberg
5eefbd0dba
Add chattr, setenforce to unexpected-sysutils 2023-02-14 20:35:24 -05:00
Thomas Stromberg
cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg
8d4531198f
fpr: My ORA, Ecamm, setroubleshootd, etc 2023-02-14 19:46:36 -05:00
Thomas Stromberg
d897f0b50d
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc 2023-02-14 08:33:05 -05:00
Thomas Stromberg
99f8793169
Remove com.docker.backend (macOS specific) 2023-02-10 10:32:14 -05:00
Thomas Stromberg
e8d86af906
Make sure caddy & kubectl are in the wider listening range 2023-02-10 10:31:19 -05:00
Thomas Stromberg
34282eacec
Increase polling interval to 15 min 2023-02-10 10:24:20 -05:00
Thomas Stromberg
0b6e503627
New check: Launch Constraint Violation (macOS) 2023-02-10 10:22:13 -05:00
Thomas Stromberg
4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
Thomas Stromberg
593991adb8
Purge observed false positives 2023-02-09 17:54:41 -05:00
Thomas Stromberg
a1105fec93
Fix broken updates to exotic-commands-macos 2023-02-09 17:06:09 -05:00
Thomas Stromberg
a8ed058d4d
Query performance improvements, add pids, decrease frequency 2023-02-09 17:01:29 -05:00
Thomas Strömberg
ca316a0420
Merge pull request #166 from tstromberg/fpr-catch-up 
Add exclusions for google-cloud-sdk & Blackmagic firmware
 2023-02-08 20:55:53 -05:00
Thomas Strömberg
eef833287a
Merge pull request #164 from NACHOSWITHCHEESE/fixing-macos-detection-compatibility 
Modified detections explicitly targeted towards macOS to not include cgroup field
 2023-02-08 20:54:45 -05:00
Thomas Stromberg
209a5e08af
Add /Library/ThunderboltAcessoryFirmwareUpdates 2023-02-08 20:53:39 -05:00
Thomas Stromberg
eddefaae48
Fix gcloud exclusion, sort queries 2023-02-08 20:53:19 -05:00
Thomas Stromberg
3eb2c80d92
Add kubectl from google-cloud-sdk 2023-02-08 20:53:03 -05:00
Thomas Stromberg
72326c3b5c
Massive reduction of false positives across the board 2023-02-08 20:06:26 -05:00
Thomas Stromberg
51151290fb
Refactor unexpected tmp executables for speed & decreased hits 2023-02-08 20:06:10 -05:00
echunduri
e44dc167e9 Modified detections explicilty targeted towards macOS to not include cgroup_path fields anymore 2023-02-09 10:57:03 +11:00
Thomas Stromberg
e57f03b89f
fpr: Opera, TextExpander, socket_vmnet, elive, etc 2023-02-08 15:12:10 -05:00
Thomas Stromberg
5274198687
Add exceptions for socket_vmnet and pnpd 2023-02-08 14:44:22 -05:00
Thomas Stromberg
2634e9d45b
Monday morning false-positive purge 2023-02-08 14:37:09 -05:00
Thomas Stromberg
c55c0225ac
Replace unexpected-vol-names with sketchy-mounted-diskimage 2023-02-08 10:14:32 -05:00
Thomas Stromberg
9652464b27
Add local port and address to network queries 2023-02-08 10:12:44 -05:00
Thomas Stromberg
d302a9ff55
Purge false positives, again and again 2023-02-02 21:46:53 -05:00
Thomas Stromberg
9ea6486121
Fix start-iap-tunnel matching 2023-02-02 20:55:46 -05:00
Thomas Stromberg
2bdb9f2f3e
Add more macOS software authorities 2023-02-02 20:53:22 -05:00
Thomas Stromberg
668f012a92
Remove 'launchctl load' as an exotic event (too noisy) 2023-02-02 20:44:14 -05:00
Thomas Stromberg
1cf0a1e89d
Remove zsh from exotic list 2023-02-02 20:35:30 -05:00
Thomas Stromberg
41ee6feced
Merge remote-tracking branch 'upstream/main' 2023-02-02 20:33:46 -05:00
Thomas Stromberg
91b20a98fd
Add uid0 exception for Logitech 2023-02-02 20:33:34 -05:00
Thomas Strömberg
d885578e28
Merge pull request #158 from tstromberg/fpr-again 
Rewrite unexpecetd uid0 for Linux, include cgroup info
 2023-02-02 20:33:01 -05:00
Thomas Stromberg
a3ec1bf2bf
Rewrite unexpecetd uid0 for Linux, include cgroup info 2023-02-02 20:30:55 -05:00
Thomas Strömberg
546cb47cef
Merge pull request #157 from tstromberg/fpr-again 
Add new Kolide signing authority as a valid talker
 2023-02-02 19:50:33 -05:00
Thomas Stromberg
d039449330
Add new Kolide signing authority as a valid talker 2023-02-02 19:50:13 -05:00
Thomas Stromberg
bb3e1f964e
Run make reformat, update max rows for incident response 2023-02-02 17:58:19 -05:00
Thomas Stromberg
809645a3bf
Add new Kolide id, fix some debug lines 2023-02-02 17:42:46 -05:00
Thomas Stromberg
ba45449f7d
unexpected uid0: fix bug, make faster 2023-02-02 17:16:35 -05:00