RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-18 19:40:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
711 Commits 1 Branch 31 Tags 6.2 MiB
e8cf7ecbe3
Commit Graph

711 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Stromberg
e8cf7ecbe3
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 18:04:17 -05:00
Thomas Strömberg
9caafd4743
Merge pull request #187 from tstromberg/systemd-refactor 
systemd units: increase size bucket from 100 to 225
 2023-02-20 13:10:54 -05:00
Thomas Stromberg
82de4c9c2a
systemd units: increase size bucket from 100 to 225 2023-02-20 13:10:07 -05:00
Thomas Strömberg
575767eea1
Merge pull request #186 from tstromberg/fix-changes 
macos sniffers: back out osquery change until we understand it better
 2023-02-20 12:01:04 -05:00
Thomas Stromberg
75b7ec5552
macos sniffers: back out osquery change until we understand it better, sort exceptions 2023-02-20 11:58:43 -05:00
Thomas Strömberg
d6f903bb00
Merge pull request #185 from zestysoft/fpr-1 
fpr: Fujitsu, vmware, objective-see, paragon, etc
 2023-02-20 11:53:31 -05:00
Ian Brown
d64fd44604
fix 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 19:44:31 -08:00
Ian Brown
91f653262c
More osquery matches 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 11:24:54 -08:00
Ian Brown
96e95a7f37
Add additional talkers 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-19 11:11:13 -08:00
Ian Brown
74114dd34e
Swap like for equal 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 16:11:35 -08:00
Ian Brown
ffd552aa54
Missed one 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 16:10:48 -08:00
Ian Brown
551d7dbb8c
fpr: Fujitsu, vmware, objective-see, paragon, etc 
Signed-off-by: Ian Brown <ian@zestysoft.com>
 2023-02-18 12:02:40 -08:00
Thomas Strömberg
53b34621d3
Merge pull request #184 from tstromberg/friday-sweep 
overwritten memory: filter out pathless kernel bits
 2023-02-17 17:21:25 -05:00
Thomas Stromberg
5949ad1551
overwritten memory: filter out pathless kernel bits 2023-02-17 17:20:20 -05:00
Thomas Strömberg
31d74f1e68
Merge pull request #183 from tstromberg/friday-sweep 
Rewrite exotic-command-events-linux with INSTR to decrease CPU time
 2023-02-17 16:40:27 -05:00
Thomas Stromberg
c2b0423606
Rewrite exotic-command-events-linux with INSTR to decrease CPU time 2023-02-17 16:39:52 -05:00
Thomas Strömberg
4d90caa0ff
Merge pull request #182 from tstromberg/friday-sweep 
gcloud: filter out last_update_check, last_survey_prompt
 2023-02-17 12:04:10 -05:00
Thomas Stromberg
504ef2c8dd
gcloud: filter out last_update_check, last_survey_prompt 2023-02-17 12:03:36 -05:00
Thomas Strömberg
a4ad9b2aaa
Merge pull request #181 from tstromberg/friday-sweep 
execdir events macOS: Fix ambiguous path
 2023-02-17 12:01:38 -05:00
Thomas Stromberg
d25a89f241
execdir events macOS: Fix ambiguous path 2023-02-17 12:01:08 -05:00
Thomas Strömberg
2de44fc301
Merge pull request #180 from tstromberg/friday-sweep 
False positive flush, particularly in talkers
 2023-02-17 11:58:12 -05:00
Thomas Stromberg
f87541c945
False positive flush, particularly in talkers 2023-02-17 11:57:23 -05:00
Thomas Strömberg
8976bfecf2
Merge pull request #179 from tstromberg/ddexec 
New detector: overwritten memory map
 2023-02-17 10:49:57 -05:00
Thomas Stromberg
2e95606d9c
New detector: overwritten memory map 2023-02-17 10:49:19 -05:00
Thomas Strömberg
f5798047cc
Merge pull request #178 from tstromberg/wutang 
Linux events: decrease CPU usage of elevated children & execdir
 2023-02-17 10:48:50 -05:00
Thomas Stromberg
a655122eec
name path mismatch: only whitelist shells with same cmdlines 2023-02-17 10:47:49 -05:00
Thomas Stromberg
3d13d4995a
hidden system paths: include inode 2023-02-17 10:41:42 -05:00
Thomas Stromberg
00398d447b
Look for setuid binaries in /usr/libexec too 2023-02-17 10:41:28 -05:00
Thomas Stromberg
bc359d69ce
Linux events: decrease CPU usage of elevated children & execdir 2023-02-17 10:40:58 -05:00
Thomas Strömberg
a4ae39a66c
Merge pull request #177 from tstromberg/wutang 
New detector: unexpected ssh-authorized-keys
 2023-02-14 20:36:58 -05:00
Thomas Stromberg
ec675bfb8d
New detector: unexpected ssh-authorized-keys 2023-02-14 20:36:27 -05:00
Thomas Strömberg
be02e9f785
Merge pull request #176 from tstromberg/wutang 
Add chattr, setenforce to unexpected-sysutils
 2023-02-14 20:36:05 -05:00
Thomas Stromberg
5eefbd0dba
Add chattr, setenforce to unexpected-sysutils 2023-02-14 20:35:24 -05:00
Thomas Strömberg
575ebdd776
Merge pull request #175 from tstromberg/wutang 
fpr: ACE, Prusa, Ecamm, setroubleshootd, steam, pacman, Xcode, Adobe
 2023-02-14 20:17:13 -05:00
Thomas Stromberg
cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg
0049ab06b1
Merge branch 'main' into wutang 2023-02-14 19:46:43 -05:00
Thomas Stromberg
8d4531198f
fpr: My ORA, Ecamm, setroubleshootd, etc 2023-02-14 19:46:36 -05:00
Thomas Strömberg
78cb030f40
Merge pull request #174 from tstromberg/wutang 
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc
 2023-02-14 08:33:45 -05:00
Thomas Stromberg
d897f0b50d
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc 2023-02-14 08:33:05 -05:00
Thomas Strömberg
059bdbb649
Merge pull request #173 from tstromberg/makefile 
Makefile: Add reformat-updates target
 2023-02-10 10:33:26 -05:00
Thomas Stromberg
ebb9780036
Makefile: Add reformat-updates target 2023-02-10 10:33:04 -05:00
Thomas Strömberg
d3d01bd5a1
Merge pull request #172 from tstromberg/allow-caddy 
listening ports: Include caddy, kubectl, node in wider listening range
 2023-02-10 10:32:49 -05:00
Thomas Stromberg
99f8793169
Remove com.docker.backend (macOS specific) 2023-02-10 10:32:14 -05:00
Thomas Stromberg
e8d86af906
Make sure caddy & kubectl are in the wider listening range 2023-02-10 10:31:19 -05:00
Thomas Strömberg
a53c5204d4
Merge pull request #171 from tstromberg/pack-analysis 
New check: Launch Constraint Violation (macOS)
 2023-02-10 10:24:42 -05:00
Thomas Stromberg
34282eacec
Increase polling interval to 15 min 2023-02-10 10:24:20 -05:00
Thomas Stromberg
0b6e503627
New check: Launch Constraint Violation (macOS) 2023-02-10 10:22:13 -05:00
Thomas Strömberg
900f6b3921
Merge pull request #170 from tstromberg/pack-analysis 
False positive removal and minor query perf improvements
 2023-02-10 10:21:38 -05:00
Thomas Stromberg
4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
Thomas Strömberg
3c346e722a
Merge pull request #169 from tstromberg/pack-analysis 
FPR: spotify, htop, dnsmasq, sshd
 2023-02-09 17:56:25 -05:00