osquery-defense-kit

Commit Graph

Select branches

Hide Pull Requests

main

#1

#10

#100

#101

#102

#103

#104

#105

#106

#107

#108

#109

#11

#110

#111

#112

#113

#114

#115

#116

#117

#118

#119

#12

#120

#121

#122

#123

#124

#125

#126

#127

#128

#129

#13

#130

#131

#132

#133

#134

#135

#136

#137

#138

#139

#14

#140

#141

#142

#143

#144

#145

#146

#147

#148

#149

#15

#150

#151

#152

#153

#154

#155

#156

#157

#158

#159

#16

#160

#162

#163

#164

#165

#166

#167

#168

#169

#17

#170

#171

#172

#173

#174

#175

#176

#177

#178

#179

#18

#180

#181

#182

#183

#184

#185

#186

#187

#188

#189

#19

#190

#191

#192

#193

#194

#195

#196

#197

#198

#199

#2

#200

#201

#202

#203

#204

#205

#206

#207

#208

#209

#210

#211

#212

#213

#214

#215

#216

#217

#218

#219

#220

#221

#222

#223

#224

#225

#226

#227

#228

#229

#23

#230

#231

#232

#233

#234

#235

#236

#237

#238

#239

#24

#240

#241

#242

#243

#244

#245

#246

#247

#248

#249

#250

#251

#252

#253

#254

#255

#256

#257

#258

#259

#26

#260

#261

#262

#263

#264

#265

#266

#267

#268

#269

#27

#270

#271

#272

#273

#274

#275

#276

#277

#278

#279

#28

#280

#281

#282

#283

#284

#285

#286

#287

#288

#289

#29

#290

#291

#292

#293

#294

#295

#296

#297

#298

#299

#3

#30

#300

#301

#302

#303

#304

#305

#306

#307

#308

#309

#31

#310

#311

#312

#313

#314

#315

#316

#317

#318

#319

#32

#320

#321

#322

#323

#324

#325

#326

#327

#328

#329

#33

#330

#331

#332

#333

#334

#335

#336

#337

#338

#339

#34

#340

#341

#342

#343

#344

#345

#346

#347

#348

#349

#35

#350

#351

#352

#353

#354

#355

#356

#357

#358

#359

#36

#360

#361

#362

#363

#364

#365

#366

#367

#368

#369

#370

#371

#372

#373

#374

#375

#376

#377

#378

#379

#38

#380

#381

#382

#383

#384

#385

#386

#387

#388

#389

#39

#390

#391

#392

#393

#394

#395

#396

#397

#398

#399

#4

#40

#400

#401

#402

#403

#404

#405

#406

#407

#408

#409

#41

#410

#411

#412

#413

#414

#415

#416

#417

#418

#419

#42

#420

#421

#422

#423

#424

#425

#426

#427

#428

#43

#44

#45

#46

#47

#48

#49

#5

#50

#51

#52

#53

#54

#55

#56

#57

#58

#59

#6

#60

#61

#62

#63

#64

#65

#66

#67

#68

#69

#7

#70

#71

#72

#73

#74

#75

#76

#77

#78

#79

#8

#80

#81

#82

#83

#84

#85

#86

#87

#88

#89

#9

#90

#91

#92

#93

#94

#95

#96

#97

#98

#99

10.15.0

v0.0.1

v0.0.2

v0.0.3

v0.15.0

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.12.1

v1.12.2

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.6.1

v1.7.0

v1.8.0

v1.9.0

81571d08a1

Merge pull request #428 from egibs/20241120-fpr main Evan Gibler 2024-11-20 14:06:38 -0600
78ec36eca0

Add elastic-endpoint egibs 2024-11-20 14:02:05 -0600
a24c3d2333

Add exceptions for Autodesk, cloud_sql_proxy, .md downloads, TF providers in /tmp/, and more egibs 2024-11-20 13:45:50 -0600
d078e4a1ca

Merge pull request #427 from tstromberg/nov19 Thomas Strömberg 2024-11-19 16:12:21 -0500
4c4423a474

suspicious systemd: accept any char instead of single quote Thomas Stromberg 2024-11-19 16:09:38 -0500
a2c2571ee9

Merge pull request #426 from tstromberg/nov19 Thomas Strömberg 2024-11-19 16:03:35 -0500
8237521d0d

fpr: mark exotic queries as extra, add flatpak/pop-os uid0 procs Thomas Stromberg 2024-11-19 15:49:30 -0500
b85f602726

Merge pull request #425 from tstromberg/nov19 Thomas Strömberg 2024-11-18 16:28:04 -0500
6fb7fa69e1

fpr: mumbel, gvproxy, chainlink, telegram, systemd, etc Thomas Stromberg 2024-11-18 16:16:52 -0500
5e2a562417

Merge pull request #424 from tstromberg/fpr-nov13 Thomas Strömberg 2024-11-13 16:54:01 -0500
71096ba4c7

fpr: mc, colima, webfilterproxyd, headlamp, record it, etc Thomas Stromberg 2024-11-13 16:34:12 -0500
f610ee5e4d

Merge pull request #423 from r0cketlad/main Dave Smith 2024-11-12 08:32:31 -0500
ca768ca4fa fpr: mostly uid0 things Dave Smith 2024-11-12 07:37:29 -0500
95ccc3dda1

Merge pull request #422 from r0cketlad/main Dave Smith 2024-11-08 08:08:15 -0500
f8a942425d fpr: zypper, bambu, terraform, etc Dave Smith 2024-11-08 07:34:33 -0500
ee8619bee6

Merge pull request #421 from r0cketlad/main Dave Smith 2024-11-07 17:28:15 -0500
f9ae1fe921

Update unexpected-uid0-daemon-linux.sql Dave Smith 2024-11-07 17:19:13 -0500
7219f64571 FPR: containerd, cupsd, etc Dave Smith 2024-11-07 17:11:45 -0500
c5b507a230

Merge pull request #420 from r0cketlad/main Dave Smith 2024-11-07 11:50:32 -0500
335aca58b7 false positive reduction: apt, auditd, dockerd, etc. Dave Smith 2024-11-07 10:00:40 -0500
12019d4ae1

Merge pull request #419 from egibs/20241101-exceptions Dave Smith 2024-11-01 15:32:20 -0400
be9e4f7053

Add rules for bambu-studio, extensions, firefox-bin, goland, xdg, and more egibs 2024-11-01 14:25:08 -0500
331e363f1f

Merge pull request #418 from egibs/20241031-exceptions Evan Gibler 2024-10-31 15:52:08 -0500
b121d1f96c

More exceptions to cut down on alert noise egibs 2024-10-31 15:31:34 -0500
d52f919599

Merge pull request #417 from egibs/20241030-exceptions Evan Gibler 2024-10-30 14:24:51 -0500
1d7a67da0f

Add cg to unexpected-dns-traffic-events, add ubuntu-advantage egibs 2024-10-30 13:06:38 -0500
5acc2b922c

Add msedge egibs 2024-10-30 11:35:32 -0500
4abd265459

Address PR comments egibs 2024-10-30 11:33:49 -0500
18e9879b01

Add deskflow-server and additional repos directory egibs 2024-10-30 10:28:00 -0500
4b47a29a2c

Sort egibs 2024-10-30 08:57:52 -0500
afb1facdf1

Add chainlink to unexpected-talkers-macos egibs 2024-10-30 08:50:30 -0500
e487aac574

Add exceptions for apache2, ChatGPT, and Discord among others egibs 2024-10-30 07:40:25 -0500
f12e6d9258

Merge pull request #416 from tstromberg/oct30 Thomas Strömberg 2024-10-30 09:03:12 -0400
b3c427792b

fpr: framework nix, etc Thomas Stromberg 2024-10-30 08:30:43 -0400
12077261e7

Merge pull request #415 from egibs/arc-unexpected-talker-exception Dave Smith 2024-10-29 17:43:13 -0400
7b1e152266

Add Arc browser talker exception egibs 2024-10-29 16:33:58 -0500
b47bc10f2e

Merge pull request #414 from egibs/20241029-more-exceptions Evan Gibler 2024-10-29 14:41:25 -0500
f67335babb

Add exceptions for Arc, busybox, and Edge; fix existing exceptions egibs 2024-10-29 14:14:25 -0500
bcdc354126

Merge pull request #413 from egibs/20241029-exceptions Evan Gibler 2024-10-29 12:43:22 -0500
9a95064139

Add exceptions for Xcode, Zen browser, Hugo, Krew, and more egibs 2024-10-29 12:08:43 -0500
29c2844af0

Merge pull request #412 from r0cketlad/main Thomas Strömberg 2024-10-29 10:36:42 -0400
f4559b3f97 fpr: bwrap Dave Smith 2024-10-29 09:34:42 -0400
a695f5d2f5

Merge pull request #410 from tstromberg/oct25 Dave Smith 2024-10-25 16:38:43 -0400
98d214e2ad

Merge pull request #411 from chainguard-dev/r0cketlad-patch-1 Dave Smith 2024-10-25 16:36:47 -0400
0c10622a50

add extra tag to high_disk_bytes_read.sql Dave Smith 2024-10-25 14:17:32 -0400
7fad85ceeb

Merge pull request #409 from chainguard-dev/r0cketlad-patch-1 Thomas Strömberg 2024-10-25 11:29:55 -0400
1c17532ae8

fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion Thomas Stromberg 2024-10-25 11:29:40 -0400
3a005452ee

add extra tag to unified_log_macos.sql Dave Smith 2024-10-25 10:53:19 -0400
f59a4bdb58

Merge pull request #408 from chainguard-dev/r0cketlad-patch-1 Dave Smith 2024-10-24 19:37:25 -0400
7ad81b16c2

add extra tag to setxid-cmdline-overflow-attempt.sql Dave Smith 2024-10-24 18:42:46 -0400
59575e227b

Merge pull request #407 from tstromberg/oct24 Thomas Strömberg 2024-10-24 15:55:10 -0400
462fbef639

Mark as extra, as this query is racey Thomas Stromberg 2024-10-24 15:36:21 -0400
bf8b60cd33

Fix cursor placement Thomas Stromberg 2024-10-24 15:36:05 -0400
0b41ec5d07

unexpected fetcher parents: add Cursor Helper Thomas Stromberg 2024-10-24 15:34:04 -0400
f038dc7557

fpr, refactor minimal-socket-client-macos Thomas Stromberg 2024-10-24 15:12:33 -0400
a46fa30676

Merge pull request #406 from tstromberg/talkers-borken-merge Thomas Strömberg 2024-10-24 11:56:25 -0400
d4946eb86e

Merge pull request #405 from tstromberg/oct24 Thomas Strömberg 2024-10-24 11:56:15 -0400
38ced95bc2

fix broken merge Thomas Stromberg 2024-10-24 11:33:35 -0400
25f0e14790

add more exceptions Thomas Stromberg 2024-10-24 11:31:28 -0400
781f1a33af

fpr + Mark touched-executable as extra on macOS Thomas Stromberg 2024-10-24 11:20:06 -0400
63c6e58eeb prepending low confidence identifier to all checks with extra tags Dave Smith 2024-10-24 08:18:25 -0400
c4b6da1596

Merge pull request #403 from tstromberg/oct23 Thomas Strömberg 2024-10-23 17:48:48 -0400
f3baa1d042

fpr: wider talkers exception, chrome extensions, postgres Thomas Stromberg 2024-10-23 17:28:37 -0400
1bbf419bfc

Merge pull request #402 from tstromberg/oct23 Thomas Strömberg 2024-10-23 11:41:03 -0400
c8e99a5ee1

Merge pull request #400 from r0cketlad/21oct2024 Thomas Strömberg 2024-10-23 11:40:41 -0400
78d243abf0

fpr: bpftool, curl, pulumi, Docker Desktop, go tests Thomas Stromberg 2024-10-23 10:59:37 -0400
fbf9a565c6

Update evenly-timestomped.sql Dave Smith 2024-10-23 10:02:37 -0400
899fc1dfca

Update unexpected-setuid-binaries.sql Dave Smith 2024-10-23 08:32:35 -0400
fe868f4bbb

Update evenly-timestomped.sql Dave Smith 2024-10-23 08:31:20 -0400
5c7bdbc31f

Merge pull request #401 from tstromberg/oct22 Thomas Strömberg 2024-10-22 16:32:07 -0400
81180803ae

fpr: tune-ppd, lightdm, nami, gradle, etc Thomas Stromberg 2024-10-22 16:12:21 -0400
9a69bb55ba small fpr push Dave Smith 2024-10-22 08:20:24 -0400
67ce4cd92a

Merge pull request #397 from tstromberg/linux-device-refactor v1.18.0 Thomas Strömberg 2024-10-21 11:57:08 -0400
2ff2fa431e

Merge pull request #399 from tstromberg/fpr-oct21 Thomas Strömberg 2024-10-21 11:56:53 -0400
638266bddc

Merge pull request #398 from tstromberg/hidden-exec2 Thomas Strömberg 2024-10-21 11:56:39 -0400
194f3ce17b

Merge pull request #391 from tstromberg/faster-talkers Thomas Strömberg 2024-10-21 10:32:02 -0400
56a764ec05

add /dev/std* as characters, fix perm/mode Thomas Stromberg 2024-10-21 10:27:16 -0400
5d109ec6fd

minor tweaks Thomas Stromberg 2024-10-21 10:23:43 -0400
69850c42af

Add Tailscale/Cisco Thomas Stromberg 2024-10-21 10:19:07 -0400
2da853b35e

fpr: bwrap, malcontent, ld, metallb Thomas Stromberg 2024-10-21 10:15:59 -0400
f7fd6bb2ae

hidden executable refactor Thomas Stromberg 2024-10-21 10:14:43 -0400
122a63c2a3

better /dev/shm handling! Thomas Stromberg 2024-10-21 10:13:38 -0400
8667622ef4

unexpected linux device: Include file types Thomas Stromberg 2024-10-21 09:57:54 -0400
e22dcbf0ee

Merge branch 'main' into faster-talkers Thomas Stromberg 2024-10-18 09:45:39 -0400
1054dfe297

Merge pull request #396 from tstromberg/oct17 Thomas Strömberg 2024-10-17 12:05:16 -0400
3cbb0ab34c

fpr: alf, hidden paths, proc names, listeners, systemd Thomas Stromberg 2024-10-17 11:44:47 -0400
0090392de3

Merge pull request #395 from r0cketlad/16Oct2024 Thomas Strömberg 2024-10-16 15:01:44 -0400
f71898ca70 refactoring alerts to reduce noise Dave Smith 2024-10-16 14:59:43 -0400
575261ac12

Merge pull request #394 from tstromberg/osqtool Thomas Strömberg 2024-10-16 14:12:49 -0400
f99e6bdc1e

upgrade osqtool to v1.4.2 Thomas Stromberg 2024-10-16 10:24:16 -0400
b0549b56e2

Merge pull request #393 from tstromberg/oct16 Thomas Strömberg 2024-10-16 10:14:59 -0400
9f4b8a0b69

refactor to reduce false positives Thomas Stromberg 2024-10-16 09:44:19 -0400
14a9098a9a

widen query scope Thomas Stromberg 2024-10-16 09:32:00 -0400
f5ce082a4e

Merge pull request #392 from tstromberg/oct11 Thomas Strömberg 2024-10-11 10:38:31 -0400
71282a0a62

Relax checks enough to pass tests Thomas Stromberg 2024-10-11 10:38:07 -0400
c65ddc8c0c

exceptions for Bluefin systemd services Thomas Stromberg 2024-10-11 10:06:57 -0400
a3fcee2ad3

Enable suspicious systemd, disable unexpected-active Thomas Stromberg 2024-10-11 10:00:37 -0400
c60c8ccf39

mark https-linux extra, minor query tuning Thomas Stromberg 2024-10-11 09:55:04 -0400
57012f64d9

Performance refactor for unexpected-talkers-macos Thomas Stromberg 2024-09-30 09:43:18 -0400
66a43c8080

Merge pull request #390 from tstromberg/fpr-sep26 Thomas Strömberg 2024-09-26 13:01:15 -0400