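-- Unexpected /etc/hosts entries
--
-- false positives:
--   * developers adding entries for their own use
--
-- references:
--   * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
--
-- tags: persistent seldom filesystem net
SELECT
  *
FROM
  etc_hosts
WHERE
  -- Exact values of the hostnames column that are treated as expected.
  -- The multi-name literals show that this column holds every name on a
  -- hosts line as one space-separated string, so the comparison is against
  -- the whole string, not against each individual name.
  hostnames NOT IN (
    'localhost',
    'localhost ip6-localhost ip6-loopback',
    'localhost localhost.localdomain localhost4 localhost4.localdomain4',
    'ip6-allnodes',
    'ip6-allrouters',
    'kubernetes'
  )
  -- Loopback, multicast and broadcast addresses that default hosts files
  -- commonly carry.
  AND address NOT IN (
    '::1',
    'ff02::1',
    'ff02::2',
    '255.255.255.255',
    'fe00::0',
    'ff00::0'
  )
  -- Loopback and RFC 1918 private ranges: a name pinned to one of these is
  -- treated as local or lab use rather than a redirect to an outside host.
  AND address NOT LIKE '127.%'
  -- Only 172.16.0.0/12 is private. The previous '172.%' pattern also
  -- suppressed publicly routable 172.x addresses, hiding exactly the kind
  -- of redirect this query exists to surface.
  AND address NOT GLOB '172.1[6-9].*'
  AND address NOT GLOB '172.2[0-9].*'
  AND address NOT GLOB '172.3[01].*'
  AND address NOT LIKE '192.168.%'
  AND address NOT LIKE '10.%'
  -- Hostname patterns treated as development or cluster-internal naming.
  -- Suffix patterns ('%.svc', '%.test', ...) are anchored to the end of the
  -- whole hostnames string, so on a multi-name line they only match when the
  -- LAST name carries the suffix.
  AND hostnames NOT LIKE 'localhost.%'
  AND hostnames NOT LIKE '%k8s%'
  AND hostnames NOT LIKE '%.svc'
  AND hostnames NOT LIKE '%.%-%.%.dev'
  -- NOTE(review): '%local%' is an unanchored substring match; it already
  -- covers 'localhost.%' and '%.local', and it suppresses any line whose
  -- hostnames merely contain "local". Consider tightening if that proves
  -- too permissive for your fleet.
  AND hostnames NOT LIKE '%local%'
  AND hostnames NOT LIKE '%.wtf'
  AND hostnames NOT LIKE '%.test'
  AND hostnames NOT LIKE '%.internal'
  AND hostnames NOT LIKE '%.local'
  -- Single-quoted: a double-quoted token is an identifier in SQL and only
  -- works as a string through SQLite's legacy fallback.
  AND hostnames NOT LIKE '%.cloud'
  AND hostnames NOT LIKE 'ip6-%'
  AND hostnames NOT LIKE '%.example.com'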