RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-17 01:47:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
0371505d75
osquery-defense-kit/fs/unexpected-tmp-executables.sql
Thomas Stromberg c6797e3496
Reorganize paths, tune queries a bit
2022-09-09 12:51:52 -04:00

30 lines
1.1 KiB
SQL
Raw Blame History

SELECT file.path, uid, gid, mode, file.mtime, file.size, hash.sha256
FROM file
JOIN hash on file.path = hash.path
WHERE (
file.path LIKE "/tmp/%%"
OR file.path LIKE "/var/tmp/%%"
)
AND file.type = "regular"
AND (file.mode LIKE "%7%" or file.mode LIKE "%5%" or file.mode LIKE "%1%")
AND NOT (
uid > 500 AND (
file.path LIKE "%go-build%" OR
file.path LIKE "%/bin/%-gen" OR
file.path LIKE "%/bin/%" OR
file.path LIKE "%/ko/%" OR
file.path LIKE "%/CCLBS/%" OR
file.path LIKE "%/tmp/epdf%" OR
file.path LIKE "%/pdf-tools/%" OR
file.path LIKE "/tmp/terraformer/%" OR
file.path LIKE "/tmp/checkout/%" OR
file.path LIKE "/tmp/guile-%/guile-%" OR
file.path LIKE "/tmp/com.apple.installer%" OR
(file.size < 4000 AND file.path LIKE "/tmp/%.sh") OR
(file.size < 4000 AND file.path LIKE "/tmp/tmp.%")
)
)
-- Nix
AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
-- Don't alert if it's only on disk for a moment
AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
Reference in New Issue View Git Blame Copy Permalink