osquery-defense-kit/fd/unexpected-dev-opener-linux.sql

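-- Reports processes that hold an open file descriptor on a /dev node which is
-- neither on the "any program may open this" device list nor on one of the
-- (device, program) allow-lists below.
--
-- Two derived keys drive the allow-lists:
--   path_exception: '<device with its trailing digit run stripped>,<program basename>'
--                   e.g. /dev/video10 opened by ffmpeg   -> '/dev/video,ffmpeg'
--   dir_exception:  '<directory containing the device>,<program basename>'
--                   e.g. /dev/input/event3 opened by Xorg -> '/dev/input,Xorg'
--
-- NOTE(review): both keys use the executable's basename, which the process
-- launcher controls; hash.sha256 is emitted for triage only and takes no part
-- in the filtering.
SELECT
    pof.pid,
    pof.path AS device,
    p.path AS program,
    p.name AS program_name,
    p.cmdline AS cmdline,
    hash.sha256,
    -- Device family: the path with its trailing numeric suffix removed
    -- (/dev/video10 -> /dev/video), or the raw path when it has none.
    -- The capture group must consume every non-digit before the digit run;
    -- a bare greedy '.*' left the last digit behind ('/dev/video1' for
    -- /dev/video10), so multi-digit device numbers never matched the
    -- path_exception list and needed per-path workarounds.
    CONCAT(
        IIF(
            REGEX_MATCH(pof.path, '(/dev/.*[^0-9])[0-9]+$', 1) != '',
            REGEX_MATCH(pof.path, '(/dev/.*[^0-9])[0-9]+$', 1),
            pof.path
        ),
        ',',
        -- program basename: drop everything up to and including the last '/'
        REPLACE(p.path, RTRIM(p.path, REPLACE(p.path, '/', '')), '')
    ) AS path_exception,
    -- Parent directory of the device node, paired with the program basename.
    CONCAT(
        TRIM(
            REPLACE(
                pof.path,
                CONCAT('/', REPLACE(pof.path, RTRIM(pof.path, REPLACE(pof.path, '/', '')), '')),
                ''
            )
        ),
        ',',
        REPLACE(p.path, RTRIM(p.path, REPLACE(p.path, '/', '')), '')
    ) AS dir_exception
FROM process_open_files AS pof
-- LEFT JOINs keep the row when the process row or its binary hash is missing,
-- so a vanished executable still surfaces rather than being filtered out.
LEFT JOIN processes AS p ON pof.pid = p.pid
LEFT JOIN hash ON hash.path = p.path
WHERE pof.path LIKE '/dev/%'
    -- devices any program is expected to open
    AND pof.path NOT IN (
        '/dev/dri/card0',
        '/dev/dri/card1',
        '/dev/dri/renderD128',
        '/dev/dri/renderD129',
        '/dev/fuse',
        '/dev/io8log',
        '/dev/io8logmt',
        '/dev/io8logtemp',
        '/dev/null',
        '/dev/nvidia-modeset',
        '/dev/nvidia-uvm',
        '/dev/nvidia0',
        '/dev/nvidiactl',
        '/dev/ptmx',
        '/dev/pts/ptmx',
        '/dev/random',
        '/dev/rfkill',
        '/dev/snd/seq',
        '/dev/urandom',
        '/dev/vga_arbiter'
        -- '/dev/video10' used to be listed here as a workaround for the
        -- suffix regex; it is now covered by the '/dev/video,<program>' entries.
    )
    -- device families any program is expected to open
    AND pof.path NOT LIKE '/dev/pts/%'
    AND pof.path NOT LIKE '/dev/snd/%'
    AND pof.path NOT LIKE '/dev/tty%'
    AND pof.path NOT LIKE '/dev/hidraw%'
    AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
    AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
    AND pof.path NOT LIKE '/dev/shm/authentik_%'
    -- expected (device directory, program) pairs
    AND dir_exception NOT IN (
        '/dev/bus/usb,pcscd',
        '/dev/bus/usb/001,pcscd',
        '/dev/bus/usb/005,python3.10',
        '/dev/input,acpid',
        '/dev/input,gnome-shell',
        '/dev/input,systemd-logind',
        '/dev/input,systemd',
        '/dev/input,upowerd',
        '/dev/input,Xorg',
        '/dev/net,.tailscaled-wrapped',
        '/dev/net,tailscaled',
        '/dev/shm,1password',
        '/dev/shm,chrome',
        '/dev/shm,code',
        '/dev/shm,electron',
        '/dev/shm,Brackets',
        '/dev/shm,firefox',
        '/dev/shm,gopls',
        '/dev/shm,java',
        '/dev/shm,jcef_helper',
        '/dev/shm,slack',
        '/dev/shm,spotify',
        '/dev/shm,steam',
        '/dev/shm,steamwebhelper',
        '/dev/shm,wine64-preloader',
        '/dev/shm,winedevice.exe',
        '/dev/snd,.pulseaudio-wrapped',
        '/dev/snd,alsactl',
        '/dev/snd,pipewire',
        '/dev/snd,pulseaudio',
        '/dev/snd,wireplumber'
    )
    -- expected (device family, program) pairs
    AND path_exception NOT IN (
        '/dev/autofs,systemd',
        '/dev/hidraw,chrome',
        '/dev/input/event,Xorg',
        '/dev/kmsg,kubelet',
        '/dev/kmsg,systemd-journald',
        '/dev/kmsg,systemd',
        '/dev/net/tun,slirp4netns',
        '/dev/tty,agetty',
        '/dev/tty,gdm-wayland-session',
        '/dev/tty,gdm-x-session',
        '/dev/tty,systemd-logind',
        '/dev/tty,Xorg',
        '/dev/uinput,bluetoothd',
        '/dev/usb/hiddev,apcupsd',
        '/dev/usb/hiddev,upowerd',
        '/dev/video,chrome',
        '/dev/video,ffmpeg',
        '/dev/video,firefox',
        '/dev/video,obs-ffmpeg-mux',
        '/dev/video,obs',
        '/dev/video,vlc',
        '/dev/zfs,zed',
        '/dev/zfs,zfs'
    )
    -- these tools open USB devices but show up as python, so match on the
    -- process name rather than the executable basename
    AND NOT (device LIKE '/dev/bus/usb/%' AND program_name IN ('streamdeck', 'gphoto2', 'fwupd'))
-- One row per process. A pid holding several unexpected devices reports only
-- one of them, and which one is engine-chosen, so treat `device` as a sample
-- and inspect the pid's full descriptor table during triage.
GROUP BY pof.pid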