85 lines
3.5 KiB
SQL
85 lines
3.5 KiB
SQL
SELECT
|
|
pof.pid,
|
|
pof.path AS device,
|
|
p.path AS program,
|
|
p.name AS program_name,
|
|
p.cmdline AS cmdline,
|
|
hash.sha256,
|
|
s.authority,
|
|
s.identifier,
|
|
CONCAT (
|
|
IIF(
|
|
REGEX_MATCH (pof.path, "(/dev/.*)\d+$", 1) != "",
|
|
REGEX_MATCH (pof.path, "(/dev/.*)\d+", 1),
|
|
pof.path
|
|
),
|
|
",",
|
|
REPLACE(
|
|
p.path,
|
|
RTRIM(p.path, REPLACE(p.path, "/", "")),
|
|
""
|
|
),
|
|
",",
|
|
s.authority,
|
|
",",
|
|
s.identifier
|
|
) AS exception_key
|
|
FROM
|
|
process_open_files pof
|
|
LEFT JOIN processes p ON pof.pid = p.pid
|
|
LEFT JOIN hash ON hash.path = p.path
|
|
LEFT JOIN signature s ON p.path = s.path
|
|
WHERE
|
|
pof.path LIKE "/dev/%"
|
|
AND pof.path NOT IN (
|
|
"/dev/null",
|
|
"/dev/ptmx",
|
|
"/dev/random",
|
|
"/dev/tty",
|
|
"/dev/urandom"
|
|
)
|
|
AND pof.path NOT LIKE "/dev/ttys%"
|
|
-- Assume SIP
|
|
AND p.path NOT LIKE "/System/%"
|
|
AND p.path NOT LIKE "/usr/libexec/%"
|
|
AND p.path NOT LIKE "/usr/sbin/%"
|
|
AND exception_key NOT IN (
|
|
"/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond",
|
|
"/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd",
|
|
"/dev/auditsessions,authd,Software Signing,com.apple.authd",
|
|
"/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred",
|
|
"/dev/auditsessions,securityd,Software Signing,com.apple.securityd",
|
|
"/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver",
|
|
"/dev/autofs,automountd,Software Signing,com.apple.automountd",
|
|
"/dev/bpf,airportd,Software Signing,com.apple.airport.airportd",
|
|
"/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd",
|
|
"/dev/console,launchd,Software Signing,com.apple.xpc.launchd",
|
|
"/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd",
|
|
"/dev/io8log,airportd,Software Signing,com.apple.airport.airportd",
|
|
"/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter",
|
|
"/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd",
|
|
"/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices",
|
|
"/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd",
|
|
"/dev/io8logtemp,airportd,Software Signing,com.apple.airport.airportd",
|
|
"/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter",
|
|
"/dev/io8logtemp,PerfPowerServices,Software Signing,com.apple.PerfPowerServices",
|
|
"/dev/io8logtemp,symptomsd,Software Signing,com.apple.symptomsd",
|
|
"/dev/io8logtemp,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent",
|
|
"/dev/io8logtemp,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd",
|
|
"/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent",
|
|
"/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd",
|
|
"/dev/io,airportd,Software Signing,com.apple.airport.airportd",
|
|
"/dev/io,ControlCenter,Software Signing,com.apple.controlcenter",
|
|
"/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices",
|
|
"/dev/io,symptomsd,Software Signing,com.apple.symptomsd",
|
|
"/dev/io,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent",
|
|
"/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd",
|
|
"/dev/klog,syslogd,Software Signing,com.apple.syslogd",
|
|
"/dev/oslog,logd,Software Signing,com.apple.logd",
|
|
"/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices",
|
|
"/dev/xcpm,systemstats,Software Signing,com.apple.systemstats",
|
|
"/dev/xcpm,thermald,Software Signing,com.apple.thermald"
|
|
)
|
|
GROUP BY
|
|
pof.pid
|