osquery-defense-kit/fd/unexpected-pcap-user.sql

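-- Root-privileged processes that have libpcap mapped into memory, i.e. processes
-- positioned to capture packets. Known-good capturers are allowlisted in the WHERE
-- clause; everything else is returned for review with the binary's SHA-256 so the
-- result can be matched against inventory or threat intel.
--
-- The library match is by mapped-file name only ('%libpcap%'); a capture library
-- under another name is not covered by this query.
SELECT
    pmm.pid,
    p.uid,
    p.gid,
    p.path AS proc_path,
    p.name AS proc_name,
    p.cmdline AS proc_cmd,
    pmm.path AS lib_path,
    -- the table is aliased as h, so its columns must be referenced through h
    h.sha256
FROM process_memory_map AS pmm
INNER JOIN processes AS p
    ON pmm.pid = p.pid
-- NOTE(review): an INNER JOIN drops any process whose binary cannot be hashed
-- (e.g. executable removed from disk); switch to LEFT JOIN if those should be kept.
INNER JOIN hash AS h
    ON p.path = h.path
WHERE pmm.path LIKE '%libpcap%'
    -- judge by the effective uid (what the process runs as); euid is a processes column
    AND p.euid = 0
    -- allowlist by path pattern (SQLite permits SELECT aliases in WHERE)
    AND proc_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
    AND proc_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd-journald'
    AND proc_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd-logind'
    AND proc_path NOT LIKE '/nix/store/%-systemd-%/bin/udevadm'
    AND proc_path NOT LIKE '/System/Library/%'
    AND proc_path NOT LIKE '/nix/store/%/bin/nix'
    -- allowlist by exact path
    AND proc_path NOT IN (
        '/usr/libexec/UserEventAgent',
        '/usr/sbin/systemstats',
        '/usr/sbin/cupsd',
        '/usr/bin/tcpdump'
    )
    -- allowlist by exact command line, for binaries whose path alone is not specific enough
    AND proc_cmd NOT IN (
        '/nix/var/nix/profiles/default/bin/nix-daemon',
        '/run/current-system/systemd/lib/systemd/systemd',
        '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid'
    )
-- collapse to one row per process even when libpcap is mapped more than once
GROUP BY pmm.pid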