RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-01 18:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
4c8eec7342
osquery-defense-kit/fs/unexpected-var-executables-linux.sql
Thomas Stromberg c5dc2464aa
Overdue false positive removal
2022-09-29 15:42:27 -04:00

28 lines
593 B
SQL
Raw Blame History

-- Find unexpected executables in /var
SELECT file.path,
file.directory,
uid,
gid,
mode,
file.mtime,
file.size,
hash.sha256,
magic.data
FROM file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE (file.path LIKE "/var/%%")
AND file.type = "regular"
AND (
file.mode LIKE "%7%"
or file.mode LIKE "%5%"
or file.mode LIKE "%1%"
)
AND file.directory NOT IN (
"/var/lib/colord",
"/var/ossec/agentless",
"/var/ossec/bin",
"/var/ossec/wodles",
"/var/run/booted-system",
"/var/run/current-system"
)
Reference in New Issue View Git Blame Copy Permalink