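-- Unusually tainted kernel - via a loaded kernel module
--
-- references:
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
-- * https://docs.kernel.org/admin-guide/tainted-kernels.html
--
-- Confirmed to catch revenge-rtkit
--
-- false positives:
-- * custom kernel modules
--
-- tags: persistent kernel state
-- platform: linux
--
-- Each flag column below isolates one bit of kernel.tainted (bit values from
-- tainted-kernels.html). The result is the bit value itself (e.g. 8192) or 0,
-- never 1, so callers must test these columns with != 0, not = 1.
SELECT
  taint,
  taint & 65536 AS is_aux, -- bit 16 'X': auxiliary taint, distribution-defined
  taint & 8192 AS is_unsigned, -- bit 13 'E': unsigned module has been loaded
  taint & 4096 AS out_of_tree, -- bit 12 'O': out-of-tree module has been loaded
  taint & 512 AS kernel_warning, -- bit 9 'W': kernel issued a warning
  taint & 64 AS requested_by_userspace, -- bit 6 'U': taint requested by userspace (614 was a typo and is not a single bit)
  taint & 8 AS force_unloaded, -- bit 3 'R': a module was force-unloaded
  taint & 4 AS out_of_spec, -- bit 2 'S': running on an out-of-specification system
  taint & 2 AS force_loaded, -- bit 1 'F': a module was force-loaded
  taint & 1 AS proprietary, -- bit 0 'P': proprietary module has been loaded
  modules
FROM (
  SELECT
    -- sysctl values arrive as text; cast once so the bitwise masks and the
    -- IN-list comparisons below are plain integer arithmetic
    CAST(sc.current_value AS INTEGER) AS taint,
    -- comma-separated module list for the alert; SQLite does not guarantee
    -- GROUP_CONCAT ordering, so do not rely on it being sorted
    GROUP_CONCAT(km.name) AS modules,
    -- same list bracketed with commas so ',name,' also matches the first and
    -- last module, which a bare '%,name,%' pattern would miss
    ',' || GROUP_CONCAT(km.name) || ',' AS padded_modules
  FROM system_controls sc
  -- one sysctl row fanned out against every loaded module, then aggregated
  CROSS JOIN kernel_modules km
  WHERE sc.name = 'kernel.tainted'
)
-- Taint values that need no alert:
-- 4096 is a signed, out of tree, open source driver
-- 4097 is a signed, out of tree, proprietary driver
-- 512 is a kernel warning
WHERE
  taint NOT IN (0, 512, 4096, 4097)
  -- Some day, folks will sign rootkits. That day isn't today.
  -- is_unsigned is 8192 or 0 (see column definition), so "= 1" could never
  -- match and silenced the rule entirely; test for the bit being set instead.
  AND is_unsigned != 0
  AND NOT (
    (
      -- 12289 is an unsigned, out of tree, proprietary
      -- 12801 is an unsigned, out of tree, proprietary with kernel warning. not great.
      taint IN (12289, 12801)
      AND (
        padded_modules LIKE '%,nvidia,%'
        -- NOTE(review): "v42loopback" is almost certainly a typo for v4l2loopback
        -- (spelled correctly below); left unchanged so this edit does not widen the allowlist
        OR padded_modules LIKE '%,v42loopback,%'
        OR padded_modules LIKE '%,wl,%'
      )
    )
    OR (
      -- 12352 is unsigned, out of tree, requested by user space
      -- 12289 is an unsigned, out of tree, proprietary
      taint IN (12352, 12289)
      AND padded_modules LIKE '%,v4l2loopback,%'
    )
  )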