47 lines
1.2 KiB
SQL
47 lines
1.2 KiB
SQL
-- Unexpected /etc/hosts entries
|
|
--
|
|
-- false positives:
|
|
-- * developers adding entries for their own use
|
|
--
|
|
-- references:
|
|
-- * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation)
|
|
--
|
|
-- tags: persistent seldom filesystem net
|
|
SELECT
|
|
*
|
|
FROM
|
|
etc_hosts
|
|
WHERE
|
|
hostnames NOT IN (
|
|
'localhost',
|
|
'localhost ip6-localhost ip6-loopback',
|
|
'localhost localhost.localdomain localhost4 localhost4.localdomain4',
|
|
'ip6-allnodes',
|
|
'ip6-allrouters',
|
|
'kubernetes'
|
|
)
|
|
AND address NOT IN (
|
|
'::1',
|
|
'ff02::1',
|
|
'ff02::2',
|
|
'255.255.255.255',
|
|
'fe00::0',
|
|
'ff00::0'
|
|
)
|
|
AND address NOT LIKE '127.%'
|
|
AND address NOT LIKE '172.%'
|
|
AND address NOT LIKE '192.168.%'
|
|
AND address NOT LIKE '10.%'
|
|
AND hostnames NOT LIKE 'localhost.%'
|
|
AND hostnames NOT LIKE '%k8s%'
|
|
AND hostnames NOT LIKE '%.svc'
|
|
AND hostnames NOT LIKE '%.%-%.%.dev'
|
|
AND hostnames NOT LIKE '%local%'
|
|
AND hostnames NOT LIKE '%.wtf'
|
|
AND hostnames NOT LIKE '%.test'
|
|
AND hostnames NOT LIKE '%.internal'
|
|
AND hostnames NOT LIKE '%.local'
|
|
AND hostnames NOT LIKE "%.cloud"
|
|
AND hostnames NOT LIKE 'ip6-%'
|
|
AND hostnames NOT LIKE "%.example.com"
|