mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2025-01-22 05:12:59 +00:00
78 lines
1.8 KiB
SQL
78 lines
1.8 KiB
SQL
-- Find programs which spawn root children without propagating environment variables
|
|
--
|
|
-- references:
|
|
-- * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
|
|
--
|
|
-- tags: persistent state daemon process
|
|
-- interval: 600
|
|
-- platform: linux
|
|
SELECT
|
|
COUNT(key) AS count,
|
|
p.pid,
|
|
p.path,
|
|
p.name,
|
|
p.on_disk,
|
|
p.cgroup_path,
|
|
hash.sha256,
|
|
p.parent,
|
|
p.cmdline,
|
|
p.cwd,
|
|
pp.name AS parent_name,
|
|
pp.cmdline AS parent_cmd
|
|
-- Processes is 20X faster to scan than process_envs
|
|
FROM
|
|
processes p
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
LEFT JOIN process_envs pe ON p.pid = pe.pid
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
WHERE
|
|
p.euid = 0
|
|
-- This time should match the interval
|
|
AND p.start_time > (strftime('%s', 'now') - 601)
|
|
-- Filter out transient processes that may not have an envs entry by the time we poll for it
|
|
AND p.start_time < (strftime('%s', 'now') - 1)
|
|
AND p.parent NOT IN (0, 2)
|
|
AND NOT p.path IS NULL
|
|
AND p.name NOT IN (
|
|
'applydeltarpm',
|
|
'bwrap',
|
|
'crond',
|
|
'cupsd',
|
|
'dhcpcd',
|
|
'1Password-Keyri',
|
|
'modprobe',
|
|
'dnf',
|
|
'gdm-x-session',
|
|
'systemd-udevd',
|
|
'gdm-session-wor',
|
|
'systemd-userwor',
|
|
'fprintd',
|
|
'systemd',
|
|
'gpg-agent',
|
|
'systemd-userdbd',
|
|
'nginx',
|
|
'sshd',
|
|
'zfs',
|
|
'ssh',
|
|
'sedispatch',
|
|
'zypak-sandbox'
|
|
)
|
|
AND NOT pp.name IN ('systemd-userdbd', 'crond')
|
|
AND NOT (
|
|
p.name LIKE 'systemd-%'
|
|
AND p.parent = 1
|
|
)
|
|
AND NOT p.cgroup_path IN ('/system.slice/cronie.service')
|
|
AND NOT pp.cmdline LIKE 'bwrap %'
|
|
AND NOT p.cmdline LIKE '%--type=zygote%'
|
|
AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
|
|
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
|
|
AND NOT (
|
|
p.name = 'sh'
|
|
AND p.cgroup_path = '/system.slice/znapzend.service'
|
|
)
|
|
GROUP BY
|
|
p.pid
|
|
HAVING
|
|
count == 0;
|