mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-11 16:44:35 +00:00
17 lines
404 B
SQL
17 lines
404 B
SQL
-- Retrieves all the open files per process in the target system.
|
|
--
|
|
-- tags: postmortem
|
|
-- platform: posix
|
|
SELECT DISTINCT
|
|
pof.pid,
|
|
pof.path,
|
|
p.name,
|
|
p.cmdline
|
|
FROM
|
|
process_open_files pof
|
|
LEFT JOIN processes p ON pof.pid = p.pid
|
|
WHERE
|
|
pof.path NOT LIKE '/private/var/folders%'
|
|
AND pof.path NOT LIKE '/System/Library/%'
|
|
AND pof.path NOT IN ('/dev/null', '/dev/urandom', '/dev/random');
|