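-- Find kernel modules that are not part of the expected list
--
-- false positives:
--   * operating-system updates
--
-- platform: linux
-- tags: latent seldom kernel
SELECT
  *
FROM
  kernel_modules
WHERE
  -- Filter out kernel modules that are required by another kernel module to
  -- reduce false-positives: only modules with no dependents are reported.
  --
  -- The previous predicate, `used_by != NULL`, evaluates to NULL for every row
  -- (any comparison with NULL is UNKNOWN), so the WHERE clause rejected all
  -- rows and this detection could never fire.
  --
  -- NOTE(review): the "no dependents" value is assumed to be '-', as printed in
  -- /proc/modules; NULL and the empty string are accepted as well. Confirm
  -- against the used_by values osquery reports on a live host.
  COALESCE(used_by, '') IN ('', '-')
  -- The allowlist below is matched on module name only, so a module loaded
  -- under one of these names is not reported by this query.
  AND name NOT IN (
    '8021q',
    'ac97_bus',
    'acpi_cpufreq',
    'acpi_pad',
    'acpi_tad',
    'acpi_thermal_rel',
    'aesni_intel',
    'af_alg',
    'af_packet',
    'agpgart',
    'ahci',
    'algif_aead',
    'algif_hash',
    'algif_skcipher',
    'amdgpu',
    'amd_pmc',
    'apple_mfi_fastcharge',
    'asn1_encoder',
    'asus_ec_sensors',
    'asus_wmi',
    'ath',
    'ath10k_core',
    'ath10k_pci',
    'atkbd',
    'authenc',
    'autofs4',
    'backlight',
    'battery',
    'binfmt_misc',
    'bluetooth',
    'bnep',
    'bpf_preload',
    'bridge',
    'br_netfilter',
    'btbcm',
    'btintel',
    'btmtk',
    'btrtl',
    'btusb',
    'button',
    'cbc',
    'ccm',
    'ccp',
    'cdc_ether',
    'cdrom',
    'cec',
    'cfg80211',
    'cmac',
    'configfs',
    'coretemp',
    'cpuid',
    'cqhci',
    'crc16',
    'crc32c_generic',
    'crc32c_intel',
    'crc32_pclmul',
    'crc_t10dif',
    'crct10dif_common',
    'crct10dif_generic',
    'crct10dif_pclmul',
    'cros_ec',
    'cros_ec_chardev',
    'cros_ec_debugfs',
    'cros_ec_dev',
    'cros_ec_ishtp',
    'cros_ec_lpcs',
    'cros_ec_sysfs',
    'cros_usbpd_charger',
    'cros_usbpd_logger',
    'cros_usbpd_notify',
    'cryptd',
    'crypto_simd',
    'crypto_user',
    'ctr',
    'dca',
    'dcdbas',
    'deflate',
    'dell_laptop',
    'dell_smbios',
    'dell_smm_hwmon',
    'dell_wmi',
    'dell_wmi_descriptor',
    'des_generic',
    'dm_bio_prison',
    'dm_bufio',
    'dm_crypt',
    'dm_mod',
    'dm_multipath',
    'dm_persistent_data',
    'dm_thin_pool',
    'drm',
    'drm_buddy',
    'drm_display_helper',
    'drm_dp_helper',
    'drm_kms_helper',
    'drm_ttm_helper',
    'ecb',
    'ecc',
    'ecdh_generic',
    'edac_core',
    'edac_mce_amd',
    'ee1004',
    'eeepc_wmi',
    'efi_pstore',
    'efivarfs',
    'encrypted_keys',
    'essiv',
    'evdev',
    'exfat',
    'ext4',
    'fat',
    'fb_sys_fops',
    'firmware_attributes_class',
    'fuse',
    'garmin_gps',
    'gf128mul',
    'ghash_clmulni_intel',
    'gigabyte_wmi',
    'gpio_amdpt',
    'gpio_generic',
    'gpu_sched',
    'hid',
    'hid_apple',
    'hid_generic',
    'hid_jabra',
    'hid_logitech_dj',
    'hid_logitech_hidpp',
    'hid_multitouch',
    'hid_sensor_als',
    'hid_sensor_custom',
    'hid_sensor_hub',
    'hid_sensor_iio_common',
    'hid_sensor_trigger',
    'hwmon_vid',
    'i2c_algo_bit',
    'i2c_core',
    'i2c_designware_core',
    'i2c_designware_platform',
    'i2c_hid',
    'i2c_hid_acpi',
    'i2c_i801',
    'i2c_piix4',
    'i2c_scmi',
    'i2c_smbus',
    'i8042',
    'i915',
    'icp',
    'idma64',
    'igb',
    'igc',
    'igen6_edac',
    'industrialio',
    'industrialio_triggered_buffer',
    'input_leds',
    'int3400_thermal',
    'int3403_thermal',
    'int340x_thermal_zone',
    'intel_cstate',
    'intel_gtt',
    'intel_hid',
    'intel_ish_ipc',
    'intel_ishtp',
    'intel_ishtp_hid',
    'intel_ishtp_loader',
    'intel_lpss',
    'intel_lpss_pci',
    'intel_pch_thermal',
    'intel_pmc_bxt',
    'intel_pmt',
    'intel_powerclamp',
    'intel_rapl_common',
    'intel_rapl_msr',
    'intel_soc_dts_iosf',
    'intel_spi',
    'intel_spi_pci',
    'intel_tcc_cooling',
    'intel_uncore',
    'intel_vsec',
    'intel_wmi_thunderbolt',
    'intel_xhci_usb_role_switch',
    'iommu_v2',
    'ip6table_filter',
    'ip6table_mangle',
    'ip6table_nat',
    'ip6table_raw',
    'ip6_tables',
    'ip6table_security',
    'ip6t_REJECT',
    'ip6t_rpfilter',
    'ip6t_rt',
    'ipheth',
    'ipmi_devintf',
    'ipmi_msghandler',
    'ip_set',
    'iptable_filter',
    'iptable_mangle',
    'iptable_nat',
    'iptable_raw',
    'ip_tables',
    'iptable_security',
    'ipt_REJECT',
    'ipt_rpfilter',
    'ip_vs',
    'ip_vs_rr',
    'ip_vs_sh',
    'ip_vs_wrr',
    'irqbypass',
    'isofs',
    'iTCO_vendor_support',
    'iTCO_wdt',
    'iwlmei',
    'iwlmvm',
    'iwlwifi',
    'jbd2',
    'jc42',
    'joydev',
    'k10temp',
    'kfifo_buf',
    'kvm',
    'kvm_amd',
    'kvm_intel',
    'led_class',
    'ledtrig_audio',
    'libaes',
    'libahci',
    'libarc4',
    'libata',
    'libcrc32c',
    'libdes',
    'libphy',
    'libps2',
    'llc',
    'loop',
    'lp',
    'mac80211',
    'mac_hid',
    'macvlan',
    'mbcache',
    'mc',
    'md4',
    'mdio_devres',
    'md_mod',
    'mei',
    'mei_hdcp',
    'mei_me',
    'mei_pxp',
    'mei_wdt',
    'mii',
    'mmc_block',
    'mmc_core',
    'mousedev',
    'msr',
    'mtd',
    'mxm_wmi',
    'nct6775',
    'nct6775_core',
    'netlink_diag',
    'nf_conntrack',
    'nf_conntrack_broadcast',
    'nf_conntrack_netbios_ns',
    'nf_conntrack_netlink',
    'nf_defrag_ipv4',
    'nf_defrag_ipv6',
    'nf_log_syslog',
    'nf_nat',
    'nfnetlink',
    'nfnetlink_log',
    'nfnetlink_queue',
    'nf_reject_ipv4',
    'nf_reject_ipv6',
    'nf_tables',
    'nft_chain_nat',
    'nft_compat',
    'nft_counter',
    'nft_ct',
    'nft_fib',
    'nft_fib_inet',
    'nft_fib_ipv4',
    'nft_fib_ipv6',
    'nft_limit',
    'nft_objref',
    'nft_reject',
    'nft_reject_inet',
    'nls_cp437',
    'nls_iso8859_1',
    'nvidia',
    'nvidia_drm',
    'nvidia_modeset',
    'nvidia_uvm',
    'nvme',
    'nvme_common',
    'nvme_core',
    'nvram',
    'overlay',
    'parport',
    'parport_pc',
    'pcspkr',
    'pinctrl_amd',
    'pinctrl_sunrisepoint',
    'pinctrl_tigerlake',
    'pkcs8_key_parser',
    'platform_profile',
    'pmt_class',
    'pmt_telemetry',
    'polyval_clmulni',
    'polyval_generic',
    'ppdev',
    'pps_core',
    'processor_thermal_device',
    'processor_thermal_device_pci',
    'processor_thermal_device_pci_legacy',
    'processor_thermal_mbox',
    'processor_thermal_rapl',
    'processor_thermal_rfim',
    'psmouse',
    'pstore',
    'pstore_blk',
    'pstore_zone',
    'ptp',
    'qrtr',
    'r8152',
    'r8153_ecm',
    'r8169',
    'raid0',
    'ramoops',
    'rapl',
    'raydium_i2c_ts',
    'rc_core',
    'realtek',
    'reed_solomon',
    'rfcomm',
    'rfkill',
    'rndis_host',
    'rndis_wlan',
    'rng_core',
    'roles',
    'rtc_cmos',
    'rtsx_pci',
    'rtsx_pci_sdmmc',
    'rtw89_8852a',
    'rtw89_8852ae',
    'rtw89_core',
    'rtw89_pci',
    'sch_fq_codel',
    'scsi_common',
    'scsi_mod',
    'sdhci',
    'sdhci_pci',
    'serio',
    'serio_raw',
    'sg',
    'snd',
    'snd_acp3x_pdm_dma',
    'snd_acp3x_rn',
    'snd_acp_config',
    'snd_compress',
    'snd_ctl_led',
    'snd_hda_codec',
    'snd_hda_codec_generic',
    'snd_hda_codec_hdmi',
    'snd_hda_codec_idt',
    'snd_hda_codec_realtek',
    'snd_hda_core',
    'snd_hda_ext_core',
    'snd_hda_intel',
    'snd_hrtimer',
    'snd_hwdep',
    'snd_intel_dspcfg',
    'snd_intel_sdw_acpi',
    'snd_pci_acp3x',
    'snd_pci_acp5x',
    'snd_pci_acp6x',
    'snd_pcm',
    'snd_pcm_dmaengine',
    'snd_rawmidi',
    'snd_rn_pci_acp3x',
    'snd_seq',
    'snd_seq_device',
    'snd_seq_dummy',
    'snd_seq_midi',
    'snd_seq_midi_event',
    'snd_soc_acpi',
    'snd_soc_acpi_intel_match',
    'snd_soc_avs',
    'snd_soc_core',
    'snd_soc_dmic',
    'snd_soc_hdac_hda',
    'snd_soc_hdac_hdmi',
    'snd_soc_hda_codec',
    'snd_soc_intel_hda_dsp_common',
    'snd_soc_skl',
    'snd_soc_skl_hda_dsp',
    'snd_soc_sst_dsp',
    'snd_soc_sst_ipc',
    'snd_sof',
    'snd_sof_amd_acp',
    'snd_sof_amd_renoir',
    'snd_sof_intel_hda',
    'snd_sof_intel_hda_common',
    'snd_sof_pci',
    'snd_sof_pci_intel_tgl',
    'snd_sof_utils',
    'snd_sof_xtensa_dsp',
    'snd_timer',
    'snd_usb_audio',
    'snd_usbmidi_lib',
    'soundcore',
    'soundwire_bus',
    'soundwire_cadence',
    'soundwire_generic_allocation',
    'soundwire_intel',
    'sp5100_tco',
    'sparse_keymap',
    'spi_intel',
    'spi_intel_pci',
    'spi_nor',
    'spl',
    'squashfs',
    'stp',
    'sunrpc',
    'syscopyarea',
    'sysfillrect',
    'sysimgblt',
    't10_pi',
    'tap',
    'tee',
    'thermal',
    'think_lmi',
    'thinkpad_acpi',
    'thunderbolt',
    'tiny_power_button',
    'tls',
    'tpm',
    'tpm_crb',
    'tpm_tis',
    'tpm_tis_core',
    'trusted',
    'ttm',
    'tun',
    'typec',
    'typec_ucsi',
    'uas',
    'ucsi_acpi',
    'uhid',
    'uinput',
    'usb_common',
    'usbcore',
    'usbhid',
    'usbnet',
    'usb_storage',
    'uvcvideo',
    'v4l2loopback',
    'veth',
    'vfat',
    'video',
    'videobuf2_common',
    'videobuf2_memops',
    'videobuf2_v4l2',
    'videobuf2_vmalloc',
    'videodev',
    'vivaldi_fmap',
    'watchdog',
    'wmi',
    'wmi_bmof',
    'x86_pkg_temp_thermal',
    'xfrm_algo',
    'xfrm_user',
    'xfs',
    'xhci_hcd',
    'xhci_pci',
    'xhci_pci_renesas',
    'x_tables',
    'xt_addrtype',
    'xt_comment',
    'xt_conntrack',
    'xt_hl',
    'xt_limit',
    'xt_LOG',
    'xt_mark',
    'xt_MASQUERADE',
    'xt_nat',
    'xt_pkttype',
    'xt_statistic',
    'xt_tcpudp',
    'zavl',
    'zcommon',
    'zfs',
    'zlua',
    'znvpair',
    'zram',
    'zunicode',
    'zzstd'
  )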