genericize wolfi rule
tstromberg committed Feb 24, 2025
1 parent b2d6e78 commit 632d493
Showing 5 changed files with 16 additions and 11 deletions.
13 changes: 6 additions & 7 deletions detection/c2/1-unexpected-https-linux.sql
Expand Up @@ -66,7 +66,6 @@ WHERE
'0,apk,u,g,apk',
'0,applydeltarpm,0u,0g,applydeltarpm',
'0,bash,0u,0g,bash',
'0,multipassd,0u,0g,multipassd',
'0,bash,0u,0g,mkinitcpio',
'0,bash,0u,0g,sh',
'0,canonical-livepatchd,0u,0g,canonical-livep',
Expand All @@ -86,7 +85,6 @@ WHERE
'0,go,0u,0g,go',
'0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
'0,http,0u,0g,https',
'500,firefox-bin,0u,0g,firefox-bin',
'0,ir_agent,0u,0g,ir_agent',
'0,kmod,0u,0g,depmod',
'0,launcher,0u,0g,launcher',
Expand All @@ -95,6 +93,7 @@ WHERE
'0,make,0u,0g,make',
'0,melange,500u,500g,melange',
'0,metricbeat,0u,0g,metricbeat',
'0,multipassd,0u,0g,multipassd',
'0,nessusd,0u,0g,nessusd',
'0,nix,0u,0g,nix',
'0,nix,0u,0g,nix-daemon',
Expand All @@ -118,13 +117,11 @@ WHERE
'120,fwupdmgr,0u,0g,fwupdmgr',
'128,fwupdmgr,0u,0g,fwupdmgr',
'129,fwupdmgr,0u,0g,fwupdmgr',
'500,transmission-daemon,500u,500g,transmission-da',
'42,http,0u,0g,https',
'500,1password,0u,0g,1password',
'500,___go_build_main_go,500u,500g,___go_build_mai',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,accountwizard,u,g,accountwizard',
'500,thunderbird-bin,0u,0g,thunderbird-bi',
'500,act,0u,0g,act',
'500,apk,500u,500g,apk',
'500,apk,u,g,apk',
Expand All @@ -133,7 +130,6 @@ WHERE
'500,armcord,u,g,armcord',
'500,aws,0u,0g,aws',
'500,aws,500u,500g,aws',
'500,node,u,g,npm ci',
'500,bash,0u,0g,bash',
'500,beeper,u,g,beeper',
'500,bitwarden,u,g,bitwarden',
Expand Down Expand Up @@ -184,6 +180,7 @@ WHERE
'500,docker,0u,0g,docker',
'500,docker-buildx,0u,0g,docker-buildx',
'500,drkonqi,0u,0g,drkonqi',
'500,dropbox,500u,500g,dropbox',
'500,eksctl,0u,0g,eksctl',
'500,eksctl,500u,500g,eksctl',
'500,electron,0u,0g,electron',
Expand Down Expand Up @@ -280,6 +277,7 @@ WHERE
'500,node,0u,0g,npm install',
'500,node,500u,500g,npm run start',
'500,node,u,g,node',
'500,node,u,g,npm ci',
'500,nuclei,500u,500g,nuclei',
'500,obs,0u,0g,obs',
'500,obs,u,g,obs',
Expand Down Expand Up @@ -351,11 +349,13 @@ WHERE
'500,terraform-ls,500u,500g,terraform-ls',
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,thunderbird-bin,0u,0g,thunderbird-bi',
'500,thunderbird-bin,u,g,thunderbird-bin',
'500,tidal-hifi,u,g,tidal-hifi',
'500,tilt,500u,500g,tilt',
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
'500,todoist,0u,0g,todoist',
'500,transmission-daemon,500u,500g,transmission-da',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,ubuntu-report,0u,0g,ubuntu-report',
Expand All @@ -364,8 +364,6 @@ WHERE
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,DaveTheDiver.ex',
'500,wine64-preloader,500u,500g,Root.exe',
'500,wolfi-package-status,500u,500g,wolfi-package-s',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,writerside,500u,500g,writerside',
'500,xmobar,0u,0g,xmobar',
Expand All @@ -375,6 +373,7 @@ WHERE
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real'
) -- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '500,wolfi%,500u,500g,wolfi%'
AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'
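Review bot: The new `LIKE '500,wolfi%,500u,500g,wolfi%'` exception in the last hunk keys purely on a process-name prefix, and the name is attacker-chosen: any uid-500 binary whose basename starts with `wolfi`, dropped anywhere on disk, now has its outbound HTTPS excluded from this C2 rule, whereas the two exact entries it replaces (`wolfi-package-status`, `wolfictl`) were at least limited to two names. The `%` wildcards are unanchored within the field, so `wolfi-evil` or `wolfictl.sh` qualify as well. If this rule exposes the process row as `p0` the way the sibling rules in this commit do, I'd pair the name pattern with an install-location check, e.g. `AND NOT (exception_key LIKE '500,wolfi%,500u,500g,wolfi%' AND p0.path LIKE '/home/%/go/bin/wolfi%')`, or else keep exact names and add a short comment listing the wolfi tools the pattern is meant to cover. The WHERE clause this predicate belongs to starts before the hunk.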
7 changes: 4 additions & 3 deletions detection/c2/1-unexpected-https-macos.sql
Expand Up @@ -108,13 +108,14 @@ WHERE
AND NOT exception_key IN (
'0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
'0,chainctl,chainctl,,a.out',
'0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
'0,com.nordvpn.macos.helper,com.nordvpn.macos.helper,Developer ID Application: Nordvpn S.A. (W5W395V82Y),com.nordvpn.macos.helper',
'0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
'500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
'500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
'500,apko,apko,,a.out',
'500,proctor,proctor,500u,20g',
'500,apkoaas,apkoaas,,a.out',
'500,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'500,art,art,,a.out',
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,bash,bash,,bash',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
Expand All @@ -138,7 +139,6 @@ WHERE
'500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
'500,melange,melange,,a.out',
'500,nami,nami,,a.out',
'500,art,art,500u,20g',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
'500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g',
Expand All @@ -148,6 +148,7 @@ WHERE
'500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
'500,PowerPoint,PowerPoint,Apple Development: Zack Hoherchak (SS9PSPF8UF),PowerPoint',
'500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
'500,proctor,proctor,,a.out',
'500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
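Review bot: The corrected entries `'500,art,art,,a.out'` and `'500,proctor,proctor,,a.out'` (like the neighbouring `apko`/`apkoaas` lines) exempt unsigned binaries — empty signing authority, ad-hoc `a.out` identifier — on the strength of a short generic name alone, so any unsigned uid-500 program that calls itself `art` or `proctor` has its HTTPS traffic excluded from this rule. That is a weaker bar than the signed entries around them, which at least pin a Developer ID team. If the process path is available in this rule (sibling rules in the commit filter on `p0.path`), I'd scope these to where the Go-built tools are expected to live, e.g. `AND NOT (exception_key IN ('500,art,art,,a.out', '500,proctor,proctor,,a.out') AND p0.path LIKE '/Users/%/go/bin/%')`, and drop them from the flat IN list. A one-line comment above the `a.out` group naming which internal tools they are would also help the next reader decide whether they still belong here.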
Expand Up @@ -188,7 +188,7 @@ WHERE
AND p0.cmdline LIKE './%'
)
AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
AND NOT p1.name = 'makepkg'
AND NOT p1.name IN ('makepkg', 'make')
AND NOT p2.path = '/usr/bin/yay'
AND NOT p2.cmdline LIKE '/usr/bin/yay %'
AND NOT (
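Review bot: Adding `make` to the parent-name exclusion on the changed line widens an already name-based bypass: a Makefile in any freshly cloned repository can now launch a `./`-relative binary (the `p0.cmdline LIKE './%'` case earlier in this hunk) without the rule firing, and because the parent is matched by name only, a dropper that renames itself `make` gets the same pass. Since `p1.path` is already consulted two lines up, I'd tie the exemption to the system binary rather than the name, e.g. `AND NOT (p1.name IN ('makepkg', 'make') AND p1.path LIKE '/usr/bin/%')`, with a comment such as `-- build tools that run freshly compiled artifacts; path-pinned so a renamed dropper does not qualify`. The enclosing WHERE clause starts and ends outside the hunk.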
Expand Up @@ -151,6 +151,8 @@ WHERE
OR homepath LIKE '~/%/pkg/%.test'
OR homepath LIKE '~/%/src/%.test'
OR homepath LIKE '~/%/terraform-provider-%'
OR homepath LIKE '~/chainguard-dev/%'
OR homepath LIKE '~/repos/%'
OR homepath LIKE '~/github/%'
OR homepath LIKE '~/go/%/bin'
OR homepath LIKE '~/go/src/%'
Expand Down Expand Up @@ -245,6 +247,7 @@ WHERE
AND p0.path NOT LIKE '%/.%'
AND p0.path NOT LIKE '%Cache%'
)
AND NOT p1.name IN ('makepkg', 'make')
-- Arc
AND NOT (
p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
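Review bot: The `AND NOT p1.name IN ('makepkg', 'make')` predicate added in the second hunk exempts every child of any process named `make` from this rule, and the name is the only thing checked, so both a malicious Makefile in a cloned repo and a binary that simply renames itself `make` are waved through. This file appears to be the macOS variant (the Sparkle launcher path just below), where `make` normally lives at a fixed system or Homebrew location, so the exemption can be pinned to a path prefix you actually expect, e.g. `AND NOT (p1.name IN ('makepkg', 'make') AND p1.path LIKE '/usr/bin/%')`, adjusting the prefix list to the installs you support. The first hunk's `~/repos/%` entry is similarly broad, but it follows the pattern of the existing `~/github/%` line, so I'd at least add a comment noting that these directory-level exemptions trust everything the user builds there. Both hunks sit inside a WHERE clause that starts and ends outside the diff.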
Expand Up @@ -166,6 +166,8 @@ WHERE
'/dev/ngn,character',
'/dev/ntsync,character',
'/dev/null,character',
'/dev/nvidia-caps/,directory',
'/dev/nvidia-caps/nvidia-cap,character',
'/dev/nvidia-modeset,character',
'/dev/nvidia-uvm-tools,character',
'/dev/nvidia-uvm,character',
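Review bot: The added `'/dev/nvidia-caps/nvidia-cap,character'` entry does not name a real node as far as I know — the driver creates numbered nodes such as `/dev/nvidia-caps/nvidia-cap1` and `nvidia-cap2` — so unless the key is normalised by stripping a trailing digit run (the absence of `/dev/nvidia0` from this list hints that it may be, but the normalisation is outside the hunk), the entry never matches and the alert it was meant to silence keeps firing. If the digit-stripping is real, please document it next to this entry, e.g. `-- trailing digits are stripped before matching: covers nvidia-cap1, nvidia-cap2, ...`; if it is not, the entry should be a pattern rather than a literal. The IN list this belongs to starts before the hunk.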
