Merge pull request #369 from tstromberg/fpr-jun25

fpr: Rule toning for podman, pip, zed, java, ssh, and more
chainguard-dev · Jun 28, 2024 · 32bd629 · 32bd629
2 parents eecc2a3 + 6fe7468
commit 32bd629
Show file tree

Hide file tree

Showing 18 changed files with 144 additions and 98 deletions.
diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql
@@ -94,6 +94,7 @@ WHERE
     '/usr/sbin/mDNSResponder'
   )
   AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
+  AND p.path NOT LIKE '%/podman/gvproxy'
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent
 GROUP BY

diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
@@ -109,13 +109,15 @@ WHERE
     '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,velociraptor,0u,0g,velociraptor_cl',
     '0,yay,0u,0g,yay',
+    '500,python3.11,u,g,pip',
     '105,http,0u,0g,https',
     '106,geoclue,0u,0g,geoclue',
     '115,geoclue,0u,0g,geoclue',
     '120,fwupdmgr,0u,0g,fwupdmgr',
     '128,fwupdmgr,0u,0g,fwupdmgr',
     '129,fwupdmgr,0u,0g,fwupdmgr',
     '42,http,0u,0g,https',
+    '500,podman,0u,0g,podman',
     '500,1password,0u,0g,1password',
     '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
     '500,act,0u,0g,act',
@@ -330,6 +332,7 @@ WHERE
   AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
   AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
+  AND NOT exception_key LIKE '500,python3%,u,g,pip'
   AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
   AND NOT (

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
@@ -142,17 +142,9 @@ WHERE
   )
   AND NOT alt_exception_key IN (
     '0,velociraptor,velociraptor,0u,0g',
-    '500,java,java,0u,0g',
-    '500,pulumi-resource-github,pulumi-resource-github,500u,20g',
     '0,velociraptor,velociraptor,0u,80g',
-    '500,taplo,taplo,500u,20g',
-    '500,nodegizmo,nodegizmo,500u,20g',
-    '500,docker-scout,docker-scout,500u,20g',
     '500,apko,apko,0u,0g',
     '500,apko,apko,500u,20g',
-    '500,wolfibump,wolfibump,500u,20g',
-    '500,wolfictl,wolfictl,0u,0g',
-    '500,istioctl,istioctl,500u,20g',
     '500,aws,aws,0u,0g',
     '500,cargo,cargo,500u,80g',
     '500,chainctl,chainctl,0u,0g',
@@ -161,28 +153,38 @@ WHERE
     '500,cilium,cilium,500u,123g',
     '500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
     '500,cosign,cosign,0u,500g',
-    '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
     '500,cosign,cosign,500u,20g',
     '500,cosign,cosign,500u,80g',
-    '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
     '500,cpu,cpu,500u,20g',
     '500,crane,crane,0u,500g',
     '500,crane,crane,500u,80g',
+    '500,docker-scout,docker-scout,500u,20g',
     '500,gh-dash,gh-dash,500u,20g',
+    '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
     '500,git,git,0u,500g',
-    '500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
     '500,git-remote-http,git-remote-http,500u,20g',
     '500,git-remote-http,git-remote-http,500u,80g',
-    '500,istioctl,istioctl,,a.out',
     '500,gitsign,gitsign,500u,20g',
     '500,go,go,500u,80g',
-    '500,vexi,vexi,500u,20g',
+    '500,hugo,hugo,500u,20g',
+    '500,istioctl,istioctl,500u,20g',
+    '500,istioctl,istioctl,,a.out',
+    '500,java,java,0u,0g',
     '500,.man-wrapped,.man-wrapped,0u,500g',
+    '500,nodegizmo,nodegizmo,500u,20g',
     '500,pprof,pprof,500u,80g',
     '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
+    '500,pulumi-resource-github,pulumi-resource-github,500u,20g',
     '500,sdaudioswitch,sdaudioswitch,500u,20g',
     '500,sdzoomplugin,sdzoomplugin,500u,20g',
+    '500,session-manager-plugin,session-manager-plugin,0u,0g',
+    '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
+    '500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
+    '500,taplo,taplo,500u,20g',
+    '500,vexi,vexi,500u,20g',
     '500,vim,vim,0u,500g',
+    '500,wolfibump,wolfibump,500u,20g',
+    '500,wolfictl,wolfictl,0u,0g',
     '500,wolfictl,wolfictl,500u,20g'
   )
   AND NOT s.authority IN (

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -84,6 +84,7 @@ WHERE
     AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
   )
   AND NOT exception_key IN (
+    '123,17,500,chronyd,0u,0g,chronyd',
     '4070,6,500,spotify,u,g,spotify',
     '8000,6,500,brave,0u,0g,brave',
     '8000,6,500,chrome,0u,0g,chrome',
@@ -93,6 +94,7 @@ WHERE
     '80,6,0,kmod,0u,0g,depmod',
     '80,6,0,kubelet,u,g,kubelet',
     '80,6,0,ldconfig,0u,0g,ldconfig',
+    '80,6,0,NetworkManager,0u,0g,NetworkManager',
     '80,6,0,packagekitd,0u,0g,packagekitd',
     '80,6,0,pacman,0u,0g,pacman',
     '80,6,0,pdftex,0u,0g,pdftex',

diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -91,6 +91,7 @@ WHERE
   AND pof.path NOT IN (
     '/dev/dri/card0',
     '/dev/dri/card1',
+    '/dev/dri/card2',
     '/dev/dri/renderD128',
     '/dev/dri/renderD129',
     '/dev/fuse',
@@ -126,6 +127,7 @@ WHERE
     '/dev/input,acpid',
     '/dev/input,gnome-shell',
     '/dev/input,Hyprland',
+    '/dev/input,kwin_wayland',
     '/dev/input,systemd',
     '/dev/input,systemd-logind',
     '/dev/input,thermald',
@@ -174,13 +176,13 @@ WHERE
     '/dev/hidraw,chrome',
     '/dev/hvc,agetty',
     '/dev/hwrng,rngd',
-    '/dev/input/event,Xorg',
     '/dev/input/event,thermald',
     '/dev/input/event,touchegg',
-    '/dev/kmsg,_k3s-inner',
+    '/dev/input/event,Xorg',
     '/dev/kmsg,bpfilter_umh',
     '/dev/kmsg,dmesg',
     '/dev/kmsg,k3s',
+    '/dev/kmsg,_k3s-inner',
     '/dev/kmsg,kubelet',
     '/dev/kmsg,systemd',
     '/dev/kmsg,systemd-coredump',
@@ -190,28 +192,29 @@ WHERE
     '/dev/mapper/control,gpartedbin',
     '/dev/mapper/control,multipathd',
     '/dev/mcelog,mcelog',
-    '/dev/media,pipewire',
-    '/dev/media,wireplumber',
     '/dev/media0,pipewire',
     '/dev/media0,wireplumber',
+    '/dev/media,pipewire',
+    '/dev/media,wireplumber',
     '/dev/net/tun,openvpn',
     '/dev/net/tun,qemu-system-x86_64',
     '/dev/net/tun,slirp4netns',
     '/dev/pts,incusd',
     '/dev/sda,ntfs-3g',
     '/dev/shm/envoy_shared_memory_1,envoy',
     '/dev/tpmrm,launcher',
-    '/dev/tty,Xorg',
     '/dev/tty,agetty',
     '/dev/tty,gdm-wayland-session',
     '/dev/tty,gdm-x-session',
     '/dev/tty,systemd-logind',
+    '/dev/tty,Xorg',
     '/dev/uhid,bluetoothd',
     '/dev/uinput,bluetoothd',
     '/dev/usb/hiddev,apcupsd',
     '/dev/usb/hiddev,upowerd',
     '/dev/vhost-net,qemu-system-x86_64',
     '/dev/vhost-vsock,qemu-system-x86_64',
+    '/dev/video0,chrome',
     '/dev/video,brave',
     '/dev/video,cheese',
     '/dev/video,chrome',
@@ -229,7 +232,6 @@ WHERE
     '/dev/video,wireplumber',
     '/dev/video,zoom',
     '/dev/video,zoom.real',
-    '/dev/video0,chrome',
     '/dev/wwan0mbim,mbim-proxy',
     '/dev/zfs,',
     '/dev/zfs,zed',
@@ -248,6 +250,10 @@ WHERE
       AND p0.name LIKE "solaar%"
       AND p0.path LIKE '/usr/bin/python%'
   )
+  AND NOT (
+      pof.path LIKE "/dev/input/event%"
+      AND p0.name = "openrazer-daemo"
+  )
   AND NOT (
     pof.path LIKE '/dev/bus/usb/%'
     AND p0.name IN (

diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
@@ -54,6 +54,7 @@ WHERE
   AND NOT f.directory LIKE '%/.config/nvm/%/bin'
   AND NOT f.directory LIKE '%/.cursor/%'
   AND NOT f.directory LIKE '%/.deno/bin'
+  AND NOT f.directory LIKE '%/.devpod/contexts/%'
   AND NOT f.directory LIKE '%/.linuxbrew/Cellar/%/bin'
   AND NOT f.directory LIKE '%/.docker/cli-plugins'
   AND NOT f.directory LIKE '%/.fig/bin'

diff --git a/detection/evasion/unexpected-ld-so-files-linux.sql b/detection/evasion/unexpected-ld-so-files-linux.sql
@@ -29,26 +29,25 @@ WHERE
   AND file.filename NOT IN ('.', '..')
   AND exception_key NOT IN (
     '/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5',
+    '/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3',
     '/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',
     '/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',
-    '/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a',
-    '/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3',
     '/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3',
     '/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167',
-    '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
     '/etc/ld.so.conf.d/bind-export-x86_64.conf,0644,26,efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e',
     '/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28',
     '/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50',
+    '/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7',
     '/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee',
     '/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181',
     '/etc/ld.so.conf.d/gds-11-8.conf,0644,46,2b48cb0abd03ff1d8926eca02a71540f4ee00ebccad5515e4d28a542dae8438a',
+    '/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a',
     '/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,48,c0c6efda46a86b0d0cbc620b910cec4ba455d09a2bc7a39adf45ce113093366d',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime-libs.conf,0644,44,9f123b367c8afdcd116047d24f91339a95724d6f6cd189967696d2eb8eda63b4',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-opencl-cpu.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,157,0b4a1c81fcab2d345f99e0187f29cf28f085ae67bf42c86d7b509c06b345186e',
-    '/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
     '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime-libs.conf,0644,65,0e9c472578fe009314f02ab64613fc41114f4d07cfd3a805191a5b755d780a43',
     '/etc/ld.so.conf.d/intel-oneapi-openmp.conf,0644,155,160358af96f4a1a92e624fa84a1776d45c1a2c4695c8b96070374f6d66bf6061',
@@ -61,6 +60,8 @@ WHERE
     '/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',
     '/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0',
     '/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
+    '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
+    '/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
     '/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
     '/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
     '/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',

diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -43,40 +43,42 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         AND (
           file.path LIKE '%/go-build%'
           OR file.directory LIKE '/tmp/%/out'
+          OR file.path IN ('/tmp/mkinitramfs', '/tmp/mission')
           OR file.path LIKE '%/bin/%'
+          OR file.path LIKE "%/bin/bash"
+          OR file.path LIKE "%/bin/busybox"
           OR file.path LIKE '%/checkout/%'
           OR file.path LIKE '%/ci/%'
-          OR file.path LIKE '%/Rakefile'
+          OR file.path LIKE '%/configure'
           OR file.path LIKE '%/debug/%'
-          OR file.path LIKE '/tmp/ko%/out'
           OR file.path LIKE '%/dist/%'
           OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
           OR file.path LIKE '%/git/%'
           OR file.path LIKE '%/github/%'
           OR file.path LIKE '%/go.%.sum'
           OR file.path LIKE "%/%/gradlew"
           OR file.path LIKE '%/guile-%/guile-%'
-          OR file.path LIKE '%/melange-guest-%'
+          OR file.path LIKE '%integration_test%'
           OR file.path LIKE '%/ko/%'
           OR file.path LIKE '%/kots/%'
           OR file.path LIKE "%/lib/%.so"
-          OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
           OR file.path LIKE "%/lib/%.so.%"
-          OR file.path LIKE '%/configure'
-          OR file.path LIKE '%integration_test%'
-          OR file.path LIKE '%test_script'
           OR file.path LIKE "%/melange%"
-          OR file.path LIKE "%/bin/busybox"
-          OR file.path LIKE "%/bin/bash"
-          OR file.path LIKE "/tmp/lima/%"
+          OR file.path LIKE '%/melange-guest-%'
           OR file.path LIKE '%/pdf-tools/%'
+          OR file.path LIKE '%/Rakefile'
           OR file.path LIKE '%-release%/%'
           OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
           OR file.path LIKE '%/src/%'
           OR file.path LIKE '%/target/%'
           OR file.path LIKE '%/terraformer/%'
+          OR file.path LIKE '%test_script'
           OR file.path LIKE '%/tmp/epdf%'
+          OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
+          OR file.path LIKE '/tmp/ko%/out'
+          OR file.path LIKE "/tmp/lima/%"
           OR file.path LIKE '/tmp/lima/%/out/%'
+          OR file.path LIKE '/tmp/wolfi%'
         )
       )
       AND NOT (

diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
@@ -22,6 +22,7 @@ SELECT
   f.size,
   hash.sha256,
   REPLACE(f.directory, u.directory, '~') AS homedir,
+  REPLACE(f.path, u.directory, '~') AS homepath,
   RTRIM(
     COALESCE(
       REGEX_MATCH (
@@ -199,6 +200,13 @@ WHERE
     '~/Library/helm',
     '~/Library/pnpm'
   )
+  AND NOT homepath IN (
+    '~/Library/Assistant/SiriAnalytics.db',
+    '~/Library/Calendars/Calendar.sqlitedb-wal',
+    '~/Library/Finance/finance_cloud.db',
+    '~/Library/Finance/finance_cloud.db-wal',
+    '~/Library/HTTPStorages/com.apple.AddressBookSourceSync'
+  )
   AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
   AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
   AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'

diff --git a/detection/evasion/unexpected-user-shared-entries.sql b/detection/evasion/unexpected-user-shared-entries.sql
@@ -48,6 +48,7 @@ WHERE
       '/Users/Shared/.betamigrated',
       '/Users/Shared/.com.intego.reporting.plist',
       '/Users/Shared/.DS_Store',
+      '/Users/Shared/Plugin Loading.log',
       '/Users/Shared/.ks.intego_metrics_2.plist',
       '/Users/Shared/.localized',
       '/Users/Shared/.userfonts.cachedb',
@@ -67,6 +68,7 @@ WHERE
       '/Users/Shared/CleanMyMac X Menu',
       '/Users/Shared/LGHUB',
       '/Users/Shared/logi',
+      '/Users/Shared/AdobeInstalledCodecsTier2',
       '/Users/Shared/LogioptionsPlus',
       '/Users/Shared/LogiOptionsPlus',
       '/Users/Shared/.logishrd',

diff --git a/detection/execution/unexpected-env-values-macos.sql b/detection/execution/unexpected-env-values-macos.sql
@@ -41,8 +41,10 @@ WHERE -- This time should match the interval
     AND NOT pe.value LIKE '/opt/homebrew/Cellar/r/4.%/lib/R/lib/libR.dylib'
     AND NOT pe.value LIKE '%/libsamply_mac_preload.dylib'
     AND NOT pe.value LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/steamloader.dylib:%/Steam/Steam.AppBundle/Steam/Contents/MacOS/gameoverlayrenderer.dylib'
+    AND NOT pe.value LIKE '%//libtrace.dylib'
   )
   OR (
     key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers
     AND NOT pe.value LIKE '%/IDLE.app/%'
+    AND NOT pe.value = '/System/Library/Frameworks'
   )
diff --git a/detection/execution/unexpected-gatekeeper-approvals-macos.sql b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
@@ -37,6 +37,7 @@ WHERE
   AND gap.path NOT LIKE '/Users/%/rekor-cli'
   AND gap.path NOT LIKE '/Users/%/trivy'
   AND gap.path NOT LIKE '/usr/local/bin/%'
+  AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
   AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
 GROUP BY
   gap.requirement