Merge pull request #459 from tstromberg/fpr-feb18

fpr: kubernetes pods, clickshare, repos, zig-cache
chainguard-dev · Feb 19, 2025 · bd25eba · bd25eba
2 parents 0dbda14 + f58c9c9
commit bd25eba
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
@@ -82,6 +82,7 @@ WHERE
     '~/code',
     '~/Code',
     '~/.goenv',
+    '~/repos',
     '/nix/store/.links',
     '~/Projects',
     '~/src',
@@ -104,6 +105,7 @@ WHERE
   )
   AND NOT f.directory = '/nix/store/.links'
   AND NOT f.directory LIKE '%/.terraform/%'
+  AND NOT f.directory LIKE '%/.zig-cache/%'
   AND NOT f.directory LIKE '%/anchore/grype/.tool%'
   AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.directory LIKE '%/com.jetbrains.GoLand/cache/JetBrains/GoLand%'

diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
@@ -113,6 +113,7 @@ WHERE
     '~/.kuberlr/',
     '~/.provisio/',
     '~/.clickshare_button/',
+    '~/.clickshare/',
     '~/.pulumi/',
     '~/.pyenv/',
     '~/.rbenv/',

diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
@@ -18,7 +18,7 @@ SELECT
   p_p.cmdline AS p1_cmd,
   p_p_p.cmdline AS p2_cmd,
   p.cgroup_path,
-  datetime (file.mtime, 'unixepoch') AS mtime,
+  datetime(file.mtime, 'unixepoch') AS mtime,
   p.cwd,
   hash.sha256,
   CONCAT (
@@ -226,15 +226,11 @@ WHERE
   )
   -- Exclude common/default DNS talking
   AND NOT (
-    p.name IN (
-      'aardvark-dns',
-      'coredns',
-      'dnsmasq'
-    )
+    p.name IN ('aardvark-dns', 'coredns', 'dnsmasq')
     AND lp.port IN (
-      53,   -- DNS
-      67,   -- DHCP/BOOTP
-      547   -- DHCPv6 server
+      53, -- DNS
+      67, -- DHCP/BOOTP
+      547 -- DHCPv6 server
     )
     AND lp.protocol IN (
       6, -- TCP
@@ -243,6 +239,7 @@ WHERE
   )
   -- Exclude processes running inside of Docker containers
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT p.cgroup_path LIKE '/kubepods.slice/%'
   AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
   AND NOT p.cgroup_path LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/libpod-%'
   AND NOT p1_cmd LIKE 'bwrap --bind%'