Unexpected Dev Entries

osquery
Find unexpected files in /dev
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Find unexpected files in /dev
--
-- references:
--   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
--
-- false positives:
--   * programs which have legitimate uses for /dev/shm (Chrome, etc.)
--
-- tags: persistent state filesystem
-- platform: posix
SELECT
  file.path,
  file.type,
  file.size,
  file.mtime,
  file.uid,
  file.ctime,
  file.gid,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  (
    file.path LIKE '/dev/shm/%%'
    OR file.path LIKE '/dev/.%'
    OR file.path LIKE '/dev/.%/%'
    OR file.path LIKE '/dev/%/.%'
    OR file.path LIKE '/dev/%%/.%/%'
    OR file.path LIKE '/dev/mqueue/%%'
  ) -- We should also use uid for making decisions here
  AND NOT (
    file.uid > 499
    AND (
      file.path LIKE '/dev/shm/.com.google.%'
      OR file.path LIKE '/dev/shm/.com.microsoft.Edge.%'
      OR file.path LIKE '/dev/shm/.org.chromium.%'
      OR file.path LIKE '/dev/shm/aomshm.%'
      OR file.path LIKE '/dev/shm/byobu-%'
      OR file.path LIKE '/dev/shm/jack_db%'
      OR file.path LIKE '/dev/shm/pulse-shm-%'
      OR file.path LIKE '/dev/shm/sem.%autosave'
      OR file.path LIKE '/dev/shm/shm-%-%-%'
      OR file.path LIKE '/dev/shm/u1000-Shm%'
      OR file.path LIKE '/dev/shm/u1000-Valve%'
      OR file.path LIKE '/dev/shm/wayland.mozilla.%'
    )
  )
  AND NOT (
    file.size <= 32
    AND file.path LIKE '/dev/shm/%'
  )
  AND file.path NOT LIKE '/dev/shm/flatpak-%'
  AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
  AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%'
  AND file.path NOT LIKE '/dev/shm/sem.mp-%'
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
  AND file.path NOT IN (
    '/dev/.mdadm/',
    '/dev/shm/libpod_lock',
    '/dev/shm/sem.camlock'
  )
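The description above says ODK queries are meant to return zero rows on a healthy host so that any row can be turned into an alert, and the comment inside the query notes that uid should also feed into the decision. The following is an added example, not code from osquery-defense-kit or Chainguard: it runs the query with `osqueryi --json` (assumed to be on PATH; the query is read from a file path you supply), parses the rows, and grades each one using the uid, the magic data and the file name. The sample JSON is constructed here to stand in for osqueryi output; the sha256 values are placeholders, not real hashes.

```python
"""Turn rows from the "Unexpected Dev Entries" osquery into graded alerts.

Added example (not part of osquery-defense-kit). Assumes osqueryi is on PATH
for the live path; the offline demo uses constructed JSON shaped like
`osqueryi --json` output, where every column value is a string.
"""
import json
import subprocess
from dataclasses import dataclass, field

# Constructed sample rows (hypothetical findings, placeholder hashes).
SAMPLE_OUTPUT = json.dumps([
    {"path": "/dev/shm/.x", "type": "regular", "size": "18432",
     "mtime": "1738100000", "uid": "0", "ctime": "1738100000", "gid": "0",
     "sha256": "PLACEHOLDER-SHA256-1",
     "data": "ELF 64-bit LSB executable, x86-64, dynamically linked"},
    {"path": "/dev/shm/scratch.txt", "type": "regular", "size": "120",
     "mtime": "1738100100", "uid": "1000", "ctime": "1738100100",
     "gid": "1000", "sha256": "PLACEHOLDER-SHA256-2", "data": "ASCII text"},
])

SYSTEM_UID_MAX = 499  # the query itself treats uid <= 499 as a system account


@dataclass
class Alert:
    path: str
    severity: str
    reasons: list = field(default_factory=list)


def classify(row: dict) -> Alert:
    """Grade one returned row. Every row is already unexpected (the query
    allowlists known-good /dev entries); this only decides how loudly to
    shout about it."""
    reasons = []
    try:
        uid = int(row.get("uid", "") or -1)
    except ValueError:
        uid = -1
    if 0 <= uid <= SYSTEM_UID_MAX:
        reasons.append(f"owned by system uid {uid}")
    magic = (row.get("data") or "")
    if magic.startswith("ELF") or "executable" in magic:
        reasons.append(f"executable content: {magic}")
    name = row.get("path", "").rsplit("/", 1)[-1]
    if name.startswith("."):
        reasons.append("hidden file name")
    if len(reasons) >= 2:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return Alert(row.get("path", ""), severity, reasons)


def alerts_from_json(text: str) -> list:
    """Parse osqueryi --json output; zero rows yields zero alerts."""
    rows = json.loads(text or "[]")
    return [classify(r) for r in rows]


def run_query(query_file: str) -> list:
    """Live path: read the ODK .sql file and execute it with osqueryi."""
    with open(query_file, encoding="utf-8") as fh:
        sql = fh.read()
    proc = subprocess.run(["osqueryi", "--json", sql],
                          capture_output=True, text=True, check=True)
    return alerts_from_json(proc.stdout)


if __name__ == "__main__":
    # Offline demo against the constructed sample; replace with
    # run_query("unexpected-dev-entries.sql") on a real host.
    for alert in alerts_from_json(SAMPLE_OUTPUT):
        print(alert.severity.upper(), alert.path, "; ".join(alert.reasons))
```

The grading is deliberately simple: an empty result is the normal case and produces nothing, and a row is escalated only on signals the query already surfaces (uid, magic.data, the dotfile patterns it searches for), so tuning still happens in the allowlist inside the SQL rather than in the wrapper.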

Reference

https://github.com/chainguard-dev/osquery-defense-kit