Unexpected Small Udev Entry Linux

osquery

Unexpected small udev rule entries

Author

Chainguard

Published

December 6, 2023

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Unexpected small udev rule entries
--
-- Typically vendor-provided udev rules are more verbose.
--
-- references:
--   * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
--   * https://attack.mitre.org/techniques/T1547/ (Boot or Logon Autostart Execution)
--
-- false positives:
--   * rules installed by 3rd party software
--
-- tags: persistent filesystem state
-- platform: linux
SELECT
  file.path,
  uid,
  gid,
  mode,
  mtime,
  ctime,
  type,
  size,
  hash.sha256,
  magic.data
FROM
  file
  LEFT JOIN hash ON file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
WHERE
  file.path LIKE '/usr/lib/udev/rules.d/%'
  AND file.size < 180
  AND file.path NOT IN (
    '/usr/lib/udev/rules.d/20-crystalhd.rules',
    '/usr/lib/udev/rules.d/40-redhat-disable-dell-ir-camera.rules',
    '/usr/lib/udev/rules.d/45-i2c-tools.rules',
    '/usr/lib/udev/rules.d/50-apport.rules',
    '/usr/lib/udev/rules.d/60-ddcutil.rules',
    '/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
    '/usr/lib/udev/rules.d/60-drm.rules',
    '/usr/lib/udev/rules.d/60-net.rules',
    '/usr/lib/udev/rules.d/60-rfkill.rules',
    '/usr/lib/udev/rules.d/61-accelerometer.rules',
    '/usr/lib/udev/rules.d/61-mutter.rules',
    '/usr/lib/udev/rules.d/66-saned.rules',
    '/usr/lib/udev/rules.d/70-hypervfcopy.rules',
    '/usr/lib/udev/rules.d/70-hypervkvp.rules',
    '/usr/lib/udev/rules.d/70-hypervvss.rules',
    '/usr/lib/udev/rules.d/70-spice-vdagentd.rules',
    '/usr/lib/udev/rules.d/70-spice-webdavd.rules',
    '/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules',
    '/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules',
    '/usr/lib/udev/rules.d/71-betop-controllers.rules',
    '/usr/lib/udev/rules.d/71-nacon-controllers.rules',
    '/usr/lib/udev/rules.d/71-sony-vr.rules',
    '/usr/lib/udev/rules.d/75-probe_mtd.rules',
    '/usr/lib/udev/rules.d/81-kvm-rhel.rules',
    '/usr/lib/udev/rules.d/85-hdparm.rules',
    '/usr/lib/udev/rules.d/85-regulatory.rules',
    '/usr/lib/udev/rules.d/90-daxctl-device.rules',
    '/usr/lib/udev/rules.d/90-rdma-umad.rules',
    '/usr/lib/udev/rules.d/90-usb-microbit.rules',
    '/usr/lib/udev/rules.d/90-wireshark-usbmon.rules',
    '/usr/lib/udev/rules.d/91-drm-modeset.rules',
    '/usr/lib/udev/rules.d/95-udev-late.rules',
    '/usr/lib/udev/rules.d/96-e2scrub.rules',
    '/usr/lib/udev/rules.d/99-BlackmagicDevices.rules',
    '/usr/lib/udev/rules.d/99-DavinciPanel.rules',
    '/usr/lib/udev/rules.d/99-fuse3.rules',
    '/usr/lib/udev/rules.d/99-fuse.rules',
    '/usr/lib/udev/rules.d/99-libsane1.rules',
    '/usr/lib/udev/rules.d/99-lxd-agent.rules',
    '/usr/lib/udev/rules.d/99-nfs.rules',
    '/usr/lib/udev/rules.d/99-qemu-guest-agent.rules'
  )

tags: SStagSS

Reference

https://github.com/chainguard-dev/osquery-defense-kit