logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Check Linux file permission changes

Status: Approved Submitted by on ‎07-10-2019 12:49 PM

Description: Lists all executable and the level of permissions users/groups have on each file, helps detect backdoored binaries. Compare with an old list generated previously to spot any changes.

What The Data Shows: Lists all executable and the level of permissions users/groups have on each executable.

SQL:  

SELECT path,username,groupname,permissions,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime,sha256 
FROM suid_bin 
JOIN hash USING(path) 
JOIN file USING(path)
WHERE mode GLOB "???5";

 

Tags (1)
Comment
3 Comments
jnelson
Carbon Black Employee
‎07-10-2019 07:42 PM
‎07-10-2019 07:42 PM
Status changed to: Under Review

@mjomha would you consider modifying your query so that is shows the timestamps and hashes as well? Something like:

SELECT path,username,groupname,permissions,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime,sha256
FROM suid_bin
JOIN hash USING(path)
JOIN file USING(path)
WHERE mode GLOB "???5";

mjomha
Contributor
‎07-11-2019 09:56 AM
‎07-11-2019 09:56 AM

That is perfect J!

 

Thanks! That shows more refine results.

jnelson
Carbon Black Employee
‎07-12-2019 12:12 PM
‎07-12-2019 12:12 PM
Status changed to: Approved
 
logo