T1553.004 Install Root Certificate

T1553.004

Required Tables

  • file_events
  • process_events

Returned Fields

Field            Description
file_events.*    all fields from the file_events table

Query

SELECT
    file_events.*  -- only file_events columns, as listed under Returned Fields
FROM file_events
LEFT JOIN process_events
    ON file_events.process_uuid = process_events.process_uuid
WHERE
    process_events.event_type = 0
    -- ignore writes made by the system trust and package tools
    AND process_events.path NOT IN (
        '/usr/bin/trust',
        '/usr/bin/apt',
        '/usr/bin/yum',
        '/usr/bin/dpkg',
        '/usr/sbin/dpkg-preconfigure'
    )
    -- system trust-store locations and .pki directories
    AND (
        file_events.path LIKE '/etc/ca-certificates%'
        OR file_events.path LIKE '/usr/local/share/ca-certificates%'
        OR file_events.path LIKE '/etc/pki/ca-trust/%'
        OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%'
        OR regexp_like(file_events.path, '/.+/[.]pki/.+')  -- [.] matches a literal dot
        OR file_events.path LIKE '/etc/ssl/certs/%'
    )
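
The query's logic exercised against a handful of constructed events, as an added example that is not part of the original page. It assumes a reduced schema (only the columns the query touches) loaded into in-memory SQLite, emulates `regexp_like` with Python's `re`, and matches the dot in `.pki` literally; the process names, file paths and the `event_type` value 1 in the sample rows are constructed.

```python
import re
import sqlite3

# The page's detection logic. Assumptions: regexp_like is emulated below
# (SQLite has none) and the dot in ".pki" is matched literally with [.].
QUERY = """
SELECT file_events.path
FROM file_events
LEFT JOIN process_events
    ON file_events.process_uuid = process_events.process_uuid
WHERE
    process_events.event_type = 0
    AND process_events.path NOT IN (
        '/usr/bin/trust', '/usr/bin/apt', '/usr/bin/yum',
        '/usr/bin/dpkg', '/usr/sbin/dpkg-preconfigure'
    ) AND (
        file_events.path LIKE '/etc/ca-certificates%'
        OR file_events.path LIKE '/usr/local/share/ca-certificates%'
        OR file_events.path LIKE '/etc/pki/ca-trust/%'
        OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%'
        OR regexp_like(file_events.path, '/.+/[.]pki/.+')
        OR file_events.path LIKE '/etc/ssl/certs/%'
    )
"""

# Constructed events: (process_uuid, process path, event_type, file path).
SAMPLE = [
    ("p1", "/usr/bin/cp", 0, "/usr/local/share/ca-certificates/corp.crt"),
    ("p2", "/usr/bin/apt", 0, "/etc/ssl/certs/ca-certificates.crt"),  # excluded tool
    ("p3", "/usr/bin/certutil", 0, "/home/alice/.pki/nssdb/cert9.db"),
    ("p4", "/usr/bin/vim", 0, "/srv/xpki/notes.txt"),  # would hit an unescaped ".pki"
    ("p5", "/usr/bin/cp", 1, "/etc/pki/ca-trust/source/anchors/x.pem"),  # type != 0
    (None, None, None, "/etc/ssl/certs/orphan.pem"),  # file event with no process row
]

def run_detection(events=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.create_function("regexp_like", 2,
        lambda s, pat: int(s is not None and re.search(pat, s) is not None))
    db.execute("CREATE TABLE file_events (path TEXT, process_uuid TEXT)")
    db.execute("CREATE TABLE process_events (process_uuid TEXT, path TEXT, event_type INT)")
    for uuid, proc, etype, fpath in events:
        db.execute("INSERT INTO file_events VALUES (?, ?)", (fpath, uuid))
        if uuid is not None:
            db.execute("INSERT INTO process_events VALUES (?, ?, ?)", (uuid, proc, etype))
    return sorted(row[0] for row in db.execute(QUERY))

if __name__ == "__main__":
    print(run_detection())
```

The orphan row shows that the `WHERE` filter on `process_events` columns drops file events with no joined process, so the `LEFT JOIN` behaves like an inner join here.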