T1553.004 Install Root Certificate

必要なテーブル

file_events
process_events

戻りフィールド

フィールド	説明
file_events.*	all fields from the file_events table

クエリ

SELECT
    *
FROM file_events
LEFT JOIN process_events
    ON file_events.process_uuid = process_events.process_uuid
WHERE
    process_events.event_type = 0
    AND process_events.path NOT IN (
        '/usr/bin/trust',
        '/usr/bin/apt',
        '/usr/bin/yum',
        '/usr/bin/dpkg',
        '/usr/sbin/dpkg-preconfigure'
) AND (
    file_events.path LIKE '/etc/ca-certificates%'
    OR file_events.path LIKE '/usr/local/share/ca-certificates%'
    OR file_events.path LIKE '/etc/pki/ca-trust/%'
    OR file_events.path LIKE '/etc/pki/tls/certs/ca-bundle%'
    OR regexp_like(file_events.path, '/.+/.pki/.+')
    OR file_events.path LIKE '/etc/ssl/certs/%'
)