How are rules like “*<Plain-text Github 2FA Recove...
# kolide
How are rules like “*Plain-text Github 2FA Recovery Codes Detected”* implemented? • it’s misfiring for my laptop, I have encrypted the file, but it still complains • we might want to add custom rules of our own, is there a workflow for that?
Hi Martin, can you tell me how you encrypted the file?
I used sshenc, which uses ssh keys to do something similar to what gpg would do.
the result is an ASCII file with contents like:
Copy code
-- encrypted with <>
-- keys
-- key
Base64 encoded data
We detect the github codes based on extended file attributes that are likely not impacted by your encryption process.
I def made a new file… the process is a bit like
openssl --flags flags < file > file.encrypted
it's likely it copied the file and its extended attributes
let me see if I can find the command line for showing that
and show you how to remove those attributes
so that the file no longer alerts
xattr -l <filename>
in your case you want to remove any extended attributes named
which can be done with
xattr -d metadata:kMDItemWhereFroms <file>
the file has no xattrs
ok well I would rename it slightly, the recheck will pass, and then it shouldn't be redetected
or you can just ignore the failure as well
yeah, I can ignore it. but I’m also learning about the system 🙂
are the actual rules visible by admin? editable by admin?
Hi Martin, the rules are not all visible but you can kind of infer them from look at a device's osquery config by clicking into a device, choosing actions, and then choosing "View Osquery Config..." you can sometimes reference a check ID
🙌 1
thank you