@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/data/rules/obom-runtime.yaml

@@ -7,6 +7,7 @@
   description: "Systemd units loaded from /tmp or /var/tmp can indicate unauthorized persistence."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'systemd_units'
@@ -22,8 +23,8 @@
       "bomRef": $."bom-ref",
       "purl": purl
     }
-  message: "Systemd unit '{{ name }}' references temporary execution artifacts in its unit file path configuration"
-  mitigation: "Move unit files to trusted system paths, validate ownership/permissions, and re-enable only approved services."
+  message: "Systemd unit '{{ name }}' loads from unit path '{{ $firstNonEmpty($prop($, 'fragment_path'), $prop($, 'source_path'), name) }}' with temporary-backed source '{{ $firstNonEmpty($prop($, 'source_path'), $prop($, 'fragment_path')) }}'"
+  mitigation: "Review the unit file and any generated source/drop-in together, move them to trusted system paths, validate ownership/permissions, and re-enable only approved services."
   evidence: |
     {
       "activeState": $prop($, 'active_state'),
@@ -37,6 +38,7 @@
   description: "Sudoers entries allowing unrestricted command execution increase lateral movement and privilege escalation risk."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'sudoers_snapshot'
@@ -63,6 +65,7 @@
   description: "Root SSH keys without command/from/no-agent-forwarding restrictions weaken access controls and traceability."
   severity: medium
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot'
@@ -90,6 +93,7 @@
   description: "Drives with disabled BitLocker protection can violate endpoint encryption requirements and increase data exposure risk."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'windows_bitlocker_info'
@@ -116,6 +120,7 @@
   description: "Poor Security Center health indicates one or more key endpoint protections are disabled or degraded."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'windows_security_center'
@@ -150,6 +155,7 @@
   description: "Run/RunOnce entries launching from temp or encoded script commands are common persistence techniques."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'windows_run_keys'
@@ -179,6 +185,7 @@
   description: "ALF misconfiguration can expose endpoints to unsolicited inbound traffic and weakens host hardening baselines."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'alf'
@@ -207,6 +214,7 @@
   description: "Launchd agents/daemons sourced from temporary paths are a strong persistence and execution abuse signal."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'launchd_services'
@@ -228,13 +236,15 @@
       "bomRef": $."bom-ref",
       "purl": purl
     }
-  message: "Launchd entry '{{ name }}' executes from temporary path and is configured for persistence"
-  mitigation: "Remove unauthorized plist entries, relocate approved binaries to trusted paths, and enforce signed launchd payloads."
+  message: "Launchd item '{{ $firstNonEmpty($prop($, 'label'), name) }}' uses plist '{{ $firstNonEmpty($prop($, 'path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments'), name) }}' from a temporary path with persistence enabled"
+  mitigation: "Review the launchd plist and target executable together, remove unauthorized entries, relocate approved binaries to trusted paths, and enforce signed launchd payloads."
   evidence: |
     {
       "label": $prop($, 'label'),
       "plistPath": $prop($, 'path'),
+      "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'program_arguments')),
       "program": $prop($, 'program'),
+      "programArguments": $prop($, 'program_arguments'),
       "runAtLoad": $prop($, 'run_at_load'),
       "keepAlive": $prop($, 'keep_alive')
     }
@@ -244,6 +254,7 @@
   description: "ALF exceptions for binaries in user Downloads/Desktop/tmp increase risk of untrusted inbound network exposure."
   severity: medium
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'alf_exceptions'
@@ -274,6 +285,7 @@
   description: "Shell history with direct download-and-execute commands may indicate malware staging or hands-on-keyboard activity."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'shell_history_snapshot'
@@ -304,6 +316,7 @@
   description: "Dockerd listening on TCP 2375 enables remote daemon control if not protected by network controls and TLS."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'listening_ports'
@@ -331,9 +344,10 @@
 
 - id: OBOM-LNX-006
   name: "Privileged Linux listener exposed on a non-local interface"
-  description: "Root or service-account listeners bound to all interfaces expand attack surface and deserve proactive review."
-  severity: high
+  description: "Root or service-account listeners bound to all interfaces expand attack surface and should be reviewed even when they appear to come from managed system paths."
+  severity: medium
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
@@ -346,14 +360,21 @@
       and $safeStr(name) != 'systemd-resolved'
       and $safeStr(name) != 'avahi-daemon'
       and $safeStr(name) != 'cupsd'
+      and $safeStr($prop($, 'package_source_hint')) != 'user-writable-path'
+      and $safeStr($prop($, 'package_source_hint')) != 'unclassified-path'
+      and $not($contains($lowercase($nullSafeProp($, 'path')), '/tmp/'))
+      and $not($contains($lowercase($nullSafeProp($, 'path')), '/var/tmp/'))
+      and $not($contains($lowercase($nullSafeProp($, 'path')), '/dev/shm/'))
+      and $not($contains($lowercase($nullSafeProp($, 'path')), '/home/'))
+      and $not($contains($lowercase($nullSafeProp($, 'path')), '/run/user/'))
     ]
   location: |
     {
       "bomRef": $."bom-ref",
       "purl": purl
     }
-  message: "Privileged listener '{{ name }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }}"
-  mitigation: "Restrict privileged services to local interfaces where possible, front them with authenticated proxies, and validate exposure against approved admin-surface inventory."
+  message: "Privileged listener '{{ name }}' from '{{ $firstNonEmpty($prop($, 'path'), name) }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} and should be validated against approved exposure"
+  mitigation: "Restrict privileged services to local interfaces where possible, front them with authenticated proxies, and validate the listener path and service ownership against approved admin-surface inventory."
   evidence: |
     {
       "account": $prop($, 'account'),
@@ -371,6 +392,7 @@
   description: "Cockpit, PackageKit, pkexec, and related admin surfaces running with elevated privileges should be continuously monitored for exposure and drift."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       (
@@ -424,6 +446,7 @@
   description: "Interactive sudo or pkexec invocations against package-management and admin-control binaries can indicate privileged changes worth auditing."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'sudo_executions'
@@ -476,6 +499,7 @@
   description: "Setuid/setgid transitions outside a small baseline of expected tools can indicate risky privilege-bound packages or exploit activity."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'privilege_transitions'
@@ -519,10 +543,11 @@
     }
 
 - id: OBOM-LNX-010
-  name: "Elevated Linux process launched from user-writable or unusual path"
-  description: "Root processes executing from user-controlled or non-standard paths are a strong signal for persistence or package drift."
+  name: "Elevated Linux process launched from user-writable or temporary path"
+  description: "Root processes executing from explicit user-controlled, temporary, or per-user runtime paths are a strong signal for persistence or package drift."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'elevated_processes'
@@ -533,8 +558,12 @@
         or $contains($nullSafeProp($, 'path'), '/dev/shm/')
         or $contains($nullSafeProp($, 'path'), '/home/')
         or $contains($nullSafeProp($, 'path'), '/run/user/')
+        or $contains($nullSafeProp($, 'cmdline'), '/tmp/')
+        or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/')
+        or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/')
+        or $contains($nullSafeProp($, 'cmdline'), '/home/')
+        or $contains($nullSafeProp($, 'cmdline'), '/run/user/')
         or $safeStr($prop($, 'package_source_hint')) = 'user-writable-path'
-        or $safeStr($prop($, 'package_source_hint')) = 'unclassified-path'
       )
       and $safeStr(name) != 'systemd'
       and $safeStr(name) != 'init'
@@ -544,12 +573,13 @@
       "bomRef": $."bom-ref",
       "purl": purl
     }
-  message: "Elevated process '{{ name }}' executes from a risky path: {{ $prop($, 'path') }}"
-  mitigation: "Move approved binaries into trusted system locations, validate package ownership, and investigate any root process sourced from writable directories."
+  message: "Elevated process '{{ name }}' executes from a risky path or command: {{ $firstNonEmpty($prop($, 'path'), $prop($, 'cmdline'), name) }}"
+  mitigation: "Validate the executable path and full command line, move approved binaries into trusted system locations, and investigate any root process sourced from writable directories or per-user runtime paths."
   evidence: |
     {
       "account": $prop($, 'account'),
       "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
       "serviceUnit": $prop($, 'service_unit'),
       "parentPath": $prop($, 'parent_path'),
       "parentCmdline": $prop($, 'parent_cmdline'),
@@ -562,6 +592,7 @@
   description: "Shell-driven privileged chains are useful for separating admin changes from long-running service behavior."
   severity: medium
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'sudo_executions'
@@ -599,11 +630,68 @@
       "timestamp": $prop($, 'time')
     }
 
+- id: OBOM-LNX-012
+  name: "Linux Secure Boot inventory contains revoked certificate"
+  description: "Revoked entries in the Secure Boot trust inventory can indicate stale firmware trust policy or unexpected dbx posture drift."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+      and $safeStr($prop($, 'revoked')) = '1'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Secure Boot certificate '{{ name }}' is marked revoked in firmware trust inventory"
+  mitigation: "Review db/dbx enrollment, remove stale trust anchors, and reconcile firmware policy with approved platform signing certificates."
+  evidence: |
+    {
+      "subject": $prop($, 'subject'),
+      "issuer": $prop($, 'issuer'),
+      "serial": $prop($, 'serial'),
+      "path": $prop($, 'path'),
+      "notValidAfter": $prop($, 'not_valid_after')
+    }
+
+- id: OBOM-LNX-013
+  name: "Linux Secure Boot certificate expired or expiring soon"
+  description: "Secure Boot trust anchors nearing expiry can cause firmware validation drift and interrupt planned key rotation windows."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+      and $safeStr($prop($, 'not_valid_after')) != ''
+      and $number($prop($, 'not_valid_after')) <= ($floor($millis() / 1000) + 2592000)
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Secure Boot certificate '{{ name }}' expires at {{ $prop($, 'not_valid_after') }} and should be rotated or reviewed"
+  mitigation: "Rotate or re-enroll Secure Boot certificates before expiry and validate firmware trust stores against your approved signing hierarchy."
+  evidence: |
+    {
+      "subject": $prop($, 'subject'),
+      "issuer": $prop($, 'issuer'),
+      "serial": $prop($, 'serial'),
+      "path": $prop($, 'path'),
+      "notValidBefore": $prop($, 'not_valid_before'),
+      "notValidAfter": $prop($, 'not_valid_after')
+    }
+
 - id: OBOM-WIN-004
   name: "Hidden scheduled task uses suspicious execution path"
   description: "Enabled hidden tasks executing from temp paths or encoded script launchers are common persistence tradecraft."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
@@ -634,6 +722,7 @@
   description: "Auto-start services from temp or AppData paths may indicate privilege persistence through service hijacking."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'services_snapshot'
@@ -659,10 +748,11 @@
     }
 
 - id: OBOM-WIN-006
-  name: "Windows persistence surface references LOLBAS execution helper"
-  description: "Run keys, startup items, scheduled tasks, or auto-start services that reference LOLBAS execution helpers deserve elevated review because they blend persistence with proxy execution tradecraft."
+  name: "Windows suspicious persistence surface references LOLBAS execution helper"
+  description: "Any Windows persistence or startup surface that invokes a LOLBAS helper deserves review, including vendor- or platform-managed maintenance registrations, because these surfaces can become breachable execution targets."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:lolbas:matched') = 'true'
@@ -685,14 +775,16 @@
       "bomRef": $."bom-ref",
       "purl": purl
     }
-  message: "Windows persistence surface '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
-  mitigation: "Validate the owning change, replace proxy-execution helpers with signed managed binaries where possible, and baseline approved startup surfaces with allowlists."
+  message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' launches '{{ $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' via LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
+  mitigation: "Review the registration surface and launched command together, validate the owning change, and do not auto-trust managed or vendor-owned maintenance surfaces without provenance and hardening review."
   attack:
-    tactics: [TA0003, TA0005]
+    tactics: [TA0003, TA0004, TA0005]
     techniques: [T1218, T1547]
   evidence: |
     {
       "queryCategory": $prop($, 'cdx:osquery:category'),
+      "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name),
+      "targetPath": $firstNonEmpty($prop($, 'action'), $prop($, 'executable'), $prop($, 'module_path'), $prop($, 'path'), description),
       "lolbasNames": $prop($, 'cdx:lolbas:names'),
       "functions": $prop($, 'cdx:lolbas:functions'),
       "matchFields": $prop($, 'cdx:lolbas:matchFields'),
@@ -706,6 +798,7 @@
   description: "WMI command consumers and AppCompat shims that invoke LOLBAS utilities are high-signal persistence and defense-evasion indicators."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:lolbas:matched') = 'true'
@@ -723,7 +816,7 @@
   message: "WMI/AppCompat persistence artifact '{{ name }}' references LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
   mitigation: "Treat as a persistence investigation, review WMI repository and shim databases, and remove unauthorized subscriptions or shim registrations."
   attack:
-    tactics: [TA0003, TA0005]
+    tactics: [TA0003, TA0004, TA0005]
     techniques: [T1218, T1546]
   evidence: |
     {
@@ -742,6 +835,7 @@
   description: "Network-capable LOLBAS helpers such as PowerShell, Certutil, Bitsadmin, or WMIC become higher priority when they appear in persistence surfaces or suspicious live process command lines."
   severity: high
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:lolbas:matched') = 'true'
@@ -771,7 +865,7 @@
   message: "Network-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in '{{ $prop($, 'cdx:osquery:category') }}'"
   mitigation: "Correlate with outbound connections and downloads, restrict unmanaged scripting/network utilities, and investigate encoded or remote-fetch command lines."
   attack:
-    tactics: [TA0002, TA0011]
+    tactics: [TA0002, TA0010, TA0011]
     techniques: [T1041, T1059.001, T1105]
   evidence: |
     {
@@ -788,6 +882,7 @@
   description: "A listening process backed by a LOLBAS execution helper is a strong remote-control or staging indicator on Windows endpoints."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'listening_ports'
@@ -810,7 +905,7 @@
   message: "Listening process '{{ name }}' on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} matches LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }}"
   mitigation: "Review parent process lineage, isolate unmanaged listeners, and block or remove unexpected inbound admin or scripting surfaces."
   attack:
-    tactics: [TA0008, TA0011]
+    tactics: [TA0002, TA0005, TA0011]
     techniques: [T1059, T1105, T1218]
   evidence: |
     {
@@ -827,6 +922,7 @@
   description: "Persistence surfaces that reference LOLBAS helpers documented with UAC-bypass behavior should be treated as privilege-escalation investigations."
   severity: critical
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:lolbas:matched') = 'true'
@@ -847,7 +943,7 @@
   message: "UAC-bypass-capable LOLBAS helper(s) {{ $prop($, 'cdx:lolbas:names') }} detected in Windows persistence artifact '{{ name }}'"
   mitigation: "Investigate as a possible privilege-escalation foothold, remove unauthorized registration points, and enforce WDAC/AppLocker policies for known proxy binaries."
   attack:
-    tactics: [TA0003, TA0004, TA0005]
+    tactics: [TA0004, TA0005]
     techniques: [T1548.002, T1218]
   evidence: |
     {
@@ -864,6 +960,7 @@
   description: "Launchd overrides disabling Apple-managed services can indicate tampering with built-in security or platform controls."
   severity: medium
   category: obom-runtime
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:osquery:category') = 'launchd_overrides'
@@ -889,3 +986,791 @@
       "uid": $prop($, 'uid'),
       "plistPath": $prop($, 'path')
     }
+
+- id: OBOM-MAC-005
+  name: "macOS Gatekeeper enforcement is disabled or weakened"
+  description: "Gatekeeper should enforce assessments and identified-developer checks on managed macOS endpoints."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'gatekeeper'
+      and (
+        $safeStr($prop($, 'assessments_enabled')) != '1'
+        or $safeStr($prop($, 'dev_id_enabled')) != '1'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Gatekeeper posture is weakened (assessments_enabled={{ $prop($, 'assessments_enabled') }}, dev_id_enabled={{ $prop($, 'dev_id_enabled') }})"
+  mitigation: "Re-enable Gatekeeper assessments and identified-developer enforcement with spctl or an MDM configuration profile, then validate the host against baseline policy."
+  evidence: |
+    {
+      "gatekeeperVersion": version,
+      "opaqueVersion": description,
+      "assessmentsEnabled": $prop($, 'assessments_enabled'),
+      "devIdEnabled": $prop($, 'dev_id_enabled')
+    }
+
+- id: OBOM-LNX-014
+  name: "Linux reverse shell behavior detected in live process telemetry"
+  description: "A shell process with a live remote socket is a strong signal for hands-on-keyboard abuse, staging, or remote command execution."
+  severity: critical
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Reverse-shell-like process behavior detected for '{{ name }}' reaching {{ $prop($, 'remote_address') }}:{{ $prop($, 'remote_port') }}"
+  mitigation: "Isolate the host, review process lineage and parent shell context, and confirm whether the remote session is expected administrative activity."
+  evidence: |
+    {
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "parentCmdline": $prop($, 'parent_cmdline'),
+      "remoteAddress": $prop($, 'remote_address'),
+      "remotePort": $prop($, 'remote_port')
+    }
+
+- id: OBOM-LNX-015
+  name: "Linux process uses LD_PRELOAD from writable or temporary path"
+  description: "LD_PRELOAD pointing at user-controlled paths can indicate library hijacking, stealth persistence, or runtime tampering."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'ld_preload'
+      and (
+        $contains($lowercase($safeStr($prop($, 'value'))), '/tmp/')
+        or $contains($lowercase($safeStr($prop($, 'value'))), '/var/tmp/')
+        or $contains($lowercase($safeStr($prop($, 'value'))), '/dev/shm/')
+        or $contains($lowercase($safeStr($prop($, 'value'))), '/home/')
+        or $contains($lowercase($safeStr($prop($, 'value'))), '/run/user/')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Process '{{ name }}' sets LD_PRELOAD to a risky path: {{ $prop($, 'value') }}"
+  mitigation: "Review the preload library, remove unauthorized runtime injection, and compare the process with package ownership and startup history."
+  evidence: |
+    {
+      "processPath": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline'),
+      "cwd": $prop($, 'cwd'),
+      "ldPreload": $prop($, 'value')
+    }
+
+- id: OBOM-LNX-016
+  name: "Linux cron entry fetches remote content or runs from writable path"
+  description: "Cron jobs that fetch remote content or execute from temporary and user-writable paths are a high-signal persistence pattern."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'crontab_snapshot'
+      and (
+        (
+          (
+            $contains($lowercase($safeStr($prop($, 'command'))), 'curl ')
+            or $contains($lowercase($safeStr($prop($, 'command'))), 'wget ')
+          )
+          and (
+            $contains($lowercase($safeStr($prop($, 'command'))), 'http://')
+            or $contains($lowercase($safeStr($prop($, 'command'))), 'https://')
+            or $contains($lowercase($safeStr($prop($, 'command'))), '| sh')
+            or $contains($lowercase($safeStr($prop($, 'command'))), '| bash')
+          )
+        )
+        or $contains($lowercase($safeStr($prop($, 'command'))), '/tmp/')
+        or $contains($lowercase($safeStr($prop($, 'command'))), '/var/tmp/')
+        or $contains($lowercase($safeStr($prop($, 'command'))), '/dev/shm/')
+        or $contains($lowercase($safeStr($prop($, 'command'))), '/home/')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Cron entry '{{ name }}' has a risky command: {{ $prop($, 'command') }}"
+  mitigation: "Move bootstrap downloads into a managed deployment path, review cron ownership, and remove unauthorized recurring tasks."
+  evidence: |
+    {
+      "command": $prop($, 'command'),
+      "path": $prop($, 'path'),
+      "minute": $prop($, 'minute'),
+      "hour": $prop($, 'hour')
+    }
+
+- id: OBOM-LNX-017
+  name: "Linux sysctl posture diverges from common hardening baseline"
+  description: "Weak ASLR and redirect-handling sysctl values are commonly called out in Lynis and CIS-style hardening reviews."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'sysctl_hardening'
+      and (
+        (name = 'kernel.randomize_va_space' and $safeStr(version) != '2')
+        or (name = 'kernel.kptr_restrict' and $safeStr(version) = '0')
+        or (
+          (
+            name = 'net.ipv4.conf.all.accept_redirects'
+            or name = 'net.ipv4.conf.default.accept_redirects'
+            or name = 'net.ipv4.conf.all.send_redirects'
+            or name = 'net.ipv4.conf.default.send_redirects'
+          )
+          and $safeStr(version) = '1'
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Sysctl '{{ name }}' has a weak hardening value: {{ version }}"
+  mitigation: "Align the sysctl value with your baseline, apply the setting persistently, and validate whether the deviation is truly required for this host."
+  evidence: |
+    {
+      "sysctl": name,
+      "value": version
+    }
+
+- id: OBOM-LNX-018
+  name: "Linux temporary mount is missing key hardening flags"
+  description: "Temporary and shared-memory mounts should usually carry noexec, nosuid, and nodev protections on hardened hosts."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'mount_hardening'
+      and (
+        name = '/tmp'
+        or name = '/var/tmp'
+        or name = '/dev/shm'
+      )
+      and (
+        $not($contains($lowercase($safeStr(version)), 'noexec'))
+        or $not($contains($lowercase($safeStr(version)), 'nosuid'))
+        or $not($contains($lowercase($safeStr(version)), 'nodev'))
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Mount '{{ name }}' is missing one or more hardening flags: {{ version }}"
+  mitigation: "Review whether the mount should carry noexec, nosuid, and nodev, then enforce the chosen baseline through fstab, systemd mounts, or image build policy."
+  evidence: |
+    {
+      "mount": name,
+      "flags": version,
+      "device": description,
+      "type": $prop($, 'type')
+    }
+
+- id: OBOM-LNX-019
+  name: "Live Linux runtime artifact matches GTFOBins execution helper"
+  description: "GTFOBins-capable binaries in privileged or network-active runtime contexts deserve elevated review because they compress execution, persistence, and lateral movement tradecraft into familiar tools."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and (
+        $prop($, 'cdx:osquery:category') = 'sudo_executions'
+        or $prop($, 'cdx:osquery:category') = 'privilege_transitions'
+        or $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
+        or $prop($, 'cdx:osquery:category') = 'behavioral_reverse_shell'
+        or (
+          $prop($, 'cdx:osquery:category') = 'elevated_processes'
+          and (
+            $safeStr($prop($, 'package_source_hint')) = 'user-writable-path'
+            or $contains($nullSafeProp($, 'path'), '/tmp/')
+            or $contains($nullSafeProp($, 'path'), '/var/tmp/')
+            or $contains($nullSafeProp($, 'path'), '/dev/shm/')
+            or $contains($nullSafeProp($, 'path'), '/home/')
+            or $contains($nullSafeProp($, 'path'), '/run/user/')
+            or $contains($nullSafeProp($, 'cmdline'), '/tmp/')
+            or $contains($nullSafeProp($, 'cmdline'), '/var/tmp/')
+            or $contains($nullSafeProp($, 'cmdline'), '/dev/shm/')
+            or $contains($nullSafeProp($, 'cmdline'), '/home/')
+            or $contains($nullSafeProp($, 'cmdline'), '/run/user/')
+          )
+        )
+      )
+      and (
+        $listContains($prop($, 'cdx:gtfobins:functions'), 'shell')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'command')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Runtime artifact '{{ name }}' matches GTFOBins helper(s) {{ $prop($, 'cdx:gtfobins:names') }} in '{{ $prop($, 'cdx:osquery:category') }}'"
+  mitigation: "Validate the binary provenance and operator intent, then review related sudo, privilege-transition, listener, and remote-connection telemetry before suppressing the finding."
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "gtfobinsNames": $prop($, 'cdx:gtfobins:names'),
+      "functions": $prop($, 'cdx:gtfobins:functions'),
+      "contexts": $prop($, 'cdx:gtfobins:contexts'),
+      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
+      "path": $prop($, 'path'),
+      "cmdline": $prop($, 'cmdline')
+    }
+
+- id: OBOM-WIN-011
+  name: "Windows Public profile inbound firewall allow rule"
+  description: "Inbound allow rules on the Public firewall profile can expose services beyond expected trust boundaries."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'windows_firewall_rules'
+      and (
+        $lowercase($safeStr($prop($, 'enabled'))) = '1'
+        or $lowercase($safeStr($prop($, 'enabled'))) = 'true'
+      )
+      and $lowercase($safeStr($prop($, 'direction'))) = 'in'
+      and $lowercase($safeStr($prop($, 'action'))) = 'allow'
+      and $contains($lowercase($safeStr($prop($, 'profile'))), 'public')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Firewall rule '{{ name }}' allows inbound traffic on the Public profile"
+  mitigation: "Narrow the rule scope, move it to a more trusted profile when justified, and verify the backing service really needs public-network reachability."
+  evidence: |
+    {
+      "action": $prop($, 'action'),
+      "direction": $prop($, 'direction'),
+      "profile": $prop($, 'profile'),
+      "localPorts": $prop($, 'local_ports'),
+      "remoteAddresses": $prop($, 'remote_addresses')
+    }
+
+- id: OBOM-WIN-012
+  name: "Windows startup or listener binary has invalid Authenticode status"
+  description: "Persistence and network-facing artifacts backed by definitively invalid Authenticode status deserve urgent review on managed Windows hosts."
+  severity: critical
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+        or $prop($, 'cdx:osquery:category') = 'startup_items'
+        or $prop($, 'cdx:osquery:category') = 'services_snapshot'
+        or $prop($, 'cdx:osquery:category') = 'listening_ports'
+      )
+      and $not(
+        $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'image_path'),
+              $prop($, 'executable'),
+              $prop($, 'action'),
+              $prop($, 'module_path'),
+              $prop($, 'path'),
+              description,
+              name
+            )
+          ),
+          '.lnk'
+        )
+      )
+      and $hasProp($, 'cdx:windows:authenticode:status')
+      and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'valid'
+      and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknown'
+      and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknownerror'
+      and $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) != 'unknown_error'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' resolves to '{{ $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' with Authenticode status {{ $prop($, 'cdx:windows:authenticode:status') }}"
+  mitigation: "Review the startup/listener registration and backing binary together, treat the executable as suspicious until provenance is confirmed, compare the hash and signer with an approved baseline, and investigate who registered the surface."
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name),
+      "targetPath": $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description),
+      "path": $prop($, 'path'),
+      "imagePath": $prop($, 'image_path'),
+      "action": $prop($, 'action'),
+      "authenticodeStatus": $prop($, 'cdx:windows:authenticode:status'),
+      "signerSubject": $prop($, 'cdx:windows:authenticode:signerSubject')
+    }
+
+- id: OBOM-WIN-014
+  name: "Windows user-controlled startup or listener binary has unresolved Authenticode status"
+  description: "Unknown Authenticode state on binaries launched from user-controlled startup or network-facing surfaces deserves review even when Windows cannot conclusively mark the signature invalid."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:osquery:category') = 'windows_run_keys'
+        or $prop($, 'cdx:osquery:category') = 'scheduled_tasks'
+        or $prop($, 'cdx:osquery:category') = 'startup_items'
+        or $prop($, 'cdx:osquery:category') = 'services_snapshot'
+        or $prop($, 'cdx:osquery:category') = 'listening_ports'
+      )
+      and $not(
+        $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'image_path'),
+              $prop($, 'executable'),
+              $prop($, 'action'),
+              $prop($, 'module_path'),
+              $prop($, 'path'),
+              description,
+              name
+            )
+          ),
+          '.lnk'
+        )
+      )
+      and $hasProp($, 'cdx:windows:authenticode:status')
+      and (
+        $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknown'
+        or $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknownerror'
+        or $lowercase($safeStr($prop($, 'cdx:windows:authenticode:status'))) = 'unknown_error'
+      )
+      and (
+        $isWindowsUserControlledPath(
+          $firstNonEmpty(
+            $prop($, 'image_path'),
+            $prop($, 'executable'),
+            $prop($, 'action'),
+            description,
+            $prop($, 'path'),
+            name
+          )
+        )
+        or $isWindowsUserControlledPath(
+          $firstNonEmpty($prop($, 'path'), $prop($, 'key'), name)
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Windows {{ $prop($, 'cdx:osquery:category') }} registration '{{ $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name) }}' resolves to '{{ $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description, name) }}' with unresolved Authenticode status {{ $prop($, 'cdx:windows:authenticode:status') }}"
+  mitigation: "Review the startup/listener registration and backing binary together, confirm signature collection completed successfully, compare the hash and signer with an approved baseline, and prioritize cleanup of user-controlled execution paths."
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "registrationPath": $firstNonEmpty($prop($, 'key'), $prop($, 'path'), name),
+      "targetPath": $firstNonEmpty($prop($, 'image_path'), $prop($, 'executable'), $prop($, 'action'), $prop($, 'module_path'), $prop($, 'path'), description),
+      "path": $prop($, 'path'),
+      "imagePath": $prop($, 'image_path'),
+      "action": $prop($, 'action'),
+      "authenticodeStatus": $prop($, 'cdx:windows:authenticode:status'),
+      "signerSubject": $prop($, 'cdx:windows:authenticode:signerSubject')
+    }
+
+- id: OBOM-WIN-013
+  name: "Windows host has no active WDAC policies"
+  description: "A managed Windows endpoint with no active WDAC policy loses an important application control and allowlisting layer."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $hasProp($, 'cdx:windows:wdac:activePolicyCount')
+      and $safeStr($prop($, 'cdx:windows:wdac:activePolicyCount')) = '0'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Windows Defender Application Control is not enforcing any active policy on this host"
+  mitigation: "Deploy or restore the approved WDAC policy set and review why policy enforcement is absent on the endpoint."
+  evidence: |
+    {
+      "component": name,
+      "activePolicyCount": $prop($, 'cdx:windows:wdac:activePolicyCount')
+    }
+
+- id: OBOM-MAC-006
+  name: "macOS running app launches from Downloads, Desktop, or temporary path"
+  description: "User-space execution from Downloads, Desktop, or temporary folders is a useful triage signal for ad hoc tooling and unreviewed payloads."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'running_apps'
+      and (
+        $contains($safeStr($prop($, 'bundle_path')), '/Users/')
+        and (
+          $contains($safeStr($prop($, 'bundle_path')), '/Downloads/')
+          or $contains($safeStr($prop($, 'bundle_path')), '/Desktop/')
+          or $contains($safeStr($prop($, 'bundle_path')), '/tmp/')
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Running app '{{ name }}' originates from a risky user path: {{ $prop($, 'bundle_path') }}"
+  mitigation: "Validate the app origin, move approved software into managed application paths, and investigate unexpected user-land execution."
+  evidence: |
+    {
+      "bundlePath": $prop($, 'bundle_path'),
+      "bundleExecutable": $prop($, 'bundle_executable'),
+      "isFinishedLaunching": $prop($, 'is_finished_launching')
+    }
+
+- id: OBOM-MAC-007
+  name: "macOS startup or application artifact failed notarization assessment"
+  description: "Launchd, startup, and application artifacts with rejected notarization assessment deserve review before they are treated as trusted software."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        (
+          (
+            $prop($, 'cdx:osquery:category') = 'launchd_services'
+            or $prop($, 'cdx:osquery:category') = 'startup_items'
+          )
+          and (
+            $not(
+              $isDarwinSystemPath(
+                $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))
+              )
+            )
+            or $not(
+              $isDarwinSystemPath(
+                $firstNonEmpty(
+                  $prop($, 'program'),
+                  $prop($, 'bundle_executable'),
+                  $prop($, 'bundle_path'),
+                  $prop($, 'path')
+                )
+              )
+            )
+          )
+        )
+        or (
+          $prop($, 'cdx:osquery:category') = 'running_apps'
+          and $not(
+            $isDarwinSystemPath(
+              $firstNonEmpty($prop($, 'bundle_path'), $prop($, 'path'))
+            )
+          )
+        )
+      )
+      and $hasProp($, 'cdx:darwin:notarization:assessment')
+      and $lowercase($safeStr($prop($, 'cdx:darwin:notarization:assessment'))) = 'rejected'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "macOS {{ $prop($, 'cdx:osquery:category') }} artifact '{{ name }}' uses registration path '{{ $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path'), name) }}' with notarization assessment {{ $prop($, 'cdx:darwin:notarization:assessment') }}"
+  mitigation: "Review the registration/config path and backing executable together, confirm the signer or team identifier against approved inventory, and remove or quarantine unexpected startup items or app bundles."
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "registrationPath": $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')),
+      "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path')),
+      "label": $prop($, 'label'),
+      "path": $prop($, 'path'),
+      "bundlePath": $prop($, 'bundle_path'),
+      "bundleExecutable": $prop($, 'bundle_executable'),
+      "program": $prop($, 'program'),
+      "programArguments": $prop($, 'program_arguments'),
+      "teamIdentifier": $prop($, 'cdx:darwin:codesign:teamIdentifier'),
+      "notarizationAssessment": $prop($, 'cdx:darwin:notarization:assessment')
+    }
+
+- id: OBOM-MAC-008
+  name: "macOS user-controlled startup or application artifact has unknown notarization assessment"
+  description: "Launchd, startup, and application artifacts with unknown notarization assessment should be reviewed when they execute from user-controlled macOS paths."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        (
+          (
+            $prop($, 'cdx:osquery:category') = 'launchd_services'
+            or $prop($, 'cdx:osquery:category') = 'startup_items'
+          )
+          and (
+            $not(
+              $isDarwinSystemPath(
+                $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))
+              )
+            )
+            or $not(
+              $isDarwinSystemPath(
+                $firstNonEmpty(
+                  $prop($, 'program'),
+                  $prop($, 'bundle_executable'),
+                  $prop($, 'bundle_path'),
+                  $prop($, 'path')
+                )
+              )
+            )
+          )
+        )
+        or (
+          $prop($, 'cdx:osquery:category') = 'running_apps'
+          and $not(
+            $isDarwinSystemPath(
+              $firstNonEmpty($prop($, 'bundle_path'), $prop($, 'path'))
+            )
+          )
+        )
+      )
+      and $hasProp($, 'cdx:darwin:notarization:assessment')
+      and $lowercase($safeStr($prop($, 'cdx:darwin:notarization:assessment'))) = 'unknown'
+      and (
+        $contains(
+          $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))),
+          '/users/'
+        )
+        or $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'program'),
+              $prop($, 'bundle_executable'),
+              $prop($, 'bundle_path'),
+              $prop($, 'path')
+            )
+          ),
+          '/users/'
+        )
+        or $contains(
+          $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))),
+          '/downloads/'
+        )
+        or $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'program'),
+              $prop($, 'bundle_executable'),
+              $prop($, 'bundle_path'),
+              $prop($, 'path')
+            )
+          ),
+          '/downloads/'
+        )
+        or $contains(
+          $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))),
+          '/desktop/'
+        )
+        or $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'program'),
+              $prop($, 'bundle_executable'),
+              $prop($, 'bundle_path'),
+              $prop($, 'path')
+            )
+          ),
+          '/desktop/'
+        )
+        or $contains(
+          $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))),
+          '/tmp/'
+        )
+        or $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'program'),
+              $prop($, 'bundle_executable'),
+              $prop($, 'bundle_path'),
+              $prop($, 'path')
+            )
+          ),
+          '/tmp/'
+        )
+        or $contains(
+          $lowercase($firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'))),
+          '/private/var/'
+        )
+        or $contains(
+          $lowercase(
+            $firstNonEmpty(
+              $prop($, 'program'),
+              $prop($, 'bundle_executable'),
+              $prop($, 'bundle_path'),
+              $prop($, 'path')
+            )
+          ),
+          '/private/var/'
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "macOS {{ $prop($, 'cdx:osquery:category') }} artifact '{{ name }}' uses registration path '{{ $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path'), name) }}' and target '{{ $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path'), name) }}' with unknown notarization assessment on a user-controlled path"
+  mitigation: "Review the registration/config path and backing executable together, re-check notarization and code-signing metadata, and move approved software out of user-controlled paths before suppressing the finding."
+  evidence: |
+    {
+      "queryCategory": $prop($, 'cdx:osquery:category'),
+      "registrationPath": $firstNonEmpty($prop($, 'path'), $prop($, 'bundle_path')),
+      "targetPath": $firstNonEmpty($prop($, 'program'), $prop($, 'bundle_executable'), $prop($, 'bundle_path'), $prop($, 'path')),
+      "label": $prop($, 'label'),
+      "path": $prop($, 'path'),
+      "bundlePath": $prop($, 'bundle_path'),
+      "bundleExecutable": $prop($, 'bundle_executable'),
+      "program": $prop($, 'program'),
+      "programArguments": $prop($, 'program_arguments'),
+      "teamIdentifier": $prop($, 'cdx:darwin:codesign:teamIdentifier'),
+      "notarizationAssessment": $prop($, 'cdx:darwin:notarization:assessment')
+    }
+
+- id: OBOM-LNX-020
+  name: "Privileged Linux listener exposed on a non-local interface from writable or unclassified path"
+  description: "Root or service-account listeners bound to all interfaces from user-controlled or unclassified paths are high-signal persistence or runtime-drift indicators."
+  severity: high
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'privileged_listening_ports'
+      and (
+        $safeStr($prop($, 'address')) = '0.0.0.0'
+        or $safeStr($prop($, 'address')) = '::'
+      )
+      and $safeStr($prop($, 'port')) != '22'
+      and $safeStr($prop($, 'port')) != '53'
+      and $safeStr(name) != 'systemd-resolved'
+      and $safeStr(name) != 'avahi-daemon'
+      and $safeStr(name) != 'cupsd'
+      and (
+        $safeStr($prop($, 'package_source_hint')) = 'user-writable-path'
+        or $safeStr($prop($, 'package_source_hint')) = 'unclassified-path'
+        or $contains($lowercase($nullSafeProp($, 'path')), '/tmp/')
+        or $contains($lowercase($nullSafeProp($, 'path')), '/var/tmp/')
+        or $contains($lowercase($nullSafeProp($, 'path')), '/dev/shm/')
+        or $contains($lowercase($nullSafeProp($, 'path')), '/home/')
+        or $contains($lowercase($nullSafeProp($, 'path')), '/run/user/')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl
+    }
+  message: "Privileged listener '{{ name }}' is reachable on {{ $prop($, 'address') }}:{{ $prop($, 'port') }} from risky path '{{ $firstNonEmpty($prop($, 'path'), name) }}'"
+  mitigation: "Treat the listener path as a high-priority review item, validate package ownership and recent changes, and remove or isolate privileged services sourced from writable or unclassified locations."
+  evidence: |
+    {
+      "account": $prop($, 'account'),
+      "pid": $prop($, 'pid'),
+      "address": $prop($, 'address'),
+      "port": $prop($, 'port'),
+      "path": $prop($, 'path'),
+      "serviceUnit": $prop($, 'service_unit'),
+      "packageSourceHint": $prop($, 'package_source_hint'),
+      "parentCmdline": $prop($, 'parent_cmdline')
+    }
+
+- id: OBOM-LNX-021
+  name: "Linux APT source uses plaintext HTTP transport"
+  description: "Plain HTTP APT mirrors weaken transport integrity and are often called out in baseline hardening reviews even when package signatures remain enabled."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:osquery:category') = 'apt_sources'
+        or $prop($, 'cdx:osquery:category') = 'apt_ppa_sources'
+      )
+      and $startsWith($lowercase($safeStr($prop($, 'base_uri'))), 'http://')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'source')
+    }
+  message: "APT source '{{ name }}' still uses plaintext HTTP transport: {{ $prop($, 'base_uri') }}"
+  mitigation: "Move the repository to HTTPS or an authenticated local mirror, then confirm the source file and mirror policy match your approved package-trust baseline."
+  evidence: |
+    {
+      "sourceFile": $prop($, 'source'),
+      "baseUri": $prop($, 'base_uri'),
+      "release": $prop($, 'release'),
+      "components": $prop($, 'components'),
+      "maintainer": $prop($, 'maintainer')
+    }
+
+- id: OBOM-LNX-022
+  name: "Linux authorized_keys entry uses deprecated ssh-rsa algorithm"
+  description: "ssh-rsa authorized_keys entries rely on an older signature algorithm profile and should be reviewed during SSH hardening work."
+  severity: medium
+  category: obom-runtime
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'authorized_keys_snapshot'
+      and $lowercase($safeStr(version)) = 'ssh-rsa'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'key_file')
+    }
+  message: "Authorized key for account '{{ name }}' in '{{ $prop($, 'key_file') }}' still uses deprecated ssh-rsa"
+  mitigation: "Replace the key with ed25519 or a modern RSA/SHA-2 compatible key, then re-review key restrictions and account ownership before retaining access."
+  evidence: |
+    {
+      "account": name,
+      "algorithm": version,
+      "keyFile": $prop($, 'key_file'),
+      "comment": description,
+      "uid": $prop($, 'uid')
+    }