package kolide
import (
"context"
"encoding/json"
)
// OsqueryService is the server-side API called by osquery agents. Only
// EnrollAgent is reachable without a node key; every other method is called
// by an already-enrolled host, which is identified through ctx rather than a
// parameter. Everything a host sends in (identifiers, query results, logs)
// originates on the endpoint, which may be compromised or impersonated, so
// implementations must treat those values as untrusted input and validate
// them instead of assuming osquery produced them.
type OsqueryService interface {
	// EnrollAgent exchanges the shared enroll secret for a per-host node
	// key. hostIdentifier is chosen by the host and therefore cannot be
	// relied on as proof of identity on its own. The returned nodeKey is
	// the bearer credential for every later call; NOTE(review): it should
	// be generated from a CSPRNG and handled as a secret (not logged).
	EnrollAgent(ctx context.Context, enrollSecret, hostIdentifier string) (nodeKey string, err error)

	// AuthenticateHost resolves a node key presented by a host to its Host
	// record, or returns an error when the key is not recognised. This is
	// the only authentication step for the post-enrollment methods below,
	// so callers must not proceed with a nil host on error.
	AuthenticateHost(ctx context.Context, nodeKey string) (host *Host, err error)

	// GetClientConfig returns the osquery configuration for the host in
	// the provided context. The returned config is executed by osqueryd on
	// the endpoint (scheduled SQL, packs, options), so whoever can change
	// it controls what runs on every enrolled host.
	GetClientConfig(ctx context.Context) (config *OsqueryConfig, err error)

	// GetDistributedQueries retrieves the distributed queries to run for
	// the host in the provided context. These may be detail queries, label
	// queries, or user-initiated distributed queries. A map from query
	// name to query SQL is returned; the host executes the SQL as-is and
	// echoes the same names back in SubmitDistributedQueryResults. To
	// enable the osquery "accelerated checkins" feature, a positive
	// integer (number of seconds to activate for) should be returned.
	// Returning 0 for this will not activate the feature.
	GetDistributedQueries(ctx context.Context) (queries map[string]string, accelerate uint, err error)

	// SubmitDistributedQueryResults ingests the rows a host produced for
	// the queries handed out by GetDistributedQueries. results is keyed by
	// query name; statuses is keyed by the same names and carries
	// osquery's per-query status (a non-success entry means the query
	// failed on the host; at the time of writing osquery gives no further
	// detail — confirm against the handler). Both maps are host-supplied:
	// unknown query names and malformed rows must be rejected, not stored.
	SubmitDistributedQueryResults(ctx context.Context, results OsqueryDistributedQueryResults, statuses map[string]string) (err error)

	// SubmitStatusLogs ingests osqueryd's own status (diagnostic) log
	// lines for the host in ctx. Message, filename and decoration values
	// come straight from the endpoint; treat them as untrusted when they
	// are rendered or forwarded (log injection).
	SubmitStatusLogs(ctx context.Context, logs []OsqueryStatusLog) (err error)

	// SubmitResultLogs ingests scheduled-query result logs for the host in
	// ctx. Each entry is left as raw JSON — nothing is decoded or
	// validated at this layer, and the payload size is not bounded here —
	// so downstream consumers must parse defensively.
	SubmitResultLogs(ctx context.Context, logs []json.RawMessage) (err error)
}
// OsqueryDistributedQueryResults represents the format of the results of an
// osquery distributed query: a map from query name (the key handed out by
// GetDistributedQueries) to the rows that query produced, each row being a
// column-name -> value map. Values are strings exactly as osquery reports
// them. The whole structure is decoded from host-supplied JSON and is
// untrusted: query names must be checked against what was actually sent to
// that host before the rows are stored.
type OsqueryDistributedQueryResults map[string][]map[string]string
// QueryContent is the format of a query stanza in an osquery configuration
// (a scheduled query or a query inside a pack). Query is SQL that osqueryd
// executes on the endpoint, so the server-side authorisation for editing
// these stanzas is the boundary between "can log in" and "can run arbitrary
// osquery SQL on every host".
//
// The optional fields are pointers so that an explicit false / 0 still
// survives omitempty: a nil pointer is omitted from the JSON, a pointer to
// false or 0 is emitted. The field meanings (interval in seconds, platform/
// version restrictions, snapshot vs. differential logging, removed-row
// reporting, shard as a percentage of hosts) follow the osquery schedule
// format; they are passed through here without validation — verify ranges
// (e.g. shard 0-100) at the point where the config is built.
type QueryContent struct {
	Query       string  `json:"query"`
	Description string  `json:"description,omitempty"`
	Interval    uint    `json:"interval"`
	Platform    *string `json:"platform,omitempty"`
	Version     *string `json:"version,omitempty"`
	Snapshot    *bool   `json:"snapshot,omitempty"`
	Removed     *bool   `json:"removed,omitempty"`
	Shard       *uint   `json:"shard,omitempty"`
}
// Queries is a helper which represents the format of a set of queries in a
// pack: a map from query name to its QueryContent stanza. Map iteration
// order is random, so the JSON key order of a serialised pack is not stable
// between runs; do not rely on it (e.g. for hashing or diffing configs).
type Queries map[string]QueryContent
// PackContent is the format of an osquery query pack. Unlike QueryContent,
// Platform, Version and Shard are plain values with omitempty, so a zero
// Shard or an empty Platform is simply left out of the JSON and osquery's
// defaults apply. Discovery holds SQL queries that osquery evaluates on the
// host to decide whether the pack applies at all (osquery "discovery
// queries"); like every other query here they run on the endpoint with
// osqueryd's privileges. Queries has no omitempty, so a nil map is emitted
// as "queries": null rather than being dropped.
type PackContent struct {
	Platform  string   `json:"platform,omitempty"`
	Version   string   `json:"version,omitempty"`
	Shard     uint     `json:"shard,omitempty"`
	Discovery []string `json:"discovery,omitempty"`
	Queries   Queries  `json:"queries"`
}
// Packs is a helper which represents the format of a list of osquery query
// packs, keyed by pack name. As with Queries, JSON key order of a serialised
// value is not deterministic.
type Packs map[string]PackContent
// Decorators is the format of the decorator configuration in an osquery
// config. Each entry is a SQL query whose result columns osquery appends to
// every log line it emits: Load runs once at config load, Always runs for
// every log event, and Interval groups queries under a key that osquery
// interprets as a period in seconds (kept as a string because that is the
// JSON shape osquery expects — confirm against the osquery docs in use).
// Decorator output ends up in every status/result log, so avoid queries
// that would surface secrets there.
type Decorators struct {
	Load     []string            `json:"load,omitempty"`
	Always   []string            `json:"always,omitempty"`
	Interval map[string][]string `json:"interval,omitempty"`
}
// OsqueryConfig is a struct that can be serialized into a valid osquery config
// using Go's JSON tooling. It is what GetClientConfig hands to the agent and
// is executed wholesale by osqueryd on the host.
//
// Serialisation details worth knowing:
//   - Options has no omitempty, so a nil map is emitted as "options": null.
//     It is an untyped map, so any osquery flag can be pushed to hosts from
//     here, including ones that change what the agent logs or where it
//     sends data; treat writes to it as privileged and validate keys/values
//     at the layer that builds the config.
//   - omitempty on Decorators has no effect: encoding/json never omits a
//     struct value, so an empty "decorators": {} is always present. Harmless
//     for osquery, but do not expect it to disappear.
//   - Schedule and Packs are omitted when nil/empty.
type OsqueryConfig struct {
	Schedule   map[string]QueryContent `json:"schedule,omitempty"`
	Options    map[string]interface{}  `json:"options"`
	Decorators Decorators              `json:"decorators,omitempty"`
	Packs      Packs                   `json:"packs,omitempty"`
	// FilePaths contains named collections of file paths used for
	// FIM (File Integrity Monitoring). FIMSections is declared elsewhere
	// in this package.
	FilePaths FIMSections `json:"file_paths,omitempty"`
}
// OsqueryStatusLog is the format of an osquery status log: one line of
// osqueryd's own diagnostic output as posted by the agent. All fields are
// kept as strings (Line and Severity included) to match the JSON osquery
// sends — NOTE(review): confirm against the osquery version in use before
// changing types. Every value here is host-supplied and unauthenticated
// beyond the node key: Message, Filename and Decorations can contain
// arbitrary text (newlines, control characters, markup), so escape them
// when rendering or forwarding to other log systems. Decorations has no
// omitempty and is emitted as null when nil.
type OsqueryStatusLog struct {
	Severity    string            `json:"severity"`
	Filename    string            `json:"filename"`
	Line        string            `json:"line"`
	Message     string            `json:"message"`
	Version     string            `json:"version"`
	Decorations map[string]string `json:"decorations"`
}