2017-12-19 00:04:06 +00:00
|
|
|
/**
|
2016-02-11 19:48:58 +00:00
|
|
|
* Copyright (c) 2014-present, Facebook, Inc.
|
2015-12-11 17:58:50 +00:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
2017-12-19 00:04:06 +00:00
|
|
|
* This source code is licensed under both the Apache 2.0 license (found in the
|
|
|
|
|
* LICENSE file in the root directory of this source tree) and the GPLv2 (found
|
|
|
|
|
* in the COPYING file in the root directory of this source tree).
|
|
|
|
|
* You may select, at your option, one of the above-listed licenses.
|
2015-12-11 17:58:50 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <osquery/events.h>
|
|
|
|
|
#include <osquery/sql.h>
|
|
|
|
|
|
2018-09-21 18:54:31 +00:00
|
|
|
#include <osquery/hashing/hashing.h>
|
|
|
|
|
#include <osquery/tables/events/event_utils.h>
|
2016-02-04 02:13:44 +00:00
|
|
|
|
2015-12-11 17:58:50 +00:00
|
|
|
namespace osquery {
|
|
|
|
|
|
|
|
|
|
const std::set<std::string> kCommonFileColumns = {
|
|
|
|
|
"inode", "uid", "gid", "mode", "size", "atime", "mtime", "ctime",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
void decorateFileEvent(const std::string& path, bool hash, Row& r) {
|
|
|
|
|
auto results = SQL::selectAllFrom("file", "path", EQUALS, path);
|
|
|
|
|
if (results.size() == 1) {
|
|
|
|
|
auto& row = results.at(0);
|
|
|
|
|
for (const auto& key : kCommonFileColumns) {
|
|
|
|
|
if (row.count(key) > 0) {
|
|
|
|
|
r[key] = row.at(key);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (hash) {
|
|
|
|
|
auto hashes = hashMultiFromFile(
|
|
|
|
|
HASH_TYPE_MD5 | HASH_TYPE_SHA1 | HASH_TYPE_SHA256, path);
|
|
|
|
|
r["md5"] = std::move(hashes.md5);
|
|
|
|
|
r["sha1"] = std::move(hashes.sha1);
|
|
|
|
|
r["sha256"] = std::move(hashes.sha256);
|
|
|
|
|
// Hashed determines the success/status of hashing, -1 failed, 1 success.
|
|
|
|
|
r["hashed"] = (r.at("md5").empty()) ? "-1" : "1";
|
|
|
|
|
} else {
|
|
|
|
|
// Alternatively if hashing wasn't needed hashed is a 0.
|
|
|
|
|
r["hashed"] = "0";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
