osquery-1/osquery/events/kernel.h

/*
 *  Copyright (c) 2014, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under the BSD-style license found in the
 *  LICENSE file in the root directory of this source tree. An additional grant
 *  of patent rights can be found in the PATENTS file in the same directory.
 *
 */

#pragma once

#include <vector>

#include <osquery/events.h>
#include <osquery/status.h>

#include "osquery/events/kernel/circular_queue_user.h"

namespace osquery {

/**
 * @brief Name of the kernel communication device node.
 *
 * The kernel component creates an ioctl API for synchronizing kernel-based
 * subscriptions and userland access to regions of shared memory.
 */
extern const std::string kKernelDevice;

/**
 * @brief Load kernel extension if applicable.
 */
void loadKernelExtension();

/**
 * @brief Subscription details for KernelEventPublisher events.
 */
struct KernelSubscriptionContext : public SubscriptionContext {
  /// The kernel event subscription type.
  osquery_event_t event_type;

  /// Optional category passed to the callback.
  std::string category;
};

/**
 * @brief Event details for a KernelEventPubliser events.
 */
struct KernelEventContext : public EventContext {
  /// The event type.
  osquery_event_t event_type;

  /// The observed uptime of the system at event time.
  uint32_t uptime{0};
};

template <typename EventType>
struct TypedKernelEventContext : public KernelEventContext {
  EventType event;

  // The flexible data must remain as the last member.
  std::vector<char> flexible_data;
};

using KernelSubscriptionContextRef = std::shared_ptr<KernelSubscriptionContext>;
using KernelEventContextRef = std::shared_ptr<KernelEventContext>;

template <typename EventType>
using TypedKernelEventContextRef =
    std::shared_ptr<TypedKernelEventContext<EventType> >;

class KernelEventPublisher
    : public EventPublisher<KernelSubscriptionContext, KernelEventContext> {
  DECLARE_PUBLISHER("kernel");

 public:
  KernelEventPublisher() : EventPublisher(), queue_(nullptr){};

  Status setUp() override;

  void configure() override;

  void tearDown() override;

  Status run() override;

 private:
  CQueue *queue_{nullptr};

  /// Check whether the subscription matches the event.
  bool shouldFire(const KernelSubscriptionContextRef &sc,
                  const KernelEventContextRef &ec) const override;

  template <typename EventType>
  KernelEventContextRef createEventContextFrom(osquery_event_t event_type,
                                               CQueue::event *event) const;
};

} // namespace osquery
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`/*`
			`* Copyright (c) 2014, Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD-style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*`
			`*/`

			`#pragma once`

Add a Linux audit event publisher 2015-08-16 03:43:53 +00:00			`#include <vector>`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
			`#include <osquery/events.h>`
			`#include <osquery/status.h>`

Add a Linux audit event publisher 2015-08-16 03:43:53 +00:00			`#include "osquery/events/kernel/circular_queue_user.h"`
Adding environment variables and arguments for process events. 2015-07-27 19:11:44 +00:00
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`namespace osquery {`

Add a Linux audit event publisher 2015-08-16 03:43:53 +00:00			`/**`
			`* @brief Name of the kernel communication device node.`
			`*`
			`* The kernel component creates an ioctl API for synchronizing kernel-based`
			`* subscriptions and userland access to regions of shared memory.`
			`*/`
			`extern const std::string kKernelDevice;`

Added loading of kernel. 2015-07-29 01:38:48 +00:00			`/**`
			`* @brief Load kernel extension if applicable.`
			`*/`
			`void loadKernelExtension();`

Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`/**`
			`* @brief Subscription details for KernelEventPublisher events.`
			`*/`
			`struct KernelSubscriptionContext : public SubscriptionContext {`
			`/// The kernel event subscription type.`
			`osquery_event_t event_type;`
Created a basic publisher system for kernel events in the kernel extension. 2015-07-13 21:38:49 +00:00
Change EventSubscriber API to include subscription references 2015-12-08 06:06:32 +00:00			`/// Optional category passed to the callback.`
			`std::string category;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`};`

			`/**`
			`* @brief Event details for a KernelEventPubliser events.`
			`*/`
			`struct KernelEventContext : public EventContext {`
			`/// The event type.`
			`osquery_event_t event_type;`
Added kernel process events table. 2015-06-30 21:20:04 +00:00
Change EventSubscriber API to include subscription references 2015-12-08 06:06:32 +00:00			`/// The observed uptime of the system at event time.`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`uint32_t uptime{0};`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`};`

			`template <typename EventType>`
			`struct TypedKernelEventContext : public KernelEventContext {`
			`EventType event;`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00
			`// The flexible data must remain as the last member.`
Adding environment variables and arguments for process events. 2015-07-27 19:11:44 +00:00			`std::vector<char> flexible_data;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`};`

Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`using KernelSubscriptionContextRef = std::shared_ptr<KernelSubscriptionContext>;`
			`using KernelEventContextRef = std::shared_ptr<KernelEventContext>;`

Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`template <typename EventType>`
			`using TypedKernelEventContextRef =`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`std::shared_ptr<TypedKernelEventContext<EventType> >;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
			`class KernelEventPublisher`
			`: public EventPublisher<KernelSubscriptionContext, KernelEventContext> {`
			`DECLARE_PUBLISHER("kernel");`

			`public:`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`KernelEventPublisher() : EventPublisher(), queue_(nullptr){};`

			`Status setUp() override;`

			`void configure() override;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`void tearDown() override;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`Status run() override;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
			`private:`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`CQueue *queue_{nullptr};`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
			`/// Check whether the subscription matches the event.`
			`bool shouldFire(const KernelSubscriptionContextRef &sc,`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`const KernelEventContextRef &ec) const override;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00
			`template <typename EventType>`
			`KernelEventContextRef createEventContextFrom(osquery_event_t event_type,`
Added kernel process events table. 2015-06-30 21:20:04 +00:00			`CQueue::event *event) const;`
Added kernel event publisher. 2015-06-30 21:16:43 +00:00			`};`

Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`} // namespace osquery`