osquery-1/osquery/tables/system/linux/processes.cpp

// Copyright 2004-present Facebook. All Rights Reserved.

#include <string>
#include <fstream>
#include <streambuf>
#include <sstream>

#include <stdlib.h>
#include <unistd.h>
#include <proc/readproc.h>

#include <boost/lexical_cast.hpp>

#include "osquery/core.h"
#include "osquery/database.h"
#include "osquery/filesystem.h"

namespace osquery {
namespace tables {

#define PROC_SELECTS                                                 \
  PROC_FILLCOM | PROC_EDITCMDLCVT | PROC_FILLMEM | PROC_FILLSTATUS | \
      PROC_FILLSTAT

std::string proc_name(const proc_t* proc_info) {
  char cmd[17]; // cmd is a 16 char buffer

  memset(cmd, 0, 17);
  memcpy(cmd, proc_info->cmd, 16);
  return std::string(cmd);
}

std::string proc_attr(const std::string& attr, const proc_t* proc_info) {
  std::stringstream filename;

  filename << "/proc/" << proc_info->tid << "/" << attr;
  return filename.str();
}

std::string proc_cmdline(const proc_t* proc_info) {
  std::string attr;
  std::string result;

  attr = proc_attr("cmdline", proc_info);
  std::ifstream fd(attr, std::ios::in | std::ios::binary);
  if (fd) {
    result = std::string(std::istreambuf_iterator<char>(fd),
                         std::istreambuf_iterator<char>());
  }

  return result;
}

std::string proc_link(const proc_t* proc_info) {
  std::string attr;
  std::string result;
  char* link_path;
  long path_max;
  int bytes;

  // The exe is a symlink to the binary on-disk.
  attr = proc_attr("exe", proc_info);
  path_max = pathconf(attr.c_str(), _PC_PATH_MAX);
  link_path = (char*)malloc(path_max);

  memset(link_path, 0, path_max);
  bytes = readlink(attr.c_str(), link_path, path_max);
  if (bytes >= 0) {
    result = std::string(link_path);
  }

  free(link_path);
  return result;
}

QueryData genProcesses() {
  QueryData results;

  proc_t* proc_info;
  PROCTAB* proc = openproc(PROC_SELECTS);

  // Populate proc struc for each process.
  while (proc_info = readproc(proc, NULL)) {
    Row r;

    r["pid"] = boost::lexical_cast<std::string>(proc_info->tid);
    r["name"] = proc_name(proc_info);
    r["cmdline"] = proc_cmdline(proc_info);
    r["path"] = proc_link(proc_info);
    r["on_disk"] = osquery::pathExists(r["path"]).toString();

    r["resident_size"] = boost::lexical_cast<std::string>(proc_info->vm_rss);
    r["phys_footprint"] = boost::lexical_cast<std::string>(proc_info->vm_size);
    r["user_time"] = boost::lexical_cast<std::string>(proc_info->utime);
    r["system_time"] = boost::lexical_cast<std::string>(proc_info->stime);
    r["start_time"] = boost::lexical_cast<std::string>(proc_info->start_time);
    r["parent"] = boost::lexical_cast<std::string>(proc_info->ppid);

    results.push_back(r);
    freeproc(proc_info);
  }

  closeproc(proc);

  return results;
}
}
}
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`// Copyright 2004-present Facebook. All Rights Reserved.`

			`#include <string>`
			`#include <fstream>`
			`#include <streambuf>`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`#include <sstream>`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
			`#include <stdlib.h>`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`#include <unistd.h>`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`#include <proc/readproc.h>`

			`#include <boost/lexical_cast.hpp>`

			`#include "osquery/core.h"`
			`#include "osquery/database.h"`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`#include "osquery/filesystem.h"`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
			`namespace osquery {`
			`namespace tables {`

Revert "Support for Ubuntu 12, precise" This reverts commit ed0e051eba9c3bc767f859f9ca822bb3bf234eae. 2014-10-02 06:00:23 +00:00			`#define PROC_SELECTS \`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`PROC_FILLCOM \| PROC_EDITCMDLCVT \| PROC_FILLMEM \| PROC_FILLSTATUS \| \`
Revert "Support for Ubuntu 12, precise" This reverts commit ed0e051eba9c3bc767f859f9ca822bb3bf234eae. 2014-10-02 06:00:23 +00:00			`PROC_FILLSTAT`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
			`std::string proc_name(const proc_t* proc_info) {`
clang-format 2014-09-09 23:14:54 +00:00			`char cmd[17]; // cmd is a 16 char buffer`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`memset(cmd, 0, 17);`
			`memcpy(cmd, proc_info->cmd, 16);`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`return std::string(cmd);`
			`}`

[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`std::string proc_attr(const std::string& attr, const proc_t* proc_info) {`
			`std::stringstream filename;`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`filename << "/proc/" << proc_info->tid << "/" << attr;`
			`return filename.str();`
			`}`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`std::string proc_cmdline(const proc_t* proc_info) {`
			`std::string attr;`
			`std::string result;`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`attr = proc_attr("cmdline", proc_info);`
			`std::ifstream fd(attr, std::ios::in \| std::ios::binary);`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`if (fd) {`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`result = std::string(std::istreambuf_iterator<char>(fd),`
			`std::istreambuf_iterator<char>());`
			`}`

			`return result;`
			`}`

			`std::string proc_link(const proc_t* proc_info) {`
			`std::string attr;`
			`std::string result;`
			`char* link_path;`
			`long path_max;`
			`int bytes;`

			`// The exe is a symlink to the binary on-disk.`
			`attr = proc_attr("exe", proc_info);`
			`path_max = pathconf(attr.c_str(), _PC_PATH_MAX);`
			`link_path = (char*)malloc(path_max);`

			`memset(link_path, 0, path_max);`
			`bytes = readlink(attr.c_str(), link_path, path_max);`
			`if (bytes >= 0) {`
			`result = std::string(link_path);`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`}`

[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`free(link_path);`
			`return result;`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`}`

			`QueryData genProcesses() {`
			`QueryData results;`

			`proc_t* proc_info;`
			`PROCTAB* proc = openproc(PROC_SELECTS);`

			`// Populate proc struc for each process.`
			`while (proc_info = readproc(proc, NULL)) {`
			`Row r;`

			`r["pid"] = boost::lexical_cast<std::string>(proc_info->tid);`
			`r["name"] = proc_name(proc_info);`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00			`r["cmdline"] = proc_cmdline(proc_info);`
			`r["path"] = proc_link(proc_info);`
moving fs to the global namespace 2014-09-15 18:47:52 +00:00			`r["on_disk"] = osquery::pathExists(r["path"]).toString();`
[vtables] Adding cmdline, path to Linux processes 2014-09-09 17:56:48 +00:00
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`r["resident_size"] = boost::lexical_cast<std::string>(proc_info->vm_rss);`
			`r["phys_footprint"] = boost::lexical_cast<std::string>(proc_info->vm_size);`
			`r["user_time"] = boost::lexical_cast<std::string>(proc_info->utime);`
			`r["system_time"] = boost::lexical_cast<std::string>(proc_info->stime);`
			`r["start_time"] = boost::lexical_cast<std::string>(proc_info->start_time);`
			`r["parent"] = boost::lexical_cast<std::string>(proc_info->ppid);`

			`results.push_back(r);`
			`freeproc(proc_info);`
			`}`

			`closeproc(proc);`

			`return results;`
			`}`
			`}`
			`}`