osquery-1/osquery/tables/system/linux/process_open_files.cpp

/*
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under the BSD-style license found in the
 *  LICENSE file in the root directory of this source tree. An additional grant
 *  of patent rights can be found in the PATENTS file in the same directory.
 *
 */

#include <osquery/core.h>
#include <osquery/logger.h>
#include <osquery/tables.h>
#include <osquery/filesystem.h>

namespace osquery {
namespace tables {

void genDescriptors(const std::string& process,
                    const std::map<std::string, std::string>& descriptors,
                    QueryData& results) {
  for (const auto& fd : descriptors) {
    if (fd.second.find("socket:") != std::string::npos ||
        fd.second.find("anon_inode:") != std::string::npos ||
        fd.second.find("pipe:") != std::string::npos) {
      // This is NOT a vnode/file descriptor.
      continue;
    }

    Row r;
    r["pid"] = process;
    r["fd"] = fd.first;
    r["path"] = fd.second;
    results.push_back(r);
  }

  return;
}

QueryData genOpenFiles(QueryContext& context) {
  QueryData results;

  std::set<std::string> pids;
  if (context.constraints["pid"].exists(EQUALS)) {
    pids = context.constraints["pid"].getAll(EQUALS);
  } else {
    osquery::procProcesses(pids);
  }

  for (const auto& process : pids) {
    std::map<std::string, std::string> descriptors;
    if (osquery::procDescriptors(process, descriptors).ok()) {
      genDescriptors(process, descriptors, results);
    }
  }

  return results;
}
}
}
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`/*`
[osquery] Update copyright headers to new format. 2016-02-11 19:48:58 +00:00			`* Copyright (c) 2014-present, Facebook, Inc.`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD-style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*`
			`*/`

			`#include <osquery/core.h>`
			`#include <osquery/logger.h>`
			`#include <osquery/tables.h>`
			`#include <osquery/filesystem.h>`

			`namespace osquery {`
			`namespace tables {`

			`void genDescriptors(const std::string& process,`
			`const std::map<std::string, std::string>& descriptors,`
			`QueryData& results) {`
			`for (const auto& fd : descriptors) {`
			`if (fd.second.find("socket:") != std::string::npos \|\|`
			`fd.second.find("anon_inode:") != std::string::npos \|\|`
			`fd.second.find("pipe:") != std::string::npos) {`
			`// This is NOT a vnode/file descriptor.`
			`continue;`
			`}`

			`Row r;`
			`r["pid"] = process;`
			`r["fd"] = fd.first;`
			`r["path"] = fd.second;`
			`results.push_back(r);`
			`}`

			`return;`
			`}`

			`QueryData genOpenFiles(QueryContext& context) {`
			`QueryData results;`

Remove libprocps(ng) in favor of parsing proc manually 2015-03-26 23:18:28 +00:00			`std::set<std::string> pids;`
Constraint existence now check for constraints using specific operator types. This change allows QueryContext constraints to be checked for based on operator type. This makes checks for the existence of an equality operator allow enumeration. Example: if (context.constraints["pid"].exists(EQUALS)) { pids = context.constraints["pid"].getAll(EQUALS); } else { osquery::procProcesses(pids); } 2015-05-29 20:47:04 +00:00			`if (context.constraints["pid"].exists(EQUALS)) {`
Remove libprocps(ng) in favor of parsing proc manually 2015-03-26 23:18:28 +00:00			`pids = context.constraints["pid"].getAll(EQUALS);`
			`} else {`
			`osquery::procProcesses(pids);`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`}`

Remove libprocps(ng) in favor of parsing proc manually 2015-03-26 23:18:28 +00:00			`for (const auto& process : pids) {`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`std::map<std::string, std::string> descriptors;`
			`if (osquery::procDescriptors(process, descriptors).ok()) {`
			`genDescriptors(process, descriptors, results);`
			`}`
			`}`

			`return results;`
			`}`
			`}`
			`}`