2017-12-19 00:04:06 +00:00
|
|
|
/**
|
2016-02-11 19:48:58 +00:00
|
|
|
* Copyright (c) 2014-present, Facebook, Inc.
|
2014-12-18 18:50:47 +00:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
2017-12-19 00:04:06 +00:00
|
|
|
* This source code is licensed under both the Apache 2.0 license (found in the
|
|
|
|
|
* LICENSE file in the root directory of this source tree) and the GPLv2 (found
|
|
|
|
|
* in the COPYING file in the root directory of this source tree).
|
|
|
|
|
* You may select, at your option, one of the above-listed licenses.
|
2014-12-18 18:50:47 +00:00
|
|
|
*/
|
2015-05-12 06:31:13 +00:00
|
|
|
|
2018-09-14 15:04:28 +00:00
|
|
|
#include <algorithm>
|
2014-07-31 00:35:19 +00:00
|
|
|
#include <ctime>
|
|
|
|
|
|
2018-07-24 10:33:47 +00:00
|
|
|
#include <boost/format.hpp>
|
2018-09-14 15:04:28 +00:00
|
|
|
#include <boost/io/detail/quoted_manip.hpp>
|
2018-07-24 10:33:47 +00:00
|
|
|
|
2018-09-21 18:54:31 +00:00
|
|
|
#include <osquery/config/config.h>
|
2014-12-03 23:14:02 +00:00
|
|
|
#include <osquery/core.h>
|
2018-09-21 18:54:31 +00:00
|
|
|
#include <osquery/data_logger.h>
|
2014-12-03 23:14:02 +00:00
|
|
|
#include <osquery/database.h>
|
|
|
|
|
#include <osquery/flags.h>
|
2018-09-03 17:02:40 +00:00
|
|
|
#include <osquery/killswitch.h>
|
2018-07-24 10:33:47 +00:00
|
|
|
#include <osquery/numeric_monitoring.h>
|
2018-09-21 18:54:31 +00:00
|
|
|
#include <osquery/process/process.h>
|
2018-09-14 15:04:28 +00:00
|
|
|
#include <osquery/profiler/profiler.h>
|
2017-08-20 09:44:38 +00:00
|
|
|
#include <osquery/query.h>
|
2018-09-21 18:54:31 +00:00
|
|
|
#include <osquery/utils/system/time.h>
|
2015-03-21 17:14:57 +00:00
|
|
|
|
2016-03-29 06:37:34 +00:00
|
|
|
#include "osquery/config/parsers/decorators.h"
|
2015-03-22 21:58:00 +00:00
|
|
|
#include "osquery/dispatcher/scheduler.h"
|
2017-01-26 01:48:33 +00:00
|
|
|
#include "osquery/sql/sqlite_util.h"
|
2014-07-31 00:35:19 +00:00
|
|
|
|
2014-08-15 07:25:30 +00:00
|
|
|
namespace osquery {
|
2014-07-31 00:35:19 +00:00
|
|
|
|
2017-01-26 01:48:33 +00:00
|
|
|
FLAG(uint64, schedule_timeout, 0, "Limit the schedule, 0 for no limit");
|
|
|
|
|
|
2018-05-29 17:48:43 +00:00
|
|
|
FLAG(uint64,
|
|
|
|
|
schedule_max_drift,
|
|
|
|
|
60,
|
|
|
|
|
"Max time drift in seconds. Scheduler tries to compensate the drift until "
|
|
|
|
|
"the drift exceed this value. After it the drift will be reseted to zero "
|
|
|
|
|
"and the compensation process will start from the beginning. It is needed "
|
|
|
|
|
"to avoid the problem of endless compensation (which is CPU greedy) after "
|
|
|
|
|
"a long SIGSTOP/SIGCONT pause or something similar. Set it to zero to "
|
|
|
|
|
"switch off a drift compensation. Default: 60");
|
|
|
|
|
|
2017-01-26 01:48:33 +00:00
|
|
|
FLAG(uint64,
|
|
|
|
|
schedule_reload,
|
2017-03-21 19:38:04 +00:00
|
|
|
300,
|
2017-01-26 01:48:33 +00:00
|
|
|
"Interval in seconds to reload database arenas");
|
2015-03-21 17:14:57 +00:00
|
|
|
|
2017-07-08 00:56:03 +00:00
|
|
|
FLAG(uint64, schedule_epoch, 0, "Epoch for scheduled queries");
|
|
|
|
|
|
2017-04-02 06:05:45 +00:00
|
|
|
HIDDEN_FLAG(bool, enable_monitor, true, "Enable the schedule monitor");
|
|
|
|
|
|
2017-03-21 19:38:04 +00:00
|
|
|
HIDDEN_FLAG(bool,
|
|
|
|
|
schedule_reload_sql,
|
|
|
|
|
false,
|
|
|
|
|
"Reload the SQL implementation during schedule reload");
|
|
|
|
|
|
2016-09-23 23:46:02 +00:00
|
|
|
/// Used to bypass (optimize-out) the set-differential of query results.
|
|
|
|
|
DECLARE_bool(events_optimize);
|
|
|
|
|
|
2016-08-31 22:32:20 +00:00
|
|
|
SQLInternal monitor(const std::string& name, const ScheduledQuery& query) {
|
2015-04-30 01:53:25 +00:00
|
|
|
// Snapshot the performance and times for the worker before running.
|
2018-04-24 21:48:51 +00:00
|
|
|
auto pid = std::to_string(PlatformProcess::getCurrentPid());
|
2018-05-12 16:07:57 +00:00
|
|
|
auto r0 = SQL::selectFrom({"resident_size", "user_time", "system_time"},
|
|
|
|
|
"processes",
|
|
|
|
|
"pid",
|
|
|
|
|
EQUALS,
|
|
|
|
|
pid);
|
2015-12-07 19:58:53 +00:00
|
|
|
auto t0 = getUnixTime();
|
2017-05-29 06:04:53 +00:00
|
|
|
Config::get().recordQueryStart(name);
|
2017-10-13 03:00:51 +00:00
|
|
|
SQLInternal sql(query.query, true);
|
2015-04-30 01:53:25 +00:00
|
|
|
// Snapshot the performance after, and compare.
|
2015-12-07 19:58:53 +00:00
|
|
|
auto t1 = getUnixTime();
|
2018-05-12 16:07:57 +00:00
|
|
|
auto r1 = SQL::selectFrom({"resident_size", "user_time", "system_time"},
|
|
|
|
|
"processes",
|
|
|
|
|
"pid",
|
|
|
|
|
EQUALS,
|
|
|
|
|
pid);
|
2015-04-30 01:53:25 +00:00
|
|
|
if (r0.size() > 0 && r1.size() > 0) {
|
2015-12-07 19:58:53 +00:00
|
|
|
// Always called while processes table is working.
|
2019-01-11 20:12:31 +00:00
|
|
|
Config::get().recordQueryPerformance(name, t1 - t0, r0[0], r1[0]);
|
2015-04-30 01:53:25 +00:00
|
|
|
}
|
|
|
|
|
return sql;
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-14 15:04:28 +00:00
|
|
|
Status launchQuery(const std::string& name, const ScheduledQuery& query) {
|
2015-04-27 21:57:04 +00:00
|
|
|
// Execute the scheduled query and create a named query object.
|
2017-01-31 16:07:42 +00:00
|
|
|
LOG(INFO) << "Executing scheduled query " << name << ": " << query.query;
|
2016-03-29 06:37:34 +00:00
|
|
|
runDecorators(DECORATE_ALWAYS);
|
2017-01-07 20:21:35 +00:00
|
|
|
|
2017-04-02 06:05:45 +00:00
|
|
|
auto sql = monitor(name, query);
|
2015-01-02 05:55:10 +00:00
|
|
|
if (!sql.ok()) {
|
2017-01-31 16:07:42 +00:00
|
|
|
LOG(ERROR) << "Error executing scheduled query " << name << ": "
|
2016-09-07 22:35:28 +00:00
|
|
|
<< sql.getMessageString();
|
2018-07-24 10:33:47 +00:00
|
|
|
return Status::failure("Error executing scheduled query");
|
2015-01-02 05:55:10 +00:00
|
|
|
}
|
|
|
|
|
|
2015-04-27 21:57:04 +00:00
|
|
|
// Fill in a host identifier fields based on configuration or availability.
|
2015-07-29 06:08:15 +00:00
|
|
|
std::string ident = getHostIdentifier();
|
2015-04-27 21:57:04 +00:00
|
|
|
|
|
|
|
|
// A query log item contains an optional set of differential results or
|
|
|
|
|
// a copy of the most-recent execution alongside some query metadata.
|
|
|
|
|
QueryLogItem item;
|
|
|
|
|
item.name = name;
|
|
|
|
|
item.identifier = ident;
|
2018-01-21 06:20:48 +00:00
|
|
|
item.columns = sql.columns();
|
2015-04-27 21:57:04 +00:00
|
|
|
item.time = osquery::getUnixTime();
|
2017-07-08 00:56:03 +00:00
|
|
|
item.epoch = FLAGS_schedule_epoch;
|
2015-04-27 21:57:04 +00:00
|
|
|
item.calendar_time = osquery::getAsciiTime();
|
2016-03-29 06:37:34 +00:00
|
|
|
getDecorations(item.decorations);
|
2015-04-27 21:57:04 +00:00
|
|
|
|
|
|
|
|
if (query.options.count("snapshot") && query.options.at("snapshot")) {
|
|
|
|
|
// This is a snapshot query, emit results with a differential or state.
|
2015-04-30 01:53:25 +00:00
|
|
|
item.snapshot_results = std::move(sql.rows());
|
2015-04-27 21:57:04 +00:00
|
|
|
logSnapshotQuery(item);
|
2018-07-24 10:33:47 +00:00
|
|
|
return Status::success();
|
2015-04-27 21:57:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create a database-backed set of query results.
|
2015-03-22 21:58:00 +00:00
|
|
|
auto dbQuery = Query(name, query);
|
2015-11-02 08:46:04 +00:00
|
|
|
// Comparisons and stores must include escaped data.
|
|
|
|
|
sql.escapeResults();
|
|
|
|
|
|
2016-08-31 22:32:20 +00:00
|
|
|
Status status;
|
2017-12-28 03:43:20 +00:00
|
|
|
DiffResults& diff_results = item.results;
|
2015-04-27 21:57:04 +00:00
|
|
|
// Add this execution's set of results to the database-tracked named query.
|
|
|
|
|
// We can then ask for a differential from the last time this named query
|
|
|
|
|
// was executed by exact matching each row.
|
2016-09-23 23:46:02 +00:00
|
|
|
if (!FLAGS_events_optimize || !sql.eventBased()) {
|
2017-09-07 22:01:15 +00:00
|
|
|
status = dbQuery.addNewResults(
|
2017-12-28 03:43:20 +00:00
|
|
|
std::move(sql.rows()), item.epoch, item.counter, diff_results);
|
2016-08-31 22:32:20 +00:00
|
|
|
if (!status.ok()) {
|
2018-09-19 05:51:29 +00:00
|
|
|
std::string line = "Error adding new results to database for query " +
|
|
|
|
|
name + ": " + status.what();
|
2016-08-31 22:32:20 +00:00
|
|
|
LOG(ERROR) << line;
|
|
|
|
|
|
|
|
|
|
// If the database is not available then the daemon cannot continue.
|
|
|
|
|
Initializer::requestShutdown(EXIT_CATASTROPHIC, line);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
diff_results.added = std::move(sql.rows());
|
2015-01-02 05:55:10 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-18 23:21:11 +00:00
|
|
|
if (query.options.count("removed") && !query.options.at("removed")) {
|
|
|
|
|
diff_results.removed.clear();
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-19 23:45:13 +00:00
|
|
|
if (diff_results.added.empty() && diff_results.removed.empty()) {
|
2015-01-02 05:55:10 +00:00
|
|
|
// No diff results or events to emit.
|
2018-07-24 10:33:47 +00:00
|
|
|
return status;
|
2015-01-02 05:55:10 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-07 22:35:28 +00:00
|
|
|
VLOG(1) << "Found results for query: " << name;
|
2015-06-04 18:46:19 +00:00
|
|
|
|
2015-04-27 21:57:04 +00:00
|
|
|
status = logQueryLogItem(item);
|
2015-03-21 17:14:57 +00:00
|
|
|
if (!status.ok()) {
|
2016-11-02 15:37:31 +00:00
|
|
|
// If log directory is not available, then the daemon shouldn't continue.
|
|
|
|
|
std::string error = "Error logging the results of query: " + name + ": " +
|
|
|
|
|
status.toString();
|
|
|
|
|
LOG(ERROR) << error;
|
|
|
|
|
Initializer::requestShutdown(EXIT_CATASTROPHIC, error);
|
2014-07-31 00:35:19 +00:00
|
|
|
}
|
2018-07-24 10:33:47 +00:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-06 00:09:07 +00:00
|
|
|
void SchedulerRunner::start() {
|
2015-11-02 18:33:20 +00:00
|
|
|
// Start the counter at the second.
|
2015-12-07 19:58:53 +00:00
|
|
|
auto i = osquery::getUnixTime();
|
2015-03-21 17:14:57 +00:00
|
|
|
for (; (timeout_ == 0) || (i <= timeout_); ++i) {
|
2018-05-29 17:48:43 +00:00
|
|
|
auto start_time_point = std::chrono::steady_clock::now();
|
2017-05-29 06:04:53 +00:00
|
|
|
Config::get().scheduledQueries(
|
2018-05-09 13:56:19 +00:00
|
|
|
([&i](std::string name, const ScheduledQuery& query) {
|
[fix #1390] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.
The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.
Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.
For more information, refer to #1390, the documentation and the doxygen
comments included with this pull requests, as well as the following
example config which is now supported, regardless of what config plugin
you're using:
```json
{
"options": {
"enable_monitor": "true"
},
"packs": {
"core_os_monitoring": {
"version": "1.4.5",
"discovery": [
"select pid from processes where name like '%osqueryd%';"
],
"queries": {
"kernel_modules": {
"query": "SELECT name, size FROM kernel_modules;",
"interval": 600
},
"system_controls": {
"query": "SELECT * FROM system_controls;",
"interval": 600,
"snapshot": true,
},
"usb_devices": {
"query": "SELECT * FROM usb_devices;",
"interval": 600
}
}
},
"osquery_internal_info": {
"version": "1.4.5",
"discovery": [
"select pid from processes where name like '%osqueryd%';"
],
"queries": {
"info": {
"query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
"interval": 60,
"snapshot": true
},
"registry": {
"query": "SELECT * FROM osquery_registry;",
"interval": 600,
"snapshot": true
},
"schedule": {
"query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
"interval": 60,
"snapshot": true
}
}
}
}
}
```
The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about pack's
discovery query execution history.
Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as apart of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface will have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-08-19 20:27:49 +00:00
|
|
|
if (query.splayed_interval > 0 && i % query.splayed_interval == 0) {
|
2015-11-09 02:31:50 +00:00
|
|
|
TablePlugin::kCacheInterval = query.splayed_interval;
|
|
|
|
|
TablePlugin::kCacheStep = i;
|
2018-09-14 15:04:28 +00:00
|
|
|
{
|
|
|
|
|
CodeProfiler codeProfiler(
|
|
|
|
|
(boost::format("scheduler.executing_query.%s") % name).str());
|
|
|
|
|
const auto status = launchQuery(name, query);
|
|
|
|
|
codeProfiler.appendName(status.ok() ? ".success" : ".failure");
|
|
|
|
|
};
|
[fix #1390] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.
The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.
Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.
For more information, refer to #1390, the documentation and the doxygen
comments included with this pull requests, as well as the following
example config which is now supported, regardless of what config plugin
you're using:
```json
{
"options": {
"enable_monitor": "true"
},
"packs": {
"core_os_monitoring": {
"version": "1.4.5",
"discovery": [
"select pid from processes where name like '%osqueryd%';"
],
"queries": {
"kernel_modules": {
"query": "SELECT name, size FROM kernel_modules;",
"interval": 600
},
"system_controls": {
"query": "SELECT * FROM system_controls;",
"interval": 600,
"snapshot": true,
},
"usb_devices": {
"query": "SELECT * FROM usb_devices;",
"interval": 600
}
}
},
"osquery_internal_info": {
"version": "1.4.5",
"discovery": [
"select pid from processes where name like '%osqueryd%';"
],
"queries": {
"info": {
"query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
"interval": 60,
"snapshot": true
},
"registry": {
"query": "SELECT * FROM osquery_registry;",
"interval": 600,
"snapshot": true
},
"schedule": {
"query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
"interval": 60,
"snapshot": true
}
}
}
}
}
```
The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about pack's
discovery query execution history.
Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as apart of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface will have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-08-19 20:27:49 +00:00
|
|
|
}
|
|
|
|
|
}));
|
2016-03-29 06:37:34 +00:00
|
|
|
// Configuration decorators run on 60 second intervals only.
|
2017-01-26 01:48:33 +00:00
|
|
|
if ((i % 60) == 0) {
|
2016-03-29 06:37:34 +00:00
|
|
|
runDecorators(DECORATE_INTERVAL, i);
|
|
|
|
|
}
|
2017-01-26 01:48:33 +00:00
|
|
|
if (FLAGS_schedule_reload > 0 && (i % FLAGS_schedule_reload) == 0) {
|
2017-03-21 19:38:04 +00:00
|
|
|
if (FLAGS_schedule_reload_sql) {
|
|
|
|
|
SQLiteDBManager::resetPrimary();
|
|
|
|
|
}
|
2017-01-26 01:48:33 +00:00
|
|
|
resetDatabase();
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-06 22:57:44 +00:00
|
|
|
// GLog is not re-entrant, so logs must be flushed in a dedicated thread.
|
|
|
|
|
if ((i % 3) == 0) {
|
|
|
|
|
relayStatusLogs(true);
|
|
|
|
|
}
|
2018-05-29 17:48:43 +00:00
|
|
|
auto loop_step_duration =
|
|
|
|
|
std::chrono::duration_cast<std::chrono::milliseconds>(
|
|
|
|
|
std::chrono::steady_clock::now() - start_time_point);
|
|
|
|
|
if (loop_step_duration + time_drift_ < interval_) {
|
2018-08-02 15:57:02 +00:00
|
|
|
pause(std::chrono::milliseconds(interval_ - loop_step_duration -
|
|
|
|
|
time_drift_));
|
2018-05-29 17:48:43 +00:00
|
|
|
time_drift_ = std::chrono::milliseconds::zero();
|
|
|
|
|
} else {
|
|
|
|
|
time_drift_ += loop_step_duration - interval_;
|
|
|
|
|
if (time_drift_ > max_time_drift_) {
|
|
|
|
|
// giving up
|
|
|
|
|
time_drift_ = std::chrono::milliseconds::zero();
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-03-12 09:23:09 +00:00
|
|
|
if (interrupted()) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-03-21 17:14:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-29 17:48:43 +00:00
|
|
|
std::chrono::milliseconds SchedulerRunner::getCurrentTimeDrift() const
|
|
|
|
|
noexcept {
|
|
|
|
|
return time_drift_;
|
|
|
|
|
}
|
|
|
|
|
|
2016-08-15 08:33:17 +00:00
|
|
|
void startScheduler() {
|
2016-09-02 22:04:03 +00:00
|
|
|
startScheduler(static_cast<unsigned long int>(FLAGS_schedule_timeout), 1);
|
2016-08-15 08:33:17 +00:00
|
|
|
}
|
2015-03-21 17:14:57 +00:00
|
|
|
|
2016-03-19 02:37:11 +00:00
|
|
|
void startScheduler(unsigned long int timeout, size_t interval) {
|
2018-05-29 17:48:43 +00:00
|
|
|
Dispatcher::addService(std::make_shared<SchedulerRunner>(
|
|
|
|
|
timeout, interval, std::chrono::seconds{FLAGS_schedule_max_drift}));
|
2014-07-31 00:35:19 +00:00
|
|
|
}
|
2018-04-24 21:48:51 +00:00
|
|
|
} // namespace osquery
|
