osquery-1/osquery/tables/system/suid_bin.cpp

135 lines
2.9 KiB
C++
Raw Normal View History

/*
* Copyright (c) 2014, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
2015-05-12 06:31:13 +00:00
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*
*/
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
#include <pwd.h>
#include <grp.h>
#include <sys/stat.h>
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
#include <boost/filesystem.hpp>
#include <osquery/filesystem.h>
#include <osquery/logger.h>
#include <osquery/tables.h>
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
namespace fs = boost::filesystem;
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
namespace osquery {
namespace tables {
std::vector<std::string> kBinarySearchPaths = {
"/bin",
"/sbin",
"/usr/bin",
"/usr/sbin",
"/usr/local/bin",
"/usr/local/sbin",
"/tmp",
};
Status genBin(const fs::path& path, int perms, QueryData& results) {
struct stat info;
// store user and group
if (stat(path.c_str(), &info) != 0) {
return Status(1, "stat failed");
}
// store path
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
Row r;
r["path"] = path.string();
struct passwd *pw = getpwuid(info.st_uid);
struct group *gr = getgrgid(info.st_gid);
// get user name + group
std::string user;
if (pw != nullptr) {
user = std::string(pw->pw_name);
} else {
user = boost::lexical_cast<std::string>(info.st_uid);
}
std::string group;
if (gr != nullptr) {
group = std::string(gr->gr_name);
} else {
group = boost::lexical_cast<std::string>(info.st_gid);
}
r["username"] = user;
r["groupname"] = group;
r["permissions"] = "";
if ((perms & 04000) == 04000) {
r["permissions"] += "S";
}
if ((perms & 02000) == 02000) {
r["permissions"] += "G";
}
results.push_back(r);
return Status(0, "OK");
}
bool isSuidBin(const fs::path& path, int perms) {
if (!fs::is_regular_file(path)) {
return false;
}
2014-11-06 22:00:58 +00:00
if ((perms & 04000) == 04000 || (perms & 02000) == 02000) {
return true;
2014-11-06 22:00:58 +00:00
}
return false;
}
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
void genSuidBinsFromPath(const std::string& path, QueryData& results) {
if (!pathExists(path).ok()) {
// Creating an iterator on a missing path will except.
return;
}
auto it = fs::recursive_directory_iterator(fs::path(path));
fs::recursive_directory_iterator end;
while (it != end) {
fs::path path = *it;
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
try {
// Do not traverse symlinked directories.
if (fs::is_directory(path) && fs::is_symlink(path)) {
it.no_push();
}
int perms = it.status().permissions();
if (isSuidBin(path, perms)) {
// Only emit suid bins.
genBin(path, perms, results);
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
}
++it;
} catch (fs::filesystem_error& e) {
VLOG(1) << "Cannot read binary from " << path;
it.no_push();
// Try to recover, otherwise break.
try { ++it; } catch(fs::filesystem_error& e) { break; }
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
}
}
}
QueryData genSuidBin(QueryContext& context) {
QueryData results;
// Todo: add hidden column to select on that triggers non-std path searches.
for (const auto& path : kBinarySearchPaths) {
genSuidBinsFromPath(path, results);
}
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2014-10-29 05:08:10 +00:00
return results;
}
}
}