osquery-1/osquery/scheduler/scheduler.cpp

/*
 *  Copyright (c) 2014, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under the BSD-style license found in the
 *  LICENSE file in the root directory of this source tree. An additional grant 
 *  of patent rights can be found in the PATENTS file in the same directory.
 *
 */
 
#include <climits>
#include <ctime>

#include <glog/logging.h>

#include <osquery/config.h>
#include <osquery/core.h>
#include <osquery/database.h>
#include <osquery/flags.h>
#include <osquery/logger.h>
#include <osquery/sql.h>
#include <osquery/scheduler.h>

namespace osquery {

DEFINE_osquery_flag(string,
                    host_identifier,
                    "hostname",
                    "Field used to identify the host running osqueryd");

Status getHostIdentifier(std::string& ident) {
  std::shared_ptr<DBHandle> db;
  try {
    db = DBHandle::getInstance();
  } catch (const std::exception& e) {
    return Status(1, e.what());
  }

  if (FLAGS_host_identifier == "uuid") {
    std::vector<std::string> results;
    auto status = db->Scan(kConfigurations, results);

    if (!status.ok()) {
      LOG(ERROR) << "Could not access database, using hostname as the host "
                    "identifier.";
      ident = osquery::getHostname();
      return Status(0, "OK");
    }

    if (std::find(results.begin(), results.end(), "hostIdentifier") !=
        results.end()) {
      status = db->Get(kConfigurations, "hostIdentifier", ident);
      if (!status.ok()) {
        LOG(ERROR) << "Could not access database, using hostname as the host "
                      "identifier.";
        ident = osquery::getHostname();
      }
      return status;
    } else {
      // There was no uuid stored in the database, generate one and store it.
      ident = osquery::generateHostUuid();
      LOG(INFO) << "Using uuid " << ident << " to identify this host.";
      return db->Put(kConfigurations, "hostIdentifier", ident);
    }
  } else {
    // use the hostname as the default machine identifier
    ident = osquery::getHostname();
    return Status(0, "OK");
  }
}

void launchQueries(const std::vector<OsqueryScheduledQuery>& queries,
                   const int64_t& second) {
  for (const auto& q : queries) {
    if (second % q.interval == 0) {
      LOG(INFO) << "Executing query: " << q.query;
      int unix_time = std::time(0);
      auto sql = SQL(q.query);
      if (!sql.ok()) {
        LOG(ERROR) << "Error executing query (" << q.query
                   << "): " << sql.getMessageString();
        continue;
      }
      auto dbQuery = Query(q);
      DiffResults diff_results;
      auto status = dbQuery.addNewResults(sql.rows(), diff_results, unix_time);
      if (!status.ok()) {
        LOG(ERROR)
            << "Error adding new results to database: " << status.toString();
        continue;
      }

      if (diff_results.added.size() > 0 || diff_results.removed.size() > 0) {
        ScheduledQueryLogItem item;
        Status s;

        item.diffResults = diff_results;
        item.name = q.name;

        std::string ident;
        s = getHostIdentifier(ident);
        if (s.ok()) {
          item.hostIdentifier = ident;
        } else {
          LOG(ERROR) << "Error getting the host identifier";
          if (ident.empty()) {
            ident = "<unknown>";
          }
        }

        item.unixTime = osquery::getUnixTime();
        item.calendarTime = osquery::getAsciiTime();

        LOG(INFO) << "Found results for query " << q.name
                  << " for host: " << ident;
        s = logScheduledQueryLogItem(item);
        if (!s.ok()) {
          LOG(ERROR) << "Error logging the results of query \"" << q.query
                     << "\""
                     << ": " << s.toString();
        }
      }
    }
  }
}

void initializeScheduler() {
  DLOG(INFO) << "osquery::initializeScheduler";
  time_t t = time(0);
  struct tm* local = localtime(&t);
  unsigned long int second = local->tm_sec;
  auto cfg = Config::getInstance();
#ifdef OSQUERY_TEST_DAEMON
  // if we're testing the daemon, only iterate through 15 "seconds"
  static unsigned long int stop_at = second + 15;
#else
  // if this is production, count forever
  static unsigned long int stop_at = ULONG_MAX;
#endif
  for (; second <= stop_at; ++second) {
    launchQueries(cfg->getScheduledQueries(), second);
    sleep(1);
  }
}
}
Updating the license comment to be the correct open source header As per t5494224, all of the license headers in osquery needed to be updated to reflect the correct open source header style. 2014-12-18 18:50:47 +00:00			`/*`
			`* Copyright (c) 2014, Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD-style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*`
			`*/`

improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`#include <climits>`
Initial commit 2014-07-31 00:35:19 +00:00			`#include <ctime>`

			`#include <glog/logging.h>`

Codemod to improve include search paths 2014-12-03 23:14:02 +00:00			`#include <osquery/config.h>`
			`#include <osquery/core.h>`
			`#include <osquery/database.h>`
			`#include <osquery/flags.h>`
			`#include <osquery/logger.h>`
			`#include <osquery/sql.h>`
			`#include <osquery/scheduler.h>`
Initial commit 2014-07-31 00:35:19 +00:00
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`namespace osquery {`
Initial commit 2014-07-31 00:35:19 +00:00
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`DEFINE_osquery_flag(string,`
			`host_identifier,`
			`"hostname",`
			`"Field used to identify the host running osqueryd");`

Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`Status getHostIdentifier(std::string& ident) {`
			`std::shared_ptr<DBHandle> db;`
			`try {`
Fixed small bug in getHostIdentifier method 2014-12-01 23:02:40 +00:00			`db = DBHandle::getInstance();`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`} catch (const std::exception& e) {`
			`return Status(1, e.what());`
			`}`

			`if (FLAGS_host_identifier == "uuid") {`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`std::vector<std::string> results;`
			`auto status = db->Scan(kConfigurations, results);`

			`if (!status.ok()) {`
			`LOG(ERROR) << "Could not access database, using hostname as the host "`
			`"identifier.";`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`ident = osquery::getHostname();`
			`return Status(0, "OK");`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`}`

Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`if (std::find(results.begin(), results.end(), "hostIdentifier") !=`
			`results.end()) {`
			`status = db->Get(kConfigurations, "hostIdentifier", ident);`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`if (!status.ok()) {`
			`LOG(ERROR) << "Could not access database, using hostname as the host "`
			`"identifier.";`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`ident = osquery::getHostname();`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`}`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`return status;`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`} else {`
			`// There was no uuid stored in the database, generate one and store it.`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`ident = osquery::generateHostUuid();`
			`LOG(INFO) << "Using uuid " << ident << " to identify this host.";`
Fixed typo in getHostIdentifer 2014-12-02 22:09:37 +00:00			`return db->Put(kConfigurations, "hostIdentifier", ident);`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`}`
			`} else {`
			`// use the hostname as the default machine identifier`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`ident = osquery::getHostname();`
			`return Status(0, "OK");`
Added --host_identifier option Conflicts: osquery/core/system.cpp 2014-11-04 02:08:13 +00:00			`}`
			`}`

down with scheduledQueries_t 2014-09-15 18:17:48 +00:00			`void launchQueries(const std::vector<OsqueryScheduledQuery>& queries,`
Intervals at a second instead of a minute (#131) 2014-09-10 21:28:46 +00:00			`const int64_t& second) {`
refactored aggregateQuery to query 2014-09-16 06:07:03 +00:00			`for (const auto& q : queries) {`
			`if (second % q.interval == 0) {`
Move expected errors to info log 2014-11-19 16:45:02 +00:00			`LOG(INFO) << "Executing query: " << q.query;`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`int unix_time = std::time(0);`
Migrating internal usage of osquery::query to osquery::SQL 2014-09-26 07:34:56 +00:00			`auto sql = SQL(q.query);`
			`if (!sql.ok()) {`
Move expected errors to info log 2014-11-19 16:45:02 +00:00			`LOG(ERROR) << "Error executing query (" << q.query`
Migrating internal usage of osquery::query to osquery::SQL 2014-09-26 07:34:56 +00:00			`<< "): " << sql.getMessageString();`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`continue;`
			`}`
Removing the osquery::db namespace 2014-09-21 21:27:09 +00:00			`auto dbQuery = Query(q);`
			`DiffResults diff_results;`
Migrating internal usage of osquery::query to osquery::SQL 2014-09-26 07:34:56 +00:00			`auto status = dbQuery.addNewResults(sql.rows(), diff_results, unix_time);`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`if (!status.ok()) {`
			`LOG(ERROR)`
Move expected errors to info log 2014-11-19 16:45:02 +00:00			`<< "Error adding new results to database: " << status.toString();`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`continue;`
			`}`

Adding LaunchDaemon and flagfile to the repo/package 2014-08-21 21:35:51 +00:00			`if (diff_results.added.size() > 0 \|\| diff_results.removed.size() > 0) {`
Removing the osquery::db namespace 2014-09-21 21:27:09 +00:00			`ScheduledQueryLogItem item;`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00			`Status s;`

Adding LaunchDaemon and flagfile to the repo/package 2014-08-21 21:35:51 +00:00			`item.diffResults = diff_results;`
refactored aggregateQuery to query 2014-09-16 06:07:03 +00:00			`item.name = q.name;`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00
			`std::string ident;`
			`s = getHostIdentifier(ident);`
			`if (s.ok()) {`
			`item.hostIdentifier = ident;`
			`} else {`
			`LOG(ERROR) << "Error getting the host identifier";`
			`if (ident.empty()) {`
			`ident = "<unknown>";`
			`}`
			`}`

Doxyfile, for docs 2014-09-13 21:28:45 +00:00			`item.unixTime = osquery::getUnixTime();`
			`item.calendarTime = osquery::getAsciiTime();`
Refactoring getHostIdentifier and adding some extra logging 2014-11-25 16:47:32 +00:00
			`LOG(INFO) << "Found results for query " << q.name`
			`<< " for host: " << ident;`
			`s = logScheduledQueryLogItem(item);`
improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`if (!s.ok()) {`
refactored aggregateQuery to query 2014-09-16 06:07:03 +00:00			`LOG(ERROR) << "Error logging the results of query \"" << q.query`
clang-format 2014-08-30 11:06:21 +00:00			`<< "\""`
			`<< ": " << s.toString();`
improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`}`
Adding LaunchDaemon and flagfile to the repo/package 2014-08-21 21:35:51 +00:00			`}`
Initial commit 2014-07-31 00:35:19 +00:00			`}`
			`}`
			`}`

moving scheduler to global namespace 2014-09-15 18:26:16 +00:00			`void initializeScheduler() {`
			`DLOG(INFO) << "osquery::initializeScheduler";`
Decomplexifying the scheduler, as to close #73 2014-08-29 00:33:03 +00:00			`time_t t = time(0);`
clang-format 2014-08-30 11:06:21 +00:00			`struct tm* local = localtime(&t);`
Intervals at a second instead of a minute (#131) 2014-09-10 21:28:46 +00:00			`unsigned long int second = local->tm_sec;`
Decomplexifying the scheduler, as to close #73 2014-08-29 00:33:03 +00:00			`auto cfg = Config::getInstance();`
improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`#ifdef OSQUERY_TEST_DAEMON`
Intervals at a second instead of a minute (#131) 2014-09-10 21:28:46 +00:00			`// if we're testing the daemon, only iterate through 15 "seconds"`
			`static unsigned long int stop_at = second + 15;`
improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`#else`
			`// if this is production, count forever`
query time count is a ulong not a long 2014-08-30 11:26:40 +00:00			`static unsigned long int stop_at = ULONG_MAX;`
improved scheduler, now with developer features 2014-08-29 07:36:33 +00:00			`#endif`
Intervals at a second instead of a minute (#131) 2014-09-10 21:28:46 +00:00			`for (; second <= stop_at; ++second) {`
			`launchQueries(cfg->getScheduledQueries(), second);`
			`sleep(1);`
Decomplexifying the scheduler, as to close #73 2014-08-29 00:33:03 +00:00			`}`
Initial commit 2014-07-31 00:35:19 +00:00			`}`
Ran clang-format across the codebase 2014-08-15 07:25:30 +00:00			`}`