osquery-1/osquery/tables/CMakeLists.txt

if(APPLE)
  file(GLOB OSQUERY_OBJC_TABLES "*/darwin/*.mm")
  ADD_OSQUERY_OBJCXX_LIBRARY(FALSE osquery_tables_objc
    ${OSQUERY_OBJC_TABLES}
  )

  file(GLOB OSQUERY_DARWIN_TABLES "*/darwin/*.cpp")
  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_darwin
    ${OSQUERY_DARWIN_TABLES}
  )

  ADD_OSQUERY_LINK(FALSE "-framework CoreFoundation")
  ADD_OSQUERY_LINK(FALSE "-framework Security")
  ADD_OSQUERY_LINK(FALSE "-framework OpenDirectory")
  ADD_OSQUERY_LINK(FALSE "-framework DiskArbitration")
  ADD_OSQUERY_LINK(FALSE "-framework CoreServices")

  file(GLOB OSQUERY_DARWIN_TABLES_TESTS "*/darwin/tests/*.cpp")
  ADD_OSQUERY_TABLE_TEST(${OSQUERY_DARWIN_TABLES_TESTS})
elseif(FREEBSD)
  file(GLOB OSQUERY_FREEBSD_TABLES "*/freebsd/*.cpp")
  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_freebsd
    ${OSQUERY_FREEBSD_TABLES}
  )

  file(GLOB OSQUERY_FREEBSD_TABLES_TESTS "*/freebsd/tests/*.cpp")
  ADD_OSQUERY_TABLE_TEST(${OSQUERY_FREEBSD_TABLES_TESTS})
else()
  file(GLOB OSQUERY_LINUX_TABLES "*/linux/*.cpp")
  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_linux
    ${OSQUERY_LINUX_TABLES}
  )

  file(GLOB OSQUERY_LINUX_TABLES_TESTS "*/linux/tests/*.cpp")
  ADD_OSQUERY_TABLE_TEST(${OSQUERY_LINUX_TABLES_TESTS})

  if(CENTOS OR RHEL OR AMAZON)
    # CentOS specific tables
    file(GLOB OSQUERY_REDHAT_TABLES "*/centos/*.cpp")
    ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat
      ${OSQUERY_REDHAT_TABLES}
    )

    ADD_OSQUERY_LINK(FALSE "rpm rpmio")
  elseif(UBUNTU)
    # Ubuntu specific tables
    file(GLOB OSQUERY_UBUNTU_TABLES "*/ubuntu/*.cpp")
    ADD_OSQUERY_LIBRARY(FALSE osquery_tables_ubuntu
      ${OSQUERY_UBUNTU_TABLES}
    )

    ADD_OSQUERY_LINK(FALSE "apt-pkg dpkg")
  endif()

  ADD_OSQUERY_LINK(FALSE "blkid")
  ADD_OSQUERY_LINK(FALSE "cryptsetup libdevmapper.so libgcrypt.so")
  ADD_OSQUERY_LINK(FALSE "udev")
  ADD_OSQUERY_LINK(FALSE "uuid")
  ADD_OSQUERY_LINK(FALSE "ip4tc")
endif()

file(GLOB OSQUERY_CROSS_TABLES "[!ue]*/*.cpp")
ADD_OSQUERY_LIBRARY(FALSE osquery_tables
  ${OSQUERY_CROSS_TABLES}
)

file(GLOB OSQUERY_CROSS_TABLES_TESTS "[!u]*/tests/*.cpp")
ADD_OSQUERY_TABLE_TEST(${OSQUERY_CROSS_TABLES_TESTS})

file(GLOB OSQUERY_UTILITY_TABLES "utility/*.cpp")
ADD_OSQUERY_LIBRARY(TRUE osquery_tables_utility
  ${OSQUERY_UTILITY_TABLES}
)

if(NOT FREEBSD)
  file(GLOB OSQUERY_UTILS "utils/*.cpp")
  ADD_OSQUERY_LIBRARY(FALSE osquery_utils
    ${OSQUERY_UTILS}
  )

  file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")
  ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})
endif()
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`if(APPLE)`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_OBJC_TABLES "/darwin/.mm")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_OBJCXX_LIBRARY(FALSE osquery_tables_objc`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_OBJC_TABLES}`
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`)`
breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 10:24:35 +00:00
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_DARWIN_TABLES "/darwin/.cpp")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_darwin`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_DARWIN_TABLES}`
breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 10:24:35 +00:00			`)`
Moving sublibs to single libosquery 2014-09-06 01:12:37 +00:00
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "-framework CoreFoundation")`
			`ADD_OSQUERY_LINK(FALSE "-framework Security")`
			`ADD_OSQUERY_LINK(FALSE "-framework OpenDirectory")`
			`ADD_OSQUERY_LINK(FALSE "-framework DiskArbitration")`
Use CoreServices Metadata API to parse kMDItemWhereFroms for file xattrs and now includes non-browser values too 2015-05-20 17:50:25 +00:00			`ADD_OSQUERY_LINK(FALSE "-framework CoreServices")`

			`file(GLOB OSQUERY_DARWIN_TABLES_TESTS "/darwin/tests/.cpp")`
			`ADD_OSQUERY_TABLE_TEST(${OSQUERY_DARWIN_TABLES_TESTS})`
Add libraries and settings for FreeBSD 2014-11-13 20:00:41 +00:00			`elseif(FREEBSD)`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_FREEBSD_TABLES "/freebsd/.cpp")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_freebsd`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_FREEBSD_TABLES}`
Add libraries and settings for FreeBSD 2014-11-13 20:00:41 +00:00			`)`
Fast tests 2015-04-27 09:12:58 +00:00
			`file(GLOB OSQUERY_FREEBSD_TABLES_TESTS "/freebsd/tests/.cpp")`
			`ADD_OSQUERY_TABLE_TEST(${OSQUERY_FREEBSD_TABLES_TESTS})`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`else()`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_LINUX_TABLES "/linux/.cpp")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_linux`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_LINUX_TABLES}`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`)`
RPM Package listing is now working 2014-10-29 05:59:25 +00:00
Fast tests 2015-04-27 09:12:58 +00:00			`file(GLOB OSQUERY_LINUX_TABLES_TESTS "/linux/tests/.cpp")`
			`ADD_OSQUERY_TABLE_TEST(${OSQUERY_LINUX_TABLES_TESTS})`

initial commit for adding support for amazon linux 2015.03 2015-05-10 18:42:30 +00:00			`if(CENTOS OR RHEL OR AMAZON)`
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`# CentOS specific tables`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_REDHAT_TABLES "/centos/.cpp")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_REDHAT_TABLES}`
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`)`
resurrect the deb_packages table 2014-12-30 22:24:49 +00:00
Build libcryptsetup statically 2015-05-13 07:31:02 +00:00			`ADD_OSQUERY_LINK(FALSE "rpm rpmio")`
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`elseif(UBUNTU)`
merging cmake changes for distro-specific tables 2014-12-31 18:06:54 +00:00			`# Ubuntu specific tables`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_UBUNTU_TABLES "/ubuntu/.cpp")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_ubuntu`
[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`${OSQUERY_UBUNTU_TABLES}`
merging cmake changes for distro-specific tables 2014-12-31 18:06:54 +00:00			`)`

Build libcryptsetup statically 2015-05-13 07:31:02 +00:00			`ADD_OSQUERY_LINK(FALSE "apt-pkg dpkg")`
Move table link dependencies into tables CMakeLists 2014-12-23 19:39:03 +00:00			`endif()`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "blkid")`
Build libcryptsetup statically 2015-05-13 07:31:02 +00:00			`ADD_OSQUERY_LINK(FALSE "cryptsetup libdevmapper.so libgcrypt.so")`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "udev")`
			`ADD_OSQUERY_LINK(FALSE "uuid")`
Adding new table to display iptables filters, chains and rules Patching headers to avoid void pointers Adding test for parsing ipt_ip entries 2015-04-28 00:41:58 +00:00			`ADD_OSQUERY_LINK(FALSE "ip4tc")`
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`endif()`

Towards building on FreeBSD/ports 2015-05-07 04:58:23 +00:00			`file(GLOB OSQUERY_CROSS_TABLES "[!ue]/.cpp")`
			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables`
			`${OSQUERY_CROSS_TABLES}`
			`)`
[vtable_cacerts] New CA certificates table. 2014-08-17 08:44:22 +00:00
Fast tests 2015-04-27 09:12:58 +00:00			`file(GLOB OSQUERY_CROSS_TABLES_TESTS "[!u]/tests/.cpp")`
			`ADD_OSQUERY_TABLE_TEST(${OSQUERY_CROSS_TABLES_TESTS})`

[Implement #879] Add managed_policies to OS X 2015-04-09 04:28:24 +00:00			`file(GLOB OSQUERY_UTILITY_TABLES "utility/*.cpp")`
			`ADD_OSQUERY_LIBRARY(TRUE osquery_tables_utility`
			`${OSQUERY_UTILITY_TABLES}`
Build leaner libosquery, allow control over spec/impl 2014-12-24 04:07:12 +00:00			`)`

Towards building on FreeBSD/ports 2015-05-07 04:58:23 +00:00			`if(NOT FREEBSD)`
			`file(GLOB OSQUERY_UTILS "utils/*.cpp")`
			`ADD_OSQUERY_LIBRARY(FALSE osquery_utils`
			`${OSQUERY_UTILS}`
			`)`
Major YARA refactor and enhancements 1. Rename yara_matches to yara_events. 2. Add support for Config::getParser(). - This returns a ConfigPluginRef, which is the ConfigParser for the given key. - Being able to get the parser is useful because the YARAConfigParserPlugin uses it to store the compiled rules as an attribute. 3. Finish rename and use ConfigParserPlugin. - Finish the table rename to yara_events. - Use the new ConfigParserPlugin interface to parse the YARA configuration. The file_paths and signatures are stored in the ConfigParserPlugin named "yara" under the key "yara". The rules are compiled and stored as a private attribute of the same ConfigParserPlugin object. Here is an example config using this new structure: { // Description of the YARA feature. "yara": { "signatures": { // Each key is an arbitrary group name to give the signatures listed "sig_group_1": [ "/Users/wxs/foo.sig", "/Users/wxs//bar.sig" ], "sig_group_2": [ "/Users/wxs/baz.sig" ] }, "file_paths": { // Each key is a key from file_paths // The value is a list of signature groups to run when an event fires // These will be watched for and scanned when the event framework // fire off an event to yara_events table "system_binaries": [ "sig_group_1" ], "tmp": [ "sig_group_1", "sig_group_2" ] } }, // Paths to watch for filesystem events "file_paths": { "system_binaries": [ "/usr/bin/%", "/usr/sbin/%" ], "tmp": [ "/Users/wxs/tmp/%%" ] } } - Currently the signature file must be an absolute path. 3. Move common YARA code to yara_utils. - In preparation for the yara table (different from yara_events) I'm moving the common YARA code into a separate place which is shared between the two tables. 4. Add yara table. - This allows you to do things like: ```sql select * from yara where path="/bin/ls" and sigfile="/tmp/foo.sig"; select * from yara where path="/bin/ls" and sig_group="sig_group_1"; ``` - The latter will use the signature grouping from the config. 5. Check for keys not existing. 2015-04-17 20:03:43 +00:00
Towards building on FreeBSD/ports 2015-05-07 04:58:23 +00:00			`file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")`
			`ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})`
			`endif()`