// Copyright 2004-present Facebook. All Rights Reserved.
#include "osquery/scheduler.h"
#include <climits>
#include <ctime>
#include <glog/logging.h>
#include "osquery/config.h"
#include "osquery/core.h"
#include "osquery/database.h"
#include "osquery/logger.h"
namespace db = osquery::db;
namespace osquery {
namespace scheduler {
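/**
 * @brief Run every scheduled query whose interval divides the current tick.
 *
 * For each entry of @p queries whose interval divides @p second the query is
 * executed, its rows are handed to the database layer to be diffed against the
 * previously stored rows, and a ScheduledQueryLogItem is logged when anything
 * was added or removed. Failures are logged per query and the loop moves on
 * to the next query; nothing is thrown.
 *
 * @param queries the scheduled queries read from the configuration
 * @param second  the scheduler tick counter (see initialize()) — a counter
 *                seeded from the wall clock, not the wall-clock time itself
 */
void launchQueries(const osquery::scheduledQueries_t& queries,
                   const int64_t& second) {
  LOG(INFO) << "launchQueries: " << second;

  for (const auto& query : queries) {
    // The interval comes straight from the config file. A zero interval would
    // make `second % query.interval` raise SIGFPE and take the whole daemon
    // down, so a bad config entry is rejected here instead of crashing.
    if (query.interval <= 0) {
      LOG(ERROR) << "invalid interval for query: " << query.query;
      continue;
    }
    if (second % query.interval != 0) {
      continue;
    }

    LOG(INFO) << "executing query: " << query.query;

    // Timestamp taken before the query runs so it reflects the start time.
    // NOTE(review): addNewResults is called with an int timestamp as in the
    // original; that truncates time_t — confirm against the database API.
    int unix_time = static_cast<int>(std::time(nullptr));

    // Initialized so the check below is well-defined even if aggregateQuery
    // returns without touching the error slot.
    int err = 0;
    auto query_results = aggregateQuery(query.query, err);
    if (err != 0) {
      LOG(ERROR) << "error executing query: " << query.query;
      continue;
    }

    auto dbQuery = db::Query(query);
    db::DiffResults diff_results;
    auto status =
        dbQuery.addNewResults(query_results, diff_results, unix_time);
    if (!status.ok()) {
      LOG(ERROR)
          << "error adding new results to database: " << status.toString();
      continue;
    }

    // Only emit a log item when the result set actually changed.
    if (diff_results.added.empty() && diff_results.removed.empty()) {
      continue;
    }

    VLOG(1) << "Results found for query: \"" << query.query << "\"";
    db::ScheduledQueryLogItem item;
    item.diffResults = diff_results;
    item.name = query.name;
    item.hostname = osquery::getHostname();
    item.unixTime = osquery::getUnixTime();
    item.calendarTime = osquery::getAsciiTime();

    auto s = logScheduledQueryLogItem(item);
    if (!s.ok()) {
      LOG(ERROR) << "Error logging the results of query \"" << query.query
                 << "\""
                 << ": " << s.toString();
    }
  }
}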
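/**
 * @brief Run the scheduler loop.
 *
 * Seeds a tick counter from the current wall-clock second, then on every
 * iteration hands the configured scheduled queries to launchQueries() and
 * sleeps for one second. Each iteration costs sleep(1) plus however long the
 * queries take, so the counter drifts from the wall clock over time: query
 * intervals are measured in ticks, not in real seconds.
 *
 * In production the loop never exits (`second <= ULONG_MAX` always holds,
 * even after the counter wraps). Under OSQUERY_TEST_DAEMON it stops after 15
 * ticks so the test binary terminates.
 */
void initialize() {
  DLOG(INFO) << "osquery::scheduler::initialize";

  time_t t = std::time(nullptr);
  // localtime returns nullptr when the time cannot be represented; start the
  // counter at zero in that case rather than dereferencing a null pointer.
  struct tm* local = std::localtime(&t);
  unsigned long int second = (local != nullptr) ? local->tm_sec : 0;

  auto cfg = Config::getInstance();

#ifdef OSQUERY_TEST_DAEMON
  // if we're testing the daemon, only iterate through 15 "seconds"
  static unsigned long int stop_at = second + 15;
#else
  // if this is production, count forever
  static unsigned long int stop_at = ULONG_MAX;
#endif

  for (; second <= stop_at; ++second) {
    // The query list is re-read from the config on every tick.
    launchQueries(cfg->getScheduledQueries(), second);
    sleep(1);
  }
}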
}
}