osquery-1/osquery/main/main.cpp

/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under both the Apache 2.0 license (found in the
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
 */

#include <cstdio>
#include <cstring>

#ifdef WIN32
#include <io.h>
#endif

#include <iostream>

#include <boost/algorithm/string/predicate.hpp>

#include <osquery/core.h>
#include <osquery/database.h>
#include <osquery/extensions.h>
#include <osquery/flags.h>
#include <osquery/logger.h>
#include <osquery/system.h>

#include "osquery/core/process.h"
#include "osquery/core/utils.h"
#include "osquery/core/watcher.h"
#include "osquery/devtools/devtools.h"
#include "osquery/dispatcher/distributed.h"
#include "osquery/dispatcher/io_service.h"
#include "osquery/dispatcher/scheduler.h"
#include "osquery/filesystem/fileops.h"
#include "osquery/main/main.h"
#include "osquery/sql/sqlite_util.h"

namespace fs = boost::filesystem;

namespace osquery {

SHELL_FLAG(int32,
           profile,
           0,
           "Enable profile mode when non-0, set number of iterations");

HIDDEN_FLAG(int32,
            profile_delay,
            0,
            "Sleep a number of seconds before and after the profiling");

CLI_FLAG(bool, install, false, "Install osqueryd as a service");

CLI_FLAG(bool, uninstall, false, "Uninstall osqueryd as a service");

DECLARE_bool(disable_caching);

const std::string kWatcherWorkerName{"osqueryd: worker"};

int profile(int argc, char* argv[]) {
  std::string query;
  if (!osquery::platformIsatty(stdin)) {
    std::getline(std::cin, query);
  } else if (argc < 2) {
    // No query input provided via stdin or as a positional argument.
    fprintf(stderr, "No query provided via stdin or args to profile...\n");
    return 2;
  } else {
    query = std::string(argv[1]);
  }

  if (osquery::FLAGS_profile_delay > 0) {
    osquery::sleepFor(osquery::FLAGS_profile_delay * 1000);
  }

  // Perform some duplication from Initializer with respect to database setup.
  osquery::DatabasePlugin::setAllowOpen(true);
  osquery::RegistryFactory::get().setActive("database", "ephemeral");

  auto dbc = osquery::SQLiteDBManager::get();
  for (size_t i = 0; i < static_cast<size_t>(osquery::FLAGS_profile); ++i) {
    osquery::QueryData results;
    auto status = osquery::queryInternal(query, results, dbc);
    dbc->clearAffectedTables();
    if (!status) {
      fprintf(stderr,
              "Query failed (%d): %s\n",
              status.getCode(),
              status.what().c_str());
      return status.getCode();
    }
  }

  if (osquery::FLAGS_profile_delay > 0) {
    osquery::sleepFor(osquery::FLAGS_profile_delay * 1000);
  }

  return 0;
}

int startDaemon(Initializer& runner) {
  runner.start();

  // Conditionally begin the distributed query service
  auto s = startDistributed();
  if (!s.ok()) {
    VLOG(1) << "Not starting the distributed query service: " << s.toString();
  }

  // Begin the schedule runloop.
  startScheduler();

  // Finally wait for a signal / interrupt to shutdown.
  runner.waitForShutdown();
  return 0;
}

int startShell(osquery::Initializer& runner, int argc, char* argv[]) {
  // Check for shell-specific switches and positional arguments.
  if (argc > 1 || !osquery::platformIsatty(stdin) ||
      !osquery::FLAGS_A.empty() || !osquery::FLAGS_pack.empty() ||
      osquery::FLAGS_L || osquery::FLAGS_profile > 0) {
    // A query was set as a positional argument, via stdin, or profiling is on.
    osquery::FLAGS_disable_events = true;
    osquery::FLAGS_disable_caching = true;
    // The shell may have loaded table extensions, if not, disable the manager.
    if (!osquery::Watcher::get().hasManagedExtensions() &&
        Flag::isDefault("disable_extensions")) {
      osquery::FLAGS_disable_extensions = true;
    }
  }

  int retcode = 0;
  if (osquery::FLAGS_profile <= 0) {
    runner.start();

    // Virtual tables will be attached to the shell's in-memory SQLite DB.
    retcode = osquery::launchIntoShell(argc, argv);
    // Finally shutdown.
    runner.requestShutdown();
  } else {
    retcode = profile(argc, argv);
  }
  return retcode;
}

int startOsquery(int argc, char* argv[], std::function<void()> shutdown) {
  // Parse/apply flags, start registry, load logger/config plugins.
  osquery::Initializer runner(argc, argv, osquery::ToolType::SHELL_DAEMON);

  // Options for installing or uninstalling the osqueryd as a service
  if (FLAGS_install) {
    auto binPath = fs::system_complete(fs::path(argv[0]));
    if (!installService(binPath.string())) {
      LOG(ERROR) << "Unable to install the osqueryd service";
    }
    return 1;
  } else if (FLAGS_uninstall) {
    if (!uninstallService()) {
      LOG(ERROR) << "Unable to uninstall the osqueryd service";
    }
    return 1;
  }

  runner.installShutdown(shutdown);
  runner.initDaemon();

  // When a watchdog is used, the current daemon will fork/exec into a worker.
  // In either case the watcher may start optionally loaded extensions.
  runner.initWorkerWatcher(kWatcherWorkerName);

  // Begin adhoc io service thread.
  startIOService();

  if (runner.isDaemon()) {
    return startDaemon(runner);
  }
  return startShell(runner, argc, argv);
}
} // namespace osquery
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`/**`
[osquery] Update copyright headers to new format. 2016-02-11 19:48:58 +00:00			`* Copyright (c) 2014-present, Facebook, Inc.`
Updating the license comment to be the correct open source header As per t5494224, all of the license headers in osquery needed to be updated to reflect the correct open source header style. 2014-12-18 18:50:47 +00:00			`* All rights reserved.`
			`*`
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`* This source code is licensed under both the Apache 2.0 license (found in the`
			`* LICENSE file in the root directory of this source tree) and the GPLv2 (found`
			`* in the COPYING file in the root directory of this source tree).`
			`* You may select, at your option, one of the above-listed licenses.`
Updating the license comment to be the correct open source header As per t5494224, all of the license headers in osquery needed to be updated to reflect the correct open source header style. 2014-12-18 18:50:47 +00:00			`*/`
Changes to flags, extensions now loaded with shell/daemon 2015-02-05 00:54:44 +00:00
tidy: Improve clang-tidy (modernize) list of checks and run across codebase (#3870) 2017-10-30 05:25:49 +00:00			`#include <cstdio>`
			`#include <cstring>`
Changes to flags, extensions now loaded with shell/daemon 2015-02-05 00:54:44 +00:00
Windows Daemon/Shell: Make osquery code more Windows-friendly (#2188) 2016-07-01 21:56:07 +00:00			`#ifdef WIN32`
			`#include <io.h>`
			`#endif`

Remove boost::thread 2016-03-11 08:30:20 +00:00			`#include <iostream>`

Add autocompletion of table names in osqueryi (#2236) 2016-07-14 21:15:32 +00:00			`#include <boost/algorithm/string/predicate.hpp>`

Codemod to improve include search paths 2014-12-03 23:14:02 +00:00			`#include <osquery/core.h>`
Fix shell's --profile switch 2016-03-20 23:05:13 +00:00			`#include <osquery/database.h>`
[Fix #1125 #1126] Flag padding checks, config_check tests 2015-05-11 08:21:57 +00:00			`#include <osquery/extensions.h>`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`#include <osquery/flags.h>`
Add autocompletion of table names in osqueryi (#2236) 2016-07-14 21:15:32 +00:00			`#include <osquery/logger.h>`
Add systemLog API (#2229) This includes a minor SDK refactor as it move quite a few specialized functions and facilities from core.h into system.h. There was a breaking point for needing to frequently update core includes. The new logger systemLog function allows a call site to bypass logging config and write a line to the OS logger (aka syslog). 2016-07-07 22:16:28 +00:00			`#include <osquery/system.h>`
Speed up shell and add max value size 2015-03-18 19:01:58 +00:00
Add systemLog API (#2229) This includes a minor SDK refactor as it move quite a few specialized functions and facilities from core.h into system.h. There was a breaking point for needing to frequently update core includes. The new logger systemLog function allows a call site to bypass logging config and write a line to the OS logger (aka syslog). 2016-07-07 22:16:28 +00:00			`#include "osquery/core/process.h"`
Reducing compiler warnings and fails on warn in VS (#2433) 2016-09-02 22:04:03 +00:00			`#include "osquery/core/utils.h"`
[Fix #1125 #1126] Flag padding checks, config_check tests 2015-05-11 08:21:57 +00:00			`#include "osquery/core/watcher.h"`
Speed up shell and add max value size 2015-03-18 19:01:58 +00:00			`#include "osquery/devtools/devtools.h"`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`#include "osquery/dispatcher/distributed.h"`
TLS session reuse support (#3948) 2018-02-11 09:48:24 +00:00			`#include "osquery/dispatcher/io_service.h"`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`#include "osquery/dispatcher/scheduler.h"`
Windows Daemon/Shell: Make osquery code more Windows-friendly (#2188) 2016-07-01 21:56:07 +00:00			`#include "osquery/filesystem/fileops.h"`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`#include "osquery/main/main.h"`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`#include "osquery/sql/sqlite_util.h"`

service: add full path for service binary (#4316) 2018-05-02 03:47:22 +00:00			`namespace fs = boost::filesystem;`

[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`namespace osquery {`

			`SHELL_FLAG(int32,`
			`profile,`
			`0,`
			`"Enable profile mode when non-0, set number of iterations");`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`HIDDEN_FLAG(int32,`
			`profile_delay,`
			`0,`
			`"Sleep a number of seconds before and after the profiling");`
Fix shell's --profile switch 2016-03-20 23:05:13 +00:00
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`CLI_FLAG(bool, install, false, "Install osqueryd as a service");`

			`CLI_FLAG(bool, uninstall, false, "Uninstall osqueryd as a service");`

Fix shell's --profile switch 2016-03-20 23:05:13 +00:00			`DECLARE_bool(disable_caching);`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00
			`const std::string kWatcherWorkerName{"osqueryd: worker"};`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00
platformGetUid returns 0 for Administrator user (#2643) 2016-10-19 17:25:32 +00:00			`int profile(int argc, char* argv[]) {`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`std::string query;`
Windows Daemon/Shell: Make osquery code more Windows-friendly (#2188) 2016-07-01 21:56:07 +00:00			`if (!osquery::platformIsatty(stdin)) {`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`std::getline(std::cin, query);`
			`} else if (argc < 2) {`
			`// No query input provided via stdin or as a positional argument.`
			`fprintf(stderr, "No query provided via stdin or args to profile...\n");`
			`return 2;`
			`} else {`
			`query = std::string(argv[1]);`
			`}`

			`if (osquery::FLAGS_profile_delay > 0) {`
[Fix #2342] Use seconds for --profile_delay precision (#2348) 2016-08-11 14:49:55 +00:00			`osquery::sleepFor(osquery::FLAGS_profile_delay * 1000);`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`}`

Fix shell's --profile switch 2016-03-20 23:05:13 +00:00			`// Perform some duplication from Initializer with respect to database setup.`
			`osquery::DatabasePlugin::setAllowOpen(true);`
Simplify Registry and plugin concepts (#2887) 2017-01-07 20:21:35 +00:00			`osquery::RegistryFactory::get().setActive("database", "ephemeral");`
Fix shell's --profile switch 2016-03-20 23:05:13 +00:00
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`auto dbc = osquery::SQLiteDBManager::get();`
			`for (size_t i = 0; i < static_cast<size_t>(osquery::FLAGS_profile); ++i) {`
			`osquery::QueryData results;`
[Fix #3859] Lock every access to SQLiteDBInstance::db (#3883) 2017-10-24 18:40:26 +00:00			`auto status = osquery::queryInternal(query, results, dbc);`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`dbc->clearAffectedTables();`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`if (!status) {`
			`fprintf(stderr,`
			`"Query failed (%d): %s\n",`
			`status.getCode(),`
			`status.what().c_str());`
			`return status.getCode();`
			`}`
			`}`

			`if (osquery::FLAGS_profile_delay > 0) {`
Change second FLAGS_pofile_delay to seconds (#2359) 2016-08-15 15:30:20 +00:00			`osquery::sleepFor(osquery::FLAGS_profile_delay * 1000);`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`}`

			`return 0;`
			`}`
Fix GTest/siginfo redefine by libthrift 2015-02-05 01:53:27 +00:00
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`int startDaemon(Initializer& runner) {`
			`runner.start();`
Allow extensions autoloading in osqueryi 2016-02-09 05:50:08 +00:00
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`// Conditionally begin the distributed query service`
			`auto s = startDistributed();`
			`if (!s.ok()) {`
			`VLOG(1) << "Not starting the distributed query service: " << s.toString();`
			`}`

			`// Begin the schedule runloop.`
			`startScheduler();`

			`// Finally wait for a signal / interrupt to shutdown.`
			`runner.waitForShutdown();`
			`return 0;`
			`}`
Allow extensions autoloading in osqueryi 2016-02-09 05:50:08 +00:00
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`int startShell(osquery::Initializer& runner, int argc, char* argv[]) {`
Allow extensions autoloading in osqueryi 2016-02-09 05:50:08 +00:00			`// Check for shell-specific switches and positional arguments.`
[Fix #2342] Use seconds for --profile_delay precision (#2348) 2016-08-11 14:49:55 +00:00			`if (argc > 1 \|\| !osquery::platformIsatty(stdin) \|\|`
tidy: Improve clang-tidy (modernize) list of checks and run across codebase (#3870) 2017-10-30 05:25:49 +00:00			`!osquery::FLAGS_A.empty() \|\| !osquery::FLAGS_pack.empty() \|\|`
[Fix #2342] Use seconds for --profile_delay precision (#2348) 2016-08-11 14:49:55 +00:00			`osquery::FLAGS_L \|\| osquery::FLAGS_profile > 0) {`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`// A query was set as a positional argument, via stdin, or profiling is on.`
Various shell fixups 2015-04-27 23:40:05 +00:00			`osquery::FLAGS_disable_events = true;`
Fix shell's --profile switch 2016-03-20 23:05:13 +00:00			`osquery::FLAGS_disable_caching = true;`
[Fix #1125 #1126] Flag padding checks, config_check tests 2015-05-11 08:21:57 +00:00			`// The shell may have loaded table extensions, if not, disable the manager.`
[Fix #3831] Do not lock kAttachMutex within shell callbacks (#3837) 2017-10-16 20:46:14 +00:00			`if (!osquery::Watcher::get().hasManagedExtensions() &&`
			`Flag::isDefault("disable_extensions")) {`
[Fix #1125 #1126] Flag padding checks, config_check tests 2015-05-11 08:21:57 +00:00			`osquery::FLAGS_disable_extensions = true;`
			`}`
Various shell fixups 2015-04-27 23:40:05 +00:00			`}`

[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`int retcode = 0;`
			`if (osquery::FLAGS_profile <= 0) {`
			`runner.start();`
[events] EventType threads for each run loop 2014-09-23 01:35:12 +00:00
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`// Virtual tables will be attached to the shell's in-memory SQLite DB.`
			`retcode = osquery::launchIntoShell(argc, argv);`
Fix shell's --profile switch 2016-03-20 23:05:13 +00:00			`// Finally shutdown.`
			`runner.requestShutdown();`
[#1527] Add a --profile option to the shell, replace 'run' 2015-11-22 04:36:32 +00:00			`} else {`
			`retcode = profile(argc, argv);`
			`}`
[events] EventType threads for each run loop 2014-09-23 01:35:12 +00:00			`return retcode;`
Initial commit 2014-07-31 00:35:19 +00:00			`}`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00
			`int startOsquery(int argc, char* argv[], std::function<void()> shutdown) {`
			`// Parse/apply flags, start registry, load logger/config plugins.`
			`osquery::Initializer runner(argc, argv, osquery::ToolType::SHELL_DAEMON);`

			`// Options for installing or uninstalling the osqueryd as a service`
			`if (FLAGS_install) {`
service: add full path for service binary (#4316) 2018-05-02 03:47:22 +00:00			`auto binPath = fs::system_complete(fs::path(argv[0]));`
			`if (!installService(binPath.string())) {`
Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`LOG(ERROR) << "Unable to install the osqueryd service";`
			`}`
			`return 1;`
			`} else if (FLAGS_uninstall) {`
			`if (!uninstallService()) {`
			`LOG(ERROR) << "Unable to uninstall the osqueryd service";`
			`}`
			`return 1;`
			`}`

			`runner.installShutdown(shutdown);`
			`runner.initDaemon();`

			`// When a watchdog is used, the current daemon will fork/exec into a worker.`
			`// In either case the watcher may start optionally loaded extensions.`
			`runner.initWorkerWatcher(kWatcherWorkerName);`

TLS session reuse support (#3948) 2018-02-11 09:48:24 +00:00			`// Begin adhoc io service thread.`
			`startIOService();`

Combine osqueryi and osqueryd into single binary (#2742) 2017-08-27 18:09:25 +00:00			`if (runner.isDaemon()) {`
			`return startDaemon(runner);`
			`}`
			`return startShell(runner, argc, argv);`
			`}`
			`} // namespace osquery`