osquery-1/osquery/tables/CMakeLists.txt

if(APPLE)
  ADD_OSQUERY_OBJCXX_LIBRARY(FALSE osquery_tables_objc
    system/darwin/users.mm
    system/darwin/groups.mm
    system/darwin/certificates.mm
  )

  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_darwin
    applications/darwin/browser_chrome.cpp
    applications/darwin/browser_firefox.cpp
    applications/darwin/browser_safari.cpp
    events/darwin/passwd_changes.cpp
    events/darwin/file_changes.cpp
    events/darwin/hardware_events.cpp
    networking/darwin/routes.cpp
    system/darwin/acpi_tables.cpp
    system/darwin/apps.cpp
    system/darwin/block_devices.cpp
    system/darwin/keychain_items.cpp
    system/darwin/keychain_utils.cpp
    system/darwin/firewall.h
    system/darwin/firewall.cpp
    system/darwin/homebrew_packages.cpp
    system/darwin/iokit_registry.cpp
    system/darwin/iokit_utils.cpp
    system/darwin/kernel_info.cpp
    system/darwin/kernel_extensions.cpp
    system/darwin/launchd.cpp
    system/darwin/mounts.cpp
    system/darwin/nvram.cpp
    system/darwin/os_version.cpp
    system/darwin/preferences.cpp
    system/darwin/processes.cpp
    system/darwin/process_open_descriptors.cpp
    system/darwin/quarantine.cpp
    system/darwin/pci_devices.cpp
    system/darwin/usb_devices.cpp
    system/darwin/smbios_tables.cpp
    system/darwin/startup_items.cpp
    system/darwin/sysctl_utils.cpp
    system/darwin/xprotect.cpp
    system/darwin/nfs_shares.cpp
    system/darwin/xattr.cpp
  )

  ADD_OSQUERY_LINK(FALSE "-framework CoreFoundation")
  ADD_OSQUERY_LINK(FALSE "-framework Security")
  ADD_OSQUERY_LINK(FALSE "-framework OpenDirectory")
  ADD_OSQUERY_LINK(FALSE "-framework DiskArbitration")
elseif(FREEBSD)
  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_freebsd
    events/freebsd/passwd_changes.cpp
    networking/freebsd/routes.cpp
    system/freebsd/processes.cpp
    system/freebsd/users.cpp
    system/freebsd/groups.cpp
  )
else()
  ADD_OSQUERY_LIBRARY(FALSE osquery_tables_linux
    events/linux/hardware_events.cpp
    events/linux/passwd_changes.cpp
    events/linux/file_changes.cpp
    networking/linux/arp_cache.cpp
    networking/linux/process_open_sockets.cpp
    networking/linux/routes.cpp
    system/linux/acpi_tables.cpp
    system/linux/block_devices.cpp
    system/linux/groups.cpp
    system/linux/kernel_info.cpp
    system/linux/kernel_integrity.cpp
    system/linux/kernel_modules.cpp
    system/linux/memory_map.cpp
    system/linux/mounts.cpp
    system/linux/os_version.cpp
    system/linux/pci_devices.cpp
    system/linux/processes.cpp
    system/linux/process_open_files.cpp
    system/linux/shared_memory.cpp
    system/linux/smbios_tables.cpp
    system/linux/sysctl_utils.cpp
    system/linux/usb_devices.cpp
    system/linux/users.cpp
  )

  if(CENTOS)
    # CentOS specific tables
    ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat
      system/centos/rpm_packages.cpp
    )

    ADD_OSQUERY_LINK(FALSE "rpm")
    ADD_OSQUERY_LINK(FALSE "rpmio")
  elseif(UBUNTU)
    # Ubuntu specific tables
    ADD_OSQUERY_LIBRARY(FALSE osquery_tables_ubuntu
      system/ubuntu/deb_packages.cpp
      system/ubuntu/apt_sources.cpp
    )

    ADD_OSQUERY_LINK(FALSE "apt-pkg")
    ADD_OSQUERY_LINK(FALSE "dpkg")
  endif()

  ADD_OSQUERY_LINK(FALSE "procps" "proc")
  ADD_OSQUERY_LINK(FALSE "blkid")
  ADD_OSQUERY_LINK(FALSE "udev")
  ADD_OSQUERY_LINK(FALSE "uuid")
endif()

ADD_OSQUERY_LIBRARY(FALSE osquery_tables
  networking/etc_hosts.cpp
  networking/etc_services.cpp
  networking/interfaces.cpp
  networking/listening_ports.cpp
  networking/utils.cpp
  system/cpuid.cpp
  system/crontab.cpp
  system/last.cpp
  system/shell_history.cpp
  system/smbios_utils.cpp
  system/suid_bin.cpp
  system/system_controls.cpp
  system/logged_in_users.cpp
)

ADD_OSQUERY_LIBRARY(TRUE osquery_utility_tables
  utility/time.cpp
  utility/hash.cpp
  utility/file.cpp
  utility/osquery.cpp
)

ADD_OSQUERY_TEST(FALSE etc_hosts_tests networking/etc_hosts_tests.cpp)
if(APPLE)
  ADD_OSQUERY_TEST(FALSE xattr_tests system/darwin/xattr_tests.cpp)
  ADD_OSQUERY_TEST(FALSE apps_tests system/darwin/apps_tests.cpp)
  ADD_OSQUERY_TEST(FALSE certificates_tests system/darwin/certificates_tests.cpp)
  ADD_OSQUERY_TEST(FALSE firewall_tests system/darwin/firewall_tests.cpp)
  ADD_OSQUERY_TEST(FALSE launchd_tests system/darwin/launchd_tests.cpp)
endif()
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`if(APPLE)`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_OBJCXX_LIBRARY(FALSE osquery_tables_objc`
OMG memory leaks 2014-10-10 01:08:18 +00:00			`system/darwin/users.mm`
Adding groups vtable and refactoring users 2014-10-10 22:09:14 +00:00			`system/darwin/groups.mm`
Rename ca_certs to certificates 2015-02-25 22:18:43 +00:00			`system/darwin/certificates.mm`
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`)`
breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 10:24:35 +00:00
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_darwin`
[#787] Add chrome, firefox, and safari related tables 2015-03-09 05:21:58 +00:00			`applications/darwin/browser_chrome.cpp`
			`applications/darwin/browser_firefox.cpp`
			`applications/darwin/browser_safari.cpp`
[events] Fleshing out OSX FSEvent framework 2014-09-30 20:17:54 +00:00			`events/darwin/passwd_changes.cpp`
Added ability to specify files to watch with wildcards 2015-02-18 02:04:15 +00:00			`events/darwin/file_changes.cpp`
IOKit HID events and OSX hardware_events table 2014-12-12 02:06:08 +00:00			`events/darwin/hardware_events.cpp`
[vtables] Routes table for Linux 2014-09-09 05:44:46 +00:00			`networking/darwin/routes.cpp`
ACPI tables for OSX 2015-01-16 05:37:02 +00:00			`system/darwin/acpi_tables.cpp`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`system/darwin/apps.cpp`
Adding block_devices to OSX 2015-01-23 17:40:35 +00:00			`system/darwin/block_devices.cpp`
Add keychain_items to include basic item details 2015-03-08 09:59:59 +00:00			`system/darwin/keychain_items.cpp`
			`system/darwin/keychain_utils.cpp`
Adding header files to CMakeLists.txt so that other build tools can perform better introspection into the codebase. 2014-09-09 17:53:59 +00:00			`system/darwin/firewall.h`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`system/darwin/firewall.cpp`
[vtables] Rename homebrew files, some cleanup 2014-10-29 04:16:32 +00:00			`system/darwin/homebrew_packages.cpp`
iokit_registry table 2015-01-15 20:46:49 +00:00			`system/darwin/iokit_registry.cpp`
Adding block_devices to OSX 2015-01-23 17:40:35 +00:00			`system/darwin/iokit_utils.cpp`
Add kernel_info to OSX 2015-01-23 04:47:29 +00:00			`system/darwin/kernel_info.cpp`
[Fix #599] Rename kextstat->kernel_extensions 2015-01-11 07:38:03 +00:00			`system/darwin/kernel_extensions.cpp`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`system/darwin/launchd.cpp`
Mounts table for Darwin. Associated with #255, this adds Mounts table support for Darwin. 2014-11-17 18:43:59 +00:00			`system/darwin/mounts.cpp`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`system/darwin/nvram.cpp`
Renamed osx_version to os_version, include Linux versions 2015-03-15 23:07:49 +00:00			`system/darwin/os_version.cpp`
Added 'defaults' table called 'preferences' 2015-02-10 23:58:08 +00:00			`system/darwin/preferences.cpp`
[vtables] Processes table for Linux (procps3) 2014-09-09 05:19:59 +00:00			`system/darwin/processes.cpp`
Split OSX process_open_files into files/sockets 2015-01-13 18:42:44 +00:00			`system/darwin/process_open_descriptors.cpp`
Add quarantine vtable for OSX The tables reports: - path: The file in quarantine - creator: The application that created the file Example: osquery> select * from quarantine limit 10; +----------------------------------------------------------------------------+---------------+ \| path \| creator \| +----------------------------------------------------------------------------+---------------+ \| /Applications/Adium.app \| Google Chrome \| \| /Applications/Adium.app/Contents \| Google Chrome \| \| /Applications/Adium.app/Contents/_CodeSignature \| Google Chrome \| \| /Applications/Adium.app/Contents/_CodeSignature/CodeResources \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks/Adium.framework \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders \| Google Chrome \| \| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources \| Google Chrome \| +----------------------------------------------------------------------------+---------------+ Fixes issue #231 2014-10-31 13:10:51 +00:00			`system/darwin/quarantine.cpp`
PCI/USB parity 2014-12-10 22:51:43 +00:00			`system/darwin/pci_devices.cpp`
Fix memory leaks in USB Devices for OSX 2014-11-23 02:04:47 +00:00			`system/darwin/usb_devices.cpp`
SMBIOS structure tables for OSX 2015-01-19 00:20:50 +00:00			`system/darwin/smbios_tables.cpp`
Add basic Mac startup items vtable 2014-10-30 01:10:26 +00:00			`system/darwin/startup_items.cpp`
Add sysctl (system_control) table 2015-02-26 22:10:39 +00:00			`system/darwin/sysctl_utils.cpp`
Add XProtect vtable to OSX 2014-12-16 04:16:52 +00:00			`system/darwin/xprotect.cpp`
NFS Table for darwin systems. Currently table readonly field is a string, this may change in the future to an integer to stay consistent with other parts of osquery. 2015-01-15 18:13:15 +00:00			`system/darwin/nfs_shares.cpp`
Can query for where a file came from using the OS X eXtended attributes 2015-01-21 02:02:45 +00:00			`system/darwin/xattr.cpp`
breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 10:24:35 +00:00			`)`
Moving sublibs to single libosquery 2014-09-06 01:12:37 +00:00
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "-framework CoreFoundation")`
			`ADD_OSQUERY_LINK(FALSE "-framework Security")`
			`ADD_OSQUERY_LINK(FALSE "-framework OpenDirectory")`
			`ADD_OSQUERY_LINK(FALSE "-framework DiskArbitration")`
Add libraries and settings for FreeBSD 2014-11-13 20:00:41 +00:00			`elseif(FREEBSD)`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_freebsd`
Add dummy table implementations for FreeBSD 2014-11-18 20:12:03 +00:00			`events/freebsd/passwd_changes.cpp`
			`networking/freebsd/routes.cpp`
			`system/freebsd/processes.cpp`
			`system/freebsd/users.cpp`
			`system/freebsd/groups.cpp`
Add libraries and settings for FreeBSD 2014-11-13 20:00:41 +00:00			`)`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`else()`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_linux`
Linux udev events 2014-12-08 10:22:59 +00:00			`events/linux/hardware_events.cpp`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`events/linux/passwd_changes.cpp`
Added ability to specify files to watch with wildcards 2015-02-18 02:04:15 +00:00			`events/linux/file_changes.cpp`
Cleaner arp_table->arp_cache on Linux/OSX 2014-11-16 21:59:19 +00:00			`networking/linux/arp_cache.cpp`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`networking/linux/process_open_sockets.cpp`
			`networking/linux/routes.cpp`
Add basic acpi_tables hashing to Linux 2015-01-18 07:02:14 +00:00			`system/linux/acpi_tables.cpp`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`system/linux/block_devices.cpp`
			`system/linux/groups.cpp`
Adding kernel_info to Linux 2015-01-22 06:37:43 +00:00			`system/linux/kernel_info.cpp`
kernel_integrity vtable to use camb 2014-12-06 21:40:55 +00:00			`system/linux/kernel_integrity.cpp`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`system/linux/kernel_modules.cpp`
Add Linux memory map table 2015-02-09 07:47:40 +00:00			`system/linux/memory_map.cpp`
Mounts table for linux 2014-11-01 00:16:36 +00:00			`system/linux/mounts.cpp`
Renamed osx_version to os_version, include Linux versions 2015-03-15 23:07:49 +00:00			`system/linux/os_version.cpp`
renamed lspci to pci_devices and specified it linux only 2014-10-31 20:03:27 +00:00			`system/linux/pci_devices.cpp`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`system/linux/processes.cpp`
			`system/linux/process_open_files.cpp`
Add shared_memory table to Linux 2015-02-09 04:32:30 +00:00			`system/linux/shared_memory.cpp`
SMBIOS parsing on Linux using mem 2015-01-19 03:43:40 +00:00			`system/linux/smbios_tables.cpp`
Add sysctl (system_control) table 2015-02-26 22:10:39 +00:00			`system/linux/sysctl_utils.cpp`
PCI/USB parity 2014-12-10 22:51:43 +00:00			`system/linux/usb_devices.cpp`
Moved socket_inode on Linux to process_open_files 2015-01-11 10:17:10 +00:00			`system/linux/users.cpp`
Changes for Linux (Ubuntu 14.04) build 2014-09-05 14:54:41 +00:00			`)`
RPM Package listing is now working 2014-10-29 05:59:25 +00:00
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`if(CENTOS)`
			`# CentOS specific tables`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat`
Renamed osx_version to os_version, include Linux versions 2015-03-15 23:07:49 +00:00			`system/centos/rpm_packages.cpp`
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`)`
resurrect the deb_packages table 2014-12-30 22:24:49 +00:00
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "rpm")`
			`ADD_OSQUERY_LINK(FALSE "rpmio")`
Support centos/ubuntu-specific tables 2014-12-31 17:33:19 +00:00			`elseif(UBUNTU)`
merging cmake changes for distro-specific tables 2014-12-31 18:06:54 +00:00			`# Ubuntu specific tables`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables_ubuntu`
Renamed osx_version to os_version, include Linux versions 2015-03-15 23:07:49 +00:00			`system/ubuntu/deb_packages.cpp`
			`system/ubuntu/apt_sources.cpp`
merging cmake changes for distro-specific tables 2014-12-31 18:06:54 +00:00			`)`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "apt-pkg")`
			`ADD_OSQUERY_LINK(FALSE "dpkg")`
Move table link dependencies into tables CMakeLists 2014-12-23 19:39:03 +00:00			`endif()`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LINK(FALSE "procps" "proc")`
			`ADD_OSQUERY_LINK(FALSE "blkid")`
			`ADD_OSQUERY_LINK(FALSE "udev")`
			`ADD_OSQUERY_LINK(FALSE "uuid")`
breaking out objective-c tables such that they use arc 2014-08-30 10:17:52 +00:00			`endif()`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(FALSE osquery_tables`
alphabetizing the order of sources in the tables cmake file 2014-08-30 10:46:08 +00:00			`networking/etc_hosts.cpp`
Adding a table which maps services from /etc/services. Signed-off-by: anuka <david.vas1@gmail.com> 2014-11-29 16:06:34 +00:00			`networking/etc_services.cpp`
Split OSX process_open_files into files/sockets 2015-01-13 18:42:44 +00:00			`networking/interfaces.cpp`
			`networking/listening_ports.cpp`
			`networking/utils.cpp`
[vtables] CPUID asm call feature information 2014-10-28 22:43:37 +00:00			`system/cpuid.cpp`
Moved crontab out of utility 2014-12-23 22:39:59 +00:00			`system/crontab.cpp`
Adding support for last in linux 2014-10-14 01:19:08 +00:00			`system/last.cpp`
Rename/improve bash_history to shell_history 2014-11-29 01:38:04 +00:00			`system/shell_history.cpp`
SMBIOS parsing on Linux using mem 2015-01-19 03:43:40 +00:00			`system/smbios_utils.cpp`
Add suid_bin vtable The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| path \| unix_user \| unix_group \| permissions \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ \| "/bin/ps" \| root \| wheel \| S \| \| "/bin/rcp" \| root \| wheel \| S \| \| "/Users/vmauge/suid_test" \| vmauge \| 999 \| SG \| \| "/usr/bin/at" \| root \| wheel \| S \| \| "/usr/bin/atq" \| root \| wheel \| S \| \| "/usr/bin/atrm" \| root \| wheel \| S \| \| "/usr/bin/batch" \| root \| wheel \| S \| \| "/usr/bin/crontab" \| root \| wheel \| S \| \| "/usr/bin/ipcs" \| root \| wheel \| S \| \| "/usr/bin/lockfile" \| root \| mail \| G \| \| "/usr/bin/login" \| root \| wheel \| S \| \| "/usr/bin/newgrp" \| root \| wheel \| S \| \| "/usr/bin/procmail" \| root \| mail \| G \| \| "/usr/bin/quota" \| root \| wheel \| S \| \| "/usr/bin/rlogin" \| root \| wheel \| S \| \| "/usr/bin/rsh" \| root \| wheel \| S \| \| "/usr/bin/su" \| root \| wheel \| S \| \| "/usr/bin/sudo" \| root \| wheel \| S \| \| "/usr/bin/top" \| root \| wheel \| S \| \| "/usr/bin/wall" \| root \| tty \| G \| \| "/usr/bin/write" \| root \| tty \| G \| \| "/usr/sbin/postdrop" \| root \| _postdrop \| G \| \| "/usr/sbin/postqueue" \| root \| _postdrop \| G \| \| "/usr/sbin/rpc.net" \| root \| wheel \| S \| \| "/usr/sbin/rpcset" \| root \| wheel \| S \| \| "/usr/sbin/traceroute" \| root \| wheel \| S \| \| "/usr/sbin/traceroute6" \| root \| wheel \| S \| +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253. 2014-10-29 05:08:10 +00:00			`system/suid_bin.cpp`
Add sysctl (system_control) table 2015-02-26 22:10:39 +00:00			`system/system_controls.cpp`
Implement logged_in_users. Fixes #9. 2014-11-23 04:49:37 +00:00			`system/logged_in_users.cpp`
Initial commit 2014-07-31 00:35:19 +00:00			`)`
[vtable_cacerts] New CA certificates table. 2014-08-17 08:44:22 +00:00
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_LIBRARY(TRUE osquery_utility_tables`
Build leaner libosquery, allow control over spec/impl 2014-12-24 04:07:12 +00:00			`utility/time.cpp`
			`utility/hash.cpp`
			`utility/file.cpp`
			`utility/osquery.cpp`
			`)`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_TEST(FALSE etc_hosts_tests networking/etc_hosts_tests.cpp)`
enabling unit tests for tables 2014-08-30 21:26:24 +00:00			`if(APPLE)`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_TEST(FALSE xattr_tests system/darwin/xattr_tests.cpp)`
			`ADD_OSQUERY_TEST(FALSE apps_tests system/darwin/apps_tests.cpp)`
Rename ca_certs to certificates 2015-02-25 22:18:43 +00:00			`ADD_OSQUERY_TEST(FALSE certificates_tests system/darwin/certificates_tests.cpp)`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`ADD_OSQUERY_TEST(FALSE firewall_tests system/darwin/firewall_tests.cpp)`
			`ADD_OSQUERY_TEST(FALSE launchd_tests system/darwin/launchd_tests.cpp)`
enabling unit tests for tables 2014-08-30 21:26:24 +00:00			`endif()`