Adding magic table to check for libmagic data

osquery/tables/CMakeLists.txt

@@ -62,6 +62,8 @@ else()
   ADD_OSQUERY_LINK_ADDITIONAL("ip4tc")
 endif()
 
+ADD_OSQUERY_LINK_ADDITIONAL("magic")
+
 file(GLOB OSQUERY_CROSS_APPLICATIONS_TABLES "applications/*.cpp")
 file(GLOB OSQUERY_CROSS_SYSTEM_TABLES "system/*.cpp")
 file(GLOB OSQUERY_CROSS_NETWORKING_TABLES "networking/*.cpp")

osquery/tables/system/magic.cpp

@@ -0,0 +1,59 @@
+/*
+ *  Copyright (c) 2014, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree. An additional grant
+ *  of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include <stdio.h>
+#include <magic.h>
+
+#include <osquery/logger.h>
+#include <osquery/tables.h>
+
+namespace osquery {
+namespace tables {
+
+QueryData genMagicData(QueryContext& context) {
+  QueryData results;
+  magic_t magic_cookie = nullptr;
+
+  // No default flags
+  magic_cookie = magic_open(MAGIC_NONE);
+
+  if (magic_cookie == nullptr) {
+    VLOG(1) << "Unable to initialize magic library";
+    return results;
+  }
+  if (magic_load(magic_cookie, nullptr) != 0) {
+    VLOG(1) << "Unable to load magic database : " << magic_error(magic_cookie);
+    magic_close(magic_cookie);
+    return results;
+  }
+
+  // Iterate through all the provided paths
+  auto paths = context.constraints["path"].getAll(EQUALS);
+  for (const auto& path_string : paths) {
+    Row r;
+    r["path"] = path_string;
+    r["data"] = magic_file(magic_cookie, path_string.c_str());
+
+    // Retrieve MIME type
+    magic_setflags(magic_cookie, MAGIC_MIME_TYPE);
+    r["mime_type"] = magic_file(magic_cookie, path_string.c_str());
+
+    // Retrieve MIME encoding
+    magic_setflags(magic_cookie, MAGIC_MIME_ENCODING);
+    r["mime_encoding"] = magic_file(magic_cookie, path_string.c_str());
+
+    results.push_back(r);
+  }
+
+  magic_close(magic_cookie);
+  return results;
+}
+}
+}

specs/magic.table

@@ -0,0 +1,9 @@
+table_name("magic")
+description("Magic number recognition library table.")
+schema([
+    Column("path", TEXT, "Absolute path to target file", required=True),
+    Column("data", TEXT, "Magic number data from libmagic"),
+    Column("mime_type", TEXT, "MIME type data from libmagic"),
+    Column("mime_encoding", TEXT, "MIME encoding data from libmagic"),
+])
+implementation("system/magic@genMagicData")

tools/provision/amazon.sh

@@ -48,7 +48,7 @@ function main_amazon() {
 
   package libudev-devel
   package cryptsetup-luks-devel
-  
+
   install_gflags
   install_iptables_dev
 
@@ -56,6 +56,7 @@ function main_amazon() {
   package byacc
   package flex
   package bison
+  package file-libs
 
   remove_package libunwind-devel
 

tools/provision/centos.sh

@@ -85,10 +85,13 @@ function main_centos() {
     install_autoconf
     install_automake
     install_libtool
+
+    package file-libs
   elif [[ $DISTRO = "centos7" ]]; then
     package autoconf
     package automake
     package libtool
+    package file-devel
   fi
 
   install_snappy

tools/provision/darwin.sh

@@ -30,4 +30,5 @@ function main_darwin() {
   package thrift
   package yara
   package doxygen
+  package libmagic
 }

tools/provision/freebsd.sh

@@ -17,4 +17,5 @@ function main_freebsd() {
   package thrift
   package thrift-cpp
   package yara
+  package libmagic
 }

tools/provision/oracle.sh

@@ -124,5 +124,7 @@ function main_oracle() {
     package rubygems
   fi
 
+  package file-libs
+
   gem_install fpm
 }

tools/provision/rhel.sh

@@ -123,10 +123,13 @@ function main_rhel() {
     install_autoconf
     install_automake
     install_libtool
+
+    package file-libs
   elif [[ $DISTRO = "rhel7" ]]; then
     package autoconf
     package automake
     package libtool
+    package file-devel
   fi
 
   install_snappy

tools/provision/ubuntu.sh

@@ -142,4 +142,5 @@ function main_ubuntu() {
 
   install_libcryptsetup
 
+  package libmagic-dev
 }