From 1a50977a23c2ab1e0c8112619ae08fbb01905098 Mon Sep 17 00:00:00 2001 From: Javier Marcos Date: Fri, 28 Aug 2015 12:49:46 -0700 Subject: [PATCH] Adding magic table to check for libmagic data --- osquery/tables/CMakeLists.txt | 2 ++ osquery/tables/system/magic.cpp | 59 +++++++++++++++++++++++++++++++++ specs/magic.table | 9 +++++ tools/provision/amazon.sh | 3 +- tools/provision/centos.sh | 3 ++ tools/provision/darwin.sh | 1 + tools/provision/freebsd.sh | 1 + tools/provision/oracle.sh | 2 ++ tools/provision/rhel.sh | 3 ++ tools/provision/ubuntu.sh | 1 + 10 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 osquery/tables/system/magic.cpp create mode 100644 specs/magic.table diff --git a/osquery/tables/CMakeLists.txt b/osquery/tables/CMakeLists.txt index 0952b27e..b63b7fbf 100644 --- a/osquery/tables/CMakeLists.txt +++ b/osquery/tables/CMakeLists.txt @@ -62,6 +62,8 @@ else() ADD_OSQUERY_LINK_ADDITIONAL("ip4tc") endif() +ADD_OSQUERY_LINK_ADDITIONAL("magic") + file(GLOB OSQUERY_CROSS_APPLICATIONS_TABLES "applications/*.cpp") file(GLOB OSQUERY_CROSS_SYSTEM_TABLES "system/*.cpp") file(GLOB OSQUERY_CROSS_NETWORKING_TABLES "networking/*.cpp") diff --git a/osquery/tables/system/magic.cpp b/osquery/tables/system/magic.cpp new file mode 100644 index 00000000..ac6b0477 --- /dev/null +++ b/osquery/tables/system/magic.cpp 
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2014, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include
+#include
+
+#include
+#include
+
+namespace osquery {
+namespace tables {
+
+QueryData genMagicData(QueryContext& context) {
+ QueryData results;
+ magic_t magic_cookie = nullptr;
+
+ // No default flags
+ magic_cookie = magic_open(MAGIC_NONE);
+
+ if (magic_cookie == nullptr) {
+ VLOG(1) << "Unable to initialize magic library";
+ return results;
+ }
+ if (magic_load(magic_cookie, nullptr) != 0) {
+ VLOG(1) << "Unable to load magic database : " << magic_error(magic_cookie);
+ magic_close(magic_cookie);
+ return results;
+ }
+
+ // Iterate through all the provided paths
+ auto paths = context.constraints["path"].getAll(EQUALS);
+ for (const auto& path_string : paths) {
+ Row r;
+ r["path"] = path_string;
+ r["data"] = magic_file(magic_cookie, path_string.c_str());
+
+ // Retrieve MIME type
+ magic_setflags(magic_cookie, MAGIC_MIME_TYPE);
+ r["mime_type"] = magic_file(magic_cookie, path_string.c_str());
+
+ // Retrieve MIME encoding
+ magic_setflags(magic_cookie, MAGIC_MIME_ENCODING);
+ r["mime_encoding"] = magic_file(magic_cookie, path_string.c_str());
+
+ results.push_back(r);
+ }
+
+ magic_close(magic_cookie);
+ return results;
+}
+}
+}
diff --git a/specs/magic.table b/specs/magic.table
new file mode 100644
index 00000000..0286dfa4
--- /dev/null
+++ b/specs/magic.table
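Review bot: The flags set with `magic_setflags()` persist on the cookie, so from the second path in the loop onward `r["data"]` is computed while `MAGIC_MIME_ENCODING` is still in effect and returns the encoding instead of the file description; the loop must reset to `MAGIC_NONE` before the first `magic_file()` call of each iteration. Separately, libmagic documents that `magic_file()` returns NULL on error, and assigning a null `const char*` to a `std::string` row value is undefined behaviour, so each result should be checked (and `magic_error()` logged) before it is stored, as the `magic_load()` branch already does. Presumably libmagic also consults the `MAGIC` environment variable when `magic_load()` is given a null path; if osqueryd runs with an inherited environment, a caller-controlled database location is worth ruling out — confirm against the libmagic version provisioned here. The rewritten loop is below; the cookie setup and teardown are unchanged.
```cpp
  // … unchanged: magic_open / magic_load checks …

  // magic_file() may return NULL on error; never build a std::string from it.
  // Flags persist on the cookie, so every read sets the flags it needs.
  auto describe = [&](int flags, const std::string& path) -> std::string {
    magic_setflags(magic_cookie, flags);
    const char* result = magic_file(magic_cookie, path.c_str());
    if (result == nullptr) {
      VLOG(1) << "libmagic failed on " << path << ": " << magic_error(magic_cookie);
      return "";
    }
    return result;
  };

  auto paths = context.constraints["path"].getAll(EQUALS);
  for (const auto& path_string : paths) {
    Row r;
    r["path"] = path_string;
    r["data"] = describe(MAGIC_NONE, path_string);
    r["mime_type"] = describe(MAGIC_MIME_TYPE, path_string);
    r["mime_encoding"] = describe(MAGIC_MIME_ENCODING, path_string);
    results.push_back(r);
  }

  // … unchanged: magic_close and return …
```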
@@ -0,0 +1,9 @@ +table_name("magic") +description("Magic number recognition library table.") +schema([ + Column("path", TEXT, "Absolute path to target file", required=True), + Column("data", TEXT, "Magic number data from libmagic"), + Column("mime_type", TEXT, "MIME type data from libmagic"), + Column("mime_encoding", TEXT, "MIME encoding data from libmagic"), +]) +implementation("system/magic@genMagicData") diff --git a/tools/provision/amazon.sh b/tools/provision/amazon.sh index f44f8c92..73bd8bef 100755 --- a/tools/provision/amazon.sh +++ b/tools/provision/amazon.sh @@ -48,7 +48,7 @@ function main_amazon() { package libudev-devel package cryptsetup-luks-devel - + install_gflags install_iptables_dev @@ -56,6 +56,7 @@ function main_amazon() { package byacc package flex package bison + package file-libs remove_package libunwind-devel diff --git a/tools/provision/centos.sh b/tools/provision/centos.sh index 8d5e42ae..3a2b17ae 100755 --- a/tools/provision/centos.sh +++ b/tools/provision/centos.sh @@ -85,10 +85,13 @@ function main_centos() { install_autoconf install_automake install_libtool + + package file-libs elif [[ $DISTRO = "centos7" ]]; then package autoconf package automake package libtool + package file-devel fi install_snappy diff --git a/tools/provision/darwin.sh b/tools/provision/darwin.sh index b7f6d193..e2a51ff0 100755 --- a/tools/provision/darwin.sh +++ b/tools/provision/darwin.sh @@ -30,4 +30,5 @@ function main_darwin() { package thrift package yara package doxygen + package libmagic } diff --git a/tools/provision/freebsd.sh b/tools/provision/freebsd.sh index c890cb79..fe4708c8 100755 --- a/tools/provision/freebsd.sh +++ b/tools/provision/freebsd.sh @@ -17,4 +17,5 @@ function main_freebsd() { package thrift package thrift-cpp package yara + package libmagic } diff --git a/tools/provision/oracle.sh b/tools/provision/oracle.sh index 3a5b154d..632b2e4b 100755 --- a/tools/provision/oracle.sh +++ b/tools/provision/oracle.sh 
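Review bot: The table description does not tell a user that the table returns rows only for paths supplied through an equality constraint, even though `path` is declared `required=True` and the implementation reads `constraints["path"].getAll(EQUALS)`, nor that the file is opened in-process by osquery. I would replace the one-line description with `description("File type, MIME type and encoding of a file as reported by libmagic. Requires a path equality constraint (WHERE path = '...'); the file is read by the osquery process itself.")`. The column descriptions for `data`, `mime_type` and `mime_encoding` could likewise say which libmagic flag (`MAGIC_NONE`, `MAGIC_MIME_TYPE`, `MAGIC_MIME_ENCODING`) produces each value, since that is what the implementation does.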
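Review bot: The centos6 branch of main_centos installs only `file-libs`, while the centos7 branch installs `file-devel`; `file-libs` presumably ships the shared library but not `magic.h`, and magic.cpp includes the libmagic header, so a clean centos6 provision may fail at compile time unless the header arrives from elsewhere. Confirm with a fresh centos6 build and, if it fails, change the added line to `package file-devel` (or add it alongside `file-libs`). The amazon and oracle hunks add `file-libs` only as well and deserve the same check.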
@@ -124,5 +124,7 @@ function main_oracle() { package rubygems fi + package file-libs + gem_install fpm } diff --git a/tools/provision/rhel.sh b/tools/provision/rhel.sh index 0e2e822c..2b2303a9 100755 --- a/tools/provision/rhel.sh +++ b/tools/provision/rhel.sh @@ -123,10 +123,13 @@ function main_rhel() { install_autoconf install_automake install_libtool + + package file-libs elif [[ $DISTRO = "rhel7" ]]; then package autoconf package automake package libtool + package file-devel fi install_snappy diff --git a/tools/provision/ubuntu.sh b/tools/provision/ubuntu.sh index 6c66182f..b5e82d22 100755 --- a/tools/provision/ubuntu.sh +++ b/tools/provision/ubuntu.sh @@ -142,4 +142,5 @@ function main_ubuntu() { install_libcryptsetup + package libmagic-dev }
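Review bot: The rhel6 branch of main_rhel adds only `file-libs` whereas rhel7 adds `file-devel`; since magic.cpp needs the libmagic header at build time and `file-libs` presumably provides just the runtime library, the rhel6 build may not find `magic.h`. Verify on a clean rhel6 provision and, if so, change the line to `package file-devel` so both branches install the development package.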