Adding kernel_info to Linux

2024-11-07 09:58:54 +00:00 · 2015-01-21 23:37:43 -07:00 · 2015-01-21 23:37:43 -07:00 · 22273b403d
commit 22273b403d
parent 803e72563a
3 changed files with 89 additions and 0 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -56,6 +56,7 @@ else()
    system/linux/acpi_tables.cpp
    system/linux/block_devices.cpp
    system/linux/groups.cpp
+    system/linux/kernel_info.cpp
    system/linux/kernel_integrity.cpp
    system/linux/kernel_modules.cpp
    system/linux/mounts.cpp
--- a/osquery/tables/specs/linux/kernel_info.table
+++ b/osquery/tables/specs/linux/kernel_info.table
@ -0,0 +1,9 @@
+table_name("kernel_info")
+schema([
+  Column("version", TEXT),
+  Column("arguments", TEXT),
+  Column("path", TEXT),
+  Column("device", TEXT),
+  Column("md5", TEXT),
+])
+implementation("system/kernel_info@genKernelInfo")
--- a/osquery/tables/system/linux/kernel_info.cpp
+++ b/osquery/tables/system/linux/kernel_info.cpp
@ -0,0 +1,79 @@
+/*
+ *  Copyright (c) 2014, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree. An additional grant
+ *  of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include <boost/algorithm/string/split.hpp>
+
+#include <osquery/core.h>
+#include <osquery/filesystem.h>
+#include <osquery/hash.h>
+#include <osquery/logger.h>
+#include <osquery/tables.h>
+
+namespace osquery {
+namespace tables {
+
+const std::string kKernelArgumentsPath = "/proc/cmdline";
+const std::string kKernelSignaturePath = "/proc/version";
+
+QueryData genKernelInfo(QueryContext& context) {
+  QueryData results;
+  Row r;
+
+  if (pathExists(kKernelArgumentsPath).ok()) {
+    std::string arguments_line;
+    // Grab the whole arguments string from proc.
+    if (readFile(kKernelArgumentsPath, arguments_line).ok()) {
+      auto arguments = split(arguments_line, " ");
+      std::string additional_arguments;
+
+      // Iterate over each space-tokenized argument.
+      for (const auto& argument : arguments) {
+        if (argument.substr(0, 11) == "BOOT_IMAGE=") {
+          r["path"] = argument.substr(11);
+        } else if (argument.substr(0, 5) == "root=") {
+          r["device"] = argument.substr(5);
+        } else {
+          if (additional_arguments.size() > 0) {
+            additional_arguments += " ";
+          }
+          additional_arguments += argument;
+        }
+      }
+      r["arguments"] = additional_arguments;
+    }
+  } else {
+    VLOG(1) << "Cannot find kernel arguments file: " << kKernelArgumentsPath;
+  }
+
+  if (pathExists(kKernelSignaturePath).ok()) {
+    std::string signature;
+
+    // The signature includes the kernel version, build data, buildhost,
+    // GCC version used, and possibly build date.
+    if (readFile(kKernelSignaturePath, signature).ok()) {
+      auto details = split(signature, " ");
+      if (details.size() > 2 && details[1] == "version") {
+        r["version"] = details[2];
+      }
+    }
+  } else {
+    VLOG(1) << "Cannot find kernel signature file: " << kKernelSignaturePath;
+  }
+
+  // Using the path of the boot image, attempt to calculate a hash.
+  if (r.count("path") > 0) {
+    r["md5"] = hashFromFile(HASH_TYPE_MD5, r.at("path"));
+  }
+
+  results.push_back(r);
+  return results;
+}
+}
+}