Add suid_bin vtable

The vtabel report : - path: full path of the file - unix_user: name of the owner (if not available display the uid) - unix_group: name of the groupe (if not available display the gid) - permissions: report suid or guid * S for suid bin * G for guid bin Example : osquery> select * from suid_bin; +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | path | unix_user | unix_group | permissions | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ | "/bin/ps" | root | wheel | S | | "/bin/rcp" | root | wheel | S | | "/Users/vmauge/suid_test" | vmauge | 999 | SG | | "/usr/bin/at" | root | wheel | S | | "/usr/bin/atq" | root | wheel | S | | "/usr/bin/atrm" | root | wheel | S | | "/usr/bin/batch" | root | wheel | S | | "/usr/bin/crontab" | root | wheel | S | | "/usr/bin/ipcs" | root | wheel | S | | "/usr/bin/lockfile" | root | mail | G | | "/usr/bin/login" | root | wheel | S | | "/usr/bin/newgrp" | root | wheel | S | | "/usr/bin/procmail" | root | mail | G | | "/usr/bin/quota" | root | wheel | S | | "/usr/bin/rlogin" | root | wheel | S | | "/usr/bin/rsh" | root | wheel | S | | "/usr/bin/su" | root | wheel | S | | "/usr/bin/sudo" | root | wheel | S | | "/usr/bin/top" | root | wheel | S | | "/usr/bin/wall" | root | tty | G | | "/usr/bin/write" | root | tty | G | | "/usr/sbin/postdrop" | root | _postdrop | G | | "/usr/sbin/postqueue" | root | _postdrop | G | | "/usr/sbin/rpc.net" | root | wheel | S | | "/usr/sbin/rpcset" | root | wheel | S | | "/usr/sbin/traceroute" | root | wheel | S | | "/usr/sbin/traceroute6" | root | wheel | S | +----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+ This commit fixes issue #253.
2024-11-07 18:08:53 +00:00 · 2014-10-28 22:08:10 -07:00 · 2014-10-28 22:08:10 -07:00 · 471d5faaa0
commit 471d5faaa0
parent 8578cb53f1
3 changed files with 79 additions and 0 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -50,6 +50,7 @@ ADD_OSQUERY_LIBRARY(osquery_tables
  utility/time.cpp
  system/last.cpp
  system/bash_history.cpp
+  system/suid_bin.cpp
  base.h
 )

--- a/osquery/tables/specs/x/suid_bin.table
+++ b/osquery/tables/specs/x/suid_bin.table
@ -0,0 +1,8 @@
+table_name("suid_bin")
+schema([
+    Column(name="path", type="std::string"),
+    Column(name="unix_user", type="std::string"),
+    Column(name="unix_group", type="std::string"),
+    Column(name="permissions", type="std::string"),
+])
+implementation("suid_bin@genSuidBin")
--- a/osquery/tables/system/suid_bin.cpp
+++ b/osquery/tables/system/suid_bin.cpp
@ -0,0 +1,70 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#include <ctime>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/stat.h>
+#include <boost/lexical_cast.hpp>
+#include <boost/filesystem.hpp>
+#include "osquery/database.h"
+
+using std::string;
+using boost::lexical_cast;
+
+namespace osquery {
+namespace tables {
+
+QueryData genSuidBin() {
+  Row r;
+  QueryData results;
+  struct stat info;
+
+  boost::filesystem::recursive_directory_iterator it =
+      boost::filesystem::recursive_directory_iterator(
+          boost::filesystem::path("/"));
+  boost::filesystem::recursive_directory_iterator end;
+
+  while (it != end) {
+    boost::filesystem::path path = *it;
+    try {
+      if (boost::filesystem::is_regular_file(path) &&
+          ((it.status().permissions() & 04000) == 04000 ||
+           (it.status().permissions() & 02000) == 02000)) {
+        // store path
+        r["path"] = boost::lexical_cast<std::string>(path);
+
+        // store user and group
+        if (stat(path.c_str(), &info) == 0) {
+          struct passwd *pw = getpwuid(info.st_uid);
+          struct group *gr = getgrgid(info.st_gid);
+          // get user name
+          r["unix_user"] = pw ? boost::lexical_cast<std::string>(pw->pw_name)
+                              : boost::lexical_cast<std::string>(info.st_uid);
+          // get group
+          r["unix_group"] = gr ? boost::lexical_cast<std::string>(gr->gr_name)
+                               : boost::lexical_cast<std::string>(info.st_gid);
+
+          // get permission
+          r["permissions"] = "";
+          r["permissions"] +=
+              (it.status().permissions() & 04000) == 04000 ? "S" : "";
+          r["permissions"] +=
+              (it.status().permissions() & 02000) == 02000 ? "G" : "";
+
+          results.push_back(r);
+        }
+      }
+    } catch (...) {
+      // handle invalid files like /dev/fd/3
+    }
+    try {
+      ++it; 
+    } catch (std::exception &ex) {
+      it.no_push(); // handle permission error.
+    }
+  }
+
+  return results;
+}
+}
+}