Merge pull request #1730 from theopolis/fixes

Fixes for various build/sanitize/deps nice-to-haves
Teddy Reed 2015-12-14 15:38:23 -08:00
commit 48ec36d4dd
13 changed files with 90 additions and 28 deletions


@ -25,7 +25,6 @@ SET(_rocksdb_LIBRARIES_SEARCH_DIRS
/opt/rocksdb /opt/rocksdb
) )
##
if( "${ROCKSDB_HOME}" STREQUAL "") if( "${ROCKSDB_HOME}" STREQUAL "")
if("" MATCHES "$ENV{ROCKSDB_HOME}") if("" MATCHES "$ENV{ROCKSDB_HOME}")
set (ROCKSDB_HOME ${_rocksdb_HOME}) set (ROCKSDB_HOME ${_rocksdb_HOME})
@ -35,7 +34,6 @@ if( "${ROCKSDB_HOME}" STREQUAL "")
else( "${ROCKSDB_HOME}" STREQUAL "") else( "${ROCKSDB_HOME}" STREQUAL "")
message(STATUS "ROCKSDB_HOME is not empty: \"${ROCKSDB_HOME}\"") message(STATUS "ROCKSDB_HOME is not empty: \"${ROCKSDB_HOME}\"")
endif( "${ROCKSDB_HOME}" STREQUAL "") endif( "${ROCKSDB_HOME}" STREQUAL "")
##
IF( NOT ${ROCKSDB_HOME} STREQUAL "" ) IF( NOT ${ROCKSDB_HOME} STREQUAL "" )
SET(_rocksdb_INCLUDE_SEARCH_DIRS ${ROCKSDB_HOME}/include ${_rocksdb_INCLUDE_SEARCH_DIRS}) SET(_rocksdb_INCLUDE_SEARCH_DIRS ${ROCKSDB_HOME}/include ${_rocksdb_INCLUDE_SEARCH_DIRS})
@ -100,7 +98,7 @@ if (NOT DEFINED ROCKSDB_FOUND)
HINTS ${_rocksdb_LIBRARIES_SEARCH_DIRS} HINTS ${_rocksdb_LIBRARIES_SEARCH_DIRS}
) )
find_library(ROCKSDB_SNAPPY_LIBRARY NAMES libsnappy.a find_library(ROCKSDB_SNAPPY_LIBRARY NAMES snappy
HINTS ${_rocksdb_LIBRARIES_SEARCH_DIRS} HINTS ${_rocksdb_LIBRARIES_SEARCH_DIRS}
) )
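Review bot: With `NAMES snappy`, the `find_library(ROCKSDB_SNAPPY_LIBRARY ...)` call can now resolve a shared libsnappy where the old `libsnappy.a` name forced the static archive, so the linkage of the built binary depends on what the build host happens to have installed. If static linking is still the intent, listing both names in priority order, `find_library(ROCKSDB_SNAPPY_LIBRARY NAMES libsnappy.a snappy`, keeps the archive preferred and still falls back to the distribution's library. A one-line comment above the call stating which linkage is expected would make later changes easier to judge. The enclosing `if (NOT DEFINED ROCKSDB_FOUND)` block continues outside the hunk.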


@ -57,7 +57,7 @@ void FSEventsSubscriptionContext::requireAction(const std::string& action) {
void FSEventsEventPublisher::restart() { void FSEventsEventPublisher::restart() {
if (paths_.empty()) { if (paths_.empty()) {
// There are no paths to watch. // There are no paths to watch.
paths_.insert("/dev/null/"); paths_.insert("/dev/null");
} }
if (run_loop_ == nullptr) { if (run_loop_ == nullptr) {


@ -764,7 +764,8 @@ void attachEvents() {
for (const auto& subscriber : subscribers) { for (const auto& subscriber : subscribers) {
auto status = EventFactory::registerEventSubscriber(subscriber.second); auto status = EventFactory::registerEventSubscriber(subscriber.second);
if (!status.ok()) { if (!status.ok()) {
LOG(WARNING) << "Error registering subscriber: " << status.getMessage(); LOG(WARNING) << "Error registering subscriber: " << subscriber.first
<< ": " << status.getMessage();
} }
} }


@ -181,7 +181,7 @@ Status readFile(const fs::path& path,
if (buffer.size() == size) { if (buffer.size() == size) {
content += std::move(buffer); content += std::move(buffer);
} else { } else {
content += std::move(std::string(buffer, size)); content += buffer.substr(0, size);
} }
})); }));
} }
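Review bot: The short-read branch still builds a temporary string with `buffer.substr(0, size)` before appending it; `content.append(buffer, 0, size);` copies the same bytes directly into `content` and clamps the count to the buffer length in the same way. A short comment on that branch, for example `// Short read: keep only the first size bytes of the buffer.`, would record why the two branches differ, assuming `size` is the number of bytes the read returned. The enclosing lambda and readFile itself start outside the hunk.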


@ -23,7 +23,7 @@ class ProcessFileEventSubscriber
Status init() override { Status init() override {
auto pubref = EventFactory::getEventPublisher("kernel"); auto pubref = EventFactory::getEventPublisher("kernel");
if (pubref == nullptr || !pubref->hasStarted() || pubref->isEnding()) { if (pubref == nullptr || !pubref->hasStarted() || pubref->isEnding()) {
return Status(1); return Status(1, "No kernel event publisher");
} }
configure(); configure();


@ -85,6 +85,7 @@ class DeviceHelper : private boost::noncopyable {
/// Reset stack counting for directory iteration. /// Reset stack counting for directory iteration.
void resetStack() { void resetStack() {
stack_ = 0; stack_ = 0;
count_ = 0;
std::set<std::string>().swap(loops_); std::set<std::string>().swap(loops_);
} }
@ -109,6 +110,7 @@ class DeviceHelper : private boost::noncopyable {
std::string device_path_; std::string device_path_;
size_t stack_{0}; size_t stack_{0};
size_t count_{0};
std::set<std::string> loops_; std::set<std::string> loops_;
}; };
@ -213,6 +215,10 @@ void DeviceHelper::generateFiles(const std::string& partition,
// Iterate through the directory. // Iterate through the directory.
std::map<TSK_INUM_T, std::string> additional; std::map<TSK_INUM_T, std::string> additional;
for (size_t i = 0; i < dir->getSize(); i++) { for (size_t i = 0; i < dir->getSize(); i++) {
if (count_++ > 1024 * 10) {
break;
}
auto* file = dir->getFile(i); auto* file = dir->getFile(i);
if (file == nullptr) { if (file == nullptr) {
continue; continue;
@ -269,10 +275,13 @@ MultiHashes hashInode(TskFsFile* file) {
// Set a maximum 'chunk' or block size to 1 page or the file size. // Set a maximum 'chunk' or block size to 1 page or the file size.
TSK_OFF_T size = meta->getSize(); TSK_OFF_T size = meta->getSize();
auto buffer_size = (size < 4096) ? size : 4096; if (size == 0) {
return MultiHashes();
}
// Allocate some heap memory and iterate over reading a chunk and updating. // Allocate some heap memory and iterate over reading a chunk and updating.
auto* buffer = (char*)malloc(buffer_size * sizeof(char*)); auto buffer_size = (size < 4096) ? size : 4096;
auto* buffer = (char*)malloc(buffer_size * sizeof(char));
if (buffer != nullptr) { if (buffer != nullptr) {
ssize_t chunk_size = 0; ssize_t chunk_size = 0;
for (ssize_t offset = 0; offset < size; offset += chunk_size) { for (ssize_t offset = 0; offset < size; offset += chunk_size) {
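Review bot: The new guard in generateFiles, `if (count_++ > 1024 * 10) break;`, ends the directory walk silently, so a caller receives a truncated file listing that cannot be told apart from a complete one. For a forensic table that matters, because entries past the cap are simply absent from the results. I would name the limit and log when it is reached, e.g. `static const size_t kMaxDeviceFiles = 1024 * 10;` and `LOG(WARNING) << "Device file limit reached, results truncated: " << device_path_;` before the `break`, assuming the logger header is available in this file. Separately, `TSK_OFF_T` looks to be a signed type, so in hashInode `if (size <= 0)` would also keep a negative size read from a damaged image out of the `malloc` call. Both functions extend beyond the visible hunks.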


@ -27,6 +27,12 @@ const std::string kLinuxOSRelease = "/etc/redhat-release";
const std::string kLinuxOSRegex = const std::string kLinuxOSRegex =
"(?P<name>[\\w+\\s]+) .* " "(?P<name>[\\w+\\s]+) .* "
"(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.?(?P<patch>\\w+)?"; "(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.?(?P<patch>\\w+)?";
#elif defined(DEBIAN)
const std::string kLinuxOSRelease = "/etc/os-release";
const std::string kLinuxOSRegex =
"PRETTY_NAME=\"(?P<name>[\\w \\/]*) "
"(?P<major>[0-9]+)[\\.]{0,1}(?P<minor>[0-9]*)[\\.]{0,1}(?P<patch>[0-9]*).*"
"\"";
#else #else
const std::string kLinuxOSRelease = "/etc/os-release"; const std::string kLinuxOSRelease = "/etc/os-release";
const std::string kLinuxOSRegex = const std::string kLinuxOSRegex =


@ -24,7 +24,8 @@
namespace osquery { namespace osquery {
namespace tables { namespace tables {
inline std::string getProcAttr(const std::string& attr, const std::string& pid) { inline std::string getProcAttr(const std::string& attr,
const std::string& pid) {
return "/proc/" + pid + "/" + attr; return "/proc/" + pid + "/" + attr;
} }
@ -43,7 +44,8 @@ inline std::string readProcCMDLine(const std::string& pid) {
return content; return content;
} }
inline std::string readProcLink(const std::string& attr, const std::string& pid) { inline std::string readProcLink(const std::string& attr,
const std::string& pid) {
// The exe is a symlink to the binary on-disk. // The exe is a symlink to the binary on-disk.
auto attr_path = getProcAttr(attr, pid); auto attr_path = getProcAttr(attr, pid);
@ -154,7 +156,7 @@ struct SimpleProcStat {
std::string saved_gid; // Gid: - - * - std::string saved_gid; // Gid: - - * -
std::string resident_size; // VmRSS: std::string resident_size; // VmRSS:
std::string phys_footprint; // VmSize: std::string phys_footprint; // VmSize:
// Output from sring parsing /proc/<pid>/stat. // Output from sring parsing /proc/<pid>/stat.
std::string state; std::string state;
@ -254,8 +256,10 @@ void genProcess(const std::string& pid, QueryData& results) {
r["root"] = readProcLink("root", pid); r["root"] = readProcLink("root", pid);
r["uid"] = proc_stat.real_uid; r["uid"] = proc_stat.real_uid;
r["euid"] = proc_stat.effective_uid; r["euid"] = proc_stat.effective_uid;
r["suid"] = proc_stat.saved_uid;
r["gid"] = proc_stat.real_gid; r["gid"] = proc_stat.real_gid;
r["egid"] = proc_stat.effective_gid; r["egid"] = proc_stat.effective_gid;
r["sgid"] = proc_stat.saved_gid;
// If the path of the executable that started the process is available and // If the path of the executable that started the process is available and
// the path exists on disk, set on_disk to 1. If the path is not // the path exists on disk, set on_disk to 1. If the path is not


@ -12,6 +12,7 @@
#include <osquery/logger.h> #include <osquery/logger.h>
#include <osquery/tables.h> #include <osquery/tables.h>
#include <osquery/sql.h>
#include "osquery/core/test_util.h" #include "osquery/core/test_util.h"
@ -29,10 +30,24 @@ TEST_F(SystemsTablesTests, test_os_version) {
// Make sure major and minor contain data (a missing value of -1 is an error). // Make sure major and minor contain data (a missing value of -1 is an error).
EXPECT_FALSE(result[0]["major"].empty()); EXPECT_FALSE(result[0]["major"].empty());
// Debian does not define a minor.
#if !defined(DEBIAN)
EXPECT_FALSE(result[0]["minor"].empty()); EXPECT_FALSE(result[0]["minor"].empty());
#endif
// The OS name should be filled in too. // The OS name should be filled in too.
EXPECT_FALSE(result[0]["name"].empty()); EXPECT_FALSE(result[0]["name"].empty());
} }
TEST_F(SystemsTablesTests, test_process_info) {
auto results = SQL("select * from osquery_info join processes using (pid)");
ASSERT_EQ(results.rows().size(), 1U);
// Make sure there is a valid UID and parent.
EXPECT_EQ(results.rows()[0].count("uid"), 1U);
EXPECT_NE(results.rows()[0].at("uid"), "-1");
EXPECT_NE(results.rows()[0].at("parent"), "-1");
}
} }
} }
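Review bot: In test_process_info the `uid` presence check is a non-fatal `EXPECT_EQ` and `parent` has no presence check at all, so a missing column would presumably surface as an exception from `.at()` rather than as a failure that names the column. Using `ASSERT_EQ(results.rows()[0].count("uid"), 1U);` and adding `ASSERT_EQ(results.rows()[0].count("parent"), 1U);` before the `.at()` calls would stop the test at the real cause. If this test only runs on platforms whose processes table exposes them, the `suid` and `sgid` columns added elsewhere in this commit could be covered the same way.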


@ -8,7 +8,7 @@
# of patent rights can be found in the PATENTS file in the same directory. # of patent rights can be found in the PATENTS file in the same directory.
function main_fedora() { function main_fedora() {
sudo yum update -y sudo dnf update -y
package texinfo package texinfo
package wget package wget
@ -34,15 +34,22 @@ function main_fedora() {
package clang package clang
package clang-devel package clang-devel
install_cmake
set_cc clang set_cc clang
set_cxx clang++ set_cxx clang++
install_boost if [[ $DISTRO -lt "22" ]]; then
install_cmake
install_gflags install_boost
install_iptables_dev install_gflags
install_iptables_dev
else
package cmake
package boost-devel
package boost-static
package gflags
package gflags-devel
package iptables-devel
fi
package doxygen package doxygen
package byacc package byacc
@ -52,9 +59,17 @@ function main_fedora() {
package automake package automake
package libtool package libtool
install_snappy if [[ $DISTRO -lt "22" ]]; then
install_snappy
install_thrift
else
package snappy
package snappy-devel
package thrift
package thrift-devel
fi
install_rocksdb install_rocksdb
install_thrift
install_yara install_yara
install_cppnetlib install_cppnetlib
install_google_benchmark install_google_benchmark
@ -62,6 +77,7 @@ function main_fedora() {
package device-mapper-devel package device-mapper-devel
package libgcrypt-devel package libgcrypt-devel
package gettext-devel package gettext-devel
install_libcryptsetup install_libcryptsetup
install_sleuthkit install_sleuthkit
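Review bot: Both new `if [[ $DISTRO -lt "22" ]]` tests in main_fedora use `$DISTRO` as an arithmetic operand without checking it first, so an empty value compares as 0 and silently selects the build-from-source branch, and a non-numeric value is evaluated as an expression rather than rejected. Validating it once before the first comparison, `[[ $DISTRO =~ ^[0-9]+$ ]] || { echo "unexpected Fedora release: $DISTRO"; exit 1; }`, makes the choice between distribution packages and source builds explicit. A comment above the first `else` branch would also help, noting that on Fedora 22 and later cmake, boost, gflags, snappy and thrift come unpinned from the distribution repositories, since that changes which versions end up linked into the build. main_fedora continues past the visible hunks.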


@ -90,7 +90,7 @@ function install_sleuthkit() {
TARBALL=$SOURCE.tar.gz TARBALL=$SOURCE.tar.gz
URL=$DEPS_URL/$TARBALL URL=$DEPS_URL/$TARBALL
if provision sleuthkid /usr/local/lib/libtsk.a; then if provision sleuthkit /usr/local/lib/libtsk.a; then
pushd $SOURCE pushd $SOURCE
./bootstrap ./bootstrap
./configure --prefix=/usr/local --without-afflib \ ./configure --prefix=/usr/local --without-afflib \
@ -129,12 +129,13 @@ function install_thrift() {
} }
function install_rocksdb() { function install_rocksdb() {
TARBALL=rocksdb-3.10.2.tar.gz VERSION=4.1
TARBALL=rocksdb-$VERSION.tar.gz
URL=$DEPS_URL/$TARBALL URL=$DEPS_URL/$TARBALL
SOURCE=rocksdb-rocksdb-3.10.2 SOURCE=rocksdb-rocksdb-$VERSION
if provision rocksdb /usr/local/lib/librocksdb_lite.a; then if provision rocksdb /usr/local/lib/librocksdb_lite.a; then
if [[ ! -f rocksdb-rocksdb-3.10.2/librocksdb_lite.a ]]; then if [[ ! -f rocksdb-rocksdb-$VERSION/librocksdb_lite.a ]]; then
if [[ $FAMILY = "debian" ]]; then if [[ $FAMILY = "debian" ]]; then
CLANG_INCLUDE="-I/usr/include/clang/3.4/include" CLANG_INCLUDE="-I/usr/include/clang/3.4/include"
elif [[ $FAMILY = "redhat" ]]; then elif [[ $FAMILY = "redhat" ]]; then
@ -153,8 +154,8 @@ function install_rocksdb() {
$MAKE -j $THREADS static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS" $MAKE -j $THREADS static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
popd popd
fi fi
sudo cp rocksdb-rocksdb-3.10.2/librocksdb_lite.a /usr/local/lib sudo cp rocksdb-rocksdb-$VERSION/librocksdb_lite.a /usr/local/lib
sudo cp -R rocksdb-rocksdb-3.10.2/include/rocksdb /usr/local/include sudo cp -R rocksdb-rocksdb-$VERSION/include/rocksdb /usr/local/include
fi fi
} }
@ -466,7 +467,11 @@ function package() {
log "$1 is already installed. skipping." log "$1 is already installed. skipping."
else else
log "installing $1" log "installing $1"
sudo yum install $1 -y if [[ $OS = "fedora" ]]; then
sudo dnf install $1 -y
else
sudo yum install $1 -y
fi
fi fi
elif [[ $OS = "darwin" ]]; then elif [[ $OS = "darwin" ]]; then
if [[ -n "$(brew list | grep $1)" ]]; then if [[ -n "$(brew list | grep $1)" ]]; then
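Review bot: install_rocksdb now points at a new archive, `rocksdb-$VERSION.tar.gz` under `$DEPS_URL`, and nothing in the visible hunks verifies it before it is built and copied into /usr/local with sudo. `provision` is defined outside this section and may already check a digest; if it does not, the version bump is the natural place to pin one, for example a `SHA256=<expected-sha256-of-tarball>` variable next to `VERSION` that `provision` compares with the output of `sha256sum "$TARBALL"`. Two smaller points in the same function: `VERSION` is assigned without `local`, so a very generic name leaks into the caller's scope, and the three `rocksdb-rocksdb-$VERSION/...` paths could use the `$SOURCE` variable that is set just above them.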

2
tools/tests/asan.supp Normal file

@ -0,0 +1,2 @@
interceptor_via_fun:google::SetArgv
interceptor_via_lib:gflags
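Review bot: `interceptor_via_lib:gflags` silences AddressSanitizer interceptor reports from any library whose name matches gflags, which is much broader than the single `google::SetArgv` function named on the first line. If the `interceptor_via_fun` entry alone clears the report, dropping the library-wide entry keeps the rest of gflags covered. Either way the file would benefit from a header comment saying why the entries exist and when they can be removed, such as `# gflags SetArgv interceptor report; see <issue or report reference>`.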


@ -4,3 +4,9 @@
# ASIO 0-lookups # ASIO 0-lookups
fun:*get_io_service* fun:*get_io_service*
src:*asio/impl/* src:*asio/impl/*
# GFlags
fun:*SetArgv*
# RocksDB
fun:*ColumnFamilyOptions*