mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 09:58:54 +00:00
Process open sockets on Linux was added '['
This commit is contained in:
parent
02a22b4cde
commit
49eb22ef44
@ -61,13 +61,17 @@ unsigned short portFromHex(const std::string &encoded_port) {
|
|||||||
return decoded;
|
return decoded;
|
||||||
}
|
}
|
||||||
|
|
||||||
void genSocketsFromProc(const std::map<std::string, std::string> &socket_inodes,
|
void genSocketsFromProc(const std::map<std::string, std::string> &inodes,
|
||||||
int protocol,
|
int protocol,
|
||||||
int family,
|
int family,
|
||||||
QueryData &results) {
|
QueryData &results) {
|
||||||
std::string path = "/proc/net/";
|
std::string path = "/proc/net/";
|
||||||
path += kLinuxProtocolNames.at(protocol);
|
if (family == AF_UNIX) {
|
||||||
path += (family == AF_INET6) ? "6" : "";
|
path += "unix";
|
||||||
|
} else {
|
||||||
|
path += kLinuxProtocolNames.at(protocol);
|
||||||
|
path += (family == AF_INET6) ? "6" : "";
|
||||||
|
}
|
||||||
|
|
||||||
std::string content;
|
std::string content;
|
||||||
if (!osquery::readFile(path, content).ok()) {
|
if (!osquery::readFile(path, content).ok()) {
|
||||||
@ -78,10 +82,10 @@ void genSocketsFromProc(const std::map<std::string, std::string> &socket_inodes,
|
|||||||
// The system's socket information is tokenized by line.
|
// The system's socket information is tokenized by line.
|
||||||
size_t index = 0;
|
size_t index = 0;
|
||||||
for (const auto &line : osquery::split(content, "\n")) {
|
for (const auto &line : osquery::split(content, "\n")) {
|
||||||
index += 1;
|
if (++index == 1) {
|
||||||
if (index == 1) {
|
|
||||||
// The first line is a textual header and will be ignored.
|
// The first line is a textual header and will be ignored.
|
||||||
if (line.find("sl") != 0) {
|
if (line.find("sl") != 0 && line.find("sk") != 0 &&
|
||||||
|
line.find("Num") != 0) {
|
||||||
// Header fields are unknown, stop parsing.
|
// Header fields are unknown, stop parsing.
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -90,30 +94,46 @@ void genSocketsFromProc(const std::map<std::string, std::string> &socket_inodes,
|
|||||||
|
|
||||||
// The socket information is tokenized by spaces, each a field.
|
// The socket information is tokenized by spaces, each a field.
|
||||||
auto fields = osquery::split(line, " ");
|
auto fields = osquery::split(line, " ");
|
||||||
if (fields.size() < 10) {
|
// UNIX socket reporting has a smaller number of fields.
|
||||||
|
size_t min_fields = (family == AF_UNIX) ? 7 : 10;
|
||||||
|
if (fields.size() < min_fields) {
|
||||||
// Unknown/malformed socket information.
|
// Unknown/malformed socket information.
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Two of the fields are the local/remote address/port pairs.
|
|
||||||
auto locals = osquery::split(fields[1], ":");
|
|
||||||
auto remotes = osquery::split(fields[2], ":");
|
|
||||||
if (locals.size() != 2 || remotes.size() != 2) {
|
|
||||||
// Unknown/malformed socket information.
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
Row r;
|
Row r;
|
||||||
r["socket"] = fields[9];
|
if (family == AF_UNIX) {
|
||||||
r["family"] = INTEGER(family);
|
r["socket"] = fields[6];
|
||||||
r["protocol"] = INTEGER(protocol);
|
r["family"] = "0";
|
||||||
r["local_address"] = addressFromHex(locals[0], family);
|
r["protocol"] = fields[2];
|
||||||
r["local_port"] = INTEGER(portFromHex(locals[1]));
|
r["local_address"] = "";
|
||||||
r["remote_address"] = addressFromHex(remotes[0], family);
|
r["local_port"] = "0";
|
||||||
r["remote_port"] = INTEGER(portFromHex(remotes[1]));
|
r["remote_address"] = "";
|
||||||
|
r["remote_port"] = "0";
|
||||||
|
r["path"] = (fields.size() >= 8) ? fields[7] : "";
|
||||||
|
} else {
|
||||||
|
// Two of the fields are the local/remote address/port pairs.
|
||||||
|
auto locals = osquery::split(fields[1], ":");
|
||||||
|
auto remotes = osquery::split(fields[2], ":");
|
||||||
|
if (locals.size() != 2 || remotes.size() != 2) {
|
||||||
|
// Unknown/malformed socket information.
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if (socket_inodes.count(r["socket"]) > 0) {
|
r["socket"] = fields[9];
|
||||||
r["pid"] = socket_inodes.at(r["socket"]);
|
r["family"] = INTEGER(family);
|
||||||
|
r["protocol"] = INTEGER(protocol);
|
||||||
|
r["local_address"] = addressFromHex(locals[0], family);
|
||||||
|
r["local_port"] = INTEGER(portFromHex(locals[1]));
|
||||||
|
r["remote_address"] = addressFromHex(remotes[0], family);
|
||||||
|
r["remote_port"] = INTEGER(portFromHex(remotes[1]));
|
||||||
|
// Path is only used for UNIX domain sockets.
|
||||||
|
r["path"] = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
if (inodes.count(r["socket"]) > 0) {
|
||||||
|
r["pid"] = inodes.at(r["socket"]);
|
||||||
} else {
|
} else {
|
||||||
r["pid"] = "-1";
|
r["pid"] = "-1";
|
||||||
}
|
}
|
||||||
@ -139,9 +159,9 @@ QueryData genOpenSockets(QueryContext &context) {
|
|||||||
std::map<std::string, std::string> descriptors;
|
std::map<std::string, std::string> descriptors;
|
||||||
if (osquery::procDescriptors(process, descriptors).ok()) {
|
if (osquery::procDescriptors(process, descriptors).ok()) {
|
||||||
for (const auto& fd : descriptors) {
|
for (const auto& fd : descriptors) {
|
||||||
if (fd.second.find("socket:") != std::string::npos) {
|
if (fd.second.find("socket:[") == 0) {
|
||||||
// See #792: std::regex is incomplete until GCC 4.9
|
// See #792: std::regex is incomplete until GCC 4.9 (skip 8 chars)
|
||||||
auto inode = fd.second.substr(fd.second.find("socket:") + 8);
|
auto inode = fd.second.substr(8);
|
||||||
socket_inodes[inode.substr(0, inode.size() - 1)] = process;
|
socket_inodes[inode.substr(0, inode.size() - 1)] = process;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -155,6 +175,7 @@ QueryData genOpenSockets(QueryContext &context) {
|
|||||||
genSocketsFromProc(socket_inodes, protocol.first, AF_INET6, results);
|
genSocketsFromProc(socket_inodes, protocol.first, AF_INET6, results);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
genSocketsFromProc(socket_inodes, IPPROTO_IP, AF_UNIX, results);
|
||||||
return results;
|
return results;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -103,11 +103,13 @@ void genSocketDescriptor(int pid, int descriptor, QueryData &results) {
|
|||||||
PROC_PIDFDSOCKETINFO_SIZE) <= 0) {
|
PROC_PIDFDSOCKETINFO_SIZE) <= 0) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (si.psi.soi_kind == SOCKINFO_IN || si.psi.soi_kind == SOCKINFO_TCP) {
|
|
||||||
|
if (si.psi.soi_family == AF_INET || si.psi.soi_family == AF_INET6) {
|
||||||
Row r;
|
Row r;
|
||||||
|
|
||||||
r["pid"] = INTEGER(pid);
|
r["pid"] = INTEGER(pid);
|
||||||
r["socket"] = INTEGER(descriptor);
|
r["socket"] = INTEGER(descriptor);
|
||||||
|
r["path"] = "";
|
||||||
|
|
||||||
// Darwin/OSX SOCKINFO_TCP is not IPPROTO_TCP
|
// Darwin/OSX SOCKINFO_TCP is not IPPROTO_TCP
|
||||||
if (si.psi.soi_kind == SOCKINFO_TCP) {
|
if (si.psi.soi_kind == SOCKINFO_TCP) {
|
||||||
@ -125,6 +127,29 @@ void genSocketDescriptor(int pid, int descriptor, QueryData &results) {
|
|||||||
|
|
||||||
parseNetworkSocket(si, r);
|
parseNetworkSocket(si, r);
|
||||||
results.push_back(r);
|
results.push_back(r);
|
||||||
|
} else if (si.psi.soi_family == AF_UNIX) {
|
||||||
|
Row r;
|
||||||
|
|
||||||
|
r["pid"] = INTEGER(pid);
|
||||||
|
r["socket"] = INTEGER(descriptor);
|
||||||
|
r["family"] = "0";
|
||||||
|
r["protocol"] = "0";
|
||||||
|
r["local_address"] = "";
|
||||||
|
r["local_port"] = "0";
|
||||||
|
r["remote_address"] = "";
|
||||||
|
r["remote_port"] = "0";
|
||||||
|
if ((char *)si.psi.soi_proto.pri_un.unsi_addr.ua_sun.sun_path != nullptr) {
|
||||||
|
r["path"] = si.psi.soi_proto.pri_un.unsi_addr.ua_sun.sun_path;
|
||||||
|
} else {
|
||||||
|
r["path"] = "";
|
||||||
|
}
|
||||||
|
results.push_back(r);
|
||||||
|
} else if (si.psi.soi_family == AF_APPLETALK) {
|
||||||
|
// AF_APPLETALK = 17
|
||||||
|
} else if (si.psi.soi_family == AF_NATM) {
|
||||||
|
// AF_NATM = 32
|
||||||
|
} else {
|
||||||
|
// Unsupported socket type.
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -9,6 +9,7 @@ schema([
|
|||||||
Column("remote_address", TEXT, "Socket remote address"),
|
Column("remote_address", TEXT, "Socket remote address"),
|
||||||
Column("local_port", INTEGER, "Socket local port"),
|
Column("local_port", INTEGER, "Socket local port"),
|
||||||
Column("remote_port", INTEGER, "Socket remote port"),
|
Column("remote_port", INTEGER, "Socket remote port"),
|
||||||
|
Column("path", TEXT, "For UNIX sockets (family=AF_UNIX), the domain path"),
|
||||||
])
|
])
|
||||||
implementation("system/process_open_sockets@genOpenSockets")
|
implementation("system/process_open_sockets@genOpenSockets")
|
||||||
examples([
|
examples([
|
||||||
|
Loading…
Reference in New Issue
Block a user