Merge pull request #269 from vmauge/suidbin

Add suid_bin vtable
2024-11-07 18:08:53 +00:00 · 2014-10-29 02:30:29 -07:00 · 2014-10-29 02:30:29 -07:00 · 6db0c67555
commit 6db0c67555
parent 94c64d80ce 471d5faaa0
3 changed files with 79 additions and 0 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -51,6 +51,7 @@ ADD_OSQUERY_LIBRARY(osquery_tables
  utility/time.cpp
  system/last.cpp
  system/bash_history.cpp
+  system/suid_bin.cpp
  base.h
 )

--- a/osquery/tables/specs/x/suid_bin.table
+++ b/osquery/tables/specs/x/suid_bin.table
@ -0,0 +1,8 @@
+table_name("suid_bin")
+schema([
+    Column(name="path", type="std::string"),
+    Column(name="unix_user", type="std::string"),
+    Column(name="unix_group", type="std::string"),
+    Column(name="permissions", type="std::string"),
+])
+implementation("suid_bin@genSuidBin")
--- a/osquery/tables/system/suid_bin.cpp
+++ b/osquery/tables/system/suid_bin.cpp
@ -0,0 +1,70 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#include <ctime>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/stat.h>
+#include <boost/lexical_cast.hpp>
+#include <boost/filesystem.hpp>
+#include "osquery/database.h"
+
+using std::string;
+using boost::lexical_cast;
+
+namespace osquery {
+namespace tables {
+
+QueryData genSuidBin() {
+  Row r;
+  QueryData results;
+  struct stat info;
+
+  boost::filesystem::recursive_directory_iterator it =
+      boost::filesystem::recursive_directory_iterator(
+          boost::filesystem::path("/"));
+  boost::filesystem::recursive_directory_iterator end;
+
+  while (it != end) {
+    boost::filesystem::path path = *it;
+    try {
+      if (boost::filesystem::is_regular_file(path) &&
+          ((it.status().permissions() & 04000) == 04000 ||
+           (it.status().permissions() & 02000) == 02000)) {
+        // store path
+        r["path"] = boost::lexical_cast<std::string>(path);
+
+        // store user and group
+        if (stat(path.c_str(), &info) == 0) {
+          struct passwd *pw = getpwuid(info.st_uid);
+          struct group *gr = getgrgid(info.st_gid);
+          // get user name
+          r["unix_user"] = pw ? boost::lexical_cast<std::string>(pw->pw_name)
+                              : boost::lexical_cast<std::string>(info.st_uid);
+          // get group
+          r["unix_group"] = gr ? boost::lexical_cast<std::string>(gr->gr_name)
+                               : boost::lexical_cast<std::string>(info.st_gid);
+
+          // get permission
+          r["permissions"] = "";
+          r["permissions"] +=
+              (it.status().permissions() & 04000) == 04000 ? "S" : "";
+          r["permissions"] +=
+              (it.status().permissions() & 02000) == 02000 ? "G" : "";
+
+          results.push_back(r);
+        }
+      }
+    } catch (...) {
+      // handle invalid files like /dev/fd/3
+    }
+    try {
+      ++it; 
+    } catch (std::exception &ex) {
+      it.no_push(); // handle permission error.
+    }
+  }
+
+  return results;
+}
+}
+}