From 471d5faaa0f9f998a63a2f974a480cc93d660f63 Mon Sep 17 00:00:00 2001 
From: Vincent Mauge
Date: Tue, 28 Oct 2014 22:08:10 -0700
Subject: [PATCH] Add suid_bin vtable

The vtable reports:
- path: full path of the file
- unix_user: name of the owner (if not available, display the uid)
- unix_group: name of the group (if not available, display the gid)
- permissions: reports suid and/or sgid
  * S for a suid binary
  * G for an sgid binary

Example:
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path | unix_user | unix_group | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps" | root | wheel | S |
| "/bin/rcp" | root | wheel | S |
| "/Users/vmauge/suid_test" | vmauge | 999 | SG |
| "/usr/bin/at" | root | wheel | S |
| "/usr/bin/atq" | root | wheel | S |
| "/usr/bin/atrm" | root | wheel | S |
| "/usr/bin/batch" | root | wheel | S |
| "/usr/bin/crontab" | root | wheel | S |
| "/usr/bin/ipcs" | root | wheel | S |
| "/usr/bin/lockfile" | root | mail | G |
| "/usr/bin/login" | root | wheel | S |
| "/usr/bin/newgrp" | root | wheel | S |
| "/usr/bin/procmail" | root | mail | G |
| "/usr/bin/quota" | root | wheel | S |
| "/usr/bin/rlogin" | root | wheel | S |
| "/usr/bin/rsh" | root | wheel | S |
| "/usr/bin/su" | root | wheel | S |
| "/usr/bin/sudo" | root | wheel | S |
| "/usr/bin/top" | root | wheel | S |
| "/usr/bin/wall" | root | tty | G |
| "/usr/bin/write" | root | tty | G |
| "/usr/sbin/postdrop" | root | _postdrop | G |
| "/usr/sbin/postqueue" | root | _postdrop | G |
| "/usr/sbin/rpc.net" | root | wheel | S |
| "/usr/sbin/rpcset" | root | wheel | S |
| "/usr/sbin/traceroute" | root | wheel | S |
| "/usr/sbin/traceroute6" | root | wheel | S |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+

This commit fixes issue
#253.
---
 osquery/tables/CMakeLists.txt | 1 +
 osquery/tables/specs/x/suid_bin.table | 8 +++
 osquery/tables/system/suid_bin.cpp | 70 +++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 osquery/tables/specs/x/suid_bin.table
 create mode 100644 osquery/tables/system/suid_bin.cpp
diff --git a/osquery/tables/CMakeLists.txt b/osquery/tables/CMakeLists.txt
index bd3141c6..fbddb1fb 100644
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@@ -50,6 +50,7 @@ ADD_OSQUERY_LIBRARY(osquery_tables
 utility/time.cpp
 system/last.cpp
 system/bash_history.cpp
+ system/suid_bin.cpp
 base.h
 )
diff --git a/osquery/tables/specs/x/suid_bin.table b/osquery/tables/specs/x/suid_bin.table
new file mode 100644
index 00000000..4e1523da
--- /dev/null
+++ b/osquery/tables/specs/x/suid_bin.table
@@ -0,0 +1,8 @@
+table_name("suid_bin")
+schema([
+ Column(name="path", type="std::string"),
+ Column(name="unix_user", type="std::string"),
+ Column(name="unix_group", type="std::string"),
+ Column(name="permissions", type="std::string"),
+])
+implementation("suid_bin@genSuidBin")
diff --git a/osquery/tables/system/suid_bin.cpp b/osquery/tables/system/suid_bin.cpp
new file mode 100644
index 00000000..0c1f1df8
--- /dev/null
+++ b/osquery/tables/system/suid_bin.cpp
@@ -0,0 +1,70 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "osquery/database.h"
+
+using std::string;
+using boost::lexical_cast;
+
+namespace osquery {
+namespace tables {
+
+QueryData genSuidBin() {
+ Row r;
+ QueryData results;
+ struct stat info;
+
+ boost::filesystem::recursive_directory_iterator it =
+ boost::filesystem::recursive_directory_iterator(
+ boost::filesystem::path("/"));
+ boost::filesystem::recursive_directory_iterator end;
+
+ while (it != end) {
+ boost::filesystem::path path = *it;
+ try {
+ if (boost::filesystem::is_regular_file(path) &&
+ ((it.status().permissions() & 04000) == 04000 ||
+ (it.status().permissions() & 02000) == 02000)) {
+ // store path
+ r["path"] = boost::lexical_cast(path);
+
+ // store user and group
+ if (stat(path.c_str(), &info) == 0) {
+ struct passwd *pw = getpwuid(info.st_uid);
+ struct group *gr = getgrgid(info.st_gid);
+ // get user name
+ r["unix_user"] = pw ? boost::lexical_cast(pw->pw_name)
+ : boost::lexical_cast(info.st_uid);
+ // get group
+ r["unix_group"] = gr ? boost::lexical_cast(gr->gr_name)
+ : boost::lexical_cast(info.st_gid);
+
+ // get permission
+ r["permissions"] = "";
+ r["permissions"] +=
+ (it.status().permissions() & 04000) == 04000 ? "S" : "";
+ r["permissions"] +=
+ (it.status().permissions() & 02000) == 02000 ? "G" : "";
+
+ results.push_back(r);
+ }
+ }
+ } catch (...) {
+ // handle invalid files like /dev/fd/3
+ }
+ try {
+ ++it;
+ } catch (std::exception &ex) {
+ it.no_push(); // handle permission error.
+ }
+ }
+
+ return results;
+}
+}
+}
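Review bot: The `path` column comes out wrapped in literal double quotes: `r["path"] = boost::lexical_cast(path);` formats a `boost::filesystem::path` through its stream inserter, which quotes the value, and the example output in the commit message shows `"/bin/ps"` rather than `/bin/ps`, so a predicate such as `WHERE path = '/usr/bin/sudo'` or a join against another path-keyed table will never match; use `r["path"] = path.string();`. The increment recovery below it looks fragile: after `++it` throws, the loop dereferences the same iterator and retries the increment with `no_push()` set, and if that retry throws again the walk presumably never advances, so consider calling `no_push()` before incrementing when the current entry is a directory that cannot be opened, or bailing out after a repeated failure. Walking `/` on every query also descends into pseudo- and network filesystems, and the bare `catch (...)` hides every error other than the `/dev/fd/3` case named in the comment, so narrowing the walk to directories that can hold executables, or at least logging what was skipped, would make the table's coverage gaps visible to the operator. Minor: `catch (std::exception &ex)` never uses `ex`, so `catch (const std::exception&)` avoids the unused-variable warning.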