carver: Update table to use JSON (#6656)

This commit is contained in:
Teddy Reed 2020-09-21 19:29:19 -04:00 committed by GitHub
parent 5b8f20bfce
commit 775830270e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 29 deletions


@ -19,8 +19,6 @@ function(generateOsqueryTablesForensic)
osquery_carver
osquery_core
osquery_database
osquery_dispatcher
osquery_distributed
osquery_logger
osquery_utils_json
thirdparty_boost


@ -7,64 +7,63 @@
* SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
*/
#include <boost/algorithm/string/join.hpp>
#include <boost/property_tree/json_parser.hpp>
#include <boost/property_tree/ptree.hpp>
#include <boost/uuid/uuid.hpp>
#include <boost/uuid/uuid_generators.hpp>
#include <boost/uuid/uuid_io.hpp>
#include <osquery/carver/carver.h>
#include <osquery/core/flags.h>
#include <osquery/core/tables.h>
#include <osquery/database/database.h>
#include <osquery/dispatcher/dispatcher.h>
#include <osquery/distributed/distributed.h>
#include <osquery/logger/logger.h>
#include <osquery/utils/json/json.h>
namespace pt = boost::property_tree;
namespace osquery {
DECLARE_bool(disable_carver);
std::string generateNewUUID();
namespace tables {
namespace {
inline void stringToRow(const std::string& key, Row& r, JSON& tree) {
if (tree.doc().HasMember(key) && tree.doc()[key].IsString()) {
r[key] = tree.doc()[key].GetString();
}
}
void enumerateCarves(QueryData& results) {
std::vector<std::string> carves;
scanDatabaseKeys(kCarveDbDomain, carves, kCarverDBPrefix);
scanDatabaseKeys(kCarves, carves, kCarverDBPrefix);
for (const auto& carveGuid : carves) {
std::string carve;
auto s = getDatabaseValue(kCarveDbDomain, carveGuid, carve);
auto s = getDatabaseValue(kCarves, carveGuid, carve);
if (!s.ok()) {
VLOG(1) << "Failed to retrieve carve GUID";
continue;
}
pt::ptree tree;
try {
std::stringstream ss(carve);
pt::read_json(ss, tree);
} catch (const pt::ptree_error& e) {
VLOG(1) << "Failed to parse carve entries: " << e.what();
JSON tree;
s = tree.fromString(carve);
if (!s.ok() || !tree.doc().IsObject()) {
VLOG(1) << "Failed to parse carve entries: " << s.getMessage();
return;
}
Row r;
r["time"] = BIGINT(tree.get<int>("time"));
r["size"] = INTEGER(tree.get<int>("size"));
r["sha256"] = SQL_TEXT(tree.get<std::string>("sha256"));
r["carve_guid"] = SQL_TEXT(tree.get<std::string>("carve_guid"));
r["status"] = SQL_TEXT(tree.get<std::string>("status"));
if (tree.doc().HasMember("time")) {
r["time"] = INTEGER(tree.doc()["time"].GetUint64());
}
if (tree.doc().HasMember("size")) {
r["size"] = INTEGER(tree.doc()["size"].GetInt());
}
stringToRow("sha256", r, tree);
stringToRow("carve_guid", r, tree);
stringToRow("status", r, tree);
stringToRow("path", r, tree);
r["carve"] = INTEGER(0);
r["path"] = SQL_TEXT(tree.get<std::string>("path"));
results.push_back(r);
}
}
} // namespace
QueryData genCarves(QueryContext& context) {
QueryData results;