[#1814] Do not stat inotify access subscriptions

2024-11-07 09:58:54 +00:00 · 2016-02-03 18:13:44 -08:00 · 2016-02-03 18:13:44 -08:00 · 77ceca4693
commit 77ceca4693
parent 00ee0654fa
5 changed files with 23 additions and 9 deletions
--- a/osquery/events/linux/inotify.cpp
+++ b/osquery/events/linux/inotify.cpp
@ -40,10 +40,10 @@ std::map<int, std::string> kMaskActions = {
    {IN_OPEN, "OPENED"},
 };

-const int kFileDefaultMasks = IN_MOVED_TO | IN_MOVED_FROM | IN_MODIFY |
-                              IN_DELETE | IN_CREATE | IN_CLOSE_WRITE |
-                              IN_ATTRIB;
-const int kFileAccessMasks = IN_OPEN | IN_ACCESS;
+const uint32_t kFileDefaultMasks = IN_MOVED_TO | IN_MOVED_FROM | IN_MODIFY |
+                                   IN_DELETE | IN_CREATE | IN_CLOSE_WRITE |
+                                   IN_ATTRIB;
+const uint32_t kFileAccessMasks = IN_OPEN | IN_ACCESS;

 REGISTER(INotifyEventPublisher, "event_publisher", "inotify");

--- a/osquery/events/linux/inotify.h
+++ b/osquery/events/linux/inotify.h
@ -22,8 +22,8 @@ namespace osquery {

 extern std::map<int, std::string> kMaskActions;

-extern const int kFileDefaultMasks;
-extern const int kFileAccessMasks;
+extern const uint32_t kFileDefaultMasks;
+extern const uint32_t kFileAccessMasks;

 /**
 * @brief Subscription details for INotifyEventPublisher events.
--- a/osquery/tables/events/event_utils.cpp
+++ b/osquery/tables/events/event_utils.cpp
@ -12,6 +12,8 @@
 #include <osquery/hash.h>
 #include <osquery/sql.h>

+#include "osquery/tables/events/event_utils.h"
+
 namespace osquery {

 const std::set<std::string> kCommonFileColumns = {
--- a/osquery/tables/events/event_utils.h
+++ b/osquery/tables/events/event_utils.h
@ -8,12 +8,16 @@
 *
 */

+#include <set>
 #include <string>

 #include <osquery/tables.h>

 namespace osquery {

+/// List of columns decorated for file events.
+extern const std::set<std::string> kCommonFileColumns;
+
 /**
 * @brief A helper function for each platform's implementation of file_events.
 *
--- a/osquery/tables/events/linux/file_events.cpp
+++ b/osquery/tables/events/linux/file_events.cpp
@ -93,9 +93,17 @@ Status FileEventSubscriber::Callback(const ECRef& ec, const SCRef& sc) {
  r["category"] = sc->category;
  r["transaction_id"] = INTEGER(ec->event->cookie);

-  // Add hashing and 'join' against the file table for stat-information.
-  decorateFileEvent(
-      ec->path, (ec->action == "CREATED" || ec->action == "UPDATED"), r);
+  if ((sc->mask & kFileAccessMasks) != kFileAccessMasks) {
+    // Add hashing and 'join' against the file table for stat-information.
+    decorateFileEvent(
+        ec->path, (ec->action == "CREATED" || ec->action == "UPDATED"), r);
+  } else {
+    // The access event on Linux would generate additional events if stated.
+    for (const auto& column : kCommonFileColumns) {
+      r[column] = "0";
+    }
+    r["hashed"] = "0";
+  }

  // A callback is somewhat useless unless it changes the EventSubscriber
  // state or calls `add` to store a marked up event.