Merge pull request #1471 from theopolis/process_start_fix

[Fix #1453] Use second precision for process start times

osquery/tables/system/darwin/processes.cpp

@@ -13,6 +13,7 @@
 
 #include <libproc.h>
 #include <mach/mach.h>
+#include <mach/mach_time.h>
 #include <sys/sysctl.h>
 
 #include <mach-o/dyld_images.h>
@@ -33,6 +34,9 @@ namespace tables {
 // The maximum number of expected memory regions per process.
 #define MAX_MEMORY_MAPS 512
 
+#define CPU_TIME_RATIO 1000000
+#define START_TIME_RATIO 1000000000
+
 std::set<int> getProcList(const QueryContext &context) {
   std::set<int> pidlist;
   if (context.constraints.count("pid") > 0 &&
@@ -216,6 +220,12 @@ proc_args getProcRawArgs(int pid, size_t argmax) {
 QueryData genProcesses(QueryContext &context) {
   QueryData results;
 
+  // Initialize time conversions.
+  static mach_timebase_info_data_t time_base;
+  if (time_base.denom == 0) {
+    mach_timebase_info(&time_base);
+  }
+
   auto pidlist = getProcList(context);
   auto parent_pid = getParentMap(pidlist);
   int argmax = genMaxArgs();
@@ -279,9 +289,13 @@ QueryData genProcesses(QueryContext &context) {
       r["phys_footprint"] = TEXT(rusage_info_data.ri_phys_footprint);
 
       // time information
-      r["user_time"] = TEXT(rusage_info_data.ri_user_time / 1000000);
-      r["system_time"] = TEXT(rusage_info_data.ri_system_time / 1000000);
-      r["start_time"] = TEXT(rusage_info_data.ri_proc_start_abstime);
+      r["user_time"] = TEXT(rusage_info_data.ri_user_time / CPU_TIME_RATIO);
+      r["system_time"] = TEXT(rusage_info_data.ri_system_time / CPU_TIME_RATIO);
+      // Convert the time in CPU ticks since boot to seconds.
+      // This is relative to time not-sleeping since boot.
+      r["start_time"] =
+          TEXT((rusage_info_data.ri_proc_start_abstime / START_TIME_RATIO) *
+               time_base.numer / time_base.denom);
     } else {
       r["wired_size"] = "-1";
       r["resident_size"] = "-1";

osquery/tables/system/linux/processes.cpp

@@ -160,7 +160,7 @@ SimpleProcStat getProcStat(const std::string& pid) {
     stat.parent = details.at(1);
     stat.user_time = details.at(11);
     stat.system_time = details.at(12);
-    stat.start_time = details.at(19);
+    stat.start_time = TEXT(AS_LITERAL(BIGINT_LITERAL, details.at(19)) / 100);
   }
 
   if (readFile(getProcAttr("status", pid), content).ok()) {

specs/processes.table

@@ -11,13 +11,15 @@ schema([
     Column("gid", BIGINT, "Unsgiend groud ID"),
     Column("euid", BIGINT, "Unsigned effective user ID"),
     Column("egid", BIGINT, "Unsigned effective group ID"),
-    Column("on_disk", TEXT, "The process path exists yes=1, no=0, unknown=-1"),
-    Column("wired_size", TEXT, "Bytes of unpagable memory used by process"),
-    Column("resident_size", TEXT, "Bytes of private memory used by process"),
-    Column("phys_footprint", TEXT, "Bytes of total physical memory used"),
-    Column("user_time", TEXT, "CPU time spent in user space"),
-    Column("system_time", TEXT, "CPU time spent in kernel space"),
-    Column("start_time", TEXT, "Unix timestamp of process start"),
+    Column("on_disk", INTEGER,
+        "The process path exists yes=1, no=0, unknown=-1"),
+    Column("wired_size", BIGINT, "Bytes of unpagable memory used by process"),
+    Column("resident_size", BIGINT, "Bytes of private memory used by process"),
+    Column("phys_footprint", BIGINT, "Bytes of total physical memory used"),
+    Column("user_time", BIGINT, "CPU time spent in user space"),
+    Column("system_time", BIGINT, "CPU time spent in kernel space"),
+    Column("start_time", BIGINT,
+        "Process start in seconds since boot (non-sleeping)"),
     Column("parent", INTEGER, "Process parent's PID"),
 ])
 implementation("system/processes@genProcesses")