Add quarantine vtable for OSX

The tables reports: - path: The file in quarantine - creator: The application that created the file Example: osquery> select * from quarantine limit 10; +----------------------------------------------------------------------------+---------------+ | path | creator | +----------------------------------------------------------------------------+---------------+ | /Applications/Adium.app | Google Chrome | | /Applications/Adium.app/Contents | Google Chrome | | /Applications/Adium.app/Contents/_CodeSignature | Google Chrome | | /Applications/Adium.app/Contents/_CodeSignature/CodeResources | Google Chrome | | /Applications/Adium.app/Contents/Frameworks | Google Chrome | | /Applications/Adium.app/Contents/Frameworks/Adium.framework | Google Chrome | | /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium | Google Chrome | | /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers | Google Chrome | | /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders | Google Chrome | | /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources | Google Chrome | +----------------------------------------------------------------------------+---------------+ Fixes issue #231
2024-11-07 18:08:53 +00:00 · 2014-10-31 06:10:51 -07:00 · 2014-10-31 06:10:51 -07:00 · a6e04efdd7
commit a6e04efdd7
parent cdb5b29bda
3 changed files with 71 additions and 0 deletions
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@ -22,6 +22,7 @@ if(APPLE)
    system/darwin/launchd.cpp
    system/darwin/nvram.cpp
    system/darwin/processes.cpp
+    system/darwin/quarantine.cpp
  )

  ADD_OSQUERY_LINK("-framework Foundation")
--- a/osquery/tables/specs/darwin/quarantine.table
+++ b/osquery/tables/specs/darwin/quarantine.table
@ -0,0 +1,6 @@
+table_name("quarantine")
+schema([
+    Column(name="path", type="std::string"),
+    Column(name="creator", type="std::string"),
+])
+implementation("system@genQuarantine")
--- a/osquery/tables/system/darwin/quarantine.cpp
+++ b/osquery/tables/system/darwin/quarantine.cpp
@ -0,0 +1,64 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+
+#include <ctime>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/stat.h>
+#include <sys/xattr.h>
+#include <boost/lexical_cast.hpp>
+#include <boost/filesystem.hpp>
+#include <boost/algorithm/string.hpp>
+#include "osquery/database.h"
+
+using std::string;
+using boost::lexical_cast;
+
+namespace osquery {
+namespace tables {
+
+const char *xattr_quarantine = "com.apple.quarantine";
+
+QueryData genQuarantine() {
+  Row r;
+  QueryData results;
+
+  boost::filesystem::recursive_directory_iterator it =
+      boost::filesystem::recursive_directory_iterator(
+          boost::filesystem::path("/"));
+  boost::filesystem::recursive_directory_iterator end;
+
+  while (it != end) {
+    boost::filesystem::path path = *it;
+    try {
+      std::vector<std::string> values;
+      std::string filePathQuotes = boost::lexical_cast<std::string>(path);
+      std::string filePath = filePathQuotes.substr(1, filePathQuotes.length() - 2);
+
+      int bufferLength = getxattr(filePath.c_str(), xattr_quarantine, NULL, 0, 0, 0);
+      if (bufferLength > 0) {
+	char *value = (char *) malloc(sizeof(char *) * bufferLength);
+	getxattr(filePath.c_str(), xattr_quarantine, value, bufferLength, 0, 0);
+
+	boost::split(values, value, boost::is_any_of(";"));
+	boost::trim(values[2]);
+
+	r["path"] = filePath;
+	r["creator"] = values[2];
+
+	results.push_back(r);
+	free(value);
+      }
+    } catch (...) {
+      // handle invalid files like /dev/fd/3
+    }
+    try {
+      ++it;
+    } catch (std::exception &ex) {
+      it.no_push(); // handle permission error.
+    }
+  }
+
+  return results;
+}
+}
+}