adding bash_session logging (#4640)

* adding bash_session logging * adding genShellHistoryFromBashSessions updated to include new function for adding bash_sessions * adding genShellHistoryFromBashSessions and tests and header updated test use canonical for filepath updated to include new function for adding bash_sessions
2024-11-07 01:55:20 +00:00 · 2018-07-04 07:25:38 -07:00 · 2018-07-04 07:25:38 -07:00 · b75821658b
commit b75821658b
parent 159d893655
3 changed files with 102 additions and 0 deletions
--- a/osquery/tables/system/posix/shell_history.cpp
+++ b/osquery/tables/system/posix/shell_history.cpp
@ -91,6 +91,24 @@ void genShellHistoryForUser(const std::string& uid,
  }
 }

+void genShellHistoryFromBashSessions(const std::string& uid,
+                                     const std::string& directory,
+                                     QueryData& results) {
+  boost::filesystem::path bash_sessions = directory;
+  bash_sessions /= ".bash_sessions";
+
+  if (pathExists(bash_sessions)) {
+    bash_sessions /= "*.history";
+    std::vector<std::string> session_hist_files;
+    resolveFilePattern(bash_sessions, session_hist_files);
+
+    for (const auto& hfile : session_hist_files) {
+      boost::filesystem::path history_file = hfile;
+      genShellHistoryFromFile(uid, history_file, results);
+    }
+  }
+}
+
 QueryData genShellHistory(QueryContext& context) {
  QueryData results;

@ -102,6 +120,7 @@ QueryData genShellHistory(QueryContext& context) {
    auto dir = row.find("directory");
    if (uid != row.end() && gid != row.end() && dir != row.end()) {
      genShellHistoryForUser(uid->second, gid->second, dir->second, results);
+      genShellHistoryFromBashSessions(uid->second, dir->second, results);
    }
  }

--- a/osquery/tables/system/posix/shell_history.h
+++ b/osquery/tables/system/posix/shell_history.h
@ -16,6 +16,10 @@
 namespace osquery {
 namespace tables {

+void genShellHistoryFromBashSessions(const std::string& uid,
+                                     const std::string& directory,
+                                     QueryData& results);
+
 void genShellHistoryForUser(const std::string& uid,
                            const std::string& gid,
                            const std::string& directory,
--- a/osquery/tables/system/posix/tests/shell_history_tests.cpp
+++ b/osquery/tables/system/posix/tests/shell_history_tests.cpp
@ -59,5 +59,84 @@ TEST_F(ShellHistoryTests, empty_timestamp) {
  fs::remove_all(directory);
 }

+TEST_F(ShellHistoryTests, bash_sessions_no_exist) {
+  auto results = QueryData{};
+  auto directory =
+      fs::temp_directory_path() /
+      fs::unique_path(
+          "osquery.shell_history_tests.bash_sessions_no_exist.%%%%-%%%%");
+  ASSERT_TRUE(fs::create_directory(directory));
+  auto const uid = std::to_string(geteuid());
+
+  // test non-existent .bash_sessions directory
+  genShellHistoryFromBashSessions(uid, directory.native(), results);
+  ASSERT_EQ(results.size(), 0u);
+  fs::remove_all(directory);
+}
+
+TEST_F(ShellHistoryTests, bash_sessions_no_history) {
+  auto results = QueryData{};
+  auto directory =
+      fs::temp_directory_path() /
+      fs::unique_path(
+          "osquery.shell_history_tests.bash_sessions_no_exist.%%%%-%%%%");
+  ASSERT_TRUE(fs::create_directory(directory));
+
+  auto bash_sessions_directory = directory / ".bash_sessions";
+  ASSERT_TRUE(fs::create_directory(bash_sessions_directory));
+  // create a junk session file that will not be read
+  auto filepath = bash_sessions_directory / fs::path("some_guid_here.session");
+  auto const restore_string =
+      R"raw(echo Restored session: "$(date -r 1479082319)")raw";
+  {
+    auto fout =
+        std::ofstream(filepath.native(), std::ios::out | std::ios::binary);
+    fout << restore_string << '\n';
+  }
+  auto const uid = std::to_string(geteuid());
+  // test non-existent some_guid_here.history file
+  genShellHistoryFromBashSessions(uid, directory.native(), results);
+  ASSERT_EQ(results.size(), 0u);
+  fs::remove_all(directory);
+}
+
+TEST_F(ShellHistoryTests, bash_sessions_empty_ts) {
+  auto results = QueryData{};
+  auto directory =
+      fs::temp_directory_path() /
+      fs::unique_path(
+          "osquery.shell_history_tests.bash_sessions_empty_ts.%%%%-%%%%");
+  ASSERT_TRUE(fs::create_directory(directory));
+
+  auto bash_sessions_directory = directory / ".bash_sessions";
+  ASSERT_TRUE(fs::create_directory(bash_sessions_directory));
+  // create a junk session file that will not be read
+  auto filepath = bash_sessions_directory / fs::path("some_guid_here.history");
+  auto const first_line = R"raw([\]^_`!a"b#c$d %e&f'g(h)i*j+k,l-m.n/o0p1q2)raw";
+  auto const second_line = R"raw(r 3 s4t5u6v7w8 x9y:9:z; {<|=}>~?)raw";
+  {
+    auto fout =
+        std::ofstream(filepath.native(), std::ios::out | std::ios::binary);
+    fout << first_line << '\n';
+    fout << second_line << '\n';
+  }
+  auto const uid = std::to_string(geteuid());
+  genShellHistoryFromBashSessions(uid, directory.native(), results);
+  ASSERT_EQ(results.size(), 2u);
+
+  const auto& first_row = results[0];
+  EXPECT_EQ(first_row.at("uid"), uid);
+  EXPECT_EQ(first_row.at("time"), "0");
+  EXPECT_EQ(first_row.at("command"), first_line);
+  EXPECT_EQ(first_row.at("history_file"), fs::canonical(filepath).native());
+
+  const auto& second_row = results[1];
+  EXPECT_EQ(second_row.at("uid"), uid);
+  EXPECT_EQ(second_row.at("time"), "0");
+  EXPECT_EQ(second_row.at("command"), second_line);
+  EXPECT_EQ(second_row.at("history_file"), fs::canonical(filepath).native());
+  fs::remove_all(directory);
+}
+
 } // namespace tables
 } // namespace osquery