valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 01:55:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

events: Remove selectAllFrom from linux process events callback (#6638)

Browse Source
This commit is contained in:
Teddy Reed 2020-09-08 16:16:22 -04:00 committed by GitHub
parent 4f9ab34581
commit c32953e139
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
osquery/tables/events/linux/process_events.cpp
View File

@ -7,13 +7,16 @@
* SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
*/
#include <osquery/core/flags.h>
#include <osquery/events/linux/process_events.h>
#include <osquery/filesystem/filesystem.h>
#include <osquery/logger/logger.h>
#include <osquery/registry/registry_factory.h>
#include <osquery/sql/sql.h>
#include <osquery/tables/events/linux/process_events.h>
#include <osquery/utils/system/uptime.h>
#include <sys/stat.h>
namespace osquery {
namespace {
const std::unordered_map<int, std::string> kSyscallNameMap = {
@ -65,25 +68,17 @@ Status AuditProcessEventSubscriber::Callback(const ECRef& ec, const SCRef& sc) {
}
for (auto& row : emitted_row_list) {
auto qd = SQL::selectAllFrom("file", "path", EQUALS, row.at("path"));
// In general, we should always have the AUDIT_PATH record; if we don't
// have it then we probably just lost it
if (row["mode"].empty()) {
row["mode"] = qd.front().at("mode");
}
row["btime"] = "0";
if (qd.size() == 1) {
row["ctime"] = qd.front().at("ctime");
row["atime"] = qd.front().at("atime");
row["mtime"] = qd.front().at("mtime");
struct stat file_stat;
if (stat(row.at("path").c_str(), &file_stat)) {
if (row["mode"].empty()) {
row["mode"] = lsperms(file_stat.st_mode);
}
row["btime"] = "0";
row["atime"] = BIGINT(file_stat.st_atime);
row["mtime"] = BIGINT(file_stat.st_mtime);
row["ctime"] = BIGINT(file_stat.st_ctime);
} else {
VLOG(1) << "Failed to acquire the ctime/atime/mtime values for path "
<< row.at("path");
VLOG(1) << "Failed to stat path: " << row.at("path");
row["ctime"] = "0";
row["atime"] = "0";
row["mtime"] = "0";
@ -192,7 +187,8 @@ Status AuditProcessEventSubscriber::ProcessEvents(
if (!GetSyscallName(row["syscall"], event_data.syscall_number)) {
row["syscall"] = std::to_string(event_data.syscall_number);
VLOG(1) << "Failed to locate the system call name";
VLOG(1) << "Failed to locate the system call name: "
<< event_data.syscall_number;
}
std::string field_value;
@ -244,7 +240,7 @@ Status AuditProcessEventSubscriber::ProcessEvents(
row["owner_gid"] = "0";
}
emitted_row_list.push_back(row);
emitted_row_list.emplace_back(row);
}
return Status::success();