Merge pull request #570 from maclennann/apt_sources

apt_sources table

CMakeLists.txt

@@ -78,6 +78,7 @@ find_package(Crypto REQUIRED)
 find_package(BZip2 REQUIRED)
 find_package(Dl REQUIRED)
 find_package(Readline REQUIRED)
+
 if(NOT APPLE)
   find_package(Unwind REQUIRED)
 endif()

osquery/CMakeLists.txt

@@ -37,6 +37,10 @@ else()
   ADD_OSQUERY_CORE_LINK("boost_thread")
 endif()
 
+if(UBUNTU)
+  ADD_OSQUERY_CORE_LINK("apt-pkg")
+endif()
+
 # The remaining boost libraries are discovered with find_library.
 ADD_OSQUERY_CORE_LINK("boost_system")
 ADD_OSQUERY_CORE_LINK("boost_filesystem")

osquery/tables/CMakeLists.txt

@@ -75,6 +75,7 @@ else()
     # Ubuntu specific tables
     ADD_OSQUERY_LIBRARY(osquery_tables_ubuntu
       system/linux/deb_packages.cpp
+      system/linux/apt_sources.cpp
     )
 
     ADD_OSQUERY_LINK("dpkg")

osquery/tables/specs/ubuntu/apt_sources.table

@@ -0,0 +1,12 @@
+table_name("apt_sources")
+schema([
+    Column("name", TEXT),
+    Column("base_uri", TEXT),
+    Column("package_cache_file", TEXT),
+    Column("release", TEXT),
+    Column("component", TEXT),
+    Column("version", TEXT),
+    Column("maintainer", TEXT),
+    Column("site", TEXT),
+])
+implementation("system/apt_sources@genAptSrcs")

osquery/tables/system/linux/apt_sources.cpp

@@ -0,0 +1,88 @@
+#include <apt-pkg/init.h>
+#include <apt-pkg/cachefile.h>
+#include <osquery/tables.h>
+
+namespace osquery {
+namespace tables {
+
+/**
+* @brief Empty the configuration out of memory when we're done with it
+*
+* Newer versions of libapt-pkg provide this as _config->Clear(), brought
+* forward for compatibility with older library versions.
+*/
+void closeConfig() {
+  const Configuration::Item* Top = _config->Tree(0);
+  while (Top != 0) {
+    _config->Clear(Top->FullTag());
+    Top = Top->Next;
+  }
+}
+
+bool isFieldOkay(const char* fieldValue) {
+  // Ensure the value is initialized so we don't segfault
+  return (fieldValue != 0 && fieldValue[0] != 0);
+}
+
+void extractAptSourceInfo(pkgCache::PkgFileIterator src,
+                          const struct pkgIndexFile* pkgIndex,
+                          QueryData& results) {
+  Row r;
+
+  r["name"] = pkgIndex->Describe(true);
+
+  // If we don't pass it a path to construct, it will
+  // just return the base URI of the repo
+  r["base_uri"] = pkgIndex->ArchiveURI("");
+
+  if (isFieldOkay(src.FileName()))
+    r["package_cache_file"] = src.FileName();
+  if (isFieldOkay(src.Archive()))
+    r["release"] = src.Archive();
+  if (isFieldOkay(src.Component()))
+    r["component"] = src.Component();
+  if (isFieldOkay(src.Version()))
+    r["version"] = src.Version();
+  if (isFieldOkay(src.Origin()))
+    r["maintainer"] = src.Origin();
+  if (isFieldOkay(src.Label()))
+    r["label"] = src.Label();
+  if (isFieldOkay(src.Site()))
+    r["site"] = src.Site();
+
+  results.push_back(r);
+}
+
+QueryData genAptSrcs(QueryContext& context) {
+  QueryData results;
+
+  // Load our apt configuration into memory
+  // Note: _config comes from apt-pkg/configuration.h
+  //       _system comes from apt-pkg/pkgsystem.h
+  pkgInitConfig(*_config);
+  pkgInitSystem(*_config, _system);
+
+  pkgCacheFile cache_file;
+  pkgCache* cache = cache_file.GetPkgCache();
+  pkgSourceList* src_list = cache_file.GetSourceList();
+
+  // For each apt cache file that contains packages
+  for (pkgCache::PkgFileIterator file = cache->FileBegin(); !file.end();
+       ++file) {
+
+    // Locate the associated index files to ensure the repository is installed
+    pkgIndexFile* pkgIndex;
+    if (!src_list->FindIndex(file, pkgIndex))
+      continue;
+
+    extractAptSourceInfo(file, pkgIndex, results);
+  }
+
+  // Cleanup
+  cache_file.Close();
+  closeConfig();
+
+  return results;
+}
+}
+}

tools/provision.sh

@@ -347,6 +347,7 @@ function main() {
     package clang-format-3.4
     package librpm-dev
     package libdpkg-dev
+    package libapt-pkg-dev
     package libudev-dev
     package libblkid-dev
     package linux-headers-generic