Table for osquery packs

osquery/config/parsers/query_packs.cpp

@@ -15,28 +15,13 @@
 #include <osquery/filesystem.h>
 #include <osquery/config.h>
 #include <osquery/logger.h>
+#include <osquery/query_packs.h>
 
 namespace pt = boost::property_tree;
-namespace fs = boost::filesystem;
 
 namespace osquery {
 namespace tables {
 
-
-/**
- * @brief A simple ConfigParserPlugin for a "packs" dictionary key.
- *
- */
-class QueryPackConfigParserPlugin : public ConfigParserPlugin {
- public:
-  /// Request "packs" top level key.
-  std::vector<std::string> keys() { return {"packs"}; }
-
- private:
-  /// Store the signatures and file_paths and compile the rules.
-  Status update(const std::map<std::string, ConfigTree>& config);
-};
-
 pt::ptree QueryPackSingleEntry(const pt::ptree& pack_data) {
   // Extract all the pack fields
   std::string query = pack_data.get<std::string>("query", "");

osquery/tables/specs/utility/osquery_packs.table

@@ -0,0 +1,17 @@
+table_name("osquery_packs")
+description("Information about the current query packs that are loaded in osquery.")
+schema([
+    Column("name", TEXT, "The given name for this query pack"),
+    Column("path", TEXT, "Path where the pack configuration is found"),
+    Column("query_name", TEXT, "The given name for this query"),
+    Column("query", TEXT, "The exact query to run"),
+    Column("interval", INTEGER, "The interval in seconds to run this query, not an exact interval"),
+    Column("platform", TEXT, "Platforms this query is supported on"),
+    Column("version", TEXT, "Minimum osquery version that this query will run on"),
+    Column("description", TEXT, "Description of the data retrieved by this query"),
+    Column("value", TEXT, "Value of the data retrieved by this query"),
+    Column("scheduled", INTEGER, "Status if query is scheduled to run. If query is scheduled 1, else 0"),
+    Column("scheduled_name", TEXT, "Name of the query in the scheduled table")
+])
+attributes(utility=True)
+implementation("osquery@genOsqueryPacks")

osquery/tables/utility/osquery.cpp

@@ -9,6 +9,7 @@
  */
 
 #include <osquery/config.h>
+#include <osquery/query_packs.h>
 #include <osquery/core.h>
 #include <osquery/extensions.h>
 #include <osquery/flags.h>
@@ -16,6 +17,7 @@
 #include <osquery/registry.h>
 #include <osquery/sql.h>
 #include <osquery/tables.h>
+#include <osquery/filesystem.h>
 
 namespace osquery {
 namespace tables {
@@ -159,5 +161,67 @@ QueryData genOsquerySchedule(QueryContext& context) {
 
   return results;
 }
+
+QueryData genOsqueryPacks(QueryContext& context) {
+  QueryData results;
+  ConfigDataInstance config;
+
+  const auto& pack_config = config.getParsedData("packs");
+  const auto& pack_parser = config.getParser("packs");
+  if (pack_parser == nullptr) {
+    return results;
+  }
+  const auto& queryPackParser = std::static_pointer_cast<QueryPackConfigParserPlugin>(pack_parser);
+  if (queryPackParser == nullptr) {
+    return results;
+  }
+
+  for(auto const &pack_element : pack_config) {
+    Row r;
+
+    // Iterate through all the packs to get the configuration
+    auto pack_name = std::string(pack_element.first.data());
+    auto pack_path = std::string(pack_element.second.data());
+
+    r["name"] = TEXT(pack_name);
+    r["path"] = TEXT(pack_path);
+
+    // Read each pack configuration in JSON
+    pt::ptree pack_tree;
+    Status status = osquery::parseJSON(pack_path, pack_tree);
+
+    // Get all the parsed elements from the pack JSON file
+    if (pack_tree.count(pack_name) == 0) {
+      continue;
+    }
+    pt::ptree pack_file_element = pack_tree.get_child(pack_name);
+
+    // Get all the valid packs and return them in a map
+
+    std::map<std::string, pt::ptree> clean_packs = queryPackParser->QueryPackParsePacks(pack_file_element, false, false);
+
+    // Iterate through the already parsed and valid packs
+    std::map<std::string, pt::ptree>::iterator pk = clean_packs.begin();
+    for(pk=clean_packs.begin(); pk!=clean_packs.end(); ++pk) {
+      // Adding a prefix to the pack queries, to be easily found in the scheduled queries
+      std::string pk_name = "pack_" + pack_name + "_" + pk->first;
+      pt::ptree pk_data = pk->second;
+
+      r["query_name"] = TEXT(pk->first);
+
+      // Query data to return as Row
+      r["query"] = TEXT(pk_data.get<std::string>("query"));
+      r["interval"] = INTEGER(pk_data.get<int>("interval"));
+      r["platform"] = TEXT(pk_data.get<std::string>("platform"));
+      r["version"] = TEXT(pk_data.get<std::string>("version"));
+      r["description"] = TEXT(pk_data.get<std::string>("description"));
+      r["value"] = TEXT(pk_data.get<std::string>("value"));
+
+      results.push_back(r);
+    }
+  }
+
+  return results;
+}
 }
 }

tools/lib.sh

@@ -67,7 +67,7 @@ function _distro() {
 function threads() {
   local __out=$1
   platform OS
-  if [ $FAMILY = "redhat" ] || [ $FAMILY = "debian" ]; then
+  if [[ $FAMILY = "redhat" ]] || [[ $FAMILY = "debian" ]]; then
     eval $__out=`cat /proc/cpuinfo | grep processor | wc -l`
   elif [[ $OS = "darwin" ]]; then
     eval $__out=`sysctl hw.ncpu | awk '{print $2}'`

tools/provision/lib.sh

@@ -117,7 +117,7 @@ function install_rocksdb() {
     if [[ ! -f rocksdb-rocksdb-3.10.2/librocksdb.a ]]; then
       if [[ $FAMILY = "debian" ]]; then
         CLANG_INCLUDE="-I/usr/include/clang/3.4/include"
-      elif [ $FAMILY = "redhat" ]; then
+      elif [[ $FAMILY = "redhat" ]]; then
         CLANG_VERSION=`clang --version | grep version | cut -d" " -f3`
         CLANG_INCLUDE="-I/usr/lib/clang/$CLANG_VERSION/include"
       fi
@@ -353,7 +353,7 @@ function package() {
       log "installing $1"
       sudo apt-get install $1 -y
     fi
-  elif [ $FAMILY = "redhat" ]; then
+  elif [[ $FAMILY = "redhat" ]]; then
     if [[ ! -n "$(rpm -V $1)" ]]; then
       log "$1 is already installed. skipping."
     else
@@ -385,7 +385,7 @@ function remove_package() {
     else
       log "Removing: $1 is not installed. skipping."
     fi
-  elif [ $FAMILY = "redhat" ]; then
+  elif [[ $FAMILY = "redhat" ]]; then
     if [[ -n "$(rpm -qa | grep $1)" ]]; then
       log "removing $1"
       sudo yum remove $1 -y