Merge pull request #64 from facebook/launchdaemon

Productionalizing
This commit is contained in:
Mike Arpaia 2014-08-30 03:59:01 -07:00
commit d3bcee8f6f
49 changed files with 855 additions and 195 deletions

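--- a/CMake/FindGtest.cmake
+++ b/CMake/FindGtest.cmake
@@ -0,0 +1,2 @@
+INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/gtest-1.7.0/include")
+ADD_SUBDIRECTORY("${CMAKE_SOURCE_DIR}/third-party/gtest-1.7.0")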
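Review bot: FindGtest.cmake, like FindSqlite3.cmake two sections down, is not a find module in CMake's sense: it sets no `Gtest_FOUND` and never checks that the vendored directory exists, so `FIND_PACKAGE(Gtest REQUIRED)` in the top-level file can never fail on its own and a missing `third-party/gtest-1.7.0` only surfaces later as an ADD_SUBDIRECTORY error. Both modules also anchor on `${CMAKE_SOURCE_DIR}`, the top of whatever build includes osquery; `${PROJECT_SOURCE_DIR}` is the path that stays correct when osquery is built as a subproject. A guard such as `if(NOT EXISTS "${PROJECT_SOURCE_DIR}/third-party/gtest-1.7.0/CMakeLists.txt")` / `message(FATAL_ERROR "gtest sources are missing under third-party/")` / `endif()` gives a clear failure, and the directory-scoped `INCLUDE_DIRECTORIES` belongs on the targets that actually use gtest (`target_include_directories`) rather than on every target in the tree.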

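--- a/CMake/FindRocksDB.cmake
+++ b/CMake/FindRocksDB.cmake
@@ -0,0 +1,9 @@
+INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/rocksdb/include")
+include(ExternalProject)
+ExternalProject_Add(librocksdb
+SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/rocksdb"
+CONFIGURE_COMMAND ""
+BUILD_IN_SOURCE 1
+BUILD_COMMAND make shared_lib && make static_lib
+INSTALL_COMMAND cp librocksdb.dylib /usr/local/lib/librocksdb.dylib && cp librocksdb.a /usr/local/lib/librocksdb.a
+)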
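Review bot: The `INSTALL_COMMAND` copies `librocksdb.dylib` and `librocksdb.a` into `/usr/local/lib` as part of the ordinary build, so a plain `make` writes outside the build tree, needs write access to a system directory, and every consumer (`TARGET_LINK_LIBRARIES(osquery_database rocksdb)` resolved through the top-level `LINK_DIRECTORIES("/usr/local/lib")`) then links whatever `librocksdb` happens to sit in that shared path — on developer machines where `/usr/local` is user-writable that is any library a local user has dropped there, not necessarily the one this step produced. The step is also macOS-only (`.dylib`) while the module is loaded unconditionally, and `BUILD_IN_SOURCE 1` leaves build products inside the checked-out `third-party/rocksdb` tree. Keeping the artifact where it is built and naming it explicitly removes both the privilege requirement and the ambiguity: `INSTALL_COMMAND ""`, then `add_library(rocksdb STATIC IMPORTED)` with `IMPORTED_LOCATION "${PROJECT_SOURCE_DIR}/third-party/rocksdb/librocksdb.a"`; the consumers already carry `ADD_DEPENDENCIES(... librocksdb)` for ordering. `INTERFACE_INCLUDE_DIRECTORIES` on that imported target would also replace the directory-scoped `INCLUDE_DIRECTORIES` on the first line.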

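--- a/CMake/FindSqlite3.cmake
+++ b/CMake/FindSqlite3.cmake
@@ -0,0 +1,2 @@
+INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/sqlite3")
+ADD_SUBDIRECTORY("${CMAKE_SOURCE_DIR}/third-party/sqlite3")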


@ -1,27 +1,15 @@
CMAKE_MINIMUM_REQUIRED(VERSION 2.8)
PROJECT(OSQUERY)
SET(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake" ${CMAKE_MODULE_PATH})
FIND_PACKAGE(Gtest REQUIRED)
FIND_PACKAGE(RocksDB REQUIRED)
FIND_PACKAGE(Sqlite3 REQUIRED)
INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}")
INCLUDE_DIRECTORIES("/usr/local/include")
INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/gtest-1.7.0/include")
ADD_SUBDIRECTORY("${CMAKE_SOURCE_DIR}/third-party/gtest-1.7.0")
INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/rocksdb/include")
include(ExternalProject)
ExternalProject_Add(librocksdb
SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/rocksdb"
CONFIGURE_COMMAND ""
BUILD_IN_SOURCE 1
BUILD_COMMAND make shared_lib && make static_lib
INSTALL_COMMAND cp librocksdb.dylib /usr/local/lib/librocksdb.dylib && cp librocksdb.a /usr/local/lib/librocksdb.a
)
INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/third-party/sqlite3")
ADD_SUBDIRECTORY("${CMAKE_SOURCE_DIR}/third-party/sqlite3")
SET(CMAKE_C_FLAGS "-std=c99")
SET(CMAKE_CXX_FLAGS "-std=c++11 -stdlib=libc++")
SET(GEN_TABLE_PATH "${CMAKE_SOURCE_DIR}/tools/gentable.py")
LINK_DIRECTORIES("/usr/local/lib")
ADD_SUBDIRECTORY(osquery/config)
ADD_SUBDIRECTORY(osquery/core)
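Review bot: `INCLUDE_DIRECTORIES("/usr/local/include")` and `LINK_DIRECTORIES("/usr/local/lib")` put an unmanaged system prefix in scope for every target in the tree, so headers and libraries (`rocksdb`, `gtest`, `sqlite3`, `boost_*`, `glog`) can resolve to whatever is installed there instead of the vendored copies this build produces; that makes builds hard to reproduce and, where `/usr/local` is user-writable, lets a stale or substituted library into the daemon's link without any visible change to the project. Per-target `target_include_directories` plus full library paths or imported targets from the Find modules would replace both directory-scoped calls. The string `"-std=c++11 -stdlib=libc++"` is now repeated as `COMPILE_FLAGS` on each target in the second hunk and again in the config, core, database, devtools, filesystem, logger, scheduler and tables CMakeLists; defining it once here, e.g. `SET(OSQUERY_CXX_FLAGS "-std=c++11 -stdlib=libc++")`, and using `${OSQUERY_CXX_FLAGS}` keeps the toolchain choice in one place, and since `-stdlib=libc++` is a clang-only option that definition is the natural spot for an `if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")` guard.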
@ -53,11 +41,13 @@ SET_TARGET_PROPERTIES(osquery_static PROPERTIES OUTPUT_NAME osquery)
ADD_EXECUTABLE(shell osquery/main/shell.cpp)
TARGET_LINK_LIBRARIES(shell osquery_static)
SET_TARGET_PROPERTIES(shell PROPERTIES OUTPUT_NAME osqueryi)
SET_TARGET_PROPERTIES(shell PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
INSTALL(TARGETS shell DESTINATION bin)
ADD_EXECUTABLE(daemon osquery/main/daemon.cpp)
TARGET_LINK_LIBRARIES(daemon osquery_static)
SET_TARGET_PROPERTIES(daemon PROPERTIES OUTPUT_NAME osqueryd)
SET_TARGET_PROPERTIES(daemon PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
INSTALL(TARGETS daemon DESTINATION bin)
ADD_SUBDIRECTORY(tools)


@ -1,5 +1,9 @@
OS=$(shell uname)
BUILD_THREADS=5
ifeq ($(OS),Darwin)
OSQUERYD_PLIST_PATH="/Library/LaunchDaemons/com.facebook.osqueryd.plist"
endif
ROCKSDB_PATH="/tmp/rocksdb-osquery"
all: tables build
@ -15,6 +19,17 @@ build:
clean: clean_tables
cd build && make clean
ifeq ($(OS),Darwin)
clean_install:
rm -rf /var/osquery
rm -rf $(ROCKSDB_PATH)
rm -f /usr/local/bin/osqueryi
rm -f /usr/local/bin/osqueryd
rm -f /var/log/osquery.log
if [ -f $(OSQUERYD_PLIST_PATH) ]; then launchctl unload $(OSQUERYD_PLIST_PATH); fi;
rm -f $(OSQUERYD_PLIST_PATH)
endif
clean_tables:
rm -rf osquery/tables/generated
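Review bot: `clean_install` runs `rm -rf /var/osquery`, the directory that holds the daemon's configuration (`/var/osquery/osquery.conf` per the config plugin in this commit), so the target discards user configuration along with the binaries and log it installed; an `rm -rf` on a fixed absolute path under `/var` is better scoped to the files this Makefile itself put there. `ROCKSDB_PATH` is `/tmp/rocksdb-osquery`; if that is also where the daemon keeps its database (not visible on this page), a world-writable temp directory is a poor home for state a root-run launch daemon trusts, since any local user can pre-create or replace it, and a directory under `/var` with restricted permissions fits better. `clean_install` produces no file, so it belongs in `.PHONY` if the list outside the hunk does not already name it, and it is defined only for Darwin while `ROCKSDB_PATH` is set unconditionally.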

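--- a/osquery.supp
+++ b/osquery.supp
@@ -0,0 +1,212 @@
+{
+<dyld_cond>
+Memcheck:Cond
+...
+fun:*dyld*
+}
+{
+<imageloader_cond>
+Memcheck:Cond
+...
+fun:*ImageLoader*
+}
+{
+<imageloader_leak>
+Memcheck:Leak
+...
+fun:*ImageLoader*
+}
+{
+<dyld_initialize>
+Memcheck:Leak
+...
+fun:*dyld*
+}
+{
+<glog>
+Memcheck:Leak
+...
+fun:*google*LogMessage*Init*
+}
+{
+<localtime_statically_allocated>
+Memcheck:Leak
+...
+fun:localtime
+}
+{
+<rocksdb_init_module>
+Memcheck:Leak
+...
+fun:*rocksdb*InitModule*
+}
+{
+<rocksdb_posixenv>
+Memcheck:Leak
+...
+fun:*rocksdb*PosixEnv*
+}
+{
+<rocksdb_sanitize_options>
+Memcheck:Leak
+...
+fun:*rocksdb*SanitizeOptions*
+}
+{
+<rocksdb_internalstats>
+Memcheck:Leak
+...
+fun:*rocksdb*InternalStats*
+}
+{
+<core_foundation>
+Memcheck:Leak
+...
+fun:_CFRuntimeBridgeClasses
+}
+{
+<core_foundation_preferences>
+Memcheck:Leak
+...
+fun:____CFXPreferencesInitialize_block_invoke
+}
+{
+<objective_c_startip>
+Memcheck:Leak
+...
+fun:-[NSThread init]
+}
+{
+<foundation_initialize_1>
+Memcheck:Leak
+...
+fun:dispatch_once_f
+...
+fun:__CFInitialize
+}
+{
+<foundation_initialize_2>
+Memcheck:Leak
+...
+fun:dispatch_once_f
+...
+fun:CFArrayCreate
+}
+{
+<foundation_initialize_3>
+Memcheck:Leak
+...
+fun:dispatch_once_f
+...
+fun:_class_initialize
+}
+{
+<foundation_initialize_4>
+Memcheck:Addr8
+...
+fun:_malloc_initialize
+}
+{
+<foundation_initialize_5>
+Memcheck:Addr4
+...
+fun:_malloc_initialize
+}
+{
+<foundation_initialize_6>
+Memcheck:Cond
+...
+fun:-[__NSPlaceholderTimeZone __initWithName:cache:]
+fun:+[NSTimeZone timeZoneWithName:]
+fun:+[NSTimeZone systemTimeZone]
+fun:+[NSTimeZone defaultTimeZone]
+}
+{
+<foundation_initialize_7>
+Memcheck:Addr8
+...
+fun:_os_alloc_once
+...
+fun:cache_create
+...
+fun:dispatch_once_f
+}
+{
+<foundation_initialize_8>
+Memcheck:Addr1
+...
+fun:_os_alloc_once
+...
+fun:cache_create
+...
+fun:dispatch_once_f
+}
+{
+<foundation_initialize_9>
+Memcheck:Leak
+...
+fun:ucal_getCanonicalTimeZoneID
+}
+{
+<foundation_initialize_10>
+Memcheck:Leak
+...
+fun:ures_openDirect
+}
+{
+<foundation_initialize_11>
+Memcheck:Leak
+match-leak-kinds: definite
+...
+fun:malloc_zone_malloc
+fun:malloc_set_zone_name
+fun:_malloc_initialize
+fun:malloc_good_size
+...
+}
+{
+<foundation_initialize_12>
+Memcheck:Leak
+...
+fun:objc_msgSend
+fun:+[NSTimeZone allocWithZone:]
+fun:+[NSTimeZone timeZoneWithName:]
+fun:+[NSTimeZone systemTimeZone]
+fun:+[NSTimeZone defaultTimeZone]
+...
+}
+{
+<foundation_initialize_12>
+Memcheck:Leak
+...
+fun:_os_once
+fun:_os_alloc_once
+fun:cache_create
+...
+fun:dispatch_once_f
+...
+}
+{
+<glog_cond>
+Memcheck:Cond
+...
+fun:*google*LogMessage*
+}
+{
+<glog_leak>
+Memcheck:Leak
+...
+fun:*google*LogMessage*
+}
+{
+<objc_startup_1>
+Memcheck:Leak
+...
+fun:CFBundleGetMainBundle
+}
+{
+<arc_false_positive>
+Memcheck:Leak
+...
+fun:lookUpImpOrForward
+}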
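Review bot: The suppression name `<foundation_initialize_12>` is used twice (the entry ending in `+[NSTimeZone defaultTimeZone]` and the one starting at `fun:_os_once`); valgrind accepts duplicates but its used-suppression summary then cannot tell the two apart by name, so the second should become `<foundation_initialize_13>`. Only `<foundation_initialize_11>` restricts itself with `match-leak-kinds: definite`; every other `Memcheck:Leak` entry matches all leak kinds, and the `<dyld_*>`, `<imageloader_*>` and `<glog_*>` entries pair that with a bare `...` above a wildcard frame, so they are the broadest rules in the file. A one-line comment above each of those explaining which startup noise it covers (valgrind ignores `#` lines) would make it easier to notice when one of them starts hiding a regression in osquery's own code.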


@ -8,9 +8,11 @@ TARGET_LINK_LIBRARIES(osquery_config boost_thread-mt)
TARGET_LINK_LIBRARIES(osquery_config gflags)
TARGET_LINK_LIBRARIES(osquery_config glog)
TARGET_LINK_LIBRARIES(osquery_config "-Wl,-all_load")
SET_TARGET_PROPERTIES(osquery_config PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(config_tests config_tests.cpp)
TARGET_LINK_LIBRARIES(config_tests gtest)
TARGET_LINK_LIBRARIES(config_tests osquery_config)
TARGET_LINK_LIBRARIES(config_tests osquery_core)
TARGET_LINK_LIBRARIES(config_tests osquery_sqlite)
SET_TARGET_PROPERTIES(config_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -19,7 +19,7 @@ using osquery::Status;
namespace osquery {
namespace config {
DEFINE_string(config_path, "/var/osquery/config.json", "Path to config file");
DEFINE_string(config_path, "/var/osquery/osquery.conf", "Path to config file");
class FilesystemConfigPlugin : public ConfigPlugin {
public:
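Review bot: The default `config_path` moves to `/var/osquery/osquery.conf`, and nothing in this hunk checks who owns or may write that file before its contents decide which queries the daemon runs; if `osqueryd` runs as root (the launchd plist handled in the Makefile suggests it does), the permissions on `/var/osquery` are part of the trust boundary and a group- or world-writable file lets any local user change the schedule. The flag description is the natural place to record the expectation, e.g. `"Path to config file (expected to be writable only by root)"`, and the plugin could refuse or at least `LOG(WARNING)` on a file whose mode allows other writers. `FilesystemConfigPlugin` continues past the hunk.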


@ -28,6 +28,18 @@ void initOsquery(int argc, char* argv[]);
// supplied, the string will be split based on whitespace.
std::vector<std::string> split(const std::string& s);
std::vector<std::string> split(const std::string& s, const std::string& delim);
// getHostname returns a std::string which contains the current host's hostname
std::string getHostname();
// getAsciiTime() returns a string containing the current time in the following
// format: Wed Sep 21 10:27:52 2011
std::string getAsciiTime();
// getUnixTime() returns an int which represents the current time since the
// unix epoch
int getUnixTime();
}
}
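Review bot: `int getUnixTime()` narrows a `time_t` to `int`, and the same type is carried through `ScheduledQueryLogItem::unixTime` and `tree.put<int>("unixTime", ...)` in the results.h and results.cpp sections, so every epoch value in a log item is truncated after 2038 on any platform with a 32-bit `int` (which includes 64-bit macOS). Using `time_t` (or `int64_t`) end to end removes the truncation; the declaration here would read `time_t getUnixTime();` with the comment `// getUnixTime() returns the current time in seconds since the unix epoch`, and the wording "returns an int which represents" should track whichever type is chosen. The new system.cpp is where the conversion actually happens, so the change is mechanical across those four files.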


@ -1,6 +1,7 @@
ADD_LIBRARY(osquery_core
init_osquery.cpp
sqlite_util.cpp
system.cpp
test_util.cpp
text.cpp
)
@ -11,23 +12,28 @@ TARGET_LINK_LIBRARIES(osquery_core osquery_database)
TARGET_LINK_LIBRARIES(osquery_core osquery_filesystem)
TARGET_LINK_LIBRARIES(osquery_core osquery_sqlite)
TARGET_LINK_LIBRARIES(osquery_core osquery_tables)
SET_TARGET_PROPERTIES(osquery_core PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(status_tests status_tests.cpp)
TARGET_LINK_LIBRARIES(status_tests gtest)
SET_TARGET_PROPERTIES(status_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(sqlite_util_tests sqlite_util_tests.cpp)
TARGET_LINK_LIBRARIES(sqlite_util_tests gtest)
TARGET_LINK_LIBRARIES(sqlite_util_tests osquery_core)
TARGET_LINK_LIBRARIES(sqlite_util_tests osquery_database)
TARGET_LINK_LIBRARIES(sqlite_util_tests osquery_sqlite)
SET_TARGET_PROPERTIES(sqlite_util_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(test_util_tests test_util_tests.cpp)
TARGET_LINK_LIBRARIES(test_util_tests gtest)
TARGET_LINK_LIBRARIES(test_util_tests glog)
TARGET_LINK_LIBRARIES(test_util_tests osquery_core)
TARGET_LINK_LIBRARIES(test_util_tests osquery_sqlite)
SET_TARGET_PROPERTIES(test_util_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(text_tests text_tests.cpp)
TARGET_LINK_LIBRARIES(text_tests gtest)
TARGET_LINK_LIBRARIES(text_tests glog)
TARGET_LINK_LIBRARIES(text_tests osquery_core)
SET_TARGET_PROPERTIES(text_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -28,7 +28,10 @@ sqlite3* createDB() {
}
QueryData aggregateQuery(const std::string& q, int& error_return) {
return aggregateQuery(q, error_return, createDB());
sqlite3* db = createDB();
QueryData results = aggregateQuery(q, error_return, db);
sqlite3_close(db);
return results;
}
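Review bot: `sqlite3_close(db)` on the new third line discards its return code; SQLite returns `SQLITE_BUSY` and leaves the handle open when a prepared statement was not finalized, so a leak from the inner `aggregateQuery` overload would pass unnoticed here. Checking the result — for example `if (sqlite3_close(db) != SQLITE_OK && error_return == 0) { error_return = 1; }` — or, if the vendored SQLite is 3.7.14 or later, using `sqlite3_close_v2` so the handle is released when the last statement finishes, makes the cleanup observable. If `createDB()` can return a null handle (its body is outside the hunk), the inner call receives it unchecked, which is worth a one-line guard as well.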
QueryData aggregateQuery(const std::string& q, int& error_return, sqlite3* db) {


@ -17,15 +17,19 @@ class SQLiteUtilTests : public testing::Test {};
TEST_F(SQLiteUtilTests, test_simple_query_execution) {
int err;
auto results = aggregateQuery(kTestQuery, err, createTestDB());
auto db = createTestDB();
auto results = aggregateQuery(kTestQuery, err, db);
sqlite3_close(db);
EXPECT_EQ(err, 0);
EXPECT_EQ(results, getTestDBExpectedResults());
}
TEST_F(SQLiteUtilTests, test_passing_callback_no_data_param) {
char* err = nullptr;
auto db = createTestDB();
sqlite3_exec(
createTestDB(), kTestQuery.c_str(), query_data_callback, nullptr, &err);
db, kTestQuery.c_str(), query_data_callback, nullptr, &err);
sqlite3_close(db);
EXPECT_TRUE(err != nullptr);
if (err != nullptr) {
sqlite3_free(err);
@ -34,7 +38,9 @@ TEST_F(SQLiteUtilTests, test_passing_callback_no_data_param) {
TEST_F(SQLiteUtilTests, test_aggregate_query) {
int err;
QueryData d = aggregateQuery(kTestQuery, err, createTestDB());
auto db = createTestDB();
QueryData d = aggregateQuery(kTestQuery, err, db);
sqlite3_close(db);
EXPECT_EQ(err, 0);
}

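--- a/osquery/core/system.cpp
+++ b/osquery/core/system.cpp
@@ -0,0 +1,36 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+#include "osquery/core.h"
+#include <cstring>
+#include <ctime>
+#include <unistd.h>
+#include <boost/algorithm/string/trim.hpp>
+namespace osquery {
+namespace core {
+std::string getHostname() {
+char hostname[256];
+memset(hostname, 0, 255);
+gethostname(hostname, 255);
+std::string hostname_string = std::string(hostname);
+boost::algorithm::trim(hostname_string);
+return hostname_string;
+}
+std::string getAsciiTime() {
+std::time_t result = std::time(NULL);
+std::string time_str = std::string(std::asctime(std::localtime(&result)));
+boost::algorithm::trim(time_str);
+return time_str;
+}
+int getUnixTime() {
+std::time_t result = std::time(NULL);
+return result;
+}
+}
+}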
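Review bot: `getHostname` ignores the return value of `gethostname`, which returns -1 on failure (including, on some platforms, a name longer than the buffer), and then returns whatever is in the zeroed buffer as if it were the host's name; `getAsciiTime` goes through `std::localtime` and `std::asctime`, both of which hand back pointers to static storage shared by every thread, so once more than one thread calls it (the scheduler already runs on its own thread in daemon.cpp) the returned string can be torn. `getUnixTime` additionally narrows `time_t` to `int`, which is raised on the core.h section. The rewrite below checks the `gethostname` result and formats the time into a local buffer with `localtime_r`/`strftime`, using the `"%a %b %e %H:%M:%S %Y"` layout that `asctime` produces so the documented `Wed Sep 21 10:27:52 2011` format is unchanged and the trailing newline that `trim` currently strips never appears.
```cpp
std::string getHostname() {
  char hostname[256];
  memset(hostname, 0, sizeof(hostname));
  // pass one byte less than the buffer so the zeroed last byte is always a terminator
  if (gethostname(hostname, sizeof(hostname) - 1) != 0) {
    return "";
  }
  std::string hostname_string(hostname);
  boost::algorithm::trim(hostname_string);
  return hostname_string;
}
std::string getAsciiTime() {
  std::time_t now = std::time(NULL);
  struct tm local;
  if (localtime_r(&now, &local) == NULL) {
    return "";
  }
  // same layout as asctime(), minus its trailing newline; storage is local, not static
  char buf[32];
  std::strftime(buf, sizeof(buf), "%a %b %e %H:%M:%S %Y", &local);
  return std::string(buf);
}
// … unchanged: getUnixTime …
```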


@ -205,8 +205,14 @@ getSerializedScheduledQueryLogItem() {
auto dr = getSerializedDiffResults();
i.diffResults = dr.second;
i.name = "foobar";
i.calendarTime = "Mon Aug 25 12:10:57 2014";
i.unixTime = 1408993857;
i.hostname = "foobaz";
root.add_child("diffResults", dr.first);
root.put<std::string>("name", "foobar");
root.put<std::string>("hostname", "foobaz");
root.put<std::string>("calendarTime", "Mon Aug 25 12:10:57 2014");
root.put<int>("unixTime", 1408993857);
return std::make_pair(root, i);
}


@ -13,7 +13,9 @@ class TestUtilTests : public testing::Test {};
TEST_F(TestUtilTests, test_expected_results) {
int err;
auto results = aggregateQuery(kTestQuery, err, createTestDB());
auto db = createTestDB();
auto results = aggregateQuery(kTestQuery, err, db);
sqlite3_close(db);
EXPECT_EQ(err, 0);
EXPECT_EQ(results, getTestDBExpectedResults());
}
@ -33,6 +35,7 @@ TEST_F(TestUtilTests, test_get_test_db_result_stream) {
auto expected = aggregateQuery(kTestQuery, err_int, db);
EXPECT_EQ(expected, r.second);
}
sqlite3_close(db);
}
int main(int argc, char* argv[]) {


@ -13,20 +13,24 @@ TARGET_LINK_LIBRARIES(osquery_database rocksdb)
TARGET_LINK_LIBRARIES(osquery_database snappy)
TARGET_LINK_LIBRARIES(osquery_database z)
TARGET_LINK_LIBRARIES(osquery_database osquery_config)
SET_TARGET_PROPERTIES(osquery_database PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(query_tests query_tests.cpp)
ADD_DEPENDENCIES(query_tests librocksdb)
TARGET_LINK_LIBRARIES(query_tests gtest)
TARGET_LINK_LIBRARIES(query_tests osquery_core)
TARGET_LINK_LIBRARIES(query_tests osquery_database)
SET_TARGET_PROPERTIES(query_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(db_handle_tests db_handle_tests.cpp)
ADD_DEPENDENCIES(db_handle_tests librocksdb)
TARGET_LINK_LIBRARIES(db_handle_tests gtest)
TARGET_LINK_LIBRARIES(db_handle_tests osquery_database)
SET_TARGET_PROPERTIES(db_handle_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(results_tests results_tests)
ADD_DEPENDENCIES(results_tests librocksdb)
TARGET_LINK_LIBRARIES(results_tests gtest)
TARGET_LINK_LIBRARIES(results_tests osquery_core)
TARGET_LINK_LIBRARIES(results_tests osquery_database)
SET_TARGET_PROPERTIES(results_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
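Review bot: `ADD_EXECUTABLE(results_tests results_tests)` (the context line above the new `ADD_DEPENDENCIES`) names its source without an extension, unlike every other test in this file, so it builds only because CMake guesses the extension from `CMAKE_CXX_SOURCE_FILE_EXTENSIONS`; `ADD_EXECUTABLE(results_tests results_tests.cpp)` makes the source explicit and survives stricter CMake versions. The `rocksdb`, `snappy` and `z` entries remain bare library names resolved through the top-level `LINK_DIRECTORIES("/usr/local/lib")` rather than the library the `librocksdb` ExternalProject builds (raised on the FindRocksDB.cmake section), and the three `TARGET_LINK_LIBRARIES(... gtest)` calls use the keyword-less signature, which is fine for CMake 2.8 but should gain `PRIVATE` if the minimum version is ever raised.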


@ -52,7 +52,7 @@ DBHandle::DBHandle(std::string path, bool in_memory) {
column_families_.push_back(rocksdb::ColumnFamilyDescriptor(
rocksdb::kDefaultColumnFamilyName, rocksdb::ColumnFamilyOptions()));
for (auto cf_name : kDomains) {
for (const auto& cf_name : kDomains) {
column_families_.push_back(rocksdb::ColumnFamilyDescriptor(
cf_name, rocksdb::ColumnFamilyOptions()));
}


@ -292,6 +292,9 @@ Status serializeScheduledQueryLogItem(const ScheduledQueryLogItem& i,
}
tree.add_child("diffResults", diffResults);
tree.put<std::string>("name", i.name);
tree.put<std::string>("hostname", i.hostname);
tree.put<std::string>("calendarTime", i.calendarTime);
tree.put<int>("unixTime", i.unixTime);
}
catch (const std::exception& e) {
return Status(1, e.what());


@ -177,6 +177,15 @@ struct ScheduledQueryLogItem {
// the name of the scheduled query
std::string name;
// the hostname of the host which the scheduled query was executed on
std::string hostname;
// the time that the query was executed, in unix time
int unixTime;
// the time that the query was executed, in ASCII
std::string calendarTime;
// equals operator
bool operator==(const ScheduledQueryLogItem& comp) const {
return (comp.diffResults == diffResults) && (comp.name == name);
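Review bot: `operator==` on the line after the new members still compares only `diffResults` and `name`, so two log items that differ in `hostname`, `unixTime` or `calendarTime` compare equal; if that is intended (fixtures built at different times comparing equal), the `// equals operator` comment should say so, otherwise the three new fields belong in the comparison. `int unixTime;` has no initializer, so a default-constructed item carries an indeterminate value until the scheduler assigns one — `int unixTime = 0;` is available since the project already builds as C++11. `int` is also narrower than `time_t` for this field, which is raised on the core.h section. `ScheduledQueryLogItem` continues past the hunk.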


@ -3,3 +3,4 @@ TARGET_LINK_LIBRARIES(osquery_devtools glog)
TARGET_LINK_LIBRARIES(osquery_devtools readline)
TARGET_LINK_LIBRARIES(osquery_devtools osquery_sqlite)
TARGET_LINK_LIBRARIES(osquery_devtools osquery_tables)
SET_TARGET_PROPERTIES(osquery_devtools PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -1,15 +1,15 @@
if(APPLE)
ADD_LIBRARY(osquery_filesystem_osx
plist.mm
)
TARGET_LINK_LIBRARIES(osquery_filesystem_osx boost_program_options)
TARGET_LINK_LIBRARIES(osquery_filesystem_osx glog)
TARGET_LINK_LIBRARIES(osquery_filesystem_osx "-fobjc-arc -fobjc-link-runtime -framework Foundation")
endif()
ADD_LIBRARY(osquery_filesystem
filesystem.cpp
)
if(APPLE)
ADD_LIBRARY(osquery_filesystem_objc
plist.mm
)
TARGET_LINK_LIBRARIES(osquery_filesystem_objc "-framework Foundation")
SET_TARGET_PROPERTIES(osquery_filesystem_objc PROPERTIES COMPILE_FLAGS "-x objective-c++ -fobjc-arc")
endif()
TARGET_LINK_LIBRARIES(osquery_filesystem boost_filesystem)
TARGET_LINK_LIBRARIES(osquery_filesystem boost_system)
TARGET_LINK_LIBRARIES(osquery_filesystem boost_program_options)
@ -17,17 +17,29 @@ TARGET_LINK_LIBRARIES(osquery_filesystem boost_thread-mt)
TARGET_LINK_LIBRARIES(osquery_filesystem gflags)
TARGET_LINK_LIBRARIES(osquery_filesystem glog)
if(APPLE)
TARGET_LINK_LIBRARIES(osquery_filesystem osquery_filesystem_osx)
TARGET_LINK_LIBRARIES(osquery_filesystem osquery_filesystem_objc)
endif()
SET_TARGET_PROPERTIES(osquery_filesystem PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(filesystem_tests filesystem_tests.cpp)
TARGET_LINK_LIBRARIES(filesystem_tests gtest)
TARGET_LINK_LIBRARIES(filesystem_tests osquery_filesystem)
SET_TARGET_PROPERTIES(filesystem_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
if(APPLE)
ADD_EXECUTABLE(plist_tests plist_tests.mm)
TARGET_LINK_LIBRARIES(plist_tests glog)
TARGET_LINK_LIBRARIES(plist_tests gtest)
TARGET_LINK_LIBRARIES(plist_tests osquery_core)
TARGET_LINK_LIBRARIES(plist_tests osquery_filesystem)
ADD_EXECUTABLE(plist_tests plist_tests.cpp)
TARGET_LINK_LIBRARIES(plist_tests glog)
TARGET_LINK_LIBRARIES(plist_tests gtest)
TARGET_LINK_LIBRARIES(plist_tests osquery_core)
TARGET_LINK_LIBRARIES(plist_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(plist_tests osquery_filesystem_objc)
SET_TARGET_PROPERTIES(plist_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(plist_benchmark plist_benchmark.cpp)
TARGET_LINK_LIBRARIES(plist_benchmark glog)
TARGET_LINK_LIBRARIES(plist_benchmark gtest)
TARGET_LINK_LIBRARIES(plist_benchmark osquery_core)
TARGET_LINK_LIBRARIES(plist_benchmark osquery_filesystem)
TARGET_LINK_LIBRARIES(plist_benchmark osquery_filesystem_objc)
SET_TARGET_PROPERTIES(plist_benchmark PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
endif()


@ -2,7 +2,6 @@
#include "osquery/filesystem.h"
#include <iostream>
#include <fstream>
#include <sstream>
@ -22,22 +21,36 @@ Status readFile(const std::string& path, std::string& content) {
return Status(1, "File not found");
}
int statusCode = 0;
std::string statusMessage = "OK";
char* buffer;
std::ifstream file_h(path);
if (file_h) {
file_h.seekg(0, file_h.end);
int len = file_h.tellg();
file_h.seekg(0, file_h.beg);
char* buffer = new char[len];
buffer = new char[len];
file_h.read(buffer, len);
if (!file_h) {
return Status(1, "Could not read file");
statusCode = 1;
statusMessage = "Could not read file";
goto cleanup_buffer;
}
content.assign(buffer, len);
} else {
return Status(1, "Could not open file for reading");
statusCode = 1;
statusMessage = "Could not open file for reading";
goto cleanup;
}
return Status(0, "OK");
cleanup_buffer:
delete[] buffer;
cleanup:
if (file_h) {
file_h.close();
}
return Status(statusCode, statusMessage);
}
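Review bot: The rewrite trades the early returns for a manually managed `char*` and two `goto` labels, but the only resource that needed tidying is the heap buffer, and `std::string` can own it directly: resizing `content` and reading into it removes `buffer`, both labels and the explicit `close()` (the `ifstream` destructor already closes the stream on every return path). As written, `char* buffer;` stays uninitialized on the open-failure path and `int len = file_h.tellg();` stores a stream position in an `int`, so a failed `tellg()` (-1) reaches `new char[len]` and files over 2 GiB overflow; checking the offset before allocating closes both. `readFile` begins before the hunk and its existence check is unaffected.
```cpp
  std::ifstream file_h(path);
  if (!file_h) {
    return Status(1, "Could not open file for reading");
  }
  file_h.seekg(0, file_h.end);
  std::streamoff len = file_h.tellg();
  if (len < 0) {
    return Status(1, "Could not read file");
  }
  file_h.seekg(0, file_h.beg);
  // let the output string own the buffer; no manual new/delete or goto needed
  content.resize(static_cast<std::size_t>(len));
  if (len > 0 && !file_h.read(&content[0], len)) {
    return Status(1, "Could not read file");
  }
  return Status(0, "OK");
```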
Status listFilesInDirectory(const std::string& path,


@ -19,10 +19,11 @@ namespace fs {
NSMutableArray* filterArray(id dataStructure);
NSMutableDictionary* filterDictionary(id dataStructure) {
@autoreleasepool {
NSMutableDictionary* result = [NSMutableDictionary new];
for (id key in [dataStructure allKeys]) {
NSString* className =
NSStringFromClass([[dataStructure objectForKey:key] class]);
id klass = [[dataStructure objectForKey:key] class];
NSString* className = NSStringFromClass(klass);
if ([className isEqualToString:@"__NSArrayI"] ||
[className isEqualToString:@"__NSArrayM"] ||
[className isEqualToString:@"__NSCFArray"]) {
@ -38,9 +39,11 @@ NSMutableDictionary* filterDictionary(id dataStructure) {
}
}
return result;
}
}
NSMutableArray* filterArray(id dataStructure) {
@autoreleasepool {
NSMutableArray* result = [NSMutableArray new];
for (id value in dataStructure) {
NSString* className = NSStringFromClass([value class]);
@ -57,6 +60,7 @@ NSMutableArray* filterArray(id dataStructure) {
}
}
return result;
}
}
NSMutableDictionary* filterPlist(NSMutableDictionary* plist) {
@ -64,21 +68,32 @@ NSMutableDictionary* filterPlist(NSMutableDictionary* plist) {
}
Status parsePlistContent(const std::string& fileContent, pt::ptree& tree) {
@autoreleasepool {
int statusCode = 0;
std::string statusString = "OK";
std::stringstream ss;
std::string jsonStringCxx;
NSString* jsonStringObjc;
NSData* jsonDataObjc;
NSData* plistContent =
[NSData dataWithBytes:fileContent.c_str() length:fileContent.size()];
NSError* error;
NSError* error = nil;
NSPropertyListFormat plistFormat;
NSMutableDictionary* plist = (NSMutableDictionary*)
[NSPropertyListSerialization propertyListWithData:plistContent
options:NSPropertyListImmutable
format:&plistFormat
error:&error];
id plistData = [NSPropertyListSerialization propertyListWithData:plistContent
options:NSPropertyListImmutable
format:&plistFormat
error:&error];
NSMutableDictionary* plist = (NSMutableDictionary*)plistData;
if (plist == nil) {
std::string errorMessage([[error localizedFailureReason] UTF8String]);
LOG(ERROR) << errorMessage;
return Status(1, errorMessage);
statusCode = 1;
statusString = errorMessage;
goto cleanup;
} else {
switch (plistFormat) {
case NSPropertyListOpenStepFormat:
@ -102,39 +117,46 @@ Status parsePlistContent(const std::string& fileContent, pt::ptree& tree) {
catch (const std::exception& e) {
LOG(ERROR)
<< "An exception occured while filtering the plist: " << e.what();
return Status(1, e.what());
statusCode = 1;
statusString = e.what();
goto cleanup;
}
NSData* jsonDataObjc;
if ([NSJSONSerialization isValidJSONObject:plist]) {
jsonDataObjc =
[NSJSONSerialization dataWithJSONObject:plist options:0 error:&error];
} else {
return Status(1, "Valid JSON was not deserialized");
statusCode = 1;
statusString = "Valid JSON was not deserialized";
goto cleanup;
}
if (jsonDataObjc == nil) {
std::string errorMessage([[error localizedFailureReason] UTF8String]);
LOG(ERROR) << errorMessage;
return Status(1, errorMessage);
statusCode = 1;
statusString = errorMessage;
goto cleanup;
}
NSString* jsonStringObjc =
jsonStringObjc =
[[NSString alloc] initWithBytes:[jsonDataObjc bytes]
length:[jsonDataObjc length]
encoding:NSUTF8StringEncoding];
std::string jsonStringCxx = std::string([jsonStringObjc UTF8String]);
VLOG(2) << "Deserialized JSON content from plist: " << jsonStringCxx;
std::stringstream ss;
jsonStringCxx = std::string([jsonStringObjc UTF8String]);
ss << jsonStringCxx;
try {
pt::read_json(ss, tree);
}
catch (pt::json_parser::json_parser_error& e) {
LOG(ERROR) << "Error reading JSON: " << e.what();
return Status(1, e.what());
statusCode = 1;
statusString = e.what();
goto cleanup;
}
return Status(0, "OK");
cleanup:
return Status(statusCode, statusString);
}
}
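Review bot: The `goto cleanup` rewrite in `parsePlistContent` ends at a label whose only statement is `return Status(statusCode, statusString);`, so the indirection buys nothing over returning in place — clang drains an `@autoreleasepool` on any normal exit from its scope, `return` included, which is why the original early returns were already correct; the status variables, the declarations hoisted to the top of the block and the five `goto`s can all go back to `return Status(1, ...)`. Independently, both `std::string errorMessage([[error localizedFailureReason] UTF8String]);` lines build a `std::string` from a pointer that is null whenever `localizedFailureReason` is nil (it is optional on `NSError`), which is undefined behaviour on exactly the path that handles malformed input; `[error localizedDescription]` with a fallback literal when that is nil too is the safe form. `(NSMutableDictionary*)plistData` also assumes a dictionary root, while a plist whose top level is an array deserialises successfully and is then treated as a dictionary in `filterPlist`. The `switch (plistFormat)` body between the two hunks is not visible.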
Status parsePlist(const std::string& path, pt::ptree& tree) {


@ -0,0 +1,62 @@
// Copyright 2004-present Facebook. All Rights Reserved.
#include "osquery/filesystem.h"
#include <gflags/gflags.h>
#include <glog/logging.h>
#include <gtest/gtest.h>
#include "osquery/core.h"
#include "osquery/core/test_util.h"
using namespace osquery::core;
namespace pt = boost::property_tree;
namespace osquery {
namespace fs {
// run this benchmark with --iterations=9001 to parse over 9000 property lists
DEFINE_int32(iterations, 100, "Iterations to execute");
class PlistBenchmark : public testing::Test {};
TEST_F(PlistBenchmark, bench_parse_plist_content) {
// using LOG(ERROR) as a quick hack so that gtest displays the log line even
// when the test passes
LOG(ERROR) << "Starting: " << getAsciiTime();
LOG(ERROR) << "Performing " << FLAGS_iterations << " iterations";
int time = getUnixTime();
for (int i = 0; i < FLAGS_iterations; ++i) {
std::string content = getPlistContent();
pt::ptree tree;
auto s = parsePlistContent(content, tree);
EXPECT_TRUE(s.ok());
EXPECT_EQ(s.toString(), "OK");
EXPECT_EQ(tree.get<bool>("Disabled"), true);
EXPECT_THROW(tree.get<bool>("foobar"), pt::ptree_bad_path);
EXPECT_EQ(tree.get<std::string>("Label"), "com.apple.FileSyncAgent.sshd");
std::vector<std::string> program_arguments = {
"/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/"
"FileSyncAgent_sshd-keygen-wrapper",
"-i", "-f",
"/System/Library/CoreServices/FileSyncAgent.app/Contents/Resources/"
"FileSyncAgent_sshd_config", };
pt::ptree program_arguments_tree = tree.get_child("ProgramArguments");
std::vector<std::string> program_arguments_parsed;
for (const auto& argument : program_arguments_tree) {
program_arguments_parsed.push_back(argument.second.get<std::string>(""));
}
EXPECT_EQ(program_arguments_parsed, program_arguments);
}
LOG(ERROR) << "Ending: " << getAsciiTime();
LOG(ERROR) << "Benchmark executed in " << (getUnixTime() - time) << " seconds";
}
}
}
int main(int argc, char* argv[]) {
google::ParseCommandLineFlags(&argc, &argv, true);
testing::InitGoogleTest(&argc, argv);
google::InitGoogleLogging(argv[0]);
return RUN_ALL_TESTS();
}
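Review bot: The benchmark times itself with `getUnixTime()`, which has one-second resolution, so at the default 100 iterations the reported duration is usually 0 or 1 seconds and says little; `std::chrono::steady_clock` gives a monotonic, sub-second measurement, e.g. `auto start = std::chrono::steady_clock::now();` before the loop and `std::chrono::duration_cast<std::chrono::milliseconds>(std::chrono::steady_clock::now() - start).count()` in the closing log line, with `<chrono>` added to the includes. The local named `time` also shadows the C library function `time`, which is easy to misread next to the `getUnixTime` calls — `start` avoids that. Since this is a gtest binary, `EXPECT_*` failures inside the loop are reported per iteration; that is fine for a benchmark but worth a comment so nobody mistakes it for the functional test in plist_tests.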


@ -5,8 +5,6 @@
#include <glog/logging.h>
#include <gtest/gtest.h>
#import <Foundation/Foundation.h>
#include "osquery/core/test_util.h"
using namespace osquery::core;


@ -4,7 +4,10 @@ ADD_LIBRARY(osquery_logger
)
TARGET_LINK_LIBRARIES(osquery_logger osquery_database)
TARGET_LINK_LIBRARIES(osquery_logger "-Wl,-all_load")
SET_TARGET_PROPERTIES(osquery_logger PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(logger_tests logger_tests.cpp)
TARGET_LINK_LIBRARIES(logger_tests gtest)
TARGET_LINK_LIBRARIES(logger_tests osquery_core)
TARGET_LINK_LIBRARIES(logger_tests osquery_logger)
SET_TARGET_PROPERTIES(logger_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -6,6 +6,8 @@
#include <gtest/gtest.h>
#include <glog/logging.h>
#include "osquery/core.h"
using namespace osquery::db;
using namespace osquery::logger;
using osquery::Status;
@ -40,6 +42,6 @@ TEST_F(LoggerTests, test_plugin) {
int main(int argc, char* argv[]) {
testing::InitGoogleTest(&argc, argv);
google::InitGoogleLogging(argv[0]);
osquery::core::initOsquery(argc, argv);
return RUN_ALL_TESTS();
}
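Review bot: `main` now calls both `google::InitGoogleLogging(argv[0])` and `osquery::core::initOsquery(argc, argv)`; daemon.cpp in this same commit relies on `initOsquery` alone for logging setup, which suggests `initOsquery` initialises glog itself (its body is not on the page). glog's `InitGoogleLogging` aborts with "You called InitGoogleLogging() twice!" on a second call in the same process, so if that reading is right this test binary dies at startup; the direct `InitGoogleLogging` line here should go, or `initOsquery` should skip glog initialisation when it has already been done. A comment on `initOsquery` in core.h stating what it initialises would prevent the same double-call in the other test mains.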


@ -2,12 +2,31 @@
#include <boost/thread.hpp>
#include <glog/logging.h>
#include "osquery/config.h"
#include "osquery/config/plugin.h"
#include "osquery/core.h"
#include "osquery/logger.h"
#include "osquery/logger/plugin.h"
#include "osquery/registry.h"
#include "osquery/scheduler.h"
int main(int argc, char *argv[]) {
osquery::core::initOsquery(argc, argv);
LOG(INFO) << "Listing all plugins";
LOG(INFO) << "Logger plugins:";
for (const auto& it : REGISTERED_LOGGER_PLUGINS) {
LOG(INFO) << " - " << it.first;
}
LOG(INFO) << "Config plugins:";
for (const auto& it : REGISTERED_CONFIG_PLUGINS) {
LOG(INFO) << " - " << it.first;
}
boost::thread scheduler_thread(osquery::scheduler::initialize);
scheduler_thread.join();
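Review bot: `main` spawns the scheduler on a `boost::thread` and then immediately blocks in `join()`, so unless something after the hunk needs the main thread, the extra thread and the `<boost/thread.hpp>` dependency add nothing over calling `osquery::scheduler::initialize()` directly. More relevant for a launch daemon, nothing visible installs a handler for `SIGTERM`, which is what `launchctl unload` (used by the Makefile's `clean_install`) delivers: the process is killed mid-`sleep` or mid-query with no chance to close the database or log a shutdown line. A flag set from a `sigaction` handler that the scheduler loop checks on each tick gives an orderly exit. `main` continues past the hunk.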


@ -1,10 +1,9 @@
ADD_LIBRARY(osquery_scheduler
scheduler.cpp
)
TARGET_LINK_LIBRARIES(osquery_scheduler boost_system)
TARGET_LINK_LIBRARIES(osquery_scheduler boost_thread-mt)
TARGET_LINK_LIBRARIES(osquery_scheduler glog)
TARGET_LINK_LIBRARIES(osquery_scheduler osquery_config)
TARGET_LINK_LIBRARIES(osquery_scheduler osquery_core)
TARGET_LINK_LIBRARIES(osquery_scheduler osquery_database)
TARGET_LINK_LIBRARIES(osquery_scheduler osquery_logger)
SET_TARGET_PROPERTIES(osquery_scheduler PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -2,12 +2,8 @@
#include "osquery/scheduler.h"
#include <climits>
#include <ctime>
#include <iostream>
#include <boost/asio.hpp>
#include <boost/bind.hpp>
#include <boost/date_time/posix_time/posix_time.hpp>
#include <glog/logging.h>
@ -16,7 +12,14 @@
#include "osquery/database.h"
#include "osquery/logger.h"
#define SCHEDULER_INTERVAL 60
#ifdef OSQUERY_TEST_DAEMON
// if we're testing the daemon, set the time between each "minute" to be one
// second so that we see results faster
#define SECONDS_IN_A_MINUTE 1
#else
// in production, a minute is 60 seconds long
#define SECONDS_IN_A_MINUTE 60
#endif
using namespace osquery::config;
namespace core = osquery::core;
@ -26,13 +29,11 @@ namespace logger = osquery::logger;
namespace osquery {
namespace scheduler {
void launchQueries(boost::asio::deadline_timer& t, int mins) {
DLOG(INFO) << "launchQueries: " << mins;
auto cfg = Config::getInstance();
for (auto query : cfg->getScheduledQueries()) {
if ((mins % query.interval) == 0) {
VLOG(1) << "executing query: " << query.query;
void launchQueries(const osquery::config::scheduledQueries_t& queries, const int64_t& minute) {
LOG(INFO) << "launchQueries: " << minute;
for (const auto& query : queries) {
if (minute % query.interval == 0) {
LOG(INFO) << "executing query: " << query.query;
int unix_time = std::time(0);
int err;
auto query_results = core::aggregateQuery(query.query, err);
@ -50,33 +51,41 @@ void launchQueries(boost::asio::deadline_timer& t, int mins) {
continue;
}
db::ScheduledQueryLogItem item;
item.diffResults = diff_results;
item.name = query.name;
logger::logScheduledQueryLogItem(item);
if (diff_results.added.size() > 0 || diff_results.removed.size() > 0) {
VLOG(1) << "Results found for query: \"" << query.query << "\"";
db::ScheduledQueryLogItem item;
item.diffResults = diff_results;
item.name = query.name;
item.hostname = osquery::core::getHostname();
item.unixTime = osquery::core::getUnixTime();
item.calendarTime = osquery::core::getAsciiTime();
auto s = logger::logScheduledQueryLogItem(item);
if (!s.ok()) {
LOG(ERROR) << "Error logging the results of query \"" << query.query
<< "\"" << ": " << s.toString();
}
}
}
}
++mins;
t.expires_at(t.expires_at() + boost::posix_time::seconds(SCHEDULER_INTERVAL));
t.async_wait(boost::bind(launchQueries, boost::ref(t), mins));
}
void initialize() {
DLOG(INFO) << "osquery::scheduler::initialize";
boost::asio::io_service io;
time_t _time = time(0);
struct tm* now = localtime(&_time);
int mins = now->tm_min;
boost::asio::deadline_timer t(io,
boost::posix_time::seconds(SCHEDULER_INTERVAL));
t.async_wait(boost::bind(launchQueries, boost::ref(t), mins));
io.run();
time_t t = time(0);
struct tm *local = localtime(&t);
unsigned long int minute = local->tm_min;
auto cfg = Config::getInstance();
#ifdef OSQUERY_TEST_DAEMON
// if we're testing the daemon, only iterate through 15 "minutes"
static unsigned long int stop_at = minute + 15;
#else
// if this is production, count forever
static unsigned long int stop_at = LONG_MAX;
#endif
for (; minute <= stop_at; ++minute) {
launchQueries(cfg->getScheduledQueries(), minute);
sleep(SECONDS_IN_A_MINUTE);
}
}
}
}
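Review bot: The new `initialize` loop replaces a deadline timer that re-armed at `expires_at() + interval` with `launchQueries(...)` followed by `sleep(SECONDS_IN_A_MINUTE)`, so every tick now lasts the period plus however long the queries took and the `minute` counter drifts further behind wall-clock time with each iteration — a query with a 5-minute interval fires progressively later; sleeping only for the remainder of the period keeps the old cadence without asio. Two smaller points: `static unsigned long int stop_at` makes `initialize` keep the first call's limit if it is ever entered twice in a test binary (a plain local does the same job), and `LONG_MAX` is the signed limit assigned to an unsigned variable where `ULONG_MAX` is meant; `sleep()` is also declared in `<unistd.h>`, which is not among the includes shown. `launchQueries` now logs at `LOG(INFO)` where it used `VLOG(1)`, which writes a line to the daemon log for every scheduled query every minute.
```cpp
  // … unchanged: minute / cfg / stop_at setup …
  for (; minute <= stop_at; ++minute) {
    time_t tick_start = time(0);
    launchQueries(cfg->getScheduledQueries(), minute);
    // sleep only for what is left of the period so query run time does not
    // accumulate into the schedule
    time_t elapsed = time(0) - tick_start;
    if (elapsed < SECONDS_IN_A_MINUTE) {
      sleep(SECONDS_IN_A_MINUTE - elapsed);
    }
  }
```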


@ -1,3 +1,31 @@
if(APPLE)
ADD_LIBRARY(osquery_tables_objc
../core/osx/NSProcessInfo+PECocoaBackports.mm
system/osx_version.mm
)
TARGET_LINK_LIBRARIES(osquery_tables_objc "-framework Foundation")
SET_TARGET_PROPERTIES(osquery_tables_objc PROPERTIES COMPILE_FLAGS "-x objective-c++ -fobjc-arc")
ADD_LIBRARY(osquery_tables_osx
networking/interfaces.cpp
networking/listening_ports.cpp
networking/routes.cpp
networking/utils.cpp
system/apps.cpp
system/cacerts.cpp
system/firewall.cpp
system/kextstat.cpp
system/launchd.cpp
system/nvram.cpp
system/processes.cpp
)
TARGET_LINK_LIBRARIES(osquery_tables_osx boost_filesystem)
TARGET_LINK_LIBRARIES(osquery_tables_osx osquery_database)
TARGET_LINK_LIBRARIES(osquery_tables_osx osquery_filesystem)
SET_TARGET_PROPERTIES(osquery_tables_osx PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
TARGET_LINK_LIBRARIES(osquery_tables_osx "-framework IOKit -framework CoreFoundation -framework Security")
endif()
FILE(GLOB table_sources
"generated/*.cpp"
"manual/*.cpp"
@ -6,28 +34,18 @@ FILE(GLOB table_sources
ADD_LIBRARY(osquery_tables
registry.cpp
${table_sources}
networking/utils.cpp
networking/etc_hosts.cpp
networking/listening_ports.cpp
networking/routes.cpp
networking/interfaces.cpp
system/kextstat.cpp
system/processes.cpp
system/nvram.cpp
../core/osx/NSProcessInfo+PECocoaBackports.mm
system/osx_version.mm
system/firewall.cpp
system/apps.cpp
system/launchd.cpp
system/cacerts.cpp
utility/time.cpp
)
TARGET_LINK_LIBRARIES(osquery_tables boost_filesystem)
TARGET_LINK_LIBRARIES(osquery_tables glog)
TARGET_LINK_LIBRARIES(osquery_tables osquery_filesystem)
TARGET_LINK_LIBRARIES(osquery_tables osquery_sqlite)
TARGET_LINK_LIBRARIES(osquery_tables "-Wl,-all_load")
TARGET_LINK_LIBRARIES(osquery_tables "-fobjc-arc -fobjc-link-runtime -framework Foundation -framework IOKit -framework CoreFoundation -framework Security")
if(APPLE)
TARGET_LINK_LIBRARIES(osquery_tables osquery_tables_objc)
TARGET_LINK_LIBRARIES(osquery_tables osquery_tables_osx)
endif()
SET_TARGET_PROPERTIES(osquery_tables PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(etc_hosts_tests networking/etc_hosts_tests.cpp)
TARGET_LINK_LIBRARIES(etc_hosts_tests gtest)
@ -36,36 +54,4 @@ TARGET_LINK_LIBRARIES(etc_hosts_tests osquery_core)
TARGET_LINK_LIBRARIES(etc_hosts_tests osquery_database)
TARGET_LINK_LIBRARIES(etc_hosts_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(etc_hosts_tests osquery_tables)
ADD_EXECUTABLE(firewall_tests system/firewall_tests.cpp)
TARGET_LINK_LIBRARIES(firewall_tests gtest)
TARGET_LINK_LIBRARIES(firewall_tests glog)
TARGET_LINK_LIBRARIES(firewall_tests osquery_core)
TARGET_LINK_LIBRARIES(firewall_tests osquery_database)
TARGET_LINK_LIBRARIES(firewall_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(firewall_tests osquery_tables)
ADD_EXECUTABLE(apps_tests system/apps_tests.cpp)
TARGET_LINK_LIBRARIES(apps_tests gtest)
TARGET_LINK_LIBRARIES(apps_tests glog)
TARGET_LINK_LIBRARIES(apps_tests osquery_core)
TARGET_LINK_LIBRARIES(apps_tests osquery_database)
TARGET_LINK_LIBRARIES(apps_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(apps_tests osquery_tables)
ADD_EXECUTABLE(launchd_tests system/launchd_tests.cpp)
TARGET_LINK_LIBRARIES(launchd_tests gtest)
TARGET_LINK_LIBRARIES(launchd_tests glog)
TARGET_LINK_LIBRARIES(launchd_tests osquery_core)
TARGET_LINK_LIBRARIES(launchd_tests osquery_database)
TARGET_LINK_LIBRARIES(launchd_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(launchd_tests osquery_tables)
ADD_EXECUTABLE(cacerts_tests system/cacerts_tests.cpp)
TARGET_LINK_LIBRARIES(cacerts_tests gtest)
TARGET_LINK_LIBRARIES(cacerts_tests glog)
TARGET_LINK_LIBRARIES(cacerts_tests osquery_core)
TARGET_LINK_LIBRARIES(cacerts_tests osquery_database)
TARGET_LINK_LIBRARIES(cacerts_tests osquery_filesystem)
TARGET_LINK_LIBRARIES(cacerts_tests osquery_tables)
TARGET_LINK_LIBRARIES(osquery_tables "-framework CoreFoundation -framework Security")
SET_TARGET_PROPERTIES(etc_hosts_tests PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")


@ -3,6 +3,7 @@
#ifndef OSQUERY_TABLES_BASE_H
#define OSQUERY_TABLES_BASE_H
#include <stdio.h>
#include <sqlite3.h>
namespace osquery {
@ -35,7 +36,8 @@ struct x_vtab {
template <class T_VTAB>
int xDestroy(sqlite3_vtab *p) {
T_VTAB *pVtab = (T_VTAB *)p;
sqlite3_free(pVtab);
delete pVtab->pContent;
delete pVtab;
return SQLITE_OK;
}
@ -148,7 +150,7 @@ int xCreate(sqlite3 *db, /* Database where module is created */
// sqlite3_create_module_v2() call that registered the virtual table
// module. This sets the pContent value of the virtual table struct to
// whatever that value was
pVtab->pContent = (T_STRUCT *)pAux;
pVtab->pContent = new T_STRUCT;
// this interface is called to declare the format (the names and datatypes
// of the columns) of the virtual tables they implement
@ -177,20 +179,14 @@ int sqlite3_attach_vtable(sqlite3 *db,
const char *zName,
const sqlite3_module *module) {
int rc = SQLITE_OK;
T_STRUCT *p = new T_STRUCT;
if (p == 0) {
return SQLITE_NOMEM;
}
memset(p, 0, sizeof(*p));
rc = sqlite3_create_module(db, zName, module, p);
rc = sqlite3_create_module(db, zName, module, 0);
if (rc == SQLITE_OK) {
char *zSql;
zSql =
sqlite3_mprintf("CREATE VIRTUAL TABLE temp.%Q USING %Q", zName, zName);
const char zFormat[] = "CREATE VIRTUAL TABLE temp.%s USING %s";
size_t zSize = (((((sizeof(zFormat) + (sizeof(zName)) + 2) * 2)) + 1) * sizeof(char));
char *zSql = (char*)malloc(1024 * sizeof(char));
snprintf(zSql, zSize, zFormat, zName, zName);
rc = sqlite3_exec(db, zSql, 0, 0, 0);
sqlite3_free(zSql);
free(zSql);
}
return rc;
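Review bot: In sqlite3_attach_vtable the bound passed to `snprintf` is computed from `sizeof(zName)`, which is the size of a `const char *` rather than the length of the name, so `zSize` is a fixed value under 100 bytes that has nothing to do with the 1024 bytes actually allocated, and any table name longer than roughly 30 characters is silently truncated into a malformed CREATE statement. Replacing the old `%Q` with `%s` also drops SQLite's identifier quoting, and the `malloc` result is never checked before use. Restoring the library formatter fixes all three: `char *zSql = sqlite3_mprintf("CREATE VIRTUAL TABLE temp.%Q USING %Q", zName, zName);`, then `rc = sqlite3_exec(db, zSql, 0, 0, 0);` and `sqlite3_free(zSql);`, with an early `return SQLITE_NOMEM;` when `zSql` is null; the function's closing brace is outside the hunk. In xDestroy, `delete pVtab;` is only correct if the matching allocation in xCreate (not visible in this hunk) was switched from `sqlite3_malloc` to `new` in the same commit — worth confirming.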


@ -12,7 +12,7 @@
#include "osquery/core.h"
#include "osquery/database.h"
#include "utils.h"
#include "osquery/tables/networking/utils.h"
using namespace osquery::core;
using namespace osquery::db;


@ -130,6 +130,7 @@ QueryData genListeningPorts() {
free(fd_list);
}
free(pids);
return results;
}
}


@ -7,7 +7,7 @@
#include <boost/algorithm/string/trim.hpp>
#include "utils.h"
#include "osquery/tables/networking/utils.h"
std::string canonical_ip_address(const struct sockaddr *in) {
char dst[INET6_ADDRSTRLEN];


@ -0,0 +1,7 @@
table_name("time")
schema([
Column(name="hour", type="std::string"),
Column(name="minutes", type="std::string"),
Column(name="seconds", type="std::string"),
])
implementation("osquery/tables/utility/time@genTime")


@ -256,6 +256,7 @@ CFDataRef CreatePropertyFromCertificate(const SecCertificateRef &cert,
property = (CFDataRef)CFNumberCreateCopy((CFNumberRef)property);
} else {
LOG(ERROR) << "This property type is unknown...";
property = NULL;
}
// Release and give the caller control of the property.
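Review bot: The added `property = NULL;` in the unknown-type branch makes CreatePropertyFromCertificate a function that can return null, so every caller now has to check the result before handing it to a CF API; the function's header comment (outside this hunk) should say so, e.g. `// Returns NULL when the property type is not recognized; callers must check.`. The comment that follows, "Release and give the caller control of the property.", suggests a release is performed on `property` just below — if that code (not visible here) calls `CFRelease` unconditionally it needs a null guard for this new path.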


@ -1,7 +1,6 @@
// Copyright 2004-present Facebook. All Rights Reserved.
#include <CoreFoundation/CoreFoundation.h>
#include <iostream>
#include <boost/algorithm/string/trim.hpp>
#include <boost/lexical_cast.hpp>
@ -20,11 +19,6 @@ extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
namespace osquery {
namespace tables {
// Convert a CFString to a standard C string
inline char *cfstring_to_cstring(CFStringRef s) {
return ((char *)CFStringGetCStringPtr(s, kCFStringEncodingMacRoman));
}
QueryData genKextstat() {
QueryData results;
CFDictionaryRef dict = OSKextCopyLoadedKextInfo(NULL, NULL);
@ -49,9 +43,18 @@ QueryData genKextstat() {
unsigned long long wired_size;
// name
std::string name =
std::string(cfstring_to_cstring((CFStringRef)CFDictionaryGetValue(
(CFDictionaryRef)(values)[j], CFSTR("CFBundleIdentifier"))));
std::string name;
CFStringRef nameRef = (CFStringRef)CFDictionaryGetValue(
(CFDictionaryRef)(values)[j], CFSTR("CFBundleIdentifier"));
CFIndex nameLen = CFStringGetLength(nameRef) + 1;
char* nameBuffer = (char*)malloc(nameLen);
if (nameBuffer && CFStringGetCString(nameRef, nameBuffer, nameLen, kCFStringEncodingUTF8)) {
name = std::string(nameBuffer);
boost::algorithm::trim(name);
}
if (nameBuffer != 0) {
free(nameBuffer);
}
// index
CFNumberGetValue(
@ -93,9 +96,18 @@ QueryData genKextstat() {
boost::algorithm::trim(wired);
// version
std::string version =
std::string(cfstring_to_cstring((CFStringRef)CFDictionaryGetValue(
(CFDictionaryRef)values[j], CFSTR("CFBundleVersion"))));
std::string version;
CFStringRef versionRef = (CFStringRef)CFDictionaryGetValue(
(CFDictionaryRef)values[j], CFSTR("CFBundleVersion"));
CFIndex versionLen = CFStringGetLength(versionRef) + 1;
char* versionBuffer = (char*)malloc(versionLen);
if (versionBuffer && CFStringGetCString(versionRef, versionBuffer, versionLen, kCFStringEncodingUTF8)) {
version = std::string(versionBuffer);
boost::algorithm::trim(version);
}
if (versionBuffer != 0) {
free(versionBuffer);
}
// linked_against
CFArrayRef dependencies = (CFArrayRef)CFDictionaryGetValue(
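Review bot: Both new conversions size their buffer as `CFStringGetLength(ref) + 1`, which counts UTF-16 code units rather than UTF-8 bytes, so a bundle identifier or version containing non-ASCII characters makes `CFStringGetCString` fail and the field silently stays empty; `CFStringGetMaximumSizeForEncoding(CFStringGetLength(ref), kCFStringEncodingUTF8) + 1` is the correct bound. Neither site checks that `CFDictionaryGetValue` returned a non-null CFString before calling `CFStringGetLength` on it, which would fault on a kext record lacking the key. Since the name and version blocks are identical apart from the key, a small static helper placed where the removed cfstring_to_cstring lived removes the duplication; genKextstat itself starts and ends outside these hunks.
```cpp
// Copy the CFString stored under `key` in `dict` as UTF-8; returns an empty
// string when the key is missing, is not a string, or conversion fails.
static std::string copyDictString(CFDictionaryRef dict, CFStringRef key) {
  std::string out;
  CFStringRef ref = (CFStringRef)CFDictionaryGetValue(dict, key);
  if (ref == NULL || CFGetTypeID(ref) != CFStringGetTypeID()) {
    return out;
  }
  // UTF-8 may need several bytes per UTF-16 unit; ask CF for the upper bound.
  CFIndex len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(ref),
                                                  kCFStringEncodingUTF8);
  if (len <= 0) {  // kCFNotFound on overflow
    return out;
  }
  len += 1;
  char* buffer = (char*)malloc(len);
  if (buffer && CFStringGetCString(ref, buffer, len, kCFStringEncodingUTF8)) {
    out = std::string(buffer);
    boost::algorithm::trim(out);
  }
  free(buffer);  // free(NULL) is a no-op
  return out;
}

// … unchanged: genKextstat() up to the per-kext loop body …
      std::string name =
          copyDictString((CFDictionaryRef)values[j], CFSTR("CFBundleIdentifier"));
// … unchanged: index, size, wired …
      std::string version =
          copyDictString((CFDictionaryRef)values[j], CFSTR("CFBundleVersion"));
// … unchanged: linked_against and the rest of the loop …
```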


@ -35,12 +35,13 @@ void genVariable(const void *key, const void *value, void *results) {
const char *valueString = 0;
uint32_t number, length;
// OF variable canonical type casting.
CFTypeID typeID;
CFTypeID typeID = CFGetTypeID(value);
CFIndex typeLen;
char *typeBuffer;
// Get the OF variable's name.
CFIndex nameLen;
char *nameBuffer = 0;
CFStringRef typeIDDescription = CFCopyTypeIDDescription(typeID);
nameLen = CFStringGetLength((CFStringRef)key) + 1;
nameBuffer = (char *)malloc(nameLen);
@ -55,13 +56,14 @@ void genVariable(const void *key, const void *value, void *results) {
// Get the OF variable's type.
typeID = CFGetTypeID(value);
typeLen = CFStringGetLength(CFCopyTypeIDDescription(typeID)) + 1;
typeIDDescription = CFCopyTypeIDDescription(CFGetTypeID(value));
typeLen = CFStringGetLength(typeIDDescription) + 1;
typeBuffer = (char *)malloc(typeLen);
if (typeBuffer && CFStringGetCString(CFCopyTypeIDDescription(typeID),
if (typeBuffer && CFStringGetCString(typeIDDescription,
typeBuffer,
typeLen,
kCFStringEncodingUTF8)) {
nvram_row["type"] = boost::lexical_cast<std::string>(typeBuffer);
nvram_row["type"] = std::string(typeBuffer);
} else {
goto cleanup;
}
@ -134,6 +136,7 @@ cleanup:
if (valueBuffer != 0) {
free(valueBuffer);
}
CFRelease(typeIDDescription);
}
QueryData genNVRAM() {
@ -169,6 +172,7 @@ QueryData genNVRAM() {
cleanup:
// Cleanup (registry entry context).
IOObjectRelease(options_ref);
CFRelease(options_dict);
return results;
}
}
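Review bot: `typeIDDescription` is now created twice per call in genVariable: the declaration near the top copies it from `typeID`, and the later `typeIDDescription = CFCopyTypeIDDescription(CFGetTypeID(value));` overwrites that reference without releasing it, so one CFString leaks for every NVRAM variable and the `CFRelease(typeIDDescription)` added under `cleanup:` only frees the second copy. Because `typeID` is initialized from `value` at its declaration in this commit, the reassignment line can simply be deleted, along with the now-redundant `typeID = CFGetTypeID(value);` context line above it. In genNVRAM the added `CFRelease(options_dict)` sits under a `cleanup:` label that earlier `goto`s may reach before `options_dict` is assigned (not visible in the hunk); if so it needs the same null guard the buffer frees in this file already use.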


@ -1,6 +1,6 @@
// Copyright 2004-present Facebook. All Rights Reserved.
#include "osquery/database.h"
#include "osquery/database/results.h"
#include <string>
@ -14,6 +14,8 @@ namespace osquery {
namespace tables {
QueryData genOSXVersion() {
QueryData results;
@autoreleasepool {
NSOperatingSystemVersion v =
[[NSProcessInfo processInfo] operatingSystemVersion];
@ -23,7 +25,9 @@ QueryData genOSXVersion() {
r["minor"] = boost::lexical_cast<std::string>(v.minorVersion);
r["patch"] = boost::lexical_cast<std::string>(v.patchVersion);
return {r};
results.push_back(r);
}
return results;
}
}
}


@ -0,0 +1,30 @@
// Copyright 2004-present Facebook. All Rights Reserved.
#include <ctime>
#include <boost/lexical_cast.hpp>
#include "osquery/database.h"
using namespace osquery::db;
namespace osquery {
namespace tables {
const int kNumCols = 1;
QueryData genTime() {
Row r;
time_t _time = time(0);
struct tm* now = localtime(&_time);
r["hour"] = boost::lexical_cast<std::string>(now->tm_hour);
r["minutes"] = boost::lexical_cast<std::string>(now->tm_min);
r["seconds"] = boost::lexical_cast<std::string>(now->tm_sec);
QueryData results;
for (int i = 0; i < kNumCols; ++i) {
results.push_back(r);
}
return results;
}
}
}
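Review bot: genTime calls `localtime()`, which returns a pointer to a shared static buffer and is not safe once tables are queried from more than one thread, and the returned pointer is dereferenced without a null check. The `kNumCols` loop is also misleading: the constant is named as a column count but is used to push the same row exactly once, so it amounts to `results.push_back(r);`. Suggest `localtime_r()` into a stack `struct tm` with an early return on failure, and dropping the constant and the loop; `<ctime>` is already included.
```cpp
QueryData genTime() {
  QueryData results;
  time_t now = time(0);
  struct tm local;
  // localtime() hands back a shared static buffer; localtime_r() is reentrant.
  if (localtime_r(&now, &local) == 0) {
    return results;
  }
  Row r;
  r["hour"] = boost::lexical_cast<std::string>(local.tm_hour);
  r["minutes"] = boost::lexical_cast<std::string>(local.tm_min);
  r["seconds"] = boost::lexical_cast<std::string>(local.tm_sec);
  results.push_back(r);
  return results;
}
```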


@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Disabled</key>
<false/>
<key>OnDemand</key>
<false/>
<key>Label</key>
<string>com.facebook.osqueryd</string>
<key>Program</key>
<string>/usr/local/bin/osqueryd</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
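Review bot: This LaunchDaemon runs as root with `Program` pointing at `/usr/local/bin/osqueryd`, and on many macOS systems `/usr/local/bin` is writable by the admin user (Homebrew's default layout); the installer should therefore ensure both the binary and its parent directory are root-owned and not group- or world-writable, otherwise anyone who can replace that file inherits the daemon's privileges. `OnDemand` is a legacy key that `KeepAlive` (already set here) superseded, so the `<key>OnDemand</key>` / `<false/>` pair can be dropped. Consider adding a short XML comment above `<dict>` noting that launchd requires this file itself to be root-owned and mode 0644, which is what the packaging project installs.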


@ -0,0 +1,9 @@
{
"scheduledQueries": [
{
"name": "time",
"query": "SELECT * FROM time;",
"interval": 2
}
]
}


@ -7,7 +7,7 @@
<key>PACKAGE_FILES</key>
<dict>
<key>DEFAULT_INSTALL_LOCATION</key>
<string>/usr/local/bin</string>
<string>/</string>
<key>HIERARCHY</key>
<dict>
<key>CHILDREN</key>
@ -162,7 +162,24 @@
</dict>
<dict>
<key>CHILDREN</key>
<array/>
<array>
<dict>
<key>CHILDREN</key>
<array/>
<key>GID</key>
<integer>0</integer>
<key>PATH</key>
<string>com.facebook.osqueryd.plist</string>
<key>PATH_TYPE</key>
<integer>1</integer>
<key>PERMISSIONS</key>
<integer>420</integer>
<key>TYPE</key>
<integer>3</integer>
<key>UID</key>
<integer>0</integer>
</dict>
</array>
<key>GID</key>
<integer>0</integer>
<key>PATH</key>
@ -933,6 +950,56 @@
<key>UID</key>
<integer>0</integer>
</dict>
<dict>
<key>CHILDREN</key>
<array>
<dict>
<key>CHILDREN</key>
<array>
<dict>
<key>CHILDREN</key>
<array/>
<key>GID</key>
<integer>0</integer>
<key>PATH</key>
<string>osquery.conf</string>
<key>PATH_TYPE</key>
<integer>1</integer>
<key>PERMISSIONS</key>
<integer>420</integer>
<key>TYPE</key>
<integer>3</integer>
<key>UID</key>
<integer>0</integer>
</dict>
</array>
<key>GID</key>
<integer>0</integer>
<key>PATH</key>
<string>osquery</string>
<key>PATH_TYPE</key>
<integer>0</integer>
<key>PERMISSIONS</key>
<integer>493</integer>
<key>TYPE</key>
<integer>2</integer>
<key>UID</key>
<integer>0</integer>
</dict>
</array>
<key>GID</key>
<integer>0</integer>
<key>PATH</key>
<string>var</string>
<key>PATH_TYPE</key>
<integer>0</integer>
<key>PERMISSIONS</key>
<integer>493</integer>
<key>TYPE</key>
<integer>2</integer>
<key>UID</key>
<integer>0</integer>
</dict>
</array>
<key>GID</key>
<integer>0</integer>
@ -961,8 +1028,6 @@
<key>PATH_TYPE</key>
<integer>1</integer>
</dict>
<key>PREINSTALL_PATH</key>
<dict/>
<key>RESOURCES</key>
<array/>
</dict>
@ -972,6 +1037,8 @@
<integer>1</integer>
<key>CONCLUSION_ACTION</key>
<integer>0</integer>
<key>FOLLOW_SYMBOLIC_LINKS</key>
<false/>
<key>IDENTIFIER</key>
<string>com.facebook.pkg.osquery</string>
<key>OVERWRITE_PERMISSIONS</key>
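Review bot: The new `/var/osquery/osquery.conf` entry is installed root-owned with `PERMISSIONS` 420 (0644), i.e. world-readable; it is consumed only by the root daemon, and a scheduled-query config is exactly where log-destination or credential settings tend to land later, so `<integer>416</integer>` (0640) is the safer default to set now rather than after something sensitive is added. The `com.facebook.osqueryd.plist` entry at 420 with UID/GID 0 is correct — launchd requires the plist to be root-owned and not writable by others — and the 493 (0755) directories are fine.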


@ -3,7 +3,7 @@
# Copyright 2004-present Facebook. All Rights Reserved.
OSQUERY_LAUNCD_STRING="osquery"
OSQUERY_LAUNCD_LABEL="com.facebook.osquery.plist"
OSQUERY_LAUNCD_LABEL="com.facebook.osqueryd.plist"
OSQUERY_LAUNCD_PATH="/Library/LaunchDaemons/$OSQUERY_LAUNCD_LABEL"
OSQUERY_PROCESS_STRING="osqueryd"


@ -1,3 +1,12 @@
ADD_EXECUTABLE(flag_test flag_test.cpp)
TARGET_LINK_LIBRARIES(flag_test gflags glog)
SET_TARGET_PROPERTIES(flag_test PROPERTIES OUTPUT_NAME flag_test)
SET_TARGET_PROPERTIES(flag_test PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(registry_test registry_test.cpp)
TARGET_LINK_LIBRARIES(registry_test osquery_static)
SET_TARGET_PROPERTIES(registry_test PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
ADD_EXECUTABLE(run run.cpp)
TARGET_LINK_LIBRARIES(run osquery_static)
SET_TARGET_PROPERTIES(run PROPERTIES COMPILE_FLAGS "-std=c++11 -stdlib=libc++")
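Review bot: The three new `SET_TARGET_PROPERTIES(... COMPILE_FLAGS "-std=c++11 -stdlib=libc++")` lines repeat a string that is already set per target elsewhere in the project; unless the CMake minimum is raised to 3.1 where `CMAKE_CXX_STANDARD` exists, the least-effort dedup is one variable, e.g. `set(OSQUERY_CXX_FLAGS "-std=c++11 -stdlib=libc++")` at the top level and `COMPILE_FLAGS "${OSQUERY_CXX_FLAGS}"` here, so a standard or compiler change is a single edit. `-stdlib=libc++` is Clang-specific, which matches the Apple-only build this commit targets but will need an `if(APPLE)` or compiler-id guard if another toolchain is ever added.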


@ -25,9 +25,9 @@ IMPL_TEMPLATE = """// Copyright 2004-present Facebook. All Rights Reserved.
** This file is generated. Do not modify it manually!
*/
#include <cstring>
#include <string>
#include <vector>
#include <cstring>
#include <boost/lexical_cast.hpp>
@ -122,7 +122,7 @@ int {{table_name_cc}}Filter(
pCur->row = 0;
{% for col in schema %}\
pVtab->pContent->{{col.name}} = {};
pVtab->pContent->{{col.name}}.clear();
{% endfor %}\
for (auto& row : osquery::tables::{{function}}()) {

28
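--- a/tools/registry_test.cpp
+++ b/tools/registry_test.cpp
@@ -0,0 +1,28 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+#include <glog/logging.h>
+#include "osquery/config.h"
+#include "osquery/config/plugin.h"
+#include "osquery/core.h"
+#include "osquery/logger.h"
+#include "osquery/logger/plugin.h"
+#include "osquery/registry.h"
+int main(int argc, char *argv[]) {
+osquery::core::initOsquery(argc, argv);
+LOG(INFO) << "Listing all plugins";
+LOG(INFO) << "Logger plugins:";
+for (const auto& it : REGISTERED_LOGGER_PLUGINS) {
+LOG(INFO) << " - " << it.first;
+}
+LOG(INFO) << "Config plugins:";
+for (const auto& it : REGISTERED_CONFIG_PLUGINS) {
+LOG(INFO) << " - " << it.first;
+}
+return 0;
+}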

28
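--- a/tools/run.cpp
+++ b/tools/run.cpp
@@ -0,0 +1,28 @@
+// Copyright 2004-present Facebook. All Rights Reserved.
+#include <gflags/gflags.h>
+#include <glog/logging.h>
+#include "osquery/core.h"
+DEFINE_string(query, "", "query to execute");
+int main(int argc, char* argv[]) {
+osquery::core::initOsquery(argc, argv);
+if (FLAGS_query != "") {
+int err;
+LOG(INFO) << "Executing: " << FLAGS_query;
+osquery::core::aggregateQuery(FLAGS_query, err);
+if (err != 0) {
+LOG(ERROR) << "Query failed: " << err;
+return 1;
+}
+LOG(INFO) << "Query succedded";
+} else {
+LOG(ERROR) << "Usage: run --query=\"<query>\"";
+return 1;
+}
+return 0;
+}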
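Review bot: `int err;` is read after `aggregateQuery(FLAGS_query, err)` without ever being initialized; if the callee leaves it untouched on some path (its contract is not visible here) the `if (err != 0)` test reads an indeterminate value, so declare it as `int err = 0;`. The call's return value is discarded, so `run` reports success or failure but never prints anything for the query it ran, which is surprising for a tool driven by `--query`; if that is intended, say so in the usage string. Minor: `FLAGS_query != ""` reads better as `!FLAGS_query.empty()`, and the success message has a typo — `LOG(INFO) << "Query succeeded";`.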