Added parsing of extra data along with its addition to the osqueryconfig structure

Added tests as well
2024-11-07 09:58:54 +00:00 · 2015-02-10 14:32:54 -08:00 · 2015-02-10 14:32:54 -08:00 · dca2f9d7bb
commit dca2f9d7bb
parent 65e0da4790
4 changed files with 54 additions and 1 deletions
--- a/include/osquery/config.h
+++ b/include/osquery/config.h
@ -34,6 +34,7 @@ struct OsqueryConfig {
  /// A vector of all of the queries that are scheduled to execute.
  std::vector<OsqueryScheduledQuery> scheduledQueries;
  std::map<std::string, std::string> options;
+  std::map<std::string, std::vector<std::string> > threatFiles;
 };

 /**
@ -94,6 +95,15 @@ class Config {
   */
  std::vector<OsqueryScheduledQuery> getScheduledQueries();

+  /**
+   * @brief Get a map of all the files in the intel JSON blob
+   *
+   *
+   *
+   * @return A map all the files in the JSON blob organized by category
+   */
+  std::map<std::string, std::vector<std::string> > getThreatFiles();
+
  /**
   * @brief Calculate the has of the osquery config
   *
--- a/osquery/config/config.cpp
+++ b/osquery/config/config.cpp
@ -29,6 +29,9 @@ DEFINE_osquery_flag(string,
                    "filesystem",
                    "Config type (plugin)");

+// This lock is used to protect the entirety of the OSqueryConfig struct
+// Is should be used when ever accessing the structs members, reading or
+// writing.
 static boost::shared_mutex rw_lock;

 std::shared_ptr<Config> Config::getInstance() {
@ -105,6 +108,19 @@ Status Config::genConfig(OsqueryConfig& conf) {
        conf.options[v.first.data()] = v.second.data();
      }
    }
+
+    // We may have threat intelligence hooks to setup
+    if (tree.count("threat_intel") > 0) {
+      for (const pt::ptree::value_type& v : tree.get_child("threat_intel")) {
+        if (v.first == "file_paths") {
+          for (const pt::ptree::value_type& file_cat : v.second) {
+            for (const pt::ptree::value_type& file : file_cat.second) {
+              conf.threatFiles[file_cat.first].push_back(file.first);
+            }
+          }
+        }
+      }
+    }
  } catch (const std::exception& e) {
    LOG(ERROR) << "Error parsing config JSON: " << e.what();
    return Status(1, e.what());
@ -118,6 +134,11 @@ std::vector<OsqueryScheduledQuery> Config::getScheduledQueries() {
  return cfg_.scheduledQueries;
 }

+std::map<std::string, std::vector<std::string> > Config::getThreatFiles() {
+  boost::shared_lock<boost::shared_mutex> lock(rw_lock);
+  return cfg_.threatFiles;
+}
+
 Status Config::getMD5(std::string& hash_string) {
  std::string config_string;
  auto s = genConfig(config_string);
--- a/osquery/config/config_tests.cpp
+++ b/osquery/config/config_tests.cpp
@ -67,6 +67,16 @@ TEST_F(ConfigTests, test_queries_execute) {
    EXPECT_TRUE(status.ok());
  }
 }
+
+TEST_F(ConfigTests, test_threatfiles_execute) {
+  auto c = Config::getInstance();
+  auto files = c->getThreatFiles();
+
+  EXPECT_EQ(files.size(), 2);
+  EXPECT_EQ(files["downloads"].size(), 1);
+  EXPECT_EQ(files["system_binaries"].size(), 3);
+  
+}
 }

 int main(int argc, char* argv[]) {
--- a/tools/tests/test.config
+++ b/tools/tests/test.config
@ -5,5 +5,17 @@
      "query": "select * from time;",
      "interval": 1
    }
+  ],
+  "threat_intel" : {
+    "file_paths": {
+      "downloads": [
+        "/Users/%/Downloads/%%"
+      ],
+      "system_binaries": [
+        "/bin/%",
+        "/usr/bin/%",
+        "/usr/local/bin/%"
      ]
    }
+  }
+}