Added memory_info table for Linux (#2282)

2024-11-07 01:55:20 +00:00 · 2016-07-27 17:20:07 -05:00 · 2016-07-27 17:20:07 -05:00 · e015c132f6
commit e015c132f6
parent 5463a7d15c
2 changed files with 79 additions and 0 deletions
--- a/osquery/tables/system/linux/memory_info.cpp
+++ b/osquery/tables/system/linux/memory_info.cpp
@ -0,0 +1,62 @@
+/*
+ *  Copyright (c) 2014-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the BSD-style license found in the
+ *  LICENSE file in the root directory of this source tree. An additional grant
+ *  of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include <string>
+
+#include <boost/algorithm/string.hpp>
+
+#include <osquery/core.h>
+#include <osquery/tables.h>
+#include <osquery/filesystem.h>
+
+#include "osquery/core/conversions.h"
+
+namespace osquery {
+namespace tables {
+
+const std::string kMemInfoPath = {"/proc/meminfo"};
+
+const std::map<std::string, std::string> kMemInfoMap = {
+    {"memory_total", "MemTotal:"},
+    {"memory_free", "MemFree:"},
+    {"buffers", "Buffers:"},
+    {"cached", "Cached:"},
+    {"swap_cached", "SwapCached:"},
+    {"active", "Active:"},
+    {"inactive", "Inactive:"},
+    {"swap_total", "SwapTotal:"},
+    {"swap_free", "SwapFree:"},
+};
+
+QueryData getMemoryInfo(QueryContext& context) {
+  QueryData results;
+  Row r;
+
+  std::string meminfo_content;
+  if (forensicReadFile(kMemInfoPath, meminfo_content).ok()) {
+    // Able to read meminfo file, now grab info we want
+    for (const auto& line : split(meminfo_content, "\n")) {
+      std::vector<std::string> tokens;
+      boost::split(
+          tokens, line, boost::is_any_of("\t "), boost::token_compress_on);
+      // Look for mapping
+      for (const auto& singleMap : kMemInfoMap) {
+        if (line.find(singleMap.second) == 0) {
+          r[singleMap.first] = INTEGER(std::stol(tokens[1]) * 1024l);
+          break;
+        }
+      }
+    }
+  }
+  results.push_back(r);
+  return results;
+}
+}
+}
--- a/specs/linux/memory_info.table
+++ b/specs/linux/memory_info.table
@ -0,0 +1,17 @@
+table_name("memory_info")
+
+description("Main memory information, in bytes")
+
+schema([
+    Column("memory_total", INTEGER, "Total amount of physical RAM, in bytes"),
+    Column("memory_free", INTEGER, "The amount of physical RAM, in bytes, left unused by the system"),
+    Column("buffers", INTEGER, "The amount of physical RAM, in bytes, used for file buffers"),
+    Column("cached", INTEGER, "The amount of physical RAM, in bytes, used as cache memory"),
+    Column("swap_cached", INTEGER, "The amount of swap, in bytes, used as cache memory"),
+    Column("active", INTEGER, "The total amount of buffer or page cache memory, in bytes, that is in active use"),
+    Column("inactive", INTEGER, "The total amount of buffer or page cache memory, in bytes, that are free and available"),
+    Column("swap_total", INTEGER, "The total amount of swap available, in bytes"),
+    Column("swap_free", INTEGER, "The total amount of swap free, in bytes"),
+])
+
+implementation("memory_info@getMemoryInfo")