Merge pull request #1815 from theopolis/fix_1814

[Fix #1814] Various fixes for Linux inotify

osquery/events/events.cpp

@@ -89,6 +89,12 @@ QueryData EventSubscriberPlugin::genTable(QueryContext& context) {
     // allows optimization, only emit events since the last query.
     start = optimize_time_;
     optimize_time_ = getUnixTime() - 1;
+
+    // Store the optimize time such that it can be restored if the daemon is
+    // restarted.
+    auto db = DBHandle::getInstance();
+    auto index_key = "optimize." + dbNamespace();
+    db->Put(kEvents, index_key, std::to_string(optimize_time_));
   }
 
   return get(start, stop);
@@ -668,6 +674,18 @@ Status EventFactory::registerEventSubscriber(const PluginRef& sub) {
   auto& ef = EventFactory::getInstance();
   ef.event_subs_[name] = specialized_sub;
 
+  // Restore optimize times for a daemon.
+  if (kToolType == OSQUERY_TOOL_DAEMON && FLAGS_events_optimize) {
+    auto db = DBHandle::getInstance();
+    auto index_key = "optimize." + specialized_sub->dbNamespace();
+    std::string content;
+    if (db->Get(kEvents, index_key, content)) {
+      long long optimize_time = 0;
+      safeStrtoll(content, 10, optimize_time);
+      specialized_sub->optimize_time_ = static_cast<EventTime>(optimize_time);
+    }
+  }
+
   // Set state of subscriber.
   if (!status.ok()) {
     specialized_sub->state(SUBSCRIBER_FAILED);

osquery/events/tests/events_database_tests.cpp

@@ -169,6 +169,9 @@ TEST_F(EventsDatabaseTests, test_record_expiration) {
 
 TEST_F(EventsDatabaseTests, test_gentable) {
   auto sub = std::make_shared<DBFakeEventSubscriber>();
+  // Lie about the tool type to enable optimizations.
+  auto default_type = kToolType;
+  kToolType = OSQUERY_TOOL_DAEMON;
   ASSERT_EQ(sub->optimize_time_, 0U);
   ASSERT_EQ(sub->expire_time_, 0U);
 
@@ -186,11 +189,16 @@ TEST_F(EventsDatabaseTests, test_gentable) {
   // Perform a "select" equivalent.
   QueryContext context;
   auto results = sub->genTable(context);
+
   // Expect all non-expired results: 11, +
   EXPECT_EQ(results.size(), 9U);
   // The expiration time is now - events_expiry.
   EXPECT_GT(sub->expire_time_, getUnixTime() - (FLAGS_events_expiry * 2));
   EXPECT_LT(sub->expire_time_, getUnixTime());
+  // The optimize time will be changed too.
+  ASSERT_GT(sub->optimize_time_, 0U);
+  // Restore the tool type.
+  kToolType = default_type;
 
   results = sub->genTable(context);
   EXPECT_EQ(results.size(), 3U);
@@ -198,6 +206,13 @@ TEST_F(EventsDatabaseTests, test_gentable) {
   results = sub->genTable(context);
   EXPECT_EQ(results.size(), 3U);
 
+  // The optimize time should have been written to the database.
+  // It should be the same as the current (relative) optimize time.
+  std::string content;
+  getDatabaseValue(
+      "events", "optimize.DBFakePublisher.DBFakeSubscriber", content);
+  EXPECT_EQ(std::to_string(sub->optimize_time_), content);
+
   keys.clear();
   scanDatabaseKeys("events", keys);
   EXPECT_LT(keys.size(), 30U);

osquery/filesystem/filesystem.cpp

@@ -38,7 +38,7 @@ FLAG(uint64, read_user_max, 10 * 1024 * 1024, "Maximum non-su read size");
 HIDDEN_FLAG(bool, allow_unsafe, false, "Allow unsafe executable permissions");
 
 /// Disable forensics (atime/mtime preserving) file reads.
-HIDDEN_FLAG(bool, disable_forensic, false, "Disable atime/mtime preservation");
+HIDDEN_FLAG(bool, disable_forensic, true, "Disable atime/mtime preservation");
 
 static const size_t kMaxRecursiveGlobs = 64;