Commit Graph

956 Commits

Author SHA1 Message Date
Sean Williams
05ce70f871 Detect some linux kernel tampering. initial branch; not yet complete
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files underneath it:
syscall_addr_modified and text_segment_hash.

File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)

The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
2014-12-08 23:47:30 +00:00
Sean Williams
6ad17759d8 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:47:29 +00:00
Sean Williams
218f74ae80 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:47:29 +00:00
mike@arpaia.co
ece9d4fa00 removing trailing content 2014-12-08 23:47:26 +00:00
mike@arpaia.co
1ce1e17902 new headers 2014-12-08 23:47:25 +00:00
mike@arpaia.co
5b80664c5e moving to top-level kernel directory 2014-12-08 23:47:25 +00:00
Sean Williams
279d55e49d Fix a couple bugs; cleanup unused code/includes 2014-12-08 23:47:24 +00:00
Sean Williams
0953b17e93 Detect some linux kernel tampering. initial branch; not yet complete
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files underneath it:
syscall_addr_modified and text_segment_hash.

File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)

The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
2014-12-08 23:47:24 +00:00
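The two camb commits above (05ce70f871 and 0953b17e93) describe the sysfs interface but ship no consumer for it. The following POSIX shell script is an added example, not code from osquery or the camb branch: it reads the two files, records a known-good `text_segment_hash` as a baseline, and fails with an alert when the syscall-table flag is set or the hash drifts from that baseline. The path `/sys/kernel/camb` and the two file names come from the commit message; the function names, the baseline file location and the directory argument (so the functions can be exercised against a constructed copy of the sysfs layout) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: consume the camb sysfs files described in the commit message.
# /sys/kernel/camb and its two files are from the commit; everything else here
# (function names, baseline file, exit-code convention) is an assumption.

CAMB_DIR="${CAMB_DIR:-/sys/kernel/camb}"

# camb_status DIR
# Prints "<syscall_addr_modified> <text_segment_hash>" read from DIR.
# Returns 2 when the module is not loaded (files missing or unreadable).
camb_status() {
    dir="$1"
    [ -r "$dir/syscall_addr_modified" ] && [ -r "$dir/text_segment_hash" ] || return 2
    flag=$(cat "$dir/syscall_addr_modified")
    hash=$(cat "$dir/text_segment_hash")
    printf '%s %s\n' "$flag" "$hash"
}

# camb_baseline DIR BASELINE_FILE
# Records the current .text hash as the known-good value. Take it only on a
# host you trust (freshly booted from a verified kernel); a baseline recorded
# after compromise just enshrines the tampered image. Refuses to record a
# baseline while the syscall flag is already set.
camb_baseline() {
    status=$(camb_status "$1") || return 2
    flag="${status%% *}"
    if [ "$flag" != "0" ]; then
        echo "refusing to baseline: syscall table already reports modified" >&2
        return 1
    fi
    printf '%s\n' "${status#* }" > "$2"
}

# camb_check DIR BASELINE_FILE
# Exit 0: both indicators clean.
# Exit 1: syscall pointers modified and/or .text hash differs from baseline.
# Exit 2: module not loaded or baseline missing (monitoring gap, not tampering).
camb_check() {
    status=$(camb_status "$1") || return 2
    flag="${status%% *}"
    hash="${status#* }"
    expected=$(cat "$2" 2>/dev/null) || return 2
    rc=0
    if [ "$flag" != "0" ]; then
        echo "ALERT: syscall table function pointers modified" >&2
        rc=1
    fi
    if [ "$hash" != "$expected" ]; then
        echo "ALERT: kernel .text hash $hash differs from baseline $expected" >&2
        rc=1
    fi
    return $rc
}
```

Typical use is `camb_baseline "$CAMB_DIR" /var/lib/camb.baseline` once on a trusted boot, then `camb_check "$CAMB_DIR" /var/lib/camb.baseline` from cron or a wrapper that feeds the exit code to your alerting. The hash is specific to one kernel build, so the baseline must be regenerated after every kernel update, and exit code 2 should page as a monitoring gap rather than be ignored. Treat the result the way the commit message does: a mismatch is high-signal, but a clean result is not proof of integrity, since code already running in the kernel can patch camb or its hash routine as easily as the syscall table.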
mike@arpaia.co
e260007f04 Change exit(-1) to exit(EXIT_FAILURE) 2014-12-08 10:40:10 -08:00
Teddy Reed
fb5048596c Merge pull request #527 from theopolis/fix_linux_processes_cmdline
Replace linux cmdline tokens with spaces
2014-12-07 18:11:07 -08:00
Teddy Reed
f8cc579d36 Fix json results clear 2014-12-07 15:53:37 -07:00
Teddy Reed
b890670be1 Replace linux cmdline tokens with spaces 2014-12-07 00:35:24 -07:00
Teddy Reed
a0866c0972 Merge pull request #524 from theopolis/events_expiry
Events expiry
2014-12-06 19:52:16 -08:00
Teddy Reed
b77f469752 Merge pull request #526 from theopolis/json-output
Add -json output mode for shell
2014-12-06 19:52:06 -08:00
Teddy Reed
19695d40aa Add expiration to events 2014-12-06 18:28:03 -07:00
Teddy Reed
78ecc73d81 Add -json output mode for shell 2014-12-06 18:22:48 -07:00
Sean Williams
c74c972e1d Update CONTRIBUTING.md 2014-12-06 12:35:02 -08:00
Sean Williams
9c513c20e7 Update CONTRIBUTING.md 2014-12-06 12:34:19 -08:00
Teddy Reed
7b16e45f55 Improve pubsub unittests 2014-12-05 16:18:05 -07:00
Teddy Reed
76597aa25f Merge pull request #522 from theopolis/make_pkg_simple
Add -s flag to OSX package script
2014-12-04 09:46:03 -08:00
Teddy Reed
f3ab333cf1 Add -s flag to OSX package script 2014-12-04 09:33:04 -08:00
Teddy Reed
bd64fb4619 Merge pull request #519 from theopolis/better_includes2
Codemod to improve include search paths for includes
2014-12-03 17:40:06 -08:00
Teddy Reed
b7765a6af0 Codemod to improve include search paths for includes 2014-12-03 15:31:09 -08:00
Teddy Reed
400199f05e Merge pull request #518 from theopolis/better_includes
Codemod to improve include search paths
2014-12-03 15:29:23 -08:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274 Merge pull request #515 from theopolis/faster_generator
Towards simple table generation
2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f Merge pull request #510 from wxsBSD/issue_475
Implement signed columns for users and groups.
2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325 Use a single class for Table plugins 2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4 Amalgamate generated tables 2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405 Organize /tools 2014-12-02 21:16:24 -08:00
Teddy Reed
119eb37731 Simple template functions 2014-12-02 21:02:50 -08:00
Teddy Reed
f4337243ec Towards simple table generation 2014-12-02 20:36:46 -08:00
Teddy Reed
7ad06d856d Merge pull request #514 from eastebry/fix_hostIdentifier_typo
Fixed typo in getHostIdentifier
2014-12-02 19:34:35 -08:00
Bryan Eastes
5eef747025 Fixed typo in getHostIdentifier 2014-12-02 14:09:37 -08:00
Teddy Reed
d99e8a4c5a Merge pull request #513 from theopolis/filesystem_constraints
Port manual/filesystem to file using constraints
2014-12-02 14:02:51 -08:00
Teddy Reed
d885bf420d Port manual/filesystem to file using constraints 2014-12-02 12:37:26 -08:00
Teddy Reed
3ac9c3be09 Verbose option for profile 2014-12-02 12:19:17 -08:00
Teddy Reed
13fb05ab48 Move config member set back to end of ctor 2014-12-02 01:52:32 -08:00
Teddy Reed
366c646cb8 Merge pull request #507 from theopolis/config_options
Read arguments/options from config
2014-12-01 23:57:53 -08:00
Teddy Reed
f8e9750ea2 Merge pull request #508 from theopolis/workaround_422
[Fix #422] Workaround for multiple selects
2014-12-01 23:57:37 -08:00
Teddy Reed
b000541d2f Merge pull request #509 from theopolis/fix_500
[Fix #500] Add virtual dtors to event pub/subs
2014-12-01 23:57:24 -08:00
Teddy Reed
d904d34e3a Merge pull request #511 from eastebry/scheduler_bug_fix
Fixed small bug in getHostIdentifier method
2014-12-01 23:57:07 -08:00
Bryan Eastes
d2d021df24 Fixed small bug in getHostIdentifier method 2014-12-01 15:02:40 -08:00
Wesley Shields
2504c06feb Implement signed columns for users and groups.
Fixes #475.
2014-12-01 11:52:13 -05:00
Teddy Reed
8db44f70f3 [Fix #500] Add virtual dtors to event pub/subs 2014-12-01 02:44:35 -07:00
Teddy Reed
fc69ccf22a [Fix #422] Workaround for multiple selects 2014-12-01 02:27:51 -07:00
Teddy Reed
43b4debd47 Read arguments/options from config 2014-12-01 02:05:46 -07:00
Teddy Reed
6a46513a08 Fix abrt in osqueryd as non-su 2014-11-30 22:36:55 -07:00
Teddy Reed
f280ecd9aa Merge pull request #505 from theopolis/fix_498
[Fix #498] Remove default catch in quarantine
2014-11-30 21:19:55 -08:00
Teddy Reed
3ec6b473dd [Fix #498] Remove default catch in quarantine 2014-11-30 22:01:31 -07:00