Martin Majlis
8b8ec7c644
Added initial implementation for crontab.
2014-10-28 17:52:03 -07:00
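The crontab commit above adds a table over cron schedules. The parser below is an added example written for this page, not osquery's implementation: its column names (event, minute, hour, day_of_month, month, day_of_week, user, command, path), its handling of Vixie cron's @keywords, and both crontab texts are this example's own choices and constructed input. It also pulls out environment assignments and flags commands living in world-writable scratch directories, the two things a reviewer of cron persistence usually wants next.

```python
"""Parse crontab files into table rows.

Added example for this commit log; it is not osquery's crontab implementation.
Column names are this example's own choice, and both crontab texts below are
constructed sample input.
"""
import re
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]

# Vixie cron shortcut keywords. @reboot has no time fields; the others are
# equivalent to the five-field schedule listed here.
SPECIAL_SCHEDULES = {
    "@reboot": None,
    "@yearly": ("0", "0", "1", "1", "*"),
    "@annually": ("0", "0", "1", "1", "*"),
    "@monthly": ("0", "0", "1", "*", "*"),
    "@weekly": ("0", "0", "*", "*", "0"),
    "@daily": ("0", "0", "*", "*", "*"),
    "@midnight": ("0", "0", "*", "*", "*"),
    "@hourly": ("0", "*", "*", "*", "*"),
}

# Environment assignments such as PATH=/usr/bin or MAILTO="". A schedule entry
# never starts with a letter, so this cannot match a real job line.
_ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed per-user crontab (what /var/spool/cron/crontabs/<user> holds).
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
PATH=/tmp/.x:/usr/bin:/bin
*/10 * * * * /home/alice/bin/sync.sh >/dev/null 2>&1
@reboot /tmp/.x/run
0 3 * * 1-5\t/usr/bin/find /var/tmp -mtime +7 -delete
"""

# Constructed system crontab (/etc/crontab layout: a user field precedes the command).
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
@daily root /usr/local/sbin/rotate-logs
"""


def parse_crontab(text: str, path: str, system: bool = False) -> List[Row]:
    """Return one row per scheduled command in `text`, read from `path`.

    Comments, blank lines, environment assignments and malformed lines are
    skipped. With system=True the sixth field is the user the job runs as.
    """
    rows: List[Row] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] not in SPECIAL_SCHEDULES:
                continue  # unknown keyword or no command: not a valid entry
            event, rest = parts
            fields = SPECIAL_SCHEDULES[event] or (None,) * 5
        else:
            parts = line.split(None, 5)
            if len(parts) != 6:
                continue  # fewer than five time fields plus a command
            event, fields, rest = None, tuple(parts[:5]), parts[5]
        user = None
        if system:
            user_and_cmd = rest.split(None, 1)
            if len(user_and_cmd) != 2:
                continue  # user given but no command
            user, rest = user_and_cmd
        minute, hour, dom, month, dow = fields
        rows.append({
            "event": event, "minute": minute, "hour": hour,
            "day_of_month": dom, "month": month, "day_of_week": dow,
            "user": user, "command": rest.strip(), "path": path,
        })
    return rows


def crontab_env(text: str) -> Dict[str, str]:
    """Environment assignments in the file (PATH, SHELL, MAILTO, ...). A rewritten
    PATH changes what every bare command name in the file resolves to."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _ENV_LINE.match(raw.strip())
        if m:
            env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env


def commands_under(rows: List[Row], prefixes=("/tmp/", "/var/tmp/", "/dev/shm/")) -> List[Row]:
    """Rows whose command references a path in a world-writable scratch
    directory: a cheap persistence-hunting filter, not a verdict."""
    return [r for r in rows
            if any(tok.startswith(prefixes) for tok in r["command"].split())]
```

Reading the real files is the part left out on purpose: per-user crontabs under /var/spool/cron need root, and a production collector would also cover /etc/cron.d, which uses the system layout.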
Teddy Reed
47d1f13966
Using Cpp03 to remove double right angle brackets
2014-10-27 17:56:55 -07:00
Teddy Reed
6e60612520
Using clang-format 3.5
2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9
Merge pull request #228 from facebook/bash_history_table
Adding virtual table bash_history, for linux and darwin
2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534
updating comment
2014-10-27 16:34:00 -04:00
Teddy Reed
0a1925200e
Clean flags usage in daemon/shell and dbhandle
2014-10-27 12:09:35 -07:00
Teddy Reed
6d50d762ce
Changing flag infra, reducing config testing, adding debug macro
2014-10-27 10:30:02 -07:00
Teddy Reed
16c1fa68ba
Merge pull request #246 from facebook/db_handle_problems
Fix permissions on DB handle
2014-10-27 10:27:07 -07:00
Teddy Reed
991cbdfb00
Fix permissions on DB handle
2014-10-27 10:05:08 -07:00
Mike Arpaia
a5f7dc1aa3
Merge pull request #247 from facebook/time-types
time types
2014-10-27 12:47:52 -04:00
mike@arpaia.co
2ba54f5211
time types
2014-10-27 09:13:21 -04:00
Teddy Reed
53afc6b8b2
Merge pull request #240 from facebook/event_logs
Change log formatting to individual events
2014-10-26 14:53:58 -07:00
Teddy Reed
67dce20974
Log event results as a flat map
2014-10-26 10:18:26 -07:00
Teddy Reed
2346fa00d5
Merge pull request #243 from facebook/fix_100p
[events] Fix SCNetwork runloop thrashing
2014-10-25 16:41:57 -07:00
Teddy Reed
9d6efc83b8
[events] Fix SCNetwork runloop thrashing
2014-10-25 07:01:57 -07:00
Javier Marcos
c8c3363455
Changed logic to ignore when history file is not found (expected)
2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e
Refactoring and added column for history file, also more history files supported
2014-10-24 20:29:23 -07:00
Teddy Reed
84e8718d62
Merge pull request #238 from facebook/unify_routes
[vtable] Unify routes table for OSX/Linux
2014-10-24 17:08:16 -07:00
Teddy Reed
a82792b3f7
Log results as events
2014-10-24 17:05:17 -07:00
Teddy Reed
3d7c8b5684
[vtable] Unify routes table for OSX/Linux
2014-10-24 12:34:18 -07:00
Teddy Reed
35aeb1e87d
Merge pull request #237 from facebook/dual_build
Build into platform-specific build dirs
2014-10-24 09:24:11 -07:00
Javier Marcos
bf3cd15c91
Final fix for the allocation problem
2014-10-23 17:17:50 -07:00
Teddy Reed
1598892ab1
Fix Ubuntu build issues (proc/bz2/z)
2014-10-23 16:27:43 -07:00
Teddy Reed
5b2510784e
Build into platform-specific build dirs
2014-10-23 14:39:15 -07:00
Javier Marcos
f69913938f
Bad memory leak with OpenDirectory and pwd/grp.h code
2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab
Adding virtual table bash_history, for linux and darwin
2014-10-22 15:21:05 -07:00
Teddy Reed
21a0fd1aec
Merge pull request #207 from facebook/scnetwork_publisher
[events] OSX SCNetwork Publisher
2014-10-16 16:27:35 -07:00
Javier Marcos
bf1ffb1537
Removing old code for generating virtual tables
2014-10-13 21:58:26 -07:00
Javier Marcos
c2f4453749
Merge pull request #213 from facebook/last_access_linux
Adding support for last vtable in linux
2014-10-13 19:07:59 -07:00
Javier Marcos
06792db7f0
Adding support for last in linux
2014-10-13 18:19:08 -07:00
mike@arpaia.co
ce5d53e169
fixing the shell text [skip ci]
2014-10-13 17:23:20 -07:00
Javier Marcos
b3208bab70
Errors handled, shit is on fire
2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0
Adding groups vtable and refactoring users
2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e
only index if it's not nullptr
2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02
cleaning up some memory leak supps
2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959
Making sure we do not add duplicated users
2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a
OMG memory leaks
2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949
Virtual table to be built in both linux and mac
2014-10-09 15:27:18 -07:00
Javier Marcos
d09e6037dd
Fixing infinite loop adding mutex
2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da
Adding vtable for users
2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873
Install package depending on arch and better comments
2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5
Adding support to build osquery in centos 6.5
2014-10-08 03:45:56 +00:00
Teddy Reed
55ef15fa3d
[events] OSX SCNetwork Publisher
2014-10-07 16:00:28 -07:00
Teddy Reed
ded0717e94
[events] Additional INotify tests
2014-10-07 12:27:25 -07:00
Teddy Reed
8213e7dcbc
[events] Improve inotify
2014-10-06 14:37:44 -07:00
Teddy Reed
37352f862a
[events] Formatting from name changes
2014-10-04 13:29:17 -07:00
Teddy Reed
2063252f73
[vtable] Fix warning for process in-condition assignment
2014-10-04 13:29:17 -07:00
mike@arpaia.co
99f5052d15
cleaning up deploy materials
2014-10-03 22:34:59 -07:00
Teddy Reed
b5352729af
Merge pull request #198 from facebook/inotify_tests
[events] Stabilize INotify event tests
2014-10-03 17:59:20 -07:00
Teddy Reed
5e6be33767
Merge pull request #199 from facebook/unify_processes
[vtable] Parity with OSX/Linux processes table
2014-10-03 17:30:47 -07:00
Teddy Reed
a36117670b
Revert "disabling inotify_tests"
2014-10-03 17:02:00 -07:00
Teddy Reed
25aee56af9
[events] Stabilize INotify event tests
2014-10-03 17:01:32 -07:00
Teddy Reed
69607c7b32
[vtable] Parity with OSX/Linux processes table
2014-10-03 16:24:11 -07:00
mike@arpaia.co
96986773b3
disabling inotify_tests
2014-10-03 14:21:50 -07:00
mike@arpaia.co
660ef01777
iostream in shell
2014-10-03 13:48:31 -07:00
mike@arpaia.co
c118e7a1f8
iostream
2014-10-03 13:48:31 -07:00
Mike Arpaia
1d062bb038
Merge pull request #185 from facebook/ubuntu12_precise_build_support
Adding support to build in Ubuntu 12
2014-10-03 12:57:25 -07:00
Teddy Reed
b37785e665
Merge pull request #195 from facebook/events_pubsub
Events pubsub
2014-10-03 11:50:37 -07:00
Teddy Reed
c553a59745
[events] Use pub/sub diction for events
2014-10-03 11:30:51 -07:00
Teddy Reed
1e36b494b4
[events] Rename MonitorContext to SubscriptionContext
2014-10-03 08:26:41 -07:00
Teddy Reed
b2474b49eb
[events] Renamed EventType to EventPublisher
2014-10-03 08:14:36 -07:00
Teddy Reed
e77ae22fe2
[events] Rename EventModule to EventSubscriber
2014-10-03 08:08:06 -07:00
Teddy Reed
368ab483a7
Merge pull request #184 from facebook/fsevents
[events] Fleshing out OSX FSEvent framework
2014-10-03 07:54:17 -07:00
Teddy Reed
69bfb92905
[events] Fleshing out OSX FSEvent framework
2014-10-02 21:30:14 -07:00
mike@arpaia.co
d1e2ee1241
glog logger plugin
2014-10-02 19:44:45 -07:00
Javier Marcos
7f5d1eee8c
Fixes broken build in Mac OSX
2014-10-02 16:30:29 -07:00
Javier Marcos
06b35c45f0
Adding support to build in Ubuntu 12
2014-10-02 16:30:29 -07:00
mike@arpaia.co
569545648d
lz4
2014-10-02 14:51:18 -07:00
mike@arpaia.co
2348460ca4
Revert "Support for Ubuntu 12, precise"
This reverts commit ed0e051eba.
2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba
Support for Ubuntu 12, precise
2014-10-02 01:24:23 +00:00
mike@arpaia.co
764619c849
Adding a function to read tomcat configs from disk
2014-09-30 19:59:52 -07:00
Mike Arpaia
3fb8c8a5d4
Merge pull request #183 from facebook/tomcat-users
Adding a function to parse the Tomcat users XML file
2014-09-30 19:51:54 -07:00
mike@arpaia.co
196ec880ab
Adding a function to parse the Tomcat users XML file
This is a part of a bigger, better virtual table idea that @carnal0wnage had.
2014-09-30 19:49:38 -07:00
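The Tomcat commit above adds a parser for tomcat-users.xml. The code below is an added example written for this page, not osquery's function: it reads a constructed tomcat-users.xml (the `<user username= password= roles=>` elements inside `<tomcat-users>` that Tomcat documents), returns one row per user, and then answers the two questions a pentester or auditor asks of that file first: who holds Manager/Host Manager roles, and whose password is empty or equal to the username. The privileged role list is this example's own selection of Tomcat's manager-* and admin-* roles.

```python
"""Parse Tomcat's tomcat-users.xml into user rows.

Added example for this commit log; it is not osquery's function. The sample
document below is constructed input, and PRIVILEGED_ROLES is this example's own
choice of Tomcat's Manager/Host Manager roles.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of conf/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="guest" roles=""/>
</tomcat-users>
"""

# Roles that grant deploy or configuration access through the Manager and
# Host Manager web applications.
PRIVILEGED_ROLES = frozenset({
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
})


def _local_name(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree adds when the root declares xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_tomcat_users(xml_text: str) -> List[Dict[str, object]]:
    """One row per <user>: username, password as stored, and the role list."""
    root = ET.fromstring(xml_text)
    if _local_name(root.tag) != "tomcat-users":
        raise ValueError("not a tomcat-users document: root is <%s>" % root.tag)
    rows: List[Dict[str, object]] = []
    for elem in root:
        if _local_name(elem.tag) != "user":
            continue  # <role> and <group> elements carry no credentials
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        rows.append({
            "username": elem.get("username", ""),
            "password": elem.get("password", ""),
            "roles": roles,
        })
    return rows


def privileged_users(rows: List[Dict[str, object]]) -> List[str]:
    """Usernames holding any Manager/Host Manager role."""
    return [str(r["username"]) for r in rows if PRIVILEGED_ROLES & set(r["roles"])]


def weak_password_users(rows: List[Dict[str, object]]) -> List[str]:
    """Usernames with an empty password or a password equal to the username."""
    return [str(r["username"]) for r in rows
            if r["password"] == "" or r["password"] == r["username"]]
```

The password column is whatever the file stores: plaintext unless the realm is configured with a CredentialHandler, in which case it is a digest. The file is local configuration, but if the same parser is ever pointed at XML an attacker can write, swap ElementTree for defusedxml to rule out entity-expansion attacks.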
Teddy Reed
bf8209ca90
Merge pull request #182 from facebook/events_docs
[events] Added remaining doxy comments
2014-09-30 15:00:08 -07:00
Teddy Reed
ef044c4a72
[events] Added remaining doxy comments
2014-09-30 12:50:14 -07:00
Teddy Reed
6eb9c5fd44
EventFactory, Dispatcher as singletons
2014-09-29 20:47:24 -07:00
Teddy Reed
588f1198f3
Merge pull request #174 from facebook/passwd_changes_vtable
[events] Events lifecycle complete, passwd_changes vtable
2014-09-26 21:13:52 -07:00
Teddy Reed
ed338e8356
[events] Events lifecycle complete, passwd_changes vtable
2014-09-26 12:58:32 -07:00
mike@arpaia.co
0c783ebf0a
Migrating internal usage of osquery::query to osquery::SQL
2014-09-26 00:34:56 -07:00
mike@arpaia.co
7076aa813c
SQL class for executing queries
implements #141
2014-09-26 00:28:18 -07:00
mike@arpaia.co
636ced854f
Pretty shell results
Example:
```
osquery> select name, program || program_arguments as executable from launchd limit 5;
+----------------------------------+-------------------------------------------------------------------------------+
| name | executable |
+----------------------------------+-------------------------------------------------------------------------------+
| bootps.plist | /usr/libexec/bootpd |
| com.apple.afpfs_afpLoad.plist | /System/Library/Filesystems/AppleShare/afpLoad |
| com.apple.afpfs_checkafp.plist | /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp |
| com.apple.AirPlayXPCHelper.plist | /usr/libexec/AirPlayXPCHelper |
| com.apple.airport.wps.plist | /usr/libexec/wps |
+----------------------------------+-------------------------------------------------------------------------------+
osquery> .tables
=> alf
=> alf_exceptions
=> alf_explicit_auths
=> alf_services
=> apps
=> ca_certs
=> etc_hosts
=> interface_addresses
=> interface_details
=> kextstat
=> last
=> launchd
=> listening_ports
=> nvram
=> osx_version
=> processes
=> routes
=> time
```
2014-09-25 21:39:07 -07:00
Abe Stanway
663e6756d7
Add libboost_regex.a
2014-09-25 19:18:47 +00:00
mike@arpaia.co
0387fde8b8
Adding permissions check around setting default log directory #130
2014-09-25 10:26:39 -07:00
Mike Arpaia
e1fa406096
Merge pull request #165 from facebook/travis
travis
2014-09-24 18:06:32 -07:00
mike@arpaia.co
135dd0dbe4
TravisCI configuration
2014-09-24 18:05:33 -07:00
Teddy Reed
8aaecefec0
Merge branch 'master' of github.com:facebook/osquery into events_updates
2014-09-24 13:55:42 -07:00
Teddy Reed
9220da7e3d
[events] Registry integration
2014-09-24 12:43:14 -07:00
mike@arpaia.co
5f4108c503
Moving all boost smart pointers to std smart pointers
2014-09-24 10:54:59 -07:00
Teddy Reed
9a2d299424
[events] Events and registry coordination
2014-09-24 10:46:37 -07:00
mike@arpaia.co
d7546de036
Relocatable build
Making it such that osquery doesn't need to be built in the repo "build"
subdirectory. gentable.py now accepts a positional argument which
indicates the output (which is calculated by cmake) so they don't have
to agree on a destination ahead of time.
2014-09-24 01:58:12 -07:00
mike@arpaia.co
466df023ef
makefile cleanups
2014-09-23 22:06:32 -07:00
mike@arpaia.co
91efb3963f
moving packages subdir to deploy
2014-09-23 21:37:55 -07:00
mike@arpaia.co
cc9aa5d73b
clang-format
2014-09-23 20:31:12 -07:00
mike@arpaia.co
6b25a216c9
periodic clang-format
2014-09-23 20:15:41 -07:00
mike@arpaia.co
7ca879215f
moving things from Makefile to CMake
2014-09-23 20:12:53 -07:00
mike@arpaia.co
9dc4c50fe4
moving generated tables to build subdir
2014-09-23 18:44:42 -07:00
mike@arpaia.co
6beb5d1247
Moving table generation to CMake
CMake now handles building all of the generated code.
2014-09-23 17:55:54 -07:00
Mike Arpaia
65bc860fb8
Merge pull request #157 from facebook/deb
Deb package creation for Ubuntu
2014-09-23 17:03:50 -07:00
mike@arpaia.co
e973c856c6
Deb package creation for Ubuntu
I used CPack to generate deb package files from the CMake "install"
target. What this means is, whatever would get installed by "make
install" will get installed by the deb.

"make package" on ubuntu will generate a file named: `osquery-$VERSION-$DISTRO.$ARCH.deb`

Consider the following example:
```
root@vagrant-ubuntu-trusty-64:/vagrant/build# dpkg --info osquery-0.0.1-trusty.amd64.deb
 new debian package, version 2.0.
 size 11311330 bytes: control archive=350 bytes.
     207 bytes,     9 lines      control
     102 bytes,     2 lines      md5sums
 Package: osquery
 Version: 0.0.1
 Section: devel
 Priority: optional
 Architecture: amd64
 Installed-Size: 43369
 Maintainer: marpaia@fb.com
 Description: osquery is an operating system instrumentation toolchain.
```
2014-09-23 17:03:30 -07:00
Teddy Reed
974a53dd98
Merge pull request #155 from facebook/events_modules
Events modules and basic INotifyEventType
2014-09-23 13:01:59 -07:00
Teddy Reed
94953df90e
[events] Flesh out inotify eventtype
2014-09-23 13:01:03 -07:00
mike@arpaia.co
4218a4c2ab
cmake cleanups
2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c
linking tests against libosquery
2014-09-22 19:54:59 -07:00
mike@arpaia.co
1e774e50bf
static build on OS X and Linux
2014-09-22 19:27:19 -07:00
Teddy Reed
bb7097a255
[events] EventType threads for each run loop
2014-09-22 18:35:12 -07:00
mike@arpaia.co
fc324b929f
Revert "build shared by default"
This reverts commit 90703b95f0.
2014-09-22 17:27:57 -07:00
mike@arpaia.co
ebfc47b399
Edits to https://github.com/facebook/osquery/pull/148/
2014-09-22 14:35:59 -07:00
mike@arpaia.co
16122544f5
Reorganizing tests so that the public headers don't have to include gtest
2014-09-22 14:30:52 -07:00
Teddy Reed
9b42c060ea
[events] Linux inotify event type
2014-09-22 01:47:50 -07:00
mike@arpaia.co
627821abc1
Periodic clang-format
2014-09-21 14:29:28 -07:00
mike@arpaia.co
b5ee19f49f
Removing the osquery::db namespace
2014-09-21 14:27:09 -07:00
mike@arpaia.co
90703b95f0
build shared by default
2014-09-20 18:53:49 -07:00
mike@arpaia.co
20bbef53b6
Cross platform build environment maker
Currently works on Ubuntu 14.04 and Mac OS X 10.9. There are more
supported operating systems coming soon to a theater near you.
2014-09-20 16:01:47 -07:00
Teddy Reed
eee37034b4
[events] Intro of non-async event framework
2014-09-18 15:05:41 -07:00
Teddy Reed
9516bf8fd7
Regressions from core NS removal, linux includes
2014-09-17 10:29:22 -06:00
mike@arpaia.co
f06a4ba52e
cleaning up the plugin interfaces
2014-09-16 01:34:39 -07:00
mike@arpaia.co
5998dbd1c5
clang-format
2014-09-16 00:36:49 -07:00
mike@arpaia.co
d9edc81041
Updating the format of doxygen comment blocks
2014-09-16 00:28:23 -07:00
mike@arpaia.co
0eab76a20c
refactored aggregateQuery to query
2014-09-15 23:07:03 -07:00
mike@arpaia.co
65ec7685f1
doxygenifying conversion header
2014-09-15 22:56:11 -07:00
mike@arpaia.co
4a048db278
database namespace documentation
2014-09-15 17:13:22 -07:00
mike@arpaia.co
7d97186a26
comments for core.h
2014-09-15 12:23:07 -07:00
mike@arpaia.co
de426754d9
moving fs to the global namespace
2014-09-15 11:47:52 -07:00
mike@arpaia.co
d29c58f795
moving scheduler to global namespace
2014-09-15 11:26:16 -07:00
mike@arpaia.co
05f4bc513c
down with scheduledQueries_t
2014-09-15 11:17:48 -07:00
mike@arpaia.co
b7f8f5f72a
moving logger to the global namespace
2014-09-15 11:14:17 -07:00
mike@arpaia.co
fb2591d82a
#143
2014-09-15 11:09:33 -07:00
mike@arpaia.co
ad9b0bb5c1
Doxyfile, for docs
2014-09-13 15:18:26 -07:00
mike@arpaia.co
d11bf05167
casting google::int32 to size_t
2014-09-13 14:19:14 -07:00
mike@arpaia.co
7953bce125
fixing a typo in a variable name
2014-09-13 14:18:54 -07:00
mike@arpaia.co
6a0e5b7ddb
Removing the unimplemented transaction locking methods in DBHandle
2014-09-13 13:53:12 -07:00
mike@arpaia.co
e838110e84
Moving header to include
2014-09-12 17:50:03 -07:00
Mike Arpaia
7534dc60f9
Merge pull request #134 from facebook/queue
osquery thread pool
2014-09-12 17:45:20 -07:00
mike@arpaia.co
073dd2d5c4
osquery thread pool
this is an implementation of a thread pool, using thrift's thread
manager class.
2014-09-12 08:18:25 -07:00
Abe Stanway
516b7b4563
Intervals at a second instead of a minute ( #131 )
2014-09-10 17:29:59 -04:00
Mike Arpaia
db0f0105dd
Revert "Skip tests when making 'fast'"
2014-09-09 21:37:08 -07:00
mike@arpaia.co
c9fafc00d3
using '#pragma once' instead of '#ifndef HEADER'
Let's start using #pragma once for our headers. It's fewer lines of code,
clang supports it, headers become more movable, etc. It's all around a
better plan.
2014-09-09 18:54:53 -07:00
mike@arpaia.co
cec7b33afb
removing unused header includes
2014-09-09 18:43:41 -07:00
Teddy Reed
2e150ef8a9
Skip tests when making 'fast'
2014-09-09 16:25:22 -07:00
mike@arpaia.co
df1332277d
clang-format
2014-09-09 16:14:54 -07:00
mike@arpaia.co
4f2298ef33
improving the organization of command line flag parsing
2014-09-09 16:10:57 -07:00
Teddy Reed
bb33e4b6e8
Merge pull request #120 from facebook/linux-routes-vtable
...
[vtables] Routes table for Linux
2014-09-09 16:08:00 -07:00
Teddy Reed
825b50f932
[vtables] Routes table for Linux
2014-09-09 16:07:36 -07:00
Mike Arpaia
d71478ea29
Merge pull request #121 from facebook/osquery-84
override --help flag and print custom help
2014-09-09 15:59:34 -07:00
mike@arpaia.co
4f223766fc
osquery-84 override --help flag and print custom help
2014-09-09 15:35:34 -07:00
Teddy Reed
bfba3d491d
Merge pull request #117 from facebook/linux-processes-vtable
...
[vtables] Processes table for Linux (procps3)
2014-09-09 14:43:26 -07:00
mike@arpaia.co
d4c7673011
re-adding the scheduler tests
2014-09-09 11:17:09 -07:00
mike@arpaia.co
509aba53bb
re-adding registry_tests after getting apparently disabled
2014-09-09 11:13:21 -07:00
Mike Arpaia
79c964a641
Update status.h
2014-09-09 11:03:23 -07:00
mike@arpaia.co
130fe2ad41
updates to status.h
Making it such that all the return values are const. Added a few method
comments.
2014-09-09 11:02:17 -07:00