Read the analysis within #5952.
There are multiple sources suggesting an optimal value is 0. Our
implementation previously hardcoded the value to 1. It is now 0 and can
be configured to a different value using the audit_backlog_wait_time
option or command line flag.
If a Thrift server is requested to stop before everything is
properly initialized, a race condition could happen.
Specifically, if stopping during a listen(), a race condition will happen
accessing childInterruptSockWriter_, which is a socket initialized by listen(),
in a non-thread-safe way, and used by stop() to notify other threads
that they should shut down.
This was determined to be the wrong approach to adding simple
killswitches. The intent was to quickly flip on/off features. It was
not widely adopted due to the dependencies killswitching has.
A different approach is to implement the same functions with something
simple like filesystem flags.
There is a bug in RapidJSON 1.1.0 that results in wild pointer reads
when parsing exponents. We want to prevent regressing.
This requires updating the Buck/pre-built libraries.
Multiple flags are moved from FLAG to CLI_FLAG due to the way they are
implemented/used in code. If they were FLAG(s), meaning if they were
also configurable via configuration at runtime, the new values would
still be ignored.
These are:
- logger_tls_endpoint
- logger_tls_period
- logger_tls_max
The flag logger_tls_max has been renamed to logger_tls_max_linesize and
an alias is added for compatibility.
A new flag is added, logger_tls_max_lines, to expose a previously
hardcoded value of 1024 for the maximum number of log lines to send
every period.
When a thread different from the main one requests a shutdown
through Initializer::requestShutdown, it should not call
waitForShutdown; there's no reason to wait. Moreover, the function
doesn't only wait, but also actually stops other components and then
finally calls exit().
Since the main thread is already inside the waitForShutdown call
waiting on Dispatcher::joinServices or inside the shutdown() callable
on Windows, having a secondary thread do
the same work potentially at the same time is wrong.
Moreover calling exit() from a secondary thread is most of the time
incorrect.
The waitForShutdown function has been renamed to waitThenShutdown
to better represent what it's actually doing.
On macOS it is possible to have interfaces that have no netmask
set, for example:
| utun1 | 100.xx.xx.xx | | | 100.xx.xx.xx | unknown |
This causes the interfaces test to fail. This change allows the
mask field to be blank and the test to pass on systems with this
type of interface configured.
The sockaddr for this interface has an ifa_netmask with sa_family
set to zero (AF_UNSPEC) which causes getnameinfo(3) to fail.
ifconfig does return a netmask for this interface but it's not
clear if the value is at all meaningful.
Right now, there is no way to tell what platform osquery is running on. We have `os_version.platform` and `os_version.platform_like`, but they are highly inconsistent, and require a lot of custom parsing to use. We should expose the underlying platform bitmask.
This adds the `platform_mask` to the `osquery_info` table.
This replaces https://github.com/osquery/osquery/pull/5488
There is a memory leak when a SQL statement is evaluated and returns an
error while stepping. An example includes returning sqlite3_result_error
from regexStringMatchFunc. The root cause is not finalizing a prepared
statement.
This commit creates a new osquery/main/harnesses directory and moves fuzz-config there.
It removes OSQUERY_FUZZ for a new option OSQUERY_ENABLE_FUZZER_SANITIZERS.
It creates a new option OSQUERY_ENABLE_ADDRESS_SANITIZER.
The following behaviors are intended:
OSQUERY_BUILD_TESTS=ON will build the fuzzing harness. This configuration is not
intended for fuzzing purposes. OSQUERY_ENABLE_FUZZER_SANITIZERS=ON will also build
the fuzzing harness. However, if this variable is true, it also requires
OSQUERY_ENABLE_ADDRESS_SANITIZER=ON and either CMAKE_BUILD_TYPE=Release or
RelWithDebInfo. This configuration is actually intended for fuzzing.
CMake utility functions (generateOsqueryExtensionGroup, addOsqueryExtension{Ex},
addOsqueryModule) to add extensions.
Updates the boost library submodules needed for extensions build.
Use cache variable (OSQUERY_EXTENSION_GROUP_NAME) for the grouping of extensions
and fix the linkage with osquery interface library.
Instead of moving a patched submodule from source to build directory,
we copy it and then hard reset the submodule to its original HEAD.
Minor message change when a library fails to be imported.
When requesting kSecClassIdentity items from the keychain sometimes
invalid items are returned. These cause errSecInvalidItemRef to
be returned from SecKeychainItemCopyAttributesAndData and result
in an empty row in the table. Catch the error and avoid returning
empty rows.