valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 18:08:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,805 Commits 2 Branches 109 Tags 25 MiB
0ba2861cf9
Commit Graph

360 Commits

Author SHA1 Message Date
Teddy Reed
0ba2861cf9 [Fix #1920] Detach thread before joining/clearing (terminate) 2016-03-13 12:15:18 -07:00
Teddy Reed
3de52846d0 Remove boost::thread 2016-03-11 11:50:44 -08:00
Teddy Reed
26c8b5640f Fix various lint issues 2016-03-09 19:55:39 -08:00
Teddy Reed
afd17f8134 1. Reorganize RocksDB database handle into a plugin 
2. Introduce a SQLite-based database plugin
3. Refactor database usage to include local 'fast-calls'
4. Introduce an 'ephemeral' database plugin for testing (like a mock)
 2016-03-06 20:40:16 -08:00
Teddy Reed
b21c2ed943 [#1816] Refactor DB instance management 2016-02-25 19:07:52 -08:00
Teddy Reed
9c42ba51b3 Merge pull request #1858 from theopolis/sqlite_3.11 
Bump sqlite to 3.11.0
 2016-02-21 23:35:01 -08:00
Teddy Reed
9a54af29ce Bump sqlite to 3.11.0 2016-02-21 22:40:37 -08:00
Teddy Reed
3101a32b01 Improve logging tests, add filesystem logger tests 2016-02-21 19:40:16 -08:00
Teddy Reed
15b037542e Merge pull request #1850 from theopolis/consolidate_conversions 
Consolidate string/text conversions outside of API
 2016-02-13 09:53:03 -08:00
Teddy Reed
8dc0fc1c95 Consolidate string/text conversions outside of API 2016-02-12 11:38:15 -08:00
Teddy Reed
a9f1c65324 [Fix #1828] Remove inline include from distributed 2016-02-11 22:19:49 -08:00
Baraa Hamodi
21c2237eca [osquery] Update copyright headers to new format. 2016-02-11 11:48:58 -08:00
Teddy Reed
4031e299bb Cleanup/stabilize file_events-related APIs 2016-02-10 22:50:38 -08:00
Teddy Reed
48a1adf77b Allow extensions autoloading in osqueryi 2016-02-10 10:20:23 -08:00
Teddy Reed
02eb57fc47 Merge pull request #1832 from theopolis/pack_valid 
Valid bool in packs for shard/plaform/version checking
 2016-02-06 20:29:55 -08:00
Teddy Reed
a2754a01ef Valid bool in packs for shard/plaform/version checking 2016-02-06 17:54:56 -08:00
Teddy Reed
7f37304c77 Refactor dispatcher shutdown logic 2016-02-05 01:29:42 -08:00
Teddy Reed
f05cc345d3 Add an events_max limit for event buffering 2016-02-01 08:38:58 -08:00
Teddy Reed
87ea41c6ec Improve TLS logger performance 2016-01-21 10:43:15 -08:00
Teddy Reed
21b3af199e Allow packs to add file_path categories 2016-01-08 17:59:19 -08:00
Teddy Reed
75f545c16b Merge pull request #1698 from theopolis/single_line_logger 
[#1518] Only emit a single line for each logString
 2015-12-18 00:32:56 -08:00
Teddy Reed
c4f3db1613 Fix double event subscriber select 2015-12-17 19:23:26 -08:00
Teddy Reed
c5766da6d0 [#1518] Only emit a single line for each logString 2015-12-16 16:42:55 -08:00
Teddy Reed
51fd73c449 Assure dropTo can be used safely consecutively 2015-12-14 21:27:00 -08:00
Teddy Reed
a99b62a31d Preserve atime and mtime by default for readFile 2015-12-11 22:18:45 -08:00
Teddy Reed
59750ec87d Speed up file hashing 2015-12-11 00:36:16 -08:00
Teddy Reed
9d394065e3 [#1636] Add simple sharding to packs and pack queries 2015-12-10 10:01:53 -08:00
Teddy Reed
309944c586 Configuration triggered publisher reconfiguration 2015-12-08 14:03:35 -08:00
Teddy Reed
6602a59b7d Change EventSubscriber API to include subscription references 2015-12-07 22:22:04 -08:00
Teddy Reed
b7650e5291 Remove passwd_changes and user_data from event callbacks 2015-12-07 17:47:38 -08:00
Teddy Reed
12716496aa [Fix #1694] Expire results for 'old' scheduled queries 2015-12-07 12:23:43 -08:00
Teddy Reed
c020bb87b4 Merge pull request #1705 from theopolis/dump 
[#1702] Add config and database dumping to stdout
 2015-12-06 21:41:31 -08:00
Teddy Reed
eeff5d0bf0 [#1676] Clear node key on node_invalid 2015-12-06 14:28:00 -08:00
Teddy Reed
fef53fa0d0 Add config and database dumping to stdout 2015-12-06 11:01:26 -08:00
Teddy Reed
35129a7af7 [#1665, #1615] Refactor user-based tables to act uniformly 2015-11-24 12:46:25 -08:00
Teddy Reed
e1d7511600 Remove column type string representations 2015-11-14 15:57:30 -08:00
Teddy Reed
c2be670806 Table results caching 
1. Table implementations (spec files) can mark the table as 'cachable'.
2. Cached results depend on the shortest/quickest interval of scheduled
queries that act on results of the table.
3. The table API generator blocks caching on index/additional/required
table column options.
 2015-11-14 15:57:23 -08:00
Teddy Reed
4c2319f8dd Add GID to PrivilegeDropper 2015-11-08 01:03:08 -08:00
Teddy Reed
41ba637030 Linux inotify should accept non-glob dirs 2015-11-04 13:46:47 -08:00
Teddy Reed
edea3d6edd [Fix #1626] Add schedule blacklist and protect DBHandle 2015-11-03 20:50:22 -08:00
Teddy Reed
15215cdbc0 Add persistent splays 2015-11-02 14:10:04 -08:00
Teddy Reed
402490e75b Attempt to improve DB/query performance 2015-11-02 10:57:01 -08:00
Teddy Reed
5233d7dcf8 Add start time to osquery_info, remove md5/path 2015-11-02 10:57:01 -08:00
Teddy Reed
a1a9131174 Optimize socket_events and Linux users 2015-11-02 10:37:56 -08:00
Teddy Reed
d27a7ecc4c Fix clang warnings, promote warnings to errors 2015-11-01 02:12:07 -08:00
Teddy Reed
97a6521445 Merge pull request #1614 from theopolis/drop_around_files 
Expand the scope of permissions dropping
 2015-10-30 17:07:04 -07:00
Teddy Reed
09e4e3c42e Expand the scope of permissions dropping 2015-10-30 09:56:33 -07:00
Teddy Reed
2cf7543181 [Fix #1611] Prevent fs links in inotify path search 2015-10-29 23:19:07 -07:00
Teddy Reed
811d578739 Merge pull request #1599 from theopolis/socket_events 
Refactor a bit of config and add socket_events table to Linux
 2015-10-27 15:30:15 -07:00
Teddy Reed
b81b6de6ae This refactors a bit of config/packs and adds a socket_events table to Linux. 
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.

A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
 2015-10-27 15:13:02 -07:00