Teddy Reed
ff926730a9
Remove VirtualTable matrix rotation
2015-08-17 16:58:54 -07:00
Teddy Reed
5bf30a779d
RocksDB usage speedups
2015-08-15 20:43:53 -07:00
Teddy Reed
43cf5f1a0a
Merge pull request #1448 from theopolis/strol-speedup
...
Speedup type conversions, yara, and 10.10 symbols at runtime
2015-08-14 11:01:46 -07:00
Teddy Reed
68d7a6e0be
Speedup type conversions, yara, and 10.10 symbols at runtime
2015-08-13 18:04:03 -07:00
Teddy Reed
634dfe7da1
Merge pull request #1438 from sharvilshah/fix_homebrew_version
...
[Fix #1434] version reporting for homebrew_packages
2015-08-12 11:30:21 -07:00
Sharvil Shah
b190f5f99a
Fix #1433, os_version reporting for 10.11
2015-08-11 14:03:27 -07:00
Sharvil Shah
369040e69b
Fix version reporting for homebrew_packages. Fixes #1434
2015-08-11 01:50:40 -07:00
Michael O'Farrell
eefccf27b1
Switch boost lexical casts to strtol. This should be faster than a boost lexical cast.
2015-08-07 16:33:32 -07:00
Sharvil Shah
64588be88b
Fix build on OS X 10.11
...
enum `SecItemClass` changed in 10.11 headers,
so don't instantiate with rvalue of int.
Update `SecKeychainSearchCreateFromAttributes` to match the stricter definition.
Fixes #1423
2015-08-05 18:29:29 -07:00
Teddy Reed
1eea02ed9b
Merge pull request #1419 from theopolis/sql_optimizations
...
Several small optimizations around internal SQL queries
2015-08-03 16:11:36 -07:00
Teddy Reed
a11dfcc222
Merge pull request #1422 from theopolis/options_on_packs
...
Apply query options to pack queries
2015-08-03 15:50:05 -07:00
Teddy Reed
f86c9e7778
Apply query options to pack queries
2015-08-03 15:33:55 -07:00
Teddy Reed
67b0f51ab5
Several small optimizations around internal SQL queries
2015-08-03 07:56:55 -07:00
Michael O'Farrell
5d0e4be6a1
Merge pull request #1335 from mofarrell/kernel-file-events
...
Added kernel file access events.
2015-07-31 15:22:11 -07:00
Michael O'Farrell
9f2b318778
Added kernel file access events.
2015-07-31 15:06:46 -07:00
Mike Arpaia
a45c794f52
building on 10.9
2015-07-31 11:57:39 -07:00
osquery
ae8305e00e
Revert "Remove OS X 10.9 code path since we no longer support it"
...
This reverts commit 05bbe2ce06.
2015-07-31 11:44:34 -07:00
Michael O'Farrell
b0289adcf5
Merge pull request #1414 from theopolis/env_limits
...
Add optional environment variable whitelist to process_events
2015-07-30 18:17:31 -07:00
Teddy Reed
dc82ffa636
Add optional environment variable whitelist to process_events
2015-07-30 16:05:11 -07:00
Michael O'Farrell
8c8c591195
Merge pull request #1404 from mofarrell/load-kernel
...
Added loading of kernel.
2015-07-30 15:20:33 -07:00
Michael O'Farrell
eaf7de08df
Added loading of kernel.
2015-07-30 14:36:46 -07:00
Michael O'Farrell
9e20d5904d
Merge pull request #1412 from theopolis/use_sigkill
...
Use SIGKILL on OS X
2015-07-30 10:55:56 -07:00
Michael O'Farrell
f694149584
Merge pull request #1411 from mofarrell/benchmark-means
...
Benchmark using mean across 5 runs.
2015-07-29 18:00:35 -07:00
Teddy Reed
8082a0b5ac
Use SIGKILL on OS X
2015-07-29 17:05:45 -07:00
Michael O'Farrell
346743e87f
Benchmark using mean across 5 runs.
2015-07-29 16:50:19 -07:00
Chris Down
260df0d6d0
linux users table: Do not drop users with duplicate UIDs
...
See GitHub issue #1301. FreeBSD (which also uses this table) by default has two users which are UID 0 -- both `toor` and `root`. 19a2d64959 made it so that we would only get the first one from `getpwent`, but this feature is undesirable in cases where two different users share the same UID.
2015-07-29 09:00:47 -07:00
Teddy Reed
fa36a8918b
Merge pull request #1401 from theopolis/tests_and_benchmarks
...
Various additional tests and benchmarks
2015-07-28 13:20:46 -07:00
Teddy Reed
ff9cb71628
Various additional tests and benchmarks
2015-07-28 12:26:17 -07:00
Michael O'Farrell
93a65eaf04
Merge pull request #1400 from mofarrell/process-events-env-arg
...
Adding environment variables and arguments for process events.
2015-07-27 17:54:06 -07:00
Michael O'Farrell
3f87d5832f
Adding environment variables and arguments for process events.
2015-07-27 15:48:47 -07:00
Wesley Shields
698e226b80
Add tags and strings columns to YARA tables.
...
When strings match they will be populated into the "strings" column of
the table. The format is identifier:offset.
When a matching rule has tags defined the tags will be put into the
"tags" column of the table in a comma separated list.
2015-07-27 08:20:24 -04:00
Teddy Reed
e2553e26b1
Merge pull request #1391 from theopolis/1374
...
[Fix #1374] Allow subscription subclassing
2015-07-26 13:46:19 -07:00
Alex Gaynor
e9dca0ef4d
Fixed #1392 -- removed non-existent modes from .mode's help
2015-07-26 13:34:08 -04:00
Teddy Reed
d2effc539c
[Fix #1374] Allow subscription subclassing
2015-07-26 01:48:27 -07:00
Teddy Reed
af13c1b7ea
Silence google benchmark CMake output, remove benchmark tests
2015-07-24 09:52:29 -07:00
Teddy Reed
cce8a6aab3
Merge pull request #1384 from theopolis/table_cleanups
...
Remove some non-warning/error log lines from tables
2015-07-24 00:32:11 -07:00
Teddy Reed
2d7ce9341a
Remove some non-warning/error log lines from tables
2015-07-24 00:09:06 -07:00
Teddy Reed
928f46c00f
Merge pull request #1379 from theopolis/fix_1369
...
[Fix #1369] Limit IOKit HID events
2015-07-23 18:26:04 -07:00
Teddy Reed
5e3a86d2a8
Merge pull request #1376 from theopolis/fix_1367
...
[Fix #1367] Disable user-controlled FIFO reads
2015-07-23 18:25:52 -07:00
Teddy Reed
220fa0bd92
Merge pull request #1383 from theopolis/fix_1381
...
[Fix #1381] Add documentation/install for daemon+Homebrew
2015-07-23 18:25:40 -07:00
Teddy Reed
264ec99bd3
Merge pull request #1378 from mlw/fix-ubuntu10-string-concat-crash
...
Support for older GCC compiler
2015-07-23 18:25:05 -07:00
Michael O'Farrell
66b075a685
Merge pull request #1377 from mofarrell/benchmark
...
Added benchmarking targets.
2015-07-23 17:37:56 -07:00
Michael O'Farrell
a65f8dd93c
Added benchmarking targets.
2015-07-23 17:07:42 -07:00
Teddy Reed
81aa36ecc7
[Fix #1381] Add documentation/install for daemon+Homebrew
2015-07-23 16:05:59 -07:00
Javier Marcos
f91a96f590
Fixing problem with versionChecker and adding usecase to tests
2015-07-23 14:21:43 -07:00
Teddy Reed
7c330f0bf8
[Fix #1369] Limit IOKit HID events
2015-07-23 11:52:23 -07:00
Matthew White
1c3587b95a
Changed where string concat was being performed to support older GCC compiler
2015-07-23 08:56:26 -07:00
Teddy Reed
ad94eaf0b8
[Fix #1367] Disable user-controlled FIFO reads
2015-07-22 10:15:39 -07:00
Teddy Reed
fc24682816
Fix profile platform bug in leaks checking
2015-07-20 02:06:52 -07:00
Teddy Reed
e8cb919f03
Merge pull request #1364 from theopolis/harden_applications
...
[Fix #1357] Use OS X LS API for app listing
2015-07-20 01:14:07 -07:00
Mike Arpaia
5ccfe886ba
Merge pull request #1363 from theopolis/less_rows
...
[Fix #1303] Only emit rows when appropriate for processes/users.
2015-07-19 20:36:26 -07:00
Mike Arpaia
8a760d52db
Merge pull request #1361 from theopolis/dot_plist
...
[Fix #1355] Allow plist keys with '.'
2015-07-19 20:34:19 -07:00
Mike Arpaia
74021459c2
Merge pull request #1359 from theopolis/mutable_config_parser
...
Allow ConfigParserPlugins to update the ConfigData.
2015-07-19 20:34:11 -07:00
Mike Arpaia
4d05b54647
Merge pull request #1358 from theopolis/optimize_events
...
Optimize event publisher database namespace lookups.
2015-07-19 20:34:03 -07:00
Teddy Reed
dd7990b719
[Fix #1357] Use OS X LS API for app listing
...
Attempt to use OS X's LaunchServices to get a list of applications.
Fall back to basic directory traversal of well-known application paths.
2015-07-19 20:22:48 -07:00
Teddy Reed
5249e74146
[Fix #1303] Only emit rows when appropriate for processes/users.
...
When optimizing a table using query constraints, an implementation should not add unneeded rows.
A user experience bug exists when selecting with an explicit non-existing pid/uid.
2015-07-19 20:20:04 -07:00
Teddy Reed
8eaf389010
Optimize event publisher database namespace lookups.
...
Previously, event publishers used a canonicalized 'type' name for async callbacks.
This type was used to look up the publisher plugin in the registry as well as for backing store namespacing.
The type is still used, but subscribers, which made heavy use of the lookup, store the value locally.
This prevents unneeded publisher plugin allocation when adding events.
2015-07-19 17:10:42 -07:00
Teddy Reed
95775be1d9
[Fix #1355] Allow plist keys with '.'
...
Boost property trees are level delimited using '.' characters.
An Apple property list may contain keys with '.' characters, so the plist conversion must use iterators and raw node appends.
2015-07-19 16:24:43 -07:00
Teddy Reed
bcdbb40f0c
[Fix #1356] Tokenize process environ by '\0' on Linux
2015-07-19 14:34:49 -07:00
Teddy Reed
2109ae85b7
Allow ConfigParserPlugins to update the ConfigData.
...
Previously, `ConfigParserPlugin`s could only maintain an internal derived object called `data_`.
Then parts of the code that knew to use the plugin's data would call `getParsedData` and provide the name of the plugin.
Parser plugins can now request a mutable version of the `ConfigData` using `::mutableConfigData`.
This requires a lock on the `ConfigDataInstance` and must be provided to their mutable accessor.
Access to a mutable config enables parsers to make modifications to internal config structures like options and the query schedule.
2015-07-18 15:08:51 -07:00
Teddy Reed
a713d09f0e
Install additional configs for HB/packages
2015-07-17 16:07:22 -07:00
Teddy Reed
6104aaebfe
Add optional TLS config plugin refresh
2015-07-17 14:59:08 -07:00
Teddy Reed
c36fbda274
Merge pull request #1349 from theopolis/centos_version
...
[Fix #1319] CentOS version reporting and file read error
2015-07-17 09:07:29 -07:00
Teddy Reed
270b4da540
[Fix #1339] Add kernel-build to packages when used
2015-07-16 15:23:29 -07:00
Teddy Reed
f06820f578
[Fix #1319] CentOS version reporting and file read error
...
1. Redhat-based distributions were not reporting their version correctly.
2. The file read API assumed stat would return an accurate file size.
This has been replaced with an attempt to seek to the end of the file.
2015-07-16 14:16:51 -07:00
Teddy Reed
4cb6e37f1d
Merge pull request #1338 from theopolis/join_bug
...
Fix broken JOIN predicate passing
2015-07-16 11:45:33 -07:00
Teddy Reed
deecef81c5
Fix broken JOIN predicate passing
2015-07-16 11:29:56 -07:00
Mike Arpaia
9eeb224ce7
clang-format authorizations files
2015-07-16 11:09:16 -07:00
Mike Arpaia
333f0c5799
Merge pull request #1345 from achmiel/fix_symlinks
...
Updated the readFile function to correctly handle symbolic links
2015-07-15 23:21:35 -07:00
Artur Chmiel
ac9a320218
Updated the readFile function to correctly handle symbolic links
2015-07-16 07:55:12 +02:00
Mike Arpaia
485a7f78fb
Merge pull request #1318 from tburgin/master
...
Added authdb table
2015-07-15 21:51:53 -07:00
Teddy Reed
5f6577deb2
[Fix #1341] Add osqueryctl to make install target
2015-07-15 11:32:55 -07:00
Tom Burgin
e8d3e45cea
Added authorization_mechanisms and authorizations tables
2015-07-15 14:25:19 -04:00
Michael O'Farrell
0eba0776e5
Merge pull request #1336 from mofarrell/master
...
Kernel publisher only log info when not connected. [Fix #1334]
2015-07-14 20:27:45 -07:00
Michael O'Farrell
019defc788
Kernel publisher only log info when not connected. [Fix #1334]
2015-07-14 20:10:50 -07:00
Teddy Reed
263090e8f2
[Fix #1332] Check mode for links in readFile
...
1. "really" check for links in readFile
2. Apply the same restrictions and flag ACLs to file hashing.
2015-07-14 14:24:52 -07:00
Teddy Reed
c269bbeaf3
Rollup of build changes
2015-07-14 13:45:53 -07:00
Michael O'Farrell
276891ad00
Merge pull request #1330 from mofarrell/kernel
...
Kernel!!!
2015-07-13 17:29:08 -07:00
Michael O'Farrell
58ec6415d3
Created a basic publisher system for kernel events in the kernel extension.
2015-07-13 16:42:55 -07:00
Teddy Reed
3bd6b64b8b
Silence OS X OpenSSL-related deprecations
2015-07-13 10:14:47 -07:00
Teddy Reed
1d336ccdb0
Merge pull request #1321 from sharvilshah/cert_parsing_fixes
...
[Fix #1032] Better/faster performance when querying certificates on OS X
2015-07-13 09:02:44 -07:00
Sharvil Shah
1ac6702f32
Better/faster performance when querying certificates on OS X
...
X509 parsing is now handled by OpenSSL, as there does seem to be a
memory leak in SecCertificateCopyValues of the Security framework which resulted
in a performance hit when querying certificates.
key_usage and key_algorithm columns now display human-readable strings
(e.g. Digital Signature, CRL Sign, rsaEncryption)
rather than the raw flags and OIDs (e.g. 0x86, 1.2.840.1).
This fixes #1032
2015-07-12 11:18:53 -07:00
Mike Arpaia
370290d103
Merge pull request #1312 from theopolis/fix_getifaddres
...
Fix getifaddrs result / data checking
2015-07-10 01:46:55 -04:00
Teddy Reed
1de9eb68bc
Enable registry exceptions for benchmarking/testing
2015-07-08 23:35:49 -07:00
Teddy Reed
d3424f5831
Fix getifaddrs checking
2015-07-08 22:37:35 -07:00
Michael O'Farrell
4bbb591b37
Added kernel process events table.
2015-07-08 13:47:07 -07:00
Michael O'Farrell
0284b9e60d
Merge branch 'master' into kernel
...
Conflicts:
mkdocs.yml
2015-07-08 10:26:32 -07:00
Michael O'Farrell
ba28b47239
Merge pull request #1298 from theopolis/event_streams
...
Event index time and streaming
2015-07-07 18:27:35 -07:00
Teddy Reed
ab56011881
Apply FIM pattern matching to inotify
2015-07-07 18:18:45 -07:00
Teddy Reed
0854c3ddc3
Merge pull request #1292 from theopolis/memory_tweaks
...
Some tweaks to estimated scratch/heap for SQLite and RocksDB
2015-07-07 08:11:30 -07:00
Teddy Reed
f48619ed28
[#1285, #1276] Faster, optimized subscriber results
2015-07-07 00:59:28 -07:00
Teddy Reed
41002b829c
Merge pull request #1299 from timzimmermann/date
...
Add date information to time table
2015-07-07 00:46:32 -07:00
Teddy Reed
d2685cfa41
[#1142] Move path resolution into publisher logic
2015-07-07 00:45:55 -07:00
Teddy Reed
bf65e3d2d6
Event index time and streaming
2015-07-07 00:44:57 -07:00
Tim Zimmermann
0c3b123cb1
Add date information to time table
...
The fix also includes the time in ISO 8601 format
as well as the format returned by C++'s asctime().
See #1297.
2015-07-07 00:00:50 -07:00
Ari Rubinstein
be72e42bf1
Fix version string for TLS plugins
...
Before, osqueryd would send `osquery/OSQUERY_BUILD_VERSION` as the user agent and appeared broken. I copied the logic from the osquery version table and used that var here also so the user agent now reads 1.4.7
2015-07-06 22:12:26 -07:00
Teddy Reed
dd9fa25d78
[Fix #1171, #1089] Add configurable max reads
...
There are 3 new options that control how files are read:
--read_max: controls the maximum size, in bytes, for file reads. If a file is larger than `read_max` the read will fail.
--read_user_max: similar to `read_max` but applies additional limitations to user-controlled files.
--read_user_links: a boolean control to enable/disable following symlinks for user-controlled files.
Important highlights:
If files exceed the configured max, those reads will fail.
The `read_max` will override `read_user_max` if it is set lower.
A default integer value of `0` will disable the limitations.
The default `read_max` is set to 50M and the default `read_user_max` is 10M.
2015-07-06 00:49:43 -07:00
Ryan Steinmetz
6f6bd8cabc
- Fix build under FreeBSD
2015-07-03 19:47:47 -04:00
Teddy Reed
e73a867b75
Merge pull request #1269 from theopolis/fsevents_symlinks
...
[Fix #1063] Allow configure-time symlink resolution in FSEvents
2015-07-03 00:37:58 -07:00
Mike Arpaia
4f94c0034c
Merge pull request #1290 from timzimmermann/uptime
...
Uptime
2015-07-03 00:23:44 -07:00
Tim Zimmermann
fa988b4e56
Add uptime table
...
The table contains information about the time passed since the last boot.
2015-07-02 22:32:48 -07:00
Michael O'Farrell
a712cd5036
Fix processes table to report gid correctly.
2015-07-02 17:03:25 -07:00
Teddy Reed
546aaa885d
[Fix #1063] Allow configure-time symlink resolution in FSEvents
2015-07-02 16:50:27 -07:00
Teddy Reed
7aac5fd358
Replace custom wildcarding with POSIX-glob
...
POSIX-globbing will allow event publishers/subscribers to post-check
results against glob-syntax, fnpath matching, and POSIX C-regex.
These checks are anecdotally speedy.
2015-07-02 13:53:16 -07:00
Teddy Reed
a8813ab7d8
Some tweaks to estimated scratch/heap for SQLite and RocksDB
2015-07-02 13:52:39 -07:00
Teddy Reed
e24614c959
Merge pull request #1286 from theopolis/relay_status_logs
...
[#1277] Forward status logs to osqueryd workers
2015-07-02 10:33:58 -07:00
Michael O'Farrell
a00fb638c2
Added kernel event publisher.
2015-07-01 17:40:42 -07:00
Mike Arpaia
ba89b67cc5
Install snappy headers instead of just the library
...
We found that not installing the headers for snappy caused RocksDB's
snappy detection to not find that snappy was installed:
https://goo.gl/YOWJl0
The snippet there requires that the headers are installed, not just the
library. By installing the headers, we can ensure that snappy is linked.
OR, alternatively, we could just leave it and not link snappy. It's
uncertain what the specific benefits of including snappy are for our
use-case. (CC @igorcanadi)
2015-07-01 16:14:06 -07:00
Teddy Reed
79de0a5def
[#1277] Forward status logs to osqueryd workers
...
If watcher processes generate warning or error status logs they
will "relay" to the worker processes upon successful sanity check.
2015-07-01 15:26:26 -07:00
Michael O'Farrell
1ab7040d83
Kernel extension fixes for daemon shutdown process.
2015-06-30 18:00:25 -07:00
Michael O'Farrell
a7bd4bd3db
Merge pull request #1278 from facebook/master
...
Merge branch 'master' into kernel
2015-06-30 13:12:16 -07:00
Mike Arpaia
a2ec9d5885
rename osquery::getConfig to osquery::makeTLSConfigRequest
2015-06-29 23:33:40 -07:00
Teddy Reed
0d6ab16281
Yara events was not building
2015-06-29 14:45:31 -07:00
Michael O'Farrell
680ffd3bc8
Added a gangsta test (gtest) for the kernel communications.
...
This test does not evaluate the functionality of the kernel
communication unless the KERNEL_TEST flag was set during the build.
The test will not succeed unless the tests are being run as root.
2015-06-29 12:12:54 -07:00
Teddy Reed
d339877c01
Merge branch 'master' into kernel
2015-06-28 11:30:14 -07:00
Teddy Reed
6011ad06eb
Fix small issue with printing
2015-06-28 11:18:35 -07:00
Teddy Reed
8db6ca4a3f
[Fix #1198] Add a small retry to ext watcher
2015-06-28 02:12:50 -07:00
Michael O'Farrell
f4e05b992a
Merge branch 'master' into kernel
...
Conflicts:
mkdocs.yml
2015-06-26 17:04:42 -07:00
Michael O'Farrell
89fb4fbaf0
Moved kernel userland code into the osquery directory structure.
...
Test cpp files are dead.
2015-06-25 12:38:39 -07:00
Teddy Reed
e7ed68e187
[Fix #1198] Faster death/timeout checks in extensions tests
2015-06-25 02:53:53 -07:00
Teddy Reed
6437ddb82d
Merge pull request #1235 from sharvilshah/remove_os_x_10_9_code
...
Remove OS X 10.9 code path
2015-06-24 15:18:32 -07:00
Mike Arpaia
7d5cb221dd
Merge pull request #1239 from marpaia/1237-segfault
...
Check for nullptr in CreatePropertyFromCertificate
2015-06-24 08:25:25 -07:00
Mike Arpaia
d6389dc64d
Check for nullptr in CreatePropertyFromCertificate
2015-06-23 21:45:46 -07:00
Sharvil Shah
05bbe2ce06
Remove OS X 10.9 code path since we no longer support it
2015-06-22 20:49:34 -07:00
Teddy Reed
040d9d5fd1
Merge pull request #1216 from sharvilshah/osx_mount_events
...
[Implement #1103] DMG Mount Events
2015-06-22 12:38:32 -07:00
Sharvil Shah
f676ba7642
Implements disk_events and the related publisher and subscriber.
...
We now have a Publisher to report on disk events and its metadata,
using the DiskArbitration framework on OS X. Currently disk appearance
and disappearance events are published for both physical and
virtual disks (DMG files). On an event trigger, disk properties are
parsed and that metadata is reported along with the action.
The Subscriber subscribes to virtual disk events currently.
This closes #1103.
2015-06-22 11:09:18 -07:00
Teddy Reed
37188f788b
Fixups in tables, add DOUBLE, shell extensions
2015-06-22 04:17:23 -04:00
Teddy Reed
55f270ff97
OS X application duti/scheme listing table
2015-06-21 14:08:21 -04:00
Mike Arpaia
be85046d32
typo in keychain_acls table where path was being returned as app_path
2015-06-21 13:52:01 -04:00
Mike Arpaia
0a83572f08
Table to enumerate keychain ACLs
2015-06-20 14:59:07 -04:00
Mike Arpaia
fe8b25f443
Merge pull request #1218 from theopolis/osx_sandboxes
...
Add application sandbox container metadata
2015-06-19 11:01:03 -04:00
Teddy Reed
09ea12a2a7
Add application sandbox container metadata
2015-06-19 01:53:09 -04:00
Teddy Reed
fcc875ca47
Merge pull request #1212 from theopolis/syslog_plugin
...
[#1207] Add syslog plugin
2015-06-18 19:49:16 -04:00
Teddy Reed
b24cf6f20d
Add syslog plugin
2015-06-18 15:59:40 -04:00
Teddy Reed
f74af5a063
[Fix #1205] Prevent wrapping when calculating average schedule memory
2015-06-13 02:25:24 -07:00
Teddy Reed
e7ab2fc47b
Limit scope of git/tag version defines.
...
Harden plist parsing against internal fuzzing tests.
Improve file/stream read speeds.
2015-06-12 10:10:20 -07:00
Teddy Reed
d143b22cfa
[Fix #1202] Replace argv[*] with spaces, fallback to path in [0]
2015-06-11 20:58:17 -07:00
Teddy Reed
b56e9efd47
Merge pull request #1199 from theopolis/fix_open_sockets
...
Process open sockets on Linux needs '['
2015-06-07 14:04:45 -07:00
Teddy Reed
49eb22ef44
Process open sockets on Linux was added '['
2015-06-07 13:28:17 -07:00
Teddy Reed
e57d15da86
Merge pull request #1195 from theopolis/feature-nice
...
Various table perf improvements and TLS docs
2015-06-06 15:19:31 -07:00
Teddy Reed
727f5b091f
Various table perf improvements and TLS docs
2015-06-05 22:03:15 -07:00
Teddy Reed
4c80891010
Fix FSEvents multiplexing actions
2015-06-05 17:36:29 -07:00
Teddy Reed
1168b6ef3b
Fix the watchdog/scheduler limit tracking
2015-06-04 17:43:37 -07:00
Teddy Reed
4e59bcf4c1
Merge pull request #1191 from theopolis/feature-backoffs
...
[#1190] Schedule queries without logging removed results
2015-06-04 14:58:19 -07:00
Teddy Reed
e244883ea4
[#1190] Schedule queries without logging removed results
2015-06-04 13:53:55 -07:00
Mike Arpaia
ea70781f25
Merge pull request #1188 from marpaia/msr_format
...
Formatting the callback function in the model_specific_register table
2015-06-04 12:17:19 -07:00
Teddy Reed
a70828c2a4
Merge pull request #1187 from sharvilshah/xattr_update
...
Extended Attributes: Use LaunchServices API for quarantine data
2015-06-03 22:38:17 -07:00
Sharvil Shah
065fe6412d
Use LaunchServices (part of CoreServices) to grab quarantine properties instead of manually parsing the colon separated attribute data.
...
Fall back to deprecated LaunchService API for OS X 10.9 Mavericks.
Added tests for extended_attributes
Better error handling and cleanup
2015-06-03 22:18:45 -07:00
Teddy Reed
8e2b7e1281
Merge pull request #1189 from theopolis/tooling
...
Update tooling/profiling paths and use a better random seed
2015-06-03 22:15:22 -07:00
Teddy Reed
c934ad0df3
Update tooling/profiling paths
2015-06-03 21:22:12 -07:00
Mike Arpaia
657731b11c
Formatting the callback function in the model_specific_register table
...
`int osquery::filter(const struct dirent*)` seemed like a pretty generic
symbol to have in our symbol table, so I changed it to
`int msrScandirFilter(const struct dirent*)`
2015-06-03 20:56:16 -07:00
Michael O'Farrell
5e9383a16b
Created a table for information in the model specific register.
...
This information is primarily related to the performance of processor
cores. The information given constitutes only a small portion of
the information in the model specific register, but this table
has been designed so that more information may easily be added.
The table requires osquery be run as root, and that the msr
kernel module is loaded. The table reads the msr data from /dev
2015-06-03 15:55:57 -07:00
Teddy Reed
8aacaca7eb
Query pack platform binds should match any/all
2015-06-03 13:56:39 -07:00
Teddy Reed
a105924804
Move specs to a top-level path, add query examples
...
1. Example queries will run with an (optional) integration test.
2. Fix bad accesses with OS X package BOMs
3. Move spec files from ./osquery/tables/specs to ./specs
4. Remove server parsers (netlib) from client builds.
2015-06-03 10:39:05 -07:00
Teddy Reed
31ee0e35c0
Merge pull request #1177 from sharvilshah/fix_deallocation_build_error
...
Fix OS X build: Deallocate array with delete[] instead of delete
2015-06-02 15:24:24 -07:00
Javier Marcos
64c94f9043
Merge pull request #1179 from javuto/fix_platform_packs_schedule
...
Fix that checks the right platform to schedule packs
2015-06-02 15:22:11 -07:00
Javier Marcos
b87f9f6a50
Final fix for the platform check
2015-06-02 15:11:57 -07:00
Sharvil Shah
4ab79a8bd6
deallocate array with delete[] instead of delete
2015-06-02 15:09:22 -07:00
Teddy Reed
0669d8205e
Merge pull request #1174 from theopolis/remote_logger
...
TLS/HTTPS-based logger plugin
2015-06-02 02:59:34 -07:00
Teddy Reed
33f53809ad
Fix DBHandle checking with concurrent processes.
...
`make tests` fails with another osquery process running.
The backing-store check happens after a config plugin is setUp and
the initial load occurs. This may involve calls to cached keys; the
check should occur pre-config initialize.
2015-06-02 02:50:04 -07:00
Teddy Reed
da9bd5801b
Migrate HTTP remote logger to TLS logger
2015-06-01 10:12:31 -07:00
Wesley Shields
80749c3531
Chase constraint changes introduced in #1170.
...
The changes done in #1170 broke some of the tables on FreeBSD.
2015-05-30 01:42:44 +00:00
Wesley Shields
571fd65796
Fix build on FreeBSD.
...
Missing osquery/tables.h include in routes.cpp and need to add gen_users
to blacklist on FreeBSD.
2015-05-30 01:14:08 +00:00
Teddy Reed
f954e2c7e8
Merge pull request #1170 from mofarrell/exists-all
...
Constraint existence now checks for constraints using specific operator types.
2015-05-29 16:10:30 -07:00
Michael O'Farrell
77aa36fa0b
Constraint existence now checks for constraints using specific operator types.
...
This change allows QueryContext constraints to be checked for based on
operator type. This makes checks for the existence of an equality
operator allow enumeration.
Example:
  if (context.constraints["pid"].exists(EQUALS)) {
    pids = context.constraints["pid"].getAll(EQUALS);
  } else {
    osquery::procProcesses(pids);
  }
2015-05-29 13:47:04 -07:00
Wesley Shields
6558f605ff
Implement process related tables on FreeBSD.
...
This implements the following tables on FreeBSD:
process_envs
process_memory_map
process_open_files
process_open_sockets
processes
All the heavy lifting is done with libprocstat(3). All the tables follow
the same general principle. Use the common function, getProcesses() in
procstat.cpp, to get the processes and then generate the rows for each
process returned. There is also a procstatCleanup() function commonly
used across all the tables.
The one thing I am not able to test is the process_open_sockets table on
an IPv6 machine.
2015-05-29 19:17:49 +00:00
Mitchell Grenier
418e6495c0
Adding a remote logger for osquery
...
The first draft of the remote logger for osquery. This should give a rough idea
of how the code will be structured and function. RFC please.
At the advice of @theopolis, I removed the category type and added the
http_logger key. We figure this should be more efficient and doesn't have to
be known at compile time.
2015-05-28 17:14:56 -07:00
Teddy Reed
ce3ac8a7e3
Merge pull request #1164 from theopolis/packs
...
Pack and testing fixups
2015-05-28 16:47:35 -07:00
Teddy Reed
4064fa6eb5
Pack and testing fixups
2015-05-28 12:17:27 -07:00
Mark Ignacio
84f8203dfd
Converted CFAbsoluteTime in X509 certificates to UNIX time
2015-05-27 15:23:46 -07:00
Teddy Reed
ff9243bce1
Merge pull request #1159 from mofarrell/user-groups-table
...
Wrote a user_groups table for Darwin and Linux based systems.
2015-05-27 11:38:06 -07:00
Michael O'Farrell
80356b26f0
Wrote a user_groups table for Darwin and Linux based systems.
...
The user_groups table represents the association between user ids and group ids.
Darwin Issue:
Issues arise in Darwin systems with users that are members of many groups due
to a bug in Apple's implementation of getgrouplist. If the number of groups a
user is a member of is greater than 64, a truncated association table may
be returned.
2015-05-27 10:32:46 -07:00
Teddy Reed
8b3686a58a
TLS plugin workflow tests
2015-05-26 19:55:00 -07:00
Teddy Reed
b90b21bc2d
[Fix #1154] Clean up CMake messages and check TP
2015-05-23 17:15:28 -07:00
Teddy Reed
5e8c9b66d4
Merge pull request #1153 from theopolis/cleans
...
Detect TLS version from OpenSSL/CMake FIND_LIBRARY
2015-05-23 13:57:23 -07:00
Teddy Reed
4a6c002f62
Allow unit tests execs from project root
2015-05-23 13:12:31 -07:00
Teddy Reed
5969ae4fbf
Clean up TLS-version from OpenSSL detection
2015-05-23 13:04:36 -07:00
Teddy Reed
700384dedc
Minify tables namespace, extra CMake macros
2015-05-22 10:29:04 -07:00
Javier Marcos
9a4f611baf
Merge pull request #1155 from javuto/osquery_packs_table
...
Osquery packs table
2015-05-21 20:32:45 -07:00
Javier Marcos
f86b2bc6f3
Adding checks to avoid duplicated queries in the schedule
2015-05-21 19:23:38 -07:00
Mike Arpaia
6f30c40041
Merge pull request #1152 from sharvilshah/xattr_parse_where_from
...
More thorough where_from parsing in extended_attributes
2015-05-21 16:32:32 -07:00
Javier Marcos
2b834a401a
Fixing problem with extensions test, utility tables were added to core
2015-05-21 14:10:20 -07:00
Javier Marcos
886ad6e928
Added table for the packs and check for already scheduled queries
2015-05-21 13:42:45 -07:00
Sharvil Shah
a216ef2886
Use CoreServices Metadata API to parse kMDItemWhereFroms for file xattrs and now includes non-browser values too
2015-05-20 10:50:25 -07:00
Teddy Reed
4ff2fc1db2
Merge pull request #1151 from theopolis/crontab-fix
...
Include several search paths for user crontabs
2015-05-20 10:47:32 -07:00
Javier Marcos
c6855fab43
Table for osquery packs
2015-05-19 18:44:28 -07:00
Teddy Reed
b3338dc5d2
Merge pull request #1146 from theopolis/tls
...
Towards TLS config/logging
2015-05-19 17:17:04 -07:00
Teddy Reed
2a1f496cc5
Towards TLS config/logging
2015-05-19 17:05:55 -07:00
Teddy Reed
983d107fe6
Search for crontabs in /cron and /cron/crontabs
2015-05-19 15:51:03 -07:00
Ryan Steinmetz
949f84f3a8
Add mounts table support under FreeBSD
...
Cleanup blacklist entries for FreeBSD (mounts/users/groups)
2015-05-19 15:33:06 -07:00
Javier Marcos
65e6e38e0f
Merge pull request #1143 from javuto/pack_config_changes
...
Support to load query packs as scheduled queries
2015-05-16 15:37:27 -07:00
Javier Marcos
47e680e825
Adding tests and implementing version checker
2015-05-15 22:25:19 -07:00
Teddy Reed
525c584a0b
Merge pull request #1141 from theopolis/static_cryptsetup
...
Build libcryptsetup statically
2015-05-14 22:33:56 -07:00
Teddy Reed
9ee839b265
Build libcryptsetup statically
2015-05-14 19:36:00 -07:00
Javier Marcos
aa27159bb8
Proper update of the schedule and iterate all the packs
2015-05-14 17:20:00 -07:00
Javier Marcos
e170692db6
Top level key is packs
2015-05-13 23:10:44 -07:00
Javier Marcos
4d8b05d861
Adding parsed packs to schedule
2015-05-13 21:19:54 -07:00
Javier Marcos
9e9ab079ec
Adding support for packs in configuration files
2015-05-13 13:55:01 -07:00
Blake Frantz
3a49fc46c8
Merge remote-tracking branch 'upstream/master'
2015-05-13 07:38:41 -07:00
Ryan Steinmetz
0777fa5fe2
- Add users/groups support for FreeBSD
2015-05-12 23:47:20 -07:00
Wesley Shields
81eac8e89a
Fix build on FreeBSD.
2015-05-12 19:13:43 +00:00
Mike Arpaia
fff36af0af
Removing trailing whitespace
2015-05-11 23:31:13 -07:00
Blake Frantz
805db480c5
Merge remote-tracking branch 'upstream/master'
2015-05-11 16:08:59 -07:00
Teddy Reed
5b43067c98
Merge pull request #1130 from theopolis/patch-134
...
[Fix #1125 #1126] Flag padding checks, config_check tests
2015-05-11 13:43:36 -07:00
Teddy Reed
771ed4da2f
[Fix #1125 #1126] Flag padding checks, config_check tests
2015-05-11 10:37:16 -07:00
Mike Arpaia
25bd6e7b70
[Fix #1132] Headers to /usr/local/include
2015-05-11 09:36:15 -07:00
Blake Frantz
2e865a69d6
Merge remote-tracking branch 'upstream/master'
2015-05-10 14:38:33 -07:00
Blake Frantz
2c4ae6758a
initial commit for adding support for amazon linux 2015.03
2015-05-10 11:42:30 -07:00
Teddy Reed
8235fd155f
Merge pull request #1122 from theopolis/relax_deps
...
Relaxing iptables, EL-deps
2015-05-09 23:52:28 -07:00
Teddy Reed
3e9f40f73f
[Fix #1121] Minify shell table/schema, add meta tests
2015-05-09 19:48:28 -07:00
Teddy Reed
98b52c39a1
Relaxing iptables, EL-deps
2015-05-09 18:16:13 -07:00
Teddy Reed
b5be0212e2
Merge pull request #1120 from theopolis/iptables_best
...
Adding new table to display iptables filters, chains and rules
2015-05-08 20:10:34 -07:00
Javier Marcos
4f21090fb8
Adding new table to display iptables filters, chains and rules
...
Patching headers to avoid void pointers
Adding test for parsing ipt_ip entries
2015-05-08 19:11:49 -07:00
Teddy Reed
1de7cfb331
Use CMake find_package for python, fix ifaddrs on FreeBSD
2015-05-08 18:49:01 -07:00
Teddy Reed
24a638eaaf
Remove cpp-netlib from make install
2015-05-08 14:00:09 -07:00
Teddy Reed
434ace85d5
Merge pull request #1113 from theopolis/http_tests
...
[Fix #1048] Cleaner additional tests
2015-05-08 11:54:25 -07:00
Teddy Reed
258dd62b24
Merge pull request #1114 from theopolis/rhel_centos_tables
...
RHEL table parity with CENTOS
2015-05-08 11:54:20 -07:00
Teddy Reed
bf1de3b95e
Merge pull request #1110 from theopolis/build_freebsd
...
Towards building on FreeBSD/ports
2015-05-08 10:53:07 -07:00
Teddy Reed
6919065b4b
RHEL table parity with CENTOS
2015-05-07 23:23:32 -07:00
Teddy Reed
c7b9114975
Towards building on FreeBSD/ports
2015-05-07 23:12:30 -07:00
Teddy Reed
311f9bd55f
Cleaner additional tests
2015-05-07 22:07:14 -07:00
Teddy Reed
a7daa0ace5
Apply a safe permissions check to worker
2015-05-07 00:19:10 -07:00
Teddy Reed
a64270f324
Merge pull request #1106 from theopolis/dispatcher_hardening
...
Harden extensions/dispatcher tests
2015-05-06 21:07:46 -07:00
Teddy Reed
c50838922f
Merge pull request #1102 from theopolis/sync_builds
...
Easier build host-based sync
2015-05-06 21:06:53 -07:00
Teddy Reed
ee872d3fbe
Harden events tests
2015-05-06 20:33:39 -07:00
Jack Naglieri
8e3e7ef7be
Fixed crontab parsing issue in RHEL 6.5.X
2015-05-06 13:03:34 -07:00
Teddy Reed
23933cefe8
Harden extensions/dispatcher tests
2015-05-05 23:34:10 -07:00
Teddy Reed
e6c838131b
Limit the number of RocksDB log files
2015-05-05 16:14:24 -07:00
Teddy Reed
70e3c190bb
Easier build host-based sync
2015-05-05 15:15:45 -07:00
Teddy Reed
cdb112eccb
Add a CMake variable for packages
2015-05-04 17:09:09 -07:00
Teddy Reed
d6eb63ae2f
Merge pull request #1097 from theopolis/intel_perf_limits
...
Limit memory checks to worker allocations
2015-05-04 12:14:43 -07:00
Teddy Reed
fa35ee5f7b
Merge pull request #1095 from theopolis/raw_sockets
...
[Fix #1080] Remove netlink, support raw sockets
2015-05-04 12:09:37 -07:00
Teddy Reed
5b60eb9fb8
Limit memory checks to worker allocations
2015-05-04 11:30:25 -07:00
Teddy Reed
893f678403
Linting and asan fixups
2015-05-04 11:00:21 -07:00
Teddy Reed
7da8b6f68a
[Fix #1080] Remove netlink, support raw sockets
2015-05-04 10:57:49 -07:00
Teddy Reed
c63bf0451a
Various exception hardening
2015-05-03 14:18:20 -07:00
Teddy Reed
e01a73b4f3
Schedule monitoring, doc updates, logger plugin fixes
2015-05-03 11:54:15 -07:00
Mike Arpaia
3311e17c06
[FIX #1082] Removing cpp-netlib from SDK
2015-05-01 14:00:10 -07:00
Sharvil Shah
2735e731de
Implement --disable_tables runtime flag
2015-04-30 01:41:01 -07:00
Teddy Reed
13c4e27629
Merge pull request #1067 from theopolis/snapshots
...
[#966] Allow snapshot scheduled items
2015-04-29 18:47:24 -07:00
Teddy Reed
a4c3a869de
Merge pull request #1073 from theopolis/file_events
...
Rename file_changes to file_events
2015-04-29 18:43:57 -07:00
Javier Marcos
e83b813399
Support RHEL6
...
This enables support for building osquery in RHEL6
2015-04-29 18:31:13 -07:00
Teddy Reed
9658d4377c
Rename file_changes to file_events
2015-04-29 16:27:29 -07:00
Teddy Reed
c012d1c1d3
Merge pull request #1070 from wxsBSD/yara_relative
...
Make YARA rule compiling handle relative paths.
2015-04-29 15:56:17 -07:00
Teddy Reed
b66a350526
Allow snapshot scheduled items
2015-04-29 15:55:00 -07:00
Teddy Reed
d0bbb0bc4f
Towards safer and shuffled unittests
2015-04-29 14:43:27 -07:00
Wesley Shields
546d298196
Move yara relative paths to /etc/osquery/yara.
2015-04-29 10:16:11 -04:00
Wesley Shields
82123d14d1
Make YARA rule compiling handle relative paths.
...
Previously this only existed in the yara table, but it now exists in the
yara config parser land, which will compile signature groups upon
update. Now your signature groups can reference signature files using
paths relative to /var/osquery.
2015-04-28 23:06:02 -04:00
Teddy Reed
467ecc20ae
Merge pull request #1059 from theopolis/shell_improv
...
Various shell fixups
2015-04-27 17:29:02 -07:00
Teddy Reed
d5b9c0216b
Merge pull request #1058 from theopolis/catching_registry
...
Apply vegas-style rules to call
2015-04-27 17:28:18 -07:00