Commit Graph

493 Commits

Author SHA1 Message Date
Teddy Reed
1f1b38976a Merge pull request #261 from facebook/crontab
[vtables] Crontab parsing for system/users
2014-10-29 02:52:11 -07:00
Teddy Reed
6db0c67555 Merge pull request #269 from vmauge/suidbin
Add suid_bin vtable
2014-10-29 02:30:29 -07:00
Teddy Reed
8a9374d6e3 [vtables] Support linux crontab vars 2014-10-29 02:24:00 -07:00
Teddy Reed
94c64d80ce Merge pull request #267 from facebook/kernel_modules
[vtables] Linux kernel modules from procfs
2014-10-29 02:03:46 -07:00
Vincent Mauge
471d5faaa0 Add suid_bin vtable
The vtable reports:
- path: full path of the file
- unix_user: name of the owner (if not available display the uid)
- unix_group: name of the group (if not available display the gid)
- permissions: report suid or guid
	* S for suid bin
	* G for guid bin

Example:
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path                                                                                               | unix_user | unix_group    | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps"                                                                                          | root      | wheel         | S           |
| "/bin/rcp"                                                                                         | root      | wheel         | S           |
| "/Users/vmauge/suid_test"                                                                          | vmauge    | 999           | SG          |
| "/usr/bin/at"                                                                                      | root      | wheel         | S           |
| "/usr/bin/atq"                                                                                     | root      | wheel         | S           |
| "/usr/bin/atrm"                                                                                    | root      | wheel         | S           |
| "/usr/bin/batch"                                                                                   | root      | wheel         | S           |
| "/usr/bin/crontab"                                                                                 | root      | wheel         | S           |
| "/usr/bin/ipcs"                                                                                    | root      | wheel         | S           |
| "/usr/bin/lockfile"                                                                                | root      | mail          | G           |
| "/usr/bin/login"                                                                                   | root      | wheel         | S           |
| "/usr/bin/newgrp"                                                                                  | root      | wheel         | S           |
| "/usr/bin/procmail"                                                                                | root      | mail          | G           |
| "/usr/bin/quota"                                                                                   | root      | wheel         | S           |
| "/usr/bin/rlogin"                                                                                  | root      | wheel         | S           |
| "/usr/bin/rsh"                                                                                     | root      | wheel         | S           |
| "/usr/bin/su"                                                                                      | root      | wheel         | S           |
| "/usr/bin/sudo"                                                                                    | root      | wheel         | S           |
| "/usr/bin/top"                                                                                     | root      | wheel         | S           |
| "/usr/bin/wall"                                                                                    | root      | tty           | G           |
| "/usr/bin/write"                                                                                   | root      | tty           | G           |
| "/usr/sbin/postdrop"                                                                               | root      | _postdrop     | G           |
| "/usr/sbin/postqueue"                                                                              | root      | _postdrop     | G           |
| "/usr/sbin/rpc.net"                                                                                | root      | wheel         | S           |
| "/usr/sbin/rpcset"                                                                                 | root      | wheel         | S           |
| "/usr/sbin/traceroute"                                                                             | root      | wheel         | S           |
| "/usr/sbin/traceroute6"                                                                            | root      | wheel         | S           |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+

This commit fixes issue #253.
2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e [vtables] Rename homebrew files, some cleanup 2014-10-29 00:34:55 -07:00
Teddy Reed
c1991e94e5 [vtables] Add user crons and use files 2014-10-29 00:28:19 -07:00
Martin Majlis
d645dfc257 Initial implementation for the homebrew table. 2014-10-28 21:03:56 -07:00
Teddy Reed
9abcbcd485 [vtables] Linux kernel modules from procfs 2014-10-28 21:01:51 -07:00
Martin Majlis
e8eb1e222f Reformatting the code with clang-formatter. 2014-10-28 19:43:13 -07:00
Martin Majlis
8b8ec7c644 Added initial implementation for crontab. 2014-10-28 17:52:03 -07:00
Teddy Reed
47d1f13966 Using Cpp03 to remove double right angle brackets 2014-10-27 17:56:55 -07:00
Teddy Reed
6e60612520 Using clang-format 3.5 2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9 Merge pull request #228 from facebook/bash_history_table
Adding virtual table bash_history, for linux and darwin
2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534 updating comment 2014-10-27 16:34:00 -04:00
Teddy Reed
0a1925200e Clean flags usage in daemon/shell and dbhandle 2014-10-27 12:09:35 -07:00
Teddy Reed
6d50d762ce Changing flag infra, reducing config testing, adding debug macro 2014-10-27 10:30:02 -07:00
Teddy Reed
16c1fa68ba Merge pull request #246 from facebook/db_handle_problems
Fix permissions on DB handle
2014-10-27 10:27:07 -07:00
Teddy Reed
991cbdfb00 Fix permissions on DB handle 2014-10-27 10:05:08 -07:00
Mike Arpaia
a5f7dc1aa3 Merge pull request #247 from facebook/time-types
time types
2014-10-27 12:47:52 -04:00
mike@arpaia.co
2ba54f5211 time types 2014-10-27 09:13:21 -04:00
Teddy Reed
53afc6b8b2 Merge pull request #240 from facebook/event_logs
Change log formatting to individual events
2014-10-26 14:53:58 -07:00
Teddy Reed
67dce20974 Log event results as a flat map 2014-10-26 10:18:26 -07:00
Teddy Reed
2346fa00d5 Merge pull request #243 from facebook/fix_100p
[events] Fix SCNetwork runloop thrashing
2014-10-25 16:41:57 -07:00
Teddy Reed
9d6efc83b8 [events] Fix SCNetwork runloop thrashing 2014-10-25 07:01:57 -07:00
Javier Marcos
c8c3363455 Changed logic to ignore when history file is not found (expected) 2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e Refactoring and added column for history file, also more history files supported 2014-10-24 20:29:23 -07:00
Teddy Reed
84e8718d62 Merge pull request #238 from facebook/unify_routes
[vtable] Unify routes table for OSX/Linux
2014-10-24 17:08:16 -07:00
Teddy Reed
a82792b3f7 Log results as events 2014-10-24 17:05:17 -07:00
Teddy Reed
3d7c8b5684 [vtable] Unify routes table for OSX/Linux 2014-10-24 12:34:18 -07:00
Teddy Reed
35aeb1e87d Merge pull request #237 from facebook/dual_build
Build into platform-specific build dirs
2014-10-24 09:24:11 -07:00
Javier Marcos
bf3cd15c91 Final fix for the allocation problem 2014-10-23 17:17:50 -07:00
Teddy Reed
1598892ab1 Fix Ubuntu build issues (proc/bz2/z) 2014-10-23 16:27:43 -07:00
Teddy Reed
5b2510784e Build into platform-specific build dirs 2014-10-23 14:39:15 -07:00
Javier Marcos
f69913938f Bad memory leak with OpenDirectory and pwd/grp.h code 2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab Adding virtual table bash_history, for linux and darwin 2014-10-22 15:21:05 -07:00
Teddy Reed
21a0fd1aec Merge pull request #207 from facebook/scnetwork_publisher
[events] OSX SCNetwork Publisher
2014-10-16 16:27:35 -07:00
Javier Marcos
bf1ffb1537 Removing old code for generating virtual tables 2014-10-13 21:58:26 -07:00
Javier Marcos
c2f4453749 Merge pull request #213 from facebook/last_access_linux
Adding support for last vtable in linux
2014-10-13 19:07:59 -07:00
Javier Marcos
06792db7f0 Adding support for last in linux 2014-10-13 18:19:08 -07:00
mike@arpaia.co
ce5d53e169 fixing the shell text [skip ci] 2014-10-13 17:23:20 -07:00
Javier Marcos
b3208bab70 Errors handled, shit is on fire 2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0 Adding groups vtable and refactoring users 2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e only index if it's not nullptr 2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02 cleaning up some memory leak supps 2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959 Making sure we do not add duplicated users 2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a OMG memory leaks 2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949 Virtual table to be built in both linux and mac 2014-10-09 15:27:18 -07:00
Javier Marcos
d09e6037dd Fixing infinite loop adding mutex 2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da Adding vtable for users 2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873 Install package depending on arch and better comments 2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5 Adding support to build osquery in centos 6.5 2014-10-08 03:45:56 +00:00
Teddy Reed
55ef15fa3d [events] OSX SCNetwork Publisher 2014-10-07 16:00:28 -07:00
Teddy Reed
ded0717e94 [events] Additional INotify tests 2014-10-07 12:27:25 -07:00
Teddy Reed
8213e7dcbc [events] Improve inotify 2014-10-06 14:37:44 -07:00
Teddy Reed
37352f862a [events] Formatting from name changes 2014-10-04 13:29:17 -07:00
Teddy Reed
2063252f73 [vtable] Fix warning for process in-condition assignment 2014-10-04 13:29:17 -07:00
mike@arpaia.co
99f5052d15 cleaning up deploy materials 2014-10-03 22:34:59 -07:00
Teddy Reed
b5352729af Merge pull request #198 from facebook/inotify_tests
[events] Stabilize INotify event tests
2014-10-03 17:59:20 -07:00
Teddy Reed
5e6be33767 Merge pull request #199 from facebook/unify_processes
[vtable] Parity with OSX/Linux processes table
2014-10-03 17:30:47 -07:00
Teddy Reed
a36117670b Revert "disabling inotify_tests" 2014-10-03 17:02:00 -07:00
Teddy Reed
25aee56af9 [events] Stabilize INotify event tests 2014-10-03 17:01:32 -07:00
Teddy Reed
69607c7b32 [vtable] Parity with OSX/Linux processes table 2014-10-03 16:24:11 -07:00
mike@arpaia.co
96986773b3 disabling inotify_tests 2014-10-03 14:21:50 -07:00
mike@arpaia.co
660ef01777 iostream in shell 2014-10-03 13:48:31 -07:00
mike@arpaia.co
c118e7a1f8 iostream 2014-10-03 13:48:31 -07:00
Mike Arpaia
1d062bb038 Merge pull request #185 from facebook/ubuntu12_precise_build_support
Adding support to build in Ubuntu 12
2014-10-03 12:57:25 -07:00
Teddy Reed
b37785e665 Merge pull request #195 from facebook/events_pubsub
Events pubsub
2014-10-03 11:50:37 -07:00
Teddy Reed
c553a59745 [events] Use pub/sub diction for events 2014-10-03 11:30:51 -07:00
Teddy Reed
1e36b494b4 [events] Rename MonitorContext to SubscriptionContext 2014-10-03 08:26:41 -07:00
Teddy Reed
b2474b49eb [events] Renamed EventType to EventPublisher 2014-10-03 08:14:36 -07:00
Teddy Reed
e77ae22fe2 [events] Rename EventModule to EventSubscriber 2014-10-03 08:08:06 -07:00
Teddy Reed
368ab483a7 Merge pull request #184 from facebook/fsevents
[events] Fleshing out OSX FSEvent framework
2014-10-03 07:54:17 -07:00
Teddy Reed
69bfb92905 [events] Fleshing out OSX FSEvent framework 2014-10-02 21:30:14 -07:00
mike@arpaia.co
d1e2ee1241 glog logger plugin 2014-10-02 19:44:45 -07:00
Javier Marcos
7f5d1eee8c Fixes broken build in Mac OSX 2014-10-02 16:30:29 -07:00
Javier Marcos
06b35c45f0 Adding support to build in Ubuntu 12 2014-10-02 16:30:29 -07:00
mike@arpaia.co
569545648d lz4 2014-10-02 14:51:18 -07:00
mike@arpaia.co
2348460ca4 Revert "Support for Ubuntu 12, precise"
This reverts commit ed0e051eba.
2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba Support for Ubuntu 12, precise 2014-10-02 01:24:23 +00:00
mike@arpaia.co
764619c849 Adding a function to read tomcat configs from disk 2014-09-30 19:59:52 -07:00
Mike Arpaia
3fb8c8a5d4 Merge pull request #183 from facebook/tomcat-users
Adding a function to parse the Tomcat users XML file
2014-09-30 19:51:54 -07:00
mike@arpaia.co
196ec880ab Adding a function to parse the Tomcat users XML file
This is a part of a bigger, better virtual table idea that @carnal0wnage
had.
2014-09-30 19:49:38 -07:00
Teddy Reed
bf8209ca90 Merge pull request #182 from facebook/events_docs
[events] Added remaining doxy comments
2014-09-30 15:00:08 -07:00
Teddy Reed
ef044c4a72 [events] Added remaining doxy comments 2014-09-30 12:50:14 -07:00
Teddy Reed
6eb9c5fd44 EventFactory, Dispatcher as singletons 2014-09-29 20:47:24 -07:00
Teddy Reed
588f1198f3 Merge pull request #174 from facebook/passwd_changes_vtable
[events] Events lifecycle complete, passwd_changes vtable
2014-09-26 21:13:52 -07:00
Teddy Reed
ed338e8356 [events] Events lifecycle complete, passwd_changes vtable 2014-09-26 12:58:32 -07:00
mike@arpaia.co
0c783ebf0a Migrating internal usage of osquery::query to osquery::SQL 2014-09-26 00:34:56 -07:00
mike@arpaia.co
7076aa813c SQL class for executing queries
implements #141
2014-09-26 00:28:18 -07:00
mike@arpaia.co
636ced854f Pretty shell results
Example:

```
osquery> select name, program || program_arguments as executable from launchd limit 5;

+----------------------------------+-------------------------------------------------------------------------------+
| name                             | executable                                                                    |
+----------------------------------+-------------------------------------------------------------------------------+
| bootps.plist                     | /usr/libexec/bootpd                                                           |
| com.apple.afpfs_afpLoad.plist    | /System/Library/Filesystems/AppleShare/afpLoad                                |
| com.apple.afpfs_checkafp.plist   | /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp |
| com.apple.AirPlayXPCHelper.plist | /usr/libexec/AirPlayXPCHelper                                                 |
| com.apple.airport.wps.plist      | /usr/libexec/wps                                                              |
+----------------------------------+-------------------------------------------------------------------------------+
osquery> .tables
  => alf
  => alf_exceptions
  => alf_explicit_auths
  => alf_services
  => apps
  => ca_certs
  => etc_hosts
  => interface_addresses
  => interface_details
  => kextstat
  => last
  => launchd
  => listening_ports
  => nvram
  => osx_version
  => processes
  => routes
  => time
```
2014-09-25 21:39:07 -07:00
Abe Stanway
663e6756d7 Add libboost_regex.a 2014-09-25 19:18:47 +00:00
mike@arpaia.co
0387fde8b8 Adding permissions check around setting default log directory #130 2014-09-25 10:26:39 -07:00
Mike Arpaia
e1fa406096 Merge pull request #165 from facebook/travis
travis
2014-09-24 18:06:32 -07:00
mike@arpaia.co
135dd0dbe4 TravisCI configuration 2014-09-24 18:05:33 -07:00
Teddy Reed
8aaecefec0 Merge branch 'master' of github.com:facebook/osquery into events_updates 2014-09-24 13:55:42 -07:00
Teddy Reed
9220da7e3d [events] Registry integration 2014-09-24 12:43:14 -07:00
mike@arpaia.co
5f4108c503 Moving all boost smart pointers to std smart pointers 2014-09-24 10:54:59 -07:00
Teddy Reed
9a2d299424 [events] Events and registry coordination 2014-09-24 10:46:37 -07:00
mike@arpaia.co
d7546de036 Relocatable build
Making it such that osquery doesn't need to be built in the repo "build"
subdirectory. gentable.py now accepts a positional argument which
indicates the output (which is calculated by cmake) so they don't have
to agree on a destination ahead of time.
2014-09-24 01:58:12 -07:00
mike@arpaia.co
466df023ef makefile cleanups 2014-09-23 22:06:32 -07:00
mike@arpaia.co
91efb3963f moving packages subdir to deploy 2014-09-23 21:37:55 -07:00
mike@arpaia.co
cc9aa5d73b clang-format 2014-09-23 20:31:12 -07:00
mike@arpaia.co
6b25a216c9 periodic clang-format 2014-09-23 20:15:41 -07:00
mike@arpaia.co
7ca879215f moving things from Makefile to CMake 2014-09-23 20:12:53 -07:00
mike@arpaia.co
9dc4c50fe4 moving generated tables to build subdir 2014-09-23 18:44:42 -07:00
mike@arpaia.co
6beb5d1247 Moving table generation to CMake
CMake now handles building all of the generated code.
2014-09-23 17:55:54 -07:00
Mike Arpaia
65bc860fb8 Merge pull request #157 from facebook/deb
Deb package creation for Ubuntu
2014-09-23 17:03:50 -07:00
mike@arpaia.co
e973c856c6 Deb package creation for Ubuntu
I used CPack to generate deb package files from the CMake "install"
target. What this means is, whatever would get installed by "make
install" will get installed by the deb.

"make package" on ubuntu will generate a file named: `osquery-$VERSION-$DISTRO.$ARCH.deb`

Consider the following example:

```
root@vagrant-ubuntu-trusty-64:/vagrant/build# dpkg --info osquery-0.0.1-trusty.amd64.deb
 new debian package, version 2.0.
 size 11311330 bytes: control archive=350 bytes.
     207 bytes,     9 lines      control
     102 bytes,     2 lines      md5sums
 Package: osquery
 Version: 0.0.1
 Section: devel
 Priority: optional
 Architecture: amd64
 Installed-Size: 43369
 Maintainer: marpaia@fb.com
 Description: osquery is an operating system instrumentation toolchain.
```
2014-09-23 17:03:30 -07:00
Teddy Reed
974a53dd98 Merge pull request #155 from facebook/events_modules
Events modules and basic INotifyEventType
2014-09-23 13:01:59 -07:00
Teddy Reed
94953df90e [events] Flesh out inotify eventtype 2014-09-23 13:01:03 -07:00
mike@arpaia.co
4218a4c2ab cmake cleanups 2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c linking tests against libosquery 2014-09-22 19:54:59 -07:00
mike@arpaia.co
1e774e50bf static build on OS X and Linux 2014-09-22 19:27:19 -07:00
Teddy Reed
bb7097a255 [events] EventType threads for each run loop 2014-09-22 18:35:12 -07:00
mike@arpaia.co
fc324b929f Revert "build shared by default"
This reverts commit 90703b95f0.
2014-09-22 17:27:57 -07:00
mike@arpaia.co
ebfc47b399 Edits to https://github.com/facebook/osquery/pull/148/ 2014-09-22 14:35:59 -07:00
mike@arpaia.co
16122544f5 Reorganizing tests so that the public headers don't have to include gtest 2014-09-22 14:30:52 -07:00
Teddy Reed
9b42c060ea [events] Linux inotify event type 2014-09-22 01:47:50 -07:00
mike@arpaia.co
627821abc1 Periodic clang-format 2014-09-21 14:29:28 -07:00
mike@arpaia.co
b5ee19f49f Removing the osquery::db namespace 2014-09-21 14:27:09 -07:00
mike@arpaia.co
90703b95f0 build shared by default 2014-09-20 18:53:49 -07:00
mike@arpaia.co
20bbef53b6 Cross platform build environment maker
Currently works on Ubuntu 14.04 and Mac OS X 10.9. There are more
supported operating systems coming soon to a theater near you.
2014-09-20 16:01:47 -07:00
Teddy Reed
eee37034b4 [events] Intro of non-async event framework 2014-09-18 15:05:41 -07:00
Teddy Reed
9516bf8fd7 Regressions from core NS removal, linux includes 2014-09-17 10:29:22 -06:00
mike@arpaia.co
f06a4ba52e cleaning up the plugin interfaces 2014-09-16 01:34:39 -07:00
mike@arpaia.co
5998dbd1c5 clang-format 2014-09-16 00:36:49 -07:00
mike@arpaia.co
d9edc81041 Updating the format of doxygen comment blocks 2014-09-16 00:28:23 -07:00
mike@arpaia.co
0eab76a20c refactored aggregateQuery to query 2014-09-15 23:07:03 -07:00
mike@arpaia.co
65ec7685f1 doxygenifying conversion header 2014-09-15 22:56:11 -07:00
mike@arpaia.co
4a048db278 database namespace documentation 2014-09-15 17:13:22 -07:00
mike@arpaia.co
7d97186a26 comments for core.h 2014-09-15 12:23:07 -07:00
mike@arpaia.co
de426754d9 moving fs to the global namespace 2014-09-15 11:47:52 -07:00
mike@arpaia.co
d29c58f795 moving scheduler to global namespace 2014-09-15 11:26:16 -07:00
mike@arpaia.co
05f4bc513c down with scheduledQueries_t 2014-09-15 11:17:48 -07:00
mike@arpaia.co
b7f8f5f72a moving logger to the global namespace 2014-09-15 11:14:17 -07:00
mike@arpaia.co
fb2591d82a #143 2014-09-15 11:09:33 -07:00
mike@arpaia.co
ad9b0bb5c1 Doxyfile, for docs 2014-09-13 15:18:26 -07:00
mike@arpaia.co
d11bf05167 casting google::int32 to size_t 2014-09-13 14:19:14 -07:00
mike@arpaia.co
7953bce125 fixing a typo in a variable name 2014-09-13 14:18:54 -07:00
mike@arpaia.co
6a0e5b7ddb Removing the unimplemented transaction locking methods in DBHandle 2014-09-13 13:53:12 -07:00
mike@arpaia.co
e838110e84 Moving header to include 2014-09-12 17:50:03 -07:00
Mike Arpaia
7534dc60f9 Merge pull request #134 from facebook/queue
osquery thread pool
2014-09-12 17:45:20 -07:00
mike@arpaia.co
073dd2d5c4 osquery thread pool
this is an implementation of a thread pool, using thrift's thread
manager class.
2014-09-12 08:18:25 -07:00
Abe Stanway
516b7b4563 Intervals at a second instead of a minute (#131) 2014-09-10 17:29:59 -04:00
Mike Arpaia
db0f0105dd Revert "Skip tests when making 'fast'" 2014-09-09 21:37:08 -07:00
mike@arpaia.co
c9fafc00d3 using '#pragma once' instead of '#ifndef HEADER'
let's start using #pragma once for our headers. it's fewer lines of code,
clang supports it, headers become more movable, etc. it's all around a
better plan.
2014-09-09 18:54:53 -07:00
mike@arpaia.co
cec7b33afb removing unused header includes 2014-09-09 18:43:41 -07:00
Teddy Reed
2e150ef8a9 Skip tests when making 'fast' 2014-09-09 16:25:22 -07:00
mike@arpaia.co
df1332277d clang-format 2014-09-09 16:14:54 -07:00
mike@arpaia.co
4f2298ef33 improving the organization of command line flag parsing 2014-09-09 16:10:57 -07:00
Teddy Reed
bb33e4b6e8 Merge pull request #120 from facebook/linux-routes-vtable
[vtables] Routes table for Linux
2014-09-09 16:08:00 -07:00
Teddy Reed
825b50f932 [vtables] Routes table for Linux 2014-09-09 16:07:36 -07:00
Mike Arpaia
d71478ea29 Merge pull request #121 from facebook/osquery-84
override --help flag and print custom help
2014-09-09 15:59:34 -07:00
mike@arpaia.co
4f223766fc osquery-84 override --help flag and print custom help 2014-09-09 15:35:34 -07:00
Teddy Reed
bfba3d491d Merge pull request #117 from facebook/linux-processes-vtable
[vtables] Processes table for Linux (procps3)
2014-09-09 14:43:26 -07:00
mike@arpaia.co
d4c7673011 re-adding the scheduler tests 2014-09-09 11:17:09 -07:00
mike@arpaia.co
509aba53bb re-adding registry_tests after getting apparently disabled 2014-09-09 11:13:21 -07:00
Mike Arpaia
79c964a641 Update status.h 2014-09-09 11:03:23 -07:00
mike@arpaia.co
130fe2ad41 updates to status.h
making it such that all the return values are const. added a few method
comments.
2014-09-09 11:02:17 -07:00
Teddy Reed
2bcd89d70f [vtables] Adding cmdline, path to Linux processes 2014-09-09 10:59:16 -07:00
Mike Arpaia
d6699bd0fe Adding header files to CMakeLists.txt so that other build tools can perform better introspection into the codebase. 2014-09-09 10:53:59 -07:00
mike@arpaia.co
8fcad82b35 periodic clang-format 2014-09-09 00:56:27 -07:00
Teddy Reed
c6a7e86b18 [vtables] Processes table for Linux (procps3) 2014-09-08 22:42:17 -07:00
mike@arpaia.co
c72d069689 vagrant and make deps on linux 2014-09-08 19:24:23 -07:00
Teddy Reed
26e83f8ee9 Merging for linux build and libosquery compiling options 2014-09-08 17:17:30 -07:00
Teddy Reed
7e470747b4 Moving sublibs to single libosquery 2014-09-08 01:58:29 -07:00
mike@arpaia.co
7d387ec605 status default constructor 2014-09-06 03:41:10 -07:00
Teddy Reed
e23e7bdab8 Merge pull request #102 from facebook/linux-build
Changes for Linux (Ubuntu 14.04) build
2014-09-05 14:52:35 -07:00
Teddy Reed
4ffd184eaf Changes for Linux (Ubuntu 14.04) build 2014-09-05 10:58:58 -07:00
mike@arpaia.co
cc3985b275 clang-format 2014-09-05 01:01:09 -07:00
Javier Marcos
344ca31f26 Adding last virtual table 2014-09-04 16:42:18 -07:00
mike@arpaia.co
c1c9284079 example unit test 2014-09-03 23:46:24 -07:00
mike@arpaia.co
ebc746eef2 0.0.1 Release 2014-09-02 18:40:51 -07:00
mike@arpaia.co
66a2a6fdec Fix performance issue with the disk serializer
This is the issue noted in #76. Keeping all historical results of
queries in the HistoricalQueryResults struct makes serializing and
deserializing those structs very, very slow as time goes on. By only
storing the last execution of the query, we keep the performance
constant, but we kill the feature where osquery can rebuild timelines
without accessing logs. After talking it over, we decided that this
isn't actually that big of a deal because, if you really wanted to
rebuild the old data, you should be able to process the logs, similarly
to bin log replication in MySQL.
2014-09-02 13:13:12 -07:00
mike@arpaia.co
2b08ba60e3 Fixing #67
Escaping spaces in the Program field of the launchd table since it
represents a path
2014-09-02 12:22:12 -07:00
mike@arpaia.co
c6b7c04626 Fixing #65
The column name was misspelled in the table spec, causing the column to
look blank.
2014-09-02 12:15:45 -07:00
mike@arpaia.co
63070a0d49 migrating project to use CMake's CTest to run unit tests 2014-09-02 11:14:21 -07:00
mike@arpaia.co
b1291879f1 Moving osquery cmake code into the source tree.
I like the pattern of the root CMakeLists.txt being the parent file
which sets global parameters and the children doing their level of
compilation.

I also updated the OS X pkg creator.
2014-09-02 01:00:58 -07:00
mike@arpaia.co
6498f45924 renaming the cacerts table to ca_certs 2014-09-01 18:46:16 -07:00
Mike Arpaia
8332e3577f Merge pull request #87 from facebook/nvram_memleak
[vtable_nvram] Fixing type description memory leak, and re-org
2014-09-01 18:40:27 -07:00
Teddy Reed
c653e0b1be [vtable_nvram] Fixing type description memory leak, and re-org 2014-09-01 18:32:49 -07:00
mike@arpaia.co
e673b7a127 more robust filesystem logging 2014-09-01 18:15:17 -07:00
Mike Arpaia
e5f4d5f64b Merge pull request #83 from facebook/glog-to-file
Log files to disk close #78
2014-09-01 17:15:59 -07:00
mike@arpaia.co
303e73e9ba Log files to disk close #78 2014-09-01 17:13:04 -07:00
Mike Arpaia
ffaa763209 Update registry.h 2014-08-30 15:03:31 -07:00
Mike Arpaia
8cff961173 Update registry.h 2014-08-30 15:03:06 -07:00
mike@arpaia.co
468f88645d more sane comments in registry.h 2014-08-30 15:02:43 -07:00
mike@arpaia.co
8649951fab minimum possible linkages 2014-08-30 14:29:45 -07:00
mike@arpaia.co
f174c4dbd0 enabling unit tests for tables 2014-08-30 14:26:24 -07:00
mike@arpaia.co
2e5810ae9a proper ordering in tables/CMakeLists.txt 2014-08-30 04:28:49 -07:00
mike@arpaia.co
f5402d5035 query time count is a ulong not a long 2014-08-30 04:26:40 -07:00
mike@arpaia.co
47bfe57272 clang-format 2014-08-30 04:06:31 -07:00
mike@arpaia.co
f1e3b7443d more verbose logging by default 2014-08-30 03:55:26 -07:00
mike@arpaia.co
b7f9ecc6e1 add an extra char for the \0 2014-08-30 03:53:32 -07:00
mike@arpaia.co
d2b96401a4 was closing the db in the middle of the loop instead of after it, causing subsequent queries to fail 2014-08-30 03:49:49 -07:00
mike@arpaia.co
b1f86466e0 alphabetizing the order of sources in the tables cmake file 2014-08-30 03:46:08 -07:00
mike@arpaia.co
5b904cca26 moving the table_sources blob down to just above where it's used 2014-08-30 03:43:02 -07:00
mike@arpaia.co
dd909ed39d breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 03:24:35 -07:00
mike@arpaia.co
3b05ffb97d breaking out objective-c tables such that they use arc 2014-08-30 03:19:16 -07:00
mike@arpaia.co
92845146d7 re-adding all of the virtual tables that depended on performant objective-c interop 2014-08-30 03:09:04 -07:00
mike@arpaia.co
1ff68cabf3 making sure the db is closed in sqlite_util_tests 2014-08-30 03:07:14 -07:00
mike@arpaia.co
0e806eff83 Proper ARC in Objective-C++ code 2014-08-30 00:22:26 -07:00
mike@arpaia.co
123dcc2cff improved scheduler, now with developer features 2014-08-29 00:36:33 -07:00
mike@arpaia.co
bb46cd31b4 fixing a dirty memory overwrite 2014-08-29 00:24:48 -07:00
mike@arpaia.co
da7ec74840 new time virtual table. it's pretty useful to have a lightweight table that doesn't leak at all which returns data that's always changing. 2014-08-28 23:15:45 -07:00
mike@arpaia.co
1da3fab7b7 fix memory leak in sqlite3_attach_tables #74 2014-08-28 21:33:44 -07:00
mike@arpaia.co
eaed8c2dec const reference iteration of kDomains vector (since it's const itself) 2014-08-28 19:21:52 -07:00
mike@arpaia.co
a4eb0bbaf9 Decomplexifying the scheduler, as to close #73 2014-08-28 17:33:03 -07:00
mike@arpaia.co
eed24a7615 removing logging of full plist data 2014-08-27 12:52:58 -07:00
mike@arpaia.co
f640bc23af updating include paths in networking utils 2014-08-27 11:39:36 -07:00
mike@arpaia.co
969b694e23 memory improvements to plist parsing 2014-08-26 21:18:24 -07:00
mike@arpaia.co
194127bf08 more memory leaks fixed 2014-08-26 16:27:33 -07:00
mike@arpaia.co
648303b1a0 CFReleasing options_dict 2014-08-26 14:58:22 -07:00
mike@arpaia.co
6279f5cb96 setting property to null in the event that the property type is unknown 2014-08-26 14:58:10 -07:00
mike@arpaia.co
df580161f8 fixing leak of pids in listening_ports.cpp 2014-08-26 14:53:56 -07:00
mike@arpaia.co
3d3271a625 kextstat allocation clarity 2014-08-26 13:34:08 -07:00
mike@arpaia.co
7e3a2772a2 autorelease whaaaaaat 2014-08-26 11:39:27 -07:00
mike@arpaia.co
15519b348e Adding LaunchDaemon and flagfile to the repo/package 2014-08-26 11:26:52 -07:00
Teddy Reed
02fc4538d7 [Fix #66] Moving not_valid fields in cacerts to std string 2014-08-22 23:14:44 -07:00
Teddy Reed
f461605b94 [vtable_interfaces] Add interface_{details, addresses} vtables 2014-08-21 18:49:15 -07:00
mike@arpaia.co
c9fb930ee4 OS specific table specs directory structure 2014-08-20 01:14:20 -07:00
mike@arpaia.co
807a3617c2 Removing example table 2014-08-19 21:49:42 -07:00
Mike Arpaia
f08ab26841 Merge pull request #60 from facebook/vtable_routes
[vtable_routes] Added vtable for various network routes
2014-08-19 21:46:36 -07:00
Teddy Reed
42d7f982e9 [vtable_routes] Added vtable for various network routes 2014-08-19 21:39:16 -07:00
mike@arpaia.co
fbc37d9399 clang-format on objective-c++ files 2014-08-19 20:18:49 -07:00
Mike Arpaia
b8e823f190 Merge pull request #58 from facebook/plist_parsing
fixing an issue with json serializing raw data attributes in plists
2014-08-19 20:09:14 -07:00
mike@arpaia.co
745b74c7de fixing an issue with json serializing raw data attributes in plists 2014-08-19 18:54:03 -07:00
Teddy Reed
95ceb21ec5 [vtable_listening_ports] Listening sockets, IPv4, IPv6 2014-08-19 15:25:16 -07:00
Teddy Reed
444cea0649 [vtable_cacerts] New CA certificates table. 2014-08-19 13:47:09 -07:00
mike@arpaia.co
3760e4cce5 Apple virtual table for LaunchAgents and LaunchDaemons 2014-08-15 13:46:09 -07:00
mike@arpaia.co
9973335e49 OS X virtual tables for currently installed applications 2014-08-15 12:58:19 -07:00
mike@arpaia.co
e723306c13 Ran clang-format across the codebase 2014-08-15 12:29:51 -07:00
mike@arpaia.co
f1b0bef782 listFilesInDirectory 2014-08-14 16:27:20 -07:00
mike@arpaia.co
f6e6629d98 fixing include path in osx_version.mm 2014-08-14 11:35:30 -07:00
Mike Arpaia
3161e8cfeb Merge pull request #48 from facebook/firewall
Virtual table for Apple's application level firewall
2014-08-14 11:33:53 -07:00
mike@arpaia.co
1a381e0feb Virtual tables for Apple's application level firewall 2014-08-14 11:33:20 -07:00
mike@arpaia.co
2311022e7f moving cocoa backports to core/osx 2014-08-13 23:20:58 -07:00
mike@arpaia.co
826f9d9905 adding an example of what happens when you pt::ptree::get something that doesn't exist 2014-08-13 12:12:24 -07:00
mike@arpaia.co
7d1ce83183 fixing the unit test in filesystem 2014-08-13 11:55:29 -07:00
Mike Arpaia
5f9a24202f Merge pull request #42 from facebook/kexts
Loaded kernel extensions vtable
2014-08-13 11:49:48 -07:00
mike@arpaia.co
e2bd07008d [kextstat] osquery virtual table which uses the Core Foundation APIs to
expose kernel extension information.

For information about memory management in Core Foundation, see:
https://developer.apple.com/library/ios/documentation/CoreFoundation/Conceptual/CFMemoryMgmt/Concepts/Ownership.html#//apple_ref/doc/uid/20001148-103029
2014-08-13 11:48:53 -07:00
Mike Arpaia
702d53af10 Merge pull request #47 from facebook/system_version
osx_version table which exposes the major, minor and patch version of the operating system
2014-08-13 11:44:14 -07:00
Mike Arpaia
609f0bbf07 Merge pull request #46 from facebook/plist_parsing
property list parsing with native C++ data types
2014-08-13 11:43:27 -07:00
mike@arpaia.co
b65f96d666 osx_version table which exposes the major, minor and patch version of
the operating system
2014-08-13 11:02:17 -07:00
mike@arpaia.co
3b85618ae0 property list parsing with native C++ data types 2014-08-13 11:00:28 -07:00
Teddy Reed
1b6ef08611 Silencing various compiler errors for goto statements. 2014-08-13 08:56:39 -07:00
Mike Arpaia
25ecc35a98 Merge pull request #44 from facebook/vtable_nvram
[vtable_nvram] Added NVRAM variables vtable (name, variable type, value).
2014-08-12 18:09:31 -07:00
Teddy Reed
83dc09bca3 [vtable_nvram] Various code cleanups 2014-08-12 11:43:38 -07:00
Teddy Reed
1888150596 [vtable_nvram] Added NVRAM variables vtable (name, variable type, value). 2014-08-12 00:02:38 -07:00