Commit Graph

107 Commits

Author SHA1 Message Date
Teddy Reed
70e3c190bb Easier build host-based sync 2015-05-05 15:15:45 -07:00
Teddy Reed
893f678403 Linting and asan fixups 2015-05-04 11:00:21 -07:00
Teddy Reed
be65922569 Fast tests 2015-04-27 09:40:31 -07:00
Teddy Reed
13d1ff031b Add rpm_package_files table 2015-04-25 01:18:55 -07:00
mike@arpaia.co
233f672655 Request template classes
As discussed in the comments of #961. Included is an HTTP transport
(which works for HTTPS also) and a JSON serializer.
2015-04-13 10:32:56 -07:00
Teddy Reed
2b20d3dde0 Merge yara subscribers 2015-04-03 00:48:13 -07:00
Wesley Shields
a9644d22c2 Implement YARA table.
Currently only for OS X, will port to others soon.

Also need to add tests.

Remove old comment and add loading message.

Implement YARA table for Linux.

Use mask properly.

Use the various masks to specify the kinds of events we are interested
in. This removes the need to do the dirty "DELETED" check when the event
fires.

Make getYARAFiles return a const map.

Switch to LOG(WARNING) and emit error number.

Add vim .swp files to .gitignore.

Add yara_utils.(c|h).

Start to condense common code between the Linux and Darwin YARA tables
into a yara_utils.h. Right now it includes a function to compile rules
and store the results back in the map, indexed by category. It also has
the callback used by YARA when a rule is processed. I can not move much
more than that for the row creation code because the structures used in
the event callback are slightly different.

Include a better error message.

The errors are still printed by the compiler callback, but this will
allow my future work to return a Status from the event initialization to
print a useful message in summary.

Make Subscriber init() return Status.

Each EventSubscriber::init() now returns a Status. If the init() fails
for any reason the EventSubscriber is still stored but the failure is
tracked.

EventSubscribers now have a state member, which represents the current
state of the subscriber. The current supported states are:
uninitialized, running, paused, failed. Currently the only meaningful
ones are running and failed, but I put paused in there as a
forward-looking feature.

Subscriptions now have a subscriber_name member. This is used in
EventPublisherPlugin::fire() as a lookup to get the EventSubscriber and
check the state. If the EventSubscriber is not running the event will
not fire.

Only the EventSubscribers on OS X are using this. I'll do the Linux
implementation next.

Chase the init() changes to Linux.

This brings the Linux YARA table in line with the OS X one.

Require a EventSubscriberID when creating a subscription.

Now that Subscriptions are "tied" to EventSubscribers you must create a
Subscription with the name of the Subscriber it is for. This is because
when the event fires the list of Subscriptions is walked and the name is
used to lookup the EventSubscriber and make sure it is in the running
state.

Fix various tests.

Some tests would fire an event with only a Subscription, which is no
longer a valid thing to do. For these tests an EventSubscription is
created and registered in the EventFactory.

When Subscriptions are created pass the name of the EventSubscriber to
them. In some cases where no event is ever fired it is fine to pass a
bogus name.

Fix inotify tests.

Move a test down so the class is defined and make sure to create an
EventSubscriber and use it properly.

Add support for yara to provision.sh.

Right now this grabs yara 3.3.0 and applies the patch to fix min() and max(),
which is commit fc4696c8b725be1ac099d340359c8d550d116041 in the yara repo.

This has been tested under Ubuntu 14.04 only.

Remove NOMINMAX.

This is no longer necessary after the patch was backported to 3.3.0.

Revert "Add support for yara to provision.sh."

This reverts commit a8bd371498c0979f070adeff23d05571882ac3f1.

Use vendored YARA code in third-party.

This switches to using the YARA code contained in third-party, including
the patch to fix min/max macros.

Fix mismerge.

Remove unused function after merge.

Well, soon to be unused as soon as I fix up the Linux YARA table. ;)

Chase config changes.

Make the Linux YARA table use ConfigDataInstance along with files() and
yaraFiles().
2015-04-03 00:47:39 -07:00
Teddy Reed
14a09cc6f2 Change schedule to a map, splay on config update 2015-03-24 16:28:49 -07:00
Teddy Reed
4440b2f791 Renamed osx_version to os_version, include Linux versions 2015-03-15 16:07:49 -07:00
Theodore M. Reed
4803b441a2 Move preprocessor defines before compile flags 2015-03-06 12:11:21 -08:00
Teddy Reed
d1b045d588 Add libosquery as a dependency for the testing utils 2015-03-05 09:26:22 -08:00
Teddy Reed
95a9716e02 Remove shell tools from daemon 2015-03-04 23:21:16 -08:00
Teddy Reed
0673900837 Registry modules 2015-03-04 20:33:10 -08:00
Teddy Reed
99beceaef6 Switch lazy=active concept for registry setup 2015-03-04 18:51:41 -08:00
Teddy Reed
41ab6f3161 Organizing osquery python testing
Move /osquery/python_tests/* to /tools/tests
Move test_extensions process controls to test_base module
Use test_base.Testing to implement each module's main()
  - This applies a default argparse with --build
  - test_base.ARGS is the argparse-parsed namespace
  - Use test_base.ARGS.build for the platform-specific dir
Move WatchdogTests to /tools/tests/test_watchdog.py
2015-03-02 16:23:22 -08:00
Teddy Reed
a6bc9d6d97 Merge pull request #804 from theopolis/network_settings
Add sysctl (system_controls) table
2015-03-02 16:01:39 -08:00
Teddy Reed
be9218ecf1 Add sysctl (system_control) table 2015-03-01 18:51:33 -07:00
Zachary Wasserman
eb778fa361 Add Python integration testing to CTest.
Here we create a new CMake macro for adding python integration tests,
as well as a wrapper for easy testing of osqueryi. There is a PoC test
of the time table.
2015-02-27 10:10:26 -08:00
Teddy Reed
a29addba61 Extensions integrations testing 2015-02-22 22:56:18 -07:00
Zachary Wasserman
1f450fb1ef Merge pull request #710 from zwass/distributed
POC for client side of distributed queries.
2015-02-13 14:25:52 -08:00
Zachary Wasserman
79034111a5 POC for client side of distributed queries.
This introduces the notion of a DistributedQueryHandler that uses a "provider" to read/write requests and results to and from the master. The full flow is exercised via integration tests, and unit tests for each component.

It is intended to foster discussion around this client side interface, as well as provide a base to build from.
2015-02-13 13:01:02 -08:00
Teddy Reed
aa078895d3 CentOS7 clang without fortify
1. _FORTIFY_SOURCE=1 will cause readlink/recv to hang when using
heap-allocated target buffers.
2. Install boost/rocksdb/thrift using source, similar to CentOS6.5
3. Remove boost::regex, prefer extended std::regex without static
link to boost_regex.
2015-02-13 12:47:30 -08:00
Teddy Reed
d2b18c05c9 Add watcher profiles 2015-02-09 12:38:50 -08:00
Teddy Reed
4f10a35f80 Adding thrift extension API 2015-02-06 09:40:49 -08:00
Teddy Reed
ed9bae29b7 Organizing headers/build for SDK 2015-02-03 14:59:32 -08:00
Teddy Reed
ab08bc76a8 Towards a new registry 2015-02-01 02:20:09 -07:00
Teddy Reed
38a757c7f0 Merge pull request #673 from theopolis/fork
Adding a watcher/worker model for osqueryd
2015-01-30 19:09:55 -08:00
Javier Marcos
c0398e2cef Different packages for different ubuntus 2015-01-30 14:55:28 -08:00
Teddy Reed
8fd56417fd Adding a watcher/worker model for osqueryd 2015-01-26 01:22:50 -07:00
mike@arpaia.co
b4a2ca1afa moving config and plist to prefixed directory 2015-01-22 11:07:19 -08:00
Teddy Reed
c5cbf992ad Remove installed unwind headers 2015-01-10 20:38:31 -07:00
mike@arpaia.co
a0a404acc1 removing the dependency on unwind
Moving glog to third-party so that we can custom compile it so that
we no longer have the dependency on libunwind. #578
2015-01-10 13:02:30 -07:00
Teddy Reed
18d93d8cbc Building DEB/RPM package dependencies 2015-01-09 12:24:54 -08:00
Teddy Reed
a4e236e16a Simpler OSX package building 2015-01-07 20:01:33 -08:00
Teddy Reed
45ee10f162 More complete make package 2015-01-07 16:07:19 -08:00
Teddy Reed
27541d4260 [Fix #574] Undef DEBUG for apt-pkg for make debug 2015-01-06 06:53:42 -08:00
Norm MacLennan
38447838db merging upstream cmake changes 2015-01-05 17:43:07 -05:00
Teddy Reed
d2cea32644 Use CMake find_library for dependencies 2015-01-05 08:32:05 -08:00
Teddy Reed
914ae37a72 Move CMakeLibs and valgrind supp file 2014-12-31 08:32:23 -08:00
Teddy Reed
d7653c77e7 Support 'make libosquery' for a wrappable so/dylib 2014-12-27 23:14:34 -08:00
Teddy Reed
7d260d3c05 Cleanup cmake files 2014-12-27 22:55:08 -08:00
Teddy Reed
94811f3ee8 Removed 'core' tables as a build dependency 2014-12-25 12:46:59 -08:00
Teddy Reed
e4b60e883a Variable amalgamation output filename 2014-12-23 21:53:59 -07:00
Teddy Reed
b2dca55539 Build leaner libosquery, allow control over spec/impl 2014-12-23 20:07:12 -08:00
Theodore M. Reed
01005c72b3 Moved crontab out of utility 2014-12-23 14:39:59 -08:00
Theodore M. Reed
53d683a3b3 Remove tables dependency from CMake build 2014-12-23 14:37:07 -08:00
Theodore M. Reed
7b0640e4eb Move table link dependencies into tables CMakeLists 2014-12-23 14:37:00 -08:00
Teddy Reed
5bd8d9ac37 Use static openssl libs to support thrift 0.9.x 2014-12-16 01:15:58 -08:00
Teddy Reed
f4a226f4cf Merge pull request #533 from theopolis/static_build_osx
Link the brew dependencies statically on OSX
2014-12-09 14:03:54 -08:00
Teddy Reed
2fae6c0d7c Link the brew dependencies statically on OSX 2014-12-09 13:40:53 -08:00