Starting in glibc 2.25, the macros `major` and `minor` were moved
from `<sys/types.h>` to `<sys/sysmacros.h>`, to stop leaking these
common words into the global namespace of those including <stdlib.h>:
https://sourceware.org/bugzilla/show_bug.cgi?format=multiple&id=19239
The macros MAJOR_IN_MKDEV and MAJOR_IN_SYSMACROS would be defined if
necessary by autoconf and put in `config.h`. But the osquery build
uses CMake instead of autotools, with a git-committed `config.h`.
This is generally all right across Ubuntu variations, as an automake
run for one will likely make a config.h that works on others. However,
the glibc change makes a "one-size-fits-all-Ubuntu" config impossible.
This mirrors the detection done by autoconf/headers.m4 as CMake code.
It is a relatively simple patch, which unblocks building of librpm
on (K)ubuntu 20 while still working on Ubuntu 18.

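The detection described above only chooses which header provides the macros; the code that consumes its result is the usual guarded include chain. The following is an added example, not code from osquery or librpm: MAJOR_IN_SYSMACROS is defined by hand at the top as an assumption standing in for what the CMake check would write into config.h on glibc 2.25 and later, and splitDev, joinDev and roundTrips are illustrative names.

```cpp
// Added example (not osquery/librpm code): consuming the result of the
// MAJOR_IN_* detection. The define below is an assumption standing in for
// what the CMake check would write into config.h on glibc 2.25 and later.
#define MAJOR_IN_SYSMACROS 1

#include <sys/types.h>
#if defined(MAJOR_IN_MKDEV)
#include <sys/mkdev.h>       // Solaris-style libc
#elif defined(MAJOR_IN_SYSMACROS)
#include <sys/sysmacros.h>   // glibc >= 2.25, where <sys/types.h> stopped providing them
#endif
// With neither defined, <sys/types.h> alone is expected to provide the macros
// (pre-2.25 glibc), which is the same fallback AC_HEADER_MAJOR uses.

#include <cstdio>

struct DevParts {
    unsigned maj;   // not named major/minor: those are function-like macros here
    unsigned min;
};

// Split a dev_t such as st_dev or st_rdev from stat(2).
DevParts splitDev(dev_t dev) {
    return DevParts{major(dev), minor(dev)};
}

dev_t joinDev(unsigned maj, unsigned min) {
    return makedev(maj, min);
}

// Sanity check used below: split(join(x)) must return x, including majors
// above 255, which the Linux dev_t layout stores outside the low 16 bits.
bool roundTrips(unsigned maj, unsigned min) {
    DevParts p = splitDev(joinDev(maj, min));
    return p.maj == maj && p.min == min;
}

int main() {
    DevParts p = splitDev(0x801);   // kernel encoding of 8:1 (typically /dev/sda1)
    std::printf("%u:%u\n", p.maj, p.min);
    return (roundTrips(259, 4) && roundTrips(8, 1)) ? 0 : 1;
}
```

If the hard-coded define is removed, the same source builds against a config.h produced by either the autoconf or the CMake detection, which is the contract the commit restores.
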
Change the counter behavior so that the counter increments only when a
differential result is calculated. With this new behavior the counter
represents the order in which differential results should be replayed
to recreate state at a point in time.

Add support for processing KILL, TKILL and TGKILL syscalls. The first
message of the SYSCALL message type is handled in a similar way to
EXECVE, as the structure is more or less the same.
Three additional fields are parsed from the message: "ses" (the session
of the process), "comm" (the command that was executed, e.g. the script
name in the case of a /bin/bash invocation) and "tty" (the controlling
terminal of the process). These fields will not be published yet,
though, since the table schema doesn't support them at the moment.
The above feature is activated using the
--audit_allow_kill_process_events=true flag.
Sample columns:
```json
"columns": {
  "atime": "1589007635",
  "auid": "4294967295",
  "btime": "0",
  "cmdline": "",
  "ctime": "1587237608",
  "cwd": "",
  "egid": "1000",
  "euid": "1000",
  "fsgid": "1000",
  "fsuid": "1000",
  "gid": "1000",
  "mode": "0755",
  "mtime": "1586904788",
  "owner_gid": "",
  "owner_uid": "",
  "parent": "4781",
  "path": "/home/USERNAME/code-server-3.1.1-linux-x86_64/node",
  "pid": "4795",
  "sgid": "1000",
  "suid": "1000",
  "syscall": "kill",
  "time": "1589052835",
  "uid": "1000",
  "uptime": "26902"
}
```
Note that the Linux man pages recommend not using the TGKILL syscall.

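As an added example (not osquery's own code), here is a parser that pulls the fields the commit above describes out of a single audit SYSCALL record for the kill family, and goes slightly beyond the text by also decoding the hex argument registers into the target pid and signal. The record lines are constructed for this example, reusing the values from the sample columns (pid 4795, parent 4781, uid 1000, auid 4294967295). The x86_64 syscall numbers (kill=62, tkill=200, tgkill=234) are applied only when arch=c000003e, because the numbers differ per architecture. KillEvent, parseKillEvent and kKillSyscalls are illustrative names.

```cpp
// Added example, not osquery code: extract the fields the commit describes
// from one audit SYSCALL record for kill/tkill/tgkill.
#include <cstdio>
#include <map>
#include <sstream>
#include <string>

// x86_64 syscall numbers. Audit reports a number, not a name, and numbers
// differ per architecture, so this table is applied only when
// arch=c000003e (AUDIT_ARCH_X86_64).
static const std::map<long long, std::string> kKillSyscalls = {
    {62, "kill"}, {200, "tkill"}, {234, "tgkill"}};

struct KillEvent {
    bool matched = false;      // false: not a kill-family SYSCALL record
    std::string syscall, comm, tty, exe;
    long long time = 0, pid = 0, parent = 0, ses = 0;
    long long auid = 0, uid = 0, euid = 0, gid = 0, egid = 0;
    long long targetPid = 0;   // a0: pid for kill, tgid for tgkill, tid for tkill
    int signal = 0;            // a1 for kill/tkill, a2 for tgkill
};

// Split "key=value key2=\"quoted\"" into a map. Values containing spaces are
// hex-encoded by the kernel rather than quoted, so whitespace splitting holds.
static std::map<std::string, std::string> parseRecord(const std::string& line) {
    std::map<std::string, std::string> kv;
    std::istringstream in(line);
    std::string tok;
    while (in >> tok) {
        auto eq = tok.find('=');
        if (eq == std::string::npos) continue;
        std::string val = tok.substr(eq + 1);
        if (val.size() >= 2 && val.front() == '"' && val.back() == '"')
            val = val.substr(1, val.size() - 2);
        kv[tok.substr(0, eq)] = val;
    }
    return kv;
}

static long long toNum(const std::string& s, int base = 10) {
    return s.empty() ? 0 : std::stoll(s, nullptr, base);
}

KillEvent parseKillEvent(const std::string& line) {
    KillEvent ev;
    auto kv = parseRecord(line);
    if (kv["type"] != "SYSCALL" || kv["arch"] != "c000003e") return ev;
    auto it = kKillSyscalls.find(toNum(kv["syscall"]));
    if (it == kKillSyscalls.end()) return ev;

    ev.matched = true;
    ev.syscall = it->second;
    const std::string& msg = kv["msg"];            // "audit(SECS.MSEC:SERIAL):"
    auto lp = msg.find('('), dot = msg.find('.');
    if (lp != std::string::npos && dot != std::string::npos && dot > lp)
        ev.time = toNum(msg.substr(lp + 1, dot - lp - 1));
    ev.pid = toNum(kv["pid"]);    ev.parent = toNum(kv["ppid"]);
    ev.ses = toNum(kv["ses"]);    ev.auid = toNum(kv["auid"]);
    ev.uid = toNum(kv["uid"]);    ev.euid = toNum(kv["euid"]);
    ev.gid = toNum(kv["gid"]);    ev.egid = toNum(kv["egid"]);
    ev.comm = kv["comm"];  ev.tty = kv["tty"];  ev.exe = kv["exe"];
    // Argument registers are hex: kill(pid,sig) tkill(tid,sig) tgkill(tgid,tid,sig).
    ev.targetPid = toNum(kv["a0"], 16);
    ev.signal = static_cast<int>(toNum(kv[ev.syscall == "tgkill" ? "a2" : "a1"], 16));
    return ev;
}

// Constructed records mirroring the sample columns (pid 4795, ppid 4781,
// uid 1000, auid 4294967295). a0=12bb is 4795 in hex; a1=9 is SIGKILL.
const std::string kSampleKill =
    "type=SYSCALL msg=audit(1589052835.412:9001): arch=c000003e syscall=62 "
    "success=yes exit=0 a0=12bb a1=9 a2=0 a3=0 items=0 ppid=4781 pid=4795 "
    "auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 "
    "sgid=1000 fsgid=1000 tty=pts1 ses=3 comm=\"node\" "
    "exe=\"/home/USERNAME/code-server-3.1.1-linux-x86_64/node\" key=(null)";
// tgkill(4795, 4796, SIGTERM): the signal is in a2=f.
const std::string kSampleTgkill =
    "type=SYSCALL msg=audit(1589052840.100:9002): arch=c000003e syscall=234 "
    "success=yes exit=0 a0=12bb a1=12bc a2=f a3=0 items=0 ppid=4781 pid=4795 "
    "auid=4294967295 uid=1000 gid=1000 euid=1000 egid=1000 tty=pts1 ses=3 "
    "comm=\"node\" exe=\"/usr/bin/node\" key=(null)";
// execve (59) is not in the table and must be ignored.
const std::string kSampleExecve =
    "type=SYSCALL msg=audit(1589052841.000:9003): arch=c000003e syscall=59 "
    "success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4781 pid=4797 "
    "auid=4294967295 uid=1000 gid=1000 tty=pts1 ses=3 comm=\"sh\" exe=\"/bin/sh\" key=(null)";

int main() {
    const std::string* records[] = {&kSampleKill, &kSampleTgkill, &kSampleExecve};
    for (const std::string* rec : records) {
        KillEvent ev = parseKillEvent(*rec);
        if (!ev.matched) { std::puts("skipped: not a kill-family syscall"); continue; }
        std::printf("%s pid=%lld parent=%lld target=%lld sig=%d ses=%lld tty=%s comm=%s time=%lld\n",
                    ev.syscall.c_str(), ev.pid, ev.parent, ev.targetPid, ev.signal,
                    ev.ses, ev.tty.c_str(), ev.comm.c_str(), ev.time);
    }
    return 0;
}
```

The arch check matters in practice: a kill on an i386 or aarch64 box carries a different syscall number, and applying the x86_64 table there would silently mislabel events, which is why the parser drops rather than guesses.
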
The goal is to have less interdependency within osquery components.
This is the first of several changes that take small steps towards a
simpler dependency graph.
Later we can revisit the directory structure to see if we can convey
what components are intended to be widely used and what components
are specialized.

Add a description to the function preparing the targets carrying the
main compiler and linker flags.
Convert CMake default flags to the ones we use, instead of overriding
them later via targets.
This can also avoid having us use the wrong CRT on Windows if we forget to link
against osquery_cxx_settings.
Reduce the "overriding <flagX> with <flagY>" messages on Windows by
removing the warning level from the default flags, and adding that
to the specific osquery_<c|cxx>_settings target, so that non-internal
targets can choose their own level.
Minor cleanups
Fix osquery/osquery#6509