The goal is to have less inter-dependency within osquery components.
This is the first of several changes that take small steps towards a
simpler dependency graph.
Later we can revisit the directory structure to see if we can convey
what components are intended to be widely used and what components
are specialized.
This was determined to be the wrong approach to adding simple
killswitches. The intent was to quickly flip on/off features. It was
not widely adopted due to the dependencies killswitching has.
A different approach is to implement the same functions with something
simple like filesystem flags.
Summary:
Add log_numerics_as_numbers flag.
Internal SQLite query has method that returns QueryDataTyped (instead of QueryData), which are boost::variant<string, double, long long>.
Ints are encoded as such if and only if new log_numerics_as_numbers flag is set to true.
Reviewed By: fmanco
Differential Revision: D13778323
fbshipit-source-id: 7d7bb31781486f63fcc088cd479d3b6f255a5cb4
Summary: Add query monitoring without specifying the scheme. It will help us in the simpler aggregation.
Reviewed By: marekcirkos
Differential Revision: D14280109
fbshipit-source-id: d70971c9ebe1e15c66f36e1490b7d8e198a68a7a
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5452
As suggested in another diff, this diff updates the language we use to describe the osquery licensing terms. We are changing all instances of
//This source code is licensed as defined on the LICENSE file found in the root directory of this source tree.//
to
//This source code is licensed in accordance with the terms specified in the LICENSE file found in the root directory of this source tree.//
We accomplish this with a codemod:
$ codemod -md xplat/osquery/oss --extensions cpp,h,in,py,sh,mm,ps1 "(.\s+)This source code is licensed as defined on the LICENSE file found in the(.*)root directory of this source tree\." "\1This source code is licensed in accordance with the terms specified in\2the LICENSE file found in the root directory of this source tree."
Reviewed By: fmanco
Differential Revision: D14131290
fbshipit-source-id: 52c90da342263e2a80f5a678ecd760c19cf7513e
Summary:
Initial steps to separate plugins from the rest of osquery. On the long run separating plugins will provide more build flexibility such that we can have configurable builds that include only the bits and pieces we actually need per deployment. Reducing the attack surface, possibility of supply chain attacks, binary size, etc.
Move config and config_parser plugins
Reviewed By: marekcirkos
Differential Revision: D14119102
fbshipit-source-id: 0bc956398b3829c6f1013b38ebba2f0fc1071a93
Summary: Removing flag which was declared but never used. enable_monitor
Reviewed By: marekcirkos
Differential Revision: D13958265
fbshipit-source-id: 3a812330950b101abdbd83ada4afd5b262cabd26
Summary: For some monitoring, we need to include machine identity. Two example, I found is hostname or similar hostnames schema name.
Reviewed By: SAlexandru
Differential Revision: D13880705
fbshipit-source-id: e1d0238f4981adad1554d73f0ef6e5ef65a98c33
Summary: profiler file contained the CodeProfiler class, which is a bit odd. Thanks alecx
Reviewed By: akindyakov
Differential Revision: D13861320
fbshipit-source-id: 11d711fd1d15830d4cce0be084cc6da3b1c6589c
Summary:
Split query name and pack name with the delimiter(dot) which should not accrue inside their names(instead of _ or -).
Also log things per pack name
Reviewed By: SAlexandru
Differential Revision: D13854471
fbshipit-source-id: 181e7e19fcfb5d57a779cea6a2804eda09dc5a91
Summary:
Split query name and pack name with the delimiter(dot) which should not accrue inside their names(instead of _ or -).
Also log things per pack name
Reviewed By: mkareta
Differential Revision: D13854389
fbshipit-source-id: 35ba80813d98371dd36a83ec32aad677f24aa6eb
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
Summary: As discussed in [an old PR](37ffdf8a48 (r213278358)) this is of questionable benefit and will get complicated when we change to typed values, so dropping.
Reviewed By: guliashvili
Differential Revision: D13631227
fbshipit-source-id: ada9b5434297d8c1c4b3e3855fe595faf5937bf6
* Simple solution to reduce drift time in loop of scheduled queries #4301
based on measuring time of loop step and reduce sleep time on it.
* Change schedule time drift compensation policy
Sleep less time or do not sleep at all if there is non-zero accumulated drift.
Also new flag [schedule_max_drift] was added to make it configurable.
* Add test to check time drift accumulation and fix up code according review comments
When setting up alerts for differential logs data you might want to skip the
initial added records. counter can be used to identify if the added records
are all records from initial query of if they are new records. For initial
query results that includes all records counter will be "0". For subsequent
query executions counter will be incremented by 1. When epoch changes, counter
will be reset back to "0".
