valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 10:23:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
988 Commits 2 Branches 109 Tags 25 MiB
3984b8268f
Commit Graph

988 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sean Williams
3984b8268f Merge branch 'linux-camb' of github.com:facebook/osquery into linux-camb 2014-12-09 01:50:47 +00:00
Sean Williams
341fbc3b53 -Conform to new table function signature 
-Add proper include and fix brackets on macro
-Let osquery core do the integer cast for syscall_addr_modified
-Fix misc cruft
 2014-12-09 01:47:51 +00:00
Sean Williams
1b89e07287 Let osquery core do the integer cast for syscall_addr_modified 2014-12-09 01:36:21 +00:00
Sean Williams
1fe8ce89c5 Add proper include and fix brackets on macro 2014-12-09 00:27:08 +00:00
Sean Williams
f192722ef2 Conform to new table function signature 2014-12-09 00:06:48 +00:00
Sean Williams
b51ccd83cb Merge branch 'linux-camb' of github.com:facebook/osquery into linux-camb 
Conflicts:
	include/osquery/kernel/linux/sysfs.h
	osquery/kernel/linux/hash.c
	osquery/kernel/linux/main.c
 2014-12-09 00:02:42 +00:00
Sean Williams
48bf3192e1 kernel_integrity vtable to use camb 2014-12-08 23:58:33 +00:00
Sean Williams
cd5bedbb0e Remove hooking of init module: it should really go in an LSM proper; also fix Makefile when SMAP is not specified 2014-12-08 23:58:32 +00:00
Sean Williams
c979656cc9 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:58:08 +00:00
Sean Williams
7a81544ac0 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:58:07 +00:00
mike@arpaia.co
376b292c57 removing trailing content 2014-12-08 23:54:56 +00:00
mike@arpaia.co
c49286dd96 new headers 2014-12-08 23:54:18 +00:00
mike@arpaia.co
c6f14b9776 moving to top-level kernel directory 2014-12-08 23:52:34 +00:00
Sean Williams
d2bde43331 Fix a couple bugs; cleanup unused code/includes 2014-12-08 23:47:30 +00:00
Sean Williams
05ce70f871 Detect some linux kernel tampering. initial branch; not yet complete 
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files undearneath it:
syscall_addr_modified and text_segment_hash.

File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)

The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
 2014-12-08 23:47:30 +00:00
Sean Williams
6ad17759d8 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:47:29 +00:00
Sean Williams
218f74ae80 Makefile more flexible; fix a few bugs; optionally naively hide module 2014-12-08 23:47:29 +00:00
mike@arpaia.co
ece9d4fa00 removing trailing content 2014-12-08 23:47:26 +00:00
mike@arpaia.co
1ce1e17902 new headers 2014-12-08 23:47:25 +00:00
mike@arpaia.co
5b80664c5e moving to top-level kernel directory 2014-12-08 23:47:25 +00:00
Sean Williams
279d55e49d Fix a couple bugs; cleanup unused code/includes 2014-12-08 23:47:24 +00:00
Sean Williams
0953b17e93 Detect some linux kernel tampering. initial branch; not yet complete 
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files undearneath it:
syscall_addr_modified and text_segment_hash.

File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)

The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
 2014-12-08 23:47:24 +00:00
mike@arpaia.co
e260007f04 Change exit(-1) to exit(EXIT_FAILURE) 2014-12-08 10:40:10 -08:00
Teddy Reed
fb5048596c Merge pull request #527 from theopolis/fix_linux_processes_cmdline 
Replace linux cmdline tokens with spaces
 2014-12-07 18:11:07 -08:00
Teddy Reed
f8cc579d36 Fix json results clear 2014-12-07 15:53:37 -07:00
Teddy Reed
b890670be1 Replace linux cmdline tokens with spaces 2014-12-07 00:35:24 -07:00
Teddy Reed
a0866c0972 Merge pull request #524 from theopolis/events_expiry 
Events expiry
 2014-12-06 19:52:16 -08:00
Teddy Reed
b77f469752 Merge pull request #526 from theopolis/json-output 
Add -json output mode for shell
 2014-12-06 19:52:06 -08:00
Teddy Reed
19695d40aa Add expiration to events 2014-12-06 18:28:03 -07:00
Teddy Reed
78ecc73d81 Add -json output mode for shell 2014-12-06 18:22:48 -07:00
Sean Williams
16a1cbf563 kernel_integrity vtable to use camb 2014-12-06 23:36:50 +00:00
Sean Williams
0b1b1f5b72 Merge branch 'linux-camb' of github.com:facebook/osquery into linux-camb 
Conflicts:
	osquery/kernel/linux/Makefile
	osquery/kernel/linux/main.c
 2014-12-06 12:54:02 -08:00
Sean Williams
f651254bc5 Remove hooking of init module: it should really go in an LSM proper; also fix Makefile when SMAP is not specified 2014-12-06 12:47:59 -08:00
Sean Williams
c74c972e1d Update CONTRIBUTING.md 2014-12-06 12:35:02 -08:00
Sean Williams
9c513c20e7 Update CONTRIBUTING.md 2014-12-06 12:34:19 -08:00
Teddy Reed
7b16e45f55 Improve pubsub unittests 2014-12-05 16:18:05 -07:00
Teddy Reed
76597aa25f Merge pull request #522 from theopolis/make_pkg_simple 
Add -s flag to OSX package script
 2014-12-04 09:46:03 -08:00
Teddy Reed
f3ab333cf1 Add -s flag to OSX package script 2014-12-04 09:33:04 -08:00
Teddy Reed
bd64fb4619 Merge pull request #519 from theopolis/better_includes2 
Codemod to improve include search paths for includes
 2014-12-03 17:40:06 -08:00
Teddy Reed
b7765a6af0 Codemod to improve include search paths for includes 2014-12-03 15:31:09 -08:00
Teddy Reed
400199f05e Merge pull request #518 from theopolis/better_includes 
Codemod to improve include search paths
 2014-12-03 15:29:23 -08:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274 Merge pull request #515 from theopolis/faster_generator 
Towards simple table generation
 2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f Merge pull request #510 from wxsBSD/issue_475 
Implement signed columns for users and groups.
 2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325 Use a single class for Table plugins 2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4 Amalgamate generated tables 2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405 Organize /tools 2014-12-02 21:16:24 -08:00
Teddy Reed
119eb37731 Simple template functions 2014-12-02 21:02:50 -08:00
Teddy Reed
f4337243ec Towards simple table generation 2014-12-02 20:36:46 -08:00
Teddy Reed
7ad06d856d Merge pull request #514 from eastebry/fix_hostIdentifier_typo 
Fixed typo in getHostIdentifier
 2014-12-02 19:34:35 -08:00