* deb_packages: Fix include order issue
* bpf_socket_events, bpf_process_events: Initial implementation
* BPF: Add process tracking to process events, remove sockets_event
* CMake: Upgrade the C++ standard to C++17
* BPF: Improve initial system state snapshot and event collection
* BPF: Add tests for SystemStateTracker
* BPF: Add tests for BPFEventPublisher
* BPF: Refactor, add tests for ProcessContextFactory
* Refactor: Improve initial scan/event handling, fix openat
* BPF: Improve event ordering
* BPF: Fix test issue in BPFEventPublisher::processOpenAt
* BPF: Mark WIP functions as deprecated
* BPF: Improve tests
* BPF: Add back bpf_socket_events and connect() support
* BPF: Add Netlink addr support, add bind()
* BPF: Add accept/accept4 support
* BPF: Add tests for BPFEventPublisher::processOpenat2Event
* BPF: Add remaining tests for BPFEventPublisher
* BPF: Add configuration flags for memory management
* BPF: Add cmdline support to ProcessContextFactory
* BPF: Add additional tests
* BPF: Add unit test for SystemStateTracker::accept
* BPF: Update cwd handling
* BPF: Add tests for bpf_socket_events
* BPF: Add tests for bpf_process_events
* BPF: Add json_cmdline hidden column to bpf_process_events
* BPF: Update all copyright headers
* BPF: Add syscall duration in socket_events/process_events
* BPF: Code review changes
* BPF: Update ebpfpub to the latest version
* BPF: Removed unused functions
* BPF: Code review changes
Add whitespace around namespaces
* BPF: Revert header changes in rot13.cpp
* BPF: Code review changes
Rename the bpf_ntime column in bpf_socket_events/bpf_process_events
to ntime and make it the last visible column
* BPF: Code review changes
Update the dependencies for the BPF tests
* BPF: Code review changes
Update the dependencies for the BPF table tests
* BPF: Code review changes
Update how characters are appended to strings in the
system state tracker class
* BPF: Code review changes
Update the string -> integer conversion utilities in the
process context factory class.
* BPF: Hide failed exec syscalls from bpf_process_events results
* BPF: Do not log an error for invalid sockaddr structures
* BPF: Code review changes
Remove clang-format ignore block
* BPF: Code review changes
Update log messages in the BPFEventPublisher class
* BPF: Code review changes
Remove clang-format ignore block around the function tracer
descriptors
* BPF: Code review changes
Document the IFilesystem interface
* BPF: Code review changes
Document the IProcessContextFactory interface
* BPF: Code review changes
Document the ISystemStateTracker interface
CMake ignores the sysroot when testing the support of PIE,
so the link test fails when it tries to check for PIE support
and decides that it's not supported.
Therefore we tell CMake that PIE is supported when using the
osquery-toolchain and leave the automatic test for other toolchains.
Temporarily disable PIE on executables built with the
osquery-toolchain libFuzzer, since it has not been compiled with PIE/PIC
support.
Add a description to the function preparing the targets carrying the
main compiler and linker flags.
Convert CMake default flags to the ones we use, instead of overriding
them later via targets.
This can also avoid having us use the wrong CRT on Windows if we forget to link
against osquery_cxx_settings.
Reduce the "overriding <flagX> with <flagY>" messages on Windows by
removing the warning level from the default flags, and adding that
to the specific osquery_<c|cxx>_settings target, so that non-internal
targets can choose their own level.
Minor cleanups
Fix osquery/osquery#6509
We have ported all platforms to use the source layer.
The facebook layer is not needed anymore since we build everything from source now;
the same goes for the transitional source_migration layer.
Minor cleanups about the recently removed python modules.
By using RPM-DEFAULT and DEB-DEFAULT as package names,
CPack leaves the naming of the packages to the underlying
packaging tools which will use the standard naming format.
- Add the possibility of running table logic inside a container
namespace, so that it's possible to query it instead of the host.
Needs minor modifications to each table logic and how they use logging.
In practice it works by having a pid_with_namespace column, which should
contain pids that are in the same mount namespace as the container one
wants to query.
The worker receives that column as a constraint, prepares two unnamed
pipes for read/write communications with the future child, then forks
into a new process.
While the parent sends a query job to the just created child and then waits
for results, the child receives the job, takes all the values given in the
pid_with_namespace constraint, retrieves the fd of the mount namespace
under "/proc/<constraint pid>/ns/mnt", then switches to it.
Finally it runs the table logic, sending the results back to the parent
through the pipe with a JSON message.
It is important to note that the logging in the table logic is not GLOG
directly, because in the child this is in an unknown state; a custom
logging system that resembles glog and that takes advantage of the
existing communication channel is used to send the messages in JSON
format to the parent, which will take care of forwarding them to GLOG.
- Add FLAGS_keep_container_worker_open so that the process used for
accessing a container is kept open, until the queries are for the same
table; when the table changes, the process will be closed
and a new one created.
This is off by default, which means that a new process will always be
created.
- Implemented a way to run tests that require root separately
from the others.
The OSQUERY_BUILD_ROOT_TESTS option has been added to request that such tests
be built.
To run only tests which require a normal user, one has to use
`ctest -LE "root-required"`, while `sudo ctest -L "root-required"`
runs those that need root.
PR: osquery/osquery#6209
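The parent/child round trip described in that commit message, as an added C++ example that is not osquery's own code: `runInNamespace`, the `job` callback standing in for the table logic, and the `{"rows":...}` / `{"log":...}` reply shapes are assumptions. Entering another pid's mount namespace needs Linux and CAP_SYS_ADMIN; without it the child reports the `setns` failure back over the pipe rather than logging it itself.

```cpp
#include <fcntl.h>
#include <sched.h>      // setns(), CLONE_NEWNS (Linux only)
#include <sys/wait.h>
#include <unistd.h>
#include <cerrno>
#include <cstring>
#include <functional>
#include <string>

// Run `job` (stand-in for the table logic) in a forked worker. The parent sends
// the request over one pipe and collects a JSON reply over the other. When ns_pid
// is > 0 the child first joins that pid's mount namespace via /proc/<pid>/ns/mnt.
// Failures in the child are not logged directly (the child's logger state is
// unknown); they travel back to the parent as a {"log":...} message instead.
std::string runInNamespace(pid_t ns_pid, const std::function<std::string()>& job) {
  int to_child[2], to_parent[2];
  if (pipe(to_child) != 0 || pipe(to_parent) != 0) return "{\"log\":\"pipe failed\"}";
  pid_t child = fork();
  if (child < 0) return "{\"log\":\"fork failed\"}";
  if (child == 0) {  // worker side
    close(to_child[1]); close(to_parent[0]);
    char cmd[8] = {0};
    if (read(to_child[0], cmd, sizeof(cmd) - 1) < 0) _exit(1);  // wait for the job
    std::string reply;
    if (ns_pid > 0) {
      std::string path = "/proc/" + std::to_string(ns_pid) + "/ns/mnt";
      int fd = open(path.c_str(), O_RDONLY);
      if (fd < 0 || setns(fd, CLONE_NEWNS) != 0)
        reply = "{\"log\":\"setns failed: " + std::string(strerror(errno)) + "\"}";
      if (fd >= 0) close(fd);
    }
    if (reply.empty()) reply = "{\"rows\":" + job() + "}";  // run the table logic
    if (write(to_parent[1], reply.data(), reply.size()) < 0) _exit(1);
    _exit(0);
  }
  close(to_child[0]); close(to_parent[1]);  // parent side
  if (write(to_child[1], "query", 5) < 0) return "{\"log\":\"request failed\"}";
  close(to_child[1]);
  std::string out;
  char buf[256];
  for (ssize_t n; (n = read(to_parent[0], buf, sizeof(buf))) > 0;) out.append(buf, n);
  close(to_parent[0]);
  waitpid(child, nullptr, 0);  // reap the worker, as the default (no keep-open) mode does
  return out;
}
```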
Do not set CPACK_WIX_SKIP_PROGRAM_FOLDER to true and a specific install path,
since this will break the Program Files folder drive resolution
to the system drive, and instead will enable the ROOTDRIVE logic
which chooses the disk with the most space available.
Fixes osquery/osquery#6314
Fixes osquery/osquery#6342
- Restore the ability of osquery to log to the Windows Event Log.
- Restore the information normally shown on the Details tab
of the Properties of the osquery executable.
- Add and refactor utility functions to parse and transform
the osquery version, needed by the Windows resource files
and packaging.
CMake 3.16 doesn't set Python3_EXECUTABLE as a cache variable anymore;
it has changed to _Python3_EXECUTABLE, which is for internal use.
The module returns Python3_EXECUTABLE as a local variable,
so we share that value through a new custom cache variable,
OSQUERY_PYTHON_EXECUTABLE.
test_base.py received several fixes and now supports and requires
a custom folder in which to find the config files that the tests need.
It has also been updated to use Python 3.
Fixed the gen_api function in genapi.py missing the path to the spec
file when evaluating blacklisted tables.
Co-Authored-By: SS <sahil.suneja@trailofbits.com>
This is to have better separation between them and the python tests.
BUCK files have been updated accordingly.
Changes to the internal generateCopyFileTarget function were needed.
The function now supports a base folder to be set so that the regex or file path
is appended to that base path, without having it included in the destination.
It will also not use a library target anymore, but a custom one so
that it's possible to set properties with custom names.
Use only one copy target to copy test config files instead of having
multiple that overlap.
Overlapping targets may give issues when copying, and tests in the end will need all of
them.
Removed the restriction for the Python version to be >= 3.6 but < 3.8.
Now it has to be >= 3.5; lower versions are EOL.
Removed the search for Python2 too since nothing uses it anymore.
Fixes osquery/osquery#6079
This is needed by some third party libraries and
when using Ninja on Windows.
CMake complains that it cannot find the internal variable
for CMAKE_ASM_MASM_COMPILE_OBJECT if it's not active for the whole
project.
This commit creates a new osquery/main/harnesses directory and moves fuzz-config there.
It removes OSQUERY_FUZZ in favor of a new option, OSQUERY_ENABLE_FUZZER_SANITIZERS.
It creates a new option, OSQUERY_ENABLE_ADDRESS_SANITIZER.
The following behaviors are intended:
OSQUERY_BUILD_TESTS=ON will build the fuzzing harness. This configuration is not
intended for fuzzing purposes. OSQUERY_ENABLE_FUZZER_SANITIZERS=ON will also build
the fuzzing harness. However, if this variable is true, it also requires
OSQUERY_ENABLE_ADDRESS_SANITIZER=ON and either CMAKE_BUILD_TYPE=Release or
RelWithDebInfo. This configuration is actually intended for fuzzing.
* Fix packaging regression on Windows
Component variables should be set only for Linux and macOS,
otherwise on Windows the internal WiX IDs change and the
WiX fragment patch won't work.
Cleanup the version patch component, since WiX doesn't support
version components that are not digits.
* Add the rpm package to the CI Dockerfile, to test rpm packaging
* Fix TGZ generation on other platforms
* Add dpkg-dev and file packages to the CI Dockerfile
They are needed for creating DEB debug packages.
* Add packaging steps to the CI
Set TGZ as the default packaging system when one cannot be detected.
Fix generatePackageTarget indentation.
This enables a component install for DEB (only). This is required in
CMake version 3.17.0 (planned) and lower to produce a debuginfo version.
One side-effect is we have to gate the stripping for DEB.
This defines a new CMake option: OSQUERY_FUZZ, which appends compiler
and linker flags for libFuzzer to be effective.
There is one example harness that will fuzz config parsing.