Commit Graph

403 Commits

Author SHA1 Message Date
Nick Anderson
7c90823a0c Upgrade LLVM to 3.8.1 on Linux (#2436) (#2435) 2016-09-02 14:53:04 -07:00
yying
d347c847e1 Support for extensions (#2363) 2016-08-31 16:45:06 -07:00
Teddy Reed
65dd56e113 Introduce table 'attributes' (#2431) 2016-08-31 15:32:20 -07:00
Teddy Reed
d6e20279d8 Use LOG(INFO) and set INFO as default logging mode (#2420)
This is fairly important, it changes the default mode for what status
events are logged to INFO. It had been set to WARNING and INFO was relatively
unused.

This also removes expected support for RocksDB 'in-memory' databases.
If a shell-user requests a database via CLI flags it will now work.
2016-08-31 15:09:01 -07:00
Teddy Reed
132fa3a753 Display flags in alphabetical order (#2407) 2016-08-24 17:44:16 +01:00
Teddy Reed
1b75972181 [Fix #2387] Attempt to create user's osquery homedir (#2395) 2016-08-17 17:27:46 -07:00
Teddy Reed
f3f605e26a Introduce a PLATFORM_MASK and isPlatform (#2334)
Along with the platform defines and platform string defines provided by
CMake to the build, add a PLATFORM_MASK define.

Use this define as a platform-type mask with the PlatformType enum.
2016-08-09 20:27:42 -07:00
yying
50487c6880 Changes to make pidfile work on Windows (#2297) 2016-07-28 16:04:34 -07:00
yying
2fb3797c53 Changes to support building a osquery Windows service. (#2278) 2016-07-22 13:29:37 -07:00
Teddy Reed
c22f6147ea Move OSQUERY_HOME into core and use as filesystem config default (#2275) 2016-07-21 13:28:23 -07:00
Teddy Reed
6df4c8c4d4 The watcher process should apply memory limits to itself (#2263) 2016-07-21 12:33:14 -07:00
Zachary Wasserman
f1f00cec2b Enable DB in osqueryi when --database_path specified (#2268)
Prior to this change, both --disable_database=false and --database_path had to
be specified together. Now, if the user specifies --database_path the database
is enabled automatically.
2016-07-20 17:44:50 -07:00
artemdinaburg
78e1cf7ab4 Transition __attribute__((constructor)) to a more platform independent approach (#2233) 2016-07-14 14:19:33 -07:00
Teddy Reed
45530c0496 Slight performance improvments (#2242) 2016-07-12 19:16:50 -07:00
Teddy Reed
7f304a0934 Various fixups and best practices (#2237) 2016-07-11 09:45:57 -07:00
Teddy Reed
48cb4d555d Add systemLog API (#2229)
This includes a minor SDK refactor as it move quite a few specialized
functions and facilities from core.h into system.h. There was a breaking point
for needing to frequently update core includes.

The new logger systemLog function allows a call site to bypass logging config
and write a line to the OS logger (aka syslog).
2016-07-07 15:16:28 -07:00
Teddy Reed
1f9739eed4 [Fix #2203] Restore extension respawn limits to 20s (#2207) 2016-06-30 17:53:05 -07:00
Teddy Reed
753c023640 Fix milli/micro conversion when waiting for active plugins (#2205) 2016-06-30 13:31:32 -07:00
artemdinaburg
5292100c22 Use vector.data() to get internal vector buffers (#2204) 2016-06-30 12:32:26 -07:00
Teddy Reed
47e1a5ba74 Use noexcept boost::filesystem overloads (#2195) 2016-06-27 16:39:04 -07:00
Teddy Reed
c8c67c455a Simplify watchdog limits configuration (#2173) 2016-06-19 23:27:16 -07:00
Nick Anderson
cf30388705 Moved test_utils to it's own directory out of core. Updated references (#2154) 2016-06-09 10:49:26 -07:00
Teddy Reed
91b34010df Allow table specs to use multiple row indexes (#2146) 2016-06-07 17:13:48 -07:00
Teddy Reed
763f4e9437 Use SQLite 3.14.0 to support LIKE and EQUALS (#2137)
This commit bumps the third-party SQLite to the 3.14.0 pre-release (18:59).
With 3.14.0 the LIKE and EQUALS constraint operators may be mixed within a
query. Previously these would fail to produce a valid set.

As part of the support, each virtual table should choose to bypass rowid-based
deduplication using the new "WITHOUT ROWID" create table epilog. This will
be appended to the schema if the table defines a PRIMARY KEY using index=True.
2016-06-06 09:36:53 -07:00
yying
5f81cd9e2b Filesystem Abstractions - Code and Unit Tests (#2119)
* Implemented filesystem operations abstraction code
* Added filesystem operations abstraction unit tests
* Modified CMake configurations to support the building of the abstraction code and unit tests
2016-05-31 12:20:38 -07:00
Teddy Reed
10664a4945 Add --ephemeral for daemons and disable shell events (#2111)
This changes several initialization steps:
- The daemon (and shell, though not needed) have a new --ephemeral flag.
- Events are now disabled in the shell by default, use --nodisable_events to
  re-enable.
- RocksDB-based backing storage is now disabled in the shell by default.

The --ephemeral flag for the daemon is disabled by default and will allow
skipping configuration and database path sanity, and skipping pidfile checks.
This is intended to be used when debugging or monitoring the daemon process.

To make the RocksDB backing storage feature usage very clear we introduce a new
flag: --disable_database. The shell sets this to true unless overridden in
a flagfile or via command line arguments.
2016-05-20 08:39:04 -07:00
Teddy Reed
c4acfe89e5 Introduce table aliases (#2104) 2016-05-19 09:40:43 -07:00
Teddy Reed
b28c4d8d0f Introduce table options (#2101)
Table options includes a change to the Registry::call API for TablePlugins.
When requesting route information or the 'columns' action, a new 'op' key is included.
2016-05-18 12:23:52 -07:00
yying
26ad131c38 Building osquery unit tests on Windows 10 (#2100)
Integrated process abstraction code into more locations
Defined new macros for abstracting across various platforms
Added GLOG_NO_ABBREVIATED_SEVERITIES for glog to support Windows
Fixed some minor CMake issues involving thrift
Updated gflags package; reflecting change in provision script
Preparing CMake config files for WIN32 support
2016-05-17 12:39:11 -07:00
yying
15d1455957 Process Operations - osquery/core Integration (#2087)
This integrates the process abstraction operations within osquery core.
2016-05-13 19:47:45 -07:00
Teddy Reed
3813f09abb Clean up host identifier UUID access (#2092)
When selecting UUID as the host identifier the client follows:
- If host_identifier is set to hostname, return the hostname
- If UUID check a static UUID container
- If empty request the UUID from the backing storage, RocksDB
- If empty use the Apple hardware UUID or generate a UUID
- If the Apple UUID request fails generate a UUID

When no UUID is available in the backing store save the new UUID.
2016-05-12 08:40:37 -07:00
yying
63c0258aec Abstracted platform specific process operations into a common interface. (#2069)
Added Windows support for process operations.
Added unit tests for process abstraction code for POSIX and Windows.
Modified CMake config files to support building the new code and unit tests.
2016-05-11 14:16:32 -07:00
Teddy Reed
947799d28e Introduce within-query caching (#2077)
This adds a new optimization feature that allows expensive tables to cache
their results between JOINs. Consider JOINing a list of open sockets, for each
process, then requesting to hash each process path. This query may hash
the same path multiple times.

Within-query caching allows the hash table to respond with the previous
result of the hash request as long as the requested computation was the result
of a single query. Subsequent queries will perform subsequent hashing.
2016-05-09 10:32:33 -07:00
Teddy Reed
5a56805970 Introduce --utc flag to convert all calendar UNIX times to UTC (#2064)
Beginning in version 1.8.0 all time uses will converge on an osquery-provided
getUnixTime() API call that returns, by default, UNIX time integers converted
to UTC/GMT. The 'time' table will respond with the parsed time for the
configuration. If the timezone is not UTC then osquery is using localtime.

This configuration option will affect the 'unix_time' response in the 'time'
table. Because of this configurable-effect the table is extended to include
'local_time' which is always the system local UNIX time.
2016-05-03 13:00:31 -07:00
Teddy Reed
2a350afb10 Merge pull request #1974 from theopolis/sane_logging_disable
[Fix #1973] Improve logging/extensions relays
2016-03-27 01:00:16 -07:00
Teddy Reed
b9194026db [Fix #1973] Improve logging/extensions relays 2016-03-27 00:43:02 -07:00
Zachary Wasserman
0eff0f2f4e Collection of doc fixes
- Minor fix in creating tables documentation
- Fix docs for join
- Add note about config paths
- Update events docs
- Fix link to query packs
2016-03-25 14:12:41 -07:00
Teddy Reed
d2d1431061 Move dispatcher to public API 2016-03-21 15:27:51 -07:00
Teddy Reed
27f4754e5e [Fix #1928] Reorder deps installs to build all with clang 2016-03-20 19:15:44 -07:00
Teddy Reed
ebb0ab30ce Fix shell's --profile switch 2016-03-20 16:05:13 -07:00
Teddy Reed
15a998e54f Use the default shutdown flow within extensions 2016-03-20 01:45:49 -07:00
Teddy Reed
c62a0f41b6 Various cleanups 2016-03-18 10:40:07 -07:00
Teddy Reed
0ba2861cf9 [Fix #1920] Detach thread before joining/clearing (terminate) 2016-03-13 12:15:18 -07:00
Teddy Reed
3de52846d0 Remove boost::thread 2016-03-11 11:50:44 -08:00
Teddy Reed
5f8fa32e21 [Fix #1901] Tear down TLS server runner 2016-03-07 09:38:37 -08:00
Teddy Reed
afd17f8134 1. Reorganize RocksDB database handle into a plugin
2. Introduce a SQLite-based database plugin
3. Refactor database usage to include local 'fast-calls'
4. Introduce an 'ephemeral' database plugin for testing (like a mock)
2016-03-06 20:40:16 -08:00
Teddy Reed
08a1d852a2 Add CXXFLAGS to deps build 2016-02-22 22:12:06 -08:00
Teddy Reed
9c42ba51b3 Merge pull request #1858 from theopolis/sqlite_3.11
Bump sqlite to 3.11.0
2016-02-21 23:35:01 -08:00
Teddy Reed
9a54af29ce Bump sqlite to 3.11.0 2016-02-21 22:40:37 -08:00
Teddy Reed
8dc0fc1c95 Consolidate string/text conversions outside of API 2016-02-12 11:38:15 -08:00
Baraa Hamodi
21c2237eca [osquery] Update copyright headers to new format. 2016-02-11 11:48:58 -08:00
Teddy Reed
48a1adf77b Allow extensions autoloading in osqueryi 2016-02-10 10:20:23 -08:00
Teddy Reed
02eb57fc47 Merge pull request #1832 from theopolis/pack_valid
Valid bool in packs for shard/plaform/version checking
2016-02-06 20:29:55 -08:00
Teddy Reed
a2754a01ef Valid bool in packs for shard/plaform/version checking 2016-02-06 17:54:56 -08:00
Teddy Reed
1deee80bf2 Merge pull request #1829 from theopolis/dispatcher_refactor
Refactor dispatcher shutdown logic
2016-02-05 15:17:05 -08:00
Teddy Reed
7f37304c77 Refactor dispatcher shutdown logic 2016-02-05 01:29:42 -08:00
Teddy Reed
b91dc379b3 Handle restricted home directories 2016-02-04 13:43:24 -08:00
Teddy Reed
87ea41c6ec Improve TLS logger performance 2016-01-21 10:43:15 -08:00
Teddy Reed
51fd73c449 Assure dropTo can be used safely consecutively 2015-12-14 21:27:00 -08:00
Teddy Reed
fbc8fb92dc Allow --config_dump with watcher 2015-12-14 16:19:37 -08:00
Teddy Reed
a99b62a31d Preserve atime and mtime by default for readFile 2015-12-11 22:18:45 -08:00
Teddy Reed
59750ec87d Speed up file hashing 2015-12-11 00:36:16 -08:00
Teddy Reed
309944c586 Configuration triggered publisher reconfiguration 2015-12-08 14:03:35 -08:00
Teddy Reed
02c2b37a5d Merge pull request #1709 from theopolis/expire_results
[Fix #1694] Expire results for 'old' scheduled queries
2015-12-07 14:01:44 -08:00
Teddy Reed
12716496aa [Fix #1694] Expire results for 'old' scheduled queries 2015-12-07 12:23:43 -08:00
Teddy Reed
b88d6816f3 Additional TSK tables 2015-12-07 08:36:22 -08:00
Teddy Reed
fef53fa0d0 Add config and database dumping to stdout 2015-12-06 11:01:26 -08:00
Teddy Reed
f57968e0f6 Use a static 'binary' name for Glog 2015-11-27 11:27:09 -08:00
Teddy Reed
2bad9d6a74 Changes to suport node-based configs 2015-11-24 14:44:56 -08:00
Teddy Reed
35129a7af7 [#1665, #1615] Refactor user-based tables to act uniformly 2015-11-24 12:46:25 -08:00
Teddy Reed
e1d7511600 Remove column type string representations 2015-11-14 15:57:30 -08:00
Teddy Reed
c2be670806 Table results caching
1. Table implementations (spec files) can mark the table as 'cachable'.
2. Cached results depend on the shortest/quickest interval of scheduled
queries that act on results of the table.
3. The table API generator blocks caching on index/additional/required
table column options.
2015-11-14 15:57:23 -08:00
Teddy Reed
4c2319f8dd Add GID to PrivilegeDropper 2015-11-08 01:03:08 -08:00
Teddy Reed
57e8ef2ab3 [#1546] Add computer_name to system_info and extend to Linux 2015-11-04 10:31:16 -08:00
Teddy Reed
edea3d6edd [Fix #1626] Add schedule blacklist and protect DBHandle 2015-11-03 20:50:22 -08:00
Teddy Reed
15215cdbc0 Add persistent splays 2015-11-02 14:10:04 -08:00
Teddy Reed
425e5e5596 Change the watcher limits to default=loose 2015-11-02 10:57:01 -08:00
Teddy Reed
5233d7dcf8 Add start time to osquery_info, remove md5/path 2015-11-02 10:57:01 -08:00
Teddy Reed
a1a9131174 Optimize socket_events and Linux users 2015-11-02 10:37:56 -08:00
Teddy Reed
d27a7ecc4c Fix clang warnings, promote warnings to errors 2015-11-01 02:12:07 -08:00
Teddy Reed
09e4e3c42e Expand the scope of permissions dropping 2015-10-30 09:56:33 -07:00
Teddy Reed
8ca2925ef0 [Fix #1583] Require osqueryd to have R/W access to RocksDB 2015-10-27 16:09:24 -07:00
Teddy Reed
b8087a1b26 Fix readFile TOCTOU error 2015-10-26 01:21:05 -07:00
Robert C. Seacord
09481d0381 Fixed some type problems, casting away const, integer types, old style casts, etc. 2015-10-21 20:56:58 +00:00
Robert C. Seacord
e57828aac3 changes for integer sign problems 2015-10-17 00:18:35 +00:00
Robert C. Seacord
acb2f6f628 eliminating diagnostics, mostly for comparisons between signed and unsigned operations 2015-10-16 16:10:37 +00:00
Teddy Reed
201fbabb28 [Fix #1559] Allow boost.filesystem incorrect LC_CTYPE 2015-10-13 09:55:44 -07:00
Teddy Reed
689ae4c865 Minor nits around distributed CLIs 2015-10-02 11:33:50 -07:00
Teddy Reed
5890901c00 Add state, group, and nice to processes 2015-09-24 13:11:46 -07:00
Teddy Reed
97ca0e627a [#1488] Stop OS X event publishers with SIGINT 2015-09-21 22:02:27 -07:00
Teddy Reed
c51d214ddd Scheduled query success tracking 2015-09-16 23:31:07 -07:00
Mike Arpaia
dc6e395b77 Only log to warning if the config can't be read by the daemon
fix #1504
2015-09-16 10:54:38 -07:00
Teddy Reed
7852c356ec Merge pull request #1494 from theopolis/signals
[#1488] Use signal handlers for teardown and reloading
2015-09-15 16:14:40 -07:00
Teddy Reed
7c2a625ef2 Use signal handlers for teardown and reloading 2015-09-14 16:57:00 -07:00
Scott Piper
5e7d0d6a37 Added system_info table 2015-09-09 10:26:16 -07:00
Mike Arpaia
aaa03a1058 Distributed queries client-side 2015-09-08 13:33:48 -07:00
Mike Arpaia
de58353131 Config MD5 a bit more deterministic
```
$ ./build/darwin/osquery/osqueryi --config_path=/asdfasdfadfs
E0903 11:45:02.050308 1990836992 init.cpp:370] Error reading config: config file does not exist
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> .all osquery_info
           pid = 33700
       version = 1.5.2-43-gb06fa92
    config_md5 =
  config_valid = 0
   config_path = /asdfasdfadfs
    extensions = active
build_platform = darwin
  build_distro = 10.10
osquery> .exit

$ ./build/darwin/osquery/osqueryi
osquery> .mode line
osquery> .all osquery_info
           pid = 33781
       version = 1.5.2-43-gb06fa92
    config_md5 = 8a432ac93d3de080c62d77ba99b89783
  config_valid = 1
   config_path = /var/osquery/osquery.conf
    extensions = active
build_platform = darwin
  build_distro = 10.10
osquery> .exit
```
2015-09-03 22:03:40 -07:00
Teddy Reed
bb2b5f594b Static analysis cleanups, static libmagic 2015-09-02 16:55:20 -07:00
Mike Arpaia
a140333441 [fix #1390] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.

The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.

Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.

For more information, refer to #1390, the documentation and the doxygen
comments included with this pull requests, as well as the following
example config which is now supported, regardless of what config plugin
you're using:

```json
{
  "options": {
    "enable_monitor": "true"
  },
  "packs": {
    "core_os_monitoring": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "kernel_modules": {
              "query": "SELECT name, size FROM kernel_modules;",
              "interval": 600
          },
          "system_controls": {
              "query": "SELECT * FROM system_controls;",
              "interval": 600,
              "snapshot": true,
          },
          "usb_devices": {
              "query": "SELECT * FROM usb_devices;",
              "interval": 600
          }
        }
    },
    "osquery_internal_info": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "info": {
              "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
              "interval": 60,
              "snapshot": true
          },
          "registry": {
              "query": "SELECT * FROM osquery_registry;",
              "interval": 600,
              "snapshot": true
          },
          "schedule": {
              "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
              "interval": 60,
              "snapshot": true
          }
        }
    }
  }
}
```

The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about pack's
discovery query execution history.

Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as apart of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface will have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-09-02 10:56:26 -07:00
Teddy Reed
0e16f56c8d Add 'hidden' flags to customize TLS plugins 2015-08-28 12:57:53 -07:00