Commit Graph

101 Commits

Author SHA1 Message Date
Teddy Reed
f6d077cbf7 license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-18 16:04:06 -08:00
Mitchell Grenier
a73233263b Renaming the key_events table to user_interaction_events and adding mouse down (#3951) 2017-11-21 23:43:52 -08:00
Mitchell Grenier
c3a2171ebc Tighten up the event tapping code (#3917) 2017-11-09 13:21:22 -08:00
Mitchell Grenier
beca5e68e9 Require root permissions to start the event tapping framework (#3849) 2017-11-01 07:31:50 -07:00
Mitchell Grenier
9ab7233f7e Fixes a small data race in disk arbitration (#3841) 2017-10-16 17:55:11 -07:00
Mitchell Grenier
cd88cecc9a Publisher and Table for Event Tap Capture (KeyDown) (#3829) 2017-10-16 13:07:24 -07:00
Teddy Reed
205da3c698 rocksdb: Implement a 'backup' and recover feature for RocksDB (#3635) 2017-09-01 22:31:03 -07:00
uptycs-nishant
5a92d2c7f0 Implementing exclude paths for FIM (#3530) 2017-08-19 19:59:23 -07:00
Vishwa Shah
c54c6e6c0e corrected size in block_devices on darwin, linux (#3539) 2017-08-07 19:21:18 -07:00
Mitchell Grenier
b22a403bf1 OpenBSM Events (#3503) 2017-08-07 16:02:16 -07:00
Mitchell Grenier
e577a76b9b macOS - Listeners on folders that throw mount events (#3506) 2017-08-03 18:09:04 -07:00
Mitchell Grenier
7801ac6dce Add mount to fsevents (#3480) 2017-07-20 09:44:38 -07:00
Teddy Reed
9ba0edb4bb darwin: Improve disk_events add detection (#3332) 2017-05-26 10:38:26 -07:00
Teddy Reed
f54a974ff6 events: Fix locking around FSEvents (#2966) 2017-02-03 22:57:38 -08:00
Jonathan Lee
a1de136c1a Change logging level in certain cases (#2896) 2017-01-31 08:07:42 -08:00
Teddy Reed
0e9733f94c Simplify Registry and plugin concepts (#2887) 2017-01-07 12:21:35 -08:00
Aditya Srivastava
ef4f8af3b8 Issue #2651 : Changed all NULLs to nullptrs (#2657) 2016-10-21 11:20:28 -07:00
Teddy Reed
1c4d6397fa OS X IOKit utilities refactor to allow SKIP_TABLES (#2335) 2016-08-09 20:49:56 -07:00
Teddy Reed
870c5bd9f9 Clean up verbose logging for OS X kernel extension (#2276) 2016-07-21 14:29:17 -07:00
Nick Anderson
cf30388705 Moved test_utils to its own directory out of core. Updated references (#2154) 2016-06-09 10:49:26 -07:00
Teddy Reed
866ff13fc3 Fix OS X kernel extension autoload (#2151) 2016-06-08 11:14:36 -07:00
Teddy Reed
15a998e54f Use the default shutdown flow within extensions 2016-03-20 01:45:49 -07:00
Teddy Reed
d7c2f88289 Enhance publisher resource locking on OS X 2016-03-18 16:14:15 -07:00
ilovezfs
52e7d55600 IOKitLib.h not IOKitlib.h
As with all other appearances of IOKitLib.h in the osquery sources, use
the capitalization "IOKitLib.h" not "IOKitlib.h" to avoid build failure
on case-sensitive file systems.
2016-03-15 09:43:11 -07:00
Teddy Reed
0ba2861cf9 [Fix #1920] Detach thread before joining/clearing (terminate) 2016-03-13 12:15:18 -07:00
Teddy Reed
59274e59c6 Remove boost::thread from fsevents tests 2016-03-12 00:30:05 -08:00
Teddy Reed
3de52846d0 Remove boost::thread 2016-03-11 11:50:44 -08:00
Teddy Reed
897b2225b1 Add fstests and reduce SQLite scope 2016-02-23 17:09:02 -08:00
Baraa Hamodi
21c2237eca [osquery] Update copyright headers to new format. 2016-02-11 11:48:58 -08:00
Teddy Reed
4031e299bb Cleanup/stabilize file_events-related APIs 2016-02-10 22:50:38 -08:00
Teddy Reed
db3782bc7f Do not add (self) events for FSEvents 2015-12-16 13:32:39 -08:00
Teddy Reed
31dfad2515 Fix unhelpful subscriber verbose error for process_file_events 2015-12-14 15:09:52 -08:00
Teddy Reed
9d394065e3 [#1636] Add simple sharding to packs and pack queries 2015-12-10 10:01:53 -08:00
Teddy Reed
9f79d74c60 Add canary path on empty FSEvents subscription set 2015-12-09 00:14:08 -08:00
Teddy Reed
309944c586 Configuration triggered publisher reconfiguration 2015-12-08 14:03:35 -08:00
Teddy Reed
6602a59b7d Change EventSubscriber API to include subscription references 2015-12-07 22:22:04 -08:00
Teddy Reed
b7650e5291 Remove passwd_changes and user_data from event callbacks 2015-12-07 17:47:38 -08:00
Teddy Reed
6748fdb024 Rewrite OS X hardware events to use IOKit proper 2015-11-21 19:31:05 -08:00
Teddy Reed
d27a7ecc4c Fix clang warnings, promote warnings to errors 2015-11-01 02:12:07 -08:00
Teddy Reed
b81b6de6ae This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.

A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
2015-10-27 15:13:02 -07:00
Teddy Reed
97ca0e627a [#1488] Stop OS X event publishers with SIGINT 2015-09-21 22:02:27 -07:00
Teddy Reed
333f2ce8c8 [#1506] Silent kext loading messages from syslog 2015-09-16 13:13:56 -07:00
Teddy Reed
b57040db60 Add osquery_events table to track pubsub stats 2015-09-03 15:10:53 -07:00
Teddy Reed
2813d3ab87 Add a Linux audit event publisher 2015-09-03 08:45:02 -07:00
Javier Marcos
74be3d1da0 Removing dots at the end of log entries 2015-08-28 16:50:44 -07:00
Michael O'Farrell
eaf7de08df Added loading of kernel. 2015-07-30 14:36:46 -07:00
Teddy Reed
7c330f0bf8 [Fix #1369] Limit IOKit HID events 2015-07-23 11:52:23 -07:00
Teddy Reed
8eaf389010 Optimize event publisher database namespace lookups.
Previously, event publishers used a canonicalized 'type' name for async callbacks.
This type was used to lookup the publisher plugin in the registry as well as for backing store namespacing.
The type is still used but subscribers, which made heavy use of the lookup, store the value locally.
This prevents unneeded publisher plugin allocation when adding events.
2015-07-19 17:10:42 -07:00
Teddy Reed
ab56011881 Apply FIM pattern matching to inotify 2015-07-07 18:18:45 -07:00
Teddy Reed
f48619ed28 [#1285, #1276] Faster, optimized subscriber results 2015-07-07 00:59:28 -07:00