Commit Graph

5379 Commits

Author SHA1 Message Date
scoders-tob
4743cb9420
regex engine replacement: boost -> std (#6236)
Replace regex engine with std

Fixes issue #6061

Co-authored-by: scoders <sahil@cs.toronto.edu>
2020-02-13 11:52:37 -05:00
Alessandro Gario
498d64e9eb
http_client: Improve certificate verification (#6197) 2020-02-12 14:45:12 -08:00
Drake Aronhalt
da4bfd4762
mdls table implementation (#4825)
Created mdls table which mimics the functionality of the mdls command in macOS. Table allows osquery to retrieve key/value pairs from spotlight metadata.
2020-02-11 09:15:00 -08:00
Teddy Reed
d393d12f5c
Refactor and simplify shutdown logic (#6144)
The windows documentation mentions that ExitThread should not be
used in C++ code. When debugging these exit flows I saw exceptions
when running dtors.

When reviewing the shutdown code for Windows and POSIX there was a
lot of complexity. This change allows any part of code to request
a shutdown and simplifies the response.

We should expect the main thread to call ::waitForShutdown.
The exception is the shell, which waits in a repl.
2020-02-10 20:26:45 -05:00
Teddy Reed
9b1e2787ef
tables: Use basic TLS options within the curl table (#6044) 2020-02-10 11:48:58 -08:00
Teddy Reed
6935e91401 carver: Fix bug where carve returns empty files for hidden files (#6183)
Fix bug where carve returns empty files for hidden files

Co-Authored-By: Ryan Wilson <ryantimwilson@fb.com>
2020-02-08 11:18:28 -05:00
Zachary Wasserman
c296693bd5
Add community_id_v1 hash function to SQLite (#6211)
Implements the Community ID hash that will allow correlating network connections detected by osquery with other tools that support the standard (Zeek, Suricata, etc.).
2020-02-08 11:16:30 -05:00
Antoinette
0184ce69d4
Updated documentation for profile.py in performance-safety.md (#6232)
Updated performance-safety.md to include details about profile.py and it's output. The changes also include information about how profile.py sets the thresholds that appear in the script output.
2020-02-08 11:14:30 -05:00
Stefano Bonicatti
9a99c6b4c0
Add sccache to the Windows job (#6231)
* Add sccache to the Windows job

Also fix debug symbols on googletest,
so that it doesn't try to create a separate pdb.

* Fix uploading the submodule cache

sccache needs its cache to be uploaded as normal files,
not with a tar, otherwise the cache when extracted
will contain extraneous files and folders (PaxHeader).
The Files mode though by default ignores the .git folder,
so we have to use the .artifactignore file to unignore it,
and we have to copy in the cached path for the cache task to see it.
2020-02-06 16:07:58 +01:00
puffyCid
c722c68478
Expand SSH tables to support Windows (#6161) 2020-02-05 15:13:55 -05:00
Fritz
713c93fa29
Add Windows support to firefox_addons table (#6200) 2020-02-05 15:11:08 -05:00
scoders-tob
3f60071784
fixing extension test linking (#6219) 2020-02-05 15:10:03 -05:00
Stefano Bonicatti
9f30fd3f57
Fix heap buffer overflow in callDoubleFunc and powerFunc (#6225)
sqlite3_result_error() third parameter is the length
of the string of the second parameter, not the error code.

We set that to -1, which means that the length of the string
will be taken using strlen().

Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18694
2020-02-05 15:09:09 -05:00
scoders-tob
ccffaf7d8a
replacing boost::regex with std::regex for SQL StringExtensions (#6227) 2020-02-05 15:08:45 -05:00
Stefano Bonicatti
68ee6a2c67
Add git submodule db to the Azure Pipelines cache (#6229)
This will speed up the CMake configure phase since
it won't have to download the submodules data each time
through git, which is slower than downloading it
as an Azure Pipeline cache.
2020-02-05 19:42:37 +01:00
Stefano Bonicatti
283d0ab631
Fix boost process and asio build on Windows (#6222)
When using Boost.Process on Windows with Boost.Asio for async_pipe,
the build fails because Asio requires BOOST_ASIO_WINDOWS define
to enable access to async_pipe.

This only partially solves the issue since it's necessary that
Asio users will also include the "sdkddkver.h" header
before the "boost/asio.hpp" header to properly define
_WIN32_WINNT_WIN7, used by osquery.
2020-02-05 15:25:31 +01:00
kumarak
79f755c161
CMake: Fix the Boost.org iostreams module (#6199) 2020-02-04 21:21:02 +01:00
Stefano Bonicatti
36f9807b9c
Fix build without tests enabled (#6224) 2020-02-03 22:01:13 +01:00
Stefano Bonicatti
d0b42a98e2
Fix all TLS tests and framework (#6170) 2020-02-03 07:50:25 -08:00
Jack Casey
ccd8a6897b
Fix 404 url in osquery-sdk.md (#6220) 2020-01-31 08:56:53 -08:00
Zachary Wasserman
d7ac675d27
Update build files to include windows_optional_features table (#6207)
The table was added without the proper updates to the build files, so it is not built into the binary.
2020-01-31 09:36:39 -05:00
William Woodruff
3f70f94b0a
events/windows: Prevent overly eager old name record handling (#6208)
This fixes the verbosity observed in #5371 (review):

A quick summary: FileReferenceNumber doesn't have an operator== for integers, but C++ gets clever and implicitly provides one because of the FileReferenceNumber(DWORDLONG) constructor. This ends up providing the wrong implicit comparison behavior, resulting in the branch below always being taken (and consequently erroring, since no old name record is actually present). This fix changes the comparison to drive_letter, which will always be compared correctly and will only be 0U in the case we want to test.
2020-01-31 09:34:44 -05:00
Zachary Wasserman
0de84e0937
Fix description for prometheus_metrics table (#6217) 2020-01-30 18:11:48 -05:00
William Woodruff
3c64d802eb
services, startup_items: More intelligent expansion (#6153)
* utils/system: (Windows) Add expandEnvString

Wraps the ExpandEnvironmentStrings function.

* windows/startup_items: Expand environment variables in paths

* windows/env: Fix variable

windows/env: Fix function call

* windows/startup_items: Use assign instead of operator=

windows/startup_items: Make a copy of the path

* utils/system: Add command-line splitting function

* windows/startup_items: Refactor path parsing

windows/startup_items: Fix optional dereference

* utils/system: Fix include, parameter

* windows/env: Missing c_str()

* windows/startup_items: Remove const

windows/startup_items: Avoid splitting paths with spaces

windows/startup_items: Invert file check

Saves us an allocation in some cases.

* windows/startup_items: Add note

* windows/services: Expand env vars in module_path

* windows/env: Explicitly initialize argc

CommandLineToArgvW *should* set this in every case that matters,
but it doesn't hurt to be explicit.

* tables, utils: clang-format, CMake updates

system/env: clang-format

windows/env: Include shellapi

utils: Add Windows env tests

tests/windows: splitArgs test

tests/windows: Fix include

(buck) utils: Bring in WINDOWS constant

(build): Fix deps

(buck) utils: Use osquery_target

tests/env: Fix variable

tests/env: Don't try to compare a vector

tests/env: Use WINDIR instead of PATH

tests/env: More interesting split test

windows/env: Bugfix, use derefs

windows/env: clang-format

tests/env: Use optional::get()

tests/env: Check for optional truthyness

* utils/env: Add verbose logging to env expansion

* utils/system: Include logger instead of core

Fixup buck build.

* (build) utils/system: Specify errno dep

* (buck) utils/system: Also specify errno dep
2020-01-30 10:55:05 -08:00
Samuel Keeley
3afdb9d553
Add blacklisted column to osquery_schedule query (#6196)
As added in #4004, this column is very valuable and should be surfaced here.
2020-01-30 09:20:43 -08:00
Stefano Bonicatti
d9d0a21b6b
Add some more information about formatting (#6202) 2020-01-29 10:09:06 -08:00
Teddy Reed
fcb6e263db
fuzzing: Reduce sqlquery false positives (#6189)
This applies some query restrictions similar to the SQLite harnesses.
Examples include restricting the impact of ``randomblob(N)``.
2020-01-29 13:37:06 +01:00
Stefano Bonicatti
041d6e93be
thirdparty_boost_asio should depend on thirdparty_openssl (#6203)
Also added a way to programmatically specify a non Boost third-party dependency
to Boost header only libraries.
2020-01-29 13:35:39 +01:00
Alessandro Gario
abc6695c96
apparmor_profiles: New table that presents active AppArmor profiles (#6138) 2020-01-29 01:13:08 +01:00
Stefano Bonicatti
ab47c6db6f Fix format folder exclusion and format check self test (#6201) 2020-01-27 14:21:38 -08:00
Alessandro Gario
8d9059f914
selinux_settings: New table that presents effective SELinux settings (#6118)
* selinux_settings: New table that presents effective SELinux settings

* selinux_settings: Use the SELinux root path from the mounted fs

The code that was originally directly implemented inside the
`mounts` table has been moved outside so that it can be reused
by the selinux_settings table.

This also updates the code to use getmntent_r instead of getmntent.
2020-01-27 15:03:52 +01:00
Brad Thompson
0b2aa61a7d Create HVCI table for Windows Device Guard (#5426) 2020-01-23 20:57:03 -08:00
Teddy Reed
afaaac6d18
tests: Improve flakyness of test_processes_memory_cpu (#6182)
Co-authored-by: Marek Cirkos <marekcirkos@users.noreply.github.com>
2020-01-18 19:03:59 -05:00
Stefano Bonicatti
0d779a7160 Fix format_check.py failing on Windows with Python 3.7 (#6188)
- The output from the git subprocess has to be decoded from bytes
  to str before passing it as an argument of a new subprocess.

- Use the python interpreter of the current script to run git-clang-format.py.
2020-01-18 15:39:01 -05:00
Teddy Reed
b1a55c31ea
tests: Improve hash table integration tests (#6184)
Co-Authored-By: Ryan Wilson <ryantimwilson@fb.com>
2020-01-18 15:38:32 -05:00
Ateeq Sharfuddin
60172a3774 fix: UTF-8<->UTF-16 conversion for windows; issue #6160 (#6187) 2020-01-18 15:37:48 -05:00
calve
600f21dcfb flags: Implement enable_tables (#6150)
Adds an ``--enable_tables`` CLI flag to specify a limited set of
tables to expose. This is the contrary of ``--disable_tables``.
2020-01-17 18:59:20 -05:00
Teddy Reed
b8eacfa1f8
toolchain: Add CMake options for linking (#6112) 2020-01-16 23:09:35 -05:00
Ateeq Sharfuddin
2303e1bbd0 Fix Issue#6173: Update WmiRequest constructor to wstring from BSTR (#6175) 2020-01-16 23:05:16 -05:00
scoders-tob
b150367967 Adding process_open_pipes table (#6142) 2020-01-16 20:55:48 -05:00
Teddy Reed
fce0059c5e
config: Fix JSON format assumptions in file_paths parser (#6159) 2020-01-16 20:50:54 -05:00
Stefano Bonicatti
86cd9ec520 Fix flaky LoggerTests.test_logger_log_status (#6171)
Logging happens after getting the current time,
so the time check should be inverted.
2020-01-15 19:54:33 -05:00
João Godinho
a6ffa37c6c Add missing validation to fix last table (#6147)
* Fix: Allow `DEAD_PROCESS` in `last` table

* Test: Add test for `last` table
2020-01-15 00:50:44 +01:00
Teddy Reed
5047015535
website: Update the website specs formatting code genapi (#6124) 2020-01-12 01:44:46 -05:00
Brendan Shaklovitz
382d8dab48 Add docs to show that config_dump flag exits (#6136) 2020-01-12 01:44:02 -05:00
scoders-tob
6c9f8e30b0 adding docker image layers table (#6154) 2020-01-12 01:43:28 -05:00
Stefano Bonicatti
46430df8c5 Restore WEL logger plugin (#6164)
- Restore the ability of osquery to log to the Windows Event Log.
- Restore the information normally shown on the Details tab
of the Properties of the osquery executable.
- Add and refactor utility functions to parse and transform
  the osquery version, needed by the Windows resource files
  and packaging.
2020-01-12 01:42:44 -05:00
Stefano Bonicatti
2d3f612af0 Fix boost process basic_ipstream build (#6167)
The move assignment operator of boost::basic_ipstream is bugged.
It has been fixed on upstream in commit
ca994c1972
which is not on any stable build, so we will patch boost with that commit.
2020-01-12 01:38:54 -05:00
Stefano Bonicatti
ed03df0df8 Make Boost winapi available to all platforms (#6166) 2020-01-12 01:35:26 -05:00
William Woodruff
c18f5bc75c windows/bitlocker_info: Fetch WMI method results (#6155)
Retrieves version, in-progress encryption status, and the lock
status for each BitLocker-encrypted volume via WMI methods.
2020-01-06 18:19:26 +01:00