Commit Graph

3219 Commits

Author SHA1 Message Date
scoders-tob
4743cb9420
regex engine replacement: boost -> std (#6236)
Replace regex engine with std

Fixes issue #6061

Co-authored-by: scoders <sahil@cs.toronto.edu>
2020-02-13 11:52:37 -05:00
Alessandro Gario
498d64e9eb
http_client: Improve certificate verification (#6197) 2020-02-12 14:45:12 -08:00
Drake Aronhalt
da4bfd4762
mdls table implementation (#4825)
Created mdls table which mimics the functionality of the mdls command in macOS. Table allows osquery to retrieve key/value pairs from spotlight metadata.
2020-02-11 09:15:00 -08:00
Teddy Reed
d393d12f5c
Refactor and simplify shutdown logic (#6144)
The Windows documentation mentions that ExitThread should not be
used in C++ code. When debugging these exit flows I saw exceptions
when running dtors.

When reviewing the shutdown code for Windows and POSIX there was a
lot of complexity. This change allows any part of code to request
a shutdown and simplifies the response.

We should expect the main thread to call ::waitForShutdown.
The exception is the shell, which waits in a repl.
2020-02-10 20:26:45 -05:00
Teddy Reed
9b1e2787ef
tables: Use basic TLS options within the curl table (#6044) 2020-02-10 11:48:58 -08:00
Teddy Reed
6935e91401
carver: Fix bug where carve returns empty files for hidden files (#6183)
Fix bug where carve returns empty files for hidden files

Co-Authored-By: Ryan Wilson <ryantimwilson@fb.com>
2020-02-08 11:18:28 -05:00
Zachary Wasserman
c296693bd5
Add community_id_v1 hash function to SQLite (#6211)
Implements the Community ID hash that will allow correlating network connections detected by osquery with other tools that support the standard (Zeek, Suricata, etc.).
2020-02-08 11:16:30 -05:00
puffyCid
c722c68478
Expand SSH tables to support Windows (#6161) 2020-02-05 15:13:55 -05:00
Fritz
713c93fa29
Add Windows support to firefox_addons table (#6200) 2020-02-05 15:11:08 -05:00
scoders-tob
3f60071784
fixing extension test linking (#6219) 2020-02-05 15:10:03 -05:00
Stefano Bonicatti
9f30fd3f57
Fix heap buffer overflow in callDoubleFunc and powerFunc (#6225)
sqlite3_result_error() third parameter is the length
of the string of the second parameter, not the error code.

We set that to -1, which means that the length of the string
will be taken using strlen().

Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18694
2020-02-05 15:09:09 -05:00
scoders-tob
ccffaf7d8a
replacing boost::regex with std::regex for SQL StringExtensions (#6227) 2020-02-05 15:08:45 -05:00
Stefano Bonicatti
d0b42a98e2
Fix all TLS tests and framework (#6170) 2020-02-03 07:50:25 -08:00
Zachary Wasserman
d7ac675d27
Update build files to include windows_optional_features table (#6207)
The table was added without the proper updates to the build files, so it is not built into the binary.
2020-01-31 09:36:39 -05:00
William Woodruff
3f70f94b0a
events/windows: Prevent overly eager old name record handling (#6208)
This fixes the verbosity observed in #5371 (review):

A quick summary: FileReferenceNumber doesn't have an operator== for integers, but C++ gets clever and implicitly provides one because of the FileReferenceNumber(DWORDLONG) constructor. This ends up providing the wrong implicit comparison behavior, resulting in the branch below always being taken (and consequently erroring, since no old name record is actually present). This fix changes the comparison to drive_letter, which will always be compared correctly and will only be 0U in the case we want to test.
2020-01-31 09:34:44 -05:00
William Woodruff
3c64d802eb
services, startup_items: More intelligent expansion (#6153)
* utils/system: (Windows) Add expandEnvString

Wraps the ExpandEnvironmentStrings function.

* windows/startup_items: Expand environment variables in paths

* windows/env: Fix variable

windows/env: Fix function call

* windows/startup_items: Use assign instead of operator=

windows/startup_items: Make a copy of the path

* utils/system: Add command-line splitting function

* windows/startup_items: Refactor path parsing

windows/startup_items: Fix optional dereference

* utils/system: Fix include, parameter

* windows/env: Missing c_str()

* windows/startup_items: Remove const

windows/startup_items: Avoid splitting paths with spaces

windows/startup_items: Invert file check

Saves us an allocation in some cases.

* windows/startup_items: Add note

* windows/services: Expand env vars in module_path

* windows/env: Explicitly initialize argc

CommandLineToArgvW *should* set this in every case that matters,
but it doesn't hurt to be explicit.

* tables, utils: clang-format, CMake updates

system/env: clang-format

windows/env: Include shellapi

utils: Add Windows env tests

tests/windows: splitArgs test

tests/windows: Fix include

(buck) utils: Bring in WINDOWS constant

(build): Fix deps

(buck) utils: Use osquery_target

tests/env: Fix variable

tests/env: Don't try to compare a vector

tests/env: Use WINDIR instead of PATH

tests/env: More interesting split test

windows/env: Bugfix, use derefs

windows/env: clang-format

tests/env: Use optional::get()

tests/env: Check for optional truthyness

* utils/env: Add verbose logging to env expansion

* utils/system: Include logger instead of core

Fixup buck build.

* (build) utils/system: Specify errno dep

* (buck) utils/system: Also specify errno dep
2020-01-30 10:55:05 -08:00
Teddy Reed
fcb6e263db
fuzzing: Reduce sqlquery false positives (#6189)
This applies some query restrictions similar to the SQLite harnesses.
Examples include restricting the impact of ``randomblob(N)``.
2020-01-29 13:37:06 +01:00
Alessandro Gario
abc6695c96
apparmor_profiles: New table that presents active AppArmor profiles (#6138) 2020-01-29 01:13:08 +01:00
Alessandro Gario
8d9059f914
selinux_settings: New table that presents effective SELinux settings (#6118)
* selinux_settings: New table that presents effective SELinux settings

* selinux_settings: Use the SELinux root path from the mounted fs

The code that was originally directly implemented inside the
`mounts` table has been moved outside so that it can be reused
by the selinux_settings table.

This also updates the code to use getmntent_r instead of getmntent.
2020-01-27 15:03:52 +01:00
Brad Thompson
0b2aa61a7d
Create HVCI table for Windows Device Guard (#5426) 2020-01-23 20:57:03 -08:00
Teddy Reed
afaaac6d18
tests: Improve flakiness of test_processes_memory_cpu (#6182)
Co-authored-by: Marek Cirkos <marekcirkos@users.noreply.github.com>
2020-01-18 19:03:59 -05:00
Ateeq Sharfuddin
60172a3774
fix: UTF-8<->UTF-16 conversion for windows; issue #6160 (#6187) 2020-01-18 15:37:48 -05:00
calve
600f21dcfb
flags: Implement enable_tables (#6150)
Adds an ``--enable_tables`` CLI flag to specify a limited set of
tables to expose. This is the contrary of ``--disable_tables``.
2020-01-17 18:59:20 -05:00
Ateeq Sharfuddin
2303e1bbd0
Fix Issue#6173: Update WmiRequest constructor to wstring from BSTR (#6175) 2020-01-16 23:05:16 -05:00
scoders-tob
b150367967
Adding process_open_pipes table (#6142) 2020-01-16 20:55:48 -05:00
Teddy Reed
fce0059c5e
config: Fix JSON format assumptions in file_paths parser (#6159) 2020-01-16 20:50:54 -05:00
Stefano Bonicatti
86cd9ec520
Fix flaky LoggerTests.test_logger_log_status (#6171)
Logging happens after getting the current time,
so the time check should be inverted.
2020-01-15 19:54:33 -05:00
João Godinho
a6ffa37c6c
Add missing validation to fix last table (#6147)
* Fix: Allow `DEAD_PROCESS` in `last` table

* Test: Add test for `last` table
2020-01-15 00:50:44 +01:00
Brendan Shaklovitz
382d8dab48
Add docs to show that config_dump flag exits (#6136) 2020-01-12 01:44:02 -05:00
scoders-tob
6c9f8e30b0
adding docker image layers table (#6154) 2020-01-12 01:43:28 -05:00
Stefano Bonicatti
46430df8c5
Restore WEL logger plugin (#6164)
- Restore the ability of osquery to log to the Windows Event Log.
- Restore the information normally shown on the Details tab
of the Properties of the osquery executable.
- Add and refactor utility functions to parse and transform
  the osquery version, needed by the Windows resource files
  and packaging.
2020-01-12 01:42:44 -05:00
William Woodruff
c18f5bc75c
windows/bitlocker_info: Fetch WMI method results (#6155)
Retrieves version, in-progress encryption status, and the lock
status for each BitLocker-encrypted volume via WMI methods.
2020-01-06 18:19:26 +01:00
Teddy Reed
21fa6d927e toolchain: Add required includes for azure and ebpf
While there may be many implicit includes within the code base,
these specifically show up when trying to use different compilers.

These changes are a nice-to-have.
2020-01-03 13:21:18 +01:00
William Woodruff
e79e76eb8e (Windows) New table: ntfs_journal_events (#5371)
Co-authored-by: Garret Reece <GarretReece@users.noreply.github.com>
Co-authored-by: Alessandro Gario <5714290+alessandrogario@users.noreply.github.com>
2019-12-31 19:22:44 -05:00
mark m
826d1f3b44
core/windows/wmi: Add ability to exec methods on WMI results (#5504) 2019-12-31 19:09:47 -05:00
Rachel Cipkins
b5bddbef87
Add optional_permissions column to chrome_extensions table (#6115) 2019-12-22 22:21:55 -05:00
Teddy Reed
1d58bf8de5
bug: Fix race in Dispatcher adding and stopping (#6145) 2019-12-22 22:21:01 -05:00
Teddy Reed
6944de9529
tables: Fix ntfs_acl_permissions (#6128) 2019-12-15 13:25:53 -08:00
Stefano Bonicatti
532435d15e
Restore test_osqueryd.py test (#6116)
Co-Authored-By: SS <sahil.suneja@trailofbits.com>
2019-12-12 21:06:18 -05:00
seph
a73ffad3bf
tables: Add constraints and testing (#6105)
Co-Authored-By: Teddy Reed <teddy@casualhacking.io>
2019-12-12 20:45:15 -05:00
Rachel Cipkins
df20cb120a
Added Brave/Chromium support for chrome_extensions (#6088) 2019-12-12 20:39:31 -05:00
Alessandro Gario
ec2593e143
rpm_packages: Add the install_time column 2019-12-10 22:41:45 +01:00
Teddy Reed
2933614301
tables: Remove INDEX requirement for ADDITIONAL option (#6104)
We do not need an explicit INDEX column for ADDITIONAL to work.
If the ADDITIONAL option is set the constraint should be passed
into the virtual table context.
2019-12-10 15:43:35 -05:00
Stefano Bonicatti
515704954c
Move the test config files in their own directory
This is to have better separation between them and the python tests.
BUCK files have been updated accordingly.

Changes to the internal generateCopyFileTarget function were needed.
The function now supports a base folder to be set so that the regex or file path
is appended to that base path, without having it included in the destination.
It will also not use a library target anymore, but a custom one so
that it's possible to set properties with custom names.

Use only one copy target to copy test config files instead of having
multiple that overlap.
It may give issues when copying and tests in the end will need all of
them.
2019-12-07 20:51:09 -05:00
Garret Reece
5c3a4636ec
macOS: Add a bsd_flags column to the file table (#5981) 2019-12-03 18:40:42 -08:00
Teddy Reed
00f43e9915
config: Add more checks for pack JSON (#6071) 2019-12-03 18:22:54 -08:00
Nick Anderson
80cbefbae7
tests: adding platform conversion strings tests (#5908)
* Summary:

This adds tests for the windows and darwin conversions strings helper
classes. Darwin currently has tests, but they are not hooked up and
being run. Windows does not have tests, this adds two simple unit tests
against the logic for our string conversions.

Test Plan:
Ran the tests.
2019-12-02 14:32:05 -05:00
mark m
706874c3d3
Implement azure metadata and tags tables (#5434) 2019-11-26 21:12:27 -05:00
thehellajeff
e3b809b4de
Added return code to requestShutdown call (#6018) 2019-11-21 10:27:00 -08:00
Teddy Reed
b170a517b5
tables: Fix apt_sources and refactor tests (#6047) 2019-11-19 08:56:18 -05:00