Teddy Reed
5370fef950
Merge pull request #1678 from theopolis/audit_user_events
[#1497] Add user_events table based on audit user-type messages
2015-11-23 21:31:37 -08:00
Teddy Reed
07fd718e00
Add user_events table based on audit user-type messages
2015-11-23 18:13:31 -08:00
Teddy Reed
08c7911eb7
Merge pull request #1655 from theopolis/iokit_events
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:45:10 -08:00
Teddy Reed
6748fdb024
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:31:05 -08:00
Teddy Reed
7ca7974dfb
Merge pull request #1668 from cdown/f/freebsd_uid
freebsd process table: Fix EUID/EGID to not use saved IDs
2015-11-21 11:19:36 -08:00
Teddy Reed
283f7c6d59
Fix clang analyze failures in signature table
2015-11-21 09:56:19 -08:00
Chris Down
d4d87a69ce
freebsd process table: Fix EUID/EGID to not use saved IDs
It's not totally clear why saved IDs were used here. There is some precedent in
sigar (https://github.com/hyperic/sigar), where they also use the saved UID,
but @wxsBSD and I are not really sure why. Maybe it's because kinfo_proc feels
different than similar structs on other Unices.
Fixes #1662.
2015-11-21 02:52:06 -08:00
Teddy Reed
8425010874
Merge pull request #1664 from stripe/andrew-better-homebrew
Determine Homebrew Cellar from binary
2015-11-20 16:06:30 -08:00
Andrew Dunham
161f8b9fd0
Determine Homebrew Cellar from binary
We look at the location of the Homebrew binary `brew` on disk, and use
the real path (i.e. path with all symlinks resolved) from that binary to
determine the Cellar. This behavior mirrors that of Homebrew itself.
2015-11-20 15:15:18 -08:00
Teddy Reed
9ae53f2158
Merge pull request #1663 from cdown/f/saved_ids
Add saved UIDs and GIDs to process table
2015-11-20 14:35:20 -08:00
Teddy Reed
5cd040eb35
Merge pull request #1667 from theopolis/add_hash_check
Use a noexcept method of directory checking for hash
2015-11-20 14:24:43 -08:00
Teddy Reed
a72fa19536
Use a noexcept method of directory checking for hash
2015-11-20 13:32:56 -08:00
Teddy Reed
a673a793fe
Merge pull request #1659 from PickmanSec/knownhosts
Added known_hosts table
2015-11-20 12:46:13 -08:00
Teddy Reed
16247f10e8
Merge pull request #1624 from PickmanSec/master
added authorized_keys table
2015-11-19 09:10:59 -08:00
Chris Down
39bdec4c8d
Add saved UIDs and GIDs to process table
2015-11-18 16:44:07 -08:00
Michael George
dde59f8c18
Added known_hosts file
added known_hosts table
2015-11-17 12:38:19 -08:00
Michael George
a649bf6733
Added authorized_keys table
Fixed mislabeled variable from line parsing
Update authorized_keys.cpp
Update authorized_keys.cpp
Check if line is empty
2015-11-16 10:36:24 -08:00
Andrew Dunham
a0932105f6
Refactor how we determine the OS version in the signature table
2015-11-11 11:34:15 -08:00
Teddy Reed
aa4973a1b3
Merge pull request #1644 from stripe/andrew-add-timezone
Add timezone field to time table
2015-11-10 16:41:39 -08:00
Teddy Reed
daee71919a
Merge pull request #1642 from stripe/andrew-add-codesign
Add a `signature` table on Darwin
2015-11-10 16:23:16 -08:00
Andrew Dunham
0ae380297f
Add timezone field to time table
2015-11-10 15:17:49 -08:00
Andrew Dunham
dea93c8aa5
Add a `signature` table on Darwin
This table allows verifying the signature of files (or bundles) on
Darwin. It also provides the signing identifier that is a part of the
signature.
2015-11-10 13:21:18 -08:00
Teddy Reed
0a6d334f27
Fix missed nullptr checks in wifi
2015-11-10 01:01:12 -08:00
Teddy Reed
57e8ef2ab3
[#1546] Add computer_name to system_info and extend to Linux
2015-11-04 10:31:16 -08:00
Teddy Reed
084ccaf080
Use default blank value for startup_items Alias
2015-11-03 22:58:00 -08:00
Teddy Reed
cd4de8023f
Merge pull request #1630 from theopolis/fix_1626
[Fix #1626] Add schedule blacklist and protect DBHandle
2015-11-03 21:05:29 -08:00
Teddy Reed
edea3d6edd
[Fix #1626] Add schedule blacklist and protect DBHandle
2015-11-03 20:50:22 -08:00
Teddy Reed
5aa225d4c3
Merge pull request #1619 from sharvilshah/wifi
Implement wifi_networks tables for OS X
2015-11-02 16:11:21 -08:00
Teddy Reed
15215cdbc0
Add persistent splays
2015-11-02 14:10:04 -08:00
Teddy Reed
5233d7dcf8
Add start time to osquery_info, remove md5/path
2015-11-02 10:57:01 -08:00
Teddy Reed
75bfcddc31
Merge pull request #1622 from theopolis/faster_sockets
Faster socket_events on Linux
2015-11-02 10:56:37 -08:00
Teddy Reed
a1a9131174
Optimize socket_events and Linux users
2015-11-02 10:37:56 -08:00
Teddy Reed
50550e607a
Build and provision edits for FreeBSD CI
2015-11-02 01:47:09 -08:00
Sharvil Shah
9a6d6d1293
Implement wifi_networks tables for OS X
If the option of remembering known Wi-Fi networks is enabled on a system,
they are persisted to disk as a preferences property list file.
This table is populated by parsing that file.
2015-11-01 16:53:51 -08:00
Teddy Reed
d27a7ecc4c
Fix clang warnings, promote warnings to errors
2015-11-01 02:12:07 -08:00
Teddy Reed
97a6521445
Merge pull request #1614 from theopolis/drop_around_files
Expand the scope of permissions dropping
2015-10-30 17:07:04 -07:00
Teddy Reed
09e4e3c42e
Expand the scope of permissions dropping
2015-10-30 09:56:33 -07:00
Michael George
fb545bb85e
added sh_history
2015-10-29 10:53:04 -07:00
Teddy Reed
db58ec5e44
Only emit process events for 0-status execve
2015-10-27 17:12:23 -07:00
Teddy Reed
b81b6de6ae
This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.
A new `socket_events` table will do the same but for `bind` and `connect`. These
are less obvious and, for now, require a scan of /proc for socket tuples. In the
future this file-descriptor-to-socket-tuple mapping will be faster.
2015-10-27 15:13:02 -07:00
Teddy Reed
654830cf11
Merge pull request #1594 from rcseacord/additional-sign-fixes
eliminated some warnings from Clang 3.7 analyze mode
2015-10-23 13:03:54 -03:00
Robert C. Seacord
09481d0381
Fixed some type problems, casting away const, integer types, old style casts, etc.
2015-10-21 20:56:58 +00:00
Robert C. Seacord
1d9695ac31
eliminated some warnings from Clang 3.7 analyze mode
2015-10-21 06:02:58 +00:00
Teddy Reed
7ba87a88bb
Merge pull request #1585 from rcseacord/additional-sign-fixes
Additional sign fixes
2015-10-19 11:25:18 -07:00
Teddy Reed
8214dd1309
Merge pull request #1584 from theopolis/fix_1580
[Fix #1580] Handle exceptions in linux process_memory_map
2015-10-19 09:28:16 -07:00
Teddy Reed
f891503cd9
Merge pull request #1577 from nemith/dpkg
Support for newer versions of libdpkg
2015-10-19 09:24:37 -07:00
Teddy Reed
bc50c053fb
Remove boolean type-columns from file in favor of 'type'
2015-10-17 12:16:54 -07:00
Robert C. Seacord
e57828aac3
changes for integer sign problems
2015-10-17 00:18:35 +00:00
Teddy Reed
3cc7984cc2
[Fix #1580] Handle exceptions in linux process_memory_map
2015-10-16 16:59:23 -07:00
Robert C. Seacord
acb2f6f628
eliminating diagnostics, mostly for comparisons between signed and unsigned operations
2015-10-16 16:10:37 +00:00