valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 18:33:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,030 Commits 2 Branches 109 Tags 25 MiB
58ec6415d3
Commit Graph

634 Commits

Author SHA1 Message Date
Teddy Reed
b7549e09ca SMBIOS parsing on Linux using mem 2015-01-20 15:10:19 -08:00
Teddy Reed
b7852650c2 SMBIOS structure tables for OSX 2015-01-20 15:06:34 -08:00
Teddy Reed
7b0f7f3c49 Rename ACPI length to size 2015-01-20 15:06:34 -08:00
Teddy Reed
64d82388e4 Update the md5 hashing callsites 2015-01-20 14:52:07 -08:00
Teddy Reed
11237d2397 Merge pull request #644 from theopolis/md5_macros 
Use API macro for hash algorithms
 2015-01-20 14:33:55 -08:00
Teddy Reed
a2d9236478 Use API macro for hash algorithms 2015-01-20 14:24:49 -08:00
Mike Arpaia
4937e5cd2e Merge pull request #641 from theopolis/iokit_registry 
Separate IOKit devicetree from registry
 2015-01-20 13:31:24 -08:00
Zachary Wasserman
ee798cdde7 Use sizeof with memcpy and memset 
I'd like to make sure we use expressions of sizeof to relate buffer
sizes to memcpy and memset. This should make modifying the code less
error prone.

Conflicts:
	osquery/tables/system/darwin/nvram.cpp
 2015-01-20 12:36:36 -08:00
Mitchell Grenier
053fcc28ef More minor changes to address marpias requests 2015-01-20 12:13:10 -08:00
Mitchell Grenier
b8b1837bd6 Replaced loop with auto iterator, eliminating need to dereference 2015-01-20 12:13:10 -08:00
Mitchell Grenier
d2fe1826ae Minor code change and clang-format 2015-01-20 12:13:10 -08:00
Mitchell Grenier
34e6bd45c3 Addressed @marpia s changes 2015-01-20 12:13:10 -08:00
Mitchell Grenier
b9c477080f NFS Table for darwin systems. 
Currently table readonly field is a string, this may change in the future to an
integer to stay consistent with other parts of osquery.
 2015-01-20 12:13:09 -08:00
Teddy Reed
416198732a Merge pull request #631 from jedi22/sha-hashs 
Added SHA1 and SHA256 in Hash Table
 2015-01-20 11:24:43 -08:00
Teddy Reed
716aa41c15 Separate IOKit devicetree from registry 2015-01-20 11:15:20 -08:00
Teddy Reed
5f8eccb3f3 Remove gotos from linux routes 2015-01-19 18:06:34 -08:00
Teddy Reed
8475522e76 Remove goto/sprintf from NVRAM parsing 2015-01-19 17:10:40 -08:00
Teddy Reed
066b7d78d9 Add basic acpi_tables hashing to Linux 2015-01-17 23:02:14 -08:00
Teddy Reed
09ce5099b2 Merge pull request #632 from theopolis/osx_boot_info 
OSX IOKit registry and ACPI table data
 2015-01-17 17:56:51 -08:00
Teddy Reed
1df958c583 ACPI tables for OSX 2015-01-15 21:37:02 -08:00
Mitchell Grenier
e6e722dd17 Modifed config.cpp to not use the old MD5 implementation 2015-01-15 17:40:42 -08:00
Mitchell Grenier
570c6a32f3 Moved hashing functions into core. #include<osquery/hash.h> 2015-01-15 17:16:05 -08:00
Mitchell Grenier
c13a0e79a5 Most hashing stuff working though rerun bug is still plaguing the queries 2015-01-15 15:06:30 -08:00
Teddy Reed
803204a9dd iokit_registry table 2015-01-15 12:53:46 -08:00
mike@arpaia.co
aef517a29e Fix for #628 2015-01-15 12:11:25 -08:00
Teddy Reed
4db7c90758 Merge pull request #608 from theopolis/linux_ports 
Moved socket_inode on Linux to process_open_files
 2015-01-13 14:54:35 -08:00
Teddy Reed
a709a34220 Merge pull request #605 from theopolis/fix_599 
[Fix #599] Rename kextstat->kernel_extensions
 2015-01-13 14:53:32 -08:00
Teddy Reed
ac0f2f96e4 Split OSX process_open_files into files/sockets 2015-01-13 11:05:54 -08:00
Teddy Reed
f0eec6fbe3 Adding listening_ports to Linux 2015-01-13 09:51:40 -08:00
Teddy Reed
bb6f313c6c Moved socket_inode on Linux to process_open_files 2015-01-13 08:26:47 -08:00
Teddy Reed
6deeba39c9 Merged Linux/OSX interfaces implementation 2015-01-11 01:39:16 -07:00
Teddy Reed
6dfc5d88f4 Added interfaces to Linux 2015-01-11 00:42:23 -07:00
Teddy Reed
a2cc1c85ea [Fix #599] Rename kextstat->kernel_extensions 2015-01-11 00:38:03 -07:00
Teddy Reed
45ee10f162 More complete make package 2015-01-07 16:07:19 -08:00
Teddy Reed
2ad15763e2 Provide example config, improve pid check 2015-01-07 15:22:50 -08:00
Teddy Reed
dbb7050376 Merge pull request #575 from theopolis/fix_574 
[Fix #574] Undef DEBUG for apt-pkg for make debug
 2015-01-06 07:29:02 -08:00
Teddy Reed
27541d4260 [Fix #574] Undef DEBUG for apt-pkg for make debug 2015-01-06 06:53:42 -08:00
Teddy Reed
f865647d0c [Fix #545] Simpler socket_info parsing in process_open_files 2015-01-06 06:23:48 -08:00
Norm MacLennan
7a6eb8255a renaming apt sources gen function 2015-01-05 18:02:55 -05:00
Norm MacLennan
38447838db merging upstream cmake changes 2015-01-05 17:43:07 -05:00
Teddy Reed
d2cea32644 Use CMake find_library for dependencies 2015-01-05 08:32:05 -08:00
Norm MacLennan
a6b769b6f4 a table to show apt package sources 2015-01-04 19:44:45 -05:00
Norm MacLennan
cf08d605f0 code review changes and adding revision field 2015-01-02 13:30:04 -05:00
Norm MacLennan
18f40b0952 fixing compatibility issues with 1204 dpkg version 2015-01-01 18:58:00 -05:00
Norm MacLennan
dd4a9d9d74 merging cmake changes for distro-specific tables 2014-12-31 13:06:54 -05:00
Teddy Reed
ed00c95dca Support centos/ubuntu-specific tables 2014-12-31 09:38:18 -08:00
Teddy Reed
914ae37a72 Move CMakeLibs and valgrind supp file 2014-12-31 08:32:23 -08:00
Norm MacLennan
beff9471f8 resolve merge conflict with upstream 2014-12-30 18:21:00 -05:00
Norm MacLennan
0191f1de29 resurrect the deb_packages table 2014-12-30 17:24:49 -05:00
Sean Williams
c54a568af3 Merge pull request #528 from facebook/linux-camb 
Initial linux kernel instrumentation bits
 2014-12-29 14:20:54 -08:00
Teddy Reed
8c6e45e9b5 Fix ca_certs memory leak 2014-12-25 12:49:45 -08:00
Teddy Reed
94811f3ee8 Removed 'core' tables as a build dependency 2014-12-25 12:46:59 -08:00
Teddy Reed
e4b60e883a Variable amalgamation output filename 2014-12-23 21:53:59 -07:00
Theodore M. Reed
b2be1fa383 Whole link tests and refactor flags_test 2014-12-23 20:38:16 -08:00
Teddy Reed
b2dca55539 Build leaner libosquery, allow control over spec/impl 2014-12-23 20:07:12 -08:00
Theodore M. Reed
01005c72b3 Moved crontab out of utility 2014-12-23 14:39:59 -08:00
Theodore M. Reed
53d683a3b3 Remove tables dependency from CMake build 2014-12-23 14:37:07 -08:00
Theodore M. Reed
7b0640e4eb Move table link dependencies into tables CMakeLists 2014-12-23 14:37:00 -08:00
Teddy Reed
ff7ca1e800 Merge pull request #557 from theopolis/xprotect_results 
OSX results of XProtect hits
 2014-12-18 13:04:08 -08:00
mike@arpaia.co
b9f732c31f Updating the license comment to be the correct open source header 
As per t5494224, all of the license headers in osquery needed to be updated
to reflect the correct open source header style.
 2014-12-18 10:52:55 -08:00
Teddy Reed
6a6851c4bc Merge pull request #544 from theopolis/events_2.0 
Events 2.0
 2014-12-17 20:17:02 -08:00
Teddy Reed
888f74de36 OSX results of XProtect hits 2014-12-17 18:35:01 -08:00
Teddy Reed
4453806dce Remove raw pattern from XProtect 2014-12-17 14:46:53 -08:00
Teddy Reed
7602d17de9 Move base64Decode from ca_certs testing to conversions 2014-12-17 14:03:52 -08:00
Teddy Reed
fefe6de824 OSX XProtect siganture DB as virtual table 2014-12-16 21:35:26 -08:00
Teddy Reed
8c38492b2a Add XProtect vtable to OSX 2014-12-16 17:59:07 -08:00
Teddy Reed
d5c5253bbc Add osquery_flags vtable 2014-12-16 02:07:50 -08:00
Teddy Reed
b5535256e6 [Fix #546] Rename md5 to config_md5 and add config_path to osquery_info 2014-12-16 01:52:02 -08:00
Teddy Reed
4425bed23e Merge pull request #504 from Anubisss/master 
Adding a table which maps services from /etc/services.
 2014-12-16 01:23:05 -08:00
Teddy Reed
6de14466db Events 2.0 using pbr 2014-12-15 11:55:05 -08:00
Teddy Reed
fcdf49d17f WIP migrating Linux Events 2014-12-15 00:43:28 -08:00
Teddy Reed
17efa0b3d6 Migrate subscribers on OSX 2014-12-15 00:25:28 -08:00
Teddy Reed
c1e37b73fb Non-static event type and name IDs 2014-12-14 18:03:41 -08:00
anuka
fa95ff09d8 Some fix for etc_services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-12-14 22:14:00 +01:00
anuka
375c837b74 Merge remote-tracking branch 'upstream/master' 2014-12-13 15:27:09 +01:00
Teddy Reed
00c88a19bc Add timeout to netlink socket read 2014-12-12 17:50:47 -08:00
Teddy Reed
acccfa94e2 IOKit HID events and OSX hardware_events table 2014-12-11 18:06:08 -08:00
Teddy Reed
7b56fa605d PCI/USB parity 2014-12-10 19:51:18 -08:00
Teddy Reed
a75fa3bf11 Merge pull request #538 from theopolis/improve_usb 
Improve usb_devices on OSX
 2014-12-10 19:51:08 -08:00
mike@arpaia.co
8f8bc6b772 osquery_info table 2014-12-10 18:38:41 -08:00
Teddy Reed
b08ad3cb14 Check USB property for CFString type 2014-12-10 09:12:12 -08:00
Teddy Reed
f29e0c17ca Update ca_certs_tests to use moved OSX conversions 2014-12-10 01:59:13 -08:00
Teddy Reed
4644c5e19b Simple usb_devices updates 2014-12-10 01:52:02 -08:00
Teddy Reed
7ba4fb31dd Merge pull request #536 from theopolis/suid_fix 
Suid fix
 2014-12-10 01:19:48 -08:00
Teddy Reed
0b5083bd0e Improve usb_devices on OSX 2014-12-10 01:17:24 -08:00
Teddy Reed
ab8df11818 Add filesystem_error catching and remove suid_bin from BL 2014-12-09 20:13:39 -08:00
Teddy Reed
9a9de67b93 Restrict suid_bin to common search paths 2014-12-09 16:38:14 -08:00
Teddy Reed
192224977d Add small delay if NL read = 0 2014-12-09 16:02:25 -08:00
Teddy Reed
22c9664ae1 [Fix #530] Continue to read from NL socket 2014-12-09 15:49:40 -08:00
Sean Williams
341fbc3b53 -Conform to new table function signature 
-Add proper include and fix brackets on macro
-Let osquery core do the integer cast for syscall_addr_modified
-Fix misc cruft
 2014-12-09 01:47:51 +00:00
Sean Williams
48bf3192e1 kernel_integrity vtable to use camb 2014-12-08 23:58:33 +00:00
Teddy Reed
2ebbbf6f98 Linux udev events 2014-12-08 14:13:47 -08:00
Teddy Reed
b890670be1 Replace linux cmdline tokens with spaces 2014-12-07 00:35:24 -07:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274 Merge pull request #515 from theopolis/faster_generator 
Towards simple table generation
 2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f Merge pull request #510 from wxsBSD/issue_475 
Implement signed columns for users and groups.
 2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325 Use a single class for Table plugins 2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4 Amalgamate generated tables 2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405 Organize /tools 2014-12-02 21:16:24 -08:00
Teddy Reed
f4337243ec Towards simple table generation 2014-12-02 20:36:46 -08:00
Teddy Reed
d885bf420d Port manual/filesystem to file using constraints 2014-12-02 12:37:26 -08:00
Wesley Shields
2504c06feb Implement signed columns for users and groups. 
Fixes #475.
 2014-12-01 11:52:13 -05:00
Teddy Reed
3ec6b473dd [Fix #498] Remove default catch in quaratine 2014-11-30 22:01:31 -07:00
Teddy Reed
13c8277bb4 Add query constraints to logged_in_users 2014-11-29 22:40:11 -08:00
Teddy Reed
e33443d354 clang-format on feature-predicate updates 2014-11-29 22:36:07 -08:00
Teddy Reed
76780aa6f0 Improve OSX apps table 2014-11-29 22:36:07 -08:00
Teddy Reed
b1cf8f1e61 Improve and use constraints for various OSX tables 2014-11-29 22:36:07 -08:00
Teddy Reed
3fa2442e25 Rename/improve bash_history to shell_history 2014-11-29 22:36:07 -08:00
Teddy Reed
56014b9c31 Moving tables definitions into core/tables.cpp 2014-11-29 22:36:06 -08:00
Teddy Reed
b18068f114 Improve kextstat/startup_items code and perf 2014-11-29 22:36:06 -08:00
Theodore M. Reed
8ab1863790 Predicate constraints for FreeBSD 2014-11-29 22:36:06 -08:00
Teddy Reed
59367b41af Predicate constraints for Linux 2014-11-29 22:36:06 -08:00
Teddy Reed
b4be08a702 Updating table generators to use QueryContext 2014-11-29 22:36:05 -08:00
Teddy Reed
cd8413d483 Organizing affinity types into tables. 2014-11-29 22:36:05 -08:00
Teddy Reed
2b1cd4eee3 Towards predicate constraint checking 2014-11-29 22:36:05 -08:00
Teddy Reed
750cc807cf Merge pull request #493 from wxsBSD/issue_9 
Implement logged_in_users.
 2014-11-29 22:22:10 -08:00
anuka
0a280f6546 Adding a table which maps services from /etc/services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-11-29 17:06:34 +01:00
mike@arpaia.co
fdcea6daa7 manual fix to spacing issue 2014-11-25 09:08:00 -08:00
mike@arpaia.co
8f50cae3aa clang-format on the codebase 
Periodic clang-format run.
 2014-11-25 09:05:16 -08:00
Wesley Shields
7abc9f75f2 Implement logged_in_users. 
Fixes #9.
 2014-11-22 23:49:37 -05:00
Teddy Reed
4de3c8a0cf Fix memory leaks in USB Devices for OSX 2014-11-22 18:04:47 -08:00
Nick
acad6d8e8d Added USB device support for Mac (Linux coming next) 2014-11-22 17:42:56 -08:00
Wesley Shields
059403eac4 Merge branch 'master' into macros 
Conflicts:
	osquery/tables/system/darwin/processes.cpp
 2014-11-22 15:12:21 -05:00
Teddy Reed
1caba72c30 Remove 'host' from OS X route types #483 2014-11-21 10:59:25 -08:00
Teddy Reed
44181b7aeb Add basic support for unsigned long long int 2014-11-21 10:32:56 -08:00
Teddy Reed
1961921d95 Pull process_open_files out of processes.cpp and reduce logging 2014-11-20 17:19:04 -08:00
Teddy Reed
a84c20a468 Merge pull request #472 from theopolis/cleanup-inode-tables 
Cleanup inode table implementations and unblacklist.
 2014-11-19 17:04:23 -08:00
Teddy Reed
b2debf509a Cleanup inode table implementations and unblacklist 2014-11-19 16:56:48 -08:00
Teddy Reed
9a6a69a224 Merge pull request #469 from theopolis/logging-nits 
Move expected errors to info log
 2014-11-19 14:54:32 -08:00
Mike Arpaia
ac70916719 Merge pull request #434 from lwhsu/freebsd-build 
FreeBSD support of build infrastructure
 2014-11-19 09:23:17 -08:00
Teddy Reed
bc9a5ed3b4 Move expected errors to info log 2014-11-19 09:03:58 -08:00
mike@arpaia.co
ee15228819 fixing naming of columns in tests 2014-11-18 17:43:16 -08:00
Wesley Shields
9cf662cca0 More explicit usage of macros. 2014-11-18 19:40:14 -05:00
Wesley Shields
550bf15c74 First pass at macro usage in tables. 2014-11-18 19:25:34 -05:00
Li-Wen Hsu
4f8006ad02 Add dummy table implementations for FreeBSD 2014-11-19 05:07:59 +08:00
Mike Arpaia
3c243e02f2 Merge pull request #463 from facebook/mounts-unified 
Unified mounts spec
 2014-11-18 11:32:17 -08:00
Teddy Reed
12a5daa225 Change user_name, group_name to username, groupname 2014-11-18 10:48:47 -08:00
mike@arpaia.co
ecb8e474a4 Unified mounts spec 2014-11-18 10:46:48 -08:00
Li-Wen Hsu
6c55b51c53 Merge branch 'master' into freebsd-build 
Conflicts:
	osquery/core/system.cpp
	tools/provision.sh
 2014-11-19 01:50:38 +08:00
Teddy Reed
7287ad5e63 Fix process free regression for libprocps 2014-11-17 16:52:20 -08:00
Mike Goffin
57faad63fa Merge branch 'master' into mounts_table 2014-11-17 15:03:50 -05:00
Mike Goffin
2ce6882317 Format fixes. 
- ran clang-format.
- lowercased column names for table.
- removed include for boost as it's no longer being used.
 2014-11-17 15:02:33 -05:00
Teddy Reed
1116d6a928 Merge pull request #438 from theopolis/feature-arp-table 
arp_cache vtable for OSX and Linux
 2014-11-17 11:36:46 -08:00
Mike Goffin
0b4e382e96 Merge branch 'master' into mounts_table 2014-11-17 13:46:59 -05:00
Mike Goffin
6cddf4ad39 Mounts table for Darwin. 
Associated with #255, this adds Mounts table support for Darwin.
 2014-11-17 13:43:59 -05:00
Wesley Shields
c764226b77 Use INTEGER macro. 
This makes the code match the example at:

https://github.com/facebook/osquery/wiki/creating-a-new-table
 2014-11-17 13:30:46 -05:00
Teddy
968f8027e6 Cleaner arp_table->arp_cache on Linux/OSX 2014-11-17 02:37:15 -08:00
Teddy Reed
ee015343f9 Simplify arp, move to arp_table 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
65c4ed4a7d Fix boost split on linux to remove sscanf 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
2b32673445 Some fixes: 
- clang-format on code
- NULL -> nullptr
- some (char *) changed in std::string favour
- Removed a memory leak.
- Moved struct inside the table namespace
 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
778951d6a4 Remove osx dependency on system() call to get arp information 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
c7fc2cee22 rename vtable field arp->mac 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
4f524abbea arp vtable different implementation in osx and linux 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
413d6f068b Change fgetln (osx specific) in favour of getline (both osx and linux) 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
1843d80660 arp vtable with ip, arp and interface where it was seen 2014-11-16 19:49:40 -08:00
mike@arpaia.co
bfceaf8453 blacklisting port_inode and socket_inode 
port_inode and socket_inode have caused a few issues lately and, as of
right now, they both have open issues against them. For the time being,
I'm going to blacklist them. When the tables are production-ready, we
can re-add them back in to the base linux build.
 2014-11-16 09:42:57 -08:00
Li-Wen Hsu
ea7b617a7c No utmpxname() under FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
a102a3273e Include proper headers for FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
e49537c8fa Add libraries and settings for FreeBSD 2014-11-16 01:41:50 +08:00
Teddy Reed
a1898ef03b Check tables row vector size before access 2014-11-14 15:18:25 -08:00
Teddy Reed
02841f5e7f Add kernel userland-API inet_diag header 2014-11-14 01:42:34 -08:00
Teddy Reed
565bce3c07 Fix unwind exception catching 2014-11-14 01:42:00 -08:00
Vincent Mauge
632151d56a Set ouput_bit to 0 instead of cast error 2014-11-12 22:02:04 -08:00
Teddy Reed
0d8b9d3eaa Use SQLite types 2014-11-12 11:07:24 -08:00
Teddy Reed
525a3b79a0 Tons of new build features 
* The OS/DISTRO are available as defines when writing tables:
  UBUNTU, UBUNTU_14_04, UBUNTU_12_04
  CENTOS, CENTOS_6_6
  DARWIN, DARWIN_10_10, DARWIN_10_9
* The table generation tooling now grabs virtual tables templates
  from ./osquery/tables/templates/<name>.cpp.in.
* The table generation tooling will detect reserved column names.
* suid_bin uses the new UBUNTU to restrict calls to root (fix #362).
 2014-11-12 00:57:47 -08:00
Teddy Reed
8e408f987e Table spec documentation examples 2014-11-11 11:26:11 -08:00
Teddy Reed
050e942d11 Support USE_BLACKLIST=1 to remove tables from release 2014-11-10 13:30:38 -08:00
Abe Stanway
811d98c595 free(linkname) and no more 'self' 2014-11-10 15:02:31 -05:00
Abe Stanway
30149a70f9 Updated 2014-11-10 15:02:31 -05:00
Abe Stanway
322fde0121 Socket_inode and port_inode tables to map PIDs->ports via netlink inet_diag 
Example query:
```
SELECT port.local_port,
       port.remote_port,
       port.local_ip,
       port.remote_ip,
       socket.pid,
       process.name,
       process.cmdline
       process.path
       FROM socket_inode AS socket
       JOIN port_inode AS port
       ON socket.inode = port.inode
       INNER JOIN processes AS process
       ON socket.pid = process.pid;
```
 2014-11-10 15:02:31 -05:00
Teddy Reed
86d2ac208b Use leaks for OSX memory leak profiling 2014-11-10 11:34:17 -08:00
Mike Arpaia
3245e5a6cd Merge pull request #394 from wizzat/process_args 
Add cmdline to darwin
 2014-11-10 13:20:47 -05:00
Teddy Reed
19aa99583e Linux processes vtable use freeproc 2014-11-10 10:12:47 -08:00
Mark Roberts
dc1684fca7 Add cmdline to darwin 2014-11-10 09:36:17 -08:00
Teddy Reed
b0ff403d3d Fixing librpm API usage leaks 2014-11-10 01:48:07 -08:00
Teddy Reed
b77406b122 [Fix #367] Check RPMTAG class before cast 2014-11-09 02:07:49 -08:00
Teddy Reed
078d4cf7d2 Refector shell flags/versioning 2014-11-08 20:27:28 -08:00
Veres Lajos
afc82c722f typo fixes - https://github.com/vlajos/misspell_fixer 2014-11-07 22:18:02 +00:00
Alexander Polyakov
00dbf282a6 / is not always readable 2014-11-07 01:00:58 +03:00
Alexander Polyakov
c0d827f534 Add euid / egid to process table 
(not tested on darwin)
 2014-11-06 01:35:52 +03:00
mike@arpaia.co
05cfff81c8 clang-format 2014-11-04 11:42:30 -08:00
mike@arpaia.co
896a4f2957 generic users function and some general cleanups 2014-11-04 11:40:54 -08:00
Zachary Wasserman
0b30b9f692 Add basic Mac startup items vtable 2014-11-04 11:40:54 -08:00
Alexander Polyakov
a60230af5e linux/processes: fix infinite loop, throw away workaround 2014-11-04 15:31:35 +03:00
Teddy Reed
03034780f1 Add note about blocking process_env as non-su 2014-11-03 23:46:47 -08:00
Teddy Reed
ea3880eefb Merge pull request #354 from wizzat/graceful_envs 
Graceful envs
 2014-11-03 23:43:04 -08:00
Mike Arpaia
37734bc5a4 Merge pull request #351 from LTD-Beget/blockdev_table 
Blockdev table for linux
 2014-11-03 22:29:35 -08:00
Mark Roberts
5780fffa22 Potential Linux fix, pending boost::filesystem::path fix on master. Issue #323 2014-11-03 20:39:51 -08:00
Alexander Polyakov
cbc2139047 block_devices: trim spaces around model and vendor 2014-11-04 05:00:24 +03:00
Teddy Reed
dc77df602e [format] Cleanup various PRs not run through clang-format 2014-11-03 17:57:01 -08:00
Mark Roberts
176af65fb5 Remove logging of permissions error when running as non-root user on OSX 
Issue #323
 2014-11-03 17:29:22 -08:00
Mike Arpaia
01944a3bb7 Merge pull request #352 from LTD-Beget/pci_devices_crash 
pci_devices: udev_device_get_property_values() can return NULL
 2014-11-03 15:17:03 -08:00
Alexander Polyakov
95aeaba024 pci_devices: unref things after use 2014-11-04 01:48:42 +03:00
Alexander Polyakov
1ce1424d01 Add braces 2014-11-04 01:21:02 +03:00
Alexander Polyakov
e3364ac34c Add braces 2014-11-04 01:13:49 +03:00
Mike Arpaia
a9e636af9f Merge pull request #349 from facebook/329 
Ensuring that listening_ports results are unique
 2014-11-03 14:08:04 -08:00
Alexander Polyakov
f96180e926 pci_devices: udev_device_get_property_values() can return NULL 2014-11-03 23:56:59 +03:00
Alexander Polakov
274e037527 Blockdev table for linux 2014-11-03 23:39:14 +03:00
mike@arpaia.co
75ded8b881 Ensuring that listening_ports results are unique 2014-11-03 12:03:57 -08:00
Akshay Dixit
c99c08c607 changed comments to // from /* , char* to std::string consts, and ran clang-format on the file 2014-11-02 21:09:04 -07:00
Akshay Dixit
cb1bf1c305 cleaned up pci_devices.cpp 2014-11-02 21:09:04 -07:00
Akshay Dixit
6c418507e6 renamed lspci to pci_devices and specified it linux only 2014-11-02 21:09:04 -07:00
Akshay Dixit
afd9d5e160 changed lspci to be a linux only virtual table, and added udev dependency to provisions.sh 2014-11-02 21:07:35 -07:00
Akshay Dixit
7896e7f78e added lspci virtual table and libudev dependencies 2014-11-02 21:03:43 -07:00
Teddy Reed
37b8336a1f Silence parentheses warnings in linux/mounts 2014-11-02 01:42:04 -08:00
Alexander Polyakov apolyakov@beget.ru
fd5ed3bc19 Rename dir to path 2014-11-02 01:09:24 +03:00
Alexander Polyakov apolyakov@beget.ru
fa81e54e27 Fix indentation, no functional change 2014-11-02 00:36:56 +03:00
Alexander Polyakov
58716d6cfa Mounts table for linux 2014-11-01 16:12:56 +03:00
Teddy Reed
eb240ac527 RPM table and more robust Linux building 2014-10-31 21:59:10 -07:00
castrapel
2557bac3d4 RPM Package listing is now working 2014-10-31 16:52:58 -07:00
castrapel
a51f97871f Adding RPM functionality for CentOS packages (Not working in EL6 due to older rpm-devel) 2014-10-31 16:52:58 -07:00
Teddy Reed
fd8f5782ab Merge pull request #308 from facebook/lsof 
Darwin lsof
 2014-10-31 16:32:30 -07:00
Mark Roberts
675dc308b9 Fix possible errors with getProcPath and getProcName 2014-10-31 16:07:09 -07:00
Pablo S. Torralba
42c73897bf Some minor stetic changes to keep the code clean 2014-10-31 14:27:15 -07:00
Mark Roberts
534999b396 Whitespace 2014-10-31 13:49:25 -07:00
Pablo S. Torralba
366274504b Feedback fixes to clean the code a bit 2014-10-31 13:44:00 -07:00
Mark Roberts
f38bcd390e Add file_type to process_open_files 2014-10-31 11:13:35 -07:00
Pablo S. Torralba
a6e04efdd7 Add quarantine vtable for OSX 
The tables reports:
- path: The file in quarantine
- creator: The application that created the file

Example:
osquery> select * from quarantine limit 10;

+----------------------------------------------------------------------------+---------------+
| path                                                                       | creator       |
+----------------------------------------------------------------------------+---------------+
| /Applications/Adium.app                                                    | Google Chrome |
| /Applications/Adium.app/Contents                                           | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature                            | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature/CodeResources              | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks                                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium          | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers        | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources      | Google Chrome |
+----------------------------------------------------------------------------+---------------+

Fixes issue #231
 2014-10-31 06:10:51 -07:00
Mark Roberts
3cf5aa4bae Add lsof for #28 functionality to Darwin, refactor to use shared infra for process_envs 2014-10-31 03:28:14 -07:00
yetanotherhacker
8cee7e0b3c Spelling fixes in comments and output. 2014-10-30 04:27:00 -04:00
Teddy Reed
4ed61ff868 Merge pull request #288 from vmauge/NewLongType 
Add new long type and migrate some vtables
 2014-10-29 23:12:52 -07:00
Vincent Mauge
07bd114107 Change users table to used new long long int type for uid and gid 
It is now possible to do a proper order on uid or gid, ie:
SELECT * FROM users ORDER BY uid;
 2014-10-29 18:57:12 -07:00
Vincent Mauge
755d8c198e Change groups table to used new long long int type for gid 
It is now possible to do a proper order on gid, ie:
SELECT * FROM groups ORDER BY gid;
 2014-10-29 18:57:00 -07:00
Mike Arpaia
0f037d4082 Merge pull request #283 from facebook/fix_sockaddr_inc 
Fix #277, add socket.h to interfaces on darwin
 2014-10-29 17:41:36 -07:00
Teddy Reed
cd74544208 Fix #277, add socket.h to interfaces on darwin 2014-10-29 16:44:17 -07:00
Mark Roberts
0867c2b547 Add process_envs table for OSX and Linux for issue #99 2014-10-29 03:45:26 -07:00
Teddy Reed
39f866387f [vtables] CPUID asm call feature information 2014-10-29 03:09:34 -07:00
Teddy Reed
1f1b38976a Merge pull request #261 from facebook/crontab 
[vtables] Crontab parsing for system/users
 2014-10-29 02:52:11 -07:00
Teddy Reed
6db0c67555 Merge pull request #269 from vmauge/suidbin 
Add suid_bin vtable
 2014-10-29 02:30:29 -07:00
Teddy Reed
8a9374d6e3 [vtables] Support linux crontab vars 2014-10-29 02:24:00 -07:00
Teddy Reed
94c64d80ce Merge pull request #267 from facebook/kernel_modules 
[vtables] Linux kernel modules from procfs
 2014-10-29 02:03:46 -07:00
Vincent Mauge
471d5faaa0 Add suid_bin vtable 
The vtabel report :
- path: full path of the file
- unix_user: name of the owner (if not available display the uid)
- unix_group: name of the groupe (if not available display the gid)
- permissions: report suid or guid
	* S for suid bin
	* G for guid bin

Example :
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path                                                                                               | unix_user | unix_group    | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps"                                                                                          | root      | wheel         | S           |
| "/bin/rcp"                                                                                         | root      | wheel         | S           |
| "/Users/vmauge/suid_test"                                                                          | vmauge    | 999           | SG          |
| "/usr/bin/at"                                                                                      | root      | wheel         | S           |
| "/usr/bin/atq"                                                                                     | root      | wheel         | S           |
| "/usr/bin/atrm"                                                                                    | root      | wheel         | S           |
| "/usr/bin/batch"                                                                                   | root      | wheel         | S           |
| "/usr/bin/crontab"                                                                                 | root      | wheel         | S           |
| "/usr/bin/ipcs"                                                                                    | root      | wheel         | S           |
| "/usr/bin/lockfile"                                                                                | root      | mail          | G           |
| "/usr/bin/login"                                                                                   | root      | wheel         | S           |
| "/usr/bin/newgrp"                                                                                  | root      | wheel         | S           |
| "/usr/bin/procmail"                                                                                | root      | mail          | G           |
| "/usr/bin/quota"                                                                                   | root      | wheel         | S           |
| "/usr/bin/rlogin"                                                                                  | root      | wheel         | S           |
| "/usr/bin/rsh"                                                                                     | root      | wheel         | S           |
| "/usr/bin/su"                                                                                      | root      | wheel         | S           |
| "/usr/bin/sudo"                                                                                    | root      | wheel         | S           |
| "/usr/bin/top"                                                                                     | root      | wheel         | S           |
| "/usr/bin/wall"                                                                                    | root      | tty           | G           |
| "/usr/bin/write"                                                                                   | root      | tty           | G           |
| "/usr/sbin/postdrop"                                                                               | root      | _postdrop     | G           |
| "/usr/sbin/postqueue"                                                                              | root      | _postdrop     | G           |
| "/usr/sbin/rpc.net"                                                                                | root      | wheel         | S           |
| "/usr/sbin/rpcset"                                                                                 | root      | wheel         | S           |
| "/usr/sbin/traceroute"                                                                             | root      | wheel         | S           |
| "/usr/sbin/traceroute6"                                                                            | root      | wheel         | S           |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+

This commit fixes issue #253.
 2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e [vtables] Rename homebrew files, some cleanup 2014-10-29 00:34:55 -07:00
Teddy Reed
c1991e94e5 [vtables] Add user crons and use files 2014-10-29 00:28:19 -07:00
Martin Majlis
d645dfc257 Initial implementation for the homebrew table. 2014-10-28 21:03:56 -07:00
Teddy Reed
9abcbcd485 [vtables] Linux kernel modules from procfs 2014-10-28 21:01:51 -07:00
Martin Majlis
e8eb1e222f Reformating the code with clang-formatter. 2014-10-28 19:43:13 -07:00
Martin Majlis
8b8ec7c644 Added initial implementation for crontab. 2014-10-28 17:52:03 -07:00
Teddy Reed
6e60612520 Using clang-format 3.5 2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9 Merge pull request #228 from facebook/bash_history_table 
Adding virtual table bash_history, for linux and darwin
 2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534 updating comment 2014-10-27 16:34:00 -04:00
Mike Arpaia
a5f7dc1aa3 Merge pull request #247 from facebook/time-types 
time types
 2014-10-27 12:47:52 -04:00
mike@arpaia.co
2ba54f5211 time types 2014-10-27 09:13:21 -04:00
Teddy Reed
53afc6b8b2 Merge pull request #240 from facebook/event_logs 
Change log formatting to individual events
 2014-10-26 14:53:58 -07:00
Javier Marcos
c8c3363455 Changed logic to ignore when history file is not found (expected) 2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e Refactoring and added column for history file, also more history files supported 2014-10-24 20:29:23 -07:00
Teddy Reed
84e8718d62 Merge pull request #238 from facebook/unify_routes 
[vtable] Unify routes table for OSX/Linux
 2014-10-24 17:08:16 -07:00
Teddy Reed
a82792b3f7 Log results as events 2014-10-24 17:05:17 -07:00
Teddy Reed
3d7c8b5684 [vtable] Unify routes table for OSX/Linux 2014-10-24 12:34:18 -07:00
Javier Marcos
bf3cd15c91 Final fix for the allocation problem 2014-10-23 17:17:50 -07:00
Javier Marcos
f69913938f Bad memory leak with OpenDirectory and pwd/grp.h code 2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab Adding virtual table bash_history, for linux and darwin 2014-10-22 15:21:05 -07:00
Javier Marcos
bf1ffb1537 Removing old code for generating virtual tables 2014-10-13 21:58:26 -07:00
Javier Marcos
06792db7f0 Adding support for last in linux 2014-10-13 18:19:08 -07:00
Javier Marcos
b3208bab70 Errors handled, shit is on fire 2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0 Adding groups vtable and refactoring users 2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e only index if it's not nullptr 2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02 cleaning up some memory leak supps 2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959 Making sure we do not add duplicated users 2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a OMG memory leaks 2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949 Virtual table to be build in both linux and mac 2014-10-09 15:27:18 -07:00
Javier Marcos
d09e6037dd Fixing infinite loop adding mutex 2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da Adding vtable for users 2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873 Install package depending on arch and better comments 2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5 Adding support to build osquery in centos 6.5 2014-10-08 03:45:56 +00:00
Teddy Reed
2063252f73 [vtable] Fix warning for process in-condition assignment 2014-10-04 13:29:17 -07:00
Teddy Reed
5e6be33767 Merge pull request #199 from facebook/unify_processes 
[vtable] Parity with OSX/Linux processes table
 2014-10-03 17:30:47 -07:00
Teddy Reed
69607c7b32 [vtable] Parity with OSX/Linux processes table 2014-10-03 16:24:11 -07:00
Mike Arpaia
1d062bb038 Merge pull request #185 from facebook/ubuntu12_precise_build_support 
Adding support to build in Ubuntu 12
 2014-10-03 12:57:25 -07:00
Teddy Reed
c553a59745 [events] Use pub/sub diction for events 2014-10-03 11:30:51 -07:00
Teddy Reed
1e36b494b4 [events] Rename MonitorContext to SubscriptionContext 2014-10-03 08:26:41 -07:00
Teddy Reed
b2474b49eb [events] Renamed EventType to EventPublisher 2014-10-03 08:14:36 -07:00
Teddy Reed
e77ae22fe2 [events] Rename EventModule to EventSubscriber 2014-10-03 08:08:06 -07:00
Teddy Reed
69bfb92905 [events] Fleshing out OSX FSEvent framework 2014-10-02 21:30:14 -07:00
Javier Marcos
7c1afd1558 Adding support to build in Ubuntu 12 2014-10-02 17:58:56 +00:00
mike@arpaia.co
2348460ca4 Revert "Support for Ubuntu 12, precise" 
This reverts commit ed0e051eba.
 2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba Support for Ubuntu 12, precise 2014-10-02 01:24:23 +00:00
Teddy Reed
ed338e8356 [events] Events lifecycle complete, passwd_changes vtable 2014-09-26 12:58:32 -07:00
mike@arpaia.co
6beb5d1247 Moving table generation to CMake 
CMake now handles building all of the generated code.
 2014-09-23 17:55:54 -07:00
mike@arpaia.co
4218a4c2ab cmake cleanups 2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c linking tests against libosquery 2014-09-22 19:54:59 -07:00
mike@arpaia.co
627821abc1 Periodic clang-format 2014-09-21 14:29:28 -07:00
mike@arpaia.co
b5ee19f49f Removing the osquery::db namespace 2014-09-21 14:27:09 -07:00
Teddy Reed
9516bf8fd7 Regressions from core NS removal, linux includes 2014-09-17 10:29:22 -06:00
mike@arpaia.co
de426754d9 moving fs to the global namespace 2014-09-15 11:47:52 -07:00
mike@arpaia.co
ad9b0bb5c1 Doxyfile, for docs 2014-09-13 15:18:26 -07:00
Mike Arpaia
db0f0105dd Revert "Skip tests when making 'fast'" 2014-09-09 21:37:08 -07:00
mike@arpaia.co
c9fafc00d3 using '#pragma once' instead of '#ifndef HEADER' 
let's start using #pragma once for our headers. it's less lines of code,
clang supports it, headers become more movable, etc. it's all around a
better plan.
 2014-09-09 18:54:53 -07:00
mike@arpaia.co
cec7b33afb removing unused header includes 2014-09-09 18:43:41 -07:00
Teddy Reed
2e150ef8a9 Skip tests when making 'fast' 2014-09-09 16:25:22 -07:00
mike@arpaia.co
df1332277d clang-format 2014-09-09 16:14:54 -07:00
Teddy Reed
825b50f932 [vtables] Routes table for Linux 2014-09-09 16:07:36 -07:00
Teddy Reed
bfba3d491d Merge pull request #117 from facebook/linux-processes-vtable 
[vtables] Processes table for Linux (procps3)
 2014-09-09 14:43:26 -07:00
Teddy Reed
2bcd89d70f [vtables] Adding cmdline, path to Linux processes 2014-09-09 10:59:16 -07:00
Mike Arpaia
d6699bd0fe Adding header files to CMakeLists.txt so that other build tools can perform better introspection into the codebase. 2014-09-09 10:53:59 -07:00
mike@arpaia.co
8fcad82b35 periodic clang-format 2014-09-09 00:56:27 -07:00
Teddy Reed
c6a7e86b18 [vtables] Processes table for Linux (procps3) 2014-09-08 22:42:17 -07:00
mike@arpaia.co
c72d069689 vagrant and make deps on linux 2014-09-08 19:24:23 -07:00
Teddy Reed
7e470747b4 Moving sublibs to single libosquery 2014-09-08 01:58:29 -07:00
Teddy Reed
e23e7bdab8 Merge pull request #102 from facebook/linux-build 
Changes for Linux (Ubuntu 14.04) build
 2014-09-05 14:52:35 -07:00