When run alone, using --gtest_filter to select the specific test,
it throws an exception because the tables are not registered.
It also wrongly checks that the number of query rows is >= 0 and then
proceeds to access the first one.
A new Windows VM has been recently deployed that moves the
Python 2 installation; Windows Buck builds are now failing.
Support the old and new path for Python 2 and
support multiple minor versions of Python instead of hardcoding one.
It does not look like the EC2 tables are available on Windows
(due to spec-file configuration).
Please see https://osquery.io/schema/3.3.2#ec2_instance_tags
This removes the EC2 library linking requirement until we revisit this
feature.
Add OSQUERY_VERSION cache variable to force the version to be set at
that value.
Add OSQUERY_VERSION_AUTODECTED cache variable to show the osquery
version that has been detected through git
Add OSQUERY_VERSION_SUFFIX cache variable to append its value to the
final version, if the version was autodetected.
Add OSQUERY_VERSION_INTERNAL variable to globally store the final
osquery version, to be used in other CMake scripts.
Add OSQUERY_VERSION_COMPONENTS variable to globally store the components
of the final osquery version. Currently used by the packaging system.
Modify overwrite_cache_variable so that it's possible to specify the type.
The version is always autodetected using "git describe --tags --always --dirty"
and OSQUERY_VERSION_SUFFIX is appended to it, unless OSQUERY_VERSION is manually set.
Incorporates suggestions by @directionless.
CMake part of osquery/osquery#5615
The Wix configuration sets the service as _critical_. As I understand it, this means failures to start osquery are considered startup failures, and will trigger a reboot. As there are occasional Windows bugs causing a failure to start, this seems unfortunate. I think this hit someone on Slack today.
This PR changes that to _normal_.
Docs are http://wixtoolset.org/documentation/manual/v3/xsd/wix/serviceinstall.html
* Initial implementation
* Use case insensitive comparisons for all service names
Fixes a bug where certificates for services that correspond to Local Service or
Network Service may not have their SIDs appear correctly. This is because the
services table is inconsistent with its user_account column.
* Make service name cache query-local
Previously, the service name cache existed for the lifetime of the
osquery process, which made it susceptible to stale reads if a service
restarted under a different user during osquery's lifetime. Now the
cache is created for each query. Also refactor it to directly map to the
sid, rather than the account name, which removes the need to translate
from account name to sid every row.
* Fix reference to destroyed object
Previously, getCurrentUserInfo took a reference to data from a local
vector, whose data is freed after the function. This refactors the code
to use a unique_ptr (similar to how getSidFromUsername does it).
* Add an option to avoid generating debug symbols
A new option, OSQUERY_NO_DEBUG_SYMBOLS, has been added
to avoid generating debug symbols when building in Debug or RelWithDebInfo.
This is especially needed on the CI where the disk size is limited
and symbols are not necessary, because we cannot directly access
processes to debug them.
* Enable Debug builds on the CI
Enabled Debug builds on macOS and Linux; a special job has been created
to represent the combined build status of Release and Debug builds.
Also format the other long cmakeArgs line so that there's one argument
per line.
* Run Docker as privileged also in Debug builds
* Simplify azure pipelines configuration
Use strategy and matrix to avoid repeating the script
for Release and Debug builds.
The code was failing on Windows because the '\Windows\%' pattern
is relative and presumes that the Windows folder is on the same
drive (C:\) as the test process.
This might not be true, so we find precisely where the Windows
directory is and use the full path to it as a pattern.
The failing test checks that were testing the equal and LIKE operator
have been moved to a new test, test_table_constraints, since they
are not related to joins.
The table it tests has several issues: it doesn't properly check
for errors in several places and returns unexpected values in
the columns.
Moreover the code could also be improved to make testing possible
without passing through SQL queries, by separating the part
that uses WMI queries from the conversion to row results.
Fix UsersTest.test_sanity on Windows.
uid and gid were returned as int (while they normally are unsigned int)
and converted to signed integers in the table row.
This is wrong because, beyond uid and gid not being ints,
they are taken from the RID part of the SID, which in some cases,
like for a Service SID, can have a value higher than the maximum
value of an int, so in the end the number shown in the table is negative.
Now they are returned as uint32_t and converted as BIGINTs for the table
that uses them.
Fix other functions' return values and conversions depending on the meaning of
the value.
On Windows stick to its specific types where possible.
Convert CRLF to LF on some of the files modified.
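As an added illustration of the negative-uid bug described above (this is not osquery's code): a constructed Service-style SID whose RID exceeds INT_MAX is narrowed to int by the old conversion and widened to a 64-bit BIGINT by the fixed one. The parsing helpers and the sample SID are assumptions made for the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Parse the sub-authorities of a textual SID ("S-1-5-80-...") into uint32_t values.
// Hypothetical helper, not an osquery API.
std::vector<uint32_t> sidSubAuthorities(const std::string& sid) {
  std::vector<uint32_t> out;
  std::stringstream ss(sid);
  std::string part;
  size_t idx = 0;
  while (std::getline(ss, part, '-')) {
    // Skip the "S" prefix, the revision and the identifier authority.
    if (idx++ >= 3) {
      out.push_back(static_cast<uint32_t>(std::stoul(part)));
    }
  }
  return out;
}

// The RID is the last sub-authority of the SID.
uint32_t ridFromSid(const std::string& sid) {
  auto subs = sidSubAuthorities(sid);
  return subs.empty() ? 0 : subs.back();
}

// Old behaviour: the RID is squeezed into an int, so values above INT_MAX
// wrap to a negative number before being stringified into the row.
std::string uidColumnBuggy(uint32_t rid) {
  int asInt = static_cast<int>(rid);
  return std::to_string(asInt);
}

// Fixed behaviour: keep the RID as uint32_t and widen it to a 64-bit BIGINT,
// which represents every possible RID without sign loss.
std::string uidColumnFixed(uint32_t rid) {
  int64_t asBigint = static_cast<int64_t>(rid);
  return std::to_string(asBigint);
}

// Constructed sample SID (not a real account): RID 3000000000 > INT_MAX.
const std::string kSampleServiceSid = "S-1-5-80-12345-67890-3000000000";
```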
Fix ebpfTests.sysEbpf_null_attr, ebpfTests.sysEbpf_create_map,
ebpfMapTests.int_key_int_value, ebpfMapTests.int_key_struct_value
by running Docker as privileged on Azure Pipelines.
Docker is used only to get a new distribution running, it's not used
for any security purpose, so there's no point in limiting it.
Calling GetLastError() will not return the error code for the Windows registry APIs,
since they return a LSTATUS value which already is the error code.
This also fixes the RegistryTablesTest.test_registry_non_existing_key
test case which was incorrectly expecting success when querying
for a non-existent registry key.
Ported from https://github.com/osql/osql/pull/50
Some IDEs require that the headers are assigned to a target, so they know
which TU uses them and also that they are part of the project.
The option ADD_HEADERS_AS_SOURCES has been added; if it's ON,
we assign those headers as INTERFACE sources of the target that publishes
them.
This is a hotfix to let the prepare_for_ide target work on Windows and
macOS, avoiding downloading libudev, which is not needed and
doesn't exist for those platforms.
In theory for all the third-party libraries that do not exist for a
platform we should have an INTERFACE library as a substitute,
instead of avoiding defining any target.
We wait to do this change, because we are going to refactor how
dependencies are downloaded and imported.
Apparently there's a bug in the visualization of the logs,
where color codes eat characters.
So we disable tests colored output until a fix on Azure Pipelines appears.
Format the YAML file a bit more consistently.
Originally the separation existed because there were multiple branches,
and only one of them was protected by PRs.
So broken commits could land, and differentiating between a broken build
and broken tests was useful.
This is not true anymore and PR checks are per pipeline, not per job,
so the separation wouldn't make a difference.
Only define BOOST_ASIO_DISABLE_STD_STRING_VIEW.
We shouldn't define BOOST_ASIO_HAS_STD_STRING_VIEW,
because even if we define BOOST_ASIO_DISABLE_STD_STRING_VIEW
the first define will actually enable parts of code that will use string_view.
This won't work on Windows and in general, string_view should not be
used unless compiling with C++17.
The hack has also been added to a test that was previously missed.
Taken from osql-experimental.
- Change CMake code license to the one present in osquery right now
- Package metadata doesn't mention Trail of Bits or osql anymore
- Set specific ACLs for osqueryd on Windows when packaging
- Remove LLVM_INSTALL_PATH support on macOS, since we are using AppleClang
- Remove the need for the OSQUERY_SOURCE_DIR variable and the support for the source in a submodule
- Add targets format_check and format to check code formatting and
format it with clang-format
- Do not warn about not using Clang on macOS when using AppleClang
This adds a codeowners file. The intent here is to provide a route to opening up more people to vet and approve commits. Committers should be added to the [osquery/osquery-committers](https://github.com/orgs/osquery/teams/osquery-committers) team. This will grant them write permissions, and cause them to be notified on PRs.
We will need to _additionally_ toggle the codeowners button in master branch protections.
This does _not_ provide a clearly visible audit trail for who has been added to `osquery-committers` or a process for doing that.
Fixes: https://github.com/osquery/foundation/issues/1