Commit Graph

629 Commits

Author SHA1 Message Date
Mike Arpaia
a028b15858 Merge pull request #449 from facebook/config-splay
Add a splay of 10% to scheduled queries so that they don't stack
2014-11-17 19:09:50 -08:00
mike@arpaia.co
81ace6a890 adding some better logging 2014-11-17 19:08:51 -08:00
mike@arpaia.co
c56b663261 pidfile for osqueryd
close #442
2014-11-17 18:42:36 -08:00
Teddy Reed
7287ad5e63 Fix process free regression for libprocps 2014-11-17 16:52:20 -08:00
mike@arpaia.co
f8c27bde85 Add a splay of 10% to scheduled queries so that they don't stack
close #446
2014-11-17 14:19:09 -08:00
Mike Goffin
57faad63fa Merge branch 'master' into mounts_table 2014-11-17 15:03:50 -05:00
Mike Goffin
2ce6882317 Format fixes.
- ran clang-format.
- lowercased column names for table.
- removed include for boost as it's no longer being used.
2014-11-17 15:02:33 -05:00
mike@arpaia.co
715e10a738 Change glog max log size to 10MB
close #444
2014-11-17 11:39:35 -08:00
Teddy Reed
1116d6a928 Merge pull request #438 from theopolis/feature-arp-table
arp_cache vtable for OSX and Linux
2014-11-17 11:36:46 -08:00
mike@arpaia.co
f707253537 close #445 2014-11-17 11:29:14 -08:00
Mike Goffin
0b4e382e96 Merge branch 'master' into mounts_table 2014-11-17 13:46:59 -05:00
Mike Goffin
6cddf4ad39 Mounts table for Darwin.
Associated with #255, this adds Mounts table support for Darwin.
2014-11-17 13:43:59 -05:00
Wesley Shields
c764226b77 Use INTEGER macro.
This makes the code match the example at:

https://github.com/facebook/osquery/wiki/creating-a-new-table
2014-11-17 13:30:46 -05:00
Teddy
968f8027e6 Cleaner arp_table->arp_cache on Linux/OSX 2014-11-17 02:37:15 -08:00
Teddy Reed
ee015343f9 Simplify arp, move to arp_table 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
65c4ed4a7d Fix boost split on linux to remove sscanf 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
2b32673445 Some fixes:
- clang-format on code
- NULL -> nullptr
- some (char *) changed in std::string favour
- Removed a memory leak.
- Moved struct inside the table namespace
2014-11-16 19:49:40 -08:00
Pablo S. Torralba
778951d6a4 Remove osx dependency on system() call to get arp information 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
c7fc2cee22 rename vtable field arp->mac 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
4f524abbea arp vtable different implementation in osx and linux 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
413d6f068b Change fgetln (osx specific) in favour of getline (both osx and linux) 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
1843d80660 arp vtable with ip, arp and interface where it was seen 2014-11-16 19:49:40 -08:00
Li-Wen Hsu
397f2f80f3 It seems that CPack supports only Linux packages for now 2014-11-17 04:45:58 +08:00
Li-Wen Hsu
c00074e117 linux/inotify_tests.cpp is Linux only 2014-11-17 04:27:45 +08:00
Li-Wen Hsu
bb87fe3b55 Correct "FreeBSD" case 2014-11-17 04:23:48 +08:00
mike@arpaia.co
bfceaf8453 blacklisting port_inode and socket_inode
port_inode and socket_inode have caused a few issues lately and, as of
right now, they both have open issues against them. For the time being,
I'm going to blacklist them. When the tables are production-ready, we
can re-add them back in to the base linux build.
2014-11-16 09:42:57 -08:00
Li-Wen Hsu
1ad47bbafb Make room for FreeBSD events 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
7822d06774 No <uuid/uuid.h> under FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
ea7b617a7c No utmpxname() under FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
a102a3273e Include proper headers for FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
e49537c8fa Add libraries and settings for FreeBSD 2014-11-16 01:41:50 +08:00
Teddy Reed
a1898ef03b Check tables row vector size before access 2014-11-14 15:18:25 -08:00
Teddy Reed
02841f5e7f Add kernel userland-API inet_diag header 2014-11-14 01:42:34 -08:00
Teddy Reed
565bce3c07 Fix unwind exception catching 2014-11-14 01:42:00 -08:00
Teddy Reed
0c675b23f2 Fix testing (only requireInstance) for DBHandle once 2014-11-13 09:33:13 -08:00
Vincent Mauge
632151d56a Set ouput_bit to 0 instead of cast error 2014-11-12 22:02:04 -08:00
Teddy Reed
153cc7208f More control over logging 2014-11-12 18:19:22 -07:00
Teddy Reed
aa933491d2 Merge pull request #416 from theopolis/hack_fix_386
[Fix #386] This is a hack to fix Ubuntu unwinding
2014-11-12 16:43:18 -08:00
Teddy Reed
b419c79791 [Fix #386] This is a hack to fix Ubuntu unwinding 2014-11-12 17:12:37 -07:00
mike@arpaia.co
a8832482b3 implementation for #360 2014-11-12 16:51:14 -05:00
mike@arpaia.co
b423286297 failing test 2014-11-12 16:30:18 -05:00
Teddy Reed
0d8b9d3eaa Use SQLite types 2014-11-12 11:07:24 -08:00
Teddy Reed
525a3b79a0 Tons of new build features
* The OS/DISTRO are available as defines when writing tables:
  UBUNTU, UBUNTU_14_04, UBUNTU_12_04
  CENTOS, CENTOS_6_6
  DARWIN, DARWIN_10_10, DARWIN_10_9
* The table generation tooling now grabs virtual tables templates
  from ./osquery/tables/templates/<name>.cpp.in.
* The table generation tooling will detect reserved column names.
* suid_bin uses the new UBUNTU to restrict calls to root (fix #362).
2014-11-12 00:57:47 -08:00
Teddy Reed
8e408f987e Table spec documentation examples 2014-11-11 11:26:11 -08:00
mike@arpaia.co
88bec43d8a removing superfluous nullptr checks. close #404 2014-11-11 11:17:28 -05:00
Bryan Eastes
ec081c9a54 Added --host_identifier option
Conflicts:
	osquery/core/system.cpp
2014-11-10 16:41:13 -05:00
Teddy Reed
8b1af689db Blacklist is now on by default 2014-11-10 13:30:38 -08:00
Teddy Reed
050e942d11 Support USE_BLACKLIST=1 to remove tables from release 2014-11-10 13:30:38 -08:00
Abe Stanway
811d98c595 free(linkname) and no more 'self' 2014-11-10 15:02:31 -05:00
Abe Stanway
30149a70f9 Updated 2014-11-10 15:02:31 -05:00
Abe Stanway
322fde0121 Socket_inode and port_inode tables to map PIDs->ports via netlink inet_diag
Example query:
```
SELECT port.local_port,
       port.remote_port,
       port.local_ip,
       port.remote_ip,
       socket.pid,
       process.name,
       process.cmdline,
       process.path
FROM socket_inode AS socket
JOIN port_inode AS port
  ON socket.inode = port.inode
INNER JOIN processes AS process
  ON socket.pid = process.pid;
```
2014-11-10 15:02:31 -05:00
Teddy Reed
86d2ac208b Use leaks for OSX memory leak profiling 2014-11-10 11:34:17 -08:00
Mike Arpaia
3245e5a6cd Merge pull request #394 from wizzat/process_args
Add cmdline to darwin
2014-11-10 13:20:47 -05:00
Teddy Reed
19aa99583e Linux processes vtable use freeproc 2014-11-10 10:12:47 -08:00
Mark Roberts
dc1684fca7 Add cmdline to darwin 2014-11-10 09:36:17 -08:00
mike@arpaia.co
bd4d1dfc0f Removing superfluous logging from DBHandle. close #387 2014-11-10 12:15:35 -05:00
Teddy Reed
bc05f5de78 Merge pull request #383 from theopolis/fix_rpm_packages
[Fix #367] Check RPMTAG class before cast
2014-11-10 01:59:13 -08:00
Teddy Reed
b0ff403d3d Fixing librpm API usage leaks 2014-11-10 01:48:07 -08:00
Teddy Reed
b2e806e453 Merge pull request #384 from ga2arch/stringstream
read the file directly into a stringstream buffer
2014-11-09 13:30:22 -08:00
Gabriele Carrettoni
77b521ce7b read the file directly into a stringstream buffer 2014-11-09 16:57:35 +01:00
Teddy Reed
b77406b122 [Fix #367] Check RPMTAG class before cast 2014-11-09 02:07:49 -08:00
Teddy Reed
84cc45a366 SQLite DBfile not needed 2014-11-09 01:01:17 -08:00
Teddy Reed
f7667ec440 Remove Threads requirement, cleanup flags 2014-11-09 00:00:57 -08:00
Teddy Reed
078d4cf7d2 Refactor shell flags/versioning 2014-11-08 20:27:28 -08:00
Teddy Reed
62d6472cfe Rethinking some build improvements 2014-11-08 19:28:35 -08:00
Gabriele Carrettoni
848bd4d96e use unique_ptr instead of raw pointer 2014-11-09 02:23:19 +01:00
Veres Lajos
afc82c722f typo fixes - https://github.com/vlajos/misspell_fixer 2014-11-07 22:18:02 +00:00
Alexander Polyakov
00dbf282a6 / is not always readable 2014-11-07 01:00:58 +03:00
Alexander Polyakov
78af7dd885 Catch exception in pathExists
boost::filesystem::exists() throws
2014-11-07 00:20:22 +03:00
Alexander Polyakov
c0d827f534 Add euid / egid to process table
(not tested on darwin)
2014-11-06 01:35:52 +03:00
mike@arpaia.co
05cfff81c8 clang-format 2014-11-04 11:42:30 -08:00
mike@arpaia.co
896a4f2957 generic users function and some general cleanups 2014-11-04 11:40:54 -08:00
Zachary Wasserman
0b30b9f692 Add basic Mac startup items vtable 2014-11-04 11:40:54 -08:00
Alexander Polyakov
a60230af5e linux/processes: fix infinite loop, throw away workaround 2014-11-04 15:31:35 +03:00
Teddy Reed
03034780f1 Add note about blocking process_env as non-su 2014-11-03 23:46:47 -08:00
Teddy Reed
ea3880eefb Merge pull request #354 from wizzat/graceful_envs
Graceful envs
2014-11-03 23:43:04 -08:00
Teddy Reed
2f6369ad99 Fix boost filesystem path for inotify 2014-11-03 23:37:45 -08:00
Mike Arpaia
37734bc5a4 Merge pull request #351 from LTD-Beget/blockdev_table
Blockdev table for linux
2014-11-03 22:29:35 -08:00
Mark Roberts
5780fffa22 Potential Linux fix, pending boost::filesystem::path fix on master. Issue #323 2014-11-03 20:39:51 -08:00
Alexander Polyakov
cbc2139047 block_devices: trim spaces around model and vendor 2014-11-04 05:00:24 +03:00
Teddy Reed
dc77df602e [format] Cleanup various PRs not run through clang-format 2014-11-03 17:57:01 -08:00
Mark Roberts
176af65fb5 Remove logging of permissions error when running as non-root user on OSX
Issue #323
2014-11-03 17:29:22 -08:00
Mike Arpaia
01944a3bb7 Merge pull request #352 from LTD-Beget/pci_devices_crash
pci_devices: udev_device_get_property_values() can return NULL
2014-11-03 15:17:03 -08:00
Alexander Polyakov
95aeaba024 pci_devices: unref things after use 2014-11-04 01:48:42 +03:00
mike@arpaia.co
92381f2009 unbreaking master 2014-11-03 14:28:34 -08:00
Alexander Polyakov
1ce1424d01 Add braces 2014-11-04 01:21:02 +03:00
Alexander Polyakov
e3364ac34c Add braces 2014-11-04 01:13:49 +03:00
Mike Arpaia
a9e636af9f Merge pull request #349 from facebook/329
Ensuring that listening_ports results are unique
2014-11-03 14:08:04 -08:00
Mike Arpaia
3fd0645c07 Merge pull request #350 from zwass/filesystem_path
Refactor osquery::filesystem to use boost::filesystem::path rather than std::string
2014-11-03 14:00:19 -08:00
Alexander Polyakov
f96180e926 pci_devices: udev_device_get_property_values() can return NULL 2014-11-03 23:56:59 +03:00
Alexander Polakov
274e037527 Blockdev table for linux 2014-11-03 23:39:14 +03:00
mike@arpaia.co
dfc206035c using std::find instead of manual iteration 2014-11-03 12:14:14 -08:00
Zachary Wasserman
c559f0e1d2 Refactor osquery::filesystem to use boost::filesystem::path rather than std::string 2014-11-03 12:08:46 -08:00
mike@arpaia.co
75ded8b881 Ensuring that listening_ports results are unique 2014-11-03 12:03:57 -08:00
Zachary Wasserman
07c8671ede Use relative path from argv[0] 2014-11-03 11:24:38 -08:00
Zachary Wasserman
e658aa5b65 Add test for plist with binary 2014-11-03 11:24:38 -08:00
Zachary Wasserman
66ceec0de3 Fix Plist parsing of binary blobs 2014-11-03 11:24:38 -08:00
Akshay Dixit
c99c08c607 changed comments to // from /* , char* to std::string consts, and ran clang-format on the file 2014-11-02 21:09:04 -07:00
Akshay Dixit
cb1bf1c305 cleaned up pci_devices.cpp 2014-11-02 21:09:04 -07:00
Akshay Dixit
6c418507e6 renamed lspci to pci_devices and specified it linux only 2014-11-02 21:09:04 -07:00
Akshay Dixit
afd9d5e160 changed lspci to be a linux only virtual table, and added udev dependency to provisions.sh 2014-11-02 21:07:35 -07:00
Akshay Dixit
7896e7f78e added lspci virtual table and libudev dependencies 2014-11-02 21:03:43 -07:00
Teddy Reed
1abbe7478a Merge pull request #332 from vmauge/depends_gentable
Add dependency to gentable.py
2014-11-02 17:50:07 -08:00
Vincent Mauge
b18dcaa7cb Add dependency to gentable.py
With this commit, a change to gentable.py will trigger
the regeneration of cpp code for each table.
2014-11-02 17:00:47 -08:00
Teddy Reed
24b7be320c Fix #328, add gflags defines for shell-internal flags 2014-11-02 15:40:35 -08:00
Teddy Reed
37b8336a1f Silence parentheses warnings in linux/mounts 2014-11-02 01:42:04 -08:00
Teddy Reed
287bbc06a8 Merge pull request #316 from LTD-Beget/mounts
Mounts table for linux
2014-11-02 01:37:00 -08:00
Larz Conwell
a0d7533c96 Closes #319, Install libraries and headers. 2014-11-02 00:08:11 -04:00
Alexander Polyakov apolyakov@beget.ru
fd5ed3bc19 Rename dir to path 2014-11-02 01:09:24 +03:00
Alexander Polyakov apolyakov@beget.ru
fa81e54e27 Fix indentation, no functional change 2014-11-02 00:36:56 +03:00
Alexander Polyakov
58716d6cfa Mounts table for linux 2014-11-01 16:12:56 +03:00
Teddy Reed
eb240ac527 RPM table and more robust Linux building 2014-10-31 21:59:10 -07:00
castrapel
2557bac3d4 RPM Package listing is now working 2014-10-31 16:52:58 -07:00
castrapel
a51f97871f Adding RPM functionality for CentOS packages (Not working in EL6 due to older rpm-devel) 2014-10-31 16:52:58 -07:00
Teddy Reed
fd8f5782ab Merge pull request #308 from facebook/lsof
Darwin lsof
2014-10-31 16:32:30 -07:00
Mark Roberts
675dc308b9 Fix possible errors with getProcPath and getProcName 2014-10-31 16:07:09 -07:00
Mike Arpaia
fba9d1143b Merge pull request #310 from facebook/quarantine
Add quarantine vtable for OSX
2014-10-31 15:35:47 -07:00
Pablo S. Torralba
42c73897bf Some minor aesthetic changes to keep the code clean 2014-10-31 14:27:15 -07:00
Mark Roberts
534999b396 Whitespace 2014-10-31 13:49:25 -07:00
Pablo S. Torralba
366274504b Feedback fixes to clean the code a bit 2014-10-31 13:44:00 -07:00
Mark Roberts
f38bcd390e Add file_type to process_open_files 2014-10-31 11:13:35 -07:00
Teddy Reed
0604b3a5e0 Fix 301, pragma cols pretty print 2014-10-31 10:19:49 -07:00
Pablo S. Torralba
a6e04efdd7 Add quarantine vtable for OSX
The table reports:
- path: The file in quarantine
- creator: The application that created the file

Example:

```
osquery> select * from quarantine limit 10;

+----------------------------------------------------------------------------+---------------+
| path                                                                       | creator       |
+----------------------------------------------------------------------------+---------------+
| /Applications/Adium.app                                                    | Google Chrome |
| /Applications/Adium.app/Contents                                           | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature                            | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature/CodeResources              | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks                                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium          | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers        | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources      | Google Chrome |
+----------------------------------------------------------------------------+---------------+
```

Fixes issue #231
2014-10-31 06:10:51 -07:00
Mark Roberts
3cf5aa4bae Add lsof for #28 functionality to Darwin, refactor to use shared infra for process_envs 2014-10-31 03:28:14 -07:00
Teddy Reed
bcca0824b0 Fix memset/memcpy for pretty print in osqueryi 2014-10-30 18:07:32 -07:00
Teddy Reed
1554bf3295 Fix #290, add permissions to osqueryd logging 2014-10-30 15:03:05 -07:00
yetanotherhacker
8cee7e0b3c Spelling fixes in comments and output. 2014-10-30 04:27:00 -04:00
Teddy Reed
4ed61ff868 Merge pull request #288 from vmauge/NewLongType
Add new long type and migrate some vtables
2014-10-29 23:12:52 -07:00
Vincent Mauge
07bd114107 Change users table to use the new long long int type for uid and gid
It is now possible to do a proper order on uid or gid, i.e.:
SELECT * FROM users ORDER BY uid;
2014-10-29 18:57:12 -07:00
Vincent Mauge
755d8c198e Change groups table to use the new long long int type for gid
It is now possible to do a proper order on gid, i.e.:
SELECT * FROM groups ORDER BY gid;
2014-10-29 18:57:00 -07:00
Mike Arpaia
0f037d4082 Merge pull request #283 from facebook/fix_sockaddr_inc
Fix #277, add socket.h to interfaces on darwin
2014-10-29 17:41:36 -07:00
Teddy Reed
cd74544208 Fix #277, add socket.h to interfaces on darwin 2014-10-29 16:44:17 -07:00
Scott Robinson
e57bfac5fb Fix a small typo. 2014-10-30 08:25:25 +11:00
Mark Roberts
3b90184da3 Fix clang format error 2014-10-29 10:43:32 -07:00
Mark Roberts
0867c2b547 Add process_envs table for OSX and Linux for issue #99 2014-10-29 03:45:26 -07:00
Teddy Reed
39f866387f [vtables] CPUID asm call feature information 2014-10-29 03:09:34 -07:00
Teddy Reed
1f1b38976a Merge pull request #261 from facebook/crontab
[vtables] Crontab parsing for system/users
2014-10-29 02:52:11 -07:00
Teddy Reed
6db0c67555 Merge pull request #269 from vmauge/suidbin
Add suid_bin vtable
2014-10-29 02:30:29 -07:00
Teddy Reed
8a9374d6e3 [vtables] Support linux crontab vars 2014-10-29 02:24:00 -07:00
Teddy Reed
94c64d80ce Merge pull request #267 from facebook/kernel_modules
[vtables] Linux kernel modules from procfs
2014-10-29 02:03:46 -07:00
Vincent Mauge
471d5faaa0 Add suid_bin vtable
The vtable reports:
- path: full path of the file
- unix_user: name of the owner (if not available, display the uid)
- unix_group: name of the group (if not available, display the gid)
- permissions: report suid or guid
	* S for suid bin
	* G for guid bin

Example:

```
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path                                                                                               | unix_user | unix_group    | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps"                                                                                          | root      | wheel         | S           |
| "/bin/rcp"                                                                                         | root      | wheel         | S           |
| "/Users/vmauge/suid_test"                                                                          | vmauge    | 999           | SG          |
| "/usr/bin/at"                                                                                      | root      | wheel         | S           |
| "/usr/bin/atq"                                                                                     | root      | wheel         | S           |
| "/usr/bin/atrm"                                                                                    | root      | wheel         | S           |
| "/usr/bin/batch"                                                                                   | root      | wheel         | S           |
| "/usr/bin/crontab"                                                                                 | root      | wheel         | S           |
| "/usr/bin/ipcs"                                                                                    | root      | wheel         | S           |
| "/usr/bin/lockfile"                                                                                | root      | mail          | G           |
| "/usr/bin/login"                                                                                   | root      | wheel         | S           |
| "/usr/bin/newgrp"                                                                                  | root      | wheel         | S           |
| "/usr/bin/procmail"                                                                                | root      | mail          | G           |
| "/usr/bin/quota"                                                                                   | root      | wheel         | S           |
| "/usr/bin/rlogin"                                                                                  | root      | wheel         | S           |
| "/usr/bin/rsh"                                                                                     | root      | wheel         | S           |
| "/usr/bin/su"                                                                                      | root      | wheel         | S           |
| "/usr/bin/sudo"                                                                                    | root      | wheel         | S           |
| "/usr/bin/top"                                                                                     | root      | wheel         | S           |
| "/usr/bin/wall"                                                                                    | root      | tty           | G           |
| "/usr/bin/write"                                                                                   | root      | tty           | G           |
| "/usr/sbin/postdrop"                                                                               | root      | _postdrop     | G           |
| "/usr/sbin/postqueue"                                                                              | root      | _postdrop     | G           |
| "/usr/sbin/rpc.net"                                                                                | root      | wheel         | S           |
| "/usr/sbin/rpcset"                                                                                 | root      | wheel         | S           |
| "/usr/sbin/traceroute"                                                                             | root      | wheel         | S           |
| "/usr/sbin/traceroute6"                                                                            | root      | wheel         | S           |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
```

This commit fixes issue #253.
2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e [vtables] Rename homebrew files, some cleanup 2014-10-29 00:34:55 -07:00
Teddy Reed
c1991e94e5 [vtables] Add user crons and use files 2014-10-29 00:28:19 -07:00
Martin Majlis
d645dfc257 Initial implementation for the homebrew table. 2014-10-28 21:03:56 -07:00
Teddy Reed
9abcbcd485 [vtables] Linux kernel modules from procfs 2014-10-28 21:01:51 -07:00
Martin Majlis
e8eb1e222f Reformatting the code with clang-format. 2014-10-28 19:43:13 -07:00
Martin Majlis
8b8ec7c644 Added initial implementation for crontab. 2014-10-28 17:52:03 -07:00
Teddy Reed
47d1f13966 Using Cpp03 to remove double right angle brackets 2014-10-27 17:56:55 -07:00
Teddy Reed
6e60612520 Using clang-format 3.5 2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9 Merge pull request #228 from facebook/bash_history_table
Adding virtual table bash_history, for linux and darwin
2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534 updating comment 2014-10-27 16:34:00 -04:00
Teddy Reed
0a1925200e Clean flags usage in daemon/shell and dbhandle 2014-10-27 12:09:35 -07:00
Teddy Reed
6d50d762ce Changing flag infra, reducing config testing, adding debug macro 2014-10-27 10:30:02 -07:00
Teddy Reed
16c1fa68ba Merge pull request #246 from facebook/db_handle_problems
Fix permissions on DB handle
2014-10-27 10:27:07 -07:00
Teddy Reed
991cbdfb00 Fix permissions on DB handle 2014-10-27 10:05:08 -07:00
Mike Arpaia
a5f7dc1aa3 Merge pull request #247 from facebook/time-types
time types
2014-10-27 12:47:52 -04:00
mike@arpaia.co
2ba54f5211 time types 2014-10-27 09:13:21 -04:00
Teddy Reed
53afc6b8b2 Merge pull request #240 from facebook/event_logs
Change log formatting to individual events
2014-10-26 14:53:58 -07:00
Teddy Reed
67dce20974 Log event results as a flat map 2014-10-26 10:18:26 -07:00
Teddy Reed
2346fa00d5 Merge pull request #243 from facebook/fix_100p
[events] Fix SCNetwork runloop thrashing
2014-10-25 16:41:57 -07:00
Teddy Reed
9d6efc83b8 [events] Fix SCNetwork runloop thrashing 2014-10-25 07:01:57 -07:00
Javier Marcos
c8c3363455 Changed logic to ignore when history file is not found (expected) 2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e Refactoring and added column for history file, also more history files supported 2014-10-24 20:29:23 -07:00
Teddy Reed
84e8718d62 Merge pull request #238 from facebook/unify_routes
[vtable] Unify routes table for OSX/Linux
2014-10-24 17:08:16 -07:00
Teddy Reed
a82792b3f7 Log results as events 2014-10-24 17:05:17 -07:00
Teddy Reed
3d7c8b5684 [vtable] Unify routes table for OSX/Linux 2014-10-24 12:34:18 -07:00
Teddy Reed
35aeb1e87d Merge pull request #237 from facebook/dual_build
Build into platform-specific build dirs
2014-10-24 09:24:11 -07:00
Javier Marcos
bf3cd15c91 Final fix for the allocation problem 2014-10-23 17:17:50 -07:00
Teddy Reed
1598892ab1 Fix Ubuntu build issues (proc/bz2/z) 2014-10-23 16:27:43 -07:00
Teddy Reed
5b2510784e Build into platform-specific build dirs 2014-10-23 14:39:15 -07:00
Javier Marcos
f69913938f Bad memory leak with OpenDirectory and pwd/grp.h code 2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab Adding virtual table bash_history, for linux and darwin 2014-10-22 15:21:05 -07:00
Teddy Reed
21a0fd1aec Merge pull request #207 from facebook/scnetwork_publisher
[events] OSX SCNetwork Publisher
2014-10-16 16:27:35 -07:00
Javier Marcos
bf1ffb1537 Removing old code for generating virtual tables 2014-10-13 21:58:26 -07:00
Javier Marcos
c2f4453749 Merge pull request #213 from facebook/last_access_linux
Adding support for last vtable in linux
2014-10-13 19:07:59 -07:00
Javier Marcos
06792db7f0 Adding support for last in linux 2014-10-13 18:19:08 -07:00
mike@arpaia.co
ce5d53e169 fixing the shell text [skip ci] 2014-10-13 17:23:20 -07:00
Javier Marcos
b3208bab70 Errors handled, shit is on fire 2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0 Adding groups vtable and refactoring users 2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e only index if it's not nullptr 2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02 cleaning up some memory leak supps 2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959 Making sure we do not add duplicated users 2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a OMG memory leaks 2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949 Virtual table to be built in both linux and mac 2014-10-09 15:27:18 -07:00
Javier Marcos
d09e6037dd Fixing infinite loop adding mutex 2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da Adding vtable for users 2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873 Install package depending on arch and better comments 2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5 Adding support to build osquery in centos 6.5 2014-10-08 03:45:56 +00:00
Teddy Reed
55ef15fa3d [events] OSX SCNetwork Publisher 2014-10-07 16:00:28 -07:00
Teddy Reed
ded0717e94 [events] Additional INotify tests 2014-10-07 12:27:25 -07:00
Teddy Reed
8213e7dcbc [events] Improve inotify 2014-10-06 14:37:44 -07:00
Teddy Reed
37352f862a [events] Formatting from name changes 2014-10-04 13:29:17 -07:00
Teddy Reed
2063252f73 [vtable] Fix warning for process in-condition assignment 2014-10-04 13:29:17 -07:00
mike@arpaia.co
99f5052d15 cleaning up deploy materials 2014-10-03 22:34:59 -07:00
Teddy Reed
b5352729af Merge pull request #198 from facebook/inotify_tests
[events] Stabilize INotify event tests
2014-10-03 17:59:20 -07:00
Teddy Reed
5e6be33767 Merge pull request #199 from facebook/unify_processes
[vtable] Parity with OSX/Linux processes table
2014-10-03 17:30:47 -07:00
Teddy Reed
a36117670b Revert "disabling inotify_tests" 2014-10-03 17:02:00 -07:00
Teddy Reed
25aee56af9 [events] Stabilize INotify event tests 2014-10-03 17:01:32 -07:00
Teddy Reed
69607c7b32 [vtable] Parity with OSX/Linux processes table 2014-10-03 16:24:11 -07:00
mike@arpaia.co
96986773b3 disabling inotify_tests 2014-10-03 14:21:50 -07:00
mike@arpaia.co
660ef01777 iostream in shell 2014-10-03 13:48:31 -07:00
mike@arpaia.co
c118e7a1f8 iostream 2014-10-03 13:48:31 -07:00
Mike Arpaia
1d062bb038 Merge pull request #185 from facebook/ubuntu12_precise_build_support
Adding support to build in Ubuntu 12
2014-10-03 12:57:25 -07:00
Teddy Reed
b37785e665 Merge pull request #195 from facebook/events_pubsub
Events pubsub
2014-10-03 11:50:37 -07:00
Teddy Reed
c553a59745 [events] Use pub/sub diction for events 2014-10-03 11:30:51 -07:00
Teddy Reed
1e36b494b4 [events] Rename MonitorContext to SubscriptionContext 2014-10-03 08:26:41 -07:00
Teddy Reed
b2474b49eb [events] Renamed EventType to EventPublisher 2014-10-03 08:14:36 -07:00
Teddy Reed
e77ae22fe2 [events] Rename EventModule to EventSubscriber 2014-10-03 08:08:06 -07:00
Teddy Reed
368ab483a7 Merge pull request #184 from facebook/fsevents
[events] Fleshing out OSX FSEvent framework
2014-10-03 07:54:17 -07:00
Teddy Reed
69bfb92905 [events] Fleshing out OSX FSEvent framework 2014-10-02 21:30:14 -07:00
mike@arpaia.co
d1e2ee1241 glog logger plugin 2014-10-02 19:44:45 -07:00
Javier Marcos
7f5d1eee8c Fixes broken build in Mac OSX 2014-10-02 16:30:29 -07:00
Javier Marcos
06b35c45f0 Adding support to build in Ubuntu 12 2014-10-02 16:30:29 -07:00
mike@arpaia.co
569545648d lz4 2014-10-02 14:51:18 -07:00
mike@arpaia.co
2348460ca4 Revert "Support for Ubuntu 12, precise"
This reverts commit ed0e051eba.
2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba Support for Ubuntu 12, precise 2014-10-02 01:24:23 +00:00
mike@arpaia.co
764619c849 Adding a function to read tomcat configs from disk 2014-09-30 19:59:52 -07:00
Mike Arpaia
3fb8c8a5d4 Merge pull request #183 from facebook/tomcat-users
Adding a function to parse the Tomcat users XML file
2014-09-30 19:51:54 -07:00
mike@arpaia.co
196ec880ab Adding a function to parse the Tomcat users XML file
This is a part of a bigger, better virtual table idea that @carnal0wnage
had.
2014-09-30 19:49:38 -07:00
Teddy Reed
bf8209ca90 Merge pull request #182 from facebook/events_docs
[events] Added remaining doxy comments
2014-09-30 15:00:08 -07:00
Teddy Reed
ef044c4a72 [events] Added remaining doxy comments 2014-09-30 12:50:14 -07:00
Teddy Reed
6eb9c5fd44 EventFactory, Dispatcher as singletons 2014-09-29 20:47:24 -07:00
Teddy Reed
588f1198f3 Merge pull request #174 from facebook/passwd_changes_vtable
[events] Events lifecycle complete, passwd_changes vtable
2014-09-26 21:13:52 -07:00
Teddy Reed
ed338e8356 [events] Events lifecycle complete, passwd_changes vtable 2014-09-26 12:58:32 -07:00
mike@arpaia.co
0c783ebf0a Migrating internal usage of osquery::query to osquery::SQL 2014-09-26 00:34:56 -07:00
mike@arpaia.co
7076aa813c SQL class for executing queries
implements #141
2014-09-26 00:28:18 -07:00
mike@arpaia.co
636ced854f Pretty shell results
Example:

```
osquery> select name, program || program_arguments as executable from launchd limit 5;

+----------------------------------+-------------------------------------------------------------------------------+
| name                             | executable                                                                    |
+----------------------------------+-------------------------------------------------------------------------------+
| bootps.plist                     | /usr/libexec/bootpd                                                           |
| com.apple.afpfs_afpLoad.plist    | /System/Library/Filesystems/AppleShare/afpLoad                                |
| com.apple.afpfs_checkafp.plist   | /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp |
| com.apple.AirPlayXPCHelper.plist | /usr/libexec/AirPlayXPCHelper                                                 |
| com.apple.airport.wps.plist      | /usr/libexec/wps                                                              |
+----------------------------------+-------------------------------------------------------------------------------+
osquery> .tables
  => alf
  => alf_exceptions
  => alf_explicit_auths
  => alf_services
  => apps
  => ca_certs
  => etc_hosts
  => interface_addresses
  => interface_details
  => kextstat
  => last
  => launchd
  => listening_ports
  => nvram
  => osx_version
  => processes
  => routes
  => time
```
2014-09-25 21:39:07 -07:00
Abe Stanway
663e6756d7 Add libboost_regex.a 2014-09-25 19:18:47 +00:00
mike@arpaia.co
0387fde8b8 Adding permissions check around setting default log directory #130 2014-09-25 10:26:39 -07:00
Mike Arpaia
e1fa406096 Merge pull request #165 from facebook/travis
travis
2014-09-24 18:06:32 -07:00
mike@arpaia.co
135dd0dbe4 TravisCI configuration 2014-09-24 18:05:33 -07:00
Teddy Reed
8aaecefec0 Merge branch 'master' of github.com:facebook/osquery into events_updates 2014-09-24 13:55:42 -07:00
Teddy Reed
9220da7e3d [events] Registry integration 2014-09-24 12:43:14 -07:00
mike@arpaia.co
5f4108c503 Moving all boost smart pointers to std smart pointers 2014-09-24 10:54:59 -07:00
Teddy Reed
9a2d299424 [events] Events and registry coordination 2014-09-24 10:46:37 -07:00
mike@arpaia.co
d7546de036 Relocatable build
Making it such that osquery doesn't need to be built in the repo "build"
subdirectory. gentable.py now accepts a positional argument which
indicates the output (which is calculated by cmake) so they don't have
to agree on a destination ahead of time.
2014-09-24 01:58:12 -07:00
mike@arpaia.co
466df023ef makefile cleanups 2014-09-23 22:06:32 -07:00
mike@arpaia.co
91efb3963f moving packages subdir to deploy 2014-09-23 21:37:55 -07:00
mike@arpaia.co
cc9aa5d73b clang-format 2014-09-23 20:31:12 -07:00
mike@arpaia.co
6b25a216c9 periodic clang-format 2014-09-23 20:15:41 -07:00
mike@arpaia.co
7ca879215f moving things from Makefile to CMake 2014-09-23 20:12:53 -07:00
mike@arpaia.co
9dc4c50fe4 moving generated tables to build subdir 2014-09-23 18:44:42 -07:00
mike@arpaia.co
6beb5d1247 Moving table generation to CMake
CMake now handles building all of the generated code.
2014-09-23 17:55:54 -07:00
Mike Arpaia
65bc860fb8 Merge pull request #157 from facebook/deb
Deb package creation for Ubuntu
2014-09-23 17:03:50 -07:00
mike@arpaia.co
e973c856c6 Deb package creation for Ubuntu
I used CPack to generate deb package files from the CMake "install"
target. What this means is, whatever would get installed by "make
install" will get installed by the deb.

"make package" on ubuntu will generate a file named: `osquery-$VERSION-$DISTRO.$ARCH.deb`

Consider the following example:

```
root@vagrant-ubuntu-trusty-64:/vagrant/build# dpkg --info osquery-0.0.1-trusty.amd64.deb
 new debian package, version 2.0.
 size 11311330 bytes: control archive=350 bytes.
     207 bytes,     9 lines      control
     102 bytes,     2 lines      md5sums
 Package: osquery
 Version: 0.0.1
 Section: devel
 Priority: optional
 Architecture: amd64
 Installed-Size: 43369
 Maintainer: marpaia@fb.com
 Description: osquery is an operating system instrumentation toolchain.
```
2014-09-23 17:03:30 -07:00
Teddy Reed
974a53dd98 Merge pull request #155 from facebook/events_modules
Events modules and basic INotifyEventType
2014-09-23 13:01:59 -07:00
Teddy Reed
94953df90e [events] Flesh out inotify eventtype 2014-09-23 13:01:03 -07:00
mike@arpaia.co
4218a4c2ab cmake cleanups 2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c linking tests against libosquery 2014-09-22 19:54:59 -07:00
mike@arpaia.co
1e774e50bf static build on OS X and Linux 2014-09-22 19:27:19 -07:00