Summary: Removing a flag which was declared but never used: enable_monitor
Reviewed By: marekcirkos
Differential Revision: D13958265
fbshipit-source-id: 3a812330950b101abdbd83ada4afd5b262cabd26
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5422
We were just de-prioritizing the type of queries not constraining required columns. However, when the query is just useless without a specific constraint, SQLite's suggestion is to return the SQLITE_CONSTRAINT status.
Reviewed By: marekcirkos
Differential Revision: D13964562
fbshipit-source-id: ee0e5f8baf9abbf83c34f7a39d2b5bd705cbac6d
Summary:
Fixed a crash in virtual tables that occurs after the following steps:
1. sqlite opens VT with xCreate
2. during query execution it invokes xFilter with multiple tables
3. A few tables accumulate in affectedTables
4. xDestroy is called before the query finishes (last step of query execution)
5. query execution finishes, the SQL instance tries to clean up the affected tables, but they were already destroyed by xDestroy
This is only a hotfix for this crash; this code base requires a full memory management review in the future.
Reviewed By: SAlexandru
Differential Revision: D13917015
fbshipit-source-id: 15396e47e4c4e592cf30608a783bc80d560c776f
Summary:
This diff adds Xcode support for osquery.
Part of this diff will be reverted in the future after adding prebuilt library and platform deps support to buck.
To use it you need to build osquery in debug mode and then run buck with the following flags:
--config osquery.xcode=true --config project.ide=xcode
Reviewed By: SAlexandru
Differential Revision: D13903315
fbshipit-source-id: 4d131964d7a61236f25d917dc060a2f3c3d782bc
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5412
Currently, on different platforms the column `start_time` in the `processes` table means different things. On Linux it is seconds since system boot, but it works correctly only on some platforms, because the number of clock ticks per second was hardcoded. On Windows it was absolute Unix time in seconds since the Epoch. On macOS it is a time in milliseconds (maybe?) since system boot. On FreeBSD, as far as I can see, it is an absolute time since boot, but I'm not sure either.
In order to make it consistent across all OSes we changed to a more convenient format: absolute time since the Epoch. This commit is about macOS.
Reviewed By: marekcirkos
Differential Revision: D13918625
fbshipit-source-id: eacb297358b36ce72cb0d5a7d9171553688ab2a3
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5414
Currently, on different platforms the column `start_time` in the `processes` table means different things. On Linux it is seconds since system boot, but it works correctly only on some platforms, because the number of clock ticks per second was hardcoded. On Windows it was absolute Unix time in seconds since the Epoch. On macOS it is a time in milliseconds (maybe?) since system boot. On FreeBSD, as far as I can see, it is an absolute time since boot, but I'm not sure either.
In order to make it consistent across all OSes we changed to a more convenient format: absolute time since the Epoch. This commit is about Linux. The next diffs are going to be about Darwin and FreeBSD.
Reviewed By: guliashvili
Differential Revision: D13918626
fbshipit-source-id: a9cf0570dc6ac9fa125bc8233e9965c4e01566a6
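As an added illustration of the Linux conversion the two commits above describe (example code written here, not osquery's own implementation): the absolute start time is boot time plus the process's start ticks divided by the clock-tick rate, with the rate read from sysconf instead of a hardcoded constant. The /proc samples are constructed; field positions follow proc(5).

```python
import os

# Constructed sample of /proc/stat (only the lines that matter here).
SAMPLE_PROC_STAT = """cpu  1234 0 567 89012 0 0 0 0 0 0
btime 1600000000
processes 4242
"""

# Constructed sample of /proc/<pid>/stat; the comm field deliberately
# contains a space, which is why we split on the last ')' below.
SAMPLE_PID_STAT = (
    "1234 (my prog) S 1 1234 1234 0 -1 4194560 100 0 0 0 5 3 0 0 "
    "20 0 1 0 12345 10240000 300\n"
)


def parse_btime(proc_stat_text: str) -> int:
    """Return the system boot time (seconds since the Epoch) from /proc/stat."""
    for line in proc_stat_text.splitlines():
        if line.startswith("btime "):
            return int(line.split()[1])
    raise ValueError("btime line not found in /proc/stat")


def parse_starttime_ticks(pid_stat_line: str) -> int:
    """Return field 22 (starttime, clock ticks since boot) of /proc/<pid>/stat."""
    # comm may contain spaces and parentheses, so split after the last ')'.
    _, _, rest = pid_stat_line.rpartition(")")
    fields = rest.split()          # fields[0] is field 3 (state)
    return int(fields[19])         # field 22


def clock_ticks_per_second() -> int:
    """Ask the OS instead of hardcoding 100 (the bug the commits describe)."""
    return os.sysconf("SC_CLK_TCK")


def process_start_epoch(btime: int, starttime_ticks: int, clk_tck: int) -> int:
    """Absolute process start time in seconds since the Epoch."""
    if clk_tck <= 0:
        raise ValueError("clock ticks per second must be positive")
    return btime + starttime_ticks // clk_tck


def sample_start_epoch(clk_tck: int = 100) -> int:
    """Run the conversion over the constructed samples with an explicit tick rate."""
    return process_start_epoch(
        parse_btime(SAMPLE_PROC_STAT), parse_starttime_ticks(SAMPLE_PID_STAT), clk_tck
    )
```

On a live system, call `sample_start_epoch(clock_ticks_per_second())` with real /proc contents substituted for the samples.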
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5417
Hash-multimap-based joiner with the ability to clean up old unpaired events from time to time.
Part of a linux tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: SAlexandru
Differential Revision: D13761675
fbshipit-source-id: f4b17cbeed495b2a9e6616a005f001963849875e
Summary: For some monitoring, we need to include the machine identity. Two examples I found are the hostname or a similar hostname schema name.
Reviewed By: SAlexandru
Differential Revision: D13880705
fbshipit-source-id: e1d0238f4981adad1554d73f0ef6e5ef65a98c33
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5408
Move the C++ enum to std::string conversion function out of
osquery/utils/error.h into a separate module, to be able to use it somewhere else.
Reviewed By: guliashvili
Differential Revision: D13896772
fbshipit-source-id: 0a9f6327d5b2f115ce688446a67677879411eb1f
Summary: Before this diff osqueryd was relying on linker order to use the right main function, since gtest also contains a main function.
Reviewed By: guliashvili
Differential Revision: D13897622
fbshipit-source-id: d260b7496f513c7052f4db87c8e7ff9300493671
Summary:
This PR is the result of the discussion in a previous PR (#5348) after we determined account_policy_data was the wrong place for the column.
Add `is_hidden` column to the users and groups tables in macOS. `is_hidden` is populated by looking for the `dsAttrTypeNative:IsHidden` attribute in the OpenDirectory record for the user/group: if the value is `1`, `True`, or `Yes`, is_hidden is 1. If the value is anything else it's set to 0. Invalid values have the same effect as the attribute not existing at all.
The `dsAttrTypeNative:IsHidden` attribute controls whether a user account is visible in the preferences panel, similar to having a uid < 500.
One test failed when running buck test:
```
====STANDARD OUT====
tests/integration/tables/helper.cpp:159: Failure
Value of: boost::get<CustomCheckerType>(validator)(value)
Actual: false
Expected: true
Custom validator of the column "mask" with value "" failed
```
This also fails when I run the test on the current experimental branch.
Important to note: I had to remove the optimization on both the user and group tables that just called `getpwnam` if the query specified the `uid` or `gid`, since the struct returned doesn't contain the `IsHidden` attribute. I'm not sure if or how much this will affect performance since I wasn't able to get the profiling to work with the new version (very likely I'm just doing it incorrectly).
Pull Request resolved: https://github.com/facebook/osquery/pull/5368
Differential Revision: D13862375
Pulled By: akindyakov
fbshipit-source-id: 1fec88a6ba71884f7e611e1d96ea00630c5be655
Summary: The profiler file contained the CodeProfiler class, which is a bit odd. Thanks alecx.
Reviewed By: akindyakov
Differential Revision: D13861320
fbshipit-source-id: 11d711fd1d15830d4cce0be084cc6da3b1c6589c
Summary:
Split query name and pack name with the delimiter (dot), which should not occur inside their names (instead of _ or -).
Also log things per pack name.
Reviewed By: SAlexandru
Differential Revision: D13854471
fbshipit-source-id: 181e7e19fcfb5d57a779cea6a2804eda09dc5a91
Summary:
Split query name and pack name with the delimiter (dot), which should not occur inside their names (instead of _ or -).
Also log things per pack name.
Reviewed By: mkareta
Differential Revision: D13854389
fbshipit-source-id: 35ba80813d98371dd36a83ec32aad677f24aa6eb
Summary: ScheduledQuery was declared both in query.h and in scheduled_query.h. Let's keep scheduled_query.h only.
Reviewed By: mkareta
Differential Revision: D13859371
fbshipit-source-id: 241b948d21fe619be360037a4e2e52a833a23b2b
Summary: In the interest of making changes smaller, I'm replicating stuff around QueryData to QueryDataTyped in intermediate commits. I'll come back and remove stuff that's no longer used when subsequent changes eliminate use of them.
Reviewed By: guliashvili
Differential Revision: D13741994
fbshipit-source-id: de0b00ddb0ad4b344d68ce799fe9fac759bb6199
Summary: Also it causes a debug failure on an unchecked Expected when the status is not ok.
Reviewed By: mkareta
Differential Revision: D13859377
fbshipit-source-id: 596410350cb91d469dc0a19f0e8eec558e8627bd
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5398
The file moved to a different location.
Reviewed By: marekcirkos
Differential Revision: D13817331
fbshipit-source-id: 6bd3947894daa712edae84b71502af997947b9b0
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5390
To eliminate the effect of dropping privileges in other threads causing poll EINTR errors in thrift.
According to [bugzilla.redhat](https://bugzilla.redhat.com/show_bug.cgi?id=473907), in case of changing privileges `glibc` sends SIGRT_1 to other threads, which leads to poll being interrupted. On POSIX we cannot have different credentials for threads of one process. Therefore the solution is either to not use dropping privileges for the whole osquery process or to patch all usages of poll in the thrift code. I like the first option more because playing with permissions of the whole `osqueryd` can cause unpredicted interference between threads. For instance the same table can provide different results because some other thread is dropping and regaining privileges at the same time.
So, the solution I'd like to suggest for now is to remove dropping privileges from safe places like reading files with known hostnames or shell history files. And because we cannot interact with apt/rpm/yum databases as root and should drop to the none user for it, I'd suggest increasing the number of attempts to poll in case of EINTR. It can largely eliminate the problem for now.
This addresses the problem in issue [#5326](https://github.com/facebook/osquery/issues/5326).
Thanks fmanco for the help investigating this problem.
Reviewed By: fmanco
Differential Revision: D13781886
fbshipit-source-id: 4b1f2b7d20c925cc19ba79cc0a2906b65e815c0b
Summary: We went with 'long' rather than 'int64_t' in the JSON serialization methods that were added, so change our variant type to match.
Reviewed By: marekcirkos
Differential Revision: D13675340
fbshipit-source-id: 1ccde4ce9f651fe68db968b367507aa67823c74f
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5385
A left shift by >= 31 steps was done on an integer type. Using unsigned long long (1ULL) instead of int (1).
Reviewed By: fmanco
Differential Revision: D13751355
fbshipit-source-id: 4564b33e2d26a0cb459ee86d180c0af492fa1f43
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5373
I made a wrapper for the syscall perf_event_open to isolate the syscall code definition and use `Expected<>` as a return value.
Reviewed By: mkareta
Differential Revision: D13622565
fbshipit-source-id: 616080a64376d4b042629513ad715b1d2458b8a2
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5370
Handler to enable an event of a certain type, get the id of the event and make sure it will be disabled afterwards.
Part of a linux `syscalls` tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: mkareta
Differential Revision: D13621388
fbshipit-source-id: 8adfbe3cc1d87f70538851c5036eae51c93bede8
Summary:
This adds support for the `#includedir` and `#include` directives to the `sudoers` table, making `sudoers` behave more like the actual `sudo` rule parser:
* When an `includefile` directive is encountered, the referenced file will be parsed using the same rules as the top-level sudoers file.
* When an `includedir` directive is encountered, the referenced directory will be listed and each valid file within (i.e., each file *not* containing a `.` and *not* ending with `~`) will be parsed using the same rules as the top-level sudoers file.
* An additional `source` column tracks the file that provides the row's rule.
* Like `sudoers(5)`, nesting is limited to 128 individual files, with directory inclusions being counted once for each file they contain.
Pull Request resolved: https://github.com/facebook/osquery/pull/5350
Differential Revision: D13717394
Pulled By: akindyakov
fbshipit-source-id: 9659526f21e82c712c495caa80775b15d7e47e37
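The include rules the commit above lists, worked through as an added example (not the osquery `sudoers` table's own parser): `#include` recurses into one file, `#includedir` recurses into each entry without a `.` and not ending in `~`, every row carries its `source` file, and expansion stops once 128 files have been visited. The filesystem is an in-memory dict constructed for the example; sorting directory entries and stopping quietly at the limit are this example's choices.

```python
from typing import Dict, List, Tuple

MAX_INCLUDED_FILES = 128  # the nesting limit the commit (and sudoers(5)) mention

# Constructed in-memory filesystem: file path -> contents, and dir -> entry names.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/sudoers": "root ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n#include /etc/extra\n",
    "/etc/sudoers.d/10-admins": "%admin ALL=(ALL) ALL\n",
    "/etc/sudoers.d/10-admins.rpmsave": "%admin ALL=(ALL) NOPASSWD: ALL\n",  # skipped: has '.'
    "/etc/sudoers.d/backup~": "ALL ALL=(ALL) NOPASSWD: ALL\n",               # skipped: ends with '~'
    "/etc/extra": "# comment only\ndeploy ALL=(root) /usr/bin/systemctl\n",
    "/etc/loop": "#include /etc/loop\nloop ALL=(ALL) ALL\n",                  # includes itself
}
SAMPLE_DIRS: Dict[str, List[str]] = {
    "/etc/sudoers.d": ["10-admins", "10-admins.rpmsave", "backup~"],
}


def is_valid_include_name(name: str) -> bool:
    """Files in an includedir are parsed only if they have no '.' and no trailing '~'."""
    return "." not in name and not name.endswith("~")


def parse_sudoers(path: str, files: Dict[str, str], dirs: Dict[str, List[str]]):
    """Return ([(rule, source_file), ...], files_visited, limit_hit)."""
    rows: List[Tuple[str, str]] = []
    state = {"visited": 0, "limit_hit": False}

    def visit(p: str) -> None:
        if state["visited"] >= MAX_INCLUDED_FILES:
            state["limit_hit"] = True     # stop expanding; every file counts once
            return
        state["visited"] += 1
        for raw in files.get(p, "").splitlines():
            line = raw.strip()
            if line.startswith("#includedir "):
                d = line.split(None, 1)[1]
                for name in sorted(dirs.get(d, [])):   # sorted for determinism
                    if is_valid_include_name(name):
                        visit(d.rstrip("/") + "/" + name)
            elif line.startswith("#include "):
                visit(line.split(None, 1)[1])
            elif line and not line.startswith("#"):
                rows.append((line, p))                 # `source` column = p

    visit(path)
    return rows, state["visited"], state["limit_hit"]
```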
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5354
eBPF system call osquery wrapper with Expected as a return value and a function to check if the functionality is supported by the current kernel.
Blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: mkareta
Differential Revision: D13607442
fbshipit-source-id: 58be84a86aba3fe5e33ca5ab15418976fd36107c