Teddy Reed
de19f0b6c2
tables: Replace apt_sources with crude string parsing ( #4034 )
2018-01-07 00:26:27 -08:00
Nick Anderson
85133d8ad0
tables: adding windows table for KVA and speculative exec info ( #4027 )
2018-01-05 10:53:02 -08:00
Dave Kukfa
6ddbdc0fea
tables: Implemented Windows crashes table ( #3696 )
2017-12-28 21:09:10 -08:00
Teddy Reed
33ab8b6e5d
config: Inspect blacklisted queries ( #4004 )
2017-12-17 19:25:42 -08:00
Reed Loden
6b6723110f
tables: Add linux shadow table ( #3902 )
2017-11-28 00:51:44 -08:00
Mike Myers
b79c0e2621
Local Groups table for Windows ( #3855 )
2017-11-27 23:51:47 -08:00
Nick Anderson
6068d61068
tables: adding intel_me_info virtual table on Windows ( #3960 )
2017-11-27 11:26:08 -08:00
Teddy Reed
1cedf8d573
tables: Add basic Intel ME table returning version ( #3956 )
2017-11-22 00:39:18 -08:00
Mitchell Grenier
a73233263b
Renaming the key_events table to user_interaction_events and adding mouse down ( #3951 )
2017-11-21 23:43:52 -08:00
Nick Anderson
1239c8ccc5
tables: expanding windows programs table to encompass apps without GUID ( #3945 )
2017-11-20 08:21:21 -08:00
Nick Anderson
3d7f7cf037
tables: adding type column to users table to differentiate local users ( #3946 )
2017-11-20 08:21:06 -08:00
Babatunde Micheal Okutubo
9fd2be038c
Virtual table: Iptables port feature #3621 ( #3897 )
2017-11-08 18:02:44 -08:00
Teddy Reed
5245f7bcf3
tables: Refactor ssl_cert into curl_certificate ( #3903 )
2017-11-01 07:30:22 -07:00
Teddy Reed
8597db5f11
tables: Move the curl table to all platforms ( #3904 )
2017-10-31 23:44:46 -07:00
Nick Anderson
573cf5fc11
tables: porting the ssl cert to Windows ( #3894 )
2017-10-30 22:46:45 -07:00
Nick Anderson
b1355c4441
tables: Adding a Named Pipes table for Windows ( #3893 )
2017-10-30 22:46:28 -07:00
Babatunde Micheal Okutubo
ff1ae545e8
tables: SSL cert table for posix #3811 ( #3839 )
2017-10-28 13:28:17 -07:00
Nick Anderson
45bafdbe51
tables: adding windows physical disk perfmon table ( #3865 )
2017-10-22 13:56:54 -07:00
Samuel Keeley
58af0b7477
Add version to usb_devices table ( #3840 )
2017-10-17 07:59:56 -07:00
Mitchell Grenier
cd88cecc9a
Publisher and Table for Event Tap Capture (KeyDown) ( #3829 )
2017-10-16 13:07:24 -07:00
Alessandro Gario
e888f3e8e8
tables: Authenticode verification support for Windows ( #3716 )
2017-10-14 00:09:27 -07:00
uptycs-nishant
d2576e576b
[ Fix #3699 ] Reporting mode as octal string ( #3825 )
2017-10-13 21:26:07 -07:00
Garret Reece
0615372d02
Implement a logical_drives table for windows ( #3818 )
2017-10-13 20:35:54 -07:00
Teddy Reed
0104cd1b76
fuzz: Use example queries as input to make fuzz ( #3795 )
2017-10-06 08:45:49 -07:00
Jason Meller
02bbd83ce3
Add last_opened_time to apps table ( #3715 )
2017-09-21 19:18:35 -07:00
Nick Anderson
2520edca73
tables: porting python_packages to Windows ( #3702 )
2017-09-16 16:40:43 -07:00
Nick Anderson
fa78d5db01
[ Fix #3683 ] Setting interface id for interface_addresses ( #3684 )
2017-09-13 16:30:30 -07:00
Teddy Reed
812dbc5080
[ Fix #2400 ] Use PackageKit to enumerate packages ( #3685 )
2017-09-12 21:59:55 -07:00
Teddy Reed
83f8a4e92c
preferences: Report both Current Host and Any Host ( #3681 )
2017-09-12 21:57:50 -07:00
Teddy Reed
8dc4268761
kernel: Disable kernel support by default ( #3672 )
2017-09-09 16:48:39 -07:00
Atyansh Jaiswal
68b1de153d
tables: Adding posix curl virtual table ( #3596 )
2017-08-30 15:24:05 -07:00
Nick Anderson
3c782051eb
tables: adding chocolatey packages virtual table ( #3612 )
2017-08-27 11:21:04 -07:00
Mike Myers
906104564c
Add examples of Windows registry virtual table ( #3597 )
2017-08-22 17:28:56 -07:00
Nick Anderson
8bb1e40d27
tables: porting the process_memory_map table to windows ( #3587 )
2017-08-21 21:47:45 -07:00
Nick Anderson
b42b3d677e
tables: adding scheduled action to windows scheduled tasks table ( #3543 )
2017-08-09 09:54:39 -07:00
Thomas Maurice
a41ff4117f
linux usb_devices: add the class, subclass and protocol information ( #3542 )
2017-08-08 12:17:29 -07:00
Vishwa Shah
c54c6e6c0e
corrected size in block_devices on darwin, linux ( #3539 )
2017-08-07 19:21:18 -07:00
Mitchell Grenier
b22a403bf1
OpenBSM Events ( #3503 )
2017-08-07 16:02:16 -07:00
Nick Anderson
b4316a57a0
tables: Adding certificates virtual table for windows ( #3498 )
2017-08-07 09:08:53 -07:00
Seshu Pasam
32ad42aea0
EC2 instance metadata implementation. ( #3502 )
2017-08-03 17:54:17 -07:00
Teddy Reed
7ca18f5a32
audit: Add cwd to process_events on Linux ( #3525 )
2017-08-03 08:21:15 -07:00
Seshu Pasam
6495f14828
EC2 instance tags implementation. ( #3507 )
2017-08-02 13:40:59 -07:00
Teddy Reed
0b0c5febd1
tables: Add device_firmware to darwin ( #3499 )
2017-08-02 09:48:09 -07:00
Jason Meller
8ba9a54daa
tables: Implement sharing_preferences table for Darwin ( #3509 )
2017-08-02 09:30:35 -07:00
Jason Meller
c4010bd306
tables: Implement shared folders table for Darwin ( #3510 )
2017-08-01 20:33:57 -07:00
Jason Meller
b9fbf583d0
Darwin: Add gatekeeper tables ( #3461 )
2017-07-27 10:51:31 -07:00
Rohit Varkey Thankachan
3cd26ac48c
Add collisions to the interface_details table ( #3491 )
2017-07-24 13:51:50 -07:00
Teddy Reed
a9799a9426
Allow caching for tables with indexes and additionals ( #3472 )
2017-07-18 00:08:38 -07:00
Teddy Reed
dacfbd4584
Separate preferences from plist and add user-concept ( #3455 )
2017-07-02 18:28:59 -07:00
Teddy Reed
99675fdbb2
audit: Increase speed when using socket_events ( #3449 )
2017-07-02 17:18:40 -07:00
ryanheffernan
cf50143e69
Adding autoexec table for Windows ( #3444 )
2017-06-27 13:48:21 -07:00
ryanheffernan
80acd105f5
IE Extensions table for Windows - Browser Helper Objects ( #3436 )
2017-06-27 10:50:36 -07:00
Teddy Reed
617314c7df
tables: Add flags to interface_details ( #3439 )
2017-06-25 14:12:01 -07:00
Allan Liu
256d113a74
Linux software RAID table ( #3304 )
2017-06-21 21:58:37 -07:00
Teddy Reed
c81c815f75
tables: Add symlink column to file table ( #3390 )
2017-06-18 14:42:40 -07:00
Rohit Varkey Thankachan
6b211a19ad
cpu_time on macos ( #3392 )
2017-06-18 14:28:07 -07:00
Teddy Reed
dae221e331
virtual tables: Allow tables to use an 'extended' schema ( #3416 )
2017-06-18 14:27:18 -07:00
Teddy Reed
4f7abe963d
Allow up to 64k rpm_package_files ( #3402 )
2017-06-13 13:22:55 -07:00
Rohit Varkey Thankachan
dfb6d84112
Load Averages on POSIX systems using getloadavg ( #3396 )
2017-06-10 15:25:20 -07:00
ryanheffernan
80aaed8b05
[ Fix #3313 ] Adding driver version + adding malloc/pointer safety to drivers table ( #3319 )
2017-06-05 09:06:49 -07:00
Mitchell Grenier
739d910a2c
Fix #1546 Add local host name ( #3370 )
2017-06-02 16:15:50 -07:00
Rohit Varkey Thankachan
081ea9e76d
Virtual memory statistics for darwin ( #3368 )
2017-05-31 12:00:44 -07:00
lxcode
8b7b37bf4f
Add table for FreeBSD kernel modules. ( #3328 )
2017-05-26 15:10:59 -07:00
Teddy Reed
9ba0edb4bb
darwin: Improve disk_events add detection ( #3332 )
2017-05-26 10:38:26 -07:00
Mitchell Grenier
6065c26f1d
Make all descriptions use periods consistently. ( #3324 )
2017-05-25 12:43:58 -07:00
ryanheffernan
05b7b80891
Refactor Windows interface_addresses table to use win32 API and report accurate netmasks. ( #3297 )
2017-05-23 14:58:11 -07:00
Mitchell Grenier
0f76810699
Fix temperature sorting ( #3308 )
2017-05-23 09:15:34 -07:00
Seshu Pasam
0cb7c3cc3e
Fix spec file names and added missing version in packs ( #3289 )
2017-05-20 00:42:17 -07:00
lxcode
9b803d78d7
FreeBSD: Fix os_version, add pkgng package table ( #3278 )
2017-05-12 14:11:01 -07:00
ryanheffernan
c279342226
Allow querying Windows Registry by 'path' column ( #3270 )
2017-05-11 10:29:59 -07:00
Seshu Pasam
4cfb31452c
Docker support ( #3241 )
2017-05-05 09:53:12 -07:00
Teddy Reed
4372785d5d
Refactor build logic to allow optional: yara, tsk, lldpd ( #3226 )
2017-04-28 13:45:41 -07:00
ryanheffernan
0458abc453
Split Startup items 'path' column into 'path' and 'args'
2017-04-27 23:56:08 -04:00
lxcode
03a9798b7e
FreeBSD: add functional routes.cpp, unblacklist modules ( #3225 )
2017-04-27 16:34:31 -07:00
Robin Breathe
cbc34c44fe
Darwin: Add channel column to wifi_status and wifi_survey tables ( #3221 )
2017-04-26 14:41:24 -07:00
Gregory Heimbuecher
c5fd96cdf3
Fix #2838 : Adds the event_taps table to Darwin ( #3188 )
2017-04-21 15:55:12 -07:00
Mitchell Grenier
d5f002d447
Adding a table for Time Machine Backup Destinations ( #3177 )
2017-04-20 19:15:29 -07:00
Nick Anderson
13524f8833
Adding file carving feature to osquery ( #3038 )
2017-04-20 19:00:26 -07:00
Dan Sedlacek
13aef1fb73
Windows Network Routes ( #3040 )
2017-04-19 20:03:20 -07:00
Teddy Reed
90078f15ea
events: Add hidden EID to all events tables ( #3159 )
2017-04-14 08:20:20 -07:00
Nick Anderson
6a90db47be
Adding the Windows Scheduled Tasks virtual table ( #3153 )
2017-04-13 07:53:49 -07:00
Teddy Reed
b3ee6c9a8d
tables: Fix table metadata when constraints are used ( #3151 )
2017-04-12 21:48:28 -07:00
ryanheffernan
f32ceb306b
Adding Windows Startup Info Table ( #3137 )
2017-04-05 15:14:28 -07:00
ryanheffernan
da427ab6c0
[ Fix #3138 ] Adding index on 'key' column of Windows Registry table ( #3139 )
2017-04-05 13:02:36 -06:00
ryanheffernan
c91b905091
Allowing OR clause in registry virtual table ( #3136 )
2017-04-04 15:43:06 -07:00
Teddy Reed
7b6e4c7a27
audit: Optimize user_events and add auid ( #3120 )
2017-03-31 08:30:45 -07:00
Rubab-Syed
92e545e6bf
Python packages ( #3089 )
2017-03-26 00:03:10 -07:00
mnmnc
a63cf1344e
Minor description correction ( #3096 )
2017-03-22 15:55:13 -07:00
Teddy Reed
69bb69fd6d
events: Inspect schedule and improve tests ( #3087 )
2017-03-20 22:03:09 -07:00
ryanheffernan
5671bb720b
Refactoring Windows Registry table to be more like the file table ( #3073 )
2017-03-17 12:47:11 -07:00
Allan Liu
0cf0c3b428
lldp_neighbors: posix table spec and table implementation ( #2957 )
2017-02-28 10:02:13 -08:00
Allan Liu
3c3d649b1e
Prometheus Metrics table ( #2925 )
2017-02-26 21:59:51 -08:00
Nick Anderson
e961fc850e
Adding the Windows event log publisher ( #2937 )
2017-02-02 17:05:58 -08:00
Mike Arpaia
2ad1d8839f
Introduce two new host identifier options ( #2944 )
2017-01-27 17:56:50 -08:00
Samuel Keeley
743580f208
Add country_code to wifi_status and wifi_survey tables. ( #2940 )
2017-01-25 10:20:39 -08:00
Dan Sedlacek
1d604fc1af
[windows] arp_cache virtual table ( #2839 )
2017-01-10 19:09:46 -08:00
Nick Anderson
0307ec3f3a
Adding the windows logged_in_users virtual table ( #2891 )
2017-01-08 13:19:09 -08:00
Jonathan Lee
383e07e5be
[ Fix #2734 ] Remove OpenSSL link dependency for osquery core ( #2750 )
2016-12-22 00:37:59 -08:00
Nick Anderson
7f5345ec7e
Adding process_open_ports and listening_sockets virtual tables to Windows ( #2760 )
2016-12-06 14:25:08 -08:00
Dan Sedlacek
0fb983fe9b
add quickfixengineering patches virtual table ( #2837 )
2016-12-03 16:17:16 -08:00
Mitchell Grenier
d01a6b148e
Adding a WiFi survey table ( #2794 )
2016-11-23 16:58:02 -08:00
Mitchell Grenier
02b52005e0
Adding a table for currently connected WiFi information ( #2793 )
* Adding a table for currently connected WiFi information
* make format
* make format
* make format
* make format
* reed changes
* format
2016-11-22 23:37:14 -08:00
trizt
1cf5ef5a8a
Add Gentoo as a build environment and portage tables ( #2638 )
2016-11-22 14:55:30 -08:00
Teddy Reed
93ce41b5e4
Rename augeas path column to node ( #2788 )
2016-11-20 14:13:55 -08:00
Serey Ty
148eb41e4e
add drop fields to interface details ( #2778 )
2016-11-19 12:11:25 -08:00
Jonathan Lee
b63b60e967
New table: sudoers ( #2686 )
2016-11-12 16:32:42 -05:00
Omer Katz
5b7655b96f
Add augeas table and libxml2 dependency ( #2181 )
2016-11-11 08:00:59 -08:00
Mohamed El-Shahawi
4935e84b17
Add virtual table: Windows Drivers ( #2675 )
2016-11-08 10:50:12 -08:00
Teddy Reed
df25f27efb
Prefer /etc/os-release for Linux os_version ( #2667 )
2016-10-22 16:58:32 -07:00
Michael McGrew
55d29505a3
Fix missing column in wmi_event_filters table ( #2625 )
2016-10-14 15:10:37 -07:00
Nick Anderson
208d2324d5
Extending chrome browser extension table to Windows ( #2619 )
2016-10-14 10:23:37 -07:00
Michael McGrew
21f797c811
add table for appcompat shims ( #2618 )
2016-10-13 13:31:05 -07:00
Mohamed El-Shahawi
a3e8bac776
Add virtual table: Windows services ( #2600 )
2016-10-12 09:10:05 -07:00
Nick Anderson
616d9f5953
Adding support for Windows platform_info table ( #2611 )
2016-10-12 09:01:32 -07:00
Mohamed El-Shahawi
498a040ee6
Add virtual table: Windows Kernel_info ( #2610 )
2016-10-11 17:46:26 -07:00
Michael McGrew
fa0e15ae10
Update wmi_cli_event_consumers with correct columns ( #2608 )
2016-10-10 18:49:37 -07:00
Stephen Lester
0a02532b99
[ Fixes #2594 ] windows: Implement the etc_services table ( #2595 )
2016-10-06 14:06:44 -07:00
Mohamed El-Shahawi
c83afe01d6
Add virtual table: Windows etc_protocols ( #2590 )
2016-10-04 19:08:27 -07:00
Mohamed El-Shahawi
c446746a3a
Add virtual table os_version for windows ( #2586 )
2016-10-03 12:06:05 -07:00
lambda-conjecture
e33002e922
Change memory_info fields to BIGINT to handle 4G and larger sizes ( #2584 )
2016-10-02 18:12:35 -07:00
Teddy Reed
b895c6a988
Reduce several INFO logs to VLOGs and increase size-INTEGERs to BIGINT ( #2559 )
2016-09-28 12:38:35 -07:00
Michael McGrew
0473043c3a
Rename programs table to correct file name ( #2537 )
2016-09-27 14:41:24 -07:00
Nick Anderson
3a351ebf43
Adding windows system_info virtual table ( #2521 )
2016-09-26 11:08:57 -07:00
Nick Anderson
8fd1ba9004
Adding the windows users virtual table ( #2506 )
2016-09-24 18:18:40 -07:00
Nick Anderson
e167619bfa
Adding kernel panics table ( #2488 )
2016-09-23 19:04:50 -07:00
Teddy Reed
bcd90070ae
Remove time-override for events add API ( #2508 )
This will remove the use of current time for syslog.time and introduce
a new column called 'datetime'.
Events now uses an "optimize_id" alongside "optimize" to prevent returning
colliding events added within the same second as the previous genTable call.
2016-09-23 16:46:02 -07:00
Michael McGrew
30c17885ad
New windows tables ( #2451 )
2016-09-23 14:33:44 -07:00
Zachary Wasserman
9701c55d96
Add active column to osquery_packs table ( #2475 )
2016-09-19 13:00:11 -07:00
Teddy Reed
df1e3b9481
Add make fuzz ( #2458 )
2016-09-13 20:37:31 -07:00
Teddy Reed
c7ee4f9ca4
Add librpm build and RPM tables ( #2456 )
2016-09-12 22:43:36 -07:00
Teddy Reed
65dd56e113
Introduce table 'attributes' ( #2431 )
2016-08-31 15:32:20 -07:00
Teddy Reed
05a795d80a
Count subscriber events correctly in osquery_events ( #2419 )
This also changes the osquery_events API by renaming restarts to refreshes.
2016-08-29 06:57:24 -07:00
Teddy Reed
9824e6bd58
Rename phys_footprint to total_size and add threads ( #2412 )
2016-08-29 06:56:38 -07:00
Teddy Reed
89b1b6f3ff
Fix Linux memory_map printing and use IOMEM instead ( #2416 )
2016-08-29 06:54:10 -07:00
Nick Anderson
e6d4f36ebb
Adding etc_hosts virtual table to windows ( #2381 )
2016-08-24 17:02:14 +01:00
Michael McGrew
a14961d868
Minor fixes to cb_info table ( #2399 )
2016-08-22 23:29:22 +01:00
Michael McGrew
a0e83466d2
Add table for pulling back carbon black sensor info ( #2377 )
2016-08-16 21:56:29 -07:00
Nick Anderson
9786b0efed
Adding the windows registry virtual table ( #2356 )
2016-08-16 12:37:53 -07:00
Teddy Reed
a227c0cf3b
Fix dep_packages and apply to all Linux ( #2373 )
2016-08-15 22:11:01 -07:00
Teddy Reed
f88d404e6d
Add 'type' to logged_in_users ( #2343 )
2016-08-12 22:09:57 -07:00
Teddy Reed
7c1ecc6871
Brew-based build redesign ( #2251 )
2016-07-31 11:32:31 -07:00
nerddotcat
e015c132f6
Added memory_info table for Linux ( #2282 )
2016-07-27 15:20:07 -07:00
Teddy Reed
6fc0ddb31d
Add watcher column to osquery_info ( #2261 )
2016-07-21 13:07:24 -07:00
nerddotcat
ebf3ae378d
added ssh_keys table for id_rsa files. ( #2245 )
2016-07-19 09:21:01 -07:00
artemdinaburg
bede048323
Merge posix/windows processes table into single entity ( #2220 )
2016-07-05 21:18:14 -07:00
artemdinaburg
d4a3fe2452
Windows Daemon/Shell: Initial support for Windows tables ( #2182 )
Preparation for Windows Tables. We need a Windows process table so that the daemon will run
2016-06-23 16:04:11 -07:00
Teddy Reed
866ff13fc3
Fix OS X kernel extension autoload ( #2151 )
2016-06-08 11:14:36 -07:00
Teddy Reed
91b34010df
Allow table specs to use multiple row indexes ( #2146 )
2016-06-07 17:13:48 -07:00
Teddy Reed
763f4e9437
Use SQLite 3.14.0 to support LIKE and EQUALS ( #2137 )
This commit bumps the third-party SQLite to the 3.14.0 pre-release (18:59).
With 3.14.0 the LIKE and EQUALS constraint operators may be mixed within a
query. Previously these would fail to produce a valid set.
As part of the support, each virtual table should choose to bypass rowid-based
deduplication using the new "WITHOUT ROWID" create table epilog. This will
be appended to the schema if the table defines a PRIMARY KEY using index=True.
2016-06-06 09:36:53 -07:00
Teddy Reed
9d53a1c148
Rename time and environment columns for process_events ( #2096 )
2016-05-19 14:41:03 -07:00
Teddy Reed
c4acfe89e5
Introduce table aliases ( #2104 )
2016-05-19 09:40:43 -07:00
Teddy Reed
b28c4d8d0f
Introduce table options ( #2101 )
Table options includes a change to the Registry::call API for TablePlugins.
When requesting route information or the 'columns' action, a new 'op' key is included.
2016-05-18 12:23:52 -07:00
Teddy Reed
9c01d4a6e3
Add quicklook_cache to Darwin ( #2099 )
2016-05-13 23:49:10 -07:00
Nick Anderson
209900d5a8
Adding mobile device crash parsing and 'type' column to Crashes table ( #2076 )
This commit adds mobile device crashes to the list of crash logs parsed by the Crashes table as well as adding a lamdba to improve code reuse. The commit also adds a 'type' column to the table to indicate what kind of log this crash log was.
2016-05-06 13:14:06 -07:00
Nick Anderson
27fa7001c9
Renamed crash_log table. Small fixes to parsing behavior ( #2074 )
Renamed the crash_log table to crashes for future abstraction to other
operating systems. Also fixed how the table was parsing the most recent
stack trace and the registers. Register values are now all parsed into
one column 'registers', which will be a space delimited string of the
form:
register:value register:value ... register:value
in order to best allow for OS abstraction.
2016-05-06 09:18:06 -07:00
Teddy Reed
9011123f2d
Add local_timezone and datetime (ISO) to time table ( #2073 )
It is often helpful to know the local timezone of the machine. For this use
local_timezone, as the base timezone will use local or UTC depending on the
--utc flag. This will be default=UTC in osquery 1.8.0.
The datetime field is added to mimic ISO 8601, along with iso_8601.
The timestamp field remains as the time stamp used for logging (within osquery)
and commonly outside of osquery. The goal for adding multiple representations
is to allow joining/augmenting of other tables.
2016-05-05 23:05:51 -07:00
Teddy Reed
5a56805970
Introduce --utc flag to convert all calendar UNIX times to UTC ( #2064 )
Beginning in version 1.8.0 all time uses will converge on an osquery-provided
getUnixTime() API call that returns, by default, UNIX time integers converted
to UTC/GMT. The 'time' table will respond with the parsed time for the
configuration. If the timezone is not UTC then osquery is using localtime.
This configuration option will affect the 'unix_time' response in the 'time'
table. Because of this configurable-effect the table is extended to include
'local_time' which is always the system local UNIX time.
2016-05-03 13:00:31 -07:00
Nick Anderson
134c2750c2
Adding Crash Logs table for OS X ( #2027 )
Added a table that parses out some of the information in the OS X logs
stored in /Library/Logs/DiagnosticReports as well as
/Users/<user>/Library/Logs/DiagnosticReports
2016-04-13 16:25:40 -07:00
Justin Gerace
8207feecd1
Add time column to shell_history table
* Add time column to shell_history table
* Add support for zsh timestamp format in shell_history table
2016-04-05 11:02:14 -07:00
Teddy Reed
c159ea7c71
Refactor install_history
2016-04-01 10:02:56 -07:00
Tim Zimmermann
5c47e2b91e
Add InstallHistory table
See #1922 .
2016-04-01 09:51:01 -07:00
Teddy Reed
c727b6d015
Merge pull request #1961 from zwass/syslog_events
Add syslog table for querying of rsyslog logs
2016-03-30 14:22:34 -07:00
Zachary Wasserman
98cdd3643f
Add linux syslog virtual table
This commit adds an event-based virtual table implementation for
querying the linux syslog. It introduces an event publisher that
attaches to a named pipe to ingest CSV formatted syslog forwarded from
rsyslogd. An event subscriber/virtual table makes these log lines
available for queries. Currently, no additional processing is done on
the input data besides parsing.
Using this table requires a properly configured rsyslogd. Documentation
for this configuration is forthcoming in the wiki.
2016-03-30 13:36:57 -07:00
Nick Anderson
7677494849
Treating the 'Disabled Plug-ins' as a folder as opposed to a plugin, and added a 'disabled' column to the table
2016-03-29 14:28:25 -07:00
Teddy Reed
eb76fc1860
Rename processes 'group' to 'pgroup'
2016-03-20 19:35:49 -07:00
Sereyvathana Ty
f912fca415
add cdhash, team_identifier, and authority to signature table
cdhash - code directory hash
(https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html)
team_identifier is a unique id of the app developer
authority is the common name of the signed certificate
2016-03-14 23:19:27 -07:00
Zachary Wasserman
1af6684019
Apple system log virtual table implementation
This adds a virtual table implementation for efficient querying of the
Apple System Log (ASL) store.
2016-03-14 12:19:03 -07:00
Daan De Meyer
d4737f9214
Create table called cpu_time for inspecting where the cpu cores spent time since the last system restart.
2016-03-08 15:14:06 +01:00
Joe Gallo
544ae37e9d
add fan name to fan speeds table
2016-03-03 19:44:53 -05:00
Teddy Reed
9c42ba51b3
Merge pull request #1858 from theopolis/sqlite_3.11
Bump sqlite to 3.11.0
2016-02-21 23:35:01 -08:00
Teddy Reed
9a54af29ce
Bump sqlite to 3.11.0
2016-02-21 22:40:37 -08:00
Teddy Reed
c1b2af92c3
[ Fix #1854 ] Unify power sensor tables
2016-02-21 16:02:58 -08:00
Teddy Reed
65be01d574
Merge pull request #1857 from kaizensoze/add-sensor-prefix
add sensor_ prefix to sensor-related tables
2016-02-20 18:29:30 -08:00
Joe Gallo
3cb18f9428
add powers table
2016-02-17 21:59:32 -05:00
Joe Gallo
3e5693d996
add sensor_ prefix to sensor-related tables
2016-02-17 01:05:36 -05:00
Joe Gallo
b8d32a74ec
add currents table
add smc genCurrent test
2016-02-13 16:09:14 -05:00
Teddy Reed
90d2ac4c76
Merge pull request #1839 from sharvilshah/uuid_all_the_things
[#1800 ] Add UUID to users and disk_encryption on Darwin
2016-02-10 16:01:48 -08:00
Sharvil Shah
daf7777b54
[ #1800 ] Adds uuid and user_uuid columns to the users table and
`disk_encryption` table on Darwin, respectively.
2016-02-10 13:12:43 -08:00
Joe Gallo
36ca9f5664
add voltages table
2016-02-10 04:10:44 -05:00
Teddy Reed
f252431706
Add dns_resolvers table
2016-02-08 21:52:23 -08:00
Joe Gallo
66ed804eb6
add fan speeds table
2016-02-05 21:22:07 -05:00
Teddy Reed
a48109a226
Add developer_id to safari_extensions
2016-02-03 23:46:52 -08:00
Teddy Reed
ccda460ba0
Rename 'temps' temperatures, add constraints
2016-02-03 08:49:22 -08:00
Joe Gallo
3c6134c1fa
add temperature sensors table
Extract temperature-related data from smc_keys table for table dedicated
to temperature sensors.
2016-02-02 23:57:55 -05:00
Sharvil Shah
8cb7ee71bf
Report on System Integrity Protection
2016-01-21 21:28:13 -08:00
Teddy Reed
b358d8029e
[ #1778 ] Add hardware/board info for Linux
2016-01-20 10:01:49 -08:00
Sharvil Shah
819f95ccc6
Add currently authenticated FileVault user (if available) to disk_encryption on Darwin
2016-01-19 15:46:39 -08:00
Teddy Reed
5295904624
Add an smc_keys table for OS X
2016-01-11 11:51:55 -08:00
Teddy Reed
6a1b08c4fe
Use key_strength to support ECC
2016-01-05 18:48:34 -08:00
Teddy Reed
e311a47774
Add key_size to certificates table
2016-01-05 11:34:57 -08:00
Teddy Reed
4af9d8d61c
Add certificate issuer and self_signed columns
2015-12-17 19:36:31 -08:00
Teddy Reed
70face8ac2
Add platform_info table for UEFI/ROM details
2015-12-12 01:55:14 -08:00
Teddy Reed
a99b62a31d
Preserve atime and mtime by default for readFile
2015-12-11 22:18:45 -08:00
Teddy Reed
718ff77864
Extend fields of file_events
2015-12-11 10:26:36 -08:00
Teddy Reed
98eb6a5055
Reorganize file_events into process_file_events
2015-12-11 00:58:22 -08:00
Teddy Reed
9d394065e3
[ #1636 ] Add simple sharding to packs and pack queries
2015-12-10 10:01:53 -08:00
Teddy Reed
b7650e5291
Remove passwd_changes and user_data from event callbacks
2015-12-07 17:47:38 -08:00
Teddy Reed
b88d6816f3
Additional TSK tables
2015-12-07 08:36:22 -08:00
Teddy Reed
373ce339dc
TSK integration and example tables
2015-12-04 11:08:51 -08:00
Teddy Reed
ccff0c8c18
[ Fix #1686 ] Add 'subject' and 'signing_algorithm' to certificates
2015-11-29 18:32:13 -08:00
Teddy Reed
2e57869d34
Merge pull request #1681 from theopolis/fix_1665
[#1665 , #1615 ] Refactor user-based tables to act uniformly
2015-11-24 13:07:28 -08:00
Teddy Reed
35129a7af7
[ #1665 , #1615 ] Refactor user-based tables to act uniformly
2015-11-24 12:46:25 -08:00
Teddy Reed
5370fef950
Merge pull request #1678 from theopolis/audit_user_events
[#1497 ] Add user_events table based on audit user-type messages
2015-11-23 21:31:37 -08:00
Teddy Reed
07fd718e00
Add user_events table based on audit user-type messages
2015-11-23 18:13:31 -08:00
Teddy Reed
08c7911eb7
Merge pull request #1655 from theopolis/iokit_events
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:45:10 -08:00
Teddy Reed
6748fdb024
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:31:05 -08:00
Teddy Reed
9ae53f2158
Merge pull request #1663 from cdown/f/saved_ids
Add saved UIDs and GIDs to process table
2015-11-20 14:35:20 -08:00
Teddy Reed
a673a793fe
Merge pull request #1659 from PickmanSec/knownhosts
Added known_hosts table
2015-11-20 12:46:13 -08:00
Teddy Reed
16247f10e8
Merge pull request #1624 from PickmanSec/master
added authorized_keys table
2015-11-19 09:10:59 -08:00
Chris Down
39bdec4c8d
Add saved UIDs and GIDs to process table
2015-11-18 16:44:07 -08:00
Michael George
dde59f8c18
Added known_hosts file
added known_hosts table
2015-11-17 12:38:19 -08:00
Michael George
a649bf6733
Added authorized_keys table
Fixed mislabeled variable from line parsing
Update authorized_keys.cpp
Update authorized_keys.cpp
Check if line is empty
2015-11-16 10:36:24 -08:00
Teddy Reed
cef8f59054
Merge pull request #1639 from theopolis/cache
Table results caching
2015-11-14 16:22:24 -08:00
Teddy Reed
c2be670806
Table results caching
1. Table implementations (spec files) can mark the table as 'cachable'.
2. Cached results depend on the shortest/quickest interval of scheduled
queries that act on results of the table.
3. The table API generator blocks caching on index/additional/required
table column options.
2015-11-14 15:57:23 -08:00
Teddy Reed
aa4973a1b3
Merge pull request #1644 from stripe/andrew-add-timezone
Add timezone field to time table
2015-11-10 16:41:39 -08:00
Andrew Dunham
0ae380297f
Add timezone field to time table
2015-11-10 15:17:49 -08:00
Andrew Dunham
dea93c8aa5
Add a signature table on Darwin
This table allows verifying the signature of files (or bundles) on
Darwin. It also provides the signing identifier that is a part of the
signature.
2015-11-10 13:21:18 -08:00
Teddy Reed
57e8ef2ab3
[ #1546 ] Add computer_name to system_info and extend to Linux
2015-11-04 10:31:16 -08:00
Teddy Reed
5aa225d4c3
Merge pull request #1619 from sharvilshah/wifi
Implement wifi_networks tables for OS X
2015-11-02 16:11:21 -08:00
Teddy Reed
15215cdbc0
Add persistent splays
2015-11-02 14:10:04 -08:00
Teddy Reed
5233d7dcf8
Add start time to osquery_info, remove md5/path
2015-11-02 10:57:01 -08:00
Teddy Reed
75bfcddc31
Merge pull request #1622 from theopolis/faster_sockets
Faster socket_events on Linux
2015-11-02 10:56:37 -08:00
Teddy Reed
a1a9131174
Optimize socket_events and Linux users
2015-11-02 10:37:56 -08:00
Teddy Reed
50550e607a
Build and provision edits for FreeBSD CI
2015-11-02 01:47:09 -08:00
Sharvil Shah
9a6d6d1293
Implement wifi_networks tables for OS X
If the option of remembering known Wi-Fi networks is enabled on a system,
they are persisted to disk as a preferences property list file.
This table is populated by parsing that file.
2015-11-01 16:53:51 -08:00
Teddy Reed
b81b6de6ae
This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.
A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
2015-10-27 15:13:02 -07:00
Teddy Reed
bc50c053fb
Remove boolean type-columns from file in favor of 'type'
2015-10-17 12:16:54 -07:00
Teddy Reed
6b16720039
Fix kernel_info on OS X, remove md5
2015-10-11 11:43:42 -07:00
Teddy Reed
5890901c00
Add state, group, and nice to processes
2015-09-24 13:11:46 -07:00
Teddy Reed
65162e7239
Merge pull request #1501 from sharvilshah/sysinfo_updates
Update system_info table to include CPU type, CPU cores and total memory
2015-09-14 20:02:56 -04:00
Teddy Reed
944e3de206
Merge pull request #1496 from theopolis/events_table
[#1487 ] Add osquery_events table to track pubsub stats
2015-09-14 15:27:35 -04:00
Sharvil Shah
28143f64f0
Update system_info table: adds CPU type, CPU cores and total memory.
This change adds the following columns to the `system_info` table:
cpu_type, cpu_subtype, cpu_brand, cpu_physical_cores,
cpu_logical_cores, physical_memory, hardware_model
Here's an example output of those columns:
```
cpu_type = x86_64h
cpu_subtype = Intel x86-64h Haswell
cpu_brand = Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz
cpu_physical_cores = 4
cpu_logical_cores = 8
physical_memory = 17179869184
hardware_model = MacBookPro11,3
```
2015-09-10 14:44:48 -07:00
Scott Piper
5e7d0d6a37
Added system_info table
2015-09-09 10:26:16 -07:00
Mike Arpaia
de58353131
Config MD5 a bit more deterministic
```
$ ./build/darwin/osquery/osqueryi --config_path=/asdfasdfadfs
E0903 11:45:02.050308 1990836992 init.cpp:370] Error reading config: config file does not exist
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> .all osquery_info
pid = 33700
version = 1.5.2-43-gb06fa92
config_md5 =
config_valid = 0
config_path = /asdfasdfadfs
extensions = active
build_platform = darwin
build_distro = 10.10
osquery> .exit
$ ./build/darwin/osquery/osqueryi
osquery> .mode line
osquery> .all osquery_info
pid = 33781
version = 1.5.2-43-gb06fa92
config_md5 = 8a432ac93d3de080c62d77ba99b89783
config_valid = 1
config_path = /var/osquery/osquery.conf
extensions = active
build_platform = darwin
build_distro = 10.10
osquery> .exit
```
2015-09-03 22:03:40 -07:00
Teddy Reed
b57040db60
Add osquery_events table to track pubsub stats
2015-09-03 15:10:53 -07:00
Teddy Reed
2813d3ab87
Add a Linux audit event publisher
2015-09-03 08:45:02 -07:00
Teddy Reed
7a15d25796
[ Fix #1492 ] Fix firefox key counting and spec typo
2015-09-02 19:50:36 -07:00
Mike Arpaia
a140333441
[ fix #1390 ] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.
The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.
Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.
For more information, refer to #1390 , the documentation and the doxygen
comments included with this pull request, as well as the following
example config which is now supported, regardless of what config plugin
you're using:
```json
{
  "options": {
    "enable_monitor": "true"
  },
  "packs": {
    "core_os_monitoring": {
      "version": "1.4.5",
      "discovery": [
        "select pid from processes where name like '%osqueryd%';"
      ],
      "queries": {
        "kernel_modules": {
          "query": "SELECT name, size FROM kernel_modules;",
          "interval": 600
        },
        "system_controls": {
          "query": "SELECT * FROM system_controls;",
          "interval": 600,
          "snapshot": true
        },
        "usb_devices": {
          "query": "SELECT * FROM usb_devices;",
          "interval": 600
        }
      }
    },
    "osquery_internal_info": {
      "version": "1.4.5",
      "discovery": [
        "select pid from processes where name like '%osqueryd%';"
      ],
      "queries": {
        "info": {
          "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
          "interval": 60,
          "snapshot": true
        },
        "registry": {
          "query": "SELECT * FROM osquery_registry;",
          "interval": 600,
          "snapshot": true
        },
        "schedule": {
          "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
          "interval": 60,
          "snapshot": true
        }
      }
    }
  }
}
```
The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about the pack's
discovery query execution history.
Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as a part of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface would have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-09-02 10:56:26 -07:00
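The inline pack format in the commit above is plain JSON, so a malformed pack (such as a stray trailing comma) or a query with no interval is best caught before the file reaches osqueryd. The following structural check is an added example, not osquery's own code; the field names are those of the commit's example config, and the sample configs are constructed here.

```python
import json

def validate_packs(config_text):
    """Return a list of problems; an empty list means the config parsed and
    every pack and query carries the fields the pack format above uses."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]  # trailing commas etc. surface here
    packs = config.get("packs", {})
    if not isinstance(packs, dict):
        return ["'packs' must be an object keyed by pack name"]
    problems = []
    for pack_name, pack in packs.items():
        if not isinstance(pack, dict):
            problems.append(f"{pack_name}: pack must be an object")
            continue
        # Discovery queries gate the whole pack, so each must be a SQL string.
        for q in pack.get("discovery", []):
            if not isinstance(q, str) or not q.strip():
                problems.append(f"{pack_name}: discovery entries must be SQL strings")
        queries = pack.get("queries")
        if not isinstance(queries, dict) or not queries:
            problems.append(f"{pack_name}: 'queries' must be a non-empty object")
            continue
        for qname, spec in queries.items():
            where = f"{pack_name}/{qname}"
            if not isinstance(spec, dict):
                problems.append(f"{where}: query spec must be an object")
                continue
            if not isinstance(spec.get("query"), str) or not spec["query"].strip():
                problems.append(f"{where}: missing 'query' SQL string")
            interval = spec.get("interval")
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
                problems.append(f"{where}: 'interval' must be a positive integer (seconds)")
            if "snapshot" in spec and not isinstance(spec["snapshot"], bool):
                problems.append(f"{where}: 'snapshot' must be true or false")
    return problems

# Constructed sample in the shape of the commit's example config (one pack).
GOOD = """{"packs": {"core_os_monitoring": {"version": "1.4.5",
  "discovery": ["select pid from processes where name like '%osqueryd%';"],
  "queries": {"usb_devices": {"query": "SELECT * FROM usb_devices;",
                              "interval": 600, "snapshot": true}}}}}"""
# Same pack with a trailing comma after the snapshot flag: invalid JSON.
BAD_SYNTAX = GOOD.replace('"snapshot": true}', '"snapshot": true,}')
# Structurally valid JSON whose query spec is unusable.
BAD_FIELDS = '{"packs": {"p": {"queries": {"q": {"query": "", "interval": 0}}}}}'
```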
Teddy Reed
776de9c4d1
Merge pull request #1477 from theopolis/table_xp_meta
...
XProtect meta virtual table and safari_extensions column additions
2015-08-30 21:31:35 -07:00
Teddy Reed
906d19927f
[ #1418 ] Use libarchive to parse Safari extension bundles
2015-08-29 23:59:41 -07:00
Javier Marcos
086ab40f83
Merge pull request #1473 from javuto/this_is_real_magic
...
Adding magic table to check for libmagic data
2015-08-28 14:03:10 -07:00
Javier Marcos
1a50977a23
Adding magic table to check for libmagic data
2015-08-28 12:49:46 -07:00
Teddy Reed
2433d9e06c
[ #1418 ] Include XProtect's meta list of plugin versions, and blacklisted extensions
2015-08-28 11:46:21 -07:00
Teddy Reed
3c114c3439
[ Fix #1453 ] Use second precision for process start times
2015-08-27 15:47:06 -07:00
Michael O'Farrell
5d0e4be6a1
Merge pull request #1335 from mofarrell/kernel-file-events
...
Added kernel file access events.
2015-07-31 15:22:11 -07:00
Michael O'Farrell
9f2b318778
Added kernel file access events.
2015-07-31 15:06:46 -07:00
Teddy Reed
dc82ffa636
Add optional environment variable whitelist to process_events
2015-07-30 16:05:11 -07:00
Michael O'Farrell
93a65eaf04
Merge pull request #1400 from mofarrell/process-events-env-arg
...
Adding environment variables and arguments for process events.
2015-07-27 17:54:06 -07:00
Michael O'Farrell
3f87d5832f
Adding environment variables and arguments for process events.
2015-07-27 15:48:47 -07:00
Wesley Shields
698e226b80
Add tags and strings columns to YARA tables.
...
When strings match they will be populated into the "strings" column of
the table. The format is identifier:offset.
When a matching rule has tags defined the tags will be put into the
"tags" column of the table in a comma separated list.
2015-07-27 08:20:24 -04:00