valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 18:08:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,333 Commits 2 Branches 109 Tags 25 MiB
7fbb7ef48e
Commit Graph

432 Commits

Author SHA1 Message Date
Teddy Reed
e4b60e883a Variable amalgamation output filename 2014-12-23 21:53:59 -07:00
Theodore M. Reed
b2be1fa383 Whole link tests and refactor flags_test 2014-12-23 20:38:16 -08:00
Teddy Reed
b2dca55539 Build leaner libosquery, allow control over spec/impl 2014-12-23 20:07:12 -08:00
Theodore M. Reed
01005c72b3 Moved crontab out of utility 2014-12-23 14:39:59 -08:00
Theodore M. Reed
53d683a3b3 Remove tables dependency from CMake build 2014-12-23 14:37:07 -08:00
Theodore M. Reed
7b0640e4eb Move table link dependencies into tables CMakeLists 2014-12-23 14:37:00 -08:00
Teddy Reed
ff7ca1e800 Merge pull request #557 from theopolis/xprotect_results 
OSX results of XProtect hits
 2014-12-18 13:04:08 -08:00
mike@arpaia.co
b9f732c31f Updating the license comment to be the correct open source header 
As per t5494224, all of the license headers in osquery needed to be updated
to reflect the correct open source header style.
 2014-12-18 10:52:55 -08:00
Teddy Reed
6a6851c4bc Merge pull request #544 from theopolis/events_2.0 
Events 2.0
 2014-12-17 20:17:02 -08:00
Teddy Reed
888f74de36 OSX results of XProtect hits 2014-12-17 18:35:01 -08:00
Teddy Reed
4453806dce Remove raw pattern from XProtect 2014-12-17 14:46:53 -08:00
Teddy Reed
7602d17de9 Move base64Decode from ca_certs testing to conversions 2014-12-17 14:03:52 -08:00
Teddy Reed
fefe6de824 OSX XProtect siganture DB as virtual table 2014-12-16 21:35:26 -08:00
Teddy Reed
8c38492b2a Add XProtect vtable to OSX 2014-12-16 17:59:07 -08:00
Teddy Reed
d5c5253bbc Add osquery_flags vtable 2014-12-16 02:07:50 -08:00
Teddy Reed
b5535256e6 [Fix #546] Rename md5 to config_md5 and add config_path to osquery_info 2014-12-16 01:52:02 -08:00
Teddy Reed
4425bed23e Merge pull request #504 from Anubisss/master 
Adding a table which maps services from /etc/services.
 2014-12-16 01:23:05 -08:00
Teddy Reed
6de14466db Events 2.0 using pbr 2014-12-15 11:55:05 -08:00
Teddy Reed
fcdf49d17f WIP migrating Linux Events 2014-12-15 00:43:28 -08:00
Teddy Reed
17efa0b3d6 Migrate subscribers on OSX 2014-12-15 00:25:28 -08:00
Teddy Reed
c1e37b73fb Non-static event type and name IDs 2014-12-14 18:03:41 -08:00
anuka
fa95ff09d8 Some fix for etc_services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-12-14 22:14:00 +01:00
anuka
375c837b74 Merge remote-tracking branch 'upstream/master' 2014-12-13 15:27:09 +01:00
Teddy Reed
00c88a19bc Add timeout to netlink socket read 2014-12-12 17:50:47 -08:00
Teddy Reed
acccfa94e2 IOKit HID events and OSX hardware_events table 2014-12-11 18:06:08 -08:00
Teddy Reed
7b56fa605d PCI/USB parity 2014-12-10 19:51:18 -08:00
Teddy Reed
a75fa3bf11 Merge pull request #538 from theopolis/improve_usb 
Improve usb_devices on OSX
 2014-12-10 19:51:08 -08:00
mike@arpaia.co
8f8bc6b772 osquery_info table 2014-12-10 18:38:41 -08:00
Teddy Reed
b08ad3cb14 Check USB property for CFString type 2014-12-10 09:12:12 -08:00
Teddy Reed
f29e0c17ca Update ca_certs_tests to use moved OSX conversions 2014-12-10 01:59:13 -08:00
Teddy Reed
4644c5e19b Simple usb_devices updates 2014-12-10 01:52:02 -08:00
Teddy Reed
7ba4fb31dd Merge pull request #536 from theopolis/suid_fix 
Suid fix
 2014-12-10 01:19:48 -08:00
Teddy Reed
0b5083bd0e Improve usb_devices on OSX 2014-12-10 01:17:24 -08:00
Teddy Reed
ab8df11818 Add filesystem_error catching and remove suid_bin from BL 2014-12-09 20:13:39 -08:00
Teddy Reed
9a9de67b93 Restrict suid_bin to common search paths 2014-12-09 16:38:14 -08:00
Teddy Reed
192224977d Add small delay if NL read = 0 2014-12-09 16:02:25 -08:00
Teddy Reed
22c9664ae1 [Fix #530] Continue to read from NL socket 2014-12-09 15:49:40 -08:00
Sean Williams
341fbc3b53 -Conform to new table function signature 
-Add proper include and fix brackets on macro
-Let osquery core do the integer cast for syscall_addr_modified
-Fix misc cruft
 2014-12-09 01:47:51 +00:00
Sean Williams
48bf3192e1 kernel_integrity vtable to use camb 2014-12-08 23:58:33 +00:00
Teddy Reed
2ebbbf6f98 Linux udev events 2014-12-08 14:13:47 -08:00
Teddy Reed
b890670be1 Replace linux cmdline tokens with spaces 2014-12-07 00:35:24 -07:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274 Merge pull request #515 from theopolis/faster_generator 
Towards simple table generation
 2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f Merge pull request #510 from wxsBSD/issue_475 
Implement signed columns for users and groups.
 2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325 Use a single class for Table plugins 2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4 Amalgamate generated tables 2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405 Organize /tools 2014-12-02 21:16:24 -08:00
Teddy Reed
f4337243ec Towards simple table generation 2014-12-02 20:36:46 -08:00
Teddy Reed
d885bf420d Port manual/filesystem to file using constraints 2014-12-02 12:37:26 -08:00
Wesley Shields
2504c06feb Implement signed columns for users and groups. 
Fixes #475.
 2014-12-01 11:52:13 -05:00
Teddy Reed
3ec6b473dd [Fix #498] Remove default catch in quaratine 2014-11-30 22:01:31 -07:00
Teddy Reed
13c8277bb4 Add query constraints to logged_in_users 2014-11-29 22:40:11 -08:00
Teddy Reed
e33443d354 clang-format on feature-predicate updates 2014-11-29 22:36:07 -08:00
Teddy Reed
76780aa6f0 Improve OSX apps table 2014-11-29 22:36:07 -08:00
Teddy Reed
b1cf8f1e61 Improve and use constraints for various OSX tables 2014-11-29 22:36:07 -08:00
Teddy Reed
3fa2442e25 Rename/improve bash_history to shell_history 2014-11-29 22:36:07 -08:00
Teddy Reed
56014b9c31 Moving tables definitions into core/tables.cpp 2014-11-29 22:36:06 -08:00
Teddy Reed
b18068f114 Improve kextstat/startup_items code and perf 2014-11-29 22:36:06 -08:00
Theodore M. Reed
8ab1863790 Predicate constraints for FreeBSD 2014-11-29 22:36:06 -08:00
Teddy Reed
59367b41af Predicate constraints for Linux 2014-11-29 22:36:06 -08:00
Teddy Reed
b4be08a702 Updating table generators to use QueryContext 2014-11-29 22:36:05 -08:00
Teddy Reed
cd8413d483 Organizing affinity types into tables. 2014-11-29 22:36:05 -08:00
Teddy Reed
2b1cd4eee3 Towards predicate constraint checking 2014-11-29 22:36:05 -08:00
Teddy Reed
750cc807cf Merge pull request #493 from wxsBSD/issue_9 
Implement logged_in_users.
 2014-11-29 22:22:10 -08:00
anuka
0a280f6546 Adding a table which maps services from /etc/services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-11-29 17:06:34 +01:00
mike@arpaia.co
fdcea6daa7 manual fix to spacing issue 2014-11-25 09:08:00 -08:00
mike@arpaia.co
8f50cae3aa clang-format on the codebase 
Periodic clang-format run.
 2014-11-25 09:05:16 -08:00
Wesley Shields
7abc9f75f2 Implement logged_in_users. 
Fixes #9.
 2014-11-22 23:49:37 -05:00
Teddy Reed
4de3c8a0cf Fix memory leaks in USB Devices for OSX 2014-11-22 18:04:47 -08:00
Nick
acad6d8e8d Added USB device support for Mac (Linux coming next) 2014-11-22 17:42:56 -08:00
Wesley Shields
059403eac4 Merge branch 'master' into macros 
Conflicts:
	osquery/tables/system/darwin/processes.cpp
 2014-11-22 15:12:21 -05:00
Teddy Reed
1caba72c30 Remove 'host' from OS X route types #483 2014-11-21 10:59:25 -08:00
Teddy Reed
44181b7aeb Add basic support for unsigned long long int 2014-11-21 10:32:56 -08:00
Teddy Reed
1961921d95 Pull process_open_files out of processes.cpp and reduce logging 2014-11-20 17:19:04 -08:00
Teddy Reed
a84c20a468 Merge pull request #472 from theopolis/cleanup-inode-tables 
Cleanup inode table implementations and unblacklist.
 2014-11-19 17:04:23 -08:00
Teddy Reed
b2debf509a Cleanup inode table implementations and unblacklist 2014-11-19 16:56:48 -08:00
Teddy Reed
9a6a69a224 Merge pull request #469 from theopolis/logging-nits 
Move expected errors to info log
 2014-11-19 14:54:32 -08:00
Mike Arpaia
ac70916719 Merge pull request #434 from lwhsu/freebsd-build 
FreeBSD support of build infrastructure
 2014-11-19 09:23:17 -08:00
Teddy Reed
bc9a5ed3b4 Move expected errors to info log 2014-11-19 09:03:58 -08:00
mike@arpaia.co
ee15228819 fixing naming of columns in tests 2014-11-18 17:43:16 -08:00
Wesley Shields
9cf662cca0 More explicit usage of macros. 2014-11-18 19:40:14 -05:00
Wesley Shields
550bf15c74 First pass at macro usage in tables. 2014-11-18 19:25:34 -05:00
Li-Wen Hsu
4f8006ad02 Add dummy table implementations for FreeBSD 2014-11-19 05:07:59 +08:00
Mike Arpaia
3c243e02f2 Merge pull request #463 from facebook/mounts-unified 
Unified mounts spec
 2014-11-18 11:32:17 -08:00
Teddy Reed
12a5daa225 Change user_name, group_name to username, groupname 2014-11-18 10:48:47 -08:00
mike@arpaia.co
ecb8e474a4 Unified mounts spec 2014-11-18 10:46:48 -08:00
Li-Wen Hsu
6c55b51c53 Merge branch 'master' into freebsd-build 
Conflicts:
	osquery/core/system.cpp
	tools/provision.sh
 2014-11-19 01:50:38 +08:00
Teddy Reed
7287ad5e63 Fix process free regression for libprocps 2014-11-17 16:52:20 -08:00
Mike Goffin
57faad63fa Merge branch 'master' into mounts_table 2014-11-17 15:03:50 -05:00
Mike Goffin
2ce6882317 Format fixes. 
- ran clang-format.
- lowercased column names for table.
- removed include for boost as it's no longer being used.
 2014-11-17 15:02:33 -05:00
Teddy Reed
1116d6a928 Merge pull request #438 from theopolis/feature-arp-table 
arp_cache vtable for OSX and Linux
 2014-11-17 11:36:46 -08:00
Mike Goffin
0b4e382e96 Merge branch 'master' into mounts_table 2014-11-17 13:46:59 -05:00
Mike Goffin
6cddf4ad39 Mounts table for Darwin. 
Associated with #255, this adds Mounts table support for Darwin.
 2014-11-17 13:43:59 -05:00
Wesley Shields
c764226b77 Use INTEGER macro. 
This makes the code match the example at:

https://github.com/facebook/osquery/wiki/creating-a-new-table
 2014-11-17 13:30:46 -05:00
Teddy
968f8027e6 Cleaner arp_table->arp_cache on Linux/OSX 2014-11-17 02:37:15 -08:00
Teddy Reed
ee015343f9 Simplify arp, move to arp_table 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
65c4ed4a7d Fix boost split on linux to remove sscanf 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
2b32673445 Some fixes: 
- clang-format on code
- NULL -> nullptr
- some (char *) changed in std::string favour
- Removed a memory leak.
- Moved struct inside the table namespace
 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
778951d6a4 Remove osx dependency on system() call to get arp information 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
c7fc2cee22 rename vtable field arp->mac 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
4f524abbea arp vtable different implementation in osx and linux 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
413d6f068b Change fgetln (osx specific) in favour of getline (both osx and linux) 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
1843d80660 arp vtable with ip, arp and interface where it was seen 2014-11-16 19:49:40 -08:00
mike@arpaia.co
bfceaf8453 blacklisting port_inode and socket_inode 
port_inode and socket_inode have caused a few issues lately and, as of
right now, they both have open issues against them. For the time being,
I'm going to blacklist them. When the tables are production-ready, we
can re-add them back in to the base linux build.
 2014-11-16 09:42:57 -08:00
Li-Wen Hsu
ea7b617a7c No utmpxname() under FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
a102a3273e Include proper headers for FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
e49537c8fa Add libraries and settings for FreeBSD 2014-11-16 01:41:50 +08:00
Teddy Reed
a1898ef03b Check tables row vector size before access 2014-11-14 15:18:25 -08:00
Teddy Reed
02841f5e7f Add kernel userland-API inet_diag header 2014-11-14 01:42:34 -08:00
Teddy Reed
565bce3c07 Fix unwind exception catching 2014-11-14 01:42:00 -08:00
Vincent Mauge
632151d56a Set ouput_bit to 0 instead of cast error 2014-11-12 22:02:04 -08:00
Teddy Reed
0d8b9d3eaa Use SQLite types 2014-11-12 11:07:24 -08:00
Teddy Reed
525a3b79a0 Tons of new build features 
* The OS/DISTRO are available as defines when writing tables:
  UBUNTU, UBUNTU_14_04, UBUNTU_12_04
  CENTOS, CENTOS_6_6
  DARWIN, DARWIN_10_10, DARWIN_10_9
* The table generation tooling now grabs virtual tables templates
  from ./osquery/tables/templates/<name>.cpp.in.
* The table generation tooling will detect reserved column names.
* suid_bin uses the new UBUNTU to restrict calls to root (fix #362).
 2014-11-12 00:57:47 -08:00
Teddy Reed
8e408f987e Table spec documentation examples 2014-11-11 11:26:11 -08:00
Teddy Reed
050e942d11 Support USE_BLACKLIST=1 to remove tables from release 2014-11-10 13:30:38 -08:00
Abe Stanway
811d98c595 free(linkname) and no more 'self' 2014-11-10 15:02:31 -05:00
Abe Stanway
30149a70f9 Updated 2014-11-10 15:02:31 -05:00
Abe Stanway
322fde0121 Socket_inode and port_inode tables to map PIDs->ports via netlink inet_diag 
Example query:
```
SELECT port.local_port,
       port.remote_port,
       port.local_ip,
       port.remote_ip,
       socket.pid,
       process.name,
       process.cmdline
       process.path
       FROM socket_inode AS socket
       JOIN port_inode AS port
       ON socket.inode = port.inode
       INNER JOIN processes AS process
       ON socket.pid = process.pid;
```
 2014-11-10 15:02:31 -05:00
Teddy Reed
86d2ac208b Use leaks for OSX memory leak profiling 2014-11-10 11:34:17 -08:00
Mike Arpaia
3245e5a6cd Merge pull request #394 from wizzat/process_args 
Add cmdline to darwin
 2014-11-10 13:20:47 -05:00
Teddy Reed
19aa99583e Linux processes vtable use freeproc 2014-11-10 10:12:47 -08:00
Mark Roberts
dc1684fca7 Add cmdline to darwin 2014-11-10 09:36:17 -08:00
Teddy Reed
b0ff403d3d Fixing librpm API usage leaks 2014-11-10 01:48:07 -08:00
Teddy Reed
b77406b122 [Fix #367] Check RPMTAG class before cast 2014-11-09 02:07:49 -08:00
Teddy Reed
078d4cf7d2 Refector shell flags/versioning 2014-11-08 20:27:28 -08:00
Veres Lajos
afc82c722f typo fixes - https://github.com/vlajos/misspell_fixer 2014-11-07 22:18:02 +00:00
Alexander Polyakov
00dbf282a6 / is not always readable 2014-11-07 01:00:58 +03:00
Alexander Polyakov
c0d827f534 Add euid / egid to process table 
(not tested on darwin)
 2014-11-06 01:35:52 +03:00
mike@arpaia.co
05cfff81c8 clang-format 2014-11-04 11:42:30 -08:00
mike@arpaia.co
896a4f2957 generic users function and some general cleanups 2014-11-04 11:40:54 -08:00
Zachary Wasserman
0b30b9f692 Add basic Mac startup items vtable 2014-11-04 11:40:54 -08:00
Alexander Polyakov
a60230af5e linux/processes: fix infinite loop, throw away workaround 2014-11-04 15:31:35 +03:00
Teddy Reed
03034780f1 Add note about blocking process_env as non-su 2014-11-03 23:46:47 -08:00
Teddy Reed
ea3880eefb Merge pull request #354 from wizzat/graceful_envs 
Graceful envs
 2014-11-03 23:43:04 -08:00
Mike Arpaia
37734bc5a4 Merge pull request #351 from LTD-Beget/blockdev_table 
Blockdev table for linux
 2014-11-03 22:29:35 -08:00
Mark Roberts
5780fffa22 Potential Linux fix, pending boost::filesystem::path fix on master. Issue #323 2014-11-03 20:39:51 -08:00
Alexander Polyakov
cbc2139047 block_devices: trim spaces around model and vendor 2014-11-04 05:00:24 +03:00
Teddy Reed
dc77df602e [format] Cleanup various PRs not run through clang-format 2014-11-03 17:57:01 -08:00
Mark Roberts
176af65fb5 Remove logging of permissions error when running as non-root user on OSX 
Issue #323
 2014-11-03 17:29:22 -08:00
Mike Arpaia
01944a3bb7 Merge pull request #352 from LTD-Beget/pci_devices_crash 
pci_devices: udev_device_get_property_values() can return NULL
 2014-11-03 15:17:03 -08:00
Alexander Polyakov
95aeaba024 pci_devices: unref things after use 2014-11-04 01:48:42 +03:00
Alexander Polyakov
1ce1424d01 Add braces 2014-11-04 01:21:02 +03:00
Alexander Polyakov
e3364ac34c Add braces 2014-11-04 01:13:49 +03:00
Mike Arpaia
a9e636af9f Merge pull request #349 from facebook/329 
Ensuring that listening_ports results are unique
 2014-11-03 14:08:04 -08:00
Alexander Polyakov
f96180e926 pci_devices: udev_device_get_property_values() can return NULL 2014-11-03 23:56:59 +03:00
Alexander Polakov
274e037527 Blockdev table for linux 2014-11-03 23:39:14 +03:00
mike@arpaia.co
75ded8b881 Ensuring that listening_ports results are unique 2014-11-03 12:03:57 -08:00
Akshay Dixit
c99c08c607 changed comments to // from /* , char* to std::string consts, and ran clang-format on the file 2014-11-02 21:09:04 -07:00
Akshay Dixit
cb1bf1c305 cleaned up pci_devices.cpp 2014-11-02 21:09:04 -07:00
Akshay Dixit
6c418507e6 renamed lspci to pci_devices and specified it linux only 2014-11-02 21:09:04 -07:00