* deb_packages: Fix include order issue
* bpf_socket_events, bpf_process_events: Initial implementation
* BPF: Add process tracking to process events, remove sockets_event
* CMake: Upgrade the C++ standard to C++17
* BPF: Improve initial system state snapshot and event collection
* BPF: Add tests for SystemStateTracker
* BPF: Add tests for BPFEventPublisher
* BPF: Refactor, add tests for ProcessContextFactory
* Refactor: Improve initial scan/event handling, fix openat
* BPF: Improve event ordering
* BPF: Fix test issue in BPFEventPublisher::processOpenAt
* BPF: Mark WIP functions as deprecated
* BPF: Improve tests
* BPF: Add back bpf_socket_events and connect() support
* BPF: Add Netlink addr support, add bind()
* BPF: Add accept/accept4 support
* BPF: Add tests for BPFEventPublisher::processOpenat2Event
* BPF: Add remaining tests for BPFEventPublisher
* BPF: Add configuration flags for memory management
* BPF: Add cmdline support to ProcessContextFactory
* BPF: Add additional tests
* BPF: Add unit test for SystemStateTracker::accept
* BPF: Update cwd handling
* BPF: Add tests for bpf_socket_events
* BPF: Add tests for bpf_process_events
* BPF: Add json_cmdline hidden column to bpf_process_events
* BPF: Update all copyright headers
* BPF: Add syscall duration in socket_events/process_events
* BPF: Code review changes
* BPF: Update ebpfpub to the latest version
* BPF: Removed unused functions
* BPF: Code review changes
  Add whitespace around namespaces
* BPF: Revert header changes in rot13.cpp
* BPF: Code review changes
  Rename the bpf_ntime column in bpf_socket_events/bpf_process_events to ntime and make it the last visible column
* BPF: Code review changes
  Update the dependencies for the BPF tests
* BPF: Code review changes
  Update the dependencies for the BPF table tests
* BPF: Code review changes
  Update how characters are appended to strings in the system state tracker class
* BPF: Code review changes
  Update the string -> integer conversion utilities in the process context factory class.
* BPF: Hide failed exec syscalls from bpf_process_events results
* BPF: Do not log an error for invalid sockaddr structures
* BPF: Code review changes
  Remove clang-format ignore block
* BPF: Code review changes
  Update log messages in the BPFEventPublisher class
* BPF: Code review changes
  Remove clang-format ignore block around the function tracer descriptors
* BPF: Code review changes
  Document the IFilesystem interface
* BPF: Code review changes
  Document the IProcessContextFactory interface
* BPF: Code review changes
  Document the ISystemStateTracker interface
The instruction doesn't exist on other processors, and while there
might be ways to retrieve the equivalent information, none directly
matches the x86 "cpuid". This takes out the table completely on
non-x86_64 architectures.
Co-Authored-By: Benjamin Herrenschmidt <benh@kernel.crashing.org>
The PR adds an on-demand version of the Windows events log table that can return the WEL entries from an arbitrary event provider. It supports selective filtering based on additional query parameters. An example query:
```
osquery> select * from windows_events_vtable where channel = 'Application' and eventid = 1000;
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| channel | datetime | task | level | provider_name | provider_guid | eventid | recordid | keywords | data | pid | tid |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| Application | 2020-07-22T03:19:32.617052900Z | 0 | 4 | Microsoft-Windows-LoadPerf | {122EE297-BB47-41AE-B265-1CA8D1886D40} | 1000 | -1 | 0x8000000000000000 | {"UserData":{"EventXML":"","binaryData":"EC2C0000BC2D0000ED2C0000BD2D0000","binaryDataSize":"16","param1":"WmiApRpl","param2":"WmiApRpl"}} | 5824 | 5828 |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
```
* Windows events: Complete rewrite, implementing tests
* Windows events: Convert the 'keywords' column to TEXT
  Since SQLite does not support unsigned 64-bit integers, this changes the 'keywords' column type to TEXT.
  This is for consistency with the decisions taken for PR osquery/osquery#6413 and osquery/osquery#6414.
  We also update the integration test helper to accept custom constraints, in case the table has required columns.