Added the OSQUERY_BUILD_AWS option due to
oss-fuzz CI failing to build the AWS EC2 library,
due to its high requirement of memory.
The fuzzers do not gain much from having these tables enabled,
moreover this can be used during development
to avoid building a possibly unneeded table.
Done some minor cleanups to remove logic duplication
and enable ec2 integration tests on all the platforms
that support them.
Due to a bug present in CPack provided with CMake
version 3.18.0 and higher on RPM packages generation,
add a check which fails the configuration
if a version with the bug is found.
Provide a way to ignore the check by setting
OSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK=TRUE.
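One way to express the check described above in CMake, as an added illustration that is not osquery's own build code: the option name OSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK comes from the message, while the variable OSQUERY_CMAKE_MAX_VERSION and the wording of the error are assumptions made here.

```cmake
# Added example (not osquery's own CMake code): refuse to configure with a
# CMake whose bundled CPack has the RPM generation bug (3.18.0 and higher,
# per the message above), unless the user explicitly opts out.
cmake_minimum_required(VERSION 3.14)

# Assumed variable name: first CMake version known to carry the CPack bug.
set(OSQUERY_CMAKE_MAX_VERSION "3.18.0")

# option() respects a value already passed on the command line, so
# -DOSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK=TRUE bypasses the check below.
option(OSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK
       "Skip the check for CMake versions with the CPack RPM bug" OFF)

if(NOT OSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK AND
   CMAKE_VERSION VERSION_GREATER_EQUAL "${OSQUERY_CMAKE_MAX_VERSION}")
  # FATAL_ERROR stops configuration, so no broken RPM can be produced later.
  message(FATAL_ERROR
    "CMake ${CMAKE_VERSION} ships a CPack with a known RPM packaging bug. "
    "Use a version older than ${OSQUERY_CMAKE_MAX_VERSION}, or set "
    "-DOSQUERY_IGNORE_CMAKE_MAX_VERSION_CHECK=TRUE to bypass this check.")
endif()
```

Failing at configure time rather than at packaging time means the problem surfaces on the first `cmake` invocation, where the operator can still pick a different CMake, instead of after a full build.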
* deb_packages: Fix include order issue
* bpf_socket_events, bpf_process_events: Initial implementation
* BPF: Add process tracking to process events, remove sockets_event
* CMake: Upgrade the C++ standard to C++17
* BPF: Improve initial system state snapshot and event collection
* BPF: Add tests for SystemStateTracker
* BPF: Add tests for BPFEventPublisher
* BPF: Refactor, add tests for ProcessContextFactory
* Refactor: Improve initial scan/event handling, fix openat
* BPF: Improve event ordering
* BPF: Fix test issue in BPFEventPublisher::processOpenAt
* BPF: Mark WIP functions as deprecated
* BPF: Improve tests
* BPF: Add back bpf_socket_events and connect() support
* BPF: Add Netlink addr support, add bind()
* BPF: Add accept/accept4 support
* BPF: Add tests for BPFEventPublisher::processOpenat2Event
* BPF: Add remaining tests for BPFEventPublisher
* BPF: Add configuration flags for memory management
* BPF: Add cmdline support to ProcessContextFactory
* BPF: Add additional tests
* BPF: Add unit test for SystemStateTracker::accept
* BPF: Update cwd handling
* BPF: Add tests for bpf_socket_events
* BPF: Add tests for bpf_process_events
* BPF: Add json_cmdline hidden column to bpf_process_events
* BPF: Update all copyright headers
* BPF: Add syscall duration in socket_events/process_events
* BPF: Code review changes
* BPF: Update ebpfpub to the latest version
* BPF: Removed unused functions
* BPF: Code review changes
  Add whitespace around namespaces
* BPF: Revert header changes in rot13.cpp
* BPF: Code review changes
  Rename the bpf_ntime column in bpf_socket_events/bpf_process_events
  to ntime and make it the last visible column
* BPF: Code review changes
  Update the dependencies for the BPF tests
* BPF: Code review changes
  Update the dependencies for the BPF table tests
* BPF: Code review changes
  Update how characters are appended to strings in the
  system state tracker class
* BPF: Code review changes
  Update the string -> integer conversion utilities in the
  process context factory class.
* BPF: Hide failed exec syscalls from bpf_process_events results
* BPF: Do not log an error for invalid sockaddr structures
* BPF: Code review changes
  Remove clang-format ignore block
* BPF: Code review changes
  Update log messages in the BPFEventPublisher class
* BPF: Code review changes
  Remove clang-format ignore block around the function tracer
  descriptors
* BPF: Code review changes
  Document the IFilesystem interface
* BPF: Code review changes
  Document the IProcessContextFactory interface
* BPF: Code review changes
  Document the ISystemStateTracker interface
We have ported all platforms to use the source layer.
The facebook layer is not needed anymore since we build everything from source now;
the same goes for the transitional source_migration layer.
Minor cleanups about the recently removed python modules.
- Update libarchive to build from source on Windows and macOS
- Update yara to build from source on macOS
- Update librdkafka to build from source on macOS
- Build librdkafka with SSL and SASL_SCRAM support on Linux
- Update librpm to 4.15.1 to support the newer openssl
- Update libxml2 to build from source on Windows and macOS
- Update lzma to build from source on Windows and macOS
- Use ICU library not only for boost but libxml2 too
- Implement a workaround to have Buck builds still compile
with the old openssl version
- Restore the ability of osquery to log to the Windows Event Log.
- Restore the information normally shown on the Details tab
of the Properties of the osquery executable.
- Add and refactor utility functions to parse and transform
the osquery version, needed by the Windows resource files
and packaging.
CMake utility functions (generateOsqueryExtensionGroup, addOsqueryExtension{Ex},
addOsqueryModule) to add extensions.
Updates the boost library submodules needed for extensions build.
Use cache variable (OSQUERY_EXTENSION_GROUP_NAME) for the grouping of extensions
and fix the linkage with osquery interface library.
Instead of moving a patched submodule from source to build directory,
we copy it and then hard reset the submodule to its original HEAD.
Minor message change when a library fails to be imported.
- Always link to libc++abi.a, dl and rt.
- Add OSQUERY_TOOLCHAIN_SYSROOT option which should contain
the path to the sysroot where the portable compiler and its libraries are.
- Fix OpenSSL build with custom toolchain.
- Always include the custom toolchain cmake.
Unfortunately system name detection is done when project() is called
which is also when compiler detection is done, and we need the compiler
to be set before that, so we always include the cmake file.
- Do not use getrandom syscall in Boost, for glibc < 2.25 support.
- Remove usage of secure_getenv and getauxval in librpm.
- Update CI to use the toolchain.
- Reflect changes in the docs.
Add a way to compile third-party libraries from source instead of downloading prebuilt ones.
Each library source code is downloaded with git into a submodule at configure time,
in response to the find_package(library_name) CMake call,
except for OpenSSL where the official source archive is used.
Each submodule is attached to a release tag on its own upstream repository.
All the libraries are built using CMake directly, except for OpenSSL which uses a formula system,
which permits building libraries with a separate build system
when there's no easy way to integrate it directly with CMake.
This new dependency system determines which library is fetched from where using the concept of "layers".
Currently we have three of them: source, formula, facebook,
where the last layer represents the pre-built libraries.
The provided order will be used when looking for libraries.
A system to patch submodule source code has been added and it's currently used with googletest, libudev and util-linux.
Patches should be put under libraries/cmake/source/<library name>/patches/<submodule>,
where <submodule> is usually a single one named "src", but in other cases, like AWS,
there are multiple with more specific names.
If for whatever reason the submodule cloning or the patching fails,
the submodule has to be unregistered and its folder should be cleared.
This should be achievable with "git submodule deinit -f <submodule path>".
Following are some other changes to existing functionality:
- Changed the CMake variable BUILD_TESTING to OSQUERY_BUILD_TESTS
to avoid enabling tests on third party libraries.
Due to an issue with glog the BUILD_TESTING variable
will always be forced to OFF.
- Moved compiler and linker flags to their own file cmake/flags.cmake
- Moved all the third-party CMakeLists.txt used for pre-built libraries under libraries/cmake/facebook
- Added the --exclude-folders option to tools/format-check.py and tools/git-clang-format.py,
so that it's possible to ignore any third party library source code.
- The format and format_check targets use the new --exclude-folders option
to exclude libraries/cmake/source from formatting.
- The test and osquery binaries are properly compiled with PIE (osquery/osquery#5611)
Co-authored-by: Stefano Bonicatti <stefano.bonicatti@gmail.com>
Co-authored-by: Teddy Reed <teddy@casualhacking.io>
Taken from osql-experimental.
- Change CMake code license to the one present in osquery right now
- Package metadata doesn't mention Trail of Bits or osql anymore
- Set specific ACLs for the osqueryd on Windows when packaging
- Remove LLVM_INSTALL_PATH support on macOS, since we are using AppleClang
- Remove OSQUERY_SOURCE_DIR variable need and source in a submodule support
- Add targets format_check and format to check code formatting and
format it with clang-format
- Do not warn about not using Clang on macOS when using AppleClang
* Add LIBRARY_PATH environment variable to sync.sh so that "make sync" works as expected to find libraries
needed to link. Added 2nd parameter (libraries path) to CMakeLists.txt when calling sync.sh
* Revert database CMakeLists.txt change - as was for testing
* Add indentation to sync.sh
* Fix indentation on tool/sync.sh