yetanotherhacker
8cee7e0b3c
Spelling fixes in comments and output.
2014-10-30 04:27:00 -04:00
Mark Roberts
0867c2b547
Add process_envs table for OSX and Linux for issue #99
2014-10-29 03:45:26 -07:00
Teddy Reed
39f866387f
[vtables] CPUID asm call feature information
2014-10-29 03:09:34 -07:00
Teddy Reed
6db0c67555
Merge pull request #269 from vmauge/suidbin
...
Add suid_bin vtable
2014-10-29 02:30:29 -07:00
Teddy Reed
94c64d80ce
Merge pull request #267 from facebook/kernel_modules
...
[vtables] Linux kernel modules from procfs
2014-10-29 02:03:46 -07:00
Vincent Mauge
471d5faaa0
Add suid_bin vtable
...
The vtabel report :
- path: full path of the file
- unix_user: name of the owner (if not available display the uid)
- unix_group: name of the groupe (if not available display the gid)
- permissions: report suid or guid
* S for suid bin
* G for guid bin
Example :
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path | unix_user | unix_group | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps" | root | wheel | S |
| "/bin/rcp" | root | wheel | S |
| "/Users/vmauge/suid_test" | vmauge | 999 | SG |
| "/usr/bin/at" | root | wheel | S |
| "/usr/bin/atq" | root | wheel | S |
| "/usr/bin/atrm" | root | wheel | S |
| "/usr/bin/batch" | root | wheel | S |
| "/usr/bin/crontab" | root | wheel | S |
| "/usr/bin/ipcs" | root | wheel | S |
| "/usr/bin/lockfile" | root | mail | G |
| "/usr/bin/login" | root | wheel | S |
| "/usr/bin/newgrp" | root | wheel | S |
| "/usr/bin/procmail" | root | mail | G |
| "/usr/bin/quota" | root | wheel | S |
| "/usr/bin/rlogin" | root | wheel | S |
| "/usr/bin/rsh" | root | wheel | S |
| "/usr/bin/su" | root | wheel | S |
| "/usr/bin/sudo" | root | wheel | S |
| "/usr/bin/top" | root | wheel | S |
| "/usr/bin/wall" | root | tty | G |
| "/usr/bin/write" | root | tty | G |
| "/usr/sbin/postdrop" | root | _postdrop | G |
| "/usr/sbin/postqueue" | root | _postdrop | G |
| "/usr/sbin/rpc.net" | root | wheel | S |
| "/usr/sbin/rpcset" | root | wheel | S |
| "/usr/sbin/traceroute" | root | wheel | S |
| "/usr/sbin/traceroute6" | root | wheel | S |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
This commit fixes issue #253 .
2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e
[vtables] Rename homebrew files, some cleanup
2014-10-29 00:34:55 -07:00
Martin Majlis
d645dfc257
Initial implementation for the homebrew table.
2014-10-28 21:03:56 -07:00
Teddy Reed
9abcbcd485
[vtables] Linux kernel modules from procfs
2014-10-28 21:01:51 -07:00
Teddy Reed
6e60612520
Using clang-format 3.5
2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9
Merge pull request #228 from facebook/bash_history_table
...
Adding virtual table bash_history, for linux and darwin
2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534
updating comment
2014-10-27 16:34:00 -04:00
Javier Marcos
c8c3363455
Changed logic to ignore when history file is not found (expected)
2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e
Refactoring and added column for history file, also more history files supported
2014-10-24 20:29:23 -07:00
Teddy Reed
a82792b3f7
Log results as events
2014-10-24 17:05:17 -07:00
Javier Marcos
bf3cd15c91
Final fix for the allocation problem
2014-10-23 17:17:50 -07:00
Javier Marcos
f69913938f
Bad memory leak with OpenDirectory and pwd/grp.h code
2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab
Adding virtual table bash_history, for linux and darwin
2014-10-22 15:21:05 -07:00
Javier Marcos
06792db7f0
Adding support for last in linux
2014-10-13 18:19:08 -07:00
Javier Marcos
b3208bab70
Errors handled, shit is on fire
2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0
Adding groups vtable and refactoring users
2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e
only index if it's not nullptr
2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02
cleaning up some memory leak supps
2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959
Making sure we do not add duplicated users
2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a
OMG memory leaks
2014-10-09 18:08:31 -07:00
Javier Marcos
d09e6037dd
Fixing infinite loop adding mutex
2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da
Adding vtable for users
2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873
Install package depending on arch and better comments
2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5
Adding support to build osquery in centos 6.5
2014-10-08 03:45:56 +00:00
Teddy Reed
2063252f73
[vtable] Fix warning for process in-condition assignment
2014-10-04 13:29:17 -07:00
Javier Marcos
7c1afd1558
Adding support to build in Ubuntu 12
2014-10-02 17:58:56 +00:00
mike@arpaia.co
2348460ca4
Revert "Support for Ubuntu 12, precise"
...
This reverts commit ed0e051eba
.
2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba
Support for Ubuntu 12, precise
2014-10-02 01:24:23 +00:00
mike@arpaia.co
627821abc1
Periodic clang-format
2014-09-21 14:29:28 -07:00
mike@arpaia.co
b5ee19f49f
Removing the osquery::db namespace
2014-09-21 14:27:09 -07:00
Teddy Reed
9516bf8fd7
Regressions from core NS removal, linux includes
2014-09-17 10:29:22 -06:00
mike@arpaia.co
de426754d9
moving fs to the global namespace
2014-09-15 11:47:52 -07:00
mike@arpaia.co
ad9b0bb5c1
Doxyfile, for docs
2014-09-13 15:18:26 -07:00
mike@arpaia.co
cec7b33afb
removing unused header includes
2014-09-09 18:43:41 -07:00
mike@arpaia.co
df1332277d
clang-format
2014-09-09 16:14:54 -07:00
Teddy Reed
bfba3d491d
Merge pull request #117 from facebook/linux-processes-vtable
...
[vtables] Processes table for Linux (procps3)
2014-09-09 14:43:26 -07:00
Teddy Reed
2bcd89d70f
[vtables] Adding cmdline, path to Linux processes
2014-09-09 10:59:16 -07:00
mike@arpaia.co
8fcad82b35
periodic clang-format
2014-09-09 00:56:27 -07:00
Teddy Reed
c6a7e86b18
[vtables] Processes table for Linux (procps3)
2014-09-08 22:42:17 -07:00
Teddy Reed
e23e7bdab8
Merge pull request #102 from facebook/linux-build
...
Changes for Linux (Ubuntu 14.04) build
2014-09-05 14:52:35 -07:00
Teddy Reed
4ffd184eaf
Changes for Linux (Ubuntu 14.04) build
2014-09-05 10:58:58 -07:00
Javier Marcos
344ca31f26
Adding last
virtual table
2014-09-04 16:42:18 -07:00
mike@arpaia.co
66a2a6fdec
Fix performance issue with the disk serializer
...
This is the issue noted in #76 . Keeping all historical results of
queries in the HistoricalQueryResults struct makes serializing and
deserializing those structs very, very slow as time goes on. By only
storing the last execution of the query, we keep the performance
constant, but we kill the feature where osquery can rebuild timelines
without accessing logs. After talking it over, we decided that this
isn't actually that big of a deal because, if you really wanted to
rebuild the old data, you should be able to process the logs, similarly
to bin log replication in MySQL.
2014-09-02 13:13:12 -07:00
mike@arpaia.co
2b08ba60e3
Fixing #67
...
Escaping spaces in the Program field of the launchd table since it
represents a path
2014-09-02 12:22:12 -07:00
mike@arpaia.co
6498f45924
renaming the cacerts table to ca_certs
2014-09-01 18:46:16 -07:00
Teddy Reed
c653e0b1be
[vtable_nvram] Fixing type description memory leak, and re-org
2014-09-01 18:32:49 -07:00
mike@arpaia.co
3b05ffb97d
breaking out objective-c tables such that they use arc
2014-08-30 03:19:16 -07:00
mike@arpaia.co
194127bf08
more memory leak fixed
2014-08-26 16:27:33 -07:00
mike@arpaia.co
648303b1a0
CFReleasing options_dict
2014-08-26 14:58:22 -07:00
mike@arpaia.co
6279f5cb96
setting property to null in the event that the property type is unknown
2014-08-26 14:58:10 -07:00
mike@arpaia.co
3d3271a625
kextstat allocation clarity
2014-08-26 13:34:08 -07:00
mike@arpaia.co
fbc37d9399
clang-format on objective-c++ files
2014-08-19 20:18:49 -07:00
Teddy Reed
444cea0649
[vtable_cacerts] New CA certificates table.
2014-08-19 13:47:09 -07:00
mike@arpaia.co
3760e4cce5
Apple virtual table for LaunchAgents and LaunchDaemons
2014-08-15 13:46:09 -07:00
mike@arpaia.co
9973335e49
OS X virtual tables for currently installed applications
2014-08-15 12:58:19 -07:00
mike@arpaia.co
e723306c13
Ran clang-format across the codebase
2014-08-15 12:29:51 -07:00
mike@arpaia.co
f6e6629d98
fixing include path in osx_version.mm
2014-08-14 11:35:30 -07:00
Mike Arpaia
3161e8cfeb
Merge pull request #48 from facebook/firewall
...
Virtual table for Apple's application level firewall
2014-08-14 11:33:53 -07:00
mike@arpaia.co
1a381e0feb
Virtual tables for Apple's application level firewall
2014-08-14 11:33:20 -07:00
mike@arpaia.co
2311022e7f
moving cocoa backports to core/osx
2014-08-13 23:20:58 -07:00
Mike Arpaia
5f9a24202f
Merge pull request #42 from facebook/kexts
...
Loaded kernel extensions vtable
2014-08-13 11:49:48 -07:00
mike@arpaia.co
e2bd07008d
[kextstat] osquery virtual table which uses the Core Foundation APIs to
...
expose kernel extension information.
For information about memory managament in Core Foudnation, see:
https://developer.apple.com/library/ios/documentation/CoreFoundation/Conceptual/CFMemoryMgmt/Concepts/Ownership.html#//apple_ref/doc/uid/20001148-103029
2014-08-13 11:48:53 -07:00
Mike Arpaia
702d53af10
Merge pull request #47 from facebook/system_version
...
osx_version table which exposes the major, minor and patch version of the operating system
2014-08-13 11:44:14 -07:00
mike@arpaia.co
b65f96d666
osx_version table which exposes the major, minor and patch version of
...
the operating system
2014-08-13 11:02:17 -07:00
Teddy Reed
1b6ef08611
Silencing various compiler errors for goto statements.
2014-08-13 08:56:39 -07:00
Teddy Reed
83dc09bca3
[vtable_nvram] Various code cleanups
2014-08-12 11:43:38 -07:00
Teddy Reed
1888150596
[vtable_nvram] Added NVRAM variables vtable (name, variable type, value).
2014-08-12 00:02:38 -07:00
mike@arpaia.co
968a8a8355
forward declarations in table files
2014-08-07 13:14:06 -07:00
mike@arpaia.co
b048b699d4
a zwass special, unordered_set::find
2014-08-06 15:24:08 -07:00
mike@arpaia.co
64bf1db2fe
more intelligent sizing of data structures
2014-08-06 15:17:51 -07:00
mike@arpaia.co
5a4517cfe6
removing range based for loop for pids and removing memsets for chars
2014-08-06 15:02:14 -07:00
mike@arpaia.co
a5edef6782
string::length instead of strlen
2014-08-06 14:13:37 -07:00
mike@arpaia.co
5863fb2948
unordered set
2014-08-06 14:09:37 -07:00
mike@arpaia.co
9cb52eb1e1
unordered_map and better logic around on_disk
2014-08-06 14:07:19 -07:00
mike@arpaia.co
e6a38a2b71
num_pids lower case and comment on negative pids
2014-08-06 13:58:23 -07:00
mike@arpaia.co
b0863e1af5
reorder of headers
2014-08-05 18:16:27 -07:00
mike@arpaia.co
32808d5830
moving processes table into systems dir
2014-08-05 18:14:32 -07:00