Commit Graph

1706 Commits

Author SHA1 Message Date
Teddy Reed
8947dac232 [Fix #1814] Various fixes for Linux inotify 2016-02-03 17:00:41 -08:00
Teddy Reed
ccda460ba0 Rename 'temps' temperatures, add constraints 2016-02-03 08:49:22 -08:00
Teddy Reed
fe3766796c Use '/rom' path for OS X platform_info 2016-02-03 08:31:57 -08:00
Teddy Reed
08ca034f02 Merge pull request #1808 from kaizensoze/add-temps-table
add temperature sensors table
2016-02-02 21:52:40 -08:00
Joe Gallo
3c6134c1fa add temperature sensors table
Extract temperature-related data from smc_keys table for table dedicated
to temperature sensors.
2016-02-02 23:57:55 -05:00
Teddy Reed
dd64d1df0d Use ROM iokit ID instead of name 2016-02-02 13:27:47 -08:00
Teddy Reed
5394fe62ec Add debug_package for OS X 2016-02-01 16:51:43 -08:00
Teddy Reed
724ca51e16 Lower severity of failed publishers 2016-02-01 16:42:21 -08:00
Teddy Reed
71d6107f83 Document logger_mode flag takes decimal values 2016-02-01 11:10:30 -08:00
Teddy Reed
f05cc345d3 Add an events_max limit for event buffering 2016-02-01 08:38:58 -08:00
Teddy Reed
b138c0be86 Fix constraint index checking on Linux 2016-01-27 11:38:06 -08:00
Teddy Reed
3951cac18f Merge pull request #1797 from sharvilshah/sip_nvram_fix_default_case
SIP config: handle default case when IOKit key is not set
2016-01-26 21:44:48 -08:00
Teddy Reed
e58f96572f Merge pull request #1796 from theopolis/better_constraints
Reduce complexity of SQLite constraints tracking
2016-01-22 15:45:02 -08:00
Sharvil Shah
f0e69204bc IOKit key csr-active-config not found is the default state and not an error 2016-01-22 12:02:35 -08:00
Teddy Reed
d43bc9f06f Reduce complexity of SQLite constraints tracking 2016-01-22 12:00:04 -08:00
Teddy Reed
f1c37f3ea8 Merge pull request #1794 from theopolis/tls_features
Add and document TLS debug features
2016-01-22 09:18:14 -08:00
Teddy Reed
95c4d733cc Add and document TLS debug features 2016-01-22 08:59:07 -08:00
Teddy Reed
7e983dc568 Merge pull request #1780 from sharvilshah/rootless
Report on System Integrity Protection
2016-01-21 23:59:26 -08:00
Sharvil Shah
1f1f0215f1 Create copy of UUID data so that we have a value and not a reference before releasing the properties 2016-01-21 23:20:24 -08:00
Sharvil Shah
8cb7ee71bf Report on System Integrity Protection 2016-01-21 21:28:13 -08:00
Teddy Reed
e6408e21f9 Add max log size for TLS logger of 1M per line 2016-01-21 10:43:15 -08:00
Teddy Reed
87ea41c6ec Improve TLS logger performance 2016-01-21 10:43:15 -08:00
Teddy Reed
7728915651 Merge pull request #1786 from theopolis/add_1778
[#1778] Add hardware/board info for Linux
2016-01-20 19:12:53 -08:00
Teddy Reed
b9117b17a1 [Fix #1788] Use an array for the 'data' key in TLS logs 2016-01-20 11:59:14 -08:00
Teddy Reed
b358d8029e [#1778] Add hardware/board info for Linux 2016-01-20 10:01:49 -08:00
Teddy Reed
9e4b1cc22c Merge pull request #1776 from sharvilshah/filevault_updates
Add currently authenticated FileVault user
2016-01-19 18:11:18 -08:00
Sharvil Shah
819f95ccc6 Add currently authenticated FileVault user (if available) to disk_encryption on Darwin 2016-01-19 15:46:39 -08:00
Teddy Reed
1a12b41d76 Promote 10.11 to default darwin package builder 2016-01-16 15:47:26 -08:00
Teddy Reed
30b1627038 Merge pull request #1771 from theopolis/improve_tls
Improve TLS logging memory
2016-01-15 00:50:56 -08:00
Teddy Reed
d6e91c81e9 Improve TLS logging memory 2016-01-15 00:22:31 -08:00
Teddy Reed
ec119f852f Merge pull request #1766 from sharvilshah/wifi_plist_parsing_fix
[Fix #1760] Fix wifi_networks for OS X 10.9
2016-01-14 00:58:09 -08:00
Sharvil Shah
826643adf8 [Fix #1760] wifi_networks now takes into account slight differences b/w OS X 10.9 and later 2016-01-13 22:52:52 -08:00
Teddy Reed
c117967d07 Restrict verbose warnings to osquery code 2016-01-13 09:26:51 -08:00
Teddy Reed
18528e7750 Merge pull request #1761 from theopolis/fix_benchmarks
Unify build script and fix EVENTS benchmarks
2016-01-12 18:11:24 -08:00
Teddy Reed
832c3cfcce Unify build script and fix EVENTS benchmarks 2016-01-12 17:09:52 -08:00
Teddy Reed
f4b8c1b0f3 Merge pull request #1756 from theopolis/pack_files
Allow packs to add file_path categories
2016-01-12 12:42:21 -08:00
Teddy Reed
eea7d67402 Merge pull request #1757 from theopolis/smc_keys
Add an smc_keys table for OS X
2016-01-11 18:08:33 -08:00
Teddy Reed
5295904624 Add an smc_keys table for OS X 2016-01-11 11:51:55 -08:00
Teddy Reed
51346313fc Require either static/dynamic link of cpp-netlib 2016-01-09 14:36:12 -08:00
Teddy Reed
21b3af199e Allow packs to add file_path categories 2016-01-08 17:59:19 -08:00
Teddy Reed
7c38cf17d9 Add support for make packages on Debian 2016-01-07 23:50:31 -08:00
secretsquirrel
4224c9fdc0 adding strict codesigning checks 2016-01-07 00:01:46 -05:00
Teddy Reed
6a1b08c4fe Use key_strength to support ECC 2016-01-05 18:48:34 -08:00
Teddy Reed
e311a47774 Add key_size to certificates table 2016-01-05 11:34:57 -08:00
Teddy Reed
360ac54688 Remove num_levels explicit definition for RocksDB 2015-12-21 15:27:34 -08:00
Teddy Reed
5824b891d3 Only discover SMBIOS tables once on Linux 2015-12-19 20:40:05 -08:00
Teddy Reed
75f545c16b Merge pull request #1698 from theopolis/single_line_logger
[#1518] Only emit a single line for each logString
2015-12-18 00:32:56 -08:00
Teddy Reed
c2b78faa09 Merge pull request #1740 from theopolis/events_improvements
Fix double event subscriber select
2015-12-17 22:32:57 -08:00
Teddy Reed
ef5ee380b3 Merge pull request #1739 from theopolis/certificate_issuer
Add certificate issuer and self_signed columns
2015-12-17 22:30:43 -08:00
Teddy Reed
12329b1592 Merge pull request #1738 from theopolis/fix_1736
[Fix #1736] Do not cache TLS node key within enroll plugin
2015-12-17 22:28:48 -08:00
Teddy Reed
4af9d8d61c Add certificate issuer and self_signed columns 2015-12-17 19:36:31 -08:00
Teddy Reed
c4f3db1613 Fix double event subscriber select 2015-12-17 19:23:26 -08:00
Teddy Reed
41b5ca545f [Fix #1736] Do not cache TLS node key within enroll plugin 2015-12-17 16:44:30 -08:00
Teddy Reed
f9faf0bea7 [Fix #1735] Limit OPENED and access-related events 2015-12-17 15:42:32 -08:00
Teddy Reed
c5766da6d0 [#1518] Only emit a single line for each logString 2015-12-16 16:42:55 -08:00
Teddy Reed
5a66d5b838 Move RocksDB logs to INFO 2015-12-16 14:36:12 -08:00
Teddy Reed
db3782bc7f Do not add (self) events for FSEvents 2015-12-16 13:32:39 -08:00
Teddy Reed
3004df5a50 Use custom logger for RocksDB 2015-12-15 20:49:33 -08:00
Teddy Reed
2ec5d34291 Bump non-OS X TSK builds to 4.2.0 2015-12-14 23:43:08 -08:00
Teddy Reed
51fd73c449 Assure dropTo can be used safely consecutively 2015-12-14 21:27:00 -08:00
Teddy Reed
fbc8fb92dc Allow --config_dump with watcher 2015-12-14 16:19:37 -08:00
Teddy Reed
63d12789b4 Fix regression in file content predicate refactor 2015-12-14 15:24:55 -08:00
Teddy Reed
31dfad2515 Fix unhelpful subscriber verbose error for process_file_events 2015-12-14 15:09:52 -08:00
Teddy Reed
e6a474a6f1 Fix Debian os_version detection 2015-12-14 15:09:40 -08:00
Teddy Reed
cfb44fdf09 Fix incorrect size of pointer in device_ tables
Limit max number of device_files to 10k
2015-12-14 15:09:34 -08:00
Teddy Reed
92719e7b48 Add OSX platform_info 2015-12-12 03:29:17 -08:00
Teddy Reed
70face8ac2 Add platform_info table for UEFI/ROM details 2015-12-12 01:55:14 -08:00
Teddy Reed
fdfe5f4d3f Add support for Linux SMBIOS/DMI EFI structure parsing 2015-12-11 23:18:04 -08:00
Teddy Reed
a99b62a31d Preserve atime and mtime by default for readFile 2015-12-11 22:18:45 -08:00
Teddy Reed
718ff77864 Extend fields of file_events 2015-12-11 10:26:36 -08:00
Teddy Reed
c6e9f0e321 Merge pull request #1724 from theopolis/faster_hashing
Speed up file hashing
2015-12-11 08:59:06 -08:00
Teddy Reed
98eb6a5055 Reorganize file_events into process_file_events 2015-12-11 00:58:22 -08:00
Teddy Reed
59750ec87d Speed up file hashing 2015-12-11 00:36:16 -08:00
Teddy Reed
1a1b07b5c6 Merge pull request #1716 from theopolis/pack_shards
[#1636] Add simple sharding to packs and pack queries
2015-12-10 17:37:57 -08:00
Lex Neva
e9c183d962 DRY for inotify event mask (we missed IN_MOVE) 2015-12-10 16:00:02 -05:00
Teddy Reed
9d394065e3 [#1636] Add simple sharding to packs and pack queries 2015-12-10 10:01:53 -08:00
Teddy Reed
675d1d2267 [Fix #1714] Restore balance to the DOUBLE force 2015-12-09 17:28:30 -08:00
Teddy Reed
4129c6b191 Add 'AggStep0' to OpCode type discovery
Closes: #1699
2015-12-09 01:53:40 -08:00
Teddy Reed
9f79d74c60 Add canary path on empty FSEvents subscription set 2015-12-09 00:14:08 -08:00
Teddy Reed
fe234f8f96 Merge pull request #1711 from theopolis/fix_refresh_config
Fix quick regression with config refresh runner
2015-12-08 16:11:37 -08:00
Teddy Reed
1436d9d73a Fix quick regression with config refresh runner 2015-12-08 15:53:19 -08:00
Teddy Reed
309944c586 Configuration triggered publisher reconfiguration 2015-12-08 14:03:35 -08:00
Teddy Reed
6602a59b7d Change EventSubscriber API to include subscription references 2015-12-07 22:22:04 -08:00
Teddy Reed
b7650e5291 Remove passwd_changes and user_data from event callbacks 2015-12-07 17:47:38 -08:00
Teddy Reed
02c2b37a5d Merge pull request #1709 from theopolis/expire_results
[Fix #1694] Expire results for 'old' scheduled queries
2015-12-07 14:01:44 -08:00
Teddy Reed
12716496aa [Fix #1694] Expire results for 'old' scheduled queries 2015-12-07 12:23:43 -08:00
Teddy Reed
b88d6816f3 Additional TSK tables 2015-12-07 08:36:22 -08:00
Teddy Reed
c020bb87b4 Merge pull request #1705 from theopolis/dump
[#1702] Add config and database dumping to stdout
2015-12-06 21:41:31 -08:00
Teddy Reed
24aa387eb0 Merge pull request #1696 from theopolis/node_invalid
[#1676] Clear node key on node_invalid
2015-12-06 17:10:12 -08:00
Teddy Reed
bfa0d617be Merge pull request #1679 from theopolis/support_multi_loggers
[#1648] Support multiple loggers
2015-12-06 15:00:32 -08:00
Teddy Reed
eeff5d0bf0 [#1676] Clear node key on node_invalid 2015-12-06 14:28:00 -08:00
Teddy Reed
9ebd292eb6 [#1648] Support multiple loggers 2015-12-06 11:10:10 -08:00
Teddy Reed
fef53fa0d0 Add config and database dumping to stdout 2015-12-06 11:01:26 -08:00
Teddy Reed
ad07e07879 Make chrome extension identifiers easier to extract 2015-12-04 11:50:13 -08:00
Teddy Reed
1acba4dfa6 Merge pull request #1700 from theopolis/tsk2
TSK integration and example tables
2015-12-04 11:26:03 -08:00
Teddy Reed
f687a84840 [Fix #1689] Remove C-style comments from config examples 2015-12-04 11:08:54 -08:00
Teddy Reed
373ce339dc TSK integration and example tables 2015-12-04 11:08:51 -08:00
Teddy Reed
e5bc6410ba Merge pull request #1697 from theopolis/fix_1660
[Fix #1660] Prevent spurious NETLINK recv retries
2015-12-02 23:56:39 -08:00
Teddy Reed
4dc6b9f0a3 [Fix #1660] Prevent spurious NETLINK recv retries 2015-12-02 23:33:20 -08:00
Teddy Reed
ffb5b7020e [Fix #1693, #1527] Add osquery-specific query planner output 2015-12-02 19:57:24 -08:00
Teddy Reed
ccff0c8c18 [Fix #1686] Add 'subject' and 'signing_algorithm' to certificates 2015-11-29 18:32:13 -08:00
Teddy Reed
f57968e0f6 Use a static 'binary' name for Glog 2015-11-27 11:27:09 -08:00
Teddy Reed
2bad9d6a74 Changes to support node-based configs 2015-11-24 14:44:56 -08:00
Teddy Reed
2e57869d34 Merge pull request #1681 from theopolis/fix_1665
[#1665, #1615] Refactor user-based tables to act uniformly
2015-11-24 13:07:28 -08:00
Teddy Reed
35129a7af7 [#1665, #1615] Refactor user-based tables to act uniformly 2015-11-24 12:46:25 -08:00
Teddy Reed
204b16a946 Merge pull request #1675 from theopolis/planner_or
Fix constraints stacking
2015-11-24 12:25:15 -08:00
Teddy Reed
f2361bca21 Merge pull request #1680 from sharvilshah/clang_analyzer_fixes
Fix clang-analyzer warning
2015-11-24 07:04:06 -08:00
Sharvil Shah
4ac0e68c08 Fix clang-analyzer warning -- Use uint32_t instead of size_t for uniform_int_distribution 2015-11-24 00:56:37 -08:00
Teddy Reed
fe8b9246e9 Merge pull request #1673 from theopolis/replace_run_profile
[#1527] Add a --profile option to the shell, replace 'run'
2015-11-23 21:32:51 -08:00
Teddy Reed
5370fef950 Merge pull request #1678 from theopolis/audit_user_events
[#1497] Add user_events table based on audit user-type messages
2015-11-23 21:31:37 -08:00
Teddy Reed
07fd718e00 Add user_events table based on audit user-type messages 2015-11-23 18:13:31 -08:00
Teddy Reed
3221fbd9b3 Fix constraints stacking 2015-11-22 22:53:23 -08:00
Teddy Reed
a3a05e7e1e [#1527] Add a --profile option to the shell, replace 'run' 2015-11-21 22:45:40 -08:00
Teddy Reed
08c7911eb7 Merge pull request #1655 from theopolis/iokit_events
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:45:10 -08:00
Teddy Reed
6748fdb024 Rewrite OS X hardware events to use IOKit proper 2015-11-21 19:31:05 -08:00
Teddy Reed
7ca7974dfb Merge pull request #1668 from cdown/f/freebsd_uid
freebsd process table: Fix EUID/EGID to not use saved IDs
2015-11-21 11:19:36 -08:00
Teddy Reed
283f7c6d59 Fix clang analyze failures in signature table 2015-11-21 09:56:19 -08:00
Chris Down
d4d87a69ce freebsd process table: Fix EUID/EGID to not use saved IDs
It's not totally clear why saved IDs were used here. There is some precedent in
sigar (https://github.com/hyperic/sigar), where they also use the saved UID,
but @wxsBSD and I are not really sure why. Maybe it's because kinfo_proc feels
different than similar structs on other Unices.

Fixes #1662.
2015-11-21 02:52:06 -08:00
Teddy Reed
8425010874 Merge pull request #1664 from stripe/andrew-better-homebrew
Determine Homebrew Cellar from binary
2015-11-20 16:06:30 -08:00
Andrew Dunham
161f8b9fd0 Determine Homebrew Cellar from binary
We look at the location of the Homebrew binary `brew` on disk, and use
the real path (i.e. path with all symlinks resolved) from that binary to
determine the Cellar.  This behavior mirrors that of Homebrew itself.
2015-11-20 15:15:18 -08:00
Teddy Reed
9ae53f2158 Merge pull request #1663 from cdown/f/saved_ids
Add saved UIDs and GIDs to process table
2015-11-20 14:35:20 -08:00
Teddy Reed
5cd040eb35 Merge pull request #1667 from theopolis/add_hash_check
Use a noexcept method of directory checking for hash
2015-11-20 14:24:43 -08:00
Teddy Reed
a72fa19536 Use a noexcept method of directory checking for hash 2015-11-20 13:32:56 -08:00
Teddy Reed
a673a793fe Merge pull request #1659 from PickmanSec/knownhosts
Added known_hosts table
2015-11-20 12:46:13 -08:00
Teddy Reed
9f5154eb4b Merge pull request #1652 from theopolis/better_types
Add a SQLite query planner for type detection
2015-11-19 09:11:26 -08:00
Teddy Reed
16247f10e8 Merge pull request #1624 from PickmanSec/master
added authorized_keys table
2015-11-19 09:10:59 -08:00
Chris Down
39bdec4c8d Add saved UIDs and GIDs to process table 2015-11-18 16:44:07 -08:00
Michael George
dde59f8c18 Added known_hosts file
added known_hosts table
2015-11-17 12:38:19 -08:00
Michael George
a649bf6733 Added authorized_keys table
Fixed mislabeled variable from line parsing

Update authorized_keys.cpp

Update authorized_keys.cpp

Check if line is empty
2015-11-16 10:36:24 -08:00
Teddy Reed
98f212e7a9 Add a SQLite query planner for type detection 2015-11-15 13:56:16 -08:00
Teddy Reed
cef8f59054 Merge pull request #1639 from theopolis/cache
Table results caching
2015-11-14 16:22:24 -08:00
Teddy Reed
e1d7511600 Remove column type string representations 2015-11-14 15:57:30 -08:00
Teddy Reed
c2be670806 Table results caching
1. Table implementations (spec files) can mark the table as 'cachable'.
2. Cached results depend on the shortest/quickest interval of scheduled
queries that act on results of the table.
3. The table API generator blocks caching on index/additional/required
table column options.
2015-11-14 15:57:23 -08:00
Teddy Reed
7480003eb6 Merge pull request #1646 from stripe/andrew-refactor-signature
Refactor how we determine the OS version in the signature table
2015-11-11 14:18:48 -08:00
Teddy Reed
ee84f35632 Merge pull request #1645 from stripe/andrew-configure-perms
Allow setting the mode of log files
2015-11-11 13:46:24 -08:00
Andrew Dunham
4ccdcc7864 Allow setting the mode of log files
This also sets the appropriate flags in glog
2015-11-11 11:37:55 -08:00
Andrew Dunham
a0932105f6 Refactor how we determine the OS version in the signature table 2015-11-11 11:34:15 -08:00
Jaime
f7ee2437cf Removed result= in the Syslog plugin 2015-11-11 09:16:50 +01:00
Teddy Reed
aa4973a1b3 Merge pull request #1644 from stripe/andrew-add-timezone
Add timezone field to time table
2015-11-10 16:41:39 -08:00
Teddy Reed
daee71919a Merge pull request #1642 from stripe/andrew-add-codesign
Add a `signature` table on Darwin
2015-11-10 16:23:16 -08:00
Andrew Dunham
0ae380297f Add timezone field to time table 2015-11-10 15:17:49 -08:00
Andrew Dunham
dea93c8aa5 Add a signature table on Darwin
This table allows verifying the signature of files (or bundles) on
Darwin.  It also provides the signing identifier that is a part of the
signature.
2015-11-10 13:21:18 -08:00
Teddy Reed
c441de27aa Merge pull request #1643 from theopolis/fix_wifi_analysis
Fix missed nullptr checks in wifi
2015-11-10 12:56:45 -08:00
Teddy Reed
0a6d334f27 Fix missed nullptr checks in wifi 2015-11-10 01:01:12 -08:00
Teddy Reed
0d01a382b6 [Fix #1634] Add sys/stat to filesystem 2015-11-09 01:33:17 -08:00
Teddy Reed
988daeb9e6 Merge pull request #1635 from theopolis/drop_gid
Add GID to PrivilegeDropper
2015-11-09 00:05:51 -08:00
Teddy Reed
4c2319f8dd Add GID to PrivilegeDropper 2015-11-08 01:03:08 -08:00
Teddy Reed
18b1947e5b Config/Schedule should not populate in extensions 2015-11-06 09:52:10 -08:00
Teddy Reed
41ba637030 Linux inotify should accept non-glob dirs 2015-11-04 13:46:47 -08:00
Teddy Reed
b29168a7b7 Use a null DB for the run test binary 2015-11-04 10:39:40 -08:00
Teddy Reed
57e8ef2ab3 [#1546] Add computer_name to system_info and extend to Linux 2015-11-04 10:31:16 -08:00
Teddy Reed
2cf9e95fa1 Allow user-controlled FIFOs 2015-11-04 01:29:54 -08:00
Teddy Reed
084ccaf080 Use default blank value for startup_items Alias 2015-11-03 22:58:00 -08:00
Teddy Reed
7c70183a87 Merge pull request #1625 from theopolis/pack_delim
Add pack_delimiter option
2015-11-03 21:05:44 -08:00
Teddy Reed
cd4de8023f Merge pull request #1630 from theopolis/fix_1626
[Fix #1626] Add schedule blacklist and protect DBHandle
2015-11-03 21:05:29 -08:00
Teddy Reed
edea3d6edd [Fix #1626] Add schedule blacklist and protect DBHandle 2015-11-03 20:50:22 -08:00
Teddy Reed
15c4673c5a Add pack_delimiter option 2015-11-02 18:05:46 -08:00
Teddy Reed
7b270af6b2 Merge pull request #1623 from theopolis/simple_errors
Remove specific filenames from RocksDB IOErrors
2015-11-02 16:12:00 -08:00
Teddy Reed
5aa225d4c3 Merge pull request #1619 from sharvilshah/wifi
Implement wifi_networks tables for OS X
2015-11-02 16:11:21 -08:00
Teddy Reed
5728c93392 Remove specific filenames from RocksDB IOErrors 2015-11-02 15:12:52 -08:00
Teddy Reed
15215cdbc0 Add persistent splays 2015-11-02 14:10:04 -08:00
Teddy Reed
402490e75b Attempt to improve DB/query performance 2015-11-02 10:57:01 -08:00
Teddy Reed
6aae4c9aa0 Fix tests and shell escape errors (faults) 2015-11-02 10:57:01 -08:00
Teddy Reed
425e5e5596 Change the watcher limits to default=loose 2015-11-02 10:57:01 -08:00
Teddy Reed
5233d7dcf8 Add start time to osquery_info, remove md5/path 2015-11-02 10:57:01 -08:00
Teddy Reed
19427b1854 Add database benchmarks 2015-11-02 10:57:01 -08:00
Teddy Reed
75bfcddc31 Merge pull request #1622 from theopolis/faster_sockets
Faster socket_events on Linux
2015-11-02 10:56:37 -08:00
Teddy Reed
a1a9131174 Optimize socket_events and Linux users 2015-11-02 10:37:56 -08:00
Teddy Reed
50550e607a Build and provision edits for FreeBSD CI 2015-11-02 01:47:09 -08:00
Sharvil Shah
9a6d6d1293 Implement wifi_networks tables for OS X
If the option of remembering known Wi-Fi networks is enabled on a system,
they are persisted to disk as a preferences property list file.
This table is populated by parsing that file.
2015-11-01 16:53:51 -08:00
Teddy Reed
b97a2bcdb9 Merge pull request #1618 from theopolis/clang_addr_sanitize_3.7
Passing clang Address/Leak Sanitize version 3.7
2015-11-01 16:23:31 -08:00
Teddy Reed
6a07135648 Passing clang Address/Leak Sanitize version 3.7 2015-11-01 04:00:21 -08:00
Teddy Reed
d27a7ecc4c Fix clang warnings, promote warnings to errors 2015-11-01 02:12:07 -08:00
Teddy Reed
97a6521445 Merge pull request #1614 from theopolis/drop_around_files
Expand the scope of permissions dropping
2015-10-30 17:07:04 -07:00
Teddy Reed
09e4e3c42e Expand the scope of permissions dropping 2015-10-30 09:56:33 -07:00
Teddy Reed
4ac9317f64 Merge pull request #1613 from theopolis/fix_1611
[Fix #1611] Prevent fs links in inotify path search
2015-10-29 23:47:28 -07:00
Teddy Reed
2cf7543181 [Fix #1611] Prevent fs links in inotify path search 2015-10-29 23:19:07 -07:00
Michael George
fb545bb85e added sh_history 2015-10-29 10:53:04 -07:00
Teddy Reed
db58ec5e44 Only emit process events for 0-status execve 2015-10-27 17:12:23 -07:00
Teddy Reed
a3067fcbb5 Fix auditd message parsing 2015-10-27 16:56:42 -07:00
Teddy Reed
689ec53a71 Merge pull request #1603 from theopolis/inotify_mod_only
[#1600] Put inotify into a mod-only watch mode
2015-10-27 16:53:59 -07:00
Teddy Reed
ba4eeb6a80 [#1600] Put inotify into a mod-only watch mode 2015-10-27 16:42:21 -07:00
Teddy Reed
8ca2925ef0 [Fix #1583] Require osqueryd to have R/W access to RocksDB 2015-10-27 16:09:24 -07:00
Teddy Reed
811d578739 Merge pull request #1599 from theopolis/socket_events
Refactor a bit of config and add socket_events table to Linux
2015-10-27 15:30:15 -07:00
Teddy Reed
b81b6de6ae This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.

A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
2015-10-27 15:13:02 -07:00
Teddy Reed
b8087a1b26 Fix readFile TOCTOU error 2015-10-26 01:21:05 -07:00
Teddy Reed
654830cf11 Merge pull request #1594 from rcseacord/additional-sign-fixes
eliminated some warnings from Clang 3.7 analyze mode
2015-10-23 13:03:54 -03:00
Robert C. Seacord
09481d0381 Fixed some type problems, casting away const, integer types, old style casts, etc. 2015-10-21 20:56:58 +00:00
Robert C. Seacord
1d9695ac31 eliminated some warnings from Clang 3.7 analyze mode 2015-10-21 06:02:58 +00:00
Robert C. Seacord
7a87be9ada more sign conversion errors 2015-10-20 06:08:01 +00:00
Robert C. Seacord
1d7877d120 removed fsanitize compiler option 2015-10-20 02:51:57 +00:00
Teddy Reed
c0257aa7d1 Merge pull request #1589 from theopolis/fix_1578
[Fix #1578] Support OPENSSL_NO_SSV3
2015-10-19 11:25:46 -07:00
Teddy Reed
7ba87a88bb Merge pull request #1585 from rcseacord/additional-sign-fixes
Additional sign fixes
2015-10-19 11:25:18 -07:00
Teddy Reed
8214dd1309 Merge pull request #1584 from theopolis/fix_1580
[Fix #1580] Handle exceptions in linux process_memory_map
2015-10-19 09:28:16 -07:00
Teddy Reed
f891503cd9 Merge pull request #1577 from nemith/dpkg
Support for newer versions of libdpkg
2015-10-19 09:24:37 -07:00
Teddy Reed
00875988dc Use native OS X version as min ABI 2015-10-18 20:47:09 -07:00
Teddy Reed
2bd6398b53 [Fix #1578] Support OPENSSL_NO_SSV3 2015-10-18 20:47:06 -07:00
Teddy Reed
bc50c053fb Remove boolean type-columns from file in favor of 'type' 2015-10-17 12:16:54 -07:00
Robert C. Seacord
e57828aac3 changes for integer sign problems 2015-10-17 00:18:35 +00:00
Teddy Reed
3cc7984cc2 [Fix #1580] Handle exceptions in linux process_memory_map 2015-10-16 16:59:23 -07:00
Robert C. Seacord
acb2f6f628 eliminating diagnostics, mostly for comparisons between signed and unsigned operations 2015-10-16 16:10:37 +00:00
Robert C. Seacord
37b8e83a9e fixes for problems related to unsigned to signed integer comparisons 2015-10-16 16:10:36 +00:00
Robert C. Seacord
0a6a36485c redeclared i from int to size_t in two locations to eliminate several signed to unsigned comparisons 2015-10-16 16:10:36 +00:00
Teddy Reed
3f8cb14fbb Merge pull request #1579 from nemith/segv
Fix segfault on interfaces tables
2015-10-15 17:58:04 -07:00
Brandon Bennett
f683871653 Fix segfault on interfaces tables
getifaddrs(3) states that ifa_addr can be null. Check to make sure they are not null before accessing them
2015-10-15 16:53:14 -06:00
Brandon Bennett
65738a73c1 Support for newer versions of libdpkg
Libdpkg has some breaking changes in newer versions which prevented
compiling the deb_packages table on Ubuntu 15.04.  This change looks for
the libpkg version using pkg-config and adds some preprocessor magic to
support the newer versions.
2015-10-15 16:43:14 -06:00
Teddy Reed
3be0994933 [Fix #1570] Check for invalid apt sources
This fixes a crash identified by @endrazine.
When apt sources data in /etc/apt/sources.list or /etc/apt/sources.list.d/{*}.list contain invalid data/lines the cache_file.GetPkgCache(); call will fail and cache will be nullptr. Subsequent usage results in a SIGSEGV.

To reproduce the fault try:

$ zzuf -I /etc/ -r 0.01:0.1 -s 0:1000 -v \
 ./build/trusty/osquery/osqueryi --registry_exceptions=true --verbose \
 "select count(*) from apt_sources"

Signed-off-by: Jonathan Brossard
2015-10-15 15:20:26 -07:00
Teddy Reed
201fbabb28 [Fix #1559] Allow boost.filesystem incorrect LC_CTYPE 2015-10-13 09:55:44 -07:00
Teddy Reed
4852e3525f Merge pull request #1550 from theopolis/ext_clean
Extension managers should clean extension sockets when starting
2015-10-12 13:36:10 -07:00
Teddy Reed
171bfecd20 Merge pull request #1552 from theopolis/glog_benchmark
Build Glog with OS X ABI, add SKIP_BENCHMARK
2015-10-12 13:35:45 -07:00
Teddy Reed
34717fda29 Merge pull request #1554 from mlw/fix-lingering-socket-fds
Close socket fds when finished with them
2015-10-12 13:32:52 -07:00
Matthew White
2446b22a5f Close socket fds when finished with them 2015-10-12 09:59:09 -07:00
Teddy Reed
b7a2d861bf Build Glog with OS X ABI, add SKIP_BENCHMARK 2015-10-11 14:37:49 -07:00
Teddy Reed
c7ff3dfb4f Merge pull request #1549 from theopolis/more_11
Bump RocksDB to ERROR, fix OS X kernel_info, silence compile warnings
2015-10-11 20:39:56 +01:00
Teddy Reed
6b16720039 Fix kernel_info on OS X, remove md5 2015-10-11 11:43:42 -07:00
Teddy Reed
fb56646623 Restrict RocksDB log level to ERROR 2015-10-11 10:50:56 -07:00
Mike Arpaia
4d0cd46f42 Merge pull request #1539 from theopolis/nit_101
Minor nits around distributed CLIs
2015-10-09 14:55:05 -07:00
Teddy Reed
dbdf64ed6e Use better defines for 10.11 2015-10-08 07:22:48 -07:00
Teddy Reed
d5a7498881 Extension managers should clean extension sockets when starting 2015-10-08 06:47:23 -07:00
Teddy Reed
689ae4c865 Minor nits around distributed CLIs 2015-10-02 11:33:50 -07:00
Mike Arpaia
5789d889f4 Merge pull request #1538 from marpaia/discovery_queries
[fix #1536] Schedule iteration pass-by-reference
2015-09-30 15:50:05 -07:00
Mike Arpaia
65df593d33 [fix #1536] Schedule iteration pass-by-reference
There was a bug in the `osquery::Schedule` container object such that,
when the iteration through the schedule occurred, pack objects were being
passed by value (copied) instead of passed by reference. Thus, the
discovery query would be executed, the object's cache would be updated,
and then the object would go out of scope and be destructed, thus
leaving the original object without ever having run the discovery query.
This caused discovery queries to thrash. Bad times.

I added a new test so that we don't regress here as well as const'd a
few functions that should have been const in `osquery::Pack`.
2015-09-30 15:41:43 -07:00
Matthew White
25dbd33e1e Fixed bug when checking if config is valid 2015-09-30 10:50:28 -07:00
Teddy Reed
2a71162b0c Merge pull request #1534 from theopolis/glob_fix
Fix potential hang with recursive globbing
2015-09-28 18:06:53 -07:00
Teddy Reed
66888de80a Fix potential hang with recursive globbing 2015-09-28 17:50:25 -07:00
Teddy Reed
31b7966088 [Fix #1531] Use libarchive finish for safari_extension parsing 2015-09-28 17:33:42 -07:00
Teddy Reed
bbac2cf07f [#1529] Allow DB Readonly with RocksDB lite 2015-09-28 01:50:32 -07:00
Teddy Reed
64c18a70a9 Merge pull request #1525 from theopolis/process_adds
Add state, group, and nice to processes
2015-09-24 14:43:17 -07:00
Teddy Reed
5890901c00 Add state, group, and nice to processes 2015-09-24 13:11:46 -07:00
Teddy Reed
2d4150499a Merge pull request #1526 from theopolis/linux_sigs
[#1488] Shutdown Linux event publishers responsibly
2015-09-24 11:08:41 -07:00
Teddy Reed
bb65ec49ac [#1488] Shutdown Linux event publishers responsibly 2015-09-22 23:06:23 -07:00
Mike Arpaia
327a9bcdb1 Merge pull request #1522 from marpaia/startup_items
Include system startup items
2015-09-22 16:06:20 -07:00
Mike Arpaia
b09031adda Include system startup items
We were not parsing system startup items.
2015-09-22 15:50:55 -07:00
Teddy Reed
0b006f28c7 Merge pull request #1519 from theopolis/osx_events
[#1488] Stop OS X event publishers with SIGINT
2015-09-22 09:14:47 -07:00
Teddy Reed
97ca0e627a [#1488] Stop OS X event publishers with SIGINT 2015-09-21 22:02:27 -07:00
Mike Arpaia
4021a742df Merge pull request #1507 from jacknagz/os_version_rhel
RHEL os_version fix
2015-09-21 18:03:03 -07:00
Teddy Reed
284dac71de Write helpful DB access/open error to verbose log 2015-09-20 10:35:26 -07:00
Teddy Reed
946ab354ff Merge pull request #1517 from theopolis/fix_yara
Fix YARA sigfile caching
2015-09-20 10:34:29 -07:00
Teddy Reed
d042967f43 Fix YARA sigfile caching 2015-09-20 00:06:57 -07:00
Jack Naglieri
9c1e114728 Fix os_version table regex for REDHAT_BASED systems. Updating centos6/7 and freebsd10 Vagrant boxes. 2015-09-18 14:47:08 -07:00
Mike Arpaia
a0795f300b Merge pull request #1512 from theopolis/schedule_tracking
Scheduled query success tracking
2015-09-17 13:39:04 -07:00
Teddy Reed
c51d214ddd Scheduled query success tracking 2015-09-16 23:31:07 -07:00
Mike Arpaia
73045e4974 Moving packs to top level include directory
I could've sworn that I did this already, but this moves
`include/osquery/config/packs.h` to `include/osquery/packs.h`.
2015-09-16 15:51:05 -07:00
Teddy Reed
333f2ce8c8 [#1506] Silence kext loading messages from syslog 2015-09-16 13:13:56 -07:00
Mike Arpaia
3d81223dfb Merge pull request #1508 from marpaia/distributed_test_fixes
Making distributed tests more awesome and less flaky
2015-09-16 12:05:51 -07:00
Mike Arpaia
dc6e395b77 Only log to warning if the config can't be read by the daemon
fix #1504
2015-09-16 10:54:38 -07:00
Mike Arpaia
41ef6798c6 Making distributed tests more awesome and less flaky
Distributed tests were failing every now and then because the test
plugin didn't implement retries and the test server wasn't always
starting up fast enough. I fixed this by refactoring the tests to use
the real TLS plugin, which has retry logic. This required some mangling
of the configuration options, which should serve as a good reference as
well.
2015-09-16 10:36:34 -07:00
Teddy Reed
7852c356ec Merge pull request #1494 from theopolis/signals
[#1488] Use signal handlers for teardown and reloading
2015-09-15 16:14:40 -07:00
Teddy Reed
65162e7239 Merge pull request #1501 from sharvilshah/sysinfo_updates
Update system_info table to include CPU type, CPU cores and total memory
2015-09-14 20:02:56 -04:00
Teddy Reed
7c2a625ef2 Use signal handlers for teardown and reloading 2015-09-14 16:57:00 -07:00