If there are no tags in the current repository, this command will fail leaving the OSQUERY_BUILD_VERSION blank, and therefore breaking the package building process (and presumably other things too) due to the empty version flag. By adding the flag --always, this forces git to fallback to a commit id instead of returning nothing.
If osqueryd was killed and another process was started with osqueryd's
old pid before a new osqueryd could start, osqueryd would encounter a
bug where osqueryd would never start.
This executes an osquery query to the processes table to make sure that
the name of the process is "osqueryd". Of course, you could perhaps
denial of service osqueryd this way, but that would require root
filesystem access (assuming that the last version of osqueryd was
ran as root). Thoughts?
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files undearneath it:
syscall_addr_modified and text_segment_hash.
File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)
The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files undearneath it:
syscall_addr_modified and text_segment_hash.
File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)
The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
