Mike Arpaia
503cf32522
Merge pull request #794 from marpaia/fix-785
...
Adding warning text if the system is not configured
2015-02-24 13:27:16 -08:00
mike@arpaia.co
5a5ec45bbb
Adding warning text if the system is not configured
...
See #785 for context. If you don't have a properly configured system,
osqueryd will print a convenient warning with instructions.
2015-02-24 13:19:37 -08:00
Teddy Reed
148d7385f6
[ Fix #792 ] Replace std::regex with string parsing gcc below 4.9
2015-02-24 13:19:27 -08:00
Teddy Reed
925deb8e74
[lints] Basic cpp linting
2015-02-24 03:47:12 -08:00
Teddy Reed
f173fb6e0a
Working on sync using new non-macro decisions
2015-02-23 23:15:04 -08:00
Teddy Reed
ace433e49d
Allow external calls from within registry
2015-02-23 21:35:54 -08:00
Teddy Reed
a29addba61
Extensions integrations testing
2015-02-22 22:56:18 -07:00
Teddy Reed
dd6283b6fe
Merge pull request #779 from theopolis/events_strict
...
Removed reinterpret plugin casts
2015-02-19 17:56:59 -08:00
Teddy Reed
0f3adbbe24
Merge pull request #781 from theopolis/watcher_full_path
...
Use full path for exec in watcher
2015-02-19 17:02:46 -08:00
Teddy Reed
fa8dbf2b7f
Use full path for exec in watcher
2015-02-19 16:00:12 -08:00
Teddy Reed
5334b9650a
Merge pull request #775 from theopolis/sdk_build
...
Building example extension with SDK
2015-02-19 14:26:48 -08:00
Teddy Reed
247e57f2d6
Removed reinterpret plugin casts
2015-02-19 14:23:15 -08:00
Mitchell Grenier
182c69d4af
Added ability to specify files to watch with wildcards
2015-02-19 12:43:23 -08:00
Teddy Reed
451ef686ed
Building example extension with SDK
2015-02-18 20:11:00 -08:00
mike@arpaia.co
843fe3a302
syncing sdk with codemod and targets
2015-02-18 09:02:04 -08:00
Teddy Reed
8aefe1a110
Add thrift 'query' endpoint
...
This allows extensions to execute SQL through the extensions API.
2015-02-17 18:42:09 -08:00
Teddy Reed
16832ba72c
Merge pull request #766 from theopolis/logs
...
Improved logging control
2015-02-17 16:37:50 -08:00
Teddy Reed
1f8dacec3c
Add flag aliasing, logger/flag tests
2015-02-17 16:26:14 -08:00
Mitchell Grenier
dd01c67dcf
Merge pull request #767 from jedi22/version_fix
...
Added osquery version to .version because it makes sense
2015-02-17 11:27:44 -08:00
Mitchell Grenier
e3a1c0638d
Added osquery version to .version because it makes sense
2015-02-17 11:18:28 -08:00
Teddy Reed
fc64965c68
Fix ctor logger locking
2015-02-16 16:37:39 -08:00
Teddy Reed
6f155d63c5
Improve flag storage and printing
2015-02-16 16:26:06 -08:00
Teddy Reed
6994361f26
Improved logging control
2015-02-16 14:42:22 -08:00
Teddy Reed
3c36c4196b
Merge pull request #731 from jedi22/wildcard_events
...
Added parsing of extra data along with its addition to the osqueryconfig structure
2015-02-15 19:16:54 -08:00
Teddy Reed
95dd2a808f
Merge pull request #762 from theopolis/startup_items
...
[Fix #758 ] Parse startup_items Alias data
2015-02-15 16:33:39 -08:00
Teddy Reed
1ea06a9d15
[ Fix #758 ] Parse startup_items Alias data
2015-02-13 17:40:02 -08:00
Mitchell Grenier
de5ac74fab
All changes addressed
2015-02-13 16:52:11 -08:00
Teddy Reed
f162a20ee2
Merge pull request #759 from theopolis/fix_processes
...
Fix getProcList indexing
2015-02-13 14:58:39 -08:00
Teddy Reed
3246b346dc
Fix getProcList indexing
2015-02-13 14:38:49 -08:00
Zachary Wasserman
1f450fb1ef
Merge pull request #710 from zwass/distributed
...
POC for client side of distributed queries.
2015-02-13 14:25:52 -08:00
Zachary Wasserman
79034111a5
POC for client side of distributed queries.
...
This introduces the notion of a DistributedQueryHandler that uses a "provider" to read/write requests and results to and from the master. The full flow is exercised via integration tests, and unit tests for each component.
It is intended to foster discussion around this client side interface, as well as provide a base to build from.
2015-02-13 13:01:02 -08:00
Teddy Reed
aa078895d3
CentOS7 clang without fortify
...
1. _FORTIFY_SOURCE=1 will cause readlink/recv to hang when using
heap-allocated target buffers.
2. Install boost/rocksdb/thrift using source, similar to CentOS6.5
3. Remove boost::regex, prefer extended std::regex without static
link to boost_regex.
2015-02-13 12:47:30 -08:00
Mitchell Grenier
54ef2045e5
Made config a Meyers singleton. Load should now only ever have to happen once
2015-02-13 12:32:54 -08:00
Teddy Reed
340dcd775a
Add 'cwd', 'root' to processes
2015-02-12 18:05:10 -08:00
Teddy Reed
b7160aae72
Merge pull request #750 from theopolis/file_directory
...
Allow file table to use a directory constraint
2015-02-12 15:57:20 -08:00
Teddy Reed
584a326f63
Merge pull request #748 from theopolis/improve_processes
...
[#721 ] Add pid constraint checking to darwin procs
2015-02-12 15:57:15 -08:00
Teddy Reed
b7734dcd3e
Allow file table to use a directory constraint
2015-02-12 15:44:39 -08:00
Teddy Reed
11323a1487
[ #721 ] Add pid constraint checking to darwin procs
2015-02-12 11:32:29 -08:00
Javier Marcos
715f894c1c
Fix for the CentOS 7 support
2015-02-11 22:07:25 -08:00
Mitchell Grenier
9dfcfc5725
Fast forwarded to current head
2015-02-11 19:47:30 -08:00
Mitchell Grenier
0448afbd91
Asynchronously resolve the wildcards of all the files we want to monitor
2015-02-11 19:35:57 -08:00
Mitchell Grenier
dca2f9d7bb
Added parsing of extra data along with its addition to the osqueryconfig structure
...
Added tests as well
2015-02-11 19:35:57 -08:00
Teddy Reed
65e0da4790
Merge pull request #743 from theopolis/env_ele_apps
...
Add environment/element to OS X apps
2015-02-11 18:38:11 -08:00
Teddy Reed
2e0f99432f
Add environment/element to OS X apps
2015-02-11 18:28:56 -08:00
Teddy Reed
7fbb7ef48e
Add plist/file parsing similar to OS X defaults
2015-02-11 17:48:01 -08:00
Teddy Reed
5810a35cec
Add a SQLiteDBManager
2015-02-11 15:27:45 -08:00
Teddy Reed
04fb33cbf2
Merge pull request #737 from theopolis/safe
...
Safer compile flags
2015-02-11 12:32:36 -08:00
Teddy Reed
7bab4a4706
Merge pull request #732 from theopolis/plist_defaults
...
Added 'defaults' table called 'preferences'
2015-02-11 12:03:23 -08:00
Teddy Reed
fd92f9cb4c
Added 'defaults' table called 'preferences'
2015-02-11 11:39:25 -08:00
Teddy Reed
a59dcf01ee
Add osquery_extensions table
2015-02-11 10:52:25 -08:00
Teddy Reed
2593e8f837
Add extensions status to osquery_info
2015-02-11 10:52:25 -08:00
Teddy Reed
9eeda1f02c
Safer compile flags
2015-02-11 10:45:04 -08:00
Mitchell Grenier
4238eccdcd
Adding test to make sure Apps table returns real data
2015-02-10 18:59:26 -08:00
Teddy Reed
74496c74d5
[ Fix #733 ] Use directories instead of files in apps
2015-02-10 17:35:18 -08:00
Teddy Reed
7f7b2acd37
Merge pull request #728 from theopolis/pubs_as_runnables
...
[Fix #704 ] Events sleep with dispatcher's interruptableSleep
2015-02-10 13:06:16 -08:00
Teddy Reed
23864f220d
[ Fix #704 ] Events sleep with dispatcher's interruptableSleep
2015-02-10 12:51:26 -08:00
Teddy Reed
55dfdfcace
Move lsperms into filesystem
2015-02-10 03:00:29 -07:00
Javier Marcos
9f5b819967
Adding description to columns
2015-02-09 20:13:11 -08:00
Javier Marcos
a3e004bb62
Adding description to columns
2015-02-09 18:18:22 -08:00
Teddy Reed
94f97b93e8
Fix symbol rename regression in processes
2015-02-09 14:04:39 -08:00
Teddy Reed
6cc9fa4c3e
Merge pull request #720 from theopolis/memory_tables
...
Add shared_memory, memory_maps, process_memory_map table to Linux
2015-02-09 12:59:43 -08:00
Teddy Reed
4b07479c3d
Merge pull request #719 from theopolis/file_stat
...
Add stat details to file table
2015-02-09 12:59:35 -08:00
Teddy Reed
d373aef0fa
Merge pull request #716 from theopolis/fix_713
...
[Fix #713 ] Do not abort if EM fails
2015-02-09 12:59:28 -08:00
Teddy Reed
de868e6eb1
Merge pull request #715 from theopolis/more_descriptions
...
Add more table descriptions for API generation
2015-02-09 12:59:22 -08:00
Teddy Reed
4615019dd0
Merge pull request #711 from theopolis/harden_worker
...
Harden watcher for more perf, use exec and watch from worker
2015-02-09 12:59:14 -08:00
Teddy Reed
d2b18c05c9
Add watcher profiles
2015-02-09 12:38:50 -08:00
Teddy Reed
ca95e7c59a
Add process_memory_map and remove path,name from process_envs
2015-02-09 01:37:59 -07:00
Teddy Reed
edc93fb81b
Add Linux memory map table
2015-02-09 00:47:40 -07:00
Teddy Reed
653b3a19e5
Add shared_memory table to Linux
2015-02-08 21:32:30 -07:00
Teddy Reed
ff0da3dd19
Add stat details to file table
2015-02-08 20:41:31 -07:00
Teddy Reed
3548e7ea63
[ Fix #713 ] Do not abort if EM fails
2015-02-08 19:05:36 -07:00
Teddy Reed
1252fa2663
Add more table descriptions for API generation
2015-02-08 18:40:35 -07:00
Teddy Reed
19998a001a
Harden watcher for more perf, use exec and watch from worker
2015-02-08 00:06:44 -07:00
Javier Marcos
2383fb1f77
Merge pull request #712 from facebook/description_tables
...
Adding all the missing descriptions for tables
2015-02-06 19:23:08 -08:00
Javier Marcos
8bc0087bbc
Adding all the missing descriptions for tables
2015-02-06 19:05:50 -08:00
Teddy Reed
c0be6faede
Merge pull request #702 from theopolis/sdk_step2
...
Adding thrift extension API
2015-02-06 17:51:20 -08:00
Mitchell Grenier
4cf0fc859c
Merge pull request #709 from jedi22/test_open_sockets
...
Fixed open sockets on OS X
2015-02-06 14:49:43 -08:00
Mitchell Grenier
898c0933e6
Fixed open sockets on OS X
...
Minimal fix
2015-02-06 14:41:38 -08:00
Teddy Reed
771887c27a
Fix GTest/siginfo redefine by libthrift
2015-02-06 09:40:50 -08:00
Teddy Reed
7597e823c5
Fixing build RC, TestRunnable tests
2015-02-06 09:40:49 -08:00
Teddy Reed
993e2c4577
Changes to flags, extensions now loaded with shell/daemon
2015-02-06 09:40:49 -08:00
Teddy Reed
4f10a35f80
Adding thrift extension API
2015-02-06 09:40:49 -08:00
Mike Arpaia
88e211d686
Merge pull request #707 from theopolis/table_docs
...
Adding table spec documentation
2015-02-05 14:42:42 -08:00
Mitchell Grenier
f9d310a6c4
Adding in the tests for recursive filesystems resolutions
2015-02-05 11:04:02 -08:00
Mitchell Grenier
159b2add89
Merge pull request #689 from jedi22/letter_wild
...
First iteration to support letter wilds in file paths
2015-02-05 10:42:50 -08:00
Mitchell Grenier
bb855f4551
Adding last wildcarding component
2015-02-05 10:34:42 -08:00
Teddy Reed
eb55c9e83a
Adding table spec documentation
2015-02-04 22:47:02 -07:00
Teddy Reed
ed9bae29b7
Organizing headers/build for SDK
2015-02-03 14:59:32 -08:00
Mike Arpaia
38369bb30f
Update daemon.cpp
2015-02-03 14:27:17 -08:00
Mitchell Grenier
50eaccc40b
Merge pull request #653 from jedi22/osx-xattr
...
OS X Where From
2015-02-03 11:55:35 -08:00
Mitchell Grenier
30e268b22b
Can query for where a file came from using the OS X eXtended attributes
2015-02-03 11:34:29 -08:00
Zachary Wasserman
ac53637bcf
Add getQueryColumns function to core
...
This new getQueryColumns function allows us to determine what columns
will be returned by executing a given query. It is intended to be used
with the distributed query system, to determine a schema for the
results before sending the query.
Tested by unit tests. Also used valgrind and did not find errors that
looked related to this change (though there appear to be many errors
related to glog logging).
2015-02-02 10:11:00 -08:00
Teddy Reed
b0a91e1058
Fixing threading assumptions for FSEvents runloop
2015-02-01 05:12:28 -07:00
Teddy Reed
e37b16ce2f
Clang analyze fixups for Linux
2015-02-01 05:10:57 -07:00
Teddy Reed
5072b40997
Fix missing virtual destructors for event APIs
2015-02-01 04:32:18 -07:00
Teddy Reed
e4b369917b
Unref udev monitor during events tearDown
2015-02-01 03:00:09 -07:00
Teddy Reed
f96b498ae3
Remove EventFactory::deregister... in favor of ::end
2015-02-01 02:20:09 -07:00
Teddy Reed
bd620853aa
Verbose log when table row is missing a column
2015-02-01 02:20:09 -07:00
Teddy Reed
d39f1fae95
Minor registry documentation, using macros for create/add
2015-02-01 02:20:09 -07:00
Teddy Reed
ab1cb942a8
Fix typo in passwd subscriber, merge vtable tests
2015-02-01 02:20:09 -07:00
Teddy Reed
ab08bc76a8
Towards a new registry
2015-02-01 02:20:09 -07:00
Teddy Reed
ba3931cc1f
Faster fstests using tmp structures
2015-02-01 02:11:46 -07:00
Teddy Reed
c4fb5d45ed
Added make analyze (clang-analyze) and fixed output
2015-01-31 03:09:30 -08:00
Teddy Reed
38a757c7f0
Merge pull request #673 from theopolis/fork
...
Adding a watcher/worker model for osqueryd
2015-01-30 19:09:55 -08:00
Javier Marcos
c0398e2cef
Different packages for different ubuntus
2015-01-30 14:55:28 -08:00
Zachary Wasserman
d840fb8896
Merge pull request #685 from zwass/status_enhancements
...
Add useful operator implementations to Status
2015-01-30 10:03:41 -08:00
Zachary Wasserman
5a2296b91b
Add useful operator implementations to Status
2015-01-29 17:33:41 -08:00
Mitchell Grenier
dcfaeda4ca
Merge pull request #674 from jedi22/filesystem_wild
...
Adding recursive directory traversal functionality
2015-01-29 17:28:35 -08:00
Mitchell Grenier
0ab10f9982
Added the ability to search through directories using wildcards
2015-01-29 17:18:39 -08:00
schettino72
f7357dd4b8
add column info to CREATE VIRTUAL TABLE statement.
2015-01-30 01:08:36 +08:00
schettino72
3a8df753e2
Add unit-test for TablePlugin::statement().
2015-01-30 01:08:36 +08:00
Mitchell Grenier
0e7bf914a3
Removed 2 lines of code that didn't look like they were doing anything
2015-01-27 17:27:01 -08:00
Teddy Reed
a95c6f2b8b
Merge pull request #679 from theopolis/force
...
[Fix #676 ] Add --force option to osqueryd
2015-01-27 16:11:12 -08:00
Teddy Reed
a9ede83446
[ Fix #676 ] Add --force option to osqueryd
2015-01-27 16:00:39 -08:00
Mitchell Grenier
299bef0452
Fixing the last strcpy
2015-01-27 14:06:12 -08:00
Teddy Reed
74d38fa354
Merge pull request #675 from facebook/marpaia-patch-1
...
Update init osquery to not overwrite the logging plugin
2015-01-26 16:54:27 -08:00
Mike Arpaia
db24472539
Update init osquery to not overwrite the logging plugin
2015-01-26 10:44:27 -08:00
Teddy Reed
8fd56417fd
Adding a watcher/worker model for osqueryd
2015-01-26 01:22:50 -07:00
Teddy Reed
72fcd44bf1
Fallback to /proc/net/ for open sockets in Linux
2015-01-25 18:44:10 -07:00
Teddy Reed
59b757c5d5
Adding block_devices to OSX
2015-01-23 13:47:20 -08:00
Teddy Reed
b3fa936156
Add kernel_info to OSX
2015-01-23 13:47:20 -08:00
Teddy Reed
22273b403d
Adding kernel_info to Linux
2015-01-23 13:47:20 -08:00
mike@arpaia.co
b4a2ca1afa
moving config and plist to prefixed directory
2015-01-22 11:07:19 -08:00
Teddy Reed
ee44764098
Add libglog to OBJCXX targets
2015-01-21 23:43:50 -07:00
Teddy Reed
22a91e2bb2
All libraries depend on the external project(s)
2015-01-21 21:35:16 -07:00
Teddy Reed
d912009569
Add unit testing to hashing
2015-01-21 16:24:40 -08:00
Teddy Reed
9c1faec090
Isolate glog include and depend on libglog for #652
2015-01-21 13:37:06 -08:00
Mike Arpaia
248f8b90e6
Merge pull request #657 from facebook/marpaia-patch-1
...
static lock in config.cpp
2015-01-21 13:33:35 -08:00
Mike Arpaia
8e677caaef
Update config.cpp
2015-01-21 13:08:17 -08:00
mike@arpaia.co
10d5aabd36
config-check command in osqueryd
...
This addresses #585
2015-01-21 12:59:39 -08:00
Mike Arpaia
778789d74e
Merge pull request #648 from marpaia/hash-docs
...
hash.h documentation
2015-01-20 16:04:32 -08:00
mike@arpaia.co
ba2e465472
migrating smbios to use new hash api
2015-01-20 15:54:00 -08:00
mike@arpaia.co
ecfe29282b
hash.h documentation
...
I added some doxygen docs for hash.h
2015-01-20 15:36:53 -08:00
Teddy Reed
7e58691df0
Merge pull request #637 from theopolis/osx_smbios
...
OSX/Linux SMBIOS tables
2015-01-20 15:28:55 -08:00
Teddy Reed
b7549e09ca
SMBIOS parsing on Linux using mem
2015-01-20 15:10:19 -08:00
mike@arpaia.co
b6eed30688
removing md5.h
2015-01-20 15:07:50 -08:00
Teddy Reed
6b6649bbd4
Adding mem to Linux filesystem lib
2015-01-20 15:06:34 -08:00
Teddy Reed
b7852650c2
SMBIOS structure tables for OSX
2015-01-20 15:06:34 -08:00
Teddy Reed
7b0f7f3c49
Rename ACPI length to size
2015-01-20 15:06:34 -08:00
Teddy Reed
64d82388e4
Update the md5 hashing callsites
2015-01-20 14:52:07 -08:00
Teddy Reed
11237d2397
Merge pull request #644 from theopolis/md5_macros
...
Use API macro for hash algorithms
2015-01-20 14:33:55 -08:00
Teddy Reed
a2d9236478
Use API macro for hash algorithms
2015-01-20 14:24:49 -08:00
Mike Arpaia
4937e5cd2e
Merge pull request #641 from theopolis/iokit_registry
...
Separate IOKit devicetree from registry
2015-01-20 13:31:24 -08:00
Zachary Wasserman
ee798cdde7
Use sizeof with memcpy and memset
...
I'd like to make sure we use expressions of sizeof to relate buffer
sizes to memcpy and memset. This should make modifying the code less
error prone.
Conflicts:
osquery/tables/system/darwin/nvram.cpp
2015-01-20 12:36:36 -08:00
Mitchell Grenier
053fcc28ef
More minor changes to address marpaia's requests
2015-01-20 12:13:10 -08:00
Mitchell Grenier
b8b1837bd6
Replaced loop with auto iterator, eliminating need to dereference
2015-01-20 12:13:10 -08:00
Mitchell Grenier
d2fe1826ae
Minor code change and clang-format
2015-01-20 12:13:10 -08:00
Mitchell Grenier
34e6bd45c3
Addressed @marpaia's changes
2015-01-20 12:13:10 -08:00
Mitchell Grenier
b9c477080f
NFS Table for darwin systems.
...
Currently table readonly field is a string, this may change in the future to an
integer to stay consistent with other parts of osquery.
2015-01-20 12:13:09 -08:00
Teddy Reed
416198732a
Merge pull request #631 from jedi22/sha-hashs
...
Added SHA1 and SHA256 in Hash Table
2015-01-20 11:24:43 -08:00
Teddy Reed
716aa41c15
Separate IOKit devicetree from registry
2015-01-20 11:15:20 -08:00
Mitchell Grenier
8f407a1e8f
Moving commits around for efficiency
2015-01-20 10:49:58 -08:00
Teddy Reed
5f8eccb3f3
Remove gotos from linux routes
2015-01-19 18:06:34 -08:00
Teddy Reed
8475522e76
Remove goto/sprintf from NVRAM parsing
2015-01-19 17:10:40 -08:00
Teddy Reed
066b7d78d9
Add basic acpi_tables hashing to Linux
2015-01-17 23:02:14 -08:00
Teddy Reed
09ce5099b2
Merge pull request #632 from theopolis/osx_boot_info
...
OSX IOKit registry and ACPI table data
2015-01-17 17:56:51 -08:00
Teddy Reed
545a6b0930
Merge pull request #629 from marpaia/cmdline-whitespace-fix
...
Fix for #628
2015-01-17 17:51:06 -08:00
Mitchell Grenier
c1a1013e5a
Minor code changes and namespacing
2015-01-16 12:03:23 -08:00
Teddy Reed
ba716712cf
[ Fix #630 ] Clear stacking index plans
2015-01-16 06:47:32 -08:00
Teddy Reed
1df958c583
ACPI tables for OSX
2015-01-15 21:37:02 -08:00
Mitchell Grenier
e6e722dd17
Modified config.cpp to not use the old MD5 implementation
2015-01-15 17:40:42 -08:00
Mitchell Grenier
570c6a32f3
Moved hashing functions into core. #include<osquery/hash.h>
2015-01-15 17:16:05 -08:00
Mitchell Grenier
c13a0e79a5
Most hashing stuff working though rerun bug is still plaguing the queries
2015-01-15 15:06:30 -08:00
Teddy Reed
803204a9dd
iokit_registry table
2015-01-15 12:53:46 -08:00
mike@arpaia.co
aef517a29e
Fix for #628
2015-01-15 12:11:25 -08:00
Teddy Reed
663e481d9e
[ Fix #620 ] Add query plan estimates bias toward constraints
2015-01-13 21:17:15 -08:00
Teddy Reed
367709429e
Treat IOKit HID failures as warnings
2015-01-13 17:25:11 -08:00
Teddy Reed
4db7c90758
Merge pull request #608 from theopolis/linux_ports
...
Moved socket_inode on Linux to process_open_files
2015-01-13 14:54:35 -08:00
Teddy Reed
a709a34220
Merge pull request #605 from theopolis/fix_599
...
[Fix #599 ] Rename kextstat->kernel_extensions
2015-01-13 14:53:32 -08:00
Teddy Reed
ac0f2f96e4
Split OSX process_open_files into files/sockets
2015-01-13 11:05:54 -08:00
Teddy Reed
f0eec6fbe3
Adding listening_ports to Linux
2015-01-13 09:51:40 -08:00
Teddy Reed
bb6f313c6c
Moved socket_inode on Linux to process_open_files
2015-01-13 08:26:47 -08:00
Teddy Reed
376a438516
Moving splay to scheduler and adding config logging
2015-01-12 12:53:05 -08:00
Teddy Reed
84ef94ce9d
Testing for table query constraints
2015-01-12 12:52:29 -08:00
Teddy Reed
465db46628
Fix shouldFire pubsub virtual
2015-01-11 19:51:54 -08:00
Teddy Reed
6deeba39c9
Merged Linux/OSX interfaces implementation
2015-01-11 01:39:16 -07:00
Teddy Reed
6dfc5d88f4
Added interfaces to Linux
2015-01-11 00:42:23 -07:00
Teddy Reed
a2cc1c85ea
[ Fix #599 ] Rename kextstat->kernel_extensions
2015-01-11 00:38:03 -07:00
Teddy Reed
c5cbf992ad
Remove installed unwind headers
2015-01-10 20:38:31 -07:00
mike@arpaia.co
a0a404acc1
removing the dependency on unwind
...
Moving glog to third-party so that we can custom compile it so that
we no longer have the dependency on libunwind. #578
2015-01-10 13:02:30 -07:00
Teddy Reed
18d93d8cbc
Building DEB/RPM package dependencies
2015-01-09 12:24:54 -08:00
Teddy Reed
a4e236e16a
Simpler OSX package building
2015-01-07 20:01:33 -08:00
Teddy Reed
45ee10f162
More complete make package
2015-01-07 16:07:19 -08:00
Teddy Reed
2ad15763e2
Provide example config, improve pid check
2015-01-07 15:22:50 -08:00
Teddy Reed
dbb7050376
Merge pull request #575 from theopolis/fix_574
...
[Fix #574 ] Undef DEBUG for apt-pkg for make debug
2015-01-06 07:29:02 -08:00
Teddy Reed
27541d4260
[ Fix #574 ] Undef DEBUG for apt-pkg for make debug
2015-01-06 06:53:42 -08:00
Teddy Reed
f865647d0c
[ Fix #545 ] Simpler socket_info parsing in process_open_files
2015-01-06 06:23:48 -08:00
Teddy Reed
df3029e880
[ Fix #559 ] Detach event publisher threads when ending
2015-01-05 19:07:08 -08:00
Norm MacLennan
7a6eb8255a
renaming apt sources gen function
2015-01-05 18:02:55 -05:00
Norm MacLennan
38447838db
merging upstream cmake changes
2015-01-05 17:43:07 -05:00
Teddy Reed
a4e5e58ec0
Merge pull request #572 from theopolis/auto_dependency
...
Use CMake find_library for dependencies
2015-01-05 08:59:03 -08:00
Teddy Reed
d2cea32644
Use CMake find_library for dependencies
2015-01-05 08:32:05 -08:00
Teddy Reed
80276471c5
Add --daemonize option to osqueryd
2015-01-04 19:27:04 -08:00
Norm MacLennan
a6b769b6f4
a table to show apt package sources
2015-01-04 19:44:45 -05:00
Teddy Reed
86cce395ab
[ Fix #553 ] Move config JSON parsing into try
2015-01-03 23:12:28 -08:00
Teddy Reed
2cef8d6f9f
Merge pull request #564 from maclennann/deb_packages
...
deb_packages table
2015-01-02 11:15:56 -08:00
Norm MacLennan
cf08d605f0
code review changes and adding revision field
2015-01-02 13:30:04 -05:00
Teddy Reed
9b0adcc47f
[ Fix #560 ] Improve config tests
2015-01-01 22:05:03 -08:00
Norm MacLennan
18f40b0952
fixing compatibility issues with 1204 dpkg version
2015-01-01 18:58:00 -05:00
Norm MacLennan
dd4a9d9d74
merging cmake changes for distro-specific tables
2014-12-31 13:06:54 -05:00
Teddy Reed
ed00c95dca
Support centos/ubuntu-specific tables
2014-12-31 09:38:18 -08:00
Teddy Reed
914ae37a72
Move CMakeLibs and valgrind supp file
2014-12-31 08:32:23 -08:00
Norm MacLennan
beff9471f8
resolve merge conflict with upstream
2014-12-30 18:21:00 -05:00
Norm MacLennan
0191f1de29
resurrect the deb_packages table
2014-12-30 17:24:49 -05:00
Sean Williams
c54a568af3
Merge pull request #528 from facebook/linux-camb
...
Initial linux kernel instrumentation bits
2014-12-29 14:20:54 -08:00
Teddy Reed
2bf86ebda9
Merge pull request #562 from theopolis/plugins_refactor
...
Plugins Refactor: Towards external plugins
2014-12-29 13:37:03 -08:00
Teddy Reed
d7653c77e7
Support 'make libosquery' for a wrappable so/dylib
2014-12-27 23:14:34 -08:00
Teddy Reed
7d260d3c05
Cleanup cmake files
2014-12-27 22:55:08 -08:00
Teddy Reed
8c6e45e9b5
Fix ca_certs memory leak
2014-12-25 12:49:45 -08:00
Teddy Reed
94811f3ee8
Removed 'core' tables as a build dependency
2014-12-25 12:46:59 -08:00
Teddy Reed
e4b60e883a
Variable amalgamation output filename
2014-12-23 21:53:59 -07:00
Theodore M. Reed
b2be1fa383
Whole link tests and refactor flags_test
2014-12-23 20:38:16 -08:00
Teddy Reed
b2dca55539
Build leaner libosquery, allow control over spec/impl
2014-12-23 20:07:12 -08:00
Theodore M. Reed
01005c72b3
Moved crontab out of utility
2014-12-23 14:39:59 -08:00
Theodore M. Reed
53d683a3b3
Remove tables dependency from CMake build
2014-12-23 14:37:07 -08:00
Theodore M. Reed
7b0640e4eb
Move table link dependencies into tables CMakeLists
2014-12-23 14:37:00 -08:00
Bryan Eastes
93cb303abc
Merge branch 'master' of github.com:facebook/osquery into 520_pt_json_workaround
2014-12-20 18:24:33 -08:00
Bryan Eastes
5ad8d3ec55
Changes from CR
2014-12-20 18:19:33 -08:00
Sean Williams
9bb8efb9d9
Explicitly move out of osquery proper
2014-12-18 16:45:32 -08:00
Teddy Reed
ff7ca1e800
Merge pull request #557 from theopolis/xprotect_results
...
OSX results of XProtect hits
2014-12-18 13:04:08 -08:00
mike@arpaia.co
b9f732c31f
Updating the license comment to be the correct open source header
...
As per t5494224, all of the license headers in osquery needed to be updated
to reflect the correct open source header style.
2014-12-18 10:52:55 -08:00
Teddy Reed
6a6851c4bc
Merge pull request #544 from theopolis/events_2.0
...
Events 2.0
2014-12-17 20:17:02 -08:00
Teddy Reed
888f74de36
OSX results of XProtect hits
2014-12-17 18:35:01 -08:00
Teddy Reed
4453806dce
Remove raw pattern from XProtect
2014-12-17 14:46:53 -08:00
Teddy Reed
7602d17de9
Move base64Decode from ca_certs testing to conversions
2014-12-17 14:03:52 -08:00
Teddy Reed
fefe6de824
OSX XProtect signature DB as virtual table
2014-12-16 21:35:26 -08:00
Teddy Reed
8c38492b2a
Add XProtect vtable to OSX
2014-12-16 17:59:07 -08:00
Teddy Reed
30a27798d5
osqueryd should announce to syslog when starting
2014-12-16 12:04:43 -08:00
Sean Williams
a236e9cf89
Add copyright header
2014-12-16 19:39:16 +00:00
Teddy Reed
d5c5253bbc
Add osquery_flags vtable
2014-12-16 02:07:50 -08:00
Teddy Reed
b5535256e6
[ Fix #546 ] Rename md5 to config_md5 and add config_path to osquery_info
2014-12-16 01:52:02 -08:00
Teddy Reed
b442ef0fd3
Merge pull request #548 from theopolis/support_any_brew_openssl
...
Use static openssl libs to support thrift 0.9.x
2014-12-16 01:23:25 -08:00
Teddy Reed
4425bed23e
Merge pull request #504 from Anubisss/master
...
Adding a table which maps services from /etc/services.
2014-12-16 01:23:05 -08:00
Teddy Reed
5bd8d9ac37
Use static openssl libs to support thrift 0.9.x
2014-12-16 01:15:58 -08:00
Teddy Reed
dd2eaf248a
Fixing Linux syntax errors and tests for Events 2.0
2014-12-15 16:47:09 -08:00
Teddy Reed
6de14466db
Events 2.0 using pbr
2014-12-15 11:55:05 -08:00
Teddy Reed
fcdf49d17f
WIP migrating Linux Events
2014-12-15 00:43:28 -08:00
Teddy Reed
17efa0b3d6
Migrate subscribers on OSX
2014-12-15 00:25:28 -08:00
Teddy Reed
fbd56663d9
Migrate fsevents to events 2.0
2014-12-14 22:17:38 -08:00
Teddy Reed
d927495209
Support casted subscribes
2014-12-14 21:20:20 -08:00
Teddy Reed
c1e37b73fb
Non-static event type and name IDs
2014-12-14 18:03:41 -08:00
Teddy Reed
d2a93cf8c1
Remove EventSubscriber macros
2014-12-14 17:05:07 -07:00
anuka
fa95ff09d8
Some fix for etc_services.
...
Signed-off-by: anuka <david.vas1@gmail.com>
2014-12-14 22:14:00 +01:00
Teddy Reed
0d00e4b0e9
Remove EventPublisher macros
2014-12-14 04:43:31 -07:00
anuka
375c837b74
Merge remote-tracking branch 'upstream/master'
2014-12-13 15:27:09 +01:00
Teddy Reed
00c88a19bc
Add timeout to netlink socket read
2014-12-12 17:50:47 -08:00
Sean Williams
4faa10eba0
Move non-external API header files back to src dir
2014-12-12 14:45:29 -08:00
Teddy Reed
cd20ed6b77
Prevent IOKitHID value subscriptions
2014-12-11 18:19:05 -08:00
Teddy Reed
acccfa94e2
IOKit HID events and OSX hardware_events table
2014-12-11 18:06:08 -08:00
Teddy Reed
7b56fa605d
PCI/USB parity
2014-12-10 19:51:18 -08:00
Teddy Reed
a75fa3bf11
Merge pull request #538 from theopolis/improve_usb
...
Improve usb_devices on OSX
2014-12-10 19:51:08 -08:00
mike@arpaia.co
8f8bc6b772
osquery_info table
2014-12-10 18:38:41 -08:00
Teddy Reed
b08ad3cb14
Check USB property for CFString type
2014-12-10 09:12:12 -08:00
Teddy Reed
f29e0c17ca
Update ca_certs_tests to use moved OSX conversions
2014-12-10 01:59:13 -08:00
Teddy Reed
4644c5e19b
Simple usb_devices updates
2014-12-10 01:52:02 -08:00
Teddy Reed
7ba4fb31dd
Merge pull request #536 from theopolis/suid_fix
...
Suid fix
2014-12-10 01:19:48 -08:00
Teddy Reed
0b5083bd0e
Improve usb_devices on OSX
2014-12-10 01:17:24 -08:00
Bryan Eastes
bd97cb501a
First draft of workaround for #520
2014-12-10 00:15:27 -08:00
Teddy Reed
ab8df11818
Add filesystem_error catching and remove suid_bin from BL
2014-12-09 20:13:39 -08:00
Teddy Reed
9a9de67b93
Restrict suid_bin to common search paths
2014-12-09 16:38:14 -08:00
Teddy Reed
192224977d
Add small delay if NL read = 0
2014-12-09 16:02:25 -08:00
Teddy Reed
22c9664ae1
[ Fix #530 ] Continue to read from NL socket
2014-12-09 15:49:40 -08:00
Teddy Reed
f4a226f4cf
Merge pull request #533 from theopolis/static_build_osx
...
Link the brew dependencies statically on OSX
2014-12-09 14:03:54 -08:00
Teddy Reed
2fae6c0d7c
Link the brew dependencies statically on OSX
2014-12-09 13:40:53 -08:00
Ari Rubinstein
27b6fb021e
Force git to return something if tags aren't found
...
If there are no tags in the current repository, this command will fail, leaving OSQUERY_BUILD_VERSION blank and therefore breaking the package building process (and presumably other things too) due to the empty version flag. By adding the flag --always, git is forced to fall back to a commit id instead of returning nothing.
2014-12-09 09:52:36 -08:00
mike@arpaia.co
0846b6ddd5
Fixing pidfile creation bug
...
If osqueryd was killed and another process was started with osqueryd's
old pid before a new osqueryd could start, osqueryd would encounter a
bug where osqueryd would never start.
This executes an osquery query to the processes table to make sure that
the name of the process is "osqueryd". Of course, you could perhaps
denial of service osqueryd this way, but that would require root
filesystem access (assuming that the last version of osqueryd was
run as root). Thoughts?
2014-12-08 23:52:38 -08:00
Sean Williams
341fbc3b53
- Conform to new table function signature
...
- Add proper include and fix brackets on macro
- Let osquery core do the integer cast for syscall_addr_modified
- Fix misc cruft
2014-12-09 01:47:51 +00:00
Sean Williams
48bf3192e1
kernel_integrity vtable to use camb
2014-12-08 23:58:33 +00:00
Sean Williams
cd5bedbb0e
Remove hooking of init module: it should really go in an LSM proper; also fix Makefile when SMAP is not specified
2014-12-08 23:58:32 +00:00
Sean Williams
c979656cc9
Makefile more flexible; fix a few bugs; optionally naively hide module
2014-12-08 23:58:08 +00:00
Sean Williams
7a81544ac0
Makefile more flexible; fix a few bugs; optionally naively hide module
2014-12-08 23:58:07 +00:00
mike@arpaia.co
c6f14b9776
moving to top-level kernel directory
2014-12-08 23:52:34 +00:00
Sean Williams
d2bde43331
Fix a couple bugs; cleanup unused code/includes
2014-12-08 23:47:30 +00:00
Sean Williams
05ce70f871
Detect some linux kernel tampering. initial branch; not yet complete
...
- Download kernel headers, enter camb directory, and type 'make'
- New sysfs directory /sys/kernel/camb created with two files underneath it:
syscall_addr_modified and text_segment_hash.
File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)
The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
2014-12-08 23:47:30 +00:00
Sean Williams
6ad17759d8
Makefile more flexible; fix a few bugs; optionally naively hide module
2014-12-08 23:47:29 +00:00
Sean Williams
218f74ae80
Makefile more flexible; fix a few bugs; optionally naively hide module
2014-12-08 23:47:29 +00:00
mike@arpaia.co
1ce1e17902
new headers
2014-12-08 23:47:25 +00:00
mike@arpaia.co
5b80664c5e
moving to top-level kernel directory
2014-12-08 23:47:25 +00:00
Sean Williams
279d55e49d
Fix a couple bugs; cleanup unused code/includes
2014-12-08 23:47:24 +00:00
Sean Williams
0953b17e93
Detect some linux kernel tampering. initial branch; not yet complete
...
-Download kernel headers, enter camb directory, and type 'make'
-New sysfs directory /sys/kernel/camb created with two files underneath it:
syscall_addr_modified and text_segment_hash.
File `syscall_addr_modified` is either 1 or 0 representing whether the syscall function pointers were modified or not respectively.
File `text_segment_hash` is the current sha1 hash of the kernel's .text segment (excluding loaded modules)
The address range that camb currently hashes is subject to change because it's probably not comprehensive. However, it caught the rootkits that I've thrown at it, one of which is suterusu (https://github.com/mncoppola/suterusu).
2014-12-08 23:47:24 +00:00
Teddy Reed
96d68ce98a
Clean before building CI
2014-12-08 15:22:17 -08:00
Teddy Reed
2ebbbf6f98
Linux udev events
2014-12-08 14:13:47 -08:00
mike@arpaia.co
e260007f04
Change exit(-1) to exit(EXIT_FAILURE)
2014-12-08 10:40:10 -08:00
Teddy Reed
fb5048596c
Merge pull request #527 from theopolis/fix_linux_processes_cmdline
...
Replace linux cmdline tokens with spaces
2014-12-07 18:11:07 -08:00
Teddy Reed
f8cc579d36
Fix json results clear
2014-12-07 15:53:37 -07:00
Teddy Reed
b890670be1
Replace linux cmdline tokens with spaces
2014-12-07 00:35:24 -07:00
Teddy Reed
a0866c0972
Merge pull request #524 from theopolis/events_expiry
...
Events expiry
2014-12-06 19:52:16 -08:00
Teddy Reed
19695d40aa
Add expiration to events
2014-12-06 18:28:03 -07:00
Teddy Reed
78ecc73d81
Add -json output mode for shell
2014-12-06 18:22:48 -07:00
Teddy Reed
7b16e45f55
Improve pubsub unittests
2014-12-05 16:18:05 -07:00
Teddy Reed
7c738c8497
Codemod to improve include search paths
2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274
Merge pull request #515 from theopolis/faster_generator
...
Towards simple table generation
2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f
Merge pull request #510 from wxsBSD/issue_475
...
Implement signed columns for users and groups.
2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325
Use a single class for Table plugins
2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4
Amalgamate generated tables
2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405
Organize /tools
2014-12-02 21:16:24 -08:00
Teddy Reed
119eb37731
Simple template functions
2014-12-02 21:02:50 -08:00
Teddy Reed
f4337243ec
Towards simple table generation
2014-12-02 20:36:46 -08:00
Bryan Eastes
5eef747025
Fixed typo in getHostIdentifer
2014-12-02 14:09:37 -08:00
Teddy Reed
d885bf420d
Port manual/filesystem to file using constraints
2014-12-02 12:37:26 -08:00
Teddy Reed
13fb05ab48
Move config member set back to end of ctor
2014-12-02 01:52:32 -08:00
Teddy Reed
366c646cb8
Merge pull request #507 from theopolis/config_options
...
Read arguments/options from config
2014-12-01 23:57:53 -08:00
Teddy Reed
f8e9750ea2
Merge pull request #508 from theopolis/workaround_422
...
[Fix #422] Workaround for multiple selects
2014-12-01 23:57:37 -08:00
Bryan Eastes
d2d021df24
Fixed small bug in getHostIdentifier method
2014-12-01 15:02:40 -08:00
Wesley Shields
2504c06feb
Implement signed columns for users and groups.
...
Fixes #475.
2014-12-01 11:52:13 -05:00
Teddy Reed
fc69ccf22a
[Fix #422] Workaround for multiple selects
2014-12-01 02:27:51 -07:00
Teddy Reed
43b4debd47
Read arguments/options from config
2014-12-01 02:05:46 -07:00
Teddy Reed
6a46513a08
Fix abrt in osqueryd as non-su
2014-11-30 22:36:55 -07:00
Teddy Reed
3ec6b473dd
[Fix #498] Remove default catch in quarantine
2014-11-30 22:01:31 -07:00
Teddy Reed
13c8277bb4
Add query constraints to logged_in_users
2014-11-29 22:40:11 -08:00
Teddy Reed
e33443d354
clang-format on feature-predicate updates
2014-11-29 22:36:07 -08:00
Teddy Reed
76780aa6f0
Improve OSX apps table
2014-11-29 22:36:07 -08:00
Teddy Reed
b1cf8f1e61
Improve and use constraints for various OSX tables
2014-11-29 22:36:07 -08:00
Teddy Reed
3fa2442e25
Rename/improve bash_history to shell_history
2014-11-29 22:36:07 -08:00
Teddy Reed
56014b9c31
Moving table definitions into core/tables.cpp
2014-11-29 22:36:06 -08:00
Teddy Reed
b18068f114
Improve kextstat/startup_items code and perf
2014-11-29 22:36:06 -08:00
Theodore M. Reed
8ab1863790
Predicate constraints for FreeBSD
2014-11-29 22:36:06 -08:00
Teddy Reed
59367b41af
Predicate constraints for Linux
2014-11-29 22:36:06 -08:00
Teddy Reed
ba86d68e68
Rebuild generated files when templates change.
2014-11-29 22:36:06 -08:00
Teddy Reed
b4be08a702
Updating table generators to use QueryContext
2014-11-29 22:36:05 -08:00
Teddy Reed
cd8413d483
Organizing affinity types into tables.
2014-11-29 22:36:05 -08:00
Teddy Reed
2b1cd4eee3
Towards predicate constraint checking
2014-11-29 22:36:05 -08:00
Teddy Reed
750cc807cf
Merge pull request #493 from wxsBSD/issue_9
...
Implement logged_in_users.
2014-11-29 22:22:10 -08:00
anuka
0a280f6546
Adding a table which maps services from /etc/services.
...
Signed-off-by: anuka <david.vas1@gmail.com>
2014-11-29 17:06:34 +01:00
mike@arpaia.co
e29e808358
build tooling
...
adding build files for some random build systems
2014-11-25 17:38:16 -08:00
Mike Arpaia
6eb2ffda55
Merge pull request #497 from facebook/host-ident-sig
...
Refactoring getHostIdentifier and adding some extra logging
2014-11-25 11:53:23 -06:00
mike@arpaia.co
fdcea6daa7
manual fix to spacing issue
2014-11-25 09:08:00 -08:00
mike@arpaia.co
5855dab22b
fixing two missing semi-colon issues with clang-format
2014-11-25 09:05:16 -08:00
mike@arpaia.co
807b7c735f
can't format filesystem_tests because of raw strings
2014-11-25 09:05:16 -08:00
mike@arpaia.co
8f50cae3aa
clang-format on the codebase
...
Periodic clang-format run.
2014-11-25 09:05:16 -08:00
mike@arpaia.co
6f8ec8587c
Refactoring getHostIdentifier and adding some extra logging
2014-11-25 08:47:32 -08:00
Wesley Shields
7abc9f75f2
Implement logged_in_users.
...
Fixes #9.
2014-11-22 23:49:37 -05:00
Teddy Reed
4de3c8a0cf
Fix memory leaks in USB Devices for OSX
2014-11-22 18:04:47 -08:00
Nick
acad6d8e8d
Added USB device support for Mac (Linux coming next)
2014-11-22 17:42:56 -08:00
Wesley Shields
059403eac4
Merge branch 'master' into macros
...
Conflicts:
osquery/tables/system/darwin/processes.cpp
2014-11-22 15:12:21 -05:00
Teddy Reed
1caba72c30
Remove 'host' from OS X route types #483
2014-11-21 10:59:25 -08:00
Teddy Reed
44181b7aeb
Add basic support for unsigned long long int
2014-11-21 10:32:56 -08:00
Teddy Reed
6fc014b390
Merge pull request #478 from theopolis/darwin_min_abi
...
Support at least darwin/OSX 10.9+
2014-11-20 18:10:39 -08:00
Teddy Reed
011c0f0d47
Support at least darwin/OSX 10.9+
2014-11-20 18:02:38 -08:00
Teddy Reed
1961921d95
Pull process_open_files out of processes.cpp and reduce logging
2014-11-20 17:19:04 -08:00
Teddy Reed
a84c20a468
Merge pull request #472 from theopolis/cleanup-inode-tables
...
Cleanup inode table implementations and unblacklist.
2014-11-19 17:04:23 -08:00
Teddy Reed
b2debf509a
Cleanup inode table implementations and unblacklist
2014-11-19 16:56:48 -08:00
Teddy Reed
9a6a69a224
Merge pull request #469 from theopolis/logging-nits
...
Move expected errors to info log
2014-11-19 14:54:32 -08:00
Mike Arpaia
ac70916719
Merge pull request #434 from lwhsu/freebsd-build
...
FreeBSD support of build infrastructure
2014-11-19 09:23:17 -08:00
Teddy Reed
bc9a5ed3b4
Move expected errors to info log
2014-11-19 09:03:58 -08:00
mike@arpaia.co
756f755aa4
fixing typo in config tests
2014-11-18 18:06:33 -08:00
mike@arpaia.co
ee15228819
fixing naming of columns in tests
2014-11-18 17:43:16 -08:00
Wesley Shields
9cf662cca0
More explicit usage of macros.
2014-11-18 19:40:14 -05:00
Wesley Shields
550bf15c74
First pass at macro usage in tables.
2014-11-18 19:25:34 -05:00
Li-Wen Hsu
1c275ea197
Use dynamic linking
2014-11-19 05:08:32 +08:00