Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5408
Move the C++ enum to std::string conversion function out of
osquery/utils/error.h into a separate module, to be able to use it somewhere else.
Reviewed By: guliashvili
Differential Revision: D13896772
fbshipit-source-id: 0a9f6327d5b2f115ce688446a67677879411eb1f
Summary: Before this diff osqueryd was relying on linker order to use the right main function, since gtest also contains a main function
Reviewed By: guliashvili
Differential Revision: D13897622
fbshipit-source-id: d260b7496f513c7052f4db87c8e7ff9300493671
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5406
use new flag file for windows toolchain configuration
Reviewed By: mkareta
Differential Revision: D13859827
fbshipit-source-id: 7560c989e2590663d511b5b644ba6bc3c6b5e5f4
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5405
this should find where VS is installed and set the buck flags properly.
Have tested on my VM and the paths are ok. This only works for 2017 and newer (hopefully)
I'm not sure how future proof this is, Microsoft usually changes directory structures randomly.
Reviewed By: muffins
Differential Revision: D13762391
fbshipit-source-id: 894e6a6d5888e13ab646ca9cb4a0d604bcf53ee5
Summary:
This PR is the result of the discussion in a previous PR (#5348) after we determined account_policy_data was the wrong place for the column.
Add `is_hidden` column to the users and groups tables in macOS. `is_hidden` is populated by looking for the `dsAttrTypeNative:IsHidden` attribute in the OpenDirectory record for the user/group; if the value is `1`, `True`, or `Yes`, is_hidden is 1. If the value is anything else it's set to 0. Invalid values have the same effect as the attribute not existing at all.
The `dsAttrTypeNative:IsHidden` attribute controls whether a user account is visible in the preferences panel, similar to having a uid < 500.
One test failed when running buck test:
```
====STANDARD OUT====
tests/integration/tables/helper.cpp:159: Failure
Value of: boost::get<CustomCheckerType>(validator)(value)
Actual: false
Expected: true
Custom validator of the column "mask" with value "" failed
```
This also fails when I run the test on the current experimental branch.
Important to note I had to remove the optimization on both the user and group tables that just called `getpwnam` if the query specified the `uid` or `gid` since the struct returned doesn't contain the `IsHidden` attribute. I'm not sure if or how much this will affect performance since I wasn't able to get the profiling to work with the new version (very likely I'm just doing it incorrectly).
Pull Request resolved: https://github.com/facebook/osquery/pull/5368
Differential Revision: D13862375
Pulled By: akindyakov
fbshipit-source-id: 1fec88a6ba71884f7e611e1d96ea00630c5be655
Summary: profiler file contained the CodeProfiler class, which is a bit odd. Thanks alecx
Reviewed By: akindyakov
Differential Revision: D13861320
fbshipit-source-id: 11d711fd1d15830d4cce0be084cc6da3b1c6589c
Summary:
Split query name and pack name with the delimiter (dot), which should not occur inside their names (instead of _ or -).
Also log things per pack name
Reviewed By: SAlexandru
Differential Revision: D13854471
fbshipit-source-id: 181e7e19fcfb5d57a779cea6a2804eda09dc5a91
Summary:
Split query name and pack name with the delimiter (dot), which should not occur inside their names (instead of _ or -).
Also log things per pack name
Reviewed By: mkareta
Differential Revision: D13854389
fbshipit-source-id: 35ba80813d98371dd36a83ec32aad677f24aa6eb
Summary: ScheduledQuery was declared both in query.h and in scheduled_query.h. Let's keep scheduled_query.h only.
Reviewed By: mkareta
Differential Revision: D13859371
fbshipit-source-id: 241b948d21fe619be360037a4e2e52a833a23b2b
Summary: In the interest of making changes smaller, I'm replicating stuff around QueryData to QueryDataTyped in intermediate commits. I'll come back and remove stuff that's no longer used when subsequent changes eliminate use of them.
Reviewed By: guliashvili
Differential Revision: D13741994
fbshipit-source-id: de0b00ddb0ad4b344d68ce799fe9fac759bb6199
Summary: Also it causes debug failure on unchecked Expected when status is not ok
Reviewed By: mkareta
Differential Revision: D13859377
fbshipit-source-id: 596410350cb91d469dc0a19f0e8eec558e8627bd
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5398
The file moved to a different location.
Reviewed By: marekcirkos
Differential Revision: D13817331
fbshipit-source-id: 6bd3947894daa712edae84b71502af997947b9b0
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5396
Buckify new version of the sqlite.
Reviewed By: marekcirkos
Differential Revision: D13801135
fbshipit-source-id: 0acb5c90c962b114dc2a699cfe84f9264efae336
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5390
To eliminate the effect of dropping privileges in other threads causing polling EINTR errors in thrift.
According to the reference to [bugzilla.redhat](https://bugzilla.redhat.com/show_bug.cgi?id=473907), in case of changing privileges `glibc` sends SIGRT_1 to other threads, which leads to poll being interrupted. On POSIX we cannot have different credentials for threads of one process. Therefore the solution is either to not use dropping privileges for the whole osquery process or to patch all usages of poll in thrift code. I like the first option more because playing with permissions of the whole `osqueryd` can cause unpredictable interference between threads. For instance the same table can provide different results because some other thread is dropping and regaining privileges at the same time.
So, the solution I'd like to suggest for now is to remove dropping privileges from safe places like reading files with known hostnames or shell history files. And because we cannot interact with apt/rpm/yum databases as root and should drop to the none user for it, I'd suggest increasing the number of attempts to poll in case of EINTR. It can significantly eliminate the problem for now.
To address the problem in issue: [#5326](https://github.com/facebook/osquery/issues/5326)
Thanks fmanco for the help to investigate this problem.
Reviewed By: fmanco
Differential Revision: D13781886
fbshipit-source-id: 4b1f2b7d20c925cc19ba79cc0a2906b65e815c0b
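The EINTR retry the commit message proposes, shown as an added C++ example that is not osquery's or thrift's own code. It wraps a poll function (injectable so the retry logic can be exercised without real signals), retries only while the failure is EINTR, caps the number of attempts as the message suggests, and tracks a finite timeout as a deadline so repeated interruptions cannot extend the wait. The attempt cap of 10 and the fixture functions are assumptions for this example.

```cpp
#include <cerrno>
#include <chrono>
#include <functional>
#include <poll.h>
#include <unistd.h>

using PollFn = std::function<int(struct pollfd*, nfds_t, int)>;

// Calls poll_fn and retries while it fails with EINTR, for at most
// max_attempts calls in total. Any other error, or success, returns at once.
// A non-negative timeout is treated as a deadline across the retries.
int pollRetryingOnEintr(const PollFn& poll_fn, struct pollfd* fds, nfds_t nfds,
                        int timeout_ms, int max_attempts) {
  using clock = std::chrono::steady_clock;
  const bool finite = timeout_ms >= 0;
  const auto deadline =
      clock::now() + std::chrono::milliseconds(finite ? timeout_ms : 0);
  int remaining = timeout_ms;
  for (int attempt = 1;; ++attempt) {
    const int rc = poll_fn(fds, nfds, remaining);
    if (rc >= 0 || errno != EINTR || attempt >= max_attempts) {
      return rc;  // errno is left as poll set it
    }
    if (finite) {
      const auto left = std::chrono::duration_cast<std::chrono::milliseconds>(
                            deadline - clock::now())
                            .count();
      remaining = left > 0 ? static_cast<int>(left) : 0;
    }
  }
}

// Convenience overload over the real poll(2); 10 attempts is an assumed cap.
int pollRetryingOnEintr(struct pollfd* fds, nfds_t nfds, int timeout_ms,
                        int max_attempts = 10) {
  PollFn real = [](struct pollfd* f, nfds_t n, int t) { return ::poll(f, n, t); };
  return pollRetryingOnEintr(real, fds, nfds, timeout_ms, max_attempts);
}

// Constructed fixture: poll is "interrupted" twice, then reports one ready fd.
bool demoRecoversAfterTransientEintr() {
  int calls = 0;
  PollFn flaky = [&](struct pollfd*, nfds_t, int) -> int {
    if (++calls < 3) {
      errno = EINTR;
      return -1;
    }
    return 1;
  };
  struct pollfd pfd {};
  const int rc = pollRetryingOnEintr(flaky, &pfd, 1, 100, 5);
  return rc == 1 && calls == 3;
}

// Constructed fixture: every call is interrupted, so the cap must be honoured
// and the final errno must still say EINTR to the caller.
bool demoGivesUpAfterMaxAttempts() {
  int calls = 0;
  PollFn always = [&](struct pollfd*, nfds_t, int) -> int {
    ++calls;
    errno = EINTR;
    return -1;
  };
  struct pollfd pfd {};
  const int rc = pollRetryingOnEintr(always, &pfd, 1, 100, 4);
  return rc == -1 && errno == EINTR && calls == 4;
}

// Real poll(2) on a pipe that already holds one byte: readable immediately.
bool demoRealPollOnPipe() {
  int fds[2];
  if (pipe(fds) != 0) return false;
  const char b = 'x';
  (void)write(fds[1], &b, 1);
  struct pollfd pfd {fds[0], POLLIN, 0};
  const int rc = pollRetryingOnEintr(&pfd, 1, 1000);
  close(fds[0]);
  close(fds[1]);
  return rc == 1 && (pfd.revents & POLLIN) != 0;
}
```

Bounding the retries matters: an unbounded loop would turn a thread that is continuously signalled into a busy spinner, whereas a bounded one still surfaces EINTR to the caller once the cap is hit.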
Summary:
Fix minor typo in description. Moved original PR (#5380) from master to experimental
Pull Request resolved: https://github.com/facebook/osquery/pull/5388
Differential Revision: D13781801
Pulled By: guliashvili
fbshipit-source-id: d57d5e45c1597c6d640dbf908a42ced4f4bbf54c
Summary: We went with 'long' rather than 'int64_t' in the JSON serialization methods that were added, so change our variant type to match
Reviewed By: marekcirkos
Differential Revision: D13675340
fbshipit-source-id: 1ccde4ce9f651fe68db968b367507aa67823c74f
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5385
Left shift with >= 31 steps was done on an integer type. Using unsigned long long (1ULL) instead of the int (1).
Reviewed By: fmanco
Differential Revision: D13751355
fbshipit-source-id: 4564b33e2d26a0cb459ee86d180c0af492fa1f43
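The shift bug this commit fixes, shown as an added C++ example that is not osquery's own code. `1 << 31` on a 32-bit `int` shifts into the sign bit, which is undefined behaviour in C and in C++ before C++20, and a shift by 32 or more is undefined for any width; a compiler is free to fold either into whatever is convenient, so a mask computed that way is unreliable. The helper below builds the mask in a 64-bit unsigned type (the `1ULL` of the fix) and rejects out-of-range shift counts instead of relying on the caller. The function names are assumptions for this example.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// True when `1 << bit` on a plain int would shift into or past the sign bit:
// bit >= 31 on the usual 32-bit int (the case the PR fixes).
bool intShiftWouldOverflow(unsigned bit) {
  return bit >= static_cast<unsigned>(std::numeric_limits<int>::digits);
}

// Single-bit mask as a 64-bit unsigned value, equivalent to `1ULL << bit`.
// Shifting by the type width or more is undefined for unsigned types too,
// so an out-of-range count yields nullopt rather than garbage.
std::optional<std::uint64_t> bitMask64(unsigned bit) {
  if (bit >= static_cast<unsigned>(std::numeric_limits<std::uint64_t>::digits)) {
    return std::nullopt;
  }
  return std::uint64_t{1} << bit;
}

// Sets `bit` in a 64-bit flag word; returns false (and leaves flags alone)
// for an out-of-range bit, so callers cannot silently lose a flag.
bool setFlagBit(std::uint64_t& flags, unsigned bit) {
  const auto mask = bitMask64(bit);
  if (!mask) return false;
  flags |= *mask;
  return true;
}
```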
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5383
It is better supported and also allows us to generate an Xcode project
Reviewed By: akindyakov
Differential Revision: D13761638
fbshipit-source-id: 4a1cec6106f5e427e23a85ccee9760579ec4d597
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5373
I made a wrapper for the syscall perf_event_open to isolate the syscall code definition and use `Expected<>` as a return value.
Reviewed By: mkareta
Differential Revision: D13622565
fbshipit-source-id: 616080a64376d4b042629513ad715b1d2458b8a2
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5370
Handler to enable an event with a certain type, get an id of the event and make sure it will be disabled afterwards.
Part of a linux `syscalls` tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: mkareta
Differential Revision: D13621388
fbshipit-source-id: 8adfbe3cc1d87f70538851c5036eae51c93bede8
Summary:
This adds support for the `#includedir` and `#include` directives to the `sudoers` table, making `sudoers` behave more like the actual `sudo` rule parser:
* When an `includefile` directive is encountered, the referenced file will be parsed using the same rules as the top-level sudoers file.
* When an `includedir` directive is encountered, the referenced directory will be listed and each valid file within (i.e., each file *not* containing a `.` and *not* ending with `~`) will be parsed using the same rules as the top-level sudoers file.
* An additional `source` column tracks the file that provides the row's rule.
* Like `sudoers(5)`, nesting is limited to 128 individual files, with directory inclusions being counted once for each file they contain.
Pull Request resolved: https://github.com/facebook/osquery/pull/5350
Differential Revision: D13717394
Pulled By: akindyakov
fbshipit-source-id: 9659526f21e82c712c495caa80775b15d7e47e37
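The include handling the commit describes, shown as an added C++ example that is not osquery's `sudoers` table code. It follows the four bullets above: `#include` parses the named file with the same rules, `#includedir` lists the directory and skips entries containing a `.` or ending in `~` (so editor backups and package-manager leftovers never become rules), every rule carries the file it came from, and a running count of files parsed, with each includedir file counted separately, stops at 128. Relative include paths resolving against the including file's directory, sorted includedir order, and the fixture layout are assumptions for this example; the fixture is a constructed temporary tree, not a real `/etc/sudoers`.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

struct SudoersRule {
  std::string rule;    // the rule line as written
  std::string source;  // file that provided it (the `source` column)
};

struct SudoersParseResult {
  std::vector<SudoersRule> rules;
  std::size_t files_parsed = 0;
};

// sudoers(5) caps inclusion at 128 files; each includedir file counts once.
constexpr std::size_t kMaxSudoersFiles = 128;

static std::string trim(const std::string& s) {
  const auto b = s.find_first_not_of(" \t\r");
  if (b == std::string::npos) return "";
  const auto e = s.find_last_not_of(" \t\r");
  return s.substr(b, e - b + 1);
}

// includedir entries with a '.' anywhere or a trailing '~' are ignored.
static bool isValidIncludedirEntry(const std::string& name) {
  return !name.empty() && name.find('.') == std::string::npos && name.back() != '~';
}

static void parseSudoersFile(const fs::path& path, SudoersParseResult& res) {
  if (res.files_parsed >= kMaxSudoersFiles) return;  // nesting/cycle guard
  ++res.files_parsed;
  std::ifstream in(path);
  if (!in) return;  // unreadable include: skip, do not abort the whole parse
  const fs::path base = path.parent_path();  // assumed base for relative includes
  std::string raw;
  while (std::getline(in, raw)) {
    const std::string line = trim(raw);
    if (line.empty()) continue;
    if (line.rfind("#includedir ", 0) == 0) {
      std::vector<fs::path> entries;
      std::error_code ec;
      for (const auto& entry :
           fs::directory_iterator(base / trim(line.substr(12)), ec)) {
        if (entry.is_regular_file(ec) &&
            isValidIncludedirEntry(entry.path().filename().string())) {
          entries.push_back(entry.path());
        }
      }
      std::sort(entries.begin(), entries.end());  // deterministic order
      for (const auto& p : entries) parseSudoersFile(p, res);
    } else if (line.rfind("#include ", 0) == 0) {
      parseSudoersFile(base / trim(line.substr(9)), res);
    } else if (line[0] == '#') {
      continue;  // ordinary comment
    } else {
      res.rules.push_back({line, path.string()});
    }
  }
}

// Constructed fixture: a main file, an includedir with one valid and two
// skipped entries, and a file that includes itself so only the cap ends it.
SudoersParseResult demoSudoersIncludes() {
  const fs::path root = fs::temp_directory_path() / "sudoers-include-demo";
  fs::remove_all(root);
  fs::create_directories(root / "sudoers.d");
  auto writeFile = [](const fs::path& p, const std::string& body) {
    std::ofstream out(p);
    out << body;
  };
  writeFile(root / "sudoers",
            "# main file\nroot ALL=(ALL) ALL\n#includedir sudoers.d\n#include extra\n");
  writeFile(root / "sudoers.d" / "10-admins", "%admin ALL=(ALL) ALL\n");
  writeFile(root / "sudoers.d" / "20-skipped.conf", "bad ALL=(ALL) ALL\n");
  writeFile(root / "sudoers.d" / "30-backup~", "bad ALL=(ALL) ALL\n");
  writeFile(root / "extra", "#include extra\nalice ALL=(ALL) NOPASSWD: ALL\n");
  SudoersParseResult res;
  parseSudoersFile(root / "sudoers", res);
  fs::remove_all(root);
  return res;
}

// Checks the fixture: 128 files visited (1 main + 1 includedir file + 126
// self-includes), rules sourced correctly, and no skipped entry leaking in.
bool demoSudoersIncludesLooksRight() {
  const auto res = demoSudoersIncludes();
  const bool noBad = std::none_of(res.rules.begin(), res.rules.end(),
                                  [](const SudoersRule& r) { return r.rule == "bad ALL=(ALL) ALL"; });
  return res.files_parsed == kMaxSudoersFiles && res.rules.size() == 128 &&
         res.rules[0].rule == "root ALL=(ALL) ALL" &&
         fs::path(res.rules[1].source).filename() == "10-admins" && noBad;
}
```

The self-including `extra` file is the case worth testing: without the file cap a recursive include (or two files including each other) would never terminate, and the cap also bounds how much a crafted `#includedir` can make the table read.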
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5369
automatically select the appropriate config files based on the current platform and the flavor that was provided
Reviewed By: fmanco, guliashvili
Differential Revision: D13695981
fbshipit-source-id: acdb03bfe4e5d6a352e7a52d5b9812c0e1b05010
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5354
eBPF system call osquery wrapper with Expected as a return value and function to check if functionality is supported by current kernel.
Blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: mkareta
Differential Revision: D13607442
fbshipit-source-id: 58be84a86aba3fe5e33ca5ab15418976fd36107c
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5365
Rather than having two copies of the same implementation it would be better to just bridge its implementation
Reviewed By: akindyakov
Differential Revision: D13684438
fbshipit-source-id: 3faf5ddfcc302b6e1e59613169905497d6e98504
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5366
Rather than having two copies of the same implementation it would be better to just bridge its implementation
Reviewed By: akindyakov, fmanco
Differential Revision: D13684437
fbshipit-source-id: 95693317c7219ea1d0e0b94f604bd61c4e3a444f
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5364
Rather than having two copies of the same implementation it would be better to just bridge its implementation
Reviewed By: akindyakov, fmanco
Differential Revision: D13671592
fbshipit-source-id: e8f9ebbaee587e4f28f63bef3561a84559c278ab
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5363
Rather than having two copies of the same implementation it would be better to just bridge its implementation
Reviewed By: akindyakov, fmanco
Differential Revision: D13671460
fbshipit-source-id: d1b1b1097ede178d0d645a8ef886f8cecb9e302a
Summary:
This pull request is for the addition of examples under the functions in the SQL Additions subtitle in the documentation, specifically the introduction section of the documentation. The file that was changed was sql.md in the osquery/docs/wiki/introduction path. This is the addition I made:
- Added a minimalist drop-down design under every subsection of new functions added (e.g. Math Functions like 'sqrt', 'log', etc.). This will allow newcomers to the documentation to understand even more deeply the new SQL functions that the osquery team supplied, and how to use them in the actual program.
- Each added example tackles every function the osquery team listed in the documentation, allowing for a closer understanding of the functions.
Pull Request resolved: https://github.com/facebook/osquery/pull/5305
Reviewed By: guliashvili
Differential Revision: D13693267
Pulled By: fmanco
fbshipit-source-id: 9c3cd5b5950ce019f5ea5fc74f780f50a291ca71