Summary:
While running `misspell` on a different codebase, I happened to notice some misspellings in the osquery code base. So, I fixed them.
Pull Request resolved: https://github.com/facebook/osquery/pull/5256
Reviewed By: guliashvili
Differential Revision: D13670897
Pulled By: fmanco
fbshipit-source-id: 5d33d858284955c376e8c3980acdf366d4edf3d3
Summary:
I had previously attempted to land a fix to the extra newline that was trailing on Windows Event Logs, but had failed. This actually fixes the extra newline, which I verified. I'd love to have unit tests for this; however, we don't currently have any unit tests set up for Windows Event Logging.
Pull Request resolved: https://github.com/facebook/osquery/pull/5271
Differential Revision: D13690844
Pulled By: fmanco
fbshipit-source-id: b7447fe2f6e2313c8e7f8765d636f7999d2b5909
Summary:
The set accidentally missed Saturday and Sunday days of the week. This just adds them in.
Fixes #5297.
Pull Request resolved: https://github.com/facebook/osquery/pull/5298
Reviewed By: guliashvili
Differential Revision: D13690812
Pulled By: fmanco
fbshipit-source-id: 1859d32ad635d63548435fed8e9da131530be5ce
Summary:
Add support for listing atom packages on Linux and Mac. Shouldn't be a problem adding support for Windows, but have no way to test it right now.
Lists package name, version, description, package path, license and homepage (see test).
Reviewed By: fiorix
Differential Revision: D13636097
fbshipit-source-id: f38a57128cedde2d027a0205588c8b563e2b188c
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5342
This sort of enumeration is required to pass posix system errors with `Expected<>`
Reviewed By: mkareta, fmanco
Differential Revision: D13608306
fbshipit-source-id: 0b787b12fac915f097dc310b616df507772da455
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5343
Just a parser for a semantic version in a string. I'm going to use it later to parse the kernel version from the `int uname()` result.
Reviewed By: guliashvili
Differential Revision: D13607313
fbshipit-source-id: d6d01fe220f242d3811406dcd63d609feb0d6688
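As an added example that is not the osquery parser from this diff, the following sketches what such a string-to-version parser has to handle when fed `uname`-style release strings ("4.15.0-20-generic", "19.6.0"): empty components, non-numeric input and numeric overflow are rejected rather than silently producing a wrong version, and a comparison on the numeric triple is provided for "is this kernel at least X" checks. The `SemVer`, `parseSemVer` and `compareCore` names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

// Hypothetical result type (not osquery's): numeric triple plus whatever
// trailed it, e.g. "-20-generic" on an Ubuntu kernel release string.
struct SemVer {
  std::uint32_t major = 0;
  std::uint32_t minor = 0;
  std::uint32_t patch = 0;
  std::string suffix;
};

// Parse one decimal component starting at `pos`, stopping at the first
// non-digit. Fails on an empty component or on overflow of uint32.
static bool parseComponent(const std::string& s, std::size_t& pos, std::uint32_t& out) {
  const std::size_t start = pos;
  std::uint64_t value = 0;
  while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') {
    value = value * 10 + static_cast<std::uint64_t>(s[pos] - '0');
    if (value > UINT32_MAX) {
      return false;  // refuse to wrap around silently
    }
    ++pos;
  }
  if (pos == start) {
    return false;  // no digits at all
  }
  out = static_cast<std::uint32_t>(value);
  return true;
}

// Accepts "major.minor" and "major.minor.patch", with an arbitrary suffix
// after the numeric part. Returns std::nullopt on any malformed input.
std::optional<SemVer> parseSemVer(const std::string& s) {
  SemVer v;
  std::size_t pos = 0;
  if (!parseComponent(s, pos, v.major)) return std::nullopt;
  if (pos >= s.size() || s[pos] != '.') return std::nullopt;
  ++pos;
  if (!parseComponent(s, pos, v.minor)) return std::nullopt;
  // The patch level is optional: "5.4" parses with patch = 0.
  if (pos < s.size() && s[pos] == '.') {
    ++pos;
    if (!parseComponent(s, pos, v.patch)) return std::nullopt;
  }
  v.suffix = s.substr(pos);
  return v;
}

// Compare only the numeric triple; the suffix is distro-specific and is
// deliberately ignored. Returns <0, 0 or >0 like strcmp.
int compareCore(const SemVer& a, const SemVer& b) {
  if (a.major != b.major) return a.major < b.major ? -1 : 1;
  if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
  if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
  return 0;
}
```

The overflow check matters more than it looks: a version parser that wraps a huge component into a small number can make a "kernel is at least 4.x" guard pass on garbage input, so failing closed is the right default.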
Summary: Currently the osquery extension uses the old osquery core SDK, so it does not know types other than none, sum, min, max (others were added later). Let's revert the profiler reporting type until the new SDK is generated, so that I'm not blocked in rolling out the profiler.
Reviewed By: akindyakov
Differential Revision: D13654143
fbshipit-source-id: 07ded5c6a1bc85d5c2ed983e7a55f3fff9826980
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5335
It was reported that the osquery eventing mechanism uses too much disk space. As daebeike found, event expiring was failing to be executed in some cases.
More specifically, the expiration check was supposed to run every time EVENTS_CHECKPOINT number of events were added. However, in between the checks for expiration more than EVENTS_CHECKPOINT events could be added and no expiration would be executed. I suppose this behaviour would be easily reproducible under high load.
Reviewed By: fmanco
Differential Revision: D13565250
fbshipit-source-id: 78bbad3f7aded4beb9e5f42bafd9184e9c2f8efb
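The failure mode described above (a check that only fires when the counter lands exactly on a checkpoint, so a batch that jumps past the boundary never triggers expiration and storage grows unbounded) is easy to show in miniature. The following is an added example, not osquery's event code: the checkpoint value, the two expirer types and the workloads are all constructed for this illustration, and the exact form of osquery's original check is an assumption.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical checkpoint interval; the real EVENTS_CHECKPOINT value is not
// shown in the commit message, so this is a constructed stand-in.
constexpr std::size_t kEventsCheckpoint = 100;

// Assumed shape of the defect: expire only when the running counter is an
// exact multiple of the checkpoint. A batch that carries the counter from 99
// straight to 106 skips 100 and no expiration ever runs.
struct ExactCheckExpirer {
  std::size_t events = 0;
  std::size_t expirations = 0;
  void add(std::size_t n) {
    events += n;
    if (events % kEventsCheckpoint == 0) {
      ++expirations;
    }
  }
};

// Fixed shape: remember where the last expiration happened and fire whenever
// at least kEventsCheckpoint events have arrived since then, whatever the
// batch size. Overshoot is absorbed instead of being lost.
struct SinceLastExpirer {
  std::size_t events = 0;
  std::size_t lastExpiredAt = 0;
  std::size_t expirations = 0;
  void add(std::size_t n) {
    events += n;
    if (events - lastExpiredAt >= kEventsCheckpoint) {
      ++expirations;
      lastExpiredAt = events;
    }
  }
};

// Replay a sequence of batch sizes and count how often expiration ran.
template <typename Expirer>
std::size_t expirationsFor(const std::vector<std::size_t>& batches) {
  Expirer e;
  for (std::size_t n : batches) {
    e.add(n);
  }
  return e.expirations;
}

// Constructed low-load workload: one event at a time, 200 events in total.
std::vector<std::size_t> steadyWorkload() {
  return std::vector<std::size_t>(200, 1);
}

// Constructed high-load workload, 206 events in total, where each burst
// lands just past a checkpoint boundary: 99 -> 106 and 199 -> 206.
std::vector<std::size_t> burstyWorkload() {
  std::vector<std::size_t> w(99, 1);
  w.push_back(7);
  w.insert(w.end(), 93, 1);
  w.push_back(7);
  return w;
}
```

Under the steady workload both variants expire twice, which is why the bug is hard to see in a quiet test environment; under the bursty workload the exact-match check never fires at all while the since-last check still fires twice.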
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5346
Let's define the win32 API version only inside buck files, not in a cpp header.
Reviewed By: guliashvili
Differential Revision: D13635704
fbshipit-source-id: cd978661ed6f733950363c2ac261811045263ed2
Summary: Some tools do not support virtual header namespaces and expect the header path to match the actual file path from the project root. This diff will fix a few namespaces in the utils library.
Reviewed By: guliashvili
Differential Revision: D13552878
fbshipit-source-id: 2a06f73550c69777bf73be73abdde297fe580583
Summary:
On C++17 `NODISCARD` maps to a `[[nodiscard]]` attribute, which must
appear at the start of the function signature.
Reviewed By: j-calvert, guliashvili
Differential Revision: D13627821
fbshipit-source-id: d308650cf0188141a4942f528b7ec91825a0c318
Summary: As discussed in [an old PR](37ffdf8a48 (r213278358)) this is of questionable benefit and will get complicated when we change to typed values, so dropping.
Reviewed By: guliashvili
Differential Revision: D13631227
fbshipit-source-id: ada9b5434297d8c1c4b3e3855fe595faf5937bf6
Summary:
Heroku's windmill project seems to have been removed from both Github and Heroku's site. This PR just deletes the paragraph referring to Windmill (and also deletes a space that was causing markdown to render **https://** incorrectly.)
Pull Request resolved: https://github.com/facebook/osquery/pull/5283
Differential Revision: D13625435
Pulled By: fmanco
fbshipit-source-id: 32e97f8db39d705924a6841b53f0d018e76ddb71
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit
converts the Darwin `processes` table to using the generated row types.
My march concludes here, but there's a lot of work yet to be done with
migrating other tables.
(Adapted from https://github.com/facebook/osquery/pull/5199)
Reviewed By: guliashvili
Differential Revision: D13438014
fbshipit-source-id: 0e8365f26fe95131fe53ba3491cf07899600e997
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit
introduces the code generation for said rows. Nothing uses it yet; see the
next commit for that.
(Adapted from https://github.com/facebook/osquery/pull/5199)
Reviewed By: guliashvili
Differential Revision: D13438017
fbshipit-source-id: 959a6e092aee38d33e1c6539cbe14b85172c0135
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit
changes `TableRow` to be an interface rather than simply an alias for `Row`.
Accordingly, `DynamicTableRow` becomes an implementation of that interface
backed by a `Row`. The few remaining pieces of code that treated `TableRow`s as
`Row`s now call methods on the `TableRow` interface. Subsequent commits will
add code generation for strongly-typed table-specific implementations of
`TableRow`.
(Adapted from https://github.com/facebook/osquery/pull/5198)
Reviewed By: guliashvili
Differential Revision: D13438015
fbshipit-source-id: 61d5547e878e519c9706f94f844aab9d3e553410
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit changes
much of the code that uses `TableRow`s to stop assuming that they're just `vector`s
by another name. (`TableRow` is on the way to becoming an interface with multiple
implementations.) They're now held in `unique_ptr`s (`TableRowHolder`). For cases
where we really want a `vector`-backed `TableRow` (mostly test code and extension
support), we have a factory function (`make_table_row`) and a helper class
(`DynamicTableRowHolder`) to make that smoother.
(Adapted from https://github.com/facebook/osquery/pull/5198)
Reviewed By: mkareta
Differential Revision: D13438016
fbshipit-source-id: 2de9ce46a64c0a067b5d3299c59bbe3ccacd4abe
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit introduces
a distinction between rows being returned from a table (`TableRows`) and as the
result of a query (`QueryData`). Right now the two are simply aliases for each other;
that will change shortly.
(Adapted from https://github.com/facebook/osquery/pull/5198)
Reviewed By: guliashvili
Differential Revision: D13438019
fbshipit-source-id: 6563fc8c372d9d6c4b05705943ddf39b42260feb
Summary:
Just a minor cosmetic change to the docs that changes Splunk's sourcetype names to use colons instead of underscores, as that is the preferred method for delimiting sourcetypes. Not sure if a test is needed for this docs change.
Pull Request resolved: https://github.com/facebook/osquery/pull/5338
Differential Revision: D13607572
Pulled By: fmanco
fbshipit-source-id: 95f255fb91b821b602a89c9dda3501fdba10fd1b
Summary:
Step towards completion of https://github.com/facebook/osquery/pull/4904
- Add boost variant (typed) counterparts for RowData, Row, and QueryData.
- Add a queryInternal to sqlite_util that returns QueryDataTyped.
- Replace the queryInternal that returns QueryData with one that's a simple wrapper around the new typed implementation.
Reviewed By: guliashvili
Differential Revision: D13586036
fbshipit-source-id: d1d9b56470fbfcfb5802de422f87d9b9d6da7fb7
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5332
`malloc` might return null, and `memcpy` will crash in that case.
Reviewed By: akindyakov
Differential Revision: D13517060
fbshipit-source-id: 261f493823974dcc40a40139094eb4a98cd24dec
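The defect class named in this commit, an unchecked allocation followed by a write through the result, is shown below beside a checked form. This is an added example and not the osquery code that was fixed; the allocator is injectable purely so the failure path can be exercised deterministically, and `copyUnchecked`, `copyChecked`, `sysAlloc`, `alwaysFail` and `roundTrip` are names invented for this illustration.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Allocator hook so a test can substitute a failing allocator.
using AllocFn = void* (*)(std::size_t);

// Thin wrapper around the real allocator (avoids taking the address of
// std::malloc directly).
void* sysAlloc(std::size_t n) { return std::malloc(n); }

// Constructed allocator that always reports exhaustion.
void* alwaysFail(std::size_t) { return nullptr; }

// Shape of the defect: the return value of the allocator is never checked,
// so under memory pressure memcpy writes through a null pointer. Kept only to
// show the pattern; nothing below calls it.
void* copyUnchecked(const void* src, std::size_t len, AllocFn alloc = sysAlloc) {
  void* dst = alloc(len);
  std::memcpy(dst, src, len);  // undefined behaviour when dst == nullptr
  return dst;
}

// Checked form: allocation failure becomes an explicit error result that the
// caller has to handle, instead of a crash inside memcpy.
void* copyChecked(const void* src, std::size_t len, AllocFn alloc = sysAlloc) {
  if (src == nullptr || len == 0) {
    return nullptr;  // nothing to copy; treat as an error rather than malloc(0)
  }
  void* dst = alloc(len);
  if (dst == nullptr) {
    return nullptr;  // propagate exhaustion; no memcpy through null
  }
  std::memcpy(dst, src, len);
  return dst;
}

// Copies a C string with the checked routine and verifies the bytes match.
// Returns false when the copy could not be made.
bool roundTrip(const char* text, AllocFn alloc) {
  const std::size_t len = std::strlen(text) + 1;
  void* dst = copyChecked(text, len, alloc);
  if (dst == nullptr) {
    return false;
  }
  const bool same = std::memcmp(dst, text, len) == 0;
  std::free(dst);
  return same;
}
```

The `NODISCARD` attribute mentioned in the next commit is the compile-time complement to this: marking the allocating function's result as must-use makes the missing `if (dst == nullptr)` a warning rather than a latent crash.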
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5331
Let's use attributes to prevent such mistakes (see previous diff in the stack)
Reviewed By: guliashvili
Differential Revision: D13504146
fbshipit-source-id: 7cab2dd345599b036fa2a27bf682f2a159fd1c08
Summary:
New text had a 'joing' typo; OS X has been called macOS for several revisions of the operating system.
Please also note the CONTRIBUTING guidelines are out of date, but I have signed a CLA and believe this would be acceptable.
Pull Request resolved: https://github.com/facebook/osquery/pull/5321
Differential Revision: D13449990
Pulled By: fmanco
fbshipit-source-id: 5c0150d9ff9e68323ba111a05d34e1de4fcd3249
Summary:
Hand port of https://github.com/facebook/osquery/pull/5154 to the new build system
I'm moving toward generating constants for each column so that we
can do used column lookups without having to do a string set lookup,
but first I need to have the used columns information plumbed through
as a bitfield.
Once the code generation is in and all cases have been migrated to it,
I'll remove the string variants of `isColumnUsed`/`isAnyColumnUsed`.
Reviewed By: guliashvili
Differential Revision: D13423615
fbshipit-source-id: 6a2afe7dad42942610dfe0f6f55bcee4603a25af
Summary:
Manual port of https://github.com/facebook/osquery/pull/5153 to the new build system.
New methods to allow adding larger numeric types.
Reviewed By: guliashvili
Differential Revision: D13422612
fbshipit-source-id: 6b503553f05139351f803ea6fcc5c825e62c35ea
Summary:
This is a manual port of https://github.com/facebook/osquery/pull/5216 to the new build system.
This table allows you to fetch a list of running applications on OSX. Contains PID, Bundle ID and whether or not the application is in focus. (The latter can be used to figure out what application was being used at a given moment.)
Reviewed By: guliashvili
Differential Revision: D13422150
fbshipit-source-id: 236b28d9140a9a9062fb913815d0c9f1da21c8b5
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5318
This is most likely broken and is causing problems with some toolchains (e.g. clang on Ubuntu xenial).
Reviewed By: guliashvili
Differential Revision: D13415457
fbshipit-source-id: b4aa686913d3cfe6bb26089b0525144fae7cc928
Summary: These missing includes make the build fail with some toolchains.
Reviewed By: guliashvili
Differential Revision: D13414926
fbshipit-source-id: b9a7992e37751da81ec1f5a9055703bc1e3cc4bc