Added the OSQUERY_BUILD_AWS option due to
oss-fuzz CI failing to build the AWS EC2 library,
due to its high requirement of memory.
The fuzzers do not gain much from having these tables enabled,
moreover this can be used during development
to avoid building a possibly unneeded table.
Done some minor cleanups to remove logic duplication
and enable ec2 integration tests on all the platforms
that supports them.
The instruction doesn't exist on other processors, and while there
might be ways to retrieve the equivalent information, none directly
matches the x86 "cpuid". This takes out the table completely on
non-x86_64 architectures.
Co-Authored-By: Benjamin Herrenschmidt <benh@kernel.crashing.org>
The PR adds an on-demand version of the Windows events log table that can return the WEL entries from an arbitrary event provider. It supports selective filtering based on additional query parameters. An example query:
```
osquery> select * from windows_events_vtable where channel = 'Application' and eventid = 1000;
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| channel | datetime | task | level | provider_name | provider_guid | eventid | recordid | keywords | data | pid | tid |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| Application | 2020-07-22T03:19:32.617052900Z | 0 | 4 | Microsoft-Windows-LoadPerf | {122EE297-BB47-41AE-B265-1CA8D1886D40} | 1000 | -1 | 0x8000000000000000 | {"UserData":{"EventXML":"","binaryData":"EC2C0000BC2D0000ED2C0000BD2D0000","binaryDataSize":"16","param1":"WmiApRpl","param2":"WmiApRpl"}} | 5824 | 5828 |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
```
This is for consistency with the decisions taken
for PR osquery/osquery#6413 and osquery/osquery#6414.
We also update the integration test helper to accept custom constraints,
in the case the table has required columns.
This simple helper takes a table name and
an already prepared rows map to add the container
columns, which are normally hidden, and call validate_rows on it.
We use this function in deb_packages, rpm_packages, npm_packages,
os_version integration tests.
