We currently include unistd_64.h, which doesn't work on aarch64. Rather
than add #ifdef's around it, let's just use unistd.h, which should do the
right thing on all architectures.
Additionally, remove the duplicate #include's from the .cpp files.
CMake ignores the sysroot when testing the support of PIE,
so the link test fails when it tries to check for PIE support
and decides that it's not supported.
Therefore we tell CMake that PIE is supported when using the
osquery-toolchain and leave the automatic test for other toolchains.
Temporarily disable PIE on executables built with the
osquery-toolchain libFuzzer, since it has not been compiled with PIE/PIC
support.
The PR adds an on-demand version of the Windows events log table that can return the WEL entries from an arbitrary event provider. It supports selective filtering based on additional query parameters. An example query:
```
osquery> select * from windows_events_vtable where channel = 'Application' and eventid = 1000;
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| channel | datetime | task | level | provider_name | provider_guid | eventid | recordid | keywords | data | pid | tid |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| Application | 2020-07-22T03:19:32.617052900Z | 0 | 4 | Microsoft-Windows-LoadPerf | {122EE297-BB47-41AE-B265-1CA8D1886D40} | 1000 | -1 | 0x8000000000000000 | {"UserData":{"EventXML":"","binaryData":"EC2C0000BC2D0000ED2C0000BD2D0000","binaryDataSize":"16","param1":"WmiApRpl","param2":"WmiApRpl"}} | 5824 | 5828 |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
```
Starting in glibc 2.25, the macros `major` and `minor` were moved
from `<sys/types.h>` to `<sys/sysmacros.h>`, to stop leaking these
common words into the global namespace of those including `<stdlib.h>`:
https://sourceware.org/bugzilla/show_bug.cgi?format=multiple&id=19239
The macros MAJOR_IN_MKDEV and MAJOR_IN_SYSMACROS would be defined if
necessary by autoconf, and put in `config.h`. But the osquery build
uses CMake instead of autotools, with a git-committed `config.h`.
This generally is all right across Ubuntu variations, as an automake
for one will likely make a config.h that works on others. However,
the glibc change makes a "one-size-fits-all-Ubuntu" config impossible.
This mirrors detection done by autoconf/headers.m4 as CMake code.
It is a relatively simple patch, which unblocks building of librpm
on (K)ubuntu 20 while still working on Ubuntu 18.
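The include pattern that the MAJOR_IN_MKDEV / MAJOR_IN_SYSMACROS detection is meant to drive, as an added example that is not osquery code: the source picks the header the build system found, and the `__linux__` fallback (an assumption added here so the file compiles stand-alone on glibc 2.25 and later) covers the case where neither macro was defined.

```cpp
// Added example, not osquery code: use major()/minor()/makedev() in a way that
// builds against both pre-2.25 glibc (macros in <sys/types.h>) and newer glibc
// (macros in <sys/sysmacros.h>). The build system (autoconf AC_HEADER_MAJOR or
// an equivalent CMake check_symbol_exists) is expected to define one of the
// two MAJOR_IN_* macros; the __linux__ branch is a stand-alone fallback.
#include <sys/types.h>
#if defined(MAJOR_IN_MKDEV)
#include <sys/mkdev.h>
#elif defined(MAJOR_IN_SYSMACROS) || defined(__linux__)
#include <sys/sysmacros.h>
#endif

#include <cstdio>

struct DeviceNumbers {
  unsigned maj;
  unsigned mnr;
};

// Split a packed device number into its major and minor parts.
DeviceNumbers splitDevice(dev_t dev) {
  return {major(dev), minor(dev)};
}

// Pack major and minor parts back into a dev_t.
dev_t joinDevice(unsigned maj, unsigned mnr) {
  return makedev(maj, mnr);
}

int main() {
  // Constructed values: 8:1 is the traditional number for /dev/sda1.
  dev_t dev = joinDevice(8, 1);
  DeviceNumbers n = splitDevice(dev);
  std::printf("dev %llu -> major %u minor %u\n",
              static_cast<unsigned long long>(dev), n.maj, n.mnr);
  return 0;
}
```

Compiling this with `-Wall` on a glibc 2.25+ system produces no "major is defined in sys/sysmacros.h" warning, which is the symptom the committed `config.h` was causing.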
Change the counter behavior so that the counter increments only when a
differential result is calculated. With this new behavior the counter
represents the order in which differential results should be replayed
to recreate state at a point in time.
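A self-contained model of that counter rule, added here as an example rather than osquery's own scheduler code. It assumes (not stated in the message) that "a differential result is calculated" means the run produced at least one added or removed row; runs that change nothing leave the counter alone, so the counter values of the emitted diffs are dense and replaying them in order rebuilds the row set at any point.

```cpp
// Added example, not osquery code: a scheduled query keeps the previous row set,
// emits only added/removed rows, and advances its counter only when a run
// actually yields a differential. The counter therefore orders the diffs for replay.
#include <algorithm>
#include <cstdint>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <vector>

using Row = std::map<std::string, std::string>;
using Rows = std::set<Row>;  // std::map is ordered, so rows can be set elements

struct Differential {
  uint64_t counter;
  std::vector<Row> added;
  std::vector<Row> removed;
};

class DifferentialQuery {
 public:
  // Compare this run's rows with the previous run. Returns true and fills
  // `out` only when something changed; the counter increments only then.
  bool run(const Rows& current, Differential& out) {
    std::vector<Row> added, removed;
    std::set_difference(current.begin(), current.end(),
                        previous_.begin(), previous_.end(),
                        std::back_inserter(added));
    std::set_difference(previous_.begin(), previous_.end(),
                        current.begin(), current.end(),
                        std::back_inserter(removed));
    previous_ = current;
    if (added.empty() && removed.empty()) {
      return false;  // nothing to log, counter untouched (assumed behavior)
    }
    out = Differential{counter_++, std::move(added), std::move(removed)};
    return true;
  }

  uint64_t counter() const { return counter_; }

  // Rebuild the row set as it was right after the diff numbered `upTo`,
  // by applying diffs in counter order.
  static Rows replay(std::vector<Differential> diffs, uint64_t upTo) {
    std::sort(diffs.begin(), diffs.end(),
              [](const Differential& a, const Differential& b) {
                return a.counter < b.counter;
              });
    Rows state;
    for (const auto& d : diffs) {
      if (d.counter > upTo) {
        break;
      }
      for (const auto& r : d.removed) state.erase(r);
      for (const auto& r : d.added) state.insert(r);
    }
    return state;
  }

 private:
  Rows previous_;
  uint64_t counter_ = 0;
};
```

The first run against an empty previous set is itself a differential (every row is "added") and gets counter 0; a repeated identical run returns false without touching the counter.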
Add support for processing KILL, TKILL and TGKILL syscalls. The first
message of the SYSCALL message type is handled in a similar way to
EXECVE, as the structure is more or less the same.
Three additional fields are parsed from the message: "ses"
(session of the process), "comm" (the command that was executed, e.g. the
script name in case of a /bin/bash invocation) and "tty" (the controlling
terminal for the process). These fields will not be published though,
since the table schema doesn't support them at the moment.
The above feature is activated using the
`--audit_allow_kill_process_events=true` flag.
Sample columns:
```
"columns": {
"atime": "1589007635",
"auid": "4294967295",
"btime": "0",
"cmdline": "",
"ctime": "1587237608",
"cwd": "",
"egid": "1000",
"euid": "1000",
"fsgid": "1000",
"fsuid": "1000",
"gid": "1000",
"mode": "0755",
"mtime": "1586904788",
"owner_gid": "",
"owner_uid": "",
"parent": "4781",
"path": "/home/USERNAME/code-server-3.1.1-linux-x86_64/node",
"pid": "4795",
"sgid": "1000",
"suid": "1000",
"syscall": "kill",
"time": "1589052835",
"uid": "1000",
"uptime": "26902"
}
```
Note that the Linux man pages recommend that the TGKILL syscall not be
used.