valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 09:58:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,635 Commits 2 Branches 109 Tags 25 MiB
e1f0106710
Commit Graph

513 Commits

Author SHA1 Message Date
Teddy Reed
17efa0b3d6 Migrate subscribers on OSX 2014-12-15 00:25:28 -08:00
Teddy Reed
c1e37b73fb Non-static event type and name IDs 2014-12-14 18:03:41 -08:00
anuka
fa95ff09d8 Some fix for etc_services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-12-14 22:14:00 +01:00
anuka
375c837b74 Merge remote-tracking branch 'upstream/master' 2014-12-13 15:27:09 +01:00
Teddy Reed
00c88a19bc Add timeout to netlink socket read 2014-12-12 17:50:47 -08:00
Teddy Reed
acccfa94e2 IOKit HID events and OSX hardware_events table 2014-12-11 18:06:08 -08:00
Teddy Reed
7b56fa605d PCI/USB parity 2014-12-10 19:51:18 -08:00
Teddy Reed
a75fa3bf11 Merge pull request #538 from theopolis/improve_usb 
Improve usb_devices on OSX
 2014-12-10 19:51:08 -08:00
mike@arpaia.co
8f8bc6b772 osquery_info table 2014-12-10 18:38:41 -08:00
Teddy Reed
b08ad3cb14 Check USB property for CFString type 2014-12-10 09:12:12 -08:00
Teddy Reed
f29e0c17ca Update ca_certs_tests to use moved OSX conversions 2014-12-10 01:59:13 -08:00
Teddy Reed
4644c5e19b Simple usb_devices updates 2014-12-10 01:52:02 -08:00
Teddy Reed
7ba4fb31dd Merge pull request #536 from theopolis/suid_fix 
Suid fix
 2014-12-10 01:19:48 -08:00
Teddy Reed
0b5083bd0e Improve usb_devices on OSX 2014-12-10 01:17:24 -08:00
Teddy Reed
ab8df11818 Add filesystem_error catching and remove suid_bin from BL 2014-12-09 20:13:39 -08:00
Teddy Reed
9a9de67b93 Restrict suid_bin to common search paths 2014-12-09 16:38:14 -08:00
Teddy Reed
192224977d Add small delay if NL read = 0 2014-12-09 16:02:25 -08:00
Teddy Reed
22c9664ae1 [Fix #530] Continue to read from NL socket 2014-12-09 15:49:40 -08:00
Sean Williams
341fbc3b53 -Conform to new table function signature 
-Add proper include and fix brackets on macro
-Let osquery core do the integer cast for syscall_addr_modified
-Fix misc cruft
 2014-12-09 01:47:51 +00:00
Sean Williams
48bf3192e1 kernel_integrity vtable to use camb 2014-12-08 23:58:33 +00:00
Teddy Reed
2ebbbf6f98 Linux udev events 2014-12-08 14:13:47 -08:00
Teddy Reed
b890670be1 Replace linux cmdline tokens with spaces 2014-12-07 00:35:24 -07:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00
Teddy Reed
20dee9c274 Merge pull request #515 from theopolis/faster_generator 
Towards simple table generation
 2014-12-03 12:57:09 -08:00
Teddy Reed
a50400d34f Merge pull request #510 from wxsBSD/issue_475 
Implement signed columns for users and groups.
 2014-12-03 12:46:02 -08:00
Teddy Reed
5d99dc0325 Use a single class for Table plugins 2014-12-03 12:43:55 -08:00
Teddy Reed
ebd77d47c4 Amalgamate generated tables 2014-12-03 02:02:11 -08:00
Teddy Reed
343cdf8405 Organize /tools 2014-12-02 21:16:24 -08:00
Teddy Reed
f4337243ec Towards simple table generation 2014-12-02 20:36:46 -08:00
Teddy Reed
d885bf420d Port manual/filesystem to file using constraints 2014-12-02 12:37:26 -08:00
Wesley Shields
2504c06feb Implement signed columns for users and groups. 
Fixes #475.
 2014-12-01 11:52:13 -05:00
Teddy Reed
3ec6b473dd [Fix #498] Remove default catch in quaratine 2014-11-30 22:01:31 -07:00
Teddy Reed
13c8277bb4 Add query constraints to logged_in_users 2014-11-29 22:40:11 -08:00
Teddy Reed
e33443d354 clang-format on feature-predicate updates 2014-11-29 22:36:07 -08:00
Teddy Reed
76780aa6f0 Improve OSX apps table 2014-11-29 22:36:07 -08:00
Teddy Reed
b1cf8f1e61 Improve and use constraints for various OSX tables 2014-11-29 22:36:07 -08:00
Teddy Reed
3fa2442e25 Rename/improve bash_history to shell_history 2014-11-29 22:36:07 -08:00
Teddy Reed
56014b9c31 Moving tables definitions into core/tables.cpp 2014-11-29 22:36:06 -08:00
Teddy Reed
b18068f114 Improve kextstat/startup_items code and perf 2014-11-29 22:36:06 -08:00
Theodore M. Reed
8ab1863790 Predicate constraints for FreeBSD 2014-11-29 22:36:06 -08:00
Teddy Reed
59367b41af Predicate constraints for Linux 2014-11-29 22:36:06 -08:00
Teddy Reed
b4be08a702 Updating table generators to use QueryContext 2014-11-29 22:36:05 -08:00
Teddy Reed
cd8413d483 Organizing affinity types into tables. 2014-11-29 22:36:05 -08:00
Teddy Reed
2b1cd4eee3 Towards predicate constraint checking 2014-11-29 22:36:05 -08:00
Teddy Reed
750cc807cf Merge pull request #493 from wxsBSD/issue_9 
Implement logged_in_users.
 2014-11-29 22:22:10 -08:00
anuka
0a280f6546 Adding a table which maps services from /etc/services. 
Signed-off-by: anuka <david.vas1@gmail.com>
 2014-11-29 17:06:34 +01:00
mike@arpaia.co
fdcea6daa7 manual fix to spacing issue 2014-11-25 09:08:00 -08:00
mike@arpaia.co
8f50cae3aa clang-format on the codebase 
Periodic clang-format run.
 2014-11-25 09:05:16 -08:00
Wesley Shields
7abc9f75f2 Implement logged_in_users. 
Fixes #9.
 2014-11-22 23:49:37 -05:00
Teddy Reed
4de3c8a0cf Fix memory leaks in USB Devices for OSX 2014-11-22 18:04:47 -08:00
Nick
acad6d8e8d Added USB device support for Mac (Linux coming next) 2014-11-22 17:42:56 -08:00
Wesley Shields
059403eac4 Merge branch 'master' into macros 
Conflicts:
	osquery/tables/system/darwin/processes.cpp
 2014-11-22 15:12:21 -05:00
Teddy Reed
1caba72c30 Remove 'host' from OS X route types #483 2014-11-21 10:59:25 -08:00
Teddy Reed
44181b7aeb Add basic support for unsigned long long int 2014-11-21 10:32:56 -08:00
Teddy Reed
1961921d95 Pull process_open_files out of processes.cpp and reduce logging 2014-11-20 17:19:04 -08:00
Teddy Reed
a84c20a468 Merge pull request #472 from theopolis/cleanup-inode-tables 
Cleanup inode table implementations and unblacklist.
 2014-11-19 17:04:23 -08:00
Teddy Reed
b2debf509a Cleanup inode table implementations and unblacklist 2014-11-19 16:56:48 -08:00
Teddy Reed
9a6a69a224 Merge pull request #469 from theopolis/logging-nits 
Move expected errors to info log
 2014-11-19 14:54:32 -08:00
Mike Arpaia
ac70916719 Merge pull request #434 from lwhsu/freebsd-build 
FreeBSD support of build infrastructure
 2014-11-19 09:23:17 -08:00
Teddy Reed
bc9a5ed3b4 Move expected errors to info log 2014-11-19 09:03:58 -08:00
mike@arpaia.co
ee15228819 fixing naming of columns in tests 2014-11-18 17:43:16 -08:00
Wesley Shields
9cf662cca0 More explicit usage of macros. 2014-11-18 19:40:14 -05:00
Wesley Shields
550bf15c74 First pass at macro usage in tables. 2014-11-18 19:25:34 -05:00
Li-Wen Hsu
4f8006ad02 Add dummy table implementations for FreeBSD 2014-11-19 05:07:59 +08:00
Mike Arpaia
3c243e02f2 Merge pull request #463 from facebook/mounts-unified 
Unified mounts spec
 2014-11-18 11:32:17 -08:00
Teddy Reed
12a5daa225 Change user_name, group_name to username, groupname 2014-11-18 10:48:47 -08:00
mike@arpaia.co
ecb8e474a4 Unified mounts spec 2014-11-18 10:46:48 -08:00
Li-Wen Hsu
6c55b51c53 Merge branch 'master' into freebsd-build 
Conflicts:
	osquery/core/system.cpp
	tools/provision.sh
 2014-11-19 01:50:38 +08:00
Teddy Reed
7287ad5e63 Fix process free regression for libprocps 2014-11-17 16:52:20 -08:00
Mike Goffin
57faad63fa Merge branch 'master' into mounts_table 2014-11-17 15:03:50 -05:00
Mike Goffin
2ce6882317 Format fixes. 
- ran clang-format.
- lowercased column names for table.
- removed include for boost as it's no longer being used.
 2014-11-17 15:02:33 -05:00
Teddy Reed
1116d6a928 Merge pull request #438 from theopolis/feature-arp-table 
arp_cache vtable for OSX and Linux
 2014-11-17 11:36:46 -08:00
Mike Goffin
0b4e382e96 Merge branch 'master' into mounts_table 2014-11-17 13:46:59 -05:00
Mike Goffin
6cddf4ad39 Mounts table for Darwin. 
Associated with #255, this adds Mounts table support for Darwin.
 2014-11-17 13:43:59 -05:00
Wesley Shields
c764226b77 Use INTEGER macro. 
This makes the code match the example at:

https://github.com/facebook/osquery/wiki/creating-a-new-table
 2014-11-17 13:30:46 -05:00
Teddy
968f8027e6 Cleaner arp_table->arp_cache on Linux/OSX 2014-11-17 02:37:15 -08:00
Teddy Reed
ee015343f9 Simplify arp, move to arp_table 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
65c4ed4a7d Fix boost split on linux to remove sscanf 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
2b32673445 Some fixes: 
- clang-format on code
- NULL -> nullptr
- some (char *) changed in std::string favour
- Removed a memory leak.
- Moved struct inside the table namespace
 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
778951d6a4 Remove osx dependency on system() call to get arp information 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
c7fc2cee22 rename vtable field arp->mac 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
4f524abbea arp vtable different implementation in osx and linux 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
413d6f068b Change fgetln (osx specific) in favour of getline (both osx and linux) 2014-11-16 19:49:40 -08:00
Pablo S. Torralba
1843d80660 arp vtable with ip, arp and interface where it was seen 2014-11-16 19:49:40 -08:00
mike@arpaia.co
bfceaf8453 blacklisting port_inode and socket_inode 
port_inode and socket_inode have caused a few issues lately and, as of
right now, they both have open issues against them. For the time being,
I'm going to blacklist them. When the tables are production-ready, we
can re-add them back in to the base linux build.
 2014-11-16 09:42:57 -08:00
Li-Wen Hsu
ea7b617a7c No utmpxname() under FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
a102a3273e Include proper headers for FreeBSD 2014-11-16 01:41:50 +08:00
Li-Wen Hsu
e49537c8fa Add libraries and settings for FreeBSD 2014-11-16 01:41:50 +08:00
Teddy Reed
a1898ef03b Check tables row vector size before access 2014-11-14 15:18:25 -08:00
Teddy Reed
02841f5e7f Add kernel userland-API inet_diag header 2014-11-14 01:42:34 -08:00
Teddy Reed
565bce3c07 Fix unwind exception catching 2014-11-14 01:42:00 -08:00
Vincent Mauge
632151d56a Set ouput_bit to 0 instead of cast error 2014-11-12 22:02:04 -08:00
Teddy Reed
0d8b9d3eaa Use SQLite types 2014-11-12 11:07:24 -08:00
Teddy Reed
525a3b79a0 Tons of new build features 
* The OS/DISTRO are available as defines when writing tables:
  UBUNTU, UBUNTU_14_04, UBUNTU_12_04
  CENTOS, CENTOS_6_6
  DARWIN, DARWIN_10_10, DARWIN_10_9
* The table generation tooling now grabs virtual tables templates
  from ./osquery/tables/templates/<name>.cpp.in.
* The table generation tooling will detect reserved column names.
* suid_bin uses the new UBUNTU to restrict calls to root (fix #362).
 2014-11-12 00:57:47 -08:00
Teddy Reed
8e408f987e Table spec documentation examples 2014-11-11 11:26:11 -08:00
Teddy Reed
050e942d11 Support USE_BLACKLIST=1 to remove tables from release 2014-11-10 13:30:38 -08:00
Abe Stanway
811d98c595 free(linkname) and no more 'self' 2014-11-10 15:02:31 -05:00
Abe Stanway
30149a70f9 Updated 2014-11-10 15:02:31 -05:00
Abe Stanway
322fde0121 Socket_inode and port_inode tables to map PIDs->ports via netlink inet_diag 
Example query:
```
SELECT port.local_port,
       port.remote_port,
       port.local_ip,
       port.remote_ip,
       socket.pid,
       process.name,
       process.cmdline
       process.path
       FROM socket_inode AS socket
       JOIN port_inode AS port
       ON socket.inode = port.inode
       INNER JOIN processes AS process
       ON socket.pid = process.pid;
```
 2014-11-10 15:02:31 -05:00
Teddy Reed
86d2ac208b Use leaks for OSX memory leak profiling 2014-11-10 11:34:17 -08:00
Mike Arpaia
3245e5a6cd Merge pull request #394 from wizzat/process_args 
Add cmdline to darwin
 2014-11-10 13:20:47 -05:00
Teddy Reed
19aa99583e Linux processes vtable use freeproc 2014-11-10 10:12:47 -08:00
Mark Roberts
dc1684fca7 Add cmdline to darwin 2014-11-10 09:36:17 -08:00
Teddy Reed
b0ff403d3d Fixing librpm API usage leaks 2014-11-10 01:48:07 -08:00
Teddy Reed
b77406b122 [Fix #367] Check RPMTAG class before cast 2014-11-09 02:07:49 -08:00
Teddy Reed
078d4cf7d2 Refector shell flags/versioning 2014-11-08 20:27:28 -08:00
Veres Lajos
afc82c722f typo fixes - https://github.com/vlajos/misspell_fixer 2014-11-07 22:18:02 +00:00
Alexander Polyakov
00dbf282a6 / is not always readable 2014-11-07 01:00:58 +03:00
Alexander Polyakov
c0d827f534 Add euid / egid to process table 
(not tested on darwin)
 2014-11-06 01:35:52 +03:00
mike@arpaia.co
05cfff81c8 clang-format 2014-11-04 11:42:30 -08:00
mike@arpaia.co
896a4f2957 generic users function and some general cleanups 2014-11-04 11:40:54 -08:00
Zachary Wasserman
0b30b9f692 Add basic Mac startup items vtable 2014-11-04 11:40:54 -08:00
Alexander Polyakov
a60230af5e linux/processes: fix infinite loop, throw away workaround 2014-11-04 15:31:35 +03:00
Teddy Reed
03034780f1 Add note about blocking process_env as non-su 2014-11-03 23:46:47 -08:00
Teddy Reed
ea3880eefb Merge pull request #354 from wizzat/graceful_envs 
Graceful envs
 2014-11-03 23:43:04 -08:00
Mike Arpaia
37734bc5a4 Merge pull request #351 from LTD-Beget/blockdev_table 
Blockdev table for linux
 2014-11-03 22:29:35 -08:00
Mark Roberts
5780fffa22 Potential Linux fix, pending boost::filesystem::path fix on master. Issue #323 2014-11-03 20:39:51 -08:00
Alexander Polyakov
cbc2139047 block_devices: trim spaces around model and vendor 2014-11-04 05:00:24 +03:00
Teddy Reed
dc77df602e [format] Cleanup various PRs not run through clang-format 2014-11-03 17:57:01 -08:00
Mark Roberts
176af65fb5 Remove logging of permissions error when running as non-root user on OSX 
Issue #323
 2014-11-03 17:29:22 -08:00
Mike Arpaia
01944a3bb7 Merge pull request #352 from LTD-Beget/pci_devices_crash 
pci_devices: udev_device_get_property_values() can return NULL
 2014-11-03 15:17:03 -08:00
Alexander Polyakov
95aeaba024 pci_devices: unref things after use 2014-11-04 01:48:42 +03:00
Alexander Polyakov
1ce1424d01 Add braces 2014-11-04 01:21:02 +03:00
Alexander Polyakov
e3364ac34c Add braces 2014-11-04 01:13:49 +03:00
Mike Arpaia
a9e636af9f Merge pull request #349 from facebook/329 
Ensuring that listening_ports results are unique
 2014-11-03 14:08:04 -08:00
Alexander Polyakov
f96180e926 pci_devices: udev_device_get_property_values() can return NULL 2014-11-03 23:56:59 +03:00
Alexander Polakov
274e037527 Blockdev table for linux 2014-11-03 23:39:14 +03:00
mike@arpaia.co
75ded8b881 Ensuring that listening_ports results are unique 2014-11-03 12:03:57 -08:00
Akshay Dixit
c99c08c607 changed comments to // from /* , char* to std::string consts, and ran clang-format on the file 2014-11-02 21:09:04 -07:00
Akshay Dixit
cb1bf1c305 cleaned up pci_devices.cpp 2014-11-02 21:09:04 -07:00
Akshay Dixit
6c418507e6 renamed lspci to pci_devices and specified it linux only 2014-11-02 21:09:04 -07:00
Akshay Dixit
afd9d5e160 changed lspci to be a linux only virtual table, and added udev dependency to provisions.sh 2014-11-02 21:07:35 -07:00
Akshay Dixit
7896e7f78e added lspci virtual table and libudev dependencies 2014-11-02 21:03:43 -07:00
Teddy Reed
37b8336a1f Silence parentheses warnings in linux/mounts 2014-11-02 01:42:04 -08:00
Alexander Polyakov apolyakov@beget.ru
fd5ed3bc19 Rename dir to path 2014-11-02 01:09:24 +03:00
Alexander Polyakov apolyakov@beget.ru
fa81e54e27 Fix indentation, no functional change 2014-11-02 00:36:56 +03:00
Alexander Polyakov
58716d6cfa Mounts table for linux 2014-11-01 16:12:56 +03:00
Teddy Reed
eb240ac527 RPM table and more robust Linux building 2014-10-31 21:59:10 -07:00
castrapel
2557bac3d4 RPM Package listing is now working 2014-10-31 16:52:58 -07:00
castrapel
a51f97871f Adding RPM functionality for CentOS packages (Not working in EL6 due to older rpm-devel) 2014-10-31 16:52:58 -07:00
Teddy Reed
fd8f5782ab Merge pull request #308 from facebook/lsof 
Darwin lsof
 2014-10-31 16:32:30 -07:00
Mark Roberts
675dc308b9 Fix possible errors with getProcPath and getProcName 2014-10-31 16:07:09 -07:00
Pablo S. Torralba
42c73897bf Some minor stetic changes to keep the code clean 2014-10-31 14:27:15 -07:00
Mark Roberts
534999b396 Whitespace 2014-10-31 13:49:25 -07:00
Pablo S. Torralba
366274504b Feedback fixes to clean the code a bit 2014-10-31 13:44:00 -07:00
Mark Roberts
f38bcd390e Add file_type to process_open_files 2014-10-31 11:13:35 -07:00
Pablo S. Torralba
a6e04efdd7 Add quarantine vtable for OSX 
The tables reports:
- path: The file in quarantine
- creator: The application that created the file

Example:
osquery> select * from quarantine limit 10;

+----------------------------------------------------------------------------+---------------+
| path                                                                       | creator       |
+----------------------------------------------------------------------------+---------------+
| /Applications/Adium.app                                                    | Google Chrome |
| /Applications/Adium.app/Contents                                           | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature                            | Google Chrome |
| /Applications/Adium.app/Contents/_CodeSignature/CodeResources              | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks                                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework                | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Adium          | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Headers        | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/PrivateHeaders | Google Chrome |
| /Applications/Adium.app/Contents/Frameworks/Adium.framework/Resources      | Google Chrome |
+----------------------------------------------------------------------------+---------------+

Fixes issue #231
 2014-10-31 06:10:51 -07:00
Mark Roberts
3cf5aa4bae Add lsof for #28 functionality to Darwin, refactor to use shared infra for process_envs 2014-10-31 03:28:14 -07:00
yetanotherhacker
8cee7e0b3c Spelling fixes in comments and output. 2014-10-30 04:27:00 -04:00
Teddy Reed
4ed61ff868 Merge pull request #288 from vmauge/NewLongType 
Add new long type and migrate some vtables
 2014-10-29 23:12:52 -07:00
Vincent Mauge
07bd114107 Change users table to used new long long int type for uid and gid 
It is now possible to do a proper order on uid or gid, ie:
SELECT * FROM users ORDER BY uid;
 2014-10-29 18:57:12 -07:00
Vincent Mauge
755d8c198e Change groups table to used new long long int type for gid 
It is now possible to do a proper order on gid, ie:
SELECT * FROM groups ORDER BY gid;
 2014-10-29 18:57:00 -07:00
Mike Arpaia
0f037d4082 Merge pull request #283 from facebook/fix_sockaddr_inc 
Fix #277, add socket.h to interfaces on darwin
 2014-10-29 17:41:36 -07:00
Teddy Reed
cd74544208 Fix #277, add socket.h to interfaces on darwin 2014-10-29 16:44:17 -07:00
Mark Roberts
0867c2b547 Add process_envs table for OSX and Linux for issue #99 2014-10-29 03:45:26 -07:00
Teddy Reed
39f866387f [vtables] CPUID asm call feature information 2014-10-29 03:09:34 -07:00
Teddy Reed
1f1b38976a Merge pull request #261 from facebook/crontab 
[vtables] Crontab parsing for system/users
 2014-10-29 02:52:11 -07:00
Teddy Reed
6db0c67555 Merge pull request #269 from vmauge/suidbin 
Add suid_bin vtable
 2014-10-29 02:30:29 -07:00
Teddy Reed
8a9374d6e3 [vtables] Support linux crontab vars 2014-10-29 02:24:00 -07:00
Teddy Reed
94c64d80ce Merge pull request #267 from facebook/kernel_modules 
[vtables] Linux kernel modules from procfs
 2014-10-29 02:03:46 -07:00
Vincent Mauge
471d5faaa0 Add suid_bin vtable 
The vtabel report :
- path: full path of the file
- unix_user: name of the owner (if not available display the uid)
- unix_group: name of the groupe (if not available display the gid)
- permissions: report suid or guid
	* S for suid bin
	* G for guid bin

Example :
osquery> select * from suid_bin;
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| path                                                                                               | unix_user | unix_group    | permissions |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+
| "/bin/ps"                                                                                          | root      | wheel         | S           |
| "/bin/rcp"                                                                                         | root      | wheel         | S           |
| "/Users/vmauge/suid_test"                                                                          | vmauge    | 999           | SG          |
| "/usr/bin/at"                                                                                      | root      | wheel         | S           |
| "/usr/bin/atq"                                                                                     | root      | wheel         | S           |
| "/usr/bin/atrm"                                                                                    | root      | wheel         | S           |
| "/usr/bin/batch"                                                                                   | root      | wheel         | S           |
| "/usr/bin/crontab"                                                                                 | root      | wheel         | S           |
| "/usr/bin/ipcs"                                                                                    | root      | wheel         | S           |
| "/usr/bin/lockfile"                                                                                | root      | mail          | G           |
| "/usr/bin/login"                                                                                   | root      | wheel         | S           |
| "/usr/bin/newgrp"                                                                                  | root      | wheel         | S           |
| "/usr/bin/procmail"                                                                                | root      | mail          | G           |
| "/usr/bin/quota"                                                                                   | root      | wheel         | S           |
| "/usr/bin/rlogin"                                                                                  | root      | wheel         | S           |
| "/usr/bin/rsh"                                                                                     | root      | wheel         | S           |
| "/usr/bin/su"                                                                                      | root      | wheel         | S           |
| "/usr/bin/sudo"                                                                                    | root      | wheel         | S           |
| "/usr/bin/top"                                                                                     | root      | wheel         | S           |
| "/usr/bin/wall"                                                                                    | root      | tty           | G           |
| "/usr/bin/write"                                                                                   | root      | tty           | G           |
| "/usr/sbin/postdrop"                                                                               | root      | _postdrop     | G           |
| "/usr/sbin/postqueue"                                                                              | root      | _postdrop     | G           |
| "/usr/sbin/rpc.net"                                                                                | root      | wheel         | S           |
| "/usr/sbin/rpcset"                                                                                 | root      | wheel         | S           |
| "/usr/sbin/traceroute"                                                                             | root      | wheel         | S           |
| "/usr/sbin/traceroute6"                                                                            | root      | wheel         | S           |
+----------------------------------------------------------------------------------------------------+-----------+---------------+-------------+

This commit fixes issue #253.
 2014-10-29 01:33:58 -07:00
Teddy Reed
339b63677e [vtables] Rename homebrew files, some cleanup 2014-10-29 00:34:55 -07:00
Teddy Reed
c1991e94e5 [vtables] Add user crons and use files 2014-10-29 00:28:19 -07:00
Martin Majlis
d645dfc257 Initial implementation for the homebrew table. 2014-10-28 21:03:56 -07:00
Teddy Reed
9abcbcd485 [vtables] Linux kernel modules from procfs 2014-10-28 21:01:51 -07:00
Martin Majlis
e8eb1e222f Reformating the code with clang-formatter. 2014-10-28 19:43:13 -07:00
Martin Majlis
8b8ec7c644 Added initial implementation for crontab. 2014-10-28 17:52:03 -07:00
Teddy Reed
6e60612520 Using clang-format 3.5 2014-10-27 17:37:36 -07:00
Mike Arpaia
0f57dba4d9 Merge pull request #228 from facebook/bash_history_table 
Adding virtual table bash_history, for linux and darwin
 2014-10-27 16:41:17 -04:00
mike@arpaia.co
dafd2d7534 updating comment 2014-10-27 16:34:00 -04:00
Mike Arpaia
a5f7dc1aa3 Merge pull request #247 from facebook/time-types 
time types
 2014-10-27 12:47:52 -04:00
mike@arpaia.co
2ba54f5211 time types 2014-10-27 09:13:21 -04:00
Teddy Reed
53afc6b8b2 Merge pull request #240 from facebook/event_logs 
Change log formatting to individual events
 2014-10-26 14:53:58 -07:00
Javier Marcos
c8c3363455 Changed logic to ignore when history file is not found (expected) 2014-10-24 20:38:09 -07:00
Javier Marcos
542d53fd5e Refactoring and added column for history file, also more history files supported 2014-10-24 20:29:23 -07:00
Teddy Reed
84e8718d62 Merge pull request #238 from facebook/unify_routes 
[vtable] Unify routes table for OSX/Linux
 2014-10-24 17:08:16 -07:00
Teddy Reed
a82792b3f7 Log results as events 2014-10-24 17:05:17 -07:00
Teddy Reed
3d7c8b5684 [vtable] Unify routes table for OSX/Linux 2014-10-24 12:34:18 -07:00
Javier Marcos
bf3cd15c91 Final fix for the allocation problem 2014-10-23 17:17:50 -07:00
Javier Marcos
f69913938f Bad memory leak with OpenDirectory and pwd/grp.h code 2014-10-22 23:49:16 -07:00
Javier Marcos
1066f667ab Adding virtual table bash_history, for linux and darwin 2014-10-22 15:21:05 -07:00
Javier Marcos
bf1ffb1537 Removing old code for generating virtual tables 2014-10-13 21:58:26 -07:00
Javier Marcos
06792db7f0 Adding support for last in linux 2014-10-13 18:19:08 -07:00
Javier Marcos
b3208bab70 Errors handled, shit is on fire 2014-10-10 16:09:45 -07:00
Javier Marcos
b518c6b9e0 Adding groups vtable and refactoring users 2014-10-10 15:09:14 -07:00
mike@arpaia.co
ae91f7af7e only index if it's not nullptr 2014-10-09 22:08:37 -07:00
mike@arpaia.co
0033e9bd02 cleaning up some memory leak supps 2014-10-09 22:06:55 -07:00
Javier Marcos
19a2d64959 Making sure we do not add duplicated users 2014-10-09 18:55:25 -07:00
mike@arpaia.co
f45798d31a OMG memory leaks 2014-10-09 18:08:31 -07:00
Javier Marcos
64ce35c949 Virtual table to be build in both linux and mac 2014-10-09 15:27:18 -07:00
Javier Marcos
d09e6037dd Fixing infinite loop adding mutex 2014-10-09 14:42:37 -07:00
Javier Marcos
7944ab50da Adding vtable for users 2014-10-09 12:50:34 -07:00
Javier Marcos
e66a4d8873 Install package depending on arch and better comments 2014-10-08 23:09:02 +00:00
Javier Marcos
5db9fa59a5 Adding support to build osquery in centos 6.5 2014-10-08 03:45:56 +00:00
Teddy Reed
2063252f73 [vtable] Fix warning for process in-condition assignment 2014-10-04 13:29:17 -07:00
Teddy Reed
5e6be33767 Merge pull request #199 from facebook/unify_processes 
[vtable] Parity with OSX/Linux processes table
 2014-10-03 17:30:47 -07:00
Teddy Reed
69607c7b32 [vtable] Parity with OSX/Linux processes table 2014-10-03 16:24:11 -07:00
Mike Arpaia
1d062bb038 Merge pull request #185 from facebook/ubuntu12_precise_build_support 
Adding support to build in Ubuntu 12
 2014-10-03 12:57:25 -07:00
Teddy Reed
c553a59745 [events] Use pub/sub diction for events 2014-10-03 11:30:51 -07:00
Teddy Reed
1e36b494b4 [events] Rename MonitorContext to SubscriptionContext 2014-10-03 08:26:41 -07:00
Teddy Reed
b2474b49eb [events] Renamed EventType to EventPublisher 2014-10-03 08:14:36 -07:00
Teddy Reed
e77ae22fe2 [events] Rename EventModule to EventSubscriber 2014-10-03 08:08:06 -07:00
Teddy Reed
69bfb92905 [events] Fleshing out OSX FSEvent framework 2014-10-02 21:30:14 -07:00
Javier Marcos
7c1afd1558 Adding support to build in Ubuntu 12 2014-10-02 17:58:56 +00:00
mike@arpaia.co
2348460ca4 Revert "Support for Ubuntu 12, precise" 
This reverts commit ed0e051eba.
 2014-10-01 23:00:23 -07:00
Javier Marcos
ed0e051eba Support for Ubuntu 12, precise 2014-10-02 01:24:23 +00:00
Teddy Reed
ed338e8356 [events] Events lifecycle complete, passwd_changes vtable 2014-09-26 12:58:32 -07:00
mike@arpaia.co
6beb5d1247 Moving table generation to CMake 
CMake now handles building all of the generated code.
 2014-09-23 17:55:54 -07:00
mike@arpaia.co
4218a4c2ab cmake cleanups 2014-09-22 21:23:16 -07:00
mike@arpaia.co
9e2507409c linking tests against libosquery 2014-09-22 19:54:59 -07:00
mike@arpaia.co
627821abc1 Periodic clang-format 2014-09-21 14:29:28 -07:00
mike@arpaia.co
b5ee19f49f Removing the osquery::db namespace 2014-09-21 14:27:09 -07:00
Teddy Reed
9516bf8fd7 Regressions from core NS removal, linux includes 2014-09-17 10:29:22 -06:00
mike@arpaia.co
de426754d9 moving fs to the global namespace 2014-09-15 11:47:52 -07:00
mike@arpaia.co
ad9b0bb5c1 Doxyfile, for docs 2014-09-13 15:18:26 -07:00
Mike Arpaia
db0f0105dd Revert "Skip tests when making 'fast'" 2014-09-09 21:37:08 -07:00
mike@arpaia.co
c9fafc00d3 using '#pragma once' instead of '#ifndef HEADER' 
let's start using #pragma once for our headers. it's less lines of code,
clang supports it, headers become more movable, etc. it's all around a
better plan.
 2014-09-09 18:54:53 -07:00
mike@arpaia.co
cec7b33afb removing unused header includes 2014-09-09 18:43:41 -07:00
Teddy Reed
2e150ef8a9 Skip tests when making 'fast' 2014-09-09 16:25:22 -07:00
mike@arpaia.co
df1332277d clang-format 2014-09-09 16:14:54 -07:00
Teddy Reed
825b50f932 [vtables] Routes table for Linux 2014-09-09 16:07:36 -07:00
Teddy Reed
bfba3d491d Merge pull request #117 from facebook/linux-processes-vtable 
[vtables] Processes table for Linux (procps3)
 2014-09-09 14:43:26 -07:00
Teddy Reed
2bcd89d70f [vtables] Adding cmdline, path to Linux processes 2014-09-09 10:59:16 -07:00
Mike Arpaia
d6699bd0fe Adding header files to CMakeLists.txt so that other build tools can perform better introspection into the codebase. 2014-09-09 10:53:59 -07:00
mike@arpaia.co
8fcad82b35 periodic clang-format 2014-09-09 00:56:27 -07:00
Teddy Reed
c6a7e86b18 [vtables] Processes table for Linux (procps3) 2014-09-08 22:42:17 -07:00
mike@arpaia.co
c72d069689 vagrant and make deps on linux 2014-09-08 19:24:23 -07:00
Teddy Reed
7e470747b4 Moving sublibs to single libosquery 2014-09-08 01:58:29 -07:00
Teddy Reed
e23e7bdab8 Merge pull request #102 from facebook/linux-build 
Changes for Linux (Ubuntu 14.04) build
 2014-09-05 14:52:35 -07:00
Teddy Reed
4ffd184eaf Changes for Linux (Ubuntu 14.04) build 2014-09-05 10:58:58 -07:00
Javier Marcos
344ca31f26 Adding last virtual table 2014-09-04 16:42:18 -07:00
mike@arpaia.co
66a2a6fdec Fix performance issue with the disk serializer 
This is the issue noted in #76. Keeping all historical results of
queries in the HistoricalQueryResults struct makes serializing and
deserializing those structs very, very slow as time goes on. By only
storing the last execution of the query, we keep the performance
constant, but we kill the feature where osquery can rebuild timelines
without accessing logs. After talking it over, we decided that this
isn't actually that big of a deal because, if you really wanted to
rebuild the old data, you should be able to process the logs, similarly
to bin log replication in MySQL.
 2014-09-02 13:13:12 -07:00
mike@arpaia.co
2b08ba60e3 Fixing #67 
Escaping spaces in the Program field of the launchd table since it
represents a path
 2014-09-02 12:22:12 -07:00
mike@arpaia.co
c6b7c04626 Fixing #65 
The column name was misspelled in the table spec, causing the column to
look blank.
 2014-09-02 12:15:45 -07:00
mike@arpaia.co
63070a0d49 migrating project to use CMake's CTest to run unit tests 2014-09-02 11:14:21 -07:00
mike@arpaia.co
6498f45924 renaming the cacerts table to ca_certs 2014-09-01 18:46:16 -07:00
Teddy Reed
c653e0b1be [vtable_nvram] Fixing type description memory leak, and re-org 2014-09-01 18:32:49 -07:00
mike@arpaia.co
8649951fab minimum possible linkages 2014-08-30 14:29:45 -07:00
mike@arpaia.co
f174c4dbd0 enabling unit tests for tables 2014-08-30 14:26:24 -07:00
mike@arpaia.co
2e5810ae9a proper ordering in tables/CMakeLists.txt 2014-08-30 04:28:49 -07:00
mike@arpaia.co
47bfe57272 clang-format 2014-08-30 04:06:31 -07:00
mike@arpaia.co
b1f86466e0 alphabetizing the order of sources in the tables cmake file 2014-08-30 03:46:08 -07:00
mike@arpaia.co
5b904cca26 moving the table_sources blob down to just above where it's used 2014-08-30 03:43:02 -07:00
mike@arpaia.co
dd909ed39d breaking out the implementation of os x specific virtual tables into their own cmake library 2014-08-30 03:24:35 -07:00
mike@arpaia.co
3b05ffb97d breaking out objective-c tables such that they use arc 2014-08-30 03:19:16 -07:00
mike@arpaia.co
92845146d7 re-adding all of the virtual tables that depended on performant objective-c interop 2014-08-30 03:09:04 -07:00
mike@arpaia.co
0e806eff83 Proper ARC in Objective-C++ code 2014-08-30 00:22:26 -07:00
mike@arpaia.co
bb46cd31b4 fixing a dirty memory overwrite 2014-08-29 00:24:48 -07:00
mike@arpaia.co
da7ec74840 new time virtual table. it's pretty useful to have a light weight table that doesn't leak at all which returns data that's always changing. 2014-08-28 23:15:45 -07:00
mike@arpaia.co
1da3fab7b7 fix memory leak in sqlite3_attach_tables #74 2014-08-28 21:33:44 -07:00