Teddy Reed
e311a47774
Add key_size to certificates table
2016-01-05 11:34:57 -08:00
Teddy Reed
5824b891d3
Only discover SMBIOS tables once on Linux
2015-12-19 20:40:05 -08:00
Teddy Reed
4af9d8d61c
Add certificate issuer and self_signed columns
2015-12-17 19:36:31 -08:00
Teddy Reed
63d12789b4
Fix regression in file content predicate refactor
2015-12-14 15:24:55 -08:00
Teddy Reed
e6a474a6f1
Fix Debian os_version detection
2015-12-14 15:09:40 -08:00
Teddy Reed
92719e7b48
Add OSX platform_info
2015-12-12 03:29:17 -08:00
Teddy Reed
70face8ac2
Add platform_info table for UEFI/ROM details
2015-12-12 01:55:14 -08:00
Teddy Reed
fdfe5f4d3f
Add support for Linux SMBIOS/DMI EFI structure parsing
2015-12-11 23:18:04 -08:00
Teddy Reed
a99b62a31d
Preserve atime and mtime by default for readFile
2015-12-11 22:18:45 -08:00
Teddy Reed
718ff77864
Extend fields of file_events
2015-12-11 10:26:36 -08:00
Teddy Reed
ccff0c8c18
[Fix #1686] Add 'subject' and 'signing_algorithm' to certificates
2015-11-29 18:32:13 -08:00
Teddy Reed
2e57869d34
Merge pull request #1681 from theopolis/fix_1665
[#1665, #1615] Refactor user-based tables to act uniformly
2015-11-24 13:07:28 -08:00
Teddy Reed
35129a7af7
[#1665, #1615] Refactor user-based tables to act uniformly
2015-11-24 12:46:25 -08:00
Teddy Reed
08c7911eb7
Merge pull request #1655 from theopolis/iokit_events
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:45:10 -08:00
Teddy Reed
6748fdb024
Rewrite OS X hardware events to use IOKit proper
2015-11-21 19:31:05 -08:00
Teddy Reed
7ca7974dfb
Merge pull request #1668 from cdown/f/freebsd_uid
freebsd process table: Fix EUID/EGID to not use saved IDs
2015-11-21 11:19:36 -08:00
Teddy Reed
283f7c6d59
Fix clang analyze failures in signature table
2015-11-21 09:56:19 -08:00
Chris Down
d4d87a69ce
freebsd process table: Fix EUID/EGID to not use saved IDs
It's not totally clear why saved IDs were used here. There is some precedent in
sigar (https://github.com/hyperic/sigar), where they also use the saved UID,
but me and @wxsBSD are not really sure why. Maybe it's because kinfo_proc feels
different than similar structs on other Unices.
Fixes #1662.
2015-11-21 02:52:06 -08:00
Teddy Reed
8425010874
Merge pull request #1664 from stripe/andrew-better-homebrew
Determine Homebrew Cellar from binary
2015-11-20 16:06:30 -08:00
Andrew Dunham
161f8b9fd0
Determine Homebrew Cellar from binary
We look at the location of the Homebrew binary `brew` on disk, and use
the real path (i.e. path with all symlinks resolved) from that binary to
determine the Cellar. This behavior mirrors that of Homebrew itself.
2015-11-20 15:15:18 -08:00
Teddy Reed
9ae53f2158
Merge pull request #1663 from cdown/f/saved_ids
Add saved UIDs and GIDs to process table
2015-11-20 14:35:20 -08:00
Teddy Reed
a673a793fe
Merge pull request #1659 from PickmanSec/knownhosts
Added known_hosts table
2015-11-20 12:46:13 -08:00
Teddy Reed
16247f10e8
Merge pull request #1624 from PickmanSec/master
added authorized_keys table
2015-11-19 09:10:59 -08:00
Chris Down
39bdec4c8d
Add saved UIDs and GIDs to process table
2015-11-18 16:44:07 -08:00
Michael George
dde59f8c18
Added known_hosts file
added known_hosts table
2015-11-17 12:38:19 -08:00
Michael George
a649bf6733
Added authorized_keys table
Fixed mislabeled variable from line parsing
Update authorized_keys.cpp
Update authorized_keys.cpp
Check if line is empty
2015-11-16 10:36:24 -08:00
Andrew Dunham
a0932105f6
Refactor how we determine the OS version in the signature table
2015-11-11 11:34:15 -08:00
Andrew Dunham
dea93c8aa5
Add a signature table on Darwin
This table allows verifying the signature of files (or bundles) on
Darwin. It also provides the signing identifier that is a part of the
signature.
2015-11-10 13:21:18 -08:00
Teddy Reed
57e8ef2ab3
[#1546] Add computer_name to system_info and extend to Linux
2015-11-04 10:31:16 -08:00
Teddy Reed
084ccaf080
Use default blank value for startup_items Alias
2015-11-03 22:58:00 -08:00
Teddy Reed
75bfcddc31
Merge pull request #1622 from theopolis/faster_sockets
Faster socket_events on Linux
2015-11-02 10:56:37 -08:00
Teddy Reed
a1a9131174
Optimize socket_events and Linux users
2015-11-02 10:37:56 -08:00
Teddy Reed
50550e607a
Build and provision edits for FreeBSD CI
2015-11-02 01:47:09 -08:00
Teddy Reed
d27a7ecc4c
Fix clang warnings, promote warnings to errors
2015-11-01 02:12:07 -08:00
Michael George
fb545bb85e
added sh_history
2015-10-29 10:53:04 -07:00
Teddy Reed
b81b6de6ae
This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understandable that this would cause
latency based on the number of processes executing per measure of time.
A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
2015-10-27 15:13:02 -07:00
Teddy Reed
654830cf11
Merge pull request #1594 from rcseacord/additional-sign-fixes
eliminated some warnings from Clang 3.7 analyze mode
2015-10-23 13:03:54 -03:00
Robert C. Seacord
1d9695ac31
eliminated some warnings from Clang 3.7 analyze mode
2015-10-21 06:02:58 +00:00
Teddy Reed
7ba87a88bb
Merge pull request #1585 from rcseacord/additional-sign-fixes
Additional sign fixes
2015-10-19 11:25:18 -07:00
Teddy Reed
8214dd1309
Merge pull request #1584 from theopolis/fix_1580
[Fix #1580] Handle exceptions in linux process_memory_map
2015-10-19 09:28:16 -07:00
Teddy Reed
f891503cd9
Merge pull request #1577 from nemith/dpkg
Support for newer versions of libdpkg
2015-10-19 09:24:37 -07:00
Robert C. Seacord
e57828aac3
changes for integer sign problems
2015-10-17 00:18:35 +00:00
Teddy Reed
3cc7984cc2
[Fix #1580] Handle exceptions in linux process_memory_map
2015-10-16 16:59:23 -07:00
Brandon Bennett
65738a73c1
Support for newer versions of libdpkg
Libdpkg has some breaking changes in newer versions which prevented
compiling the deb_packages table on Ubuntu 15.04. This change looks for
the libpkg version using pkg-config and adds some preprocessor magic to
support the newer versions.
2015-10-15 16:43:14 -06:00
Teddy Reed
3be0994933
[Fix #1570] Check for invalid apt sources
This fixes a crash identified by @endrazine.
When apt sources data in /etc/apt/sources.list or /etc/apt/sources.list.d/{*}.list contain invalid data/lines the cache_file.GetPkgCache(); call will fail and cache will be nullptr. Subsequent usage results in a SIGSEGV.
To reproduce the fault try:
$ zzuf -I /etc/ -r 0.01:0.1 -s 0:1000 -v \
./build/trusty/osquery/osqueryi --registry_exceptions=true --verbose \
"select count(*) from apt_sources"
Signed-off-by: Jonathan Brossard
2015-10-15 15:20:26 -07:00
Teddy Reed
6b16720039
Fix kernel_info on OS X, remove md5
2015-10-11 11:43:42 -07:00
Teddy Reed
bbac2cf07f
[#1529] Allow DB Readonly with RocksDB lite
2015-09-28 01:50:32 -07:00
Teddy Reed
64c18a70a9
Merge pull request #1525 from theopolis/process_adds
Add state, group, and nice to processes
2015-09-24 14:43:17 -07:00
Teddy Reed
5890901c00
Add state, group, and nice to processes
2015-09-24 13:11:46 -07:00
Mike Arpaia
327a9bcdb1
Merge pull request #1522 from marpaia/startup_items
Include system startup items
2015-09-22 16:06:20 -07:00