Commit Graph

264 Commits

Author SHA1 Message Date
Andrew Dunham
4ccdcc7864 Allow setting the mode of log files
This also sets the appropriate flags in glog
2015-11-11 11:37:55 -08:00
Teddy Reed
7c70183a87 Merge pull request #1625 from theopolis/pack_delim
Add pack_delimiter option
2015-11-03 21:05:44 -08:00
Sharvil Shah
97adb862ce Update to the correct link, fixes #1627 2015-11-03 04:37:25 -08:00
Teddy Reed
15c4673c5a Add pack_delimiter option 2015-11-02 18:05:46 -08:00
Teddy Reed
ba4eeb6a80 [#1600] Put inotify into a mod-only watch mode 2015-10-27 16:42:21 -07:00
Teddy Reed
c0257aa7d1 Merge pull request #1589 from theopolis/fix_1578
[Fix #1578] Support OPENSSL_NO_SSV3
2015-10-19 11:25:46 -07:00
Teddy Reed
00875988dc Use native OS X version as min ABI 2015-10-18 20:47:09 -07:00
Robert C. Seacord
8030866add Update reading-files.md
The smaller example was not going to compile because kPath was not defined.
2015-10-16 16:10:36 +00:00
Teddy Reed
2e7415f871 Convert wiki to UNIX format and refresh most content 2015-10-15 12:18:16 -07:00
Luis San Martin
0f0d873a96 sudo added as requeriment 2015-10-14 20:05:12 -03:00
Teddy Reed
82b0ccf782 Merge pull request #1553 from arubdesu/docs-darwinSysReqs
explicitly call out OS and requirements at top of OS X install doc
2015-10-13 11:26:32 -07:00
Allister Banks
d79d02dde5 explicitly call out OS compatibility at top of OS X install doc
Reordered install types, Pointed to the CI build status as an indication
of platform support, moved up the line about pkg/lib dependencies
to be after the pkg section. Someone stop Atom from tacking newlines to
the ends of files on save, GitHub, you’re not the boss of me!
2015-10-13 14:10:38 -04:00
Mike Arpaia
dea0b4d1c9 Merge pull request #1542 from keeleysam/keeleysam-patch-1
Use full key for apt
2015-10-12 16:55:18 -07:00
Teddy Reed
b7a2d861bf Build Glog with OS X ABI, add SKIP_BENCHMARK 2015-10-11 14:37:49 -07:00
Mike Arpaia
4d0cd46f42 Merge pull request #1539 from theopolis/nit_101
Minor nits around distributed CLIs
2015-10-09 14:55:05 -07:00
Samuel Keeley
e1b6f917fd Use full key for apt
The 8 digit key is not secure
2015-10-07 16:00:38 -07:00
Dan Farmer
2413615885 Typo in linux installation docs
Added the character "d" to two lines to fix a typo.

From:

sudo service osquery start
sudo service osquery status

To:

sudo service osqueryd start
sudo service osqueryd status
2015-10-06 18:36:18 -07:00
Teddy Reed
689ae4c865 Minor nits around distributed CLIs 2015-10-02 11:33:50 -07:00
Mike Arpaia
aaa03a1058 Distributed queries client-side 2015-09-08 13:33:48 -07:00
Mike Arpaia
a140333441 [fix #1390] query pack re-org
This commit contains the features specified in #1390 as well as a
refactoring of the general osquery configuration code.

The API for the config plugins hasn't changed, although now there's a
`genPack` method that config plugins can implement. If a plugin doesn't
implement `genPack`, then the map<string, string> format cannot be used.
The default config plugin, the filesystem plugin, now implements
`genPack`, so existing query packs code will continue to work as it
always has.

Now many other config plugins can implement custom pack handling for
what makes sense in their context. `genPacks` is not a pure virtual, so
it doesn't have to be implemented in your plugin if you don't want to
use it. Also, more importantly, all config plugins can use the standard
inline pack format if they want to use query packs. Which is awesome.

For more information, refer to #1390, the documentation and the doxygen
comments included with this pull requests, as well as the following
example config which is now supported, regardless of what config plugin
you're using:

```json
{
  "options": {
    "enable_monitor": "true"
  },
  "packs": {
    "core_os_monitoring": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "kernel_modules": {
              "query": "SELECT name, size FROM kernel_modules;",
              "interval": 600
          },
          "system_controls": {
              "query": "SELECT * FROM system_controls;",
              "interval": 600,
              "snapshot": true,
          },
          "usb_devices": {
              "query": "SELECT * FROM usb_devices;",
              "interval": 600
          }
        }
    },
    "osquery_internal_info": {
        "version": "1.4.5",
        "discovery": [
          "select pid from processes where name like '%osqueryd%';"
        ],
        "queries": {
          "info": {
              "query": "select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;",
              "interval": 60,
              "snapshot": true
          },
          "registry": {
              "query": "SELECT * FROM osquery_registry;",
              "interval": 600,
              "snapshot": true
          },
          "schedule": {
              "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory from osquery_schedule;",
              "interval": 60,
              "snapshot": true
          }
        }
    }
  }
}
```

The `osquery_packs` table was modified to remove the superfluous
columns which could already have been found in `osquery_schedule`. Two
more columns were added in their place, representing stats about pack's
discovery query execution history.

Notably, the internal API for the `osquery::Config` class has changed
rather dramatically as apart of the refactoring. We think this is an
improvement. While strictly adhering to the osquery config plugin
interface will have avoided any compatibility errors, advanced users may
notice compilation errors if they access config data directly. All
internal users of the config have obviously been updated. Yet another
reason to merge your code into mainline; we update it for you when we
refactor!
2015-09-02 10:56:26 -07:00
Teddy Reed
0e16f56c8d Add 'hidden' flags to customize TLS plugins 2015-08-28 12:57:53 -07:00
Kevin Thompson
e8772f2603 Adds an enroll_secret_env flag that allows the user to specify that
the enroll secret for TLS enrollment is stored in an environment
variable rather than a file.
2015-08-25 21:11:19 -05:00
Allister Banks
153fbdff0d osqueryctl subcommand reversed in doc
Yes it immediately told me about it, this is just a docs tweak to
reflect the proper order. 😅
2015-08-19 13:09:25 -04:00
Teddy Reed
b9ded9e7af [#1402] Add notes around pack paths in example.conf 2015-08-12 17:15:42 -07:00
Teddy Reed
ff9cb71628 Various additional tests and benchmarks 2015-07-28 12:26:17 -07:00
Elan Ruusamäe
9a4bc7ede4 Update building.md
fix doc link
2015-07-25 16:49:31 +03:00
Teddy Reed
6104aaebfe Add optional TLS config plugin refresh 2015-07-17 14:59:08 -07:00
Artur Chmiel
c0be6b5ba1 Fixed URLs and some typos in the documentation 2015-07-16 23:17:22 +02:00
Teddy Reed
c269bbeaf3 Rollup of build changes 2015-07-14 13:45:53 -07:00
Michael O'Farrell
276891ad00 Merge pull request #1330 from mofarrell/kernel
Kernel!!!
2015-07-13 17:29:08 -07:00
Artur Chmiel
cb1856654d Various fixes to the documentation 2015-07-11 23:37:25 +02:00
Mike Arpaia
3b11d974fa Merge pull request #1306 from marpaia/email-wiki
Add google group email to the wiki
2015-07-10 01:45:58 -04:00
Michael O'Farrell
0284b9e60d Merge branch 'master' into kernel
Conflicts:
	mkdocs.yml
2015-07-08 10:26:32 -07:00
Teddy Reed
f48619ed28 [#1285, #1276] Faster, optimized subscriber results 2015-07-07 00:59:28 -07:00
Mike Arpaia
8fe1c4029d Add google group email to the wiki
Let's start using our google group for long-form questions so that we
can leave issues for implementation tasks.
2015-07-06 17:24:27 -07:00
Teddy Reed
dd9fa25d78 [Fix #1171, #1089] Add configurable max reads
There are 3 new options that control how files are read:
--read_max: controls the maximum size, in bytes, for file reads. If a file is larger than `read_max` the read will fail.
--read_user_max: similar to `read_max` but applies additional limitations to user-controlled files.
--read_user_links: a boolean control to enable/disable following symlinks for user-controlled files.

Important highlights:
If files exceed the configured max, those reads will fail.
The `read_max` will override `read_user_max` if it is set lower.
A default integer value of `0` will disable the limitations.

The default `read_max` is set to 50M and the default `read_user_max` is 10M.
2015-07-06 00:49:43 -07:00
Mike Arpaia
1a6a6d4a1c README updates
Moving platform specific build instructions to the wiki, to keep the
README brief.
2015-07-01 23:47:41 -07:00
Teddy Reed
757940fe6f Towards CMake-powered kernel extension building 2015-06-30 00:49:16 -07:00
Michael O'Farrell
f4e05b992a Merge branch 'master' into kernel
Conflicts:
	mkdocs.yml
2015-06-26 17:04:42 -07:00
Michael O'Farrell
7adf170540 Base kernel module with circular queue and test. 2015-06-23 16:16:19 -07:00
Teddy Reed
0c6c1e3a62 Various quality control fixes 2015-06-12 01:32:24 -07:00
Teddy Reed
727f5b091f Various table perf improvements and TLS docs 2015-06-05 22:03:15 -07:00
Teddy Reed
a105924804 Move specs to a top-level path, add query examples
1. Example queries will run with an (optional) integration test.
2. Fix bad accesses with OS X package BOMs
3. Move spec files from ./osquery/tables/specs to ./specs
4. Remove server parsers (netlib) from client builds.
2015-06-03 10:39:05 -07:00
Teddy Reed
6591916fed [#1076] RTD wiki article on extensions autoloading 2015-05-28 16:27:29 -07:00
Teddy Reed
b405d9f24a Build/vagrant wiki cleanup
1. Adding us-west-2
2. Support for VPC/subnet options
3. Excluding binary/git dirs from AWS rsync
2015-05-27 11:12:02 -07:00
Blake Frantz
28d9237b50 Amazon EC2-based vagrant targets for RHEL/Amazon Linux
1. added docs for vagrant-aws support in Vagrantfile
2. removed aws target that have local vagrant support. inline-string'd aws.user_data
3. support building rhel6/7 in aws
4. correct aws-rhel6.6 name. it should be rhel6.5
2015-05-26 21:03:10 -07:00
Mike Arpaia
fff36af0af Removing trailing whitespace 2015-05-11 23:31:13 -07:00
Teddy Reed
e01a73b4f3 Schedule monitoring, doc updates, logger plugin fixes 2015-05-03 11:54:15 -07:00
Sharvil Shah
cb396bd7b7 fix 404s as a result of relative links not having .md extension 2015-05-02 04:12:21 -07:00
Sharvil Shah
35c6cb8f39 Fix https mixed content warning by updating image links to https 2015-05-02 03:35:05 -07:00
Teddy Reed
06aa60a127 Merge pull request #1074 from sharvilshah/disable_tables_runtime_flag
[Implements #1016] Disable tables runtime flag
2015-04-30 01:55:03 -07:00
Sharvil Shah
2735e731de Implement --disable_tables runtime flag 2015-04-30 01:41:01 -07:00
John Reese
bc978475c8 Add .py extension to build docs tools/profile 2015-04-29 23:14:34 -07:00
Ari Rubinstein
a69a4b1903 First iteration of FIM documentation 2015-04-29 12:46:51 -07:00
Wesley Shields
f431280c2e Address concerns from Mike.
Mostly cleanup as it moved from a gist to get the word out to docs.

This does assume that the change from file_changes to file_events
in #1049 will happen.
2015-04-28 21:55:22 -04:00
Wesley Shields
5de1f484df First cut at YARA docs. 2015-04-27 23:59:55 -04:00
Shawn Davenport
abdf273f0a Fix install-osx link. 2015-04-25 19:57:07 -07:00
Sharvil Shah
6383a9917f Support setting v.cpus via ENV variable, default fallback to 2
Update docs: mention V_CPUS ENV variable for vagrant

Use OSQUERY_BUILD_CPUS as the ENV var instead of V_CPUS
2015-04-23 14:15:16 -07:00
Teddy Reed
8930f9e692 Documentation updates, separate config/logging pages
Mostly minor documentation/wiki/guide fixes.
The breaks down the "using osqueryd" page into more of a summary
of what the daemon does from a schedule/logging perspective.

The bulk of the "using osqueryd" page now exists in the configuration
deployment page and the new "logging" deployment page.
2015-04-18 22:09:25 -07:00
Mike Arpaia
0745017233 missing quote in docs 2015-04-10 23:31:10 -07:00
Teddy Reed
e69f72cd56 Documentation updates 2015-04-10 14:31:34 -07:00
Teddy Reed
1305a2764a [Fix #964] Restrict apt-sources to arch=amd64 2015-04-08 14:13:01 -07:00
Wesley Shields
c2c6dbd216 Remove MATCHES from docs.
This is not a valid ConstraintOperator.
2015-04-06 20:43:56 -04:00
Teddy Reed
2df9a6558e Add some osquery-theme to API docs 2015-04-06 01:21:10 -07:00