Mike Arpaia
5ccfe886ba
Merge pull request #1363 from theopolis/less_rows
[Fix #1303] Only emit rows when appropriate for processes/users.
2015-07-19 20:36:26 -07:00
Teddy Reed
5249e74146
[Fix #1303] Only emit rows when appropriate for processes/users.
When optimizing a table using query constraints an implementation should not add unneeded rows.
A user experience bug exists when selecting with an explicit non-existing pid/uid.
2015-07-19 20:20:04 -07:00
Teddy Reed
95775be1d9
[Fix #1355] Allow plist keys with '.'
Boost property trees are level delimited using '.' characters.
An Apple property list may contain keys with '.' characters, so the plist conversion must use iterators and raw node appends.
2015-07-19 16:24:43 -07:00
Teddy Reed
c36fbda274
Merge pull request #1349 from theopolis/centos_version
[Fix #1319] CentOS version reporting and file read error
2015-07-17 09:07:29 -07:00
Teddy Reed
f06820f578
[Fix #1319] CentOS version reporting and file read error
1. Redhat-based distributions were not reporting their version correctly.
2. The file read API assumed stat would return an accurate file size.
This has been replaced with an attempt to seek to the end of the file.
2015-07-16 14:16:51 -07:00
Artur Chmiel
ac9a320218
Updated the readFile function to correctly handle symbolic links
2015-07-16 07:55:12 +02:00
Teddy Reed
263090e8f2
[Fix #1332] Check mode for links in readFile
1. "really" check for links in readFile
2. Apply the same restrictions and flag ACLs to file hashing.
2015-07-14 14:24:52 -07:00
Teddy Reed
f48619ed28
[#1285, #1276] Faster, optimized subscriber results
2015-07-07 00:59:28 -07:00
Teddy Reed
d2685cfa41
[#1142] Move path resolution into publisher logic
2015-07-07 00:45:55 -07:00
Teddy Reed
dd9fa25d78
[Fix #1171, #1089] Add configurable max reads
There are 3 new options that control how files are read:
--read_max: controls the maximum size, in bytes, for file reads. If a file is larger than `read_max` the read will fail.
--read_user_max: similar to `read_max` but applies additional limitations to user-controlled files.
--read_user_links: a boolean control to enable/disable following symlinks for user-controlled files.
Important highlights:
If files exceed the configured max, those reads will fail.
The `read_max` will override `read_user_max` if it is set lower.
A default integer value of `0` will disable the limitations.
The default `read_max` is set to 50M and the default `read_user_max` is 10M.
2015-07-06 00:49:43 -07:00
Teddy Reed
7aac5fd358
Replace custom wildcarding with POSIX-glob
POSIX-globbing will allow event publishers/subscribers to post-check
results against glob-syntax, fnpath matching, and POSIX C-regex.
These checks are anecdotally speedy.
2015-07-02 13:53:16 -07:00
Teddy Reed
e7ab2fc47b
Limit scope of git/tag version defines.
Harden plist parsing against internal fuzzing tests.
Improve file/stream read speeds.
2015-06-12 10:10:20 -07:00
Mike Arpaia
fff36af0af
Removing trailing whitespace
2015-05-11 23:31:13 -07:00
Teddy Reed
70e3c190bb
Easier build host-based sync
2015-05-05 15:15:45 -07:00
Teddy Reed
c63bf0451a
Various exception hardening
2015-05-03 14:18:20 -07:00
Teddy Reed
d0bbb0bc4f
Towards safer and shuffled unittests
2015-04-29 14:43:27 -07:00
Teddy Reed
be65922569
Fast tests
2015-04-27 09:40:31 -07:00
Teddy Reed
c9e07ec2ba
Add launchd_overrides table
2015-04-15 23:19:23 -07:00
Teddy Reed
54af369702
[Fix #968] Refactor launchd
2015-04-10 18:04:26 -07:00
Teddy Reed
d30455893f
Merge pull request #941 from theopolis/rhel_fun
[Implement #926] RHEL6 provisioning
2015-04-08 14:37:48 -07:00
Teddy Reed
41ce00e573
RHEL6 provisioning
2015-04-06 23:43:01 -07:00
Mitchell Grenier
a6a8cc596b
Fixed a bug that would prevent single files from showing up in wildcard resolutions
2015-04-06 15:21:17 -07:00
Teddy Reed
692c1b1751
Add package_receipts/package_bom OS X tables
2015-03-27 23:12:09 -07:00
Teddy Reed
38bfed3414
Remove libprocps(ng) in favor of parsing proc manually
2015-03-27 12:37:16 -07:00
Teddy Reed
79ddc5ba38
Remove unused shell functions
2015-03-19 16:14:29 -07:00
Mitchell Grenier
3f75a0345f
Fixing hopefully the last filesystem exception
2015-03-17 11:52:56 -07:00
Mitchell Grenier
e230aebab5
Fixing UBN by adding extra tries to uncaught throws
2015-03-16 15:44:24 -07:00
Mitchell Grenier
637336f8c9
Ability to configure osquery from multiple files
2015-03-13 17:19:02 -07:00
Teddy Reed
fe0f369af0
Extension-dependent config/logger plugins
2015-03-13 12:01:30 -07:00
Teddy Reed
5cfff6ac57
[For #579] Remove gotos from auto-release plist parsing
2015-03-08 15:45:39 -07:00
Teddy Reed
4916392aa8
Merge pull request #812 from theopolis/keychain
Add more keychain search paths for certificates
2015-03-07 23:27:50 -08:00
Teddy Reed
0673900837
Registry modules
2015-03-04 20:33:10 -08:00
Mitchell Grenier
93577f3ab2
Added filesystem .. test
Supporting relative paths
2015-03-03 16:18:37 -08:00
Mitchell Grenier
fc09924a59
clang format
2015-03-02 16:48:01 -08:00
Mitchell Grenier
0016bc4a8c
Addressing theopolis changes
2015-03-02 15:46:42 -08:00
Mitchell Grenier
68ea487137
Addressing theopolis changes
2015-03-02 15:43:31 -08:00
Teddy Reed
e123f9f0a2
Add more keychain search paths for certificates
2015-03-01 21:15:42 -08:00
Mitchell Grenier
544615ef57
Bug fix for REC_LIST_FOLDERS
Fixed a bug where, when using REC_LIST_FOLDERS, the root resolution directory would not be returned.
2015-03-01 18:26:37 -08:00
Mitchell Grenier
0031c6ed57
Fixed many bugs. inotify and fsevents should be same now
2015-02-27 17:28:51 -08:00
Mitchell Grenier
70c82b5a40
Linux inotify more closely resembles fsevents and is generally more awesome
2015-02-25 16:43:37 -08:00
Mitchell Grenier
6548006d3e
Adding ability to monitor whole folders
2015-02-25 16:28:24 -08:00
Teddy Reed
148d7385f6
[Fix #792] Replace std::regex with string parsing gcc below 4.9
2015-02-24 13:19:27 -08:00
Teddy Reed
451ef686ed
Building example extension with SDK
2015-02-18 20:11:00 -08:00
Teddy Reed
1f8dacec3c
Add flag aliasing, logger/flag tests
2015-02-17 16:26:14 -08:00
Teddy Reed
3c36c4196b
Merge pull request #731 from jedi22/wildcard_events
Added parsing of extra data along with its addition to the osqueryconfig structure
2015-02-15 19:16:54 -08:00
Mitchell Grenier
de5ac74fab
All changes addressed
2015-02-13 16:52:11 -08:00
Teddy Reed
aa078895d3
CentOS7 clang without fortify
1. _FORTIFY_SOURCE=1 will cause readlink/recv to hang when using
heap-allocated target buffers.
2. Install boost/rocksdb/thrift using source, similar to CentOS6.5
3. Remove boost::regex, prefer extended std::regex without static
link to boost_regex.
2015-02-13 12:47:30 -08:00
Teddy Reed
55dfdfcace
Move lsperms into filesystem
2015-02-10 03:00:29 -07:00
Teddy Reed
d2b18c05c9
Add watcher profiles
2015-02-09 12:38:50 -08:00
Teddy Reed
993e2c4577
Changes to flags, extensions now loaded with shell/daemon
2015-02-06 09:40:49 -08:00
Teddy Reed
4f10a35f80
Adding thrift extension API
2015-02-06 09:40:49 -08:00
Mitchell Grenier
f9d310a6c4
Adding in the tests for recursive filesystems resolutions
2015-02-05 11:04:02 -08:00
Mitchell Grenier
159b2add89
Merge pull request #689 from jedi22/letter_wild
First iteration to support letter wilds in file paths
2015-02-05 10:42:50 -08:00
Mitchell Grenier
bb855f4551
Adding last wildcarding component
2015-02-05 10:34:42 -08:00
Teddy Reed
ed9bae29b7
Organizing headers/build for SDK
2015-02-03 14:59:32 -08:00
Teddy Reed
ab1cb942a8
Fix typo in passwd subscriber, merge vtable tests
2015-02-01 02:20:09 -07:00
Teddy Reed
ba3931cc1f
Faster fstests using tmp structures
2015-02-01 02:11:46 -07:00
Teddy Reed
38a757c7f0
Merge pull request #673 from theopolis/fork
Adding a watcher/worker model for osqueryd
2015-01-30 19:09:55 -08:00
Mitchell Grenier
0ab10f9982
Added the ability to search through directories using wildcards
2015-01-29 17:18:39 -08:00
Teddy Reed
8fd56417fd
Adding a watcher/worker model for osqueryd
2015-01-26 01:22:50 -07:00
Teddy Reed
9c1faec090
Isolate glog include and depend on libglog for #652
2015-01-21 13:37:06 -08:00
Teddy Reed
b7549e09ca
SMBIOS parsing on Linux using mem
2015-01-20 15:10:19 -08:00
Teddy Reed
6b6649bbd4
Adding mem to Linux filesystem lib
2015-01-20 15:06:34 -08:00
Teddy Reed
bb6f313c6c
Moved socket_inode on Linux to process_open_files
2015-01-13 08:26:47 -08:00
Theodore M. Reed
53d683a3b3
Remove tables dependency from CMake build
2014-12-23 14:37:07 -08:00
Teddy Reed
ff7ca1e800
Merge pull request #557 from theopolis/xprotect_results
OSX results of XProtect hits
2014-12-18 13:04:08 -08:00
mike@arpaia.co
b9f732c31f
Updating the license comment to be the correct open source header
As per t5494224, all of the license headers in osquery needed to be updated
to reflect the correct open source header style.
2014-12-18 10:52:55 -08:00
Teddy Reed
888f74de36
OSX results of XProtect hits
2014-12-17 18:35:01 -08:00
Teddy Reed
7602d17de9
Move base64Decode from ca_certs testing to conversions
2014-12-17 14:03:52 -08:00
Teddy Reed
fefe6de824
OSX XProtect signature DB as virtual table
2014-12-16 21:35:26 -08:00
Teddy Reed
7c738c8497
Codemod to improve include search paths
2014-12-03 15:14:02 -08:00
Teddy Reed
343cdf8405
Organize /tools
2014-12-02 21:16:24 -08:00
mike@arpaia.co
807b7c735f
can't format filesystem_tests because of raw strings
2014-11-25 09:05:16 -08:00
mike@arpaia.co
8f50cae3aa
clang-format on the codebase
Periodic clang-format run.
2014-11-25 09:05:16 -08:00
Teddy Reed
b2debf509a
Cleanup inode table implementations and unblacklist
2014-11-19 16:56:48 -08:00
Gabriele Carrettoni
77b521ce7b
read the file directly into a stringstream buffer
2014-11-09 16:57:35 +01:00
Gabriele Carrettoni
848bd4d96e
use unique_ptr instead of raw pointer
2014-11-09 02:23:19 +01:00
Veres Lajos
afc82c722f
typo fixes - https://github.com/vlajos/misspell_fixer
2014-11-07 22:18:02 +00:00
Alexander Polyakov
78af7dd885
Catch exception in pathExists
boost::filesystem::exists() throws
2014-11-07 00:20:22 +03:00
Teddy Reed
dc77df602e
[format] Cleanup various PRs not run through clang-format
2014-11-03 17:57:01 -08:00
mike@arpaia.co
92381f2009
unbreaking master
2014-11-03 14:28:34 -08:00
Mike Arpaia
3fd0645c07
Merge pull request #350 from zwass/filesystem_path
Refactor osquery::filesystem to use boost::filesystem::path rather than std::string
2014-11-03 14:00:19 -08:00
Zachary Wasserman
c559f0e1d2
Refactor osquery::filesystem to use boost::filesystem::path rather than std::string
2014-11-03 12:08:46 -08:00
Zachary Wasserman
07c8671ede
Use relative path from argv[0]
2014-11-03 11:24:38 -08:00
Zachary Wasserman
e658aa5b65
Add test for plist with binary
2014-11-03 11:24:38 -08:00
Zachary Wasserman
66ceec0de3
Fix Plist parsing of binary blobs
2014-11-03 11:24:38 -08:00
Teddy Reed
24b7be320c
Fix #328, add gflags defines for shell-internal flags
2014-11-02 15:40:35 -08:00
Teddy Reed
1554bf3295
Fix #290, add permissions to osqueryd logging
2014-10-30 15:03:05 -07:00
Teddy Reed
8a9374d6e3
[vtables] Support linux crontab vars
2014-10-29 02:24:00 -07:00
Teddy Reed
47d1f13966
Using Cpp03 to remove double right angle brackets
2014-10-27 17:56:55 -07:00
Teddy Reed
6e60612520
Using clang-format 3.5
2014-10-27 17:37:36 -07:00
Teddy Reed
0a1925200e
Clean flags usage in daemon/shell and dbhandle
2014-10-27 12:09:35 -07:00
Teddy Reed
6d50d762ce
Changing flag infra, reducing config testing, adding debug macro
2014-10-27 10:30:02 -07:00
Teddy Reed
991cbdfb00
Fix permissions on DB handle
2014-10-27 10:05:08 -07:00
Teddy Reed
ded0717e94
[events] Additional INotify tests
2014-10-07 12:27:25 -07:00
Teddy Reed
8213e7dcbc
[events] Improve inotify
2014-10-06 14:37:44 -07:00
mike@arpaia.co
764619c849
Adding a function to read tomcat configs from disk
2014-09-30 19:59:52 -07:00
mike@arpaia.co
196ec880ab
Adding a function to parse the Tomcat users XML file
This is a part of a bigger, better virtual table idea that @carnal0wnage had.
2014-09-30 19:49:38 -07:00
mike@arpaia.co
6b25a216c9
periodic clang-format
2014-09-23 20:15:41 -07:00
mike@arpaia.co
4218a4c2ab
cmake cleanups
2014-09-22 21:23:16 -07:00