valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 10:23:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,108 Commits 2 Branches 109 Tags 25 MiB
f93253ec48
Commit Graph

347 Commits

Author SHA1 Message Date
Teddy Reed
4cb6e37f1d Merge pull request #1338 from theopolis/join_bug 
Fix broken JOIN predicate passing
 2015-07-16 11:45:33 -07:00
Teddy Reed
deecef81c5 Fix broken JOIN predicate passing 2015-07-16 11:29:56 -07:00
Teddy Reed
263090e8f2 [Fix #1332] Check mode for links in readFile 
1. "really" check for links in readFile
2. Apply the same restrictions and flag ACLs to file hashing.
 2015-07-14 14:24:52 -07:00
Michael O'Farrell
4bbb591b37 Added kernel process events table. 2015-07-08 13:47:07 -07:00
Teddy Reed
f48619ed28 [#1285, #1276] Faster, optimized subscriber results 2015-07-07 00:59:28 -07:00
Teddy Reed
dd9fa25d78 [Fix #1171, #1089] Add configurable max reads 
There are 3 new options that control how files are read:
--read_max: controls the maximum size, in bytes, for file reads. If a file is larger than `read_max` the read will fail.
--read_user_max: similar to `read_max` but applies additional limitations to user-controlled files.
--read_user_links: a boolean control to enable/disable following symlinks for user-controlled files.

Important highlights:
If files exceed the configured max, those reads will fail.
The `read_max` will override `read_user_max` if it is set lower.
A default integer value of `0` will disable the limitations.

The default `read_max` is set to 50M and the default `read_user_max` is 10M.
 2015-07-06 00:49:43 -07:00
Ryan Steinmetz
6f6bd8cabc - Fix build under FreeBSD 2015-07-03 19:47:47 -04:00
Teddy Reed
79de0a5def [#1277] Forward status logs to osqueryd workers 
If watcher processes generate warning or error status logs they
will "relay" to the worker processes upon successful sanity check.
 2015-07-01 15:26:26 -07:00
Teddy Reed
e7ed68e187 [Fix #1198] Faster death/timeout checks in extensions tests 2015-06-25 02:53:53 -07:00
Teddy Reed
040d9d5fd1 Merge pull request #1216 from sharvilshah/osx_mount_events 
[Implement #1103] DMG Mount Events
 2015-06-22 12:38:32 -07:00
Sharvil Shah
f676ba7642 Implements disk_events and the related publisher and subscriber. 
We now have a Publisher to report on disk events and its metadata,
using the DiskArbitration framework on OS X. Currently disk appearance
and disappearance events are published for both physical and
virtual disks (DMG files). On an event trigger, disk properties are
parsed and that metadata is reported along with the action.

The Subscriber subscribes to virtual disk events currently.

This closes #1103.
 2015-06-22 11:09:18 -07:00
Teddy Reed
37188f788b Fixups in tables, add DOUBLE, shell extensions 2015-06-22 04:17:23 -04:00
Teddy Reed
e7ab2fc47b Limit scope of git/tag version defines. 
Harden plist parsing against internal fuzzing tests.
Improve file/stream read speeds.
 2015-06-12 10:10:20 -07:00
Teddy Reed
d143b22cfa [Fix #1202] Replace argv[*] with spaces, fallback to path in [0] 2015-06-11 20:58:17 -07:00
Teddy Reed
727f5b091f Various table perf improvements and TLS docs 2015-06-05 22:03:15 -07:00
Teddy Reed
1168b6ef3b Fix the watchdog/scheduler limit tracking 2015-06-04 17:43:37 -07:00
Teddy Reed
e244883ea4 [#1190] Schedule queries without logging removed results 2015-06-04 13:53:55 -07:00
Teddy Reed
c934ad0df3 Update tooling/profiling paths 2015-06-03 21:22:12 -07:00
Teddy Reed
33f53809ad Fix DBHandle checking with concurrent processes. 
`make tests` fails with another osquery process running.
The backing-store check happens after a config plugin is setUp and
the initial load occures. This may involve calls to cached keys, the
check should occur pre-config initialize.
 2015-06-02 02:50:04 -07:00
Michael O'Farrell
77aa36fa0b Constraint existence now check for constraints using specific operator types. 
This change allows QueryContext constraints to be checked for based on
operator type.  This makes checks for the existence of an equality
operator allow enumeration.

Example:
  if (context.constraints["pid"].exists(EQUALS)) {
    pids = context.constraints["pid"].getAll(EQUALS);
  } else {
    osquery::procProcesses(pids);
  }
 2015-05-29 13:47:04 -07:00
Mark Ignacio
84f8203dfd Converted CFAbsoluteTime in X509 certificates to UNIX time 2015-05-27 15:23:46 -07:00
Teddy Reed
8b3686a58a TLS plugin workflow tests 2015-05-26 19:55:00 -07:00
Teddy Reed
5e8c9b66d4 Merge pull request #1153 from theopolis/cleans 
Detect TLS version from OpenSSL/CMake FIND_LIBRARY
 2015-05-23 13:57:23 -07:00
Teddy Reed
4a6c002f62 Allow unit tests execs from project root 2015-05-23 13:12:31 -07:00
Teddy Reed
5969ae4fbf Clean up TLS-version from OpenSSL detection 2015-05-23 13:04:36 -07:00
Teddy Reed
700384dedc Minify tables namespace, extra CMake macros 2015-05-22 10:29:04 -07:00
Mike Arpaia
fff36af0af Removing trailing whitespace 2015-05-11 23:31:13 -07:00
Teddy Reed
771ed4da2f [Fix #1125 #1126] Flag padding checks, config_check tests 2015-05-11 10:37:16 -07:00
Teddy Reed
a7daa0ace5 Apply a safe permissions check to worker 2015-05-07 00:19:10 -07:00
Teddy Reed
23933cefe8 Harden extensions/dispatcher tests 2015-05-05 23:34:10 -07:00
Teddy Reed
cdb112eccb Add a CMake variable for packages 2015-05-04 17:09:09 -07:00
Teddy Reed
d6eb63ae2f Merge pull request #1097 from theopolis/intel_perf_limits 
Limit memory checks to worker allocations
 2015-05-04 12:14:43 -07:00
Teddy Reed
5b60eb9fb8 Limit memory checks to worker allocations 2015-05-04 11:30:25 -07:00
Teddy Reed
893f678403 Linting and asan fixups 2015-05-04 11:00:21 -07:00
Teddy Reed
c63bf0451a Various exception hardening 2015-05-03 14:18:20 -07:00
Teddy Reed
e01a73b4f3 Schedule monitoring, doc updates, logger plugin fixes 2015-05-03 11:54:15 -07:00
Sharvil Shah
2735e731de Implement --disable_tables runtime flag 2015-04-30 01:41:01 -07:00
Teddy Reed
b66a350526 Allow snapshot scheduled items 2015-04-29 15:55:00 -07:00
Teddy Reed
d0bbb0bc4f Towards safer and shuffled unittests 2015-04-29 14:43:27 -07:00
Teddy Reed
2c5cbdee63 Various shell fixups 2015-04-27 16:40:05 -07:00
Teddy Reed
be65922569 Fast tests 2015-04-27 09:40:31 -07:00
Teddy Reed
b90aeab2fe Fix dameon flags loading from options 2015-04-24 11:37:51 -07:00
Javier Marcos
ddb41ae84a Adding tests to the prototocols table 2015-04-22 17:49:27 -07:00
Teddy Reed
c59ce0e4e4 Lint fixes and clang analyze 2015-04-17 09:18:46 -07:00
Mike Arpaia
c37be342ec updating wiki link to read the docs 2015-04-15 01:02:58 -07:00
Teddy Reed
e1f0106710 Various fixes, checks 2015-04-11 15:57:12 -07:00
Mike Arpaia
5cebb95134 Merge pull request #979 from theopolis/fast_shell_query 
Skip event publishers when a single query is used
 2015-04-10 23:03:51 -07:00
Teddy Reed
aaecffa096 Skip event publishers when a single query is used 2015-04-10 17:37:49 -07:00
Mitchell Grenier
41283223af Better extended attributes 
For the second time in a couple of weeks, I've rewritten the xattr table into
a new extended_attributes table.

If we find an attribute that we don't have a parser for, we will check if it
contains non printable characters. If it does, we'll base64 it. If it doesn't,
we will just output the unencoded string.
 2015-04-10 13:17:22 -07:00
Sharvil Shah
e7a3d24ece Fix etc_hosts hostname parsing so that inline comments are now ignored; update tests 2015-04-06 23:32:56 -07:00
Mike Arpaia
91e70d1df3 Merge pull request #928 from theopolis/config_check_pp 
[#915] Skip daemon initialization if checking config
 2015-04-04 00:12:12 -07:00
Teddy Reed
2b20d3dde0 Merge yara subscribers 2015-04-03 00:48:13 -07:00
Teddy Reed
6dd92bd051 [#915] Skip daemon initialization if checking config 2015-04-02 13:31:51 -07:00
Teddy Reed
38bfed3414 Remove libprocps(ng) in favor of parsing proc manually 2015-03-27 12:37:16 -07:00
Teddy Reed
14a09cc6f2 Change schedule to a map, splay on config update 2015-03-24 16:28:49 -07:00
Teddy Reed
79ddc5ba38 Remove unused shell functions 2015-03-19 16:14:29 -07:00
Teddy Reed
afd11fe1f3 Set osquery_extensions for worker child 2015-03-17 10:36:19 -07:00
Teddy Reed
1a0334ec9a Use a .load file instead of delimited dirs 2015-03-17 10:11:43 -07:00
Teddy Reed
dd354c279d Merge pull request #854 from theopolis/osqueryi_tmp 
[Fix #852] Use a user-specific temporary dir for shell state
 2015-03-16 10:51:38 -07:00
Teddy Reed
8b990c546d [Fix #852] Use a user-specific temporary dir for shell state 2015-03-16 09:29:50 -07:00
Teddy Reed
4440b2f791 Renamed osx_version to os_version, include Linux versions 2015-03-15 16:07:49 -07:00
Teddy Reed
1170887d56 Improve extensions integration testing 2015-03-13 18:33:55 -07:00
Teddy Reed
fe0f369af0 Extension-dependent config/logger plugins 2015-03-13 12:01:30 -07:00
Teddy Reed
90b7f0a986 Merge pull request #836 from theopolis/active_plugins 
Move logger/config to use Registry getActive
 2015-03-10 16:04:40 -07:00
Teddy Reed
6a81cec937 Organize kernel_extensions to add signatures 2015-03-09 11:43:06 -07:00
Teddy Reed
6e7f3dbbbd Move logger/config to use Registry getActive 2015-03-08 14:52:13 -07:00
Teddy Reed
95a9716e02 Remove shell tools from daemon 2015-03-04 23:21:16 -08:00
Teddy Reed
0673900837 Registry modules 2015-03-04 20:33:10 -08:00
Teddy Reed
99beceaef6 Switch lazy=active concept for registry setup 2015-03-04 18:51:41 -08:00
Teddy Reed
8efa07e520 Watcher process will fail if DB path is incorrect 2015-03-04 18:51:41 -08:00
Teddy Reed
3c02806cd8 Extensions autoloading prequel 2015-03-04 18:51:41 -08:00
Mitchell Grenier
3d27fff697 Merge pull request #784 from jedi22/directory_monitoring 
Adding ability to monitor whole folders
 2015-03-02 17:21:24 -08:00
Mitchell Grenier
544615ef57 Bug fix for REC_LIST_FOLDERS 
Fixed a bug where when using REC_LIST_FOLDERS, the root resolution directory
would not be returned.
 2015-03-01 18:26:37 -08:00
Teddy Reed
9031bad609 Extensions helpers, API additions 
Use --socket for extensions, limit help
Add an 'active' concept to registries, support a blank item call
Add osquery_registry to list the internal/external plugin details
 2015-02-25 01:02:05 -07:00
Mike Arpaia
503cf32522 Merge pull request #794 from marpaia/fix-785 
Adding warning text if the system is not configured
 2015-02-24 13:27:16 -08:00
mike@arpaia.co
5a5ec45bbb Adding warning text if the system is not configured 
See #785 for context. If you don't have a properly configured system,
osqueryd will print a convenient warning with instructions.
 2015-02-24 13:19:37 -08:00
Teddy Reed
925deb8e74 [lints] Basic cpp linting 2015-02-24 03:47:12 -08:00
Teddy Reed
f173fb6e0a Working on sync using new non-macro decisions 2015-02-23 23:15:04 -08:00
Teddy Reed
ace433e49d Allow external calls from within registry 2015-02-23 21:35:54 -08:00
Teddy Reed
a29addba61 Extensions integrations testing 2015-02-22 22:56:18 -07:00
Teddy Reed
0f3adbbe24 Merge pull request #781 from theopolis/watcher_full_path 
Use full path for exec in watcher
 2015-02-19 17:02:46 -08:00
Teddy Reed
fa8dbf2b7f Use full path for exec in watcher 2015-02-19 16:00:12 -08:00
Teddy Reed
451ef686ed Building example extension with SDK 2015-02-18 20:11:00 -08:00
Teddy Reed
1f8dacec3c Add flag aliasing, logger/flag tests 2015-02-17 16:26:14 -08:00
Teddy Reed
6f155d63c5 Improve flag storage and printing 2015-02-16 16:26:06 -08:00
Teddy Reed
6994361f26 Improved logging control 2015-02-16 14:42:22 -08:00
Teddy Reed
3c36c4196b Merge pull request #731 from jedi22/wildcard_events 
Added parsing of extra data along with its addition to the osqueryconfig structure
 2015-02-15 19:16:54 -08:00
Teddy Reed
95dd2a808f Merge pull request #762 from theopolis/startup_items 
[Fix #758] Parse startup_items Alias data
 2015-02-15 16:33:39 -08:00
Teddy Reed
1ea06a9d15 [Fix #758] Parse startup_items Alias data 2015-02-13 17:40:02 -08:00
Mitchell Grenier
de5ac74fab All changes addressed 2015-02-13 16:52:11 -08:00
Zachary Wasserman
79034111a5 POC for client side of distributed queries. 
This introduces the notion of a DistributedQueryHandler that uses a "provider" to read/write requests and results to and from the master. The full flow is exercised via integration tests, and unit tests for each component.

It is intended to foster discussion around this client side interface, as well as provide a base to build from.
 2015-02-13 13:01:02 -08:00
Mitchell Grenier
54ef2045e5 Made config a meyers singleton. Load should now only ever have to happen once 2015-02-13 12:32:54 -08:00
Teddy Reed
9eeda1f02c Safer compile flags 2015-02-11 10:45:04 -08:00
Teddy Reed
d2b18c05c9 Add watcher profiles 2015-02-09 12:38:50 -08:00
Teddy Reed
19998a001a Harden watcher for more perf, use exec and watch from worker 2015-02-08 00:06:44 -07:00
Teddy Reed
993e2c4577 Changes to flags, extensions now loaded with shell/daemon 2015-02-06 09:40:49 -08:00
Teddy Reed
ed9bae29b7 Organizing headers/build for SDK 2015-02-03 14:59:32 -08:00
Mitchell Grenier
50eaccc40b Merge pull request #653 from jedi22/osx-xattr 
OS X Where From
 2015-02-03 11:55:35 -08:00
Mitchell Grenier
30e268b22b Can query for where a file came from using the OS X eXtended attributes 2015-02-03 11:34:29 -08:00
Zachary Wasserman
ac53637bcf Add getQueryColumns function to core 
This new getQueryColumns function allows us to determine what columns
will be returned by executing a given query. It is intended to be used
with the distributed query system, to determine a schema for the
results before sending the query.

Tested by unit tests. Also used valgrind and did not find errors that
looked related to this change (though there appear to be many errors
related to glog logging).
 2015-02-02 10:11:00 -08:00
Teddy Reed
5072b40997 Fix missing virtual destructors for event APIs 2015-02-01 04:32:18 -07:00
Teddy Reed
f96b498ae3 Remove EventFactory::deregister... in favor of ::end 2015-02-01 02:20:09 -07:00
Teddy Reed
bd620853aa Verbose log when table row is missing a column 2015-02-01 02:20:09 -07:00
Teddy Reed
d39f1fae95 Minor registry documentation, using macros for create/add 2015-02-01 02:20:09 -07:00
Teddy Reed
ab1cb942a8 Fix typo in passwd subscriber, merge vtable tests 2015-02-01 02:20:09 -07:00
Teddy Reed
ab08bc76a8 Towards a new registry 2015-02-01 02:20:09 -07:00
Teddy Reed
38a757c7f0 Merge pull request #673 from theopolis/fork 
Adding a watcher/worker model for osqueryd
 2015-01-30 19:09:55 -08:00
Zachary Wasserman
5a2296b91b Add useful operator implementations to Status 2015-01-29 17:33:41 -08:00
schettino72
f7357dd4b8 add column info to CREATE VIRTUAL TABLE statement. 2015-01-30 01:08:36 +08:00
schettino72
3a8df753e2 Add unit-test for TablePlugin::statement(). 2015-01-30 01:08:36 +08:00
Mitchell Grenier
0e7bf914a3 Removed 2 lines of code that didn't look like they were doing anything 2015-01-27 17:27:01 -08:00
Teddy Reed
a9ede83446 [FIx #676] Add --force option to osqueryd 2015-01-27 16:00:39 -08:00
Mike Arpaia
db24472539 Update init osquery to not overwrite the logging plugin 2015-01-26 10:44:27 -08:00
Teddy Reed
8fd56417fd Adding a watcher/worker model for osqueryd 2015-01-26 01:22:50 -07:00
Teddy Reed
d912009569 Add unit testing to hashing 2015-01-21 16:24:40 -08:00
Teddy Reed
9c1faec090 Isolate glog include and depend on libglog for #652 2015-01-21 13:37:06 -08:00
Mike Arpaia
778789d74e Merge pull request #648 from marpaia/hash-docs 
hash.h documentation
 2015-01-20 16:04:32 -08:00
mike@arpaia.co
ecfe29282b hash.h documentation 
I added some doxygen docs for hash.h
 2015-01-20 15:36:53 -08:00
mike@arpaia.co
b6eed30688 removing md5.h 2015-01-20 15:07:50 -08:00
Teddy Reed
64d82388e4 Update the md5 hashing callsites 2015-01-20 14:52:07 -08:00
Teddy Reed
11237d2397 Merge pull request #644 from theopolis/md5_macros 
Use API macro for hash algorithms
 2015-01-20 14:33:55 -08:00
Teddy Reed
a2d9236478 Use API macro for hash algorithms 2015-01-20 14:24:49 -08:00
Zachary Wasserman
ee798cdde7 Use sizeof with memcpy and memset 
I'd like to make sure we use expressions of sizeof to relate buffer
sizes to memcpy and memset. This should make modifying the code less
error prone.

Conflicts:
	osquery/tables/system/darwin/nvram.cpp
 2015-01-20 12:36:36 -08:00
Teddy Reed
416198732a Merge pull request #631 from jedi22/sha-hashs 
Added SHA1 and SHA256 in Hash Table
 2015-01-20 11:24:43 -08:00
Mitchell Grenier
8f407a1e8f Moving commits around for efficientcy 2015-01-20 10:49:58 -08:00
Teddy Reed
8475522e76 Remove goto/sprintf from NVRAM parsing 2015-01-19 17:10:40 -08:00
Teddy Reed
09ce5099b2 Merge pull request #632 from theopolis/osx_boot_info 
OSX IOKit registry and ACPI table data
 2015-01-17 17:56:51 -08:00
Mitchell Grenier
c1a1013e5a Minor code changes and namespacing 2015-01-16 12:03:23 -08:00
Teddy Reed
ba716712cf [Fix #630] Clear stacking index plans 2015-01-16 06:47:32 -08:00
Teddy Reed
1df958c583 ACPI tables for OSX 2015-01-15 21:37:02 -08:00
Mitchell Grenier
570c6a32f3 Moved hashing functions into core. #include<osquery/hash.h> 2015-01-15 17:16:05 -08:00
Teddy Reed
663e481d9e [Fix #620] Add query plan estimates bias toward constraints 2015-01-13 21:17:15 -08:00
Teddy Reed
376a438516 Moving splay to scheduler and adding config logging 2015-01-12 12:53:05 -08:00
Teddy Reed
84ef94ce9d Testing for table query constraints 2015-01-12 12:52:29 -08:00
Teddy Reed
2ad15763e2 Provide example config, improve pid check 2015-01-07 15:22:50 -08:00
Teddy Reed
9b0adcc47f [Fix #560] Improve config tests 2015-01-01 22:05:03 -08:00
Theodore M. Reed
53d683a3b3 Remove tables dependency from CMake build 2014-12-23 14:37:07 -08:00
mike@arpaia.co
b9f732c31f Updating the license comment to be the correct open source header 
As per t5494224, all of the license headers in osquery needed to be updated
to reflect the correct open source header style.
 2014-12-18 10:52:55 -08:00
Teddy Reed
6a6851c4bc Merge pull request #544 from theopolis/events_2.0 
Events 2.0
 2014-12-17 20:17:02 -08:00
Teddy Reed
7602d17de9 Move base64Decode from ca_certs testing to conversions 2014-12-17 14:03:52 -08:00
Teddy Reed
fefe6de824 OSX XProtect siganture DB as virtual table 2014-12-16 21:35:26 -08:00
Teddy Reed
30a27798d5 osqueryd should announce to syslog when starting 2014-12-16 12:04:43 -08:00
Teddy Reed
d5c5253bbc Add osquery_flags vtable 2014-12-16 02:07:50 -08:00
Teddy Reed
6de14466db Events 2.0 using pbr 2014-12-15 11:55:05 -08:00
Teddy Reed
7b56fa605d PCI/USB parity 2014-12-10 19:51:18 -08:00
Teddy Reed
b08ad3cb14 Check USB property for CFString type 2014-12-10 09:12:12 -08:00
Teddy Reed
4644c5e19b Simple usb_devices updates 2014-12-10 01:52:02 -08:00
Teddy Reed
0b5083bd0e Improve usb_devices on OSX 2014-12-10 01:17:24 -08:00
mike@arpaia.co
0846b6ddd5 Fixing pidfile creation bug 
If osqueryd was killed and another process was started with osqueryd's
old pid before a new osqueryd could start, osqueryd would encounter a
bug where osqueryd would never start.

This executes an osquery query to the processes table to make sure that
the name of the process is "osqueryd". Of course, you could perhaps
denial of service osqueryd this way, but that would require root
filesystem access (assuming that the last version of osqueryd was
ran as root). Thoughts?
 2014-12-08 23:52:38 -08:00
Teddy Reed
7c738c8497 Codemod to improve include search paths 2014-12-03 15:14:02 -08:00