osquery-1/include/osquery/packs.h
Teddy Reed b81b6de6ae This refactors a bit of config/packs and adds a socket_events table to Linux.
The refactor of config/packs was initiated because event subscribers needed
a method for toggling `::init` based on some configurable option. In the case
of auditd, turning on the support with `--disable_audit=false` used to start
auditing the EXECVE syscall. It was understood that this would add latency
proportional to the number of processes executing per unit of time.

A new `socket_events` table will do the same but for `bind` and `connect`. These
are less-obvious and for now, require a scan of /proc for socket tuples. In the
future this file descriptor to socket tuple will be faster.
2015-10-27 15:13:02 -07:00


/*
* Copyright (c) 2014, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*
*/
#pragma once
#include <map>
#include <string>
#include <utility>
#include <vector>

#include <boost/property_tree/ptree.hpp>

#include <osquery/database.h>
#include <osquery/status.h>
namespace osquery {
/// Plain counters attached to a Pack and exposed through Pack::getStats().
/// What `total`, `hits` and `misses` count is decided by the Pack
/// implementation rather than this header -- presumably discovery-check
/// outcomes; confirm in packs.cpp. Kept as an aggregate so brace
/// initialization (`PackStats s{1, 2, 3}`) keeps working.
struct PackStats {
  int total;
  int hits;
  int misses;
};
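/**
 * @brief The programmatic representation of a query pack
 *
 * Instantiating a new Pack object parses JSON and may throw a
 * boost::property_tree::json_parser::json_parser_error exception.
 *
 * Both public constructors delegate to initialize(), which reads the pack
 * content from `tree`. Pack content ultimately comes from the osquery
 * config; when that config is fetched from a remote source the tree should
 * be treated as untrusted input, so callers should be prepared for
 * property-tree exceptions during construction and for packs whose
 * platform/version gates fail (see checkPlatform() and checkVersion()).
 */
class Pack {
 public:
  /// Construct a pack with an empty source name; delegates to the 3-arg ctor.
  Pack(const std::string& name, const boost::property_tree::ptree& tree)
      : Pack(name, "", tree) {}

  /// Construct a pack from its name, originating source and parsed content.
  Pack(const std::string& name,
       const std::string& source,
       const boost::property_tree::ptree& tree) {
    initialize(name, source, tree);
  }

  /**
   * @brief (Re)initialize the pack from parsed content
   *
   * Defined out of line (not visible in this header); it is expected to
   * populate the protected members below from `tree`.
   *
   * @param name the pack's name
   * @param source the name of the source the pack originated from
   * @param tree the parsed pack content
   */
  void initialize(const std::string& name,
                  const std::string& source,
                  const boost::property_tree::ptree& tree);

  /**
   * @brief Getter for the pack's discovery queries
   *
   * @return A reference to the pack's discovery queries; an empty vector
   * presumably means the pack defines none
   */
  const std::vector<std::string>& getDiscoveryQueries() const;

  /// Utility for identifying whether or not the pack should be scheduled
  bool shouldPackExecute();

  /// Sets the name of the pack
  void setName(const std::string& name);

  /// Returns the name of the pack
  const std::string& getName() const;

  /// Returns the name of the source from which the pack originated
  const std::string& getSource() const;

  /// Returns the platform that the pack is configured to run on
  const std::string& getPlatform() const;

  /// Returns the minimum version that the pack is configured to run on
  const std::string& getVersion() const;

  /// Returns the schedule dictated by the pack
  const std::map<std::string, ScheduledQuery>& getSchedule() const;

  /// Verify that the platform is compatible
  bool checkPlatform() const;

  /// Verify that a given platform string is compatible
  bool checkPlatform(const std::string& platform) const;

  /// Verify that the version of osquery is compatible
  bool checkVersion() const;

  /// Verify that a given version string is compatible
  bool checkVersion(const std::string& version) const;

  /// Verify that a given discovery query returns the appropriate results
  bool checkDiscovery();

  /// Returns the counters tracked for this pack; see PackStats
  const PackStats& getStats() const;

 protected:
  /// Discovery queries read from the pack content
  std::vector<std::string> discovery_queries_;

  /// Scheduled queries from the pack, keyed by what is assumed to be the
  /// query name -- confirm against initialize()
  std::map<std::string, ScheduledQuery> schedule_;

  /// Platform string the pack is configured for; see getPlatform()
  std::string platform_;

  /// Minimum version string the pack is configured for; see getVersion()
  std::string version_;

  /// Pack name; see getName()/setName()
  std::string name_;

  /// Name of the originating source; see getSource()
  std::string source_;

  /// Whether the pack should run. Defaulted so that a Pack created through
  /// the private default constructor never holds an indeterminate value.
  bool should_execute_{false};

  /// Cache consulted by checkDiscovery(); the (int, bool) pair is presumably
  /// (timestamp, last result) -- confirm against the implementation
  std::pair<int, bool> discovery_cache_{0, false};

  /// Counters exposed through getStats(); zero-initialized rather than left
  /// indeterminate until initialize() runs
  PackStats stats_{};

 private:
  /**
   * @brief Private default constructor
   *
   * Initialization must include pack content
   */
  Pack() = default;
};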
}