valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-06 09:35:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
SQL powered operating system instrumentation, monitoring, and analytics.
4,878 Commits 2 Branches 109 Tags 25 MiB
C++ 64.1%
C 23.3%
CMake 7.7%
Python 2.3%
Objective-C++ 1.6%
Other 0.9%
1621213813
Go to file
Alexandru Stefanica 1621213813 fix magic table (#5438) 
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5438

currently the magic table is broken. libmagic which is used to generate this information needs a database/configuration file that it usually auto-finds.
Our libmagic library tries to open the following file ```open("/usr/local/osquery/Cellar/libmagic/5.32_200/share/misc/magic.mgc", O_RDONLY) = -1 ENOENT (No such file or directory)``` (you can generate  this by using strace like ```trace -q -e trace=open ./buck-out/debug/gen/xplat/osquery/oss/osquery/osqueryd#gcc-5-glibc-2.23-clang -verbose -S "select * from magic where path = '/etc/passwd'"```).
How it auto-finds it I don't know 100%, but I guess it has something to with how the libmagic.so is actually build and installed. Basically this never works unless you are a developer on mac and used our previous build system.

I've updated the table to be able to specify the path to magic database file. If you don't specify it, I tried to check if one of the default files (files that should be present under /usr/share/ exists and use the first found). If all fail, I try the default one, but that most likely will fail.

Reviewed By: guliashvili

Differential Revision: D14066467

fbshipit-source-id: d9d2aca4829b2275e6792f974de1f2a7808dc321
2019-02-13 13:58:52 -08:00
.github Add task issue template (#4901) 2018-08-13 17:13:37 +01:00
docs Remove unused flag enable_monitor 2019-02-07 08:16:00 -08:00
mode use new vs toolchain flag file (#5406) 2019-01-31 03:32:32 -08:00
osquery fix magic table (#5438) 2019-02-13 13:58:52 -08:00
packs detects when a proc is tapping keyboard event (#5345) 2019-01-15 06:43:32 -08:00
sdk prototype of osquery/plugin_sdk 2019-02-11 02:33:20 -08:00
specs fix magic table (#5438) 2019-02-13 13:58:52 -08:00
tests Use SQLITE_CONSTRAINT when required constraint does not exist (#5422) 2019-02-07 03:14:38 -08:00
third-party fixed last gtest direct dependency 2019-02-05 03:18:49 -08:00
tools Do not mess with namaspace which comes from thirdparty library (rapidjson) (#5424) 2019-02-11 02:33:19 -08:00
.buckconfig Move build system to BUCK 2018-12-07 16:12:35 +00:00
.clang-format format: Remove Cpp restriction (#3521) 2017-08-02 10:32:12 -07:00
.gitignore ux: adding generated buck config to .gitignore (#5423) 2019-02-07 09:17:23 -08:00
.travis.yml Enable TravisCI for macOS (#5352) 2019-01-15 06:12:25 -08:00
.watchmanconfig watcher: Do not initialize the config in watcher (#3403) 2017-06-13 17:26:34 -07:00
BUILD.md Adding testing and fix build instructions on BUILD.md (#5362) 2019-01-17 06:56:18 -08:00
CODE_OF_CONDUCT.md docs: Move code of conduct to its own file (#4751) 2018-07-25 08:39:01 -07:00
CONTRIBUTING.md Cleanup grammar, acronyms in CONTRIBUTING (#5432) 2019-02-12 06:04:01 -08:00
Doxyfile Add clang-format rules from 3.6 (#2360) 2016-08-15 01:33:17 -07:00
LICENSE Clarify licensing (#4792) 2018-08-02 19:26:40 +01:00
LICENSE-Apache-2.0 Clarify licensing (#4792) 2018-08-02 19:26:40 +01:00
LICENSE-GPL-2.0 Clarify licensing (#4792) 2018-08-02 19:26:40 +01:00
Makefile Move build system to BUCK 2018-12-07 16:12:35 +00:00
mkdocs.yml Removing macOS kernel module (#4572) 2018-06-17 19:21:07 +01:00
README.md typo fix, one other wording tweak/update in README.md (#5321) 2018-12-13 05:17:41 -08:00
SECURITY.md security: Update SECURITY.md with recent merges (#3787) 2017-10-04 17:28:06 -07:00
SUPPORT.md Improve SUPPORT.md (#4835) 2018-08-08 12:18:57 +01:00
Vagrantfile Move build system to BUCK 2018-12-07 16:12:35 +00:00

README.md

osquery

osquery logo

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.
Available for Linux, macOS, Windows and FreeBSD.

What is osquery?

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

List the users:

SELECT * FROM users;

Check the processes that have a deleted executable:

SELECT * FROM processes WHERE on_disk = 0;

Get the process name, port, and PID, for processes listening on all interfaces:

SELECT DISTINCT processes.name, listening_ports.port, processes.pid
  FROM listening_ports JOIN processes USING (pid)
  WHERE listening_ports.address = '0.0.0.0';

Find every macOS LaunchDaemon that launches an executable and keeps it running:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != '');

Check for ARP anomalies from the host's perspective:

SELECT address, mac, COUNT(mac) AS mac_count
  FROM arp_cache GROUP BY mac
  HAVING count(mac) > 1;

Alternatively, you could also use a SQL sub-query to accomplish the same result:

SELECT address, mac, mac_count
  FROM
    (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
  WHERE mac_count > 1;

These queries can be:

  • performed on an ad-hoc basis to explore operating system state using the osqueryi shell
  • executed via a scheduler to monitor operating system state across a set of hosts
  • launched from custom applications using osquery Thrift APIs

Download & Install

To download the latest stable builds and for repository information and installation instructions visit https://osquery.io/downloads.

Build from source

Building osquery from source is encouraged! Check out our contributing guide and join the community on Slack.

License

By contributing to osquery you agree that your contributions will be licensed as defined on the LICENSE file.

Vulnerabilities

We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into SECURITY.md too.

Facebook has a bug bounty program that includes osquery. If you find a security vulnerability in osquery, please submit it via the process outlined on that page and do not file a public issue. For more information on finding vulnerabilities in osquery, see our blog post Bug Hunting osquery.

Learn more

If you're interested in learning more about osquery read the launch blog post for background on the project, visit the users guide.

Development and usage discussion is happening in the osquery Slack, grab an invite automatically here!