mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-08 18:33:54 +00:00
80 lines
2.3 KiB
C++
80 lines
2.3 KiB
C++
/*
|
|
* Copyright (c) 2014, Facebook, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This source code is licensed under the BSD-style license found in the
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
*
|
|
*/
|
|
|
|
#include <boost/algorithm/string/split.hpp>
|
|
|
|
#include <osquery/core.h>
|
|
#include <osquery/filesystem.h>
|
|
#include <osquery/hash.h>
|
|
#include <osquery/logger.h>
|
|
#include <osquery/tables.h>
|
|
|
|
namespace osquery {
|
|
namespace tables {
|
|
|
|
const std::string kKernelArgumentsPath = "/proc/cmdline";
|
|
const std::string kKernelSignaturePath = "/proc/version";
|
|
|
|
QueryData genKernelInfo(QueryContext& context) {
|
|
QueryData results;
|
|
Row r;
|
|
|
|
if (pathExists(kKernelArgumentsPath).ok()) {
|
|
std::string arguments_line;
|
|
// Grab the whole arguments string from proc.
|
|
if (readFile(kKernelArgumentsPath, arguments_line).ok()) {
|
|
auto arguments = split(arguments_line, " ");
|
|
std::string additional_arguments;
|
|
|
|
// Iterate over each space-tokenized argument.
|
|
for (const auto& argument : arguments) {
|
|
if (argument.substr(0, 11) == "BOOT_IMAGE=") {
|
|
r["path"] = argument.substr(11);
|
|
} else if (argument.substr(0, 5) == "root=") {
|
|
r["device"] = argument.substr(5);
|
|
} else {
|
|
if (additional_arguments.size() > 0) {
|
|
additional_arguments += " ";
|
|
}
|
|
additional_arguments += argument;
|
|
}
|
|
}
|
|
r["arguments"] = additional_arguments;
|
|
}
|
|
} else {
|
|
VLOG(1) << "Cannot find kernel arguments file: " << kKernelArgumentsPath;
|
|
}
|
|
|
|
if (pathExists(kKernelSignaturePath).ok()) {
|
|
std::string signature;
|
|
|
|
// The signature includes the kernel version, build data, buildhost,
|
|
// GCC version used, and possibly build date.
|
|
if (readFile(kKernelSignaturePath, signature).ok()) {
|
|
auto details = split(signature, " ");
|
|
if (details.size() > 2 && details[1] == "version") {
|
|
r["version"] = details[2];
|
|
}
|
|
}
|
|
} else {
|
|
VLOG(1) << "Cannot find kernel signature file: " << kKernelSignaturePath;
|
|
}
|
|
|
|
// Using the path of the boot image, attempt to calculate a hash.
|
|
if (r.count("path") > 0) {
|
|
r["md5"] = hashFromFile(HASH_TYPE_MD5, r.at("path"));
|
|
}
|
|
|
|
results.push_back(r);
|
|
return results;
|
|
}
|
|
}
|
|
}
|