mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-08 02:18:53 +00:00
256 lines
7.5 KiB
C++
256 lines
7.5 KiB
C++
// Copyright 2004-present Facebook. All Rights Reserved.
|
|
|
|
#include <boost/lexical_cast.hpp>
|
|
|
|
#include <glog/logging.h>
|
|
|
|
#include "osquery/core/conversions.h"
|
|
#include "osquery/events.h"
|
|
#include "osquery/dispatcher.h"
|
|
|
|
namespace osquery {
|
|
|
|
const std::vector<size_t> kEventTimeLists = {1 * 60, // 1 minute
|
|
1 * 60 * 60, // 1 hour
|
|
12 * 60 * 60, // half-day
|
|
};
|
|
|
|
void EventType::fire(const EventContextRef ec, EventTime event_time) {
|
|
EventContextID ec_id;
|
|
|
|
{
|
|
boost::lock_guard<boost::mutex> lock(ec_id_lock_);
|
|
ec_id = next_ec_id_++;
|
|
}
|
|
|
|
for (const auto& monitor : monitors_) {
|
|
auto callback = monitor->callback;
|
|
if (shouldFire(monitor->context, ec) && callback != nullptr) {
|
|
callback(ec_id, event_time, ec);
|
|
}
|
|
}
|
|
}
|
|
|
|
bool EventType::shouldFire(const MonitorContextRef mc,
|
|
const EventContextRef ec) {
|
|
return true;
|
|
}
|
|
|
|
Status EventType::run() {
|
|
// Runloops/entrypoints are ONLY implemented if needed.
|
|
return Status(1, "No runloop required");
|
|
}
|
|
|
|
Status EventModule::recordEvent(EventID eid, int event_time) {
|
|
Status status;
|
|
auto db = DBHandle::getInstance();
|
|
std::string time_value = boost::lexical_cast<std::string>(event_time);
|
|
|
|
// The record is identified by the event type then module name.
|
|
std::string record_key = "records." + type() + "." + name();
|
|
// The list key includes the list type (bin size) and the list ID (bin).
|
|
std::string list_key;
|
|
std::string list_id;
|
|
// This is an append operation, the record value is tokenized with this event.
|
|
std::string record_value;
|
|
|
|
for (auto time_list : kEventTimeLists) {
|
|
// The list_id is the MOST-Specific key ID, the bin for this list.
|
|
// If the event time was 13 and the time_list is 5 seconds, lid = 2.
|
|
list_id = boost::lexical_cast<std::string>(event_time % time_list);
|
|
// The list name identifies the 'type' of list.
|
|
list_key = boost::lexical_cast<std::string>(time_list);
|
|
list_key = record_key + "." + list_key + "." + list_id;
|
|
|
|
{
|
|
boost::lock_guard<boost::mutex> lock(event_record_lock_);
|
|
// Append the record (eid, unix_time) to the list bin.
|
|
status = db->Get(kEvents, list_key, record_value);
|
|
|
|
if (record_value.length() == 0) {
|
|
record_value = eid + ":" + time_value;
|
|
} else {
|
|
// Tokenize a record using ',' and the EID/time using ':'.
|
|
record_value += "," + eid + ":" + time_value;
|
|
}
|
|
status = db->Put(kEvents, list_key, record_value);
|
|
if (!status.ok()) {
|
|
LOG(ERROR) << "Could not put Event Record key: " << list_key;
|
|
}
|
|
}
|
|
}
|
|
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
EventID EventModule::getEventID() {
|
|
Status status;
|
|
auto db = DBHandle::getInstance();
|
|
// First get an event ID from the meta key.
|
|
std::string eid_key = "eid." + type() + "." + name();
|
|
std::string last_eid_value;
|
|
std::string eid_value;
|
|
|
|
{
|
|
boost::lock_guard<boost::mutex> lock(event_id_lock_);
|
|
status = db->Get(kEvents, eid_key, last_eid_value);
|
|
if (!status.ok()) {
|
|
last_eid_value = "0";
|
|
}
|
|
|
|
size_t eid = boost::lexical_cast<size_t>(last_eid_value) + 1;
|
|
eid_value = boost::lexical_cast<std::string>(eid);
|
|
status = db->Put(kEvents, eid_key, eid_value);
|
|
}
|
|
|
|
if (!status.ok()) {
|
|
return "0";
|
|
}
|
|
|
|
return eid_value;
|
|
}
|
|
|
|
Status EventModule::Add(const osquery::Row& r, int event_time) {
|
|
Status status;
|
|
auto db = DBHandle::getInstance();
|
|
|
|
// Get and increment the EID for this module.
|
|
EventID eid = getEventID();
|
|
|
|
std::string event_key = "data." + type() + "." + name() + "." + eid;
|
|
std::string data;
|
|
|
|
status = osquery::serializeRowJSON(r, data);
|
|
if (!status.ok()) {
|
|
printf("could not serialize json\n");
|
|
return status;
|
|
}
|
|
|
|
// Store the event data.
|
|
status = db->Put(kEvents, event_key, data);
|
|
// Record the event in the indexing bins.
|
|
recordEvent(eid, event_time);
|
|
return status;
|
|
}
|
|
|
|
void EventFactory::delay() {
|
|
auto ef = EventFactory::get();
|
|
for (const auto& eventtype : EventFactory::get()->event_types_) {
|
|
auto type_id = eventtype.first;
|
|
ef->threads_.push_back(new boost::thread(EventFactory::run, type_id));
|
|
}
|
|
}
|
|
|
|
Status EventFactory::run(EventTypeID type_id) {
|
|
// An interesting take on an event dispatched entrypoint.
|
|
// There is little introspection into the event type.
|
|
// Assume it can either make use of an entrypoint poller/selector or
|
|
// take care of async callback registrations in setUp/configure/run
|
|
// only once and handle event queueing/firing in callbacks.
|
|
auto event_type = EventFactory::get()->getEventType(type_id);
|
|
if (event_type == nullptr) {
|
|
return Status(1, "No Event Type");
|
|
}
|
|
|
|
Status status = Status(0, "OK");
|
|
while (!EventFactory::get()->ending_ && status.ok()) {
|
|
// Can optionally implement a global cooloff latency here.
|
|
status = event_type->run();
|
|
}
|
|
|
|
// The runloop status is not reflective of the event type's.
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
void EventFactory::end() {
|
|
EventFactory::get()->ending_ = true;
|
|
// Join on the thread group.
|
|
}
|
|
|
|
// There's no reason for the event factory to keep multiple instances.
|
|
boost::shared_ptr<EventFactory> EventFactory::get() {
|
|
static auto q = boost::shared_ptr<EventFactory>(new EventFactory());
|
|
return q;
|
|
}
|
|
|
|
Status EventFactory::registerEventType(const EventTypeRef event_type) {
|
|
EventTypeID type_id = event_type->type();
|
|
auto ef = EventFactory::get();
|
|
|
|
if (ef->getEventType(type_id) != nullptr) {
|
|
// This is a duplicate type id?
|
|
return Status(1, "Duplicate Event Type");
|
|
}
|
|
|
|
ef->event_types_[type_id] = event_type;
|
|
event_type->setUp();
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
Status EventFactory::addMonitor(EventTypeID type_id, const MonitorRef monitor) {
|
|
auto event_type = EventFactory::get()->getEventType(type_id);
|
|
if (event_type == nullptr) {
|
|
// Cannot create a Monitor for a missing type_id.
|
|
return Status(1, "No Event Type");
|
|
}
|
|
|
|
Status status;
|
|
|
|
// The event factory is responsible for configuring the event types.
|
|
status = event_type->addMonitor(monitor);
|
|
event_type->configure();
|
|
return status;
|
|
}
|
|
|
|
Status EventFactory::addMonitor(EventTypeID type_id,
|
|
const MonitorContextRef mc,
|
|
EventCallback callback) {
|
|
auto monitor = Monitor::create(mc, callback);
|
|
return EventFactory::addMonitor(type_id, monitor);
|
|
}
|
|
|
|
size_t EventFactory::numMonitors(EventTypeID type_id) {
|
|
const auto& event_type = EventFactory::get()->getEventType(type_id);
|
|
if (event_type != nullptr) {
|
|
return event_type->numMonitors();
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
boost::shared_ptr<EventType> EventFactory::getEventType(EventTypeID type_id) {
|
|
const auto& ef = EventFactory::get();
|
|
const auto& it = ef->event_types_.find(type_id);
|
|
if (it != ef->event_types_.end()) {
|
|
return ef->event_types_[type_id];
|
|
}
|
|
return nullptr;
|
|
}
|
|
|
|
Status EventFactory::deregisterEventType(const EventTypeRef event_type) {
|
|
return EventFactory::deregisterEventType(event_type->type());
|
|
}
|
|
|
|
Status EventFactory::deregisterEventType(EventTypeID type_id) {
|
|
auto ef = EventFactory::get();
|
|
const auto& it = ef->event_types_.find(type_id);
|
|
if (it == ef->event_types_.end()) {
|
|
return Status(1, "No Event Type registered");
|
|
}
|
|
|
|
ef->event_types_[type_id]->tearDown();
|
|
ef->event_types_.erase(it);
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
Status EventFactory::deregisterEventTypes() {
|
|
auto ef = EventFactory::get();
|
|
auto it = ef->event_types_.begin();
|
|
for (; it != ef->event_types_.end(); it++) {
|
|
it->second->tearDown();
|
|
}
|
|
|
|
ef->event_types_.erase(ef->event_types_.begin(), ef->event_types_.end());
|
|
return Status(0, "OK");
|
|
}
|
|
}
|