kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

- Update to 1.4.7

Browse source
This commit is contained in:
Ryan Steinmetz 2015-07-03 23:50:09 +00:00
parent d20f31f9ee
commit 70736607c5
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=391287
65 changed files with 37 additions and 3042 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
sysutils/osquery/Makefile
View file

@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= osquery
PORTVERSION= 1.4.5
PORTREVISION= 2
PORTVERSION= 1.4.7
CATEGORIES= sysutils
MAINTAINER= zi@FreeBSD.org
@ -30,7 +29,8 @@ LIB_DEPENDS= libboost_regex.so:${PORTSDIR}/devel/boost-libs \
libicuuc.so:${PORTSDIR}/devel/icu
USES= cmake:outsource gmake libtool python:build compiler:c++11-lib
CMAKE_ENV+= OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" SKIP_TESTS="yes"
CMAKE_ENV+= OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" \
SKIP_TESTS="yes" CC="${CC}" CXX="${CXX}"
CMAKE_ARGS+= -DFREEBSD=awesome -DCMAKE_SYSTEM_NAME="FreeBSD"
BLDDIR= ${WRKDIR}/.build/${PORTNAME}
USE_RC_SUBR= ${PORTNAME}d

8
sysutils/osquery/distinfo
View file

@ -1,4 +1,4 @@
SHA256 (facebook-osquery-1.4.5_GH0.tar.gz) = b0812eec4ca53eb6ada4692330caaed00ed1e50ead43b99486b3d15139369738
SIZE (facebook-osquery-1.4.5_GH0.tar.gz) = 412622
SHA256 (osquery-third-party-1.4.5_GH0.tar.gz) = 06897b9ddf637c61f5c9e90f640b9f8c50c124d6276058a71f7d952439c8e58f
SIZE (osquery-third-party-1.4.5_GH0.tar.gz) = 6073986
SHA256 (facebook-osquery-1.4.7_GH0.tar.gz) = da0b648159e8a9677152a2d2b3140d5a61e34b637c408c21462d07629d3b64c2
SIZE (facebook-osquery-1.4.7_GH0.tar.gz) = 459762
SHA256 (osquery-third-party-1.4.7_GH0.tar.gz) = baf57d27ca739d876e8da472c162552c6bb740cf4d723ffab4826a4abee83045
SIZE (osquery-third-party-1.4.7_GH0.tar.gz) = 5509720

164
sysutils/osquery/files/patch-CMakeLists.txt
View file

@ -1,164 +0,0 @@
--- CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ CMakeLists.txt
@@ -1,7 +1,18 @@
cmake_minimum_required(VERSION 2.8.12)
-set(CMAKE_C_COMPILER "clang")
-set(CMAKE_CXX_COMPILER "clang++")
+#if(NOT DEFINED ENV{CC})
+# set(CMAKE_C_COMPILER "clang")
+#else()
+# set(CMAKE_C_COMPILER "$ENV{CC}")
+# message("-- Overriding C compiler from clang to $ENV{CC}")
+#endif()
+#if(NOT DEFINED ENV{CXX})
+# set(CMAKE_CXX_COMPILER "clang++")
+#else()
+# set(CMAKE_CXX_COMPILER "$ENV{CXX}")
+# message("-- Overriding CXX compiler from clang++ to $ENV{CXX}")
+#endif()
+
add_compile_options(
-Wall
-Wextra
@@ -22,6 +33,21 @@ add_compile_options(
)
set(CXX_COMPILE_FLAGS "")
+# Use osquery language to set platform/os
+execute_process(
+ COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+ OUTPUT_VARIABLE PLATFORM
+ OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
+string(REPLACE "." "_" PLATFORM "${PLATFORM}")
+string(TOUPPER "${PLATFORM}" PLATFORM)
+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
+
# Set non-C compile flags and whole-loading linker flags.
# osquery needs ALL symbols in the libraries it includes for relaxed ctors
# late-loading modules and SQLite introspection utilities.
@@ -34,34 +60,21 @@ if(APPLE)
# Special compile flags for Objective-C++
set(OBJCXX_COMPILE_FLAGS
"-x objective-c++ -fobjc-arc -Wno-c++11-extensions -mmacosx-version-min=${APPLE_MIN_ABI}")
-elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
- set(FREEBSD TRUE)
- set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++")
- set(OS_WHOLELINK_PRE "")
- set(OS_WHOLELINK_POST "")
else()
- set(LINUX TRUE)
- # Do not use the shared linker flags for modules.
set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11")
set(OS_WHOLELINK_PRE "-Wl,-whole-archive")
set(OS_WHOLELINK_POST "-Wl,-no-whole-archive")
+ # Set CMAKE variables depending on platform, to know which tables and what
+ # component-specific globbing is needed.
+ if(${OSQUERY_BUILD_PLATFORM} STREQUAL "freebsd")
+ set(FREEBSD TRUE)
+ set(LINUX FALSE)
+ else()
+ set(LINUX TRUE)
+ set(FREEBSD FALSE)
+ endif()
endif()
-# Use osquery language to set platform/os
-execute_process(
- COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
- OUTPUT_VARIABLE PLATFORM
- OUTPUT_STRIP_TRAILING_WHITESPACE
-)
-
-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
-string(REPLACE "." "_" PLATFORM "${PLATFORM}")
-string(TOUPPER "${PLATFORM}" PLATFORM)
-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
-
# RHEL6 uses a different gcc 4.9 runtime
if(${OSQUERY_BUILD_DISTRO} STREQUAL "rhel6")
set(GCC_RUNTIME "/opt/rh/devtoolset-3/root/usr/")
@@ -73,7 +86,7 @@ endif()
if(DEFINED ENV{DEBUG})
set(DEBUG TRUE)
set(CMAKE_BUILD_TYPE "Debug")
- add_compile_options(-g -O0 -pg)
+ add_compile_options(-g -O0)
add_definitions(-DDEBUG)
message("-- Setting DEBUG build")
elseif(DEFINED ENV{SANITIZE})
@@ -116,7 +129,7 @@ endif()
# Finished setting compiler/compiler flags.
project(OSQUERY)
-# Make sure deps were built before compiling (else show warning)
+# Make sure deps were built before compiling (else show warning).
execute_process(
COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" check "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
@@ -126,16 +139,23 @@ execute_process(
)
string(ASCII 27 Esc)
if(OSQUERY_DEPS_CHECK)
- message(WARNING "${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
+ message("-- ${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
endif()
-# Generate version from git
-execute_process(
- COMMAND git describe --tags HEAD --always
- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
- OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
- OUTPUT_STRIP_TRAILING_WHITESPACE
-)
+# Discover build version from an environment variable or from the git checkout.
+if(DEFINED ENV{OSQUERY_BUILD_VERSION})
+ set(OSQUERY_BUILD_VERSION "$ENV{OSQUERY_BUILD_VERSION}")
+else()
+ # Generate version from git
+ execute_process(
+ COMMAND git describe --tags HEAD --always
+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+ OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
+ OUTPUT_STRIP_TRAILING_WHITESPACE
+ )
+endif()
+
+# Discover the SDK version from an environment variable or the build version.
if(DEFINED ENV{SDK_VERSION})
set(OSQUERY_BUILD_SDK_VERSION "${ENV{SDK_VERSION}}")
else()
@@ -164,7 +184,8 @@ elseif(OSQUERY_BUILD_PLATFORM STREQUAL "
elseif(OSQUERY_BUILD_PLATFORM STREQUAL "rhel")
set(RHEL TRUE)
message("-- Building for RHEL")
-elseif(FREEBSD)
+elseif(OSQUERY_BUILD_PLATFORM STREQUAL "freebsd")
+ set(FREEBSD TRUE)
message("-- Building for FreeBSD")
endif()
@@ -233,7 +254,7 @@ add_custom_target(
# make format
add_custom_target(
format
- python "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
+ python2 "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
COMMENT "Formatting code staged code changes with clang-format" VERBATIM
)
@@ -244,4 +265,5 @@ add_custom_target(
"${CMAKE_SOURCE_DIR}/tools/sync.sh" "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
COMMENT "Generating sdk sync: ${CMAKE_BINARY_DIR}/sync"
+ DEPENDS osquery_extensions osquery_amalgamation
)

46
sysutils/osquery/files/patch-CMake_CMakeLibs.cmake
View file

@ -1,46 +0,0 @@
--- CMake/CMakeLibs.cmake.orig 2015-05-05 00:16:41 UTC
+++ CMake/CMakeLibs.cmake
@@ -15,7 +15,7 @@ endmacro(SET_OSQUERY_COMPILE)
macro(ADD_OSQUERY_PYTHON_TEST TEST_NAME SOURCE)
add_test(NAME python_${TEST_NAME}
- COMMAND python "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
+ COMMAND python2 "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/tools/tests/")
endmacro(ADD_OSQUERY_PYTHON_TEST)
@@ -30,7 +30,7 @@ endmacro(ADD_OSQUERY_LINK)
macro(ADD_OSQUERY_LINK_INTERNAL LINK LINK_PATHS LINK_SET)
if(NOT "${LINK}" MATCHES "(^[-/].*)")
- find_library("${LINK}_library" NAMES "lib${LINK}.a" "${LINK}" ${LINK_PATHS})
+ find_library("${LINK}_library" NAMES "${LINK}" "lib${LINK}" ${LINK_PATHS})
message("-- Found library dependency ${${LINK}_library}")
if("${${LINK}_library}" STREQUAL "${${LINK}_library}-NOTFOUND")
string(ASCII 27 Esc)
@@ -105,7 +105,6 @@ endmacro(ADD_OSQUERY_EXTENSION)
macro(ADD_OSQUERY_MODULE TARGET)
add_library(${TARGET} SHARED ${ARGN})
- target_link_libraries(${TARGET} dl)
add_dependencies(${TARGET} libglog libosquery)
if(APPLE)
target_link_libraries(${TARGET} "-undefined dynamic_lookup")
@@ -182,7 +181,7 @@ macro(GENERATE_TABLE TABLE_FILE NAME BAS
GET_GENERATION_DEPS(${BASE_PATH})
add_custom_command(
OUTPUT "${TABLE_FILE_GEN}"
- COMMAND python "${BASE_PATH}/tools/codegen/gentable.py"
+ COMMAND python2 "${BASE_PATH}/tools/codegen/gentable.py"
"${TABLE_FILE}" "${TABLE_FILE_GEN}" "$ENV{DISABLE_BLACKLIST}"
DEPENDS ${TABLE_FILE} ${GENERATION_DEPENDENCIES}
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
@@ -207,7 +206,7 @@ macro(AMALGAMATE BASE_PATH NAME OUTPUT)
# Append all of the code to a single amalgamation.
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/generated/${NAME}_amalgamation.cpp"
- COMMAND python "${BASE_PATH}/tools/codegen/amalgamate.py"
+ COMMAND python2 "${BASE_PATH}/tools/codegen/amalgamate.py"
"${BASE_PATH}/osquery/tables/" "${CMAKE_BINARY_DIR}/generated" "${NAME}"
DEPENDS ${GENERATED_TARGETS} ${GENERATION_DEPENDENCIES}
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"

34
sysutils/osquery/files/patch-CMake_FindGlog.cmake
View file

@ -1,34 +0,0 @@
--- CMake/FindGlog.cmake.orig 2015-05-05 00:16:41 UTC
+++ CMake/FindGlog.cmake
@@ -6,20 +6,6 @@ endif()
set(GLOG_ROOT_DIR "${CMAKE_BINARY_DIR}/third-party/glog")
set(GLOG_SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/glog")
-if(NOT APPLE)
- include(CheckIncludeFiles)
- unset(LIBUNWIND_FOUND CACHE)
- check_include_files("libunwind.h;unwind.h" LIBUNWIND_FOUND)
- if(LIBUNWIND_FOUND)
- unset(libglog_FOUND CACHE)
- execute_process(
- COMMAND rm -rf "${GLOG_ROOT_DIR}" "${CMAKE_BINARY_DIR}/libglog-prefix"
- ERROR_QUIET
- )
- message(WARNING "${Esc}[31mWarning: libunwind headers found [Issue #596], please: make deps\n${Esc}[m")
- endif()
-endif()
-
set(GLOG_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-register -Wno-unnamed-type-template-args -Wno-deprecated -Wno-error")
INCLUDE(ExternalProject)
@@ -31,8 +17,8 @@ ExternalProject_Add(
CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER}
CXXFLAGS=${GLOG_CXX_FLAGS}
--enable-frame-pointers --enable-shared=no --prefix=${GLOG_ROOT_DIR}
- BUILD_COMMAND make
- INSTALL_COMMAND make install
+ BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+ INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install
LOG_CONFIGURE ON
LOG_INSTALL ON
LOG_BUILD ON

53
sysutils/osquery/files/patch-Makefile
View file

@ -1,53 +0,0 @@
--- Makefile.orig 2015-05-05 00:16:41 UTC
+++ Makefile
@@ -1,8 +1,11 @@
PLATFORM := $(shell uname -s)
VERSION := $(shell git describe --tags HEAD --always)
-MAKE = make
+SHELL := $(shell which bash)
-SHELL := /bin/bash
+MAKE = make
+ifeq ($(PLATFORM),FreeBSD)
+ MAKE = gmake
+endif
DISTRO := $(shell . ./tools/lib.sh; _platform)
DISTRO_VERSION := $(shell . ./tools/lib.sh; _distro $(DISTRO))
@@ -16,11 +19,11 @@ DEFINES := CTEST_OUTPUT_ON_FAILURE=1
.PHONY: docs build
all: .setup
- cd build/$(BUILD_DIR) && cmake ../.. && \
+ cd build/$(BUILD_DIR) && cmake ../../ && \
$(DEFINES) $(MAKE) --no-print-directory $(MAKEFLAGS)
docs: .setup
- cd build && cmake .. && \
+ cd build && cmake ../ && \
$(DEFINES) $(MAKE) docs --no-print-directory $(MAKEFLAGS)
debug: .setup
@@ -74,6 +77,10 @@ test_debug_build:
deps: .setup
./tools/provision.sh build build/$(BUILD_DIR)
+clean: .setup
+ cd build/$(BUILD_DIR) && cmake ../../ && \
+ $(DEFINES) $(MAKE) clean --no-print-directory $(MAKEFLAGS)
+
distclean:
rm -rf .sources build/$(BUILD_DIR) build/debug_$(BUILD_DIR) build/docs
ifeq ($(PLATFORM),Linux)
@@ -101,6 +108,10 @@ packages: .setup
cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
$(DEFINES) $(MAKE) packages --no-print-directory $(MAKEFLAGS)
+sync: .setup
+ cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
+ $(DEFINES) $(MAKE) sync --no-print-directory $(MAKEFLAGS)
+
%::
- cd build/$(BUILD_DIR) && cmake ../.. && \
+ cd build/$(BUILD_DIR) && cmake ../../ && \
$(DEFINES) $(MAKE) --no-print-directory $@

15
sysutils/osquery/files/patch-include_osquery_core.h
View file

@ -1,15 +0,0 @@
--- include/osquery/core.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/core.h
@@ -30,7 +30,11 @@
// clang-format on
#ifndef __constructor__
-#define __constructor__ __attribute__((constructor))
+#define __registry_constructor__ __attribute__((constructor(101)))
+#define __plugin_constructor__ __attribute__((constructor(102)))
+#else
+#define __registry_constructor__ __attribute__((__constructor__(101)))
+#define __plugin_constructor__ __attribute__((__constructor__(102)))
#endif
/// A configuration error is catastrophic and should exit the watcher.

110
sysutils/osquery/files/patch-include_osquery_events.h
View file

@ -1,110 +0,0 @@
--- include/osquery/events.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/events.h
@@ -197,8 +197,8 @@ class EventPublisherPlugin : public Plug
* @brief Perform handle opening, OS API callback registration.
*
* `setUp` is the event framework's EventPublisher constructor equivalent.
- * When `setUp` is called the EventPublisher is running in a dedicated thread
- * and may manage/allocate/wait for resources.
+ * This is called in the main thread before the publisher's run loop has
+ * started, immediately following registration.
*/
virtual Status setUp() { return Status(0, "Not used"); }
@@ -206,17 +206,28 @@ class EventPublisherPlugin : public Plug
* @brief Perform handle closing, resource cleanup.
*
* osquery is about to end, the EventPublisher should close handle descriptors
- * unblock resources, and prepare to exit.
+ * unblock resources, and prepare to exit. This will be called from the main
+ * thread after the run loop thread has exited.
*/
virtual void tearDown() {}
/**
- * @brief Implement a step of an optional run loop.
+ * @brief Implement a "step" of an optional run loop.
*
* @return A SUCCESS status will immediately call `run` again. A FAILED status
* will exit the run loop and the thread.
*/
- virtual Status run() { return Status(1, "No runloop required"); }
+ virtual Status run() { return Status(1, "No run loop required"); }
+
+ /**
+ * @brief Allow the EventFactory to interrupt the run loop.
+ *
+ * Assume the main thread may ask the run loop to stop at anytime.
+ * Before end is called the publisher's `isEnding` is set and the EventFactory
+ * run loop manager will exit the stepping loop and fall through to a call
+ * to tearDown followed by a removal of the publisher.
+ */
+ virtual void end() {}
/**
* @brief A new EventSubscriber is subscriptioning events of this
@@ -260,9 +271,16 @@ class EventPublisherPlugin : public Plug
/// Return a string identifier associated with this EventPublisher.
virtual EventPublisherID type() const { return "publisher"; }
+ /// Check if the EventFactory is ending all publisher threads.
bool isEnding() const { return ending_; }
+
+ /// Set the ending status for this publisher.
void isEnding(bool ending) { ending_ = ending; }
+
+ /// Check if the publisher's run loop has started.
bool hasStarted() const { return started_; }
+
+ /// Set the run or started status for this publisher.
void hasStarted(bool started) { started_ = started; }
protected:
@@ -284,6 +302,7 @@ class EventPublisherPlugin : public Plug
private:
/// Set ending to True to cause event type run loops to finish.
bool ending_;
+
/// Set to indicate whether the event run loop ever started.
bool started_;
@@ -661,11 +680,14 @@ class EventFactory : private boost::nonc
}
/**
- * @brief Halt the EventPublisher run loop and call its `tearDown`.
+ * @brief Halt the EventPublisher run loop.
*
* Any EventSubscriber%s with Subscription%s for this EventPublisher will
* become useless. osquery callers MUST deregister events.
* EventPublisher%s assume they can hook/trampoline, which requires cleanup.
+ * This will tear down and remove the publisher if the run loop did not start.
+ * Otherwise it will call end on the publisher and assume the run loop will
+ * tear down and remove.
*
* @param event_pub The string label for the EventPublisher.
*
@@ -681,6 +703,8 @@ class EventFactory : private boost::nonc
/// Return an instance to a registered EventSubscriber.
static EventSubscriberRef getEventSubscriber(EventSubscriberID& sub);
+
+ /// Check if an event subscriber exists.
static bool exists(EventSubscriberID& sub);
static std::vector<std::string> publisherTypes();
@@ -701,9 +725,12 @@ class EventFactory : private boost::nonc
}
/**
- * @brief End all EventPublisher run loops and call their `tearDown` methods.
+ * @brief End all EventPublisher run loops and deregister.
*
- * End is NOT the same as deregistration.
+ * End is NOT the same as deregistration. End will call deregister on all
+ * publishers then either join or detach their run loop threads.
+ * See EventFactory::deregisterEventPublisher for actions taken during
+ * deregistration.
*
* @param should_end Reset the "is ending" state if False.
*/

14
sysutils/osquery/files/patch-include_osquery_flags.h
View file

@ -1,14 +0,0 @@
--- include/osquery/flags.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/flags.h
@@ -19,7 +19,11 @@
#include <osquery/core.h>
+#ifdef FREEBSD
+#define GFLAGS_NAMESPACE gflags
+#elif !defined(GFLAGS_NAMESPACE)
#define GFLAGS_NAMESPACE google
+#endif
namespace boost {
/// We define a lexical_cast template for boolean for Gflags boolean string

58
sysutils/osquery/files/patch-include_osquery_registry.h
View file

@ -1,58 +0,0 @@
--- include/osquery/registry.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/registry.h
@@ -41,11 +41,11 @@ namespace osquery {
* @param type A typename that derives from Plugin.
* @param name A string identifier for the registry.
*/
-#define CREATE_REGISTRY(type, name) \
- namespace registry { \
- __constructor__ static void type##Registry() { \
- Registry::create<type>(name); \
- } \
+#define CREATE_REGISTRY(type, name) \
+ namespace registry { \
+ __registry_constructor__ static void type##Registry() { \
+ Registry::create<type>(name); \
+ } \
}
/**
@@ -56,11 +56,11 @@ namespace osquery {
* @param type A typename that derives from Plugin.
* @param name A string identifier for the registry.
*/
-#define CREATE_LAZY_REGISTRY(type, name) \
- namespace registry { \
- __constructor__ static void type##Registry() { \
- Registry::create<type>(name, true); \
- } \
+#define CREATE_LAZY_REGISTRY(type, name) \
+ namespace registry { \
+ __registry_constructor__ static void type##Registry() { \
+ Registry::create<type>(name, true); \
+ } \
}
/**
@@ -75,15 +75,15 @@ namespace osquery {
* @param registry The string name for the registry.
* @param name A string identifier for this registry item.
*/
-#define REGISTER(type, registry, name) \
- __constructor__ static void type##RegistryItem() { \
- Registry::add<type>(registry, name); \
+#define REGISTER(type, registry, name) \
+ __plugin_constructor__ static void type##RegistryItem() { \
+ Registry::add<type>(registry, name); \
}
/// The same as REGISTER but prevents the plugin item from being broadcasted.
-#define REGISTER_INTERNAL(type, registry, name) \
- __constructor__ static void type##RegistryItem() { \
- Registry::add<type>(registry, name, true); \
+#define REGISTER_INTERNAL(type, registry, name) \
+ __plugin_constructor__ static void type##RegistryItem() { \
+ Registry::add<type>(registry, name, true); \
}
/**

9
sysutils/osquery/files/patch-kernel_linux_.gitignore
View file

@ -1,9 +0,0 @@
--- kernel/linux/.gitignore.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/.gitignore
@@ -1,6 +0,0 @@
-Module.symvers
-modules.order
-.tmp_versions*
-*.cmd
-*.mod.c
-*.ko

50
sysutils/osquery/files/patch-kernel_linux_Makefile
View file

@ -1,50 +0,0 @@
--- kernel/linux/Makefile.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/Makefile
@@ -1,47 +0,0 @@
-obj-m += camb.o
-camb-objs += main.o sysfs.o hash.o
-
-# We need headers to build against a specific kernel version
-ifndef KDIR
- KDIR = /lib/modules/$(shell uname -r)/build
-# @echo "Using default kernel directory: ${KDIR}"
-endif
-
-# If user specifies a System.map, get addresses from there
-ifdef SMAP
- OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')"
- OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')"
- OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')"
-
-# Otherwise, they must be present on the build line
-else
- OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}"
- OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}"
- OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}"
-endif
-
-ifdef HIDE_ME
- OPTS += -DHIDE_ME
- camb-objs += hide.o
-endif
-
-all:
-
-ifndef SMAP
- ifndef TEXT_SEGMENT_START
- @echo "Missing parameter: TEXT_SEGMENT_START"
- @exit 1
- endif
-
- ifndef TEXT_SEGMENT_END
- @echo "Missing parameter: TEXT_SEGMENT_END"
- @exit 1
- endif
-
- ifndef SYSCALL_BASE_ADDR
- @echo "Missing parameter: SYSCALL_BASE_ADDR"
- @exit 1
- endif
-endif
-
- $(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules

94
sysutils/osquery/files/patch-kernel_linux_hash.c
View file

@ -1,94 +0,0 @@
--- kernel/linux/hash.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hash.c
@@ -1,91 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-/* Crypto */
-#include <linux/crypto.h>
-#include <linux/err.h>
-#include <linux/scatterlist.h>
-#include <crypto/sha.h>
-
-#include "hash.h"
-
-unsigned char *kernel_text_hash(void) {
- return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START,
- TEXT_SEGMENT_END - TEXT_SEGMENT_START);
-}
-
-/**
- * @brief Generic function for performing a SHA-1 hash of a memory range
- *
- * @param data - Beginning memory address to perform hash
- * @param len - size in bytes of the address range to hash
- *
- * @return allocated buffer containing the hash string; or NULL upon error.
- */
-unsigned char *hash_data(const void *data, size_t len) {
- struct scatterlist sg;
- struct hash_desc desc;
- size_t out_len = SHA1_DIGEST_SIZE * 2 + 1;
- unsigned char hashtext[SHA1_DIGEST_SIZE];
- unsigned char *hashtext_out = kmalloc(out_len, GFP_KERNEL);
-
- if (!hashtext_out) {
- printk(KERN_INFO "Could not allocate space for hash\n");
- return NULL;
- }
-
- sg_init_one(&sg, data, len);
- desc.flags = 0;
- desc.tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC);
-
- crypto_hash_init(&desc);
- crypto_hash_update(&desc, &sg, sg.length);
- crypto_hash_final(&desc, hashtext);
-
- snprintf(hashtext_out,
- out_len,
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
- hashtext[0], hashtext[1], hashtext[2], hashtext[3],
- hashtext[4], hashtext[5], hashtext[6], hashtext[7],
- hashtext[8], hashtext[9], hashtext[10], hashtext[11],
- hashtext[12], hashtext[13], hashtext[14], hashtext[15],
- hashtext[16], hashtext[17], hashtext[18], hashtext[19]
- );
-
- if (desc.tfm) {
- crypto_free_hash(desc.tfm);
- }
-
- return hashtext_out;
-}
-
-/**
- * @brief Callback for the sysfs object read. This happens when a file is
- * read(2) (or equivalent) from within sysfs. E.g. cat /sys/foo/bar will
- * call bar's *_show callback method.
- *
- * @param obj - reference to a kernel object within the sysfs filesystem
- * @param attr - attribute of said kernel object
- * @param buf - buffer that will be allocated and filled with the hash
- *
- * @return size in bytes of the hash string; or -1 upon error.
- */
-ssize_t text_segment_hash_show(struct kobject *obj,
- struct attribute *attr,
- char *buf) {
- ssize_t ret;
- char *hash = kernel_text_hash();
-
- if (hash) {
- ret = scnprintf(buf, PAGE_SIZE, "%s\n", hash);
- kfree(hash);
- } else {
- ret = -1;
- }
-
- return ret;
-}

7
sysutils/osquery/files/patch-kernel_linux_hash.h
View file

@ -1,7 +0,0 @@
--- kernel/linux/hash.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hash.h
@@ -1,4 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-unsigned char *kernel_text_hash(void);
-unsigned char *hash_data(const void *, size_t);

29
sysutils/osquery/files/patch-kernel_linux_hide.c
View file

@ -1,29 +0,0 @@
--- kernel/linux/hide.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hide.c
@@ -1,26 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/module.h>
-
-#include "hide.h"
-
-extern char *module_str;
-
-void rm_mod_from_list(void) {
- THIS_MODULE->list.next->prev = THIS_MODULE->list.prev;
- THIS_MODULE->list.prev->next = THIS_MODULE->list.next;
-}
-
-void rm_mod_from_sysfs(void) {
- kobject_del(THIS_MODULE->holders_dir->parent);
-}
-
-void rm_mod_from_ddebug_tables(void) {
- ddebug_remove_module(module_str);
-}
-
-void hide_me(void) {
- rm_mod_from_list();
- rm_mod_from_sysfs();
- rm_mod_from_ddebug_tables();
-}

9
sysutils/osquery/files/patch-kernel_linux_hide.h
View file

@ -1,9 +0,0 @@
--- kernel/linux/hide.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hide.h
@@ -1,6 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-void rm_mod_from_list(void);
-void rm_mod_from_sysfs(void);
-void rm_mod_from_ddebug_tables(void);
-void hide_me(void);

99
sysutils/osquery/files/patch-kernel_linux_main.c
View file

@ -1,99 +0,0 @@
--- kernel/linux/main.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/main.c
@@ -1,96 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/file.h>
-#include <linux/fdtable.h>
-#include <linux/dcache.h>
-#include <linux/syscalls.h>
-#include <linux/fs.h>
-#include <linux/fcntl.h>
-#include <linux/slab.h>
-#include <linux/mutex.h>
-#include <linux/kallsyms.h>
-#include <linux/sched.h>
-#include <linux/dirent.h>
-#include <linux/reboot.h>
-#include <linux/notifier.h>
-#include <linux/kobject.h>
-#include <asm/syscall.h>
-
-#include "sysfs.h"
-#include "hash.h"
-#ifdef HIDE_ME
- #include "hide.h"
-#endif
-
-extern struct kobject *camb_kobj;
-char *module_str = "camb";
-
-static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR;
-static unsigned long *syscall_table_copy[NR_syscalls];
-
-/* Allow writes to executable memory pages */
-void en_mem_wr(void) {
- write_cr0(read_cr0() & (~0x10000));
-}
-
-/* Disallow writes to executable memory pages */
-void dis_mem_wr(void) {
- write_cr0(read_cr0() | 0x10000);
-}
-
-int syscall_addr_modified_show(struct kobject *obj,
- struct attribute *attr,
- char *buf) {
- unsigned int i = -1, mod = 0, ret;
-
- while(++i < NR_syscalls)
- if (syscall_table[i] != syscall_table_copy[i])
- mod = 1;
- ret = scnprintf(buf, PAGE_SIZE, "%d\n", mod);
-
- return ret;
-}
-
-/* Copy the system call pointer table */
-void grab_syscall_table(void) {
- unsigned int i;
- for (i = 0; i < NR_syscalls; i++)
- syscall_table_copy[i] = syscall_table[i];
-}
-
-static int __init camb_init(void) {
- printk(KERN_INFO "[%s] init\n", module_str);
-
- if (expose_sysfs()) {
- printk(KERN_ERR "Cannot expose self to sysfs\n");
- return -1;
- }
-
- /* Hide the fact that we're monitoring the system for tampering */
-#ifdef HIDE_ME
- hide_me();
-#endif
-
- grab_syscall_table();
-
- return 0;
-}
-
-static void __exit camb_exit(void) {
- printk(KERN_INFO "[%s] exit\n", module_str);
-
- if (camb_kobj) {
- kobject_put(camb_kobj);
- }
-
-}
-
-module_init(camb_init);
-module_exit(camb_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("@unixist");
-MODULE_DESCRIPTION("Detect kernel tampering");

52
sysutils/osquery/files/patch-kernel_linux_sysfs.c
View file

@ -1,52 +0,0 @@
--- kernel/linux/sysfs.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/sysfs.c
@@ -1,49 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/sysfs.h>
-#include <linux/kobject.h>
-#include <linux/module.h>
-#include <linux/slab.h>
-
-#include "hash.h"
-#include "sysfs.h"
-
-struct kobject *camb_kobj;
-
-extern ssize_t syscall_addr_modified_show(struct kobject *obj,
- struct attribute *attr,
- char *buf);
-extern ssize_t text_segment_hash_show(struct kobject *obj,
- struct attribute *attr,
- char *buf);
-
-struct kobj_attribute attr_syscall_addr_modified =
- __ATTR(syscall_addr_modified, 0444, syscall_addr_modified_show, NULL);
-
-struct kobj_attribute attr_text_segment_hash =
- __ATTR(text_segment_hash, 0444, text_segment_hash_show, NULL);
-
-struct attribute *camb_attrs[] = {
- &attr_text_segment_hash.attr,
- &attr_syscall_addr_modified.attr,
- NULL,
-};
-
-struct attribute_group attr_group = {
- .attrs = camb_attrs
-};
-
-int expose_sysfs(void) {
- int err = 0;
- camb_kobj = kobject_create_and_add("camb", kernel_kobj);
- if (camb_kobj) {
- if ((err = sysfs_create_group(camb_kobj, &attr_group)) != 0) {
- kobject_put(camb_kobj);
- }
- }
- return err;
-}
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("@unixist");
-MODULE_DESCRIPTION("Detect kernel tampering");

6
sysutils/osquery/files/patch-kernel_linux_sysfs.h
View file

@ -1,6 +0,0 @@
--- kernel/linux/sysfs.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/sysfs.h
@@ -1,3 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-int expose_sysfs(void);

43
sysutils/osquery/files/patch-osquery_CMakeLists.txt
View file

@ -1,40 +1,11 @@
--- osquery/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
--- osquery/CMakeLists.txt.orig 2015-07-03 23:09:06 UTC
+++ osquery/CMakeLists.txt
@@ -22,11 +22,14 @@ set(OSQUERY_LIBS
readline
pthread
- dl
bz2
z
)
+if(NOT FREEBSD)
+ set(OSQUERY_LIBS ${OSQUERY_LIBS} dl)
+endif()
+
# Add default linking details (the first argument means SDK + core).
ADD_OSQUERY_LINK(TRUE "-rdynamic")
@@ -44,7 +47,7 @@ endif()
@@ -54,7 +54,7 @@ endif()
# The remaining boost libraries are discovered with find_library.
ADD_OSQUERY_LINK(TRUE "boost_system")
ADD_OSQUERY_LINK(TRUE "boost_filesystem")
-ADD_OSQUERY_LINK(TRUE "boost_regex")
+ADD_OSQUERY_LINK(TRUE "-lboost_regex")
ADD_OSQUERY_LINK(TRUE "yara")
ADD_OSQUERY_LINK_CORE("boost_system")
ADD_OSQUERY_LINK_CORE("boost_filesystem")
-ADD_OSQUERY_LINK_CORE("boost_regex")
+ADD_OSQUERY_LINK_CORE("-lboost_regex")
ADD_OSQUERY_LINK_CORE("yara")
if(DEFINED ENV{SANITIZE})
@@ -133,7 +136,11 @@ if(NOT OSQUERY_BUILD_SDK_ONLY)
# Include the public API includes if make devel.
install(TARGETS libosquery ARCHIVE DESTINATION lib COMPONENT devel OPTIONAL)
- install(DIRECTORY "${CMAKE_SOURCE_DIR}/include/" DESTINATION include COMPONENT devel OPTIONAL)
+ install(DIRECTORY "${CMAKE_SOURCE_DIR}/include"
+ DESTINATION include
+ COMPONENT devel OPTIONAL
+ PATTERN ".*" EXCLUDE
+ )
# make install (executables)
install(TARGETS shell RUNTIME DESTINATION bin COMPONENT main)

19
sysutils/osquery/files/patch-osquery_config_config.cpp
View file

@ -1,19 +0,0 @@
--- osquery/config/config.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/config.cpp
@@ -167,7 +167,15 @@ inline void mergeExtraKey(const std::str
if (node.second.count("") == 0 && conf.all_data.count(name) > 0) {
conf.all_data.get_child(name).erase(subitem.first);
}
- conf.all_data.add_child(name + "." + subitem.first, subitem.second);
+
+ if (subitem.first.size() == 0) {
+ if (conf.all_data.count(name) == 0) {
+ conf.all_data.add_child(name, subitem.second);
+ }
+ conf.all_data.get_child(name).push_back(subitem);
+ } else {
+ conf.all_data.add_child(name + "." + subitem.first, subitem.second);
+ }
}
}

106
sysutils/osquery/files/patch-osquery_config_plugins_http.cpp
View file

@ -1,106 +0,0 @@
--- osquery/config/plugins/http.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/plugins/http.cpp
@@ -14,10 +14,10 @@
#include <boost/property_tree/ptree.hpp>
#include <osquery/config.h>
+#include <osquery/enrollment.h>
#include <osquery/flags.h>
-#include <osquery/logger.h>
-#include <osquery/filesystem.h>
#include <osquery/registry.h>
+
#include "osquery/remote/requests.h"
#include "osquery/remote/transports/http.h"
#include "osquery/remote/serializers/json.h"
@@ -30,7 +30,7 @@ DECLARE_string(enrollment_app_id);
FLAG(string,
config_enrollment_uri,
- "Not Specified",
+ "",
"The endpoint for server side client enrollment");
class HTTPConfigPlugin : public ConfigPlugin {
@@ -40,49 +40,45 @@ class HTTPConfigPlugin : public ConfigPl
REGISTER(HTTPConfigPlugin, "config", "http");
-Status runEnrollment(const bool force = false) {
- PluginResponse resp;
- PluginRequest req;
- if (force) {
- req = {{"enroll", "1"}};
- } else {
- req = {{"enroll", "0"}};
+Status runEnrollment(bool force = false) {
+ PluginResponse response;
+ PluginRequest request = {{"enroll", (force) ? "1" : "0"}};
+ auto status = Registry::call("enrollment", "get_key", request, response);
+ if (!status.ok()) {
+ return status;
}
- Status stat = Registry::call("enrollment", "get_key", req, resp);
- if (!stat.ok()) {
- return stat;
- }
- if (resp.size() > 0 && resp[0]["key"].length() == 0) {
+ if (response.size() > 0 && response[0]["key"].size() == 0) {
return Status(1, "Enrollment Error: No Key");
}
return Status(0, "OK");
}
-Status getConfig(boost::property_tree::ptree& recv) {
- // Make request to endpoint with secrets
+Status getConfig(boost::property_tree::ptree& output) {
+ // Make request to endpoint with secrets.
auto r = Request<HTTPTransport, JSONSerializer>(FLAGS_config_enrollment_uri);
boost::property_tree::ptree params;
- PluginResponse resp;
- Status stat =
- Registry::call("enrollment", "get_key", {{"enroll", "0"}}, resp);
- params.put<std::string>("enrollment_key", resp[0]["key"]);
+ PluginResponse response;
+ Registry::call("enrollment", "get_key", {{"enroll", "0"}}, response);
+ params.put<std::string>("enrollment_key", response[0]["key"]);
params.put<std::string>("app_id", FLAGS_enrollment_app_id);
- stat = r.call(params);
- if (!stat.ok()) {
- return stat;
+ auto status = r.call(params);
+ if (!status.ok()) {
+ return status;
}
- // The call was ok, so store the enrolled key
- stat = r.getResponse(recv);
- if (!stat.ok()) {
- return stat;
+
+ // The call succeeded, store the enrolled key.
+ status = r.getResponse(output);
+ if (!status.ok()) {
+ return status;
}
+
// Receive config or key rejection
- if (recv.count("enrollment_invalid") > 0 &&
- recv.get<std::string>("enrollment_invalid", "") == "1") {
- return stat;
+ if (output.count("enrollment_invalid") > 0 &&
+ output.get<std::string>("enrollment_invalid", "") == "1") {
+ return status;
}
return Status(0, "OK");
}
@@ -97,6 +93,7 @@ Status HTTPConfigPlugin::genConfig(std::
break;
}
}
+
std::stringstream ss;
write_json(ss, recv);
config[FLAGS_enrollment_app_id] = ss.str();

123
sysutils/osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp
View file

@ -1,123 +0,0 @@
--- osquery/config/plugins/tests/http_config_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/plugins/tests/http_config_tests.cpp
@@ -1,120 +0,0 @@
-/*
- * Copyright (c) 2014, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed under the BSD-style license found in the
- * LICENSE file in the root directory of this source tree. An additional grant
- * of patent rights can be found in the PATENTS file in the same directory.
- *
- */
-
-#include <iostream>
-#include <random>
-#include <sstream>
-#include <thread>
-
-#include <boost/network/protocol/http/server.hpp>
-#include <boost/property_tree/ptree.hpp>
-
-#include <gtest/gtest.h>
-
-#include <osquery/config.h>
-#include <osquery/enrollment.h>
-
-#include "osquery/remote/requests.h"
-#include "osquery/remote/transports/http.h"
-#include "osquery/remote/serializers/json.h"
-
-namespace http = boost::network::http;
-
-namespace osquery {
-
-DECLARE_string(enrollment_uri);
-DECLARE_string(config_enrollment_uri);
-DECLARE_string(enrollment_app_id);
-
-struct EnrollHTTPHandler;
-struct ConfigHTTPHandler;
-typedef http::server<EnrollHTTPHandler> EnrollServer;
-typedef http::server<ConfigHTTPHandler> ConfigServer;
-
-struct EnrollHTTPHandler {
- void operator()(EnrollServer::request const &request,
- EnrollServer::response &response) {
- response = EnrollServer::response::stock_reply(
- EnrollServer::response::ok,
- std::string("{\"enrollment_key\":\"potatoes\"}"));
- }
- void log(...) {}
-};
-
-struct ConfigHTTPHandler {
- void operator()(ConfigServer::request const &request,
- ConfigServer::response &response) {
- response = ConfigServer::response::stock_reply(
- ConfigServer::response::ok,
- std::string(
- "{ \"schedule\": {\"config_server_launchd\": {\"query\": \"select "
- "* from launchd;\", \"interval\": 3600 }}}"));
- }
- void log(...) {}
-};
-
-class HttpConfigTests : public testing::Test {
- public:
- HttpConfigTests() {
- // Create an enrollment endpoint and configuration retrieval endpoint.
- auto enroll_port = rand() % 10000 + 10000;
- auto config_port = enroll_port + 1;
- // Set the URIs.
- FLAGS_enrollment_uri = "http://localhost:" + std::to_string(enroll_port);
- FLAGS_config_enrollment_uri =
- "http://localhost:" + std::to_string(config_port);
- FLAGS_enrollment_app_id = "just_a_test_id";
-
- // Create two servers + handlers with default options.
- EnrollHTTPHandler enrollment;
- ConfigHTTPHandler config;
- EnrollServer::options opt_enroll(enrollment);
- ConfigServer::options opt_config(config);
- enrollment_server_ = std::make_shared<EnrollServer>(
- opt_enroll.address("127.0.0.1").port(std::to_string(enroll_port)));
- config_server_ = std::make_shared<ConfigServer>(
- opt_config.address("127.0.0.1").port(std::to_string(config_port)));
-
- // Start each server in a separate service thread.
- config_thread_ = std::make_shared<boost::thread>(
- boost::bind(&ConfigServer::run, &*config_server_));
- enroll_thread_ = std::make_shared<boost::thread>(
- boost::bind(&EnrollServer::run, &*enrollment_server_));
- }
-
- ~HttpConfigTests() {
- enrollment_server_->stop();
- config_server_->stop();
- enroll_thread_->join();
- config_thread_->join();
- }
-
- protected:
- std::shared_ptr<EnrollServer> enrollment_server_;
- std::shared_ptr<ConfigServer> config_server_;
- std::shared_ptr<boost::thread> enroll_thread_;
- std::shared_ptr<boost::thread> config_thread_;
-};
-
-TEST_F(HttpConfigTests, test_enroll_config) {
- // Change the active config plugin.
- EXPECT_TRUE(Registry::setActive("config", "http").ok());
-
- // Request the config server to generate a config data.
- PluginResponse response;
- auto stat = Registry::call("config", {{"action", "genConfig"}}, response);
- EXPECT_TRUE(stat.ok());
-
- // Update the config instance with the content from the server.
- Config::update(response[0]);
- ConfigDataInstance config;
- EXPECT_EQ(config.schedule().count("config_server_launchd"), 1);
-}
-}

22
sysutils/osquery/files/patch-osquery_core_init.cpp Normal file
View file

@ -0,0 +1,22 @@
--- osquery/core/init.cpp.orig 2015-07-03 22:32:52 UTC
+++ osquery/core/init.cpp
@@ -31,6 +31,10 @@
#include "osquery/core/watcher.h"
#include "osquery/database/db_handle.h"
+#ifdef __FreeBSD__
+#include <sys/resource.h>
+#endif
+
#ifdef __linux__
#include <sys/resource.h>
#include <sys/syscall.h>
@@ -238,7 +242,7 @@ void Initializer::initDaemon() {
#ifdef __linux__
// Using: ioprio_set(IOPRIO_WHO_PGRP, 0, IOPRIO_CLASS_IDLE);
syscall(SYS_ioprio_set, IOPRIO_WHO_PGRP, 0, IOPRIO_CLASS_IDLE);
-#elif defined(__APPLE__) || defined(__FreeBSD__)
+#elif defined(__APPLE__)
setiopolicy_np(IOPOL_TYPE_DISK, IOPOL_SCOPE_PROCESS, IOPOL_THROTTLE);
#endif
}

52
sysutils/osquery/files/patch-osquery_core_watcher.cpp
View file

@ -1,52 +0,0 @@
--- osquery/core/watcher.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/core/watcher.cpp
@@ -171,7 +171,7 @@ bool WatcherRunner::ok() {
return (Watcher::getWorker() >= 0 || Watcher::hasManagedExtensions());
}
-void WatcherRunner::enter() {
+void WatcherRunner::start() {
// Set worker performance counters to an initial state.
Watcher::resetWorkerCounters(0);
signal(SIGCHLD, childHandler);
@@ -327,6 +327,15 @@ void WatcherRunner::createWorker() {
setenv("OSQUERY_EXTENSIONS", "true", 1);
}
+ // Get the complete path of the osquery process binary.
+ auto exec_path = fs::system_complete(fs::path(qd[0]["path"]));
+ if (!safePermissions(
+ exec_path.parent_path().string(), exec_path.string(), true)) {
+ // osqueryd binary has become unsafe.
+ LOG(ERROR) << "osqueryd has unsafe permissions: " << exec_path.string();
+ ::exit(EXIT_FAILURE);
+ }
+
auto worker_pid = fork();
if (worker_pid < 0) {
// Unrecoverable error, cannot create a worker process.
@@ -335,8 +344,6 @@ void WatcherRunner::createWorker() {
} else if (worker_pid == 0) {
// This is the new worker process, no watching needed.
setenv("OSQUERY_WORKER", std::to_string(getpid()).c_str(), 1);
- // Get the complete path of the osquery process binary.
- auto exec_path = fs::system_complete(fs::path(qd[0]["path"]));
execve(exec_path.string().c_str(), argv_, environ);
// Code should never reach this point.
LOG(ERROR) << "osqueryd could not start worker process";
@@ -401,13 +408,13 @@ bool WatcherRunner::createExtension(cons
return true;
}
-void WatcherWatcherRunner::enter() {
+void WatcherWatcherRunner::start() {
while (true) {
if (getppid() != watcher_) {
// Watcher died, the worker must follow.
VLOG(1) << "osqueryd worker (" << getpid()
<< ") detected killed watcher (" << watcher_ << ")";
- Dispatcher::removeServices();
+ Dispatcher::stopServices();
Dispatcher::joinServices();
::exit(EXIT_SUCCESS);
}

20
sysutils/osquery/files/patch-osquery_core_watcher.h
View file

@ -1,20 +0,0 @@
--- osquery/core/watcher.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/core/watcher.h
@@ -210,7 +210,7 @@ class WatcherRunner : public InternalRun
private:
/// Dispatcher (this service thread's) entry point.
- void enter();
+ void start();
/// Boilerplate function to sleep for some configured latency
bool ok();
/// Begin the worker-watcher process.
@@ -239,7 +239,7 @@ class WatcherRunner : public InternalRun
class WatcherWatcherRunner : public InternalRunnable {
public:
explicit WatcherWatcherRunner(pid_t watcher) : watcher_(watcher) {}
- void enter();
+ void start();
private:
pid_t watcher_;

13
sysutils/osquery/files/patch-osquery_database_db__handle.cpp
View file

@ -1,13 +0,0 @@
--- osquery/database/db_handle.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/database/db_handle.cpp
@@ -50,6 +50,10 @@ FLAG_ALIAS(bool, use_in_memory_database,
DBHandle::DBHandle(const std::string& path, bool in_memory) {
options_.create_if_missing = true;
options_.create_missing_column_families = true;
+ options_.info_log_level = rocksdb::WARN_LEVEL;
+ options_.log_file_time_to_roll = 0;
+ options_.keep_log_file_num = 10;
+ options_.max_log_file_size = 1024 * 1024 * 1;
if (in_memory) {
// Remove when MemEnv is included in librocksdb

69
sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.cpp
View file

@ -1,69 +0,0 @@
--- osquery/dispatcher/dispatcher.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/dispatcher.cpp
@@ -30,13 +30,19 @@ void interruptableSleep(size_t milli) {
Dispatcher::Dispatcher() {
thread_manager_ = InternalThreadManager::newSimpleThreadManager(
(size_t)FLAGS_worker_threads, 0);
- auto threadFactory = ThriftThreadFactory(new PosixThreadFactory());
- thread_manager_->threadFactory(threadFactory);
+ auto thread_factory = ThriftThreadFactory(new PosixThreadFactory());
+ thread_manager_->threadFactory(thread_factory);
thread_manager_->start();
}
+Dispatcher::~Dispatcher() { join(); }
+
Status Dispatcher::add(ThriftInternalRunnableRef task) {
+ auto& self = instance();
try {
+ if (self.state() != InternalThreadManager::STARTED) {
+ self.thread_manager_->start();
+ }
instance().thread_manager_->add(task, 0, 0);
} catch (std::exception& e) {
return Status(1, e.what());
@@ -61,7 +67,12 @@ InternalThreadManagerRef Dispatcher::get
return instance().thread_manager_;
}
-void Dispatcher::join() { instance().thread_manager_->join(); }
+void Dispatcher::join() {
+ if (instance().thread_manager_ != nullptr) {
+ instance().thread_manager_->stop();
+ instance().thread_manager_->join();
+ }
+}
void Dispatcher::joinServices() {
for (auto& thread : instance().service_threads_) {
@@ -69,11 +80,11 @@ void Dispatcher::joinServices() {
}
}
-void Dispatcher::removeServices() {
+void Dispatcher::stopServices() {
auto& self = instance();
for (const auto& service : self.services_) {
while (true) {
- // Wait for each thread's entry point (enter) meaning the thread context
+ // Wait for each thread's entry point (start) meaning the thread context
// was allocated and (run) was called by boost::thread started.
if (service->hasRun()) {
break;
@@ -82,15 +93,12 @@ void Dispatcher::removeServices() {
// the boost::thread is created.
::usleep(200);
}
+ service->stop();
}
for (auto& thread : self.service_threads_) {
thread->interrupt();
}
-
- // Deallocate services.
- self.service_threads_.clear();
- self.services_.clear();
}
InternalThreadManager::STATE Dispatcher::state() const {

95
sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.h
View file

@ -1,95 +0,0 @@
--- osquery/dispatcher/dispatcher.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/dispatcher.h
@@ -31,8 +31,12 @@
namespace osquery {
+using namespace apache::thrift::concurrency;
+
+/// Create easier to reference typedefs for Thrift layer implementations.
+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr
typedef apache::thrift::concurrency::ThreadManager InternalThreadManager;
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<InternalThreadManager> InternalThreadManagerRef;
+typedef SHARED_PTR_IMPL<InternalThreadManager> InternalThreadManagerRef;
/**
* @brief Default number of threads in the thread pool.
@@ -42,7 +46,7 @@ typedef OSQUERY_THRIFT_POINTER::shared_p
*/
extern const int kDefaultThreadPoolSize;
-class InternalRunnable : public apache::thrift::concurrency::Runnable {
+class InternalRunnable : public Runnable {
public:
virtual ~InternalRunnable() {}
InternalRunnable() : run_(false) {}
@@ -51,16 +55,20 @@ class InternalRunnable : public apache::
/// The boost::thread entrypoint.
void run() {
run_ = true;
- enter();
+ start();
}
/// Check if the thread's entrypoint (run) executed, meaning thread context
/// was allocated.
bool hasRun() { return run_; }
+ /// The runnable may also tear down services before the thread context
+ /// is removed.
+ virtual void stop() {}
+
protected:
/// Require the runnable thread define an entrypoint.
- virtual void enter() = 0;
+ virtual void start() = 0;
private:
bool run_;
@@ -70,9 +78,8 @@ class InternalRunnable : public apache::
typedef std::shared_ptr<InternalRunnable> InternalRunnableRef;
typedef std::shared_ptr<boost::thread> InternalThreadRef;
/// A thrift internal runnable with variable pointer wrapping.
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<InternalRunnable> ThriftInternalRunnableRef;
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<
- apache::thrift::concurrency::PosixThreadFactory> ThriftThreadFactory;
+typedef SHARED_PTR_IMPL<InternalRunnable> ThriftInternalRunnableRef;
+typedef SHARED_PTR_IMPL<PosixThreadFactory> ThriftThreadFactory;
/**
* @brief Singleton for queueing asynchronous tasks to be executed in parallel
@@ -160,7 +167,7 @@ class Dispatcher : private boost::noncop
static void joinServices();
/// Destroy and stop all osquery service threads and service objects.
- static void removeServices();
+ static void stopServices();
/**
* @brief Get the current state of the thread manager.
@@ -248,7 +255,7 @@ class Dispatcher : private boost::noncop
Dispatcher();
Dispatcher(Dispatcher const&);
void operator=(Dispatcher const&);
- virtual ~Dispatcher() {}
+ virtual ~Dispatcher();
private:
/**
@@ -262,10 +269,15 @@ class Dispatcher : private boost::noncop
* @see getThreadManager
*/
InternalThreadManagerRef thread_manager_;
+
/// The set of shared osquery service threads.
std::vector<InternalThreadRef> service_threads_;
- /// THe set of shared osquery services.
+
+ /// The set of shared osquery services.
std::vector<InternalRunnableRef> services_;
+
+ private:
+ friend class ExtensionsTest;
};
/// Allow a dispatched thread to wait while processing or to prevent thrashing.

11
sysutils/osquery/files/patch-osquery_dispatcher_scheduler.cpp
View file

@ -1,11 +0,0 @@
--- osquery/dispatcher/scheduler.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/scheduler.cpp
@@ -150,7 +150,7 @@ void launchQuery(const std::string& name
}
}
-void SchedulerRunner::enter() {
+void SchedulerRunner::start() {
time_t t = std::time(nullptr);
struct tm* local = std::localtime(&t);
unsigned long int i = local->tm_sec;

11
sysutils/osquery/files/patch-osquery_dispatcher_scheduler.h
View file

@ -1,11 +0,0 @@
--- osquery/dispatcher/scheduler.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/scheduler.h
@@ -23,7 +23,7 @@ class SchedulerRunner : public InternalR
public:
/// The Dispatcher thread entry point.
- void enter();
+ void start();
protected:
/// The UNIX domain socket path for the ExtensionManager.

11
sysutils/osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp
View file

@ -1,11 +0,0 @@
--- osquery/dispatcher/tests/dispatcher_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/tests/dispatcher_tests.cpp
@@ -28,7 +28,7 @@ class TestRunnable : public InternalRunn
public:
int* i;
explicit TestRunnable(int* i) : i(i) {}
- virtual void enter() { ++*i; }
+ virtual void start() { ++*i; }
};
TEST_F(DispatcherTests, test_add_work) {

11
sysutils/osquery/files/patch-osquery_events_darwin_fsevents.cpp
View file

@ -1,11 +0,0 @@
--- osquery/events/darwin/fsevents.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/fsevents.cpp
@@ -137,6 +137,8 @@ Status FSEventsEventPublisher::run() {
return Status(0, "OK");
}
+void FSEventsEventPublisher::end() { stop(); }
+
void FSEventsEventPublisher::Callback(
ConstFSEventStreamRef stream,
void* callback_info,

11
sysutils/osquery/files/patch-osquery_events_darwin_fsevents.h
View file

@ -1,11 +0,0 @@
--- osquery/events/darwin/fsevents.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/fsevents.h
@@ -76,6 +76,8 @@ class FSEventsEventPublisher
// Entrypoint to the run loop
Status run();
+ // Callin for stopping the streams/run loop.
+ void end();
public:
/// FSEvents registers a client callback instead of using a select/poll loop.

132
sysutils/osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp
View file

@ -1,132 +0,0 @@
--- osquery/events/darwin/tests/fsevents_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/tests/fsevents_tests.cpp
@@ -25,27 +25,33 @@
namespace osquery {
-const std::string kRealTestPath = kTestWorkingDirectory + "fsevents_trigger";
int kMaxEventLatency = 3000;
class FSEventsTests : public testing::Test {
protected:
- void TearDown() { boost::filesystem::remove_all(kRealTestPath); }
+ void SetUp() {
+ trigger_path = kTestWorkingDirectory + "fsevents" +
+ std::to_string(rand() % 10000 + 10000);
+ }
+
+ void TearDown() { remove(trigger_path); }
void StartEventLoop() {
event_pub_ = std::make_shared<FSEventsEventPublisher>();
EventFactory::registerEventPublisher(event_pub_);
- FILE* fd = fopen(kRealTestPath.c_str(), "w");
+ FILE* fd = fopen(trigger_path.c_str(), "w");
fclose(fd);
temp_thread_ = boost::thread(EventFactory::run, "fsevents");
+ // Wait for the publisher thread and FSEvent run loop to start.
}
void EndEventLoop() {
while (!event_pub_->hasStarted()) {
::usleep(20);
}
- EventFactory::end();
+ EventFactory::end(false);
+ temp_thread_.join();
}
void WaitForStream(int max) {
@@ -76,7 +82,7 @@ class FSEventsTests : public testing::Te
void CreateEvents(int num = 1) {
WaitForStream(kMaxEventLatency);
for (int i = 0; i < num; ++i) {
- FILE* fd = fopen(kRealTestPath.c_str(), "w");
+ FILE* fd = fopen(trigger_path.c_str(), "a");
fputs("fsevents", fd);
fclose(fd);
}
@@ -84,8 +90,14 @@ class FSEventsTests : public testing::Te
std::shared_ptr<FSEventsEventPublisher> event_pub_;
boost::thread temp_thread_;
+
+ public:
+ /// Trigger path is the current test's eventing sink (accessed anywhere).
+ static std::string trigger_path;
};
+std::string FSEventsTests::trigger_path = kTestWorkingDirectory + "fsevents";
+
TEST_F(FSEventsTests, test_register_event_pub) {
auto pub = std::make_shared<FSEventsEventPublisher>();
auto status = EventFactory::registerEventPublisher(pub);
@@ -159,7 +171,7 @@ class TestFSEventsEventSubscriber
SCRef GetSubscription(uint32_t mask = 0) {
auto sc = createSubscriptionContext();
- sc->path = kRealTestPath;
+ sc->path = FSEventsTests::trigger_path;
sc->mask = mask;
return sc;
}
@@ -176,10 +188,10 @@ class TestFSEventsEventSubscriber
return Status(0, "OK");
}
- void WaitForEvents(int max) {
+ void WaitForEvents(int max, int initial = 0) {
int delay = 0;
while (delay < max * 1000) {
- if (callback_count_ > 0) {
+ if (callback_count_ > initial) {
return;
}
::usleep(50);
@@ -203,14 +215,17 @@ TEST_F(FSEventsTests, test_fsevents_run)
// Create a subscriptioning context
auto mc = std::make_shared<FSEventsSubscriptionContext>();
- mc->path = kRealTestPath;
+ mc->path = trigger_path;
EventFactory::addSubscription(
"fsevents", Subscription::create("TestFSEventsEventSubscriber", mc));
// Create an event loop thread (similar to main)
- boost::thread temp_thread(EventFactory::run, "fsevents");
+ temp_thread_ = boost::thread(EventFactory::run, "fsevents");
EXPECT_TRUE(event_pub_->numEvents() == 0);
+ // Wait for the thread to start and the FSEvents stream to turn on.
+ WaitForStream(kMaxEventLatency);
+
// Cause an fsevents event(s) by writing to the watched path.
CreateEvents();
@@ -218,7 +233,10 @@ TEST_F(FSEventsTests, test_fsevents_run)
WaitForEvents(kMaxEventLatency);
EXPECT_TRUE(event_pub_->numEvents() > 0);
- EventFactory::end();
+
+ // We are managing the thread ourselves, so no join needed.
+ EventFactory::end(false);
+ temp_thread_.join();
}
TEST_F(FSEventsTests, test_fsevents_fire_event) {
@@ -257,10 +275,9 @@ TEST_F(FSEventsTests, test_fsevents_even
sub->WaitForEvents(kMaxEventLatency);
// Make sure the fsevents action was expected.
- EXPECT_TRUE(sub->actions_.size() > 0);
- if (sub->actions_.size() > 1) {
- EXPECT_EQ(sub->actions_[0], "UPDATED");
- }
+ ASSERT_TRUE(sub->actions_.size() > 0);
+ EXPECT_EQ(sub->actions_[0], "CREATED");
+
EndEventLoop();
}
}

70
sysutils/osquery/files/patch-osquery_events_events.cpp
View file

@ -1,70 +0,0 @@
--- osquery/events/events.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/events.cpp
@@ -407,6 +407,8 @@ void EventFactory::delay() {
}
Status EventFactory::run(EventPublisherID& type_id) {
+ auto& ef = EventFactory::getInstance();
+
// An interesting take on an event dispatched entrypoint.
// There is little introspection into the event type.
// Assume it can either make use of an entrypoint poller/selector or
@@ -414,12 +416,17 @@ Status EventFactory::run(EventPublisherI
// only once and handle event queueing/firing in callbacks.
EventPublisherRef publisher;
try {
- publisher = EventFactory::getInstance().getEventPublisher(type_id);
+ publisher = ef.getEventPublisher(type_id);
} catch (std::out_of_range& e) {
return Status(1, "No event type found");
}
- VLOG(1) << "Starting event publisher runloop: " + type_id;
+ if (publisher == nullptr) {
+ return Status(1, "Event publisher is missing");
+ } else if (publisher->hasStarted()) {
+ return Status(1, "Cannot restart an event publisher");
+ }
+ VLOG(1) << "Starting event publisher run loop: " + type_id;
publisher->hasStarted(true);
auto status = Status(0, "OK");
@@ -428,11 +435,12 @@ Status EventFactory::run(EventPublisherI
status = publisher->run();
osquery::publisherSleep(EVENTS_COOLOFF);
}
-
// The runloop status is not reflective of the event type's.
- publisher->tearDown();
VLOG(1) << "Event publisher " << publisher->type()
- << " runloop terminated for reason: " << status.getMessage();
+ << " run loop terminated for reason: " << status.getMessage();
+ // Publishers auto tear down when their run loop stops.
+ publisher->tearDown();
+ ef.event_pubs_.erase(type_id);
return Status(0, "OK");
}
@@ -573,9 +581,12 @@ Status EventFactory::deregisterEventPubl
// If a publisher's run loop was not started, call tearDown since
// the setUp happened at publisher registration time.
publisher->tearDown();
+ // If the run loop did run the tear down and erase will happen in the event
+ // thread wrapper when isEnding is next checked.
+ ef.event_pubs_.erase(type_id);
+ } else {
+ publisher->end();
}
-
- ef.event_pubs_.erase(type_id);
return Status(0, "OK");
}
@@ -612,6 +623,7 @@ void EventFactory::end(bool join) {
}
}
+ // A small cool off helps OS API event publisher flushing.
::usleep(400);
ef.threads_.clear();
}

11
sysutils/osquery/files/patch-osquery_extensions_extensions.cpp
View file

@ -1,11 +0,0 @@
--- osquery/extensions/extensions.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/extensions.cpp
@@ -76,7 +76,7 @@ EXTENSION_FLAG_ALIAS(socket, extensions_
EXTENSION_FLAG_ALIAS(timeout, extensions_timeout);
EXTENSION_FLAG_ALIAS(interval, extensions_interval);
-void ExtensionWatcher::enter() {
+void ExtensionWatcher::start() {
// Watch the manager, if the socket is removed then the extension will die.
while (true) {
watch();

126
sysutils/osquery/files/patch-osquery_extensions_interface.cpp
View file

@ -1,126 +0,0 @@
--- osquery/extensions/interface.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/interface.cpp
@@ -173,89 +173,56 @@ bool ExtensionManagerHandler::exists(con
}
}
-ExtensionRunner::~ExtensionRunner() { remove(path_); }
+ExtensionRunnerCore::~ExtensionRunnerCore() { remove(path_); }
-void ExtensionRunner::enter() {
- // Set the socket information for the extension manager.
- auto socket_path = path_;
+void ExtensionRunnerCore::stop() {
+ if (server_ != nullptr) {
+ server_->stop();
+ }
+}
- // Create the thrift instances.
- OSQUERY_THRIFT_POINTER::shared_ptr<ExtensionHandler> handler(
- new ExtensionHandler(uuid_));
- OSQUERY_THRIFT_POINTER::shared_ptr<TProcessor> processor(
- new ExtensionProcessor(handler));
- OSQUERY_THRIFT_POINTER::shared_ptr<TServerTransport> serverTransport(
- new TServerSocket(socket_path));
- OSQUERY_THRIFT_POINTER::shared_ptr<TTransportFactory> transportFactory(
- new TBufferedTransportFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProtocolFactory> protocolFactory(
- new TBinaryProtocolFactory());
+void ExtensionRunnerCore::startServer(TProcessorRef processor) {
+ auto transport = TServerTransportRef(new TServerSocket(path_));
+ auto transport_fac = TTransportFactoryRef(new TBufferedTransportFactory());
+ auto protocol_fac = TProtocolFactoryRef(new TBinaryProtocolFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<ThreadManager> threadManager =
- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads);
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory> threadFactory =
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory>(
- new PosixThreadFactory());
- threadManager->threadFactory(threadFactory);
- threadManager->start();
+ auto thread_manager_ =
+ ThreadManager::newSimpleThreadManager((size_t)FLAGS_worker_threads, 0);
+ auto thread_fac = ThriftThreadFactory(new PosixThreadFactory());
+ thread_manager_->threadFactory(thread_fac);
+ thread_manager_->start();
// Start the Thrift server's run loop.
+ server_ = TThreadPoolServerRef(new TThreadPoolServer(
+ processor, transport, transport_fac, protocol_fac, thread_manager_));
+ server_->serve();
+}
+
+void ExtensionRunner::start() {
+ // Create the thrift instances.
+ auto handler = ExtensionHandlerRef(new ExtensionHandler(uuid_));
+ auto processor = TProcessorRef(new ExtensionProcessor(handler));
+
+ VLOG(1) << "Extension service starting: " << path_;
try {
- VLOG(1) << "Extension service starting: " << socket_path;
- TThreadPoolServer server(processor,
- serverTransport,
- transportFactory,
- protocolFactory,
- threadManager);
- server.serve();
+ startServer(processor);
} catch (const std::exception& e) {
- LOG(ERROR) << "Cannot start extension handler: " << socket_path << " ("
+ LOG(ERROR) << "Cannot start extension handler: " << path_ << " ("
<< e.what() << ")";
- return;
}
}
-ExtensionManagerRunner::~ExtensionManagerRunner() {
- // Remove the socket path.
- remove(path_);
-}
-
-void ExtensionManagerRunner::enter() {
- // Set the socket information for the extension manager.
- auto socket_path = path_;
-
+void ExtensionManagerRunner::start() {
// Create the thrift instances.
- OSQUERY_THRIFT_POINTER::shared_ptr<ExtensionManagerHandler> handler(
- new ExtensionManagerHandler());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProcessor> processor(
- new ExtensionManagerProcessor(handler));
- OSQUERY_THRIFT_POINTER::shared_ptr<TServerTransport> serverTransport(
- new TServerSocket(socket_path));
- OSQUERY_THRIFT_POINTER::shared_ptr<TTransportFactory> transportFactory(
- new TBufferedTransportFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProtocolFactory> protocolFactory(
- new TBinaryProtocolFactory());
-
- OSQUERY_THRIFT_POINTER::shared_ptr<ThreadManager> threadManager =
- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads);
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory> threadFactory =
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory>(
- new PosixThreadFactory());
- threadManager->threadFactory(threadFactory);
- threadManager->start();
+ auto handler = ExtensionManagerHandlerRef(new ExtensionManagerHandler());
+ auto processor = TProcessorRef(new ExtensionManagerProcessor(handler));
- // Start the Thrift server's run loop.
+ VLOG(1) << "Extension manager service starting: " << path_;
try {
- VLOG(1) << "Extension manager service starting: " << socket_path;
- TThreadPoolServer server(processor,
- serverTransport,
- transportFactory,
- protocolFactory,
- threadManager);
- server.serve();
+ startServer(processor);
} catch (const std::exception& e) {
LOG(WARNING) << "Extensions disabled: cannot start extension manager ("
- << socket_path << ") (" << e.what() << ")";
+ << path_ << ") (" << e.what() << ")";
}
}
}

189
sysutils/osquery/files/patch-osquery_extensions_interface.h
View file

@ -1,189 +0,0 @@
--- osquery/extensions/interface.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/interface.h
@@ -30,7 +30,6 @@
// clang-format on
namespace osquery {
-namespace extensions {
using namespace apache::thrift;
using namespace apache::thrift::protocol;
@@ -38,6 +37,21 @@ using namespace apache::thrift::transpor
using namespace apache::thrift::server;
using namespace apache::thrift::concurrency;
+/// Create easier to reference typedefs for Thrift layer implementations.
+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr
+typedef SHARED_PTR_IMPL<TSocket> TSocketRef;
+typedef SHARED_PTR_IMPL<TTransport> TTransportRef;
+typedef SHARED_PTR_IMPL<TProtocol> TProtocolRef;
+
+typedef SHARED_PTR_IMPL<TProcessor> TProcessorRef;
+typedef SHARED_PTR_IMPL<TServerTransport> TServerTransportRef;
+typedef SHARED_PTR_IMPL<TTransportFactory> TTransportFactoryRef;
+typedef SHARED_PTR_IMPL<TProtocolFactory> TProtocolFactoryRef;
+typedef SHARED_PTR_IMPL<PosixThreadFactory> PosixThreadFactoryRef;
+typedef std::shared_ptr<TThreadPoolServer> TThreadPoolServerRef;
+
+namespace extensions {
+
/**
* @brief The Thrift API server used by an osquery Extension process.
*
@@ -68,6 +82,7 @@ class ExtensionHandler : virtual public
const ExtensionPluginRequest& request);
protected:
+ /// Transient UUID assigned to the extension after registering.
RouteUUID uuid_;
};
@@ -163,6 +178,7 @@ class ExtensionManagerHandler : virtual
private:
/// Check if an extension exists by the name it registered.
bool exists(const std::string& name);
+
/// Introspect into the registry, checking if any extension routes have been
/// removed.
void refresh();
@@ -170,6 +186,9 @@ class ExtensionManagerHandler : virtual
/// Maintain a map of extension UUID to metadata for tracking deregistration.
InternalExtensionList extensions_;
};
+
+typedef SHARED_PTR_IMPL<ExtensionHandler> ExtensionHandlerRef;
+typedef SHARED_PTR_IMPL<ExtensionManagerHandler> ExtensionManagerHandlerRef;
}
/// A Dispatcher service thread that watches an ExtensionManagerHandler.
@@ -183,7 +202,8 @@ class ExtensionWatcher : public Internal
public:
/// The Dispatcher thread entry point.
- void enter();
+ void start();
+
/// Perform health checks.
virtual void watch();
@@ -194,8 +214,10 @@ class ExtensionWatcher : public Internal
protected:
/// The UNIX domain socket path for the ExtensionManager.
std::string path_;
+
/// The internal in milliseconds to ping the ExtensionManager.
size_t interval_;
+
/// If the ExtensionManager socket is closed, should the extension exit.
bool fatal_;
};
@@ -205,60 +227,87 @@ class ExtensionManagerWatcher : public E
ExtensionManagerWatcher(const std::string& path, size_t interval)
: ExtensionWatcher(path, interval, false) {}
+ /// Start a specialized health check for an ExtensionManager.
void watch();
};
-/// A Dispatcher service thread that starts ExtensionHandler.
-class ExtensionRunner : public InternalRunnable {
+class ExtensionRunnerCore : public InternalRunnable {
+ public:
+ virtual ~ExtensionRunnerCore();
+ ExtensionRunnerCore(const std::string& path)
+ : path_(path), server_(nullptr) {}
+
+ public:
+ /// Given a handler transport and protocol start a thrift threaded server.
+ void startServer(TProcessorRef processor);
+
+ // The Dispatcher thread service stop point.
+ void stop();
+
+ protected:
+ /// The UNIX domain socket used for requests from the ExtensionManager.
+ std::string path_;
+
+ /// Server instance, will be stopped if thread service is removed.
+ TThreadPoolServerRef server_;
+};
+
+/**
+ * @brief A Dispatcher service thread that starts ExtensionHandler.
+ *
+ * This runner will start a Thrift Extension server, call serve, and wait
+ * until the extension exists or the ExtensionManager (core) terminates or
+ * deregisters the extension.
+ *
+ */
+class ExtensionRunner : public ExtensionRunnerCore {
public:
- virtual ~ExtensionRunner();
ExtensionRunner(const std::string& manager_path, RouteUUID uuid)
- : uuid_(uuid) {
+ : ExtensionRunnerCore(""), uuid_(uuid) {
path_ = getExtensionSocket(uuid, manager_path);
}
public:
- /// The Dispatcher thread entry point.
- void enter();
+ void start();
/// Access the UUID provided by the ExtensionManager.
RouteUUID getUUID() { return uuid_; }
private:
- /// The UNIX domain socket used for requests from the ExtensionManager.
- std::string path_;
/// The unique and transient Extension UUID assigned by the ExtensionManager.
RouteUUID uuid_;
};
-/// A Dispatcher service thread that starts ExtensionManagerHandler.
-class ExtensionManagerRunner : public InternalRunnable {
+/**
+ * @brief A Dispatcher service thread that starts ExtensionManagerHandler.
+ *
+ * This runner will start a Thrift ExtensionManager server, call serve, and wait
+ * until for extensions to register, or thrift API calls.
+ *
+ */
+class ExtensionManagerRunner : public ExtensionRunnerCore {
public:
- virtual ~ExtensionManagerRunner();
explicit ExtensionManagerRunner(const std::string& manager_path)
- : path_(manager_path) {}
+ : ExtensionRunnerCore(manager_path) {}
public:
- void enter();
-
- private:
- std::string path_;
+ void start();
};
/// Internal accessor for extension clients.
class EXInternal {
public:
explicit EXInternal(const std::string& path)
- : socket_(new extensions::TSocket(path)),
- transport_(new extensions::TBufferedTransport(socket_)),
- protocol_(new extensions::TBinaryProtocol(transport_)) {}
+ : socket_(new TSocket(path)),
+ transport_(new TBufferedTransport(socket_)),
+ protocol_(new TBinaryProtocol(transport_)) {}
virtual ~EXInternal() { transport_->close(); }
protected:
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TSocket> socket_;
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TTransport> transport_;
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TProtocol> protocol_;
+ TSocketRef socket_;
+ TTransportRef transport_;
+ TProtocolRef protocol_;
};
/// Internal accessor for a client to an extension (from an extension manager).

136
sysutils/osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp
View file

@ -1,136 +0,0 @@
--- osquery/extensions/tests/extensions_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/tests/extensions_tests.cpp
@@ -30,16 +30,17 @@ const std::string kTestManagerSocket = k
class ExtensionsTest : public testing::Test {
protected:
void SetUp() {
- remove(kTestManagerSocket);
- if (pathExists(kTestManagerSocket).ok()) {
- throw std::domain_error("Cannot test sockets: " + kTestManagerSocket);
+ socket_path = kTestManagerSocket + std::to_string(rand());
+ remove(socket_path);
+ if (pathExists(socket_path).ok()) {
+ throw std::domain_error("Cannot test sockets: " + socket_path);
}
}
void TearDown() {
- Dispatcher::removeServices();
+ Dispatcher::stopServices();
Dispatcher::joinServices();
- remove(kTestManagerSocket);
+ remove(socket_path);
}
bool ping(int attempts = 3) {
@@ -47,7 +48,7 @@ class ExtensionsTest : public testing::T
ExtensionStatus status;
for (int i = 0; i < attempts; ++i) {
try {
- EXManagerClient client(kTestManagerSocket);
+ EXManagerClient client(socket_path);
client.get()->ping(status);
return (status.code == ExtensionCode::EXT_SUCCESS);
} catch (const std::exception& e) {
@@ -63,7 +64,7 @@ class ExtensionsTest : public testing::T
ExtensionResponse response;
for (int i = 0; i < attempts; ++i) {
try {
- EXManagerClient client(kTestManagerSocket);
+ EXManagerClient client(socket_path);
client.get()->query(response, sql);
} catch (const std::exception& e) {
::usleep(kDelayUS);
@@ -81,7 +82,7 @@ class ExtensionsTest : public testing::T
ExtensionList registeredExtensions(int attempts = 3) {
ExtensionList extensions;
for (int i = 0; i < attempts; ++i) {
- if (getExtensions(kTestManagerSocket, extensions).ok()) {
+ if (getExtensions(socket_path, extensions).ok()) {
break;
}
}
@@ -101,34 +102,37 @@ class ExtensionsTest : public testing::T
}
return false;
}
+
+ public:
+ std::string socket_path;
};
TEST_F(ExtensionsTest, test_manager_runnable) {
// Start a testing extension manager.
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
// Call success if the Unix socket was created.
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
}
TEST_F(ExtensionsTest, test_extension_runnable) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
// Wait for the extension manager to start.
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// Test the extension manager API 'ping' call.
EXPECT_TRUE(ping());
}
TEST_F(ExtensionsTest, test_extension_start) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// Now allow duplicates (for testing, since EM/E are the same).
Registry::allowDuplicates(true);
- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1");
+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1");
// This will not be false since we are allowing deplicate items.
// Otherwise, starting an extension and extensionManager would fatal.
ASSERT_TRUE(status.ok());
@@ -138,7 +142,7 @@ TEST_F(ExtensionsTest, test_extension_st
RouteUUID uuid = (RouteUUID)stoi(status.getMessage(), nullptr, 0);
// We can test-wait for the extensions's socket to open.
- EXPECT_TRUE(socketExists(kTestManagerSocket + "." + std::to_string(uuid)));
+ EXPECT_TRUE(socketExists(socket_path + "." + std::to_string(uuid)));
// Then clean up the registry modifications.
Registry::removeBroadcast(uuid);
@@ -160,9 +164,9 @@ class TestExtensionPlugin : public Exten
CREATE_REGISTRY(ExtensionPlugin, "extension_test");
TEST_F(ExtensionsTest, test_extension_broadcast) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// This time we're going to add a plugin to the extension_test registry.
Registry::add<TestExtensionPlugin>("extension_test", "test_item");
@@ -180,7 +184,7 @@ TEST_F(ExtensionsTest, test_extension_br
EXPECT_TRUE(Registry::exists("extension_test", "test_item"));
EXPECT_FALSE(Registry::exists("extension_test", "test_alias"));
- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1");
+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1");
EXPECT_TRUE(status.ok());
RouteUUID uuid;
@@ -191,7 +195,7 @@ TEST_F(ExtensionsTest, test_extension_br
return;
}
- auto ext_socket = kTestManagerSocket + "." + std::to_string(uuid);
+ auto ext_socket = socket_path + "." + std::to_string(uuid);
EXPECT_TRUE(socketExists(ext_socket));
// Make sure the EM registered the extension (called in start extension).

10
sysutils/osquery/files/patch-osquery_filesystem_CMakeLists.txt
View file

@ -1,10 +0,0 @@
--- osquery/filesystem/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ osquery/filesystem/CMakeLists.txt
@@ -4,6 +4,7 @@ if(APPLE)
)
ADD_OSQUERY_LINK(TRUE "-framework Foundation")
+elseif(FREEBSD)
elseif(LINUX)
ADD_OSQUERY_LIBRARY(TRUE osquery_filesystem_linux
linux/mem.cpp

23
sysutils/osquery/files/patch-osquery_main_run.cpp
View file

@ -1,23 +0,0 @@
--- osquery/main/run.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/main/run.cpp
@@ -10,10 +10,9 @@
#include <errno.h>
-#include <gflags/gflags.h>
-
#include <osquery/core.h>
#include <osquery/events.h>
+#include <osquery/flags.h>
#include <osquery/logger.h>
#include <osquery/sql.h>
@@ -27,7 +26,7 @@ int main(int argc, char* argv[]) {
// Let gflags parse the non-help options/flags.
GFLAGS_NAMESPACE::ParseCommandLineFlags(&argc, &argv, false);
- GFLAGS_NAMESPACE::InitGoogleLogging(argv[0]);
+ google::InitGoogleLogging(argv[0]);
if (FLAGS_query == "") {
fprintf(stderr, "Usage: %s --query=\"query\"\n", argv[0]);

112
sysutils/osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp
View file

@ -1,112 +0,0 @@
--- osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp
@@ -16,6 +16,8 @@
#include <gtest/gtest.h>
#include <osquery/enrollment.h>
+
+#include "osquery/dispatcher/dispatcher.h"
#include "osquery/remote/requests.h"
#include "osquery/remote/transports/http.h"
#include "osquery/remote/serializers/json.h"
@@ -35,48 +37,78 @@ struct TestHTTPEnrollmentHandler {
response = Server::response::stock_reply(
Server::response::ok, std::string("{\"enrollment_key\":\"potatoes\"}"));
}
- void log(...) {}
+
+ void log(Server::string_type const &info) {
+ VLOG(1) << "TestHTTPEnrollmentHandler logging";
+ }
+};
+
+class HTTPEnrollServerRunner : public InternalRunnable {
+ public:
+ explicit HTTPEnrollServerRunner(std::shared_ptr<Server> server)
+ : server_(server) {}
+
+ void start() {
+ // Using a dispatcher and runnable allows us to catch and pretty print
+ // any socket/service exceptions.
+ try {
+ server_->run();
+ } catch (const std::exception &e) {
+ LOG(ERROR) << "Testing HTTP server failed: " << e.what();
+ }
+ }
+
+ private:
+ std::shared_ptr<Server> server_;
};
class RemoteEnrollmentTests : public testing::Test {
public:
- RemoteEnrollmentTests() {
- auto enroll_port = std::to_string(rand() % 10000 + 10000);
- FLAGS_enrollment_uri = "http://localhost:" + enroll_port;
- FLAGS_enrollment_app_id = "just_a_test_id";
+ void SetUp() {
+ port_ = std::to_string(rand() % 10000 + 20000);
TestHTTPEnrollmentHandler handler;
- Server::options options(handler);
- server_ = std::make_shared<Server>(
- options.address("127.0.0.1").port(enroll_port));
- t_ =
- std::make_shared<boost::thread>(boost::bind(&Server::run, &(*server_)));
+ Server::options opts(handler);
+
+ // Create an HTTP server instance.
+ server_ = std::make_shared<Server>(opts.address("127.0.0.1").port(port_));
+
+ // Create a runnable and add it to the dispatcher.
+ Dispatcher::addService(std::make_shared<HTTPEnrollServerRunner>(server_));
}
~RemoteEnrollmentTests() {
server_->stop();
- t_->join();
+ Dispatcher::joinServices();
}
- private:
+ protected:
std::shared_ptr<Server> server_;
- std::shared_ptr<boost::thread> t_;
+ std::string port_;
};
-/*
TEST_F(RemoteEnrollmentTests, test_enroll) {
+ // Set the enrollment URI to the server we created.
+ FLAGS_enrollment_uri = "http://127.0.0.1:" + port_;
+ FLAGS_enrollment_app_id = "just_a_test_id";
+
// Call enroll
PluginRequest request = {
- {"enroll", "1"}, // 0 enroll if needed, 1 force re-enroll
+ {"enroll", "1"},
+ // 0 enroll if needed, 1 force re-enroll
};
PluginResponse resp;
Status stat = Registry::call("enrollment", "get_key", request, resp);
- EXPECT_TRUE(stat.ok());
- // Verify get key contains the string
- if (resp.size() == 1) {
- EXPECT_EQ(resp[0]["key"], "potatoes");
- } else {
- EXPECT_EQ(resp.size(), 1);
+
+ // The enrollment server test mostly stresses workflow and code coverage.
+ // Occasionally, like with the transports testing, the non-mocked netlib
+ // server failed to bind.
+ if (stat.ok()) {
+ // Verify get key contains the string
+ if (resp.size() == 1) {
+ EXPECT_EQ(resp[0]["key"], "potatoes");
+ } else {
+ EXPECT_EQ(resp.size(), 1);
+ }
}
}
-*/
}

11
sysutils/osquery/files/patch-osquery_remote_requests.h
View file

@ -1,11 +0,0 @@
--- osquery/remote/requests.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/requests.h
@@ -152,7 +152,7 @@ class Serializer {
std::string& serialized) = 0;
/**
- * @brief Deerialize a property tree into a property tree
+ * @brief Deserialize a property tree into a property tree
*
* @param params A string of serialized parameters
*

38
sysutils/osquery/files/patch-osquery_remote_transports_http.cpp
View file

@ -1,38 +0,0 @@
--- osquery/remote/transports/http.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/transports/http.cpp
@@ -25,9 +25,14 @@ Status HTTPTransport::sendRequest() {
http::client client;
http::client::request r(destination_);
decorateRequest(r);
- response_ = client.get(r);
- response_status_ =
- serializer_->deserialize(body(response_), response_params_);
+
+ try {
+ response_ = client.get(r);
+ response_status_ =
+ serializer_->deserialize(body(response_), response_params_);
+ } catch (const std::exception& e) {
+ return Status(1, std::string("Request error: ") + e.what());
+ }
return response_status_;
}
@@ -35,9 +40,14 @@ Status HTTPTransport::sendRequest(const
http::client client;
http::client::request r(destination_);
decorateRequest(r);
- response_ = client.post(r, params);
- response_status_ =
- serializer_->deserialize(body(response_), response_params_);
+
+ try {
+ response_ = client.post(r, params);
+ response_status_ =
+ serializer_->deserialize(body(response_), response_params_);
+ } catch (const std::exception& e) {
+ return Status(1, std::string("Request error: ") + e.what());
+ }
return response_status_;
}
}

116
sysutils/osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp
View file

@ -1,116 +0,0 @@
--- osquery/remote/transports/tests/http_transports_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/transports/tests/http_transports_tests.cpp
@@ -15,6 +15,7 @@
#include <gtest/gtest.h>
+#include "osquery/dispatcher/dispatcher.h"
#include "osquery/remote/requests.h"
#include "osquery/remote/serializers/json.h"
#include "osquery/remote/transports/http.h"
@@ -32,51 +33,83 @@ struct TestHTTPTransportHandler {
std::string("{\"foo\":\"bar\"}"));
}
- void log(...) {}
+ void log(Server::string_type const &info) {
+ VLOG(1) << "TestHTTPTransportHandler logging";
+ }
+};
+
+class HTTPServerRunner : public InternalRunnable {
+ public:
+ explicit HTTPServerRunner(std::shared_ptr<Server> server) : server_(server) {}
+
+ void start() {
+ // Using a dispatcher and runnable allows us to catch and pretty print
+ // any socket/service exceptions.
+ try {
+ server_->run();
+ } catch (const std::exception &e) {
+ LOG(ERROR) << "Testing HTTP server failed: " << e.what();
+ }
+ }
+
+ private:
+ std::shared_ptr<Server> server_;
};
class HTTPTransportsTests : public testing::Test {
public:
- HTTPTransportsTests() {
- port_ = std::to_string(rand() % 10000 + 10000);
+ void SetUp() {
+ port_ = std::to_string(rand() % 10000 + 20000);
TestHTTPTransportHandler handler;
- Server::options options(handler);
- server_ =
- std::make_shared<Server>(options.address("127.0.0.1").port(port_));
- t_ =
- std::make_shared<boost::thread>(boost::bind(&Server::run, &(*server_)));
+ Server::options opts(handler);
+
+ // Create an HTTP server instance.
+ server_ = std::make_shared<Server>(opts.address("127.0.0.1").port(port_));
+
+ // Create a runnable and add it to the dispatcher.
+ Dispatcher::addService(std::make_shared<HTTPServerRunner>(server_));
}
- ~HTTPTransportsTests() {
+ void TearDown() {
server_->stop();
- t_->join();
+ Dispatcher::joinServices();
}
protected:
std::shared_ptr<Server> server_;
- std::shared_ptr<boost::thread> t_;
std::string port_;
};
TEST_F(HTTPTransportsTests, test_call) {
auto r = Request<HTTPTransport, JSONSerializer>("http://127.0.0.1:" + port_);
- auto s1 = r.call();
- EXPECT_TRUE(s1.ok());
- boost::property_tree::ptree params;
- auto s2 = r.getResponse(params);
- EXPECT_TRUE(s2.ok());
+ Status status;
+ ASSERT_NO_THROW(status = r.call());
+
+ // Sometimes the best we can test is the call workflow.
+ if (status.ok()) {
+ boost::property_tree::ptree params;
+ status = r.getResponse(params);
+ EXPECT_TRUE(status.ok());
+ } else {
+ // The socket bind failed.
+ }
}
TEST_F(HTTPTransportsTests, test_call_with_params) {
auto r = Request<HTTPTransport, JSONSerializer>("http://127.0.0.1:" + port_);
boost::property_tree::ptree params;
params.put<std::string>("foo", "bar");
- auto s1 = r.call(params);
- EXPECT_TRUE(s1.ok());
- boost::property_tree::ptree recv;
- auto s2 = r.getResponse(recv);
- EXPECT_TRUE(s2.ok());
- EXPECT_EQ(params, recv);
+ Status status;
+ ASSERT_NO_THROW(status = r.call(params));
+
+ if (status.ok()) {
+ boost::property_tree::ptree recv;
+ auto s2 = r.getResponse(recv);
+ EXPECT_TRUE(s2.ok());
+ EXPECT_EQ(params, recv);
+ } else {
+ // The socket bind failed.
+ }
}
}

39
sysutils/osquery/files/patch-osquery_tables_CMakeLists.txt
View file

@ -1,39 +0,0 @@
--- osquery/tables/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/CMakeLists.txt
@@ -33,7 +33,7 @@ else()
file(GLOB OSQUERY_LINUX_TABLES_TESTS "*/linux/tests/*.cpp")
ADD_OSQUERY_TABLE_TEST(${OSQUERY_LINUX_TABLES_TESTS})
- if(CENTOS)
+ if(CENTOS OR RHEL)
# CentOS specific tables
file(GLOB OSQUERY_REDHAT_TABLES "*/centos/*.cpp")
ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat
@@ -59,7 +59,7 @@ else()
ADD_OSQUERY_LINK(FALSE "uuid")
endif()
-file(GLOB OSQUERY_CROSS_TABLES "[!u]*/*.cpp")
+file(GLOB OSQUERY_CROSS_TABLES "[!ue]*/*.cpp")
ADD_OSQUERY_LIBRARY(FALSE osquery_tables
${OSQUERY_CROSS_TABLES}
)
@@ -72,10 +72,12 @@ ADD_OSQUERY_LIBRARY(TRUE osquery_tables_
${OSQUERY_UTILITY_TABLES}
)
-file(GLOB OSQUERY_UTILS "utils/*.cpp")
-ADD_OSQUERY_LIBRARY(FALSE osquery_utils
- ${OSQUERY_UTILS}
-)
+if(NOT FREEBSD)
+ file(GLOB OSQUERY_UTILS "utils/*.cpp")
+ ADD_OSQUERY_LIBRARY(FALSE osquery_utils
+ ${OSQUERY_UTILS}
+ )
-file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")
-ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})
+ file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")
+ ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})
+endif()

12
sysutils/osquery/files/patch-osquery_tables_networking_interfaces.cpp
View file

@ -1,12 +0,0 @@
--- osquery/tables/networking/interfaces.cpp.orig 2015-05-08 22:48:42 UTC
+++ osquery/tables/networking/interfaces.cpp
@@ -11,8 +11,8 @@
#include <sstream>
#include <iomanip>
-#include <ifaddrs.h>
#include <net/if.h>
+#include <ifaddrs.h>
#include <sys/socket.h>
#ifdef __linux__

16
sysutils/osquery/files/patch-osquery_tables_networking_utils.h
View file

@ -1,16 +0,0 @@
--- osquery/tables/networking/utils.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/networking/utils.h
@@ -19,10 +19,10 @@ namespace osquery {
namespace tables {
// Define AF_INTERFACE as the alias for interface details.
-#ifdef __APPLE__
-#define AF_INTERFACE AF_LINK
-#else
+#ifdef __linux__
#define AF_INTERFACE AF_PACKET
+#else
+#define AF_INTERFACE AF_LINK
#endif
// Return a string representation for an IPv4/IPv6 struct.

40
sysutils/osquery/files/patch-osquery_tables_specs_blacklist
View file

@ -1,40 +0,0 @@
--- osquery/tables/specs/blacklist.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/specs/blacklist
@@ -1,4 +1,36 @@
# osquery/tables/specs/blacklist
# Usage: add table spec names to this list to prevent table generation
# Example: add tables that are not yet ready for release
-
+# Example: add a platform:table_name, which is not yet ready
+freebsd:acpi_tables
+freebsd:arp_cache
+freebsd:block_devices
+freebsd:chrome_extensions
+freebsd:disk_encryption
+freebsd:file_events
+freebsd:firefox_addons
+#freebsd:groups
+freebsd:hardware_events
+#freebsd:interface_addresses
+#freebsd:interface_details
+freebsd:kernel_info
+freebsd:last
+#freebsd:listening_ports
+#freebsd:mounts
+freebsd:opera_extensions
+freebsd:os_version
+freebsd:passwd_changes
+freebsd:pci_devices
+freebsd:process_envs
+freebsd:process_memory_map
+freebsd:process_open_files
+freebsd:process_open_sockets
+freebsd:processes
+freebsd:routes
+freebsd:system_controls
+freebsd:usb_devices
+#freebsd:users
+freebsd:yara_events
+freebsd:yara
+freebsd:system_controls
+freebsd:smbios_tables

11
sysutils/osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp
View file

@ -1,11 +0,0 @@
--- osquery/tables/system/centos/rpm_packages.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/centos/rpm_packages.cpp
@@ -147,7 +147,7 @@ QueryData genRpmPackageFiles(QueryContex
r["mode"] = lsperms(rpmfiFMode(fi));
r["size"] = BIGINT(rpmfiFSize(fi));
-#ifdef CENTOS_CENTOS6
+#if defined(CENTOS_CENTOS6) || defined(RHEL_RHEL6)
// Older versions of rpmlib/rpmip use a hash algorithm enum.
pgpHashAlgo digest_algo;
#else

43
sysutils/osquery/files/patch-osquery_tables_system_freebsd_groups.cpp
View file

@ -1,43 +0,0 @@
--- osquery/tables/system/freebsd/groups.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/freebsd/groups.cpp
@@ -8,6 +8,11 @@
*
*/
+#include <set>
+#include <mutex>
+
+#include <grp.h>
+
#include <osquery/core.h>
#include <osquery/tables.h>
@@ -16,10 +21,26 @@ namespace tables {
std::mutex grpEnumerationMutex;
-QueryData genGroups(QueryContext& context) {
+QueryData genGroups(QueryContext &context) {
+ std::lock_guard<std::mutex> lock(grpEnumerationMutex);
QueryData results;
+ struct group *grp = nullptr;
+ std::set<long> groups_in;
- throw std::domain_error("Table not implemented for FreeBSD");
+ setgrent();
+ while ((grp = getgrent()) != nullptr) {
+ if (std::find(groups_in.begin(), groups_in.end(), grp->gr_gid) ==
+ groups_in.end()) {
+ Row r;
+ r["gid"] = INTEGER(grp->gr_gid);
+ r["gid_signed"] = INTEGER((int32_t) grp->gr_gid);
+ r["groupname"] = TEXT(grp->gr_name);
+ results.push_back(r);
+ groups_in.insert(grp->gr_gid);
+ }
+ }
+ endgrent();
+ groups_in.clear();
return results;
}

57
sysutils/osquery/files/patch-osquery_tables_system_freebsd_mounts.cpp
View file

@ -1,57 +0,0 @@
--- osquery/tables/system/freebsd/mounts.cpp.orig 2015-05-18 14:14:18 UTC
+++ osquery/tables/system/freebsd/mounts.cpp
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2014, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+#include <stdio.h>
+#include <sys/mount.h>
+
+#include <osquery/tables.h>
+
+namespace osquery {
+namespace tables {
+
+QueryData genMounts(QueryContext& context) {
+ QueryData results;
+
+ struct statfs *mnt;
+ int mnts = 0;
+ int i;
+ char real_path[PATH_MAX];
+
+ mnts = getmntinfo(&mnt, MNT_WAIT);
+ if (mnts == 0) {
+ // Failed to get mount information.
+ return results;
+ }
+
+ for (i = 0; i < mnts; i++) {
+ Row r;
+ r["path"] = TEXT(mnt[i].f_mntonname);
+ r["device"] = TEXT(mnt[i].f_mntfromname);
+ r["device_alias"] = std::string(realpath(mnt[i].f_mntfromname, real_path)
+ ? real_path
+ : mnt[i].f_mntfromname);
+ r["type"] = TEXT(mnt[i].f_fstypename);
+ r["flags"] = INTEGER(mnt[i].f_flags);
+ r["blocks"] = BIGINT(mnt[i].f_blocks);
+ r["blocks_free"] = BIGINT(mnt[i].f_bfree);
+ r["blocks_available"] = BIGINT(mnt[i].f_bavail);
+ r["blocks_size"] = BIGINT(mnt[i].f_bsize);
+ r["inodes"] = BIGINT(mnt[i].f_files);
+ r["inodes_free"] = BIGINT(mnt[i].f_ffree);
+ r["owner"] = INTEGER(mnt[i].f_owner);
+ results.push_back(r);
+ }
+ return results;
+}
+}
+}

39
sysutils/osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp
View file

@ -1,39 +0,0 @@
--- osquery/tables/system/freebsd/sysctl_utils.cpp.orig 2015-05-10 20:45:08 UTC
+++ osquery/tables/system/freebsd/sysctl_utils.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2014, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+//#include <sys/sysctl.h>
+
+#include <osquery/filesystem.h>
+#include <osquery/tables.h>
+
+#include "osquery/tables/system/sysctl_utils.h"
+
+namespace osquery {
+namespace tables {
+
+void genControlInfo(int* oid,
+ size_t oid_size,
+ QueryData& results,
+ const std::map<std::string, std::string>& config) {
+}
+
+void genControlInfoFromName(const std::string& name, QueryData& results,
+ const std::map<std::string, std::string>& config) {
+}
+
+void genAllControls(QueryData& results,
+ const std::map<std::string, std::string>& config,
+ const std::string& subsystem) {
+}
+}
+}

49
sysutils/osquery/files/patch-osquery_tables_system_freebsd_users.cpp
View file

@ -1,49 +0,0 @@
--- osquery/tables/system/freebsd/users.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/freebsd/users.cpp
@@ -8,16 +8,45 @@
*
*/
+#include <set>
+#include <mutex>
+#include <vector>
+#include <string>
+
+#include <pwd.h>
+
#include <osquery/core.h>
#include <osquery/tables.h>
namespace osquery {
namespace tables {
+std::mutex pwdEnumerationMutex;
+
QueryData genUsers(QueryContext& context) {
+ std::lock_guard<std::mutex> lock(pwdEnumerationMutex);
QueryData results;
+ struct passwd *pwd = nullptr;
+ std::set<long> users_in;
- throw std::domain_error("Table not implemented for FreeBSD");
+ while ((pwd = getpwent()) != nullptr) {
+ if (std::find(users_in.begin(), users_in.end(), pwd->pw_uid) ==
+ users_in.end()) {
+ Row r;
+ r["uid"] = BIGINT(pwd->pw_uid);
+ r["gid"] = BIGINT(pwd->pw_gid);
+ r["uid_signed"] = BIGINT((int32_t) pwd->pw_uid);
+ r["gid_signed"] = BIGINT((int32_t) pwd->pw_gid);
+ r["username"] = TEXT(pwd->pw_name);
+ r["description"] = TEXT(pwd->pw_gecos);
+ r["directory"] = TEXT(pwd->pw_dir);
+ r["shell"] = TEXT(pwd->pw_shell);
+ results.push_back(r);
+ users_in.insert(pwd->pw_uid);
+ }
+ }
+ endpwent();
+ users_in.clear();
return results;
}

11
sysutils/osquery/files/patch-osquery_tables_system_linux_os__version.cpp
View file

@ -1,11 +0,0 @@
--- osquery/tables/system/linux/os_version.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/linux/os_version.cpp
@@ -22,7 +22,7 @@ namespace xp = boost::xpressive;
namespace osquery {
namespace tables {
-#ifdef CENTOS
+#if defined(CENTOS) || defined(RHEL)
const std::string kLinuxOSRelease = "/etc/redhat-release";
const std::string kLinuxOSRegex =
"(?P<name>\\w+) .* "

44
sysutils/osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt
View file

@ -1,44 +0,0 @@
--- third-party/cpp-netlib/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC
+++ third-party/cpp-netlib/CMakeLists.txt
@@ -101,41 +101,3 @@ if (MSVC)
endif()
enable_testing()
-
-install(DIRECTORY boost DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
-
-###
-## Export Targets
-# (so cpp-netlib can be easily used by other CMake projects)
-# [see http://www.cmake.org/Wiki/CMake/Tutorials/How_to_create_a_ProjectConfig.cmake_file]
-
-# Add all targets to the build-tree export set
-export(TARGETS cppnetlib-client-connections cppnetlib-server-parsers cppnetlib-uri
- FILE "${PROJECT_BINARY_DIR}/cppnetlibTargets.cmake")
-# Export the package for use from the build-tree
-# (this registers the build-tree with a global CMake-registry)
-export(PACKAGE cppnetlib)
-# Create the cppnetlibConfig.cmake and cppnetlibConfigVersion files
-file(RELATIVE_PATH REL_INCLUDE_DIR "${INSTALL_CMAKE_DIR}"
- "${CMAKE_INSTALL_FULL_INCLUDEDIR}")
-# ... for the build tree
-set(CONF_INCLUDE_DIRS "${PROJECT_SOURCE_DIR}")
-configure_file(cppnetlibConfig.cmake.in
- "${PROJECT_BINARY_DIR}/cppnetlibConfig.cmake" @ONLY)
-# ... for the install tree
-set(CONF_INCLUDE_DIRS "\${CPPNETLIB_CMAKE_DIR}/${REL_INCLUDE_DIR}")
-configure_file(cppnetlibConfig.cmake.in
- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake" @ONLY)
-# ... for both
-configure_file(cppnetlibConfigVersion.cmake.in
- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake" @ONLY)
-# Install the cppnetlibConfig.cmake and cppnetlibConfigVersion.cmake
-install(FILES
- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake"
- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake"
- DESTINATION "${INSTALL_CMAKE_DIR}"
- COMPONENT dev)
-# Install the export set for use with the install-tree
-install(EXPORT cppnetlibTargets
- DESTINATION "${INSTALL_CMAKE_DIR}"
- COMPONENT dev)

35
sysutils/osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt
View file

@ -1,35 +0,0 @@
--- third-party/cpp-netlib/libs/network/src/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC
+++ third-party/cpp-netlib/libs/network/src/CMakeLists.txt
@@ -17,11 +17,6 @@ set_target_properties(cppnetlib-uri
PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING}
SOVERSION ${CPPNETLIB_VERSION_MAJOR}
PUBLIC_HEADER "${CPP-NETLIB_HEADERS}")
-install(TARGETS cppnetlib-uri
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})
set(CPP-NETLIB_HTTP_SERVER_SRCS server_request_parsers_impl.cpp)
add_library(cppnetlib-server-parsers ${CPP-NETLIB_HTTP_SERVER_SRCS})
@@ -29,11 +24,6 @@ set_target_properties(cppnetlib-server-p
PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING}
SOVERSION ${CPPNETLIB_VERSION_MAJOR}
PUBLIC_HEADER "${CPP-NETLIB_HEADERS}")
-install(TARGETS cppnetlib-server-parsers
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})
set(CPP-NETLIB_HTTP_CLIENT_SRCS client.cpp)
add_library(cppnetlib-client-connections ${CPP-NETLIB_HTTP_CLIENT_SRCS})
@@ -47,8 +37,3 @@ endif ()
if (Boost_FOUND)
target_link_libraries(cppnetlib-client-connections ${Boost_System_LIBRARY})
endif ()
-install(TARGETS cppnetlib-client-connections
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})

57
sysutils/osquery/files/patch-third-party_glog_src_utilities.h
View file

@ -1,57 +0,0 @@
--- third-party/glog/src/utilities.h.orig 2015-04-16 17:06:51 UTC
+++ third-party/glog/src/utilities.h
@@ -81,54 +81,6 @@
#include "config.h"
#include "glog/logging.h"
-// There are three different ways we can try to get the stack trace:
-//
-// 1) The libunwind library. This is still in development, and as a
-// separate library adds a new dependency, but doesn't need a frame
-// pointer. It also doesn't call malloc.
-//
-// 2) Our hand-coded stack-unwinder. This depends on a certain stack
-// layout, which is used by gcc (and those systems using a
-// gcc-compatible ABI) on x86 systems, at least since gcc 2.95.
-// It uses the frame pointer to do its work.
-//
-// 3) The gdb unwinder -- also the one used by the c++ exception code.
-// It's obviously well-tested, but has a fatal flaw: it can call
-// malloc() from the unwinder. This is a problem because we're
-// trying to use the unwinder to instrument malloc().
-//
-// Note: if you add a new implementation here, make sure it works
-// correctly when GetStackTrace() is called with max_depth == 0.
-// Some code may do that.
-
-#if defined(HAVE_LIB_UNWIND)
-# define STACKTRACE_H "stacktrace_libunwind-inl.h"
-#elif !defined(NO_FRAME_POINTER)
-# if defined(__i386__) && __GNUC__ >= 2
-# define STACKTRACE_H "stacktrace_x86-inl.h"
-# elif defined(__x86_64__) && __GNUC__ >= 2 && HAVE_UNWIND_H
-# define STACKTRACE_H "stacktrace_x86_64-inl.h"
-# elif (defined(__ppc__) || defined(__PPC__)) && __GNUC__ >= 2
-# define STACKTRACE_H "stacktrace_powerpc-inl.h"
-# endif
-#endif
-
-#if !defined(STACKTRACE_H) && defined(HAVE_EXECINFO_H)
-# define STACKTRACE_H "stacktrace_generic-inl.h"
-#endif
-
-#if defined(STACKTRACE_H)
-# define HAVE_STACKTRACE
-#endif
-
-// defined by gcc
-#if defined(__ELF__) && defined(OS_LINUX)
-# define HAVE_SYMBOLIZE
-#elif defined(OS_MACOSX) && defined(HAVE_DLADDR)
-// Use dladdr to symbolize.
-# define HAVE_SYMBOLIZE
-#endif
-
#ifndef ARRAYSIZE
// There is a better way, but this is good enough for our purpose.
# define ARRAYSIZE(a) (sizeof(a) / sizeof(*(a)))

51
sysutils/osquery/files/patch-tools_codegen_gentable.py
View file

@ -1,51 +0,0 @@
--- tools/codegen/gentable.py.orig 2015-05-05 00:16:41 UTC
+++ tools/codegen/gentable.py
@@ -30,9 +30,15 @@ TEMPLATES = {}
# Temporary reserved column names
RESERVED = ["n", "index"]
-# Supported SQL types for spec
-
+# Set the platform in osquery-language
+if sys.platform.find("freebsd") == 0:
+ PLATFORM = "freebsd"
+elif sys.platform in ["linux", "linux2"]:
+ PLATFORM = "linux"
+else:
+ PLATFORM = sys.platform
+# Supported SQL types for spec
class DataType(object):
def __init__(self, affinity, cpp_type="std::string"):
@@ -79,6 +85,8 @@ def is_blacklisted(table_name, path=None
"""Allow blacklisting by tablename."""
if blacklist is None:
specs_path = os.path.dirname(os.path.dirname(path))
+ if os.path.basename(specs_path) == "tables":
+ specs_path += "/specs"
blacklist_path = os.path.join(specs_path, "blacklist")
if not os.path.exists(blacklist_path):
return False
@@ -91,9 +99,19 @@ def is_blacklisted(table_name, path=None
except:
# Blacklist is not readable.
return False
- # table_name based blacklisting!
- return table_name in blacklist if blacklist else False
+ if not blacklist:
+ return False
+ # table_name based blacklisting!
+ for item in blacklist:
+ item = item.split(":")
+ # If this item is restricted to a platform and the platform
+ # and table name match
+ if len(item) > 1 and PLATFORM == item[0] and table_name == item[1]:
+ return True
+ elif len(item) == 1 and table_name == item[0]:
+ return True
+ return False
def setup_templates(path):
tables_path = os.path.dirname(os.path.dirname(path))

28
sysutils/osquery/files/patch-tools_deployment_osquery.example.conf
View file

@ -1,28 +0,0 @@
--- tools/deployment/osquery.example.conf.orig 2015-05-09 02:10:08 UTC
+++ tools/deployment/osquery.example.conf
@@ -10,7 +10,7 @@
// The log directory stores info, warning, and errors.
// If the daemon uses the 'filesystem' logging retriever then the log_dir
// will also contain the query results.
- //"logger_path": "/var/log/osquery",
+ "logger_path": "/var/log/osquery",
// Set 'disable_logging' to true to prevent writing any info, warning, error
// logs. If a logging plugin is selected it will still write query results.
@@ -27,14 +27,14 @@
//"schedule_splay_percent": "10",
// Write the pid of the osqueryd process to a pidfile/mutex.
- //"pidfile": "/var/osquery/osquery.pidfile",
+ "pidfile": "/var/run/osqueryd.pid",
// Clear events from the osquery backing store after a number of seconds.
"event_pubsub_expiry": "86000",
// A filesystem path for disk-based backing storage used for events and
// and query results differentials. See also 'use_in_memory_database'.
- //"database_path": "/var/osquery/osquery.db",
+ "database_path": "/var/db/osquery/osquery.db",
// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.

12
sysutils/osquery/files/patch-tools_provision_freebsd.sh
View file

@ -1,12 +0,0 @@
--- tools/provision/freebsd.sh.orig 2015-05-05 00:16:41 UTC
+++ tools/provision/freebsd.sh
@@ -12,6 +12,9 @@ function main_freebsd() {
package git
package python
package py27-pip
+ package snappy
package rocksdb
+ package thrift
package thrift-cpp
+ package yara
}

61
sysutils/osquery/files/patch-tools_provision_lib.sh
View file

@ -1,61 +0,0 @@
--- tools/provision/lib.sh.orig 2015-05-05 00:16:41 UTC
+++ tools/provision/lib.sh
@@ -57,27 +57,31 @@ function install_thrift() {
function install_rocksdb() {
if [[ ! -f /usr/local/lib/librocksdb.a ]]; then
- if [[ ! -f rocksdb-3.5.tar.gz ]]; then
- wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.5.tar.gz
+ if [[ ! -f rocksdb-3.10.2.tar.gz ]]; then
+ wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.10.2.tar.gz
else
log "rocksdb source is already downloaded. skipping."
fi
- if [[ ! -d rocksdb-rocksdb-3.5 ]]; then
- tar -xf rocksdb-3.5.tar.gz
+ if [[ ! -d rocksdb-rocksdb-3.10.2 ]]; then
+ tar -xf rocksdb-3.10.2.tar.gz
fi
- if [[ ! -f rocksdb-rocksdb-3.5/librocksdb.a ]]; then
+ if [[ ! -f rocksdb-rocksdb-3.10.2/librocksdb.a ]]; then
if [[ $OS = "ubuntu" ]]; then
CLANG_INCLUDE="-I/usr/include/clang/3.4/include"
elif [ $OS = "centos" ] || [ $OS = "rhel" ]; then
CLANG_VERSION=`clang --version | grep version | cut -d" " -f3`
CLANG_INCLUDE="-I/usr/lib/clang/$CLANG_VERSION/include"
fi
- pushd rocksdb-rocksdb-3.5
- make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ pushd rocksdb-rocksdb-3.10.2
+ if [[ $OS = "freebsd" ]]; then
+ CC=cc CXX=c++ gmake static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ else
+ make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ fi
popd
fi
- sudo cp rocksdb-rocksdb-3.5/librocksdb.a /usr/local/lib
- sudo cp -R rocksdb-rocksdb-3.5/include/rocksdb /usr/local/include
+ sudo cp rocksdb-rocksdb-3.10.2/librocksdb.a /usr/local/lib
+ sudo cp -R rocksdb-rocksdb-3.10.2/include/rocksdb /usr/local/include
else
log "rocksdb already installed. skipping."
fi
@@ -253,7 +257,7 @@ function package() {
brew install --build-bottle $1 || brew upgrade $@
fi
elif [[ $OS = "freebsd" ]]; then
- if [[ -z "$(pkg info -q $1)" ]]; then
+ if pkg info -q $1; then
log "$1 is already installed. skipping."
else
log "installing $1"
@@ -285,7 +289,7 @@ function remove_package() {
log "Removing: $1 is not installed. skipping."
fi
elif [[ $OS = "freebsd" ]]; then
- if [[ -n "$(pkg info -q $1)" ]]; then
+ if ! pkg info -q $1; then
log "removing $1"
sudo pkg delete -y $1
else

15
sysutils/osquery/files/patch-tools_tests_test__extensions.py
View file

@ -1,15 +0,0 @@
--- tools/tests/test_extensions.py.orig 2015-05-05 00:16:41 UTC
+++ tools/tests/test_extensions.py
@@ -364,9 +364,11 @@ if __name__ == "__main__":
thrift_path = test_base.ARGS.build + "/generated/gen-py"
try:
sys.path.append(thrift_path)
+ sys.path.append(thrift_path + "/osquery")
from osquery import *
- except ImportError:
+ except ImportError as e:
print ("Cannot import osquery thrift API from %s" % (thrift_path))
+ print ("Exception: %s" % (str(e)))
print ("You must first run: make")
exit(1)

5
sysutils/osquery/pkg-plist
View file

@ -3,10 +3,7 @@ bin/osqueryi
include/osquery/config.h
include/osquery/core.h
include/osquery/database.h
include/osquery/database/db_handle.h
include/osquery/database/query.h
include/osquery/database/results.h
include/osquery/enrollment.h
include/osquery/enroll.h
include/osquery/events.h
include/osquery/extensions.h
include/osquery/filesystem.h