mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-07 06:40:06 +00:00
Code Issues Releases Activity

New port: sysutils/osquery:

Browse Source 
osquery exposes an operating system as a high-performance relational database.
This allows you to write SQL-based queries to explore operating system data.
With osquery, SQL tables represent abstract concepts such as running
processes, loaded kernel modules, open network connections, browser plugins,
hardware events or file hashes.

WWW: https://osquery.io/

Sponsored by:	Beer from wxs@
This commit is contained in:
Ryan Steinmetz 2015-05-10 15:19:11 +00:00
parent ceb8478250
commit 6efaeef862
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=385963
70 changed files with 3125 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sysutils/Makefile
View File

@ -581,6 +581,7 @@
SUBDIR += openipmi
SUBDIR += openupsd
SUBDIR += ori
SUBDIR += osquery
SUBDIR += p5-BSD-Jail-Object
SUBDIR += p5-BSD-Process
SUBDIR += p5-BSD-Sysctl

74
sysutils/osquery/Makefile Normal file
View File

@ -0,0 +1,74 @@
# Created by: Ryan Steinmetz <zi@FreeBSD.org>
# $FreeBSD$
PORTNAME= osquery
PORTVERSION= 1.4.5
CATEGORIES= sysutils
MASTER_SITES= GH:ghc \
https://codeload.github.com/${PORTNAME}/third-party/tar.gz/${PORTVERSION}?dummy=/:gh
DISTFILES= ${PORTNAME}-${PORTVERSION}.tar.gz:ghc \
third-party-${PORTVERSION}.tar.gz:gh
MAINTAINER= zi@FreeBSD.org
COMMENT= SQL powered OS instrumentation, monitoring, and analytics
LICENSE= BSD3CLAUSE
BUILD_DEPENDS= snappy>0:${PORTSDIR}/archivers/snappy \
rocksdb>0:${PORTSDIR}/databases/rocksdb \
thrift>0:${PORTSDIR}/devel/thrift \
thrift-cpp>0:${PORTSDIR}/devel/thrift-cpp \
bash>0:${PORTSDIR}/shells/bash \
yara>0:${PORTSDIR}/security/yara \
doxygen:${PORTSDIR}/devel/doxygen \
${PYTHON_PKGNAMEPREFIX}MarkupSafe>0:${PORTSDIR}/textproc/py-MarkupSafe \
${PYTHON_PKGNAMEPREFIX}psutil>0:${PORTSDIR}/sysutils/py-psutil \
${PYTHON_PKGNAMEPREFIX}argparse>0:${PORTSDIR}/devel/py-argparse \
${PYTHON_PKGNAMEPREFIX}pexpect>0:${PORTSDIR}/misc/py-pexpect \
${PYTHON_PKGNAMEPREFIX}Jinja2>0:${PORTSDIR}/devel/py-Jinja2 \
${PYTHON_PKGNAMEPREFIX}thrift>0:${PORTSDIR}/devel/py-thrift \
${PYTHON_PKGNAMEPREFIX}pip>0:${PORTSDIR}/devel/py-pip
LIB_DEPENDS= libboost_regex.so:${PORTSDIR}/devel/boost-libs \
libgflags.so:${PORTSDIR}/devel/gflags \
libicuuc.so:${PORTSDIR}/devel/icu
USES= cmake:outsource gmake libtool python:build compiler:c++11-lib
CMAKE_ENV+= OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" SKIP_TESTS="yes"
CMAKE_ARGS+= -DFREEBSD=awesome -DCMAKE_SYSTEM_NAME="FreeBSD"
BLDDIR= ${WRKDIR}/.build/${PORTNAME}
USE_RC_SUBR= ${PORTNAME}d
USE_GITHUB= yes
GH_ACCOUNT= facebook
MAKE_JOBS_UNSAFE= yes
.include <bsd.port.pre.mk>
.if ${OSVERSION} <= 1000000
CFLAGS+= -D_GLIBCXX_USE_C99
.endif
post-extract:
${RMDIR} ${WRKSRC}/third-party
${LN} -sf ${WRKDIR}/third-party-${PORTVERSION} ${WRKSRC}/third-party
post-patch:
${REINPLACE_CMD} -e 's|/var/osquery/osquery.conf|${PREFIX}/etc/osquery.conf|g' \
${WRKSRC}/osquery/config/plugins/filesystem.cpp
${REINPLACE_CMD} -e 's|/var/osquery/|/var/db/osquery/|g' \
${WRKSRC}/tools/deployment/osquery.example.conf
${REINPLACE_CMD} -e 's|python |${PYTHON_CMD} |g' \
${WRKSRC}/CMake/CMakeLibs.cmake \
${WRKSRC}/CMakeLists.txt
do-install:
${INSTALL_PROGRAM} ${BLDDIR}/osqueryi ${STAGEDIR}${PREFIX}/bin
${INSTALL_PROGRAM} ${BLDDIR}/osqueryd ${STAGEDIR}${PREFIX}/sbin
${INSTALL_DATA} ${BLDDIR}/libosquery.a ${STAGEDIR}${PREFIX}/lib
(cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include)
${INSTALL_DATA} ${WRKSRC}/tools/deployment/osquery.example.conf \
${STAGEDIR}${PREFIX}/etc/osquery.conf.sample
post-stage:
${MKDIR} ${STAGEDIR}/var/db/osquery
.include <bsd.port.post.mk>

4
sysutils/osquery/distinfo Normal file
View File

@ -0,0 +1,4 @@
SHA256 (osquery-1.4.5.tar.gz) = b0812eec4ca53eb6ada4692330caaed00ed1e50ead43b99486b3d15139369738
SIZE (osquery-1.4.5.tar.gz) = 412622
SHA256 (third-party-1.4.5.tar.gz) = 06897b9ddf637c61f5c9e90f640b9f8c50c124d6276058a71f7d952439c8e58f
SIZE (third-party-1.4.5.tar.gz) = 6073986

41
sysutils/osquery/files/osqueryd.in Normal file
View File

@ -0,0 +1,41 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: osqueryd
# REQUIRE: %%REQUIRE%%
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable osqueryd:
#
# osqueryd_enable="YES"
#
. /etc/rc.subr
name=osqueryd
rcvar=osqueryd_enable
load_rc_config $name
command=%%PREFIX%%/sbin/osqueryd
osqueryd_enable=${osqueryd_enable-"NO"}
osqueryd_flags=${osqueryd_flags-""}
osqueryd_config=${osqueryd_config-"%%PREFIX%%/etc/osquery.conf"}
required_files=${osqueryd_config}
command_args="--pidfile /var/run/osqueryd.pid --disable_watchdog --daemonize=true --config_path=${osqueryd_config}"
extra_commands="configtest"
configtest_cmd="configtest"
pidfile="/var/run/osqueryd.pid"
start_precmd=prestart
configtest() {
${command} ${osqueryd_flags} --config_check --config_path=${osqueryd_config} --verbose
}
prestart() {
install -d /var/db/osquery
}
run_rc_command "$1"

164
sysutils/osquery/files/patch-CMakeLists.txt Normal file
View File

@ -0,0 +1,164 @@
--- CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ CMakeLists.txt
@@ -1,7 +1,18 @@
cmake_minimum_required(VERSION 2.8.12)
-set(CMAKE_C_COMPILER "clang")
-set(CMAKE_CXX_COMPILER "clang++")
+#if(NOT DEFINED ENV{CC})
+# set(CMAKE_C_COMPILER "clang")
+#else()
+# set(CMAKE_C_COMPILER "$ENV{CC}")
+# message("-- Overriding C compiler from clang to $ENV{CC}")
+#endif()
+#if(NOT DEFINED ENV{CXX})
+# set(CMAKE_CXX_COMPILER "clang++")
+#else()
+# set(CMAKE_CXX_COMPILER "$ENV{CXX}")
+# message("-- Overriding CXX compiler from clang++ to $ENV{CXX}")
+#endif()
+
add_compile_options(
-Wall
-Wextra
@@ -22,6 +33,21 @@ add_compile_options(
)
set(CXX_COMPILE_FLAGS "")
+# Use osquery language to set platform/os
+execute_process(
+ COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+ OUTPUT_VARIABLE PLATFORM
+ OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
+string(REPLACE "." "_" PLATFORM "${PLATFORM}")
+string(TOUPPER "${PLATFORM}" PLATFORM)
+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
+
# Set non-C compile flags and whole-loading linker flags.
# osquery needs ALL symbols in the libraries it includes for relaxed ctors
# late-loading modules and SQLite introspection utilities.
@@ -34,34 +60,21 @@ if(APPLE)
# Special compile flags for Objective-C++
set(OBJCXX_COMPILE_FLAGS
"-x objective-c++ -fobjc-arc -Wno-c++11-extensions -mmacosx-version-min=${APPLE_MIN_ABI}")
-elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
- set(FREEBSD TRUE)
- set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++")
- set(OS_WHOLELINK_PRE "")
- set(OS_WHOLELINK_POST "")
else()
- set(LINUX TRUE)
- # Do not use the shared linker flags for modules.
set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11")
set(OS_WHOLELINK_PRE "-Wl,-whole-archive")
set(OS_WHOLELINK_POST "-Wl,-no-whole-archive")
+ # Set CMAKE variables depending on platform, to know which tables and what
+ # component-specific globbing is needed.
+ if(${OSQUERY_BUILD_PLATFORM} STREQUAL "freebsd")
+ set(FREEBSD TRUE)
+ set(LINUX FALSE)
+ else()
+ set(LINUX TRUE)
+ set(FREEBSD FALSE)
+ endif()
endif()
-# Use osquery language to set platform/os
-execute_process(
- COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
- OUTPUT_VARIABLE PLATFORM
- OUTPUT_STRIP_TRAILING_WHITESPACE
-)
-
-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
-string(REPLACE "." "_" PLATFORM "${PLATFORM}")
-string(TOUPPER "${PLATFORM}" PLATFORM)
-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
-
# RHEL6 uses a different gcc 4.9 runtime
if(${OSQUERY_BUILD_DISTRO} STREQUAL "rhel6")
set(GCC_RUNTIME "/opt/rh/devtoolset-3/root/usr/")
@@ -73,7 +86,7 @@ endif()
if(DEFINED ENV{DEBUG})
set(DEBUG TRUE)
set(CMAKE_BUILD_TYPE "Debug")
- add_compile_options(-g -O0 -pg)
+ add_compile_options(-g -O0)
add_definitions(-DDEBUG)
message("-- Setting DEBUG build")
elseif(DEFINED ENV{SANITIZE})
@@ -116,7 +129,7 @@ endif()
# Finished setting compiler/compiler flags.
project(OSQUERY)
-# Make sure deps were built before compiling (else show warning)
+# Make sure deps were built before compiling (else show warning).
execute_process(
COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" check "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
@@ -126,16 +139,23 @@ execute_process(
)
string(ASCII 27 Esc)
if(OSQUERY_DEPS_CHECK)
- message(WARNING "${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
+ message("-- ${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
endif()
-# Generate version from git
-execute_process(
- COMMAND git describe --tags HEAD --always
- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
- OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
- OUTPUT_STRIP_TRAILING_WHITESPACE
-)
+# Discover build version from an environment variable or from the git checkout.
+if(DEFINED ENV{OSQUERY_BUILD_VERSION})
+ set(OSQUERY_BUILD_VERSION "$ENV{OSQUERY_BUILD_VERSION}")
+else()
+ # Generate version from git
+ execute_process(
+ COMMAND git describe --tags HEAD --always
+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+ OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
+ OUTPUT_STRIP_TRAILING_WHITESPACE
+ )
+endif()
+
+# Discover the SDK version from an environment variable or the build version.
if(DEFINED ENV{SDK_VERSION})
set(OSQUERY_BUILD_SDK_VERSION "${ENV{SDK_VERSION}}")
else()
@@ -164,7 +184,8 @@ elseif(OSQUERY_BUILD_PLATFORM STREQUAL "
elseif(OSQUERY_BUILD_PLATFORM STREQUAL "rhel")
set(RHEL TRUE)
message("-- Building for RHEL")
-elseif(FREEBSD)
+elseif(OSQUERY_BUILD_PLATFORM STREQUAL "freebsd")
+ set(FREEBSD TRUE)
message("-- Building for FreeBSD")
endif()
@@ -233,7 +254,7 @@ add_custom_target(
# make format
add_custom_target(
format
- python "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
+ python2 "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
COMMENT "Formatting code staged code changes with clang-format" VERBATIM
)
@@ -244,4 +265,5 @@ add_custom_target(
"${CMAKE_SOURCE_DIR}/tools/sync.sh" "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
COMMENT "Generating sdk sync: ${CMAKE_BINARY_DIR}/sync"
+ DEPENDS osquery_extensions osquery_amalgamation
)

46
sysutils/osquery/files/patch-CMake_CMakeLibs.cmake Normal file
View File

@ -0,0 +1,46 @@
--- CMake/CMakeLibs.cmake.orig 2015-05-05 00:16:41 UTC
+++ CMake/CMakeLibs.cmake
@@ -15,7 +15,7 @@ endmacro(SET_OSQUERY_COMPILE)
macro(ADD_OSQUERY_PYTHON_TEST TEST_NAME SOURCE)
add_test(NAME python_${TEST_NAME}
- COMMAND python "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
+ COMMAND python2 "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/tools/tests/")
endmacro(ADD_OSQUERY_PYTHON_TEST)
@@ -30,7 +30,7 @@ endmacro(ADD_OSQUERY_LINK)
macro(ADD_OSQUERY_LINK_INTERNAL LINK LINK_PATHS LINK_SET)
if(NOT "${LINK}" MATCHES "(^[-/].*)")
- find_library("${LINK}_library" NAMES "lib${LINK}.a" "${LINK}" ${LINK_PATHS})
+ find_library("${LINK}_library" NAMES "${LINK}" "lib${LINK}" ${LINK_PATHS})
message("-- Found library dependency ${${LINK}_library}")
if("${${LINK}_library}" STREQUAL "${${LINK}_library}-NOTFOUND")
string(ASCII 27 Esc)
@@ -105,7 +105,6 @@ endmacro(ADD_OSQUERY_EXTENSION)
macro(ADD_OSQUERY_MODULE TARGET)
add_library(${TARGET} SHARED ${ARGN})
- target_link_libraries(${TARGET} dl)
add_dependencies(${TARGET} libglog libosquery)
if(APPLE)
target_link_libraries(${TARGET} "-undefined dynamic_lookup")
@@ -182,7 +181,7 @@ macro(GENERATE_TABLE TABLE_FILE NAME BAS
GET_GENERATION_DEPS(${BASE_PATH})
add_custom_command(
OUTPUT "${TABLE_FILE_GEN}"
- COMMAND python "${BASE_PATH}/tools/codegen/gentable.py"
+ COMMAND python2 "${BASE_PATH}/tools/codegen/gentable.py"
"${TABLE_FILE}" "${TABLE_FILE_GEN}" "$ENV{DISABLE_BLACKLIST}"
DEPENDS ${TABLE_FILE} ${GENERATION_DEPENDENCIES}
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
@@ -207,7 +206,7 @@ macro(AMALGAMATE BASE_PATH NAME OUTPUT)
# Append all of the code to a single amalgamation.
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/generated/${NAME}_amalgamation.cpp"
- COMMAND python "${BASE_PATH}/tools/codegen/amalgamate.py"
+ COMMAND python2 "${BASE_PATH}/tools/codegen/amalgamate.py"
"${BASE_PATH}/osquery/tables/" "${CMAKE_BINARY_DIR}/generated" "${NAME}"
DEPENDS ${GENERATED_TARGETS} ${GENERATION_DEPENDENCIES}
WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"

34
sysutils/osquery/files/patch-CMake_FindGlog.cmake Normal file
View File

@ -0,0 +1,34 @@
--- CMake/FindGlog.cmake.orig 2015-05-05 00:16:41 UTC
+++ CMake/FindGlog.cmake
@@ -6,20 +6,6 @@ endif()
set(GLOG_ROOT_DIR "${CMAKE_BINARY_DIR}/third-party/glog")
set(GLOG_SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/glog")
-if(NOT APPLE)
- include(CheckIncludeFiles)
- unset(LIBUNWIND_FOUND CACHE)
- check_include_files("libunwind.h;unwind.h" LIBUNWIND_FOUND)
- if(LIBUNWIND_FOUND)
- unset(libglog_FOUND CACHE)
- execute_process(
- COMMAND rm -rf "${GLOG_ROOT_DIR}" "${CMAKE_BINARY_DIR}/libglog-prefix"
- ERROR_QUIET
- )
- message(WARNING "${Esc}[31mWarning: libunwind headers found [Issue #596], please: make deps\n${Esc}[m")
- endif()
-endif()
-
set(GLOG_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-register -Wno-unnamed-type-template-args -Wno-deprecated -Wno-error")
INCLUDE(ExternalProject)
@@ -31,8 +17,8 @@ ExternalProject_Add(
CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER}
CXXFLAGS=${GLOG_CXX_FLAGS}
--enable-frame-pointers --enable-shared=no --prefix=${GLOG_ROOT_DIR}
- BUILD_COMMAND make
- INSTALL_COMMAND make install
+ BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
+ INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install
LOG_CONFIGURE ON
LOG_INSTALL ON
LOG_BUILD ON

53
sysutils/osquery/files/patch-Makefile Normal file
View File

@ -0,0 +1,53 @@
--- Makefile.orig 2015-05-05 00:16:41 UTC
+++ Makefile
@@ -1,8 +1,11 @@
PLATFORM := $(shell uname -s)
VERSION := $(shell git describe --tags HEAD --always)
-MAKE = make
+SHELL := $(shell which bash)
-SHELL := /bin/bash
+MAKE = make
+ifeq ($(PLATFORM),FreeBSD)
+ MAKE = gmake
+endif
DISTRO := $(shell . ./tools/lib.sh; _platform)
DISTRO_VERSION := $(shell . ./tools/lib.sh; _distro $(DISTRO))
@@ -16,11 +19,11 @@ DEFINES := CTEST_OUTPUT_ON_FAILURE=1
.PHONY: docs build
all: .setup
- cd build/$(BUILD_DIR) && cmake ../.. && \
+ cd build/$(BUILD_DIR) && cmake ../../ && \
$(DEFINES) $(MAKE) --no-print-directory $(MAKEFLAGS)
docs: .setup
- cd build && cmake .. && \
+ cd build && cmake ../ && \
$(DEFINES) $(MAKE) docs --no-print-directory $(MAKEFLAGS)
debug: .setup
@@ -74,6 +77,10 @@ test_debug_build:
deps: .setup
./tools/provision.sh build build/$(BUILD_DIR)
+clean: .setup
+ cd build/$(BUILD_DIR) && cmake ../../ && \
+ $(DEFINES) $(MAKE) clean --no-print-directory $(MAKEFLAGS)
+
distclean:
rm -rf .sources build/$(BUILD_DIR) build/debug_$(BUILD_DIR) build/docs
ifeq ($(PLATFORM),Linux)
@@ -101,6 +108,10 @@ packages: .setup
cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
$(DEFINES) $(MAKE) packages --no-print-directory $(MAKEFLAGS)
+sync: .setup
+ cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
+ $(DEFINES) $(MAKE) sync --no-print-directory $(MAKEFLAGS)
+
%::
- cd build/$(BUILD_DIR) && cmake ../.. && \
+ cd build/$(BUILD_DIR) && cmake ../../ && \
$(DEFINES) $(MAKE) --no-print-directory $@

15
sysutils/osquery/files/patch-include_osquery_core.h Normal file
View File

@ -0,0 +1,15 @@
--- include/osquery/core.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/core.h
@@ -30,7 +30,11 @@
// clang-format on
#ifndef __constructor__
-#define __constructor__ __attribute__((constructor))
+#define __registry_constructor__ __attribute__((constructor(101)))
+#define __plugin_constructor__ __attribute__((constructor(102)))
+#else
+#define __registry_constructor__ __attribute__((__constructor__(101)))
+#define __plugin_constructor__ __attribute__((__constructor__(102)))
#endif
/// A configuration error is catastrophic and should exit the watcher.

110
sysutils/osquery/files/patch-include_osquery_events.h Normal file
View File

@ -0,0 +1,110 @@
--- include/osquery/events.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/events.h
@@ -197,8 +197,8 @@ class EventPublisherPlugin : public Plug
* @brief Perform handle opening, OS API callback registration.
*
* `setUp` is the event framework's EventPublisher constructor equivalent.
- * When `setUp` is called the EventPublisher is running in a dedicated thread
- * and may manage/allocate/wait for resources.
+ * This is called in the main thread before the publisher's run loop has
+ * started, immediately following registration.
*/
virtual Status setUp() { return Status(0, "Not used"); }
@@ -206,17 +206,28 @@ class EventPublisherPlugin : public Plug
* @brief Perform handle closing, resource cleanup.
*
* osquery is about to end, the EventPublisher should close handle descriptors
- * unblock resources, and prepare to exit.
+ * unblock resources, and prepare to exit. This will be called from the main
+ * thread after the run loop thread has exited.
*/
virtual void tearDown() {}
/**
- * @brief Implement a step of an optional run loop.
+ * @brief Implement a "step" of an optional run loop.
*
* @return A SUCCESS status will immediately call `run` again. A FAILED status
* will exit the run loop and the thread.
*/
- virtual Status run() { return Status(1, "No runloop required"); }
+ virtual Status run() { return Status(1, "No run loop required"); }
+
+ /**
+ * @brief Allow the EventFactory to interrupt the run loop.
+ *
+ * Assume the main thread may ask the run loop to stop at anytime.
+ * Before end is called the publisher's `isEnding` is set and the EventFactory
+ * run loop manager will exit the stepping loop and fall through to a call
+ * to tearDown followed by a removal of the publisher.
+ */
+ virtual void end() {}
/**
* @brief A new EventSubscriber is subscriptioning events of this
@@ -260,9 +271,16 @@ class EventPublisherPlugin : public Plug
/// Return a string identifier associated with this EventPublisher.
virtual EventPublisherID type() const { return "publisher"; }
+ /// Check if the EventFactory is ending all publisher threads.
bool isEnding() const { return ending_; }
+
+ /// Set the ending status for this publisher.
void isEnding(bool ending) { ending_ = ending; }
+
+ /// Check if the publisher's run loop has started.
bool hasStarted() const { return started_; }
+
+ /// Set the run or started status for this publisher.
void hasStarted(bool started) { started_ = started; }
protected:
@@ -284,6 +302,7 @@ class EventPublisherPlugin : public Plug
private:
/// Set ending to True to cause event type run loops to finish.
bool ending_;
+
/// Set to indicate whether the event run loop ever started.
bool started_;
@@ -661,11 +680,14 @@ class EventFactory : private boost::nonc
}
/**
- * @brief Halt the EventPublisher run loop and call its `tearDown`.
+ * @brief Halt the EventPublisher run loop.
*
* Any EventSubscriber%s with Subscription%s for this EventPublisher will
* become useless. osquery callers MUST deregister events.
* EventPublisher%s assume they can hook/trampoline, which requires cleanup.
+ * This will tear down and remove the publisher if the run loop did not start.
+ * Otherwise it will call end on the publisher and assume the run loop will
+ * tear down and remove.
*
* @param event_pub The string label for the EventPublisher.
*
@@ -681,6 +703,8 @@ class EventFactory : private boost::nonc
/// Return an instance to a registered EventSubscriber.
static EventSubscriberRef getEventSubscriber(EventSubscriberID& sub);
+
+ /// Check if an event subscriber exists.
static bool exists(EventSubscriberID& sub);
static std::vector<std::string> publisherTypes();
@@ -701,9 +725,12 @@ class EventFactory : private boost::nonc
}
/**
- * @brief End all EventPublisher run loops and call their `tearDown` methods.
+ * @brief End all EventPublisher run loops and deregister.
*
- * End is NOT the same as deregistration.
+ * End is NOT the same as deregistration. End will call deregister on all
+ * publishers then either join or detach their run loop threads.
+ * See EventFactory::deregisterEventPublisher for actions taken during
+ * deregistration.
*
* @param should_end Reset the "is ending" state if False.
*/

14
sysutils/osquery/files/patch-include_osquery_flags.h Normal file
View File

@ -0,0 +1,14 @@
--- include/osquery/flags.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/flags.h
@@ -19,7 +19,11 @@
#include <osquery/core.h>
+#ifdef FREEBSD
+#define GFLAGS_NAMESPACE gflags
+#elif !defined(GFLAGS_NAMESPACE)
#define GFLAGS_NAMESPACE google
+#endif
namespace boost {
/// We define a lexical_cast template for boolean for Gflags boolean string

58
sysutils/osquery/files/patch-include_osquery_registry.h Normal file
View File

@ -0,0 +1,58 @@
--- include/osquery/registry.h.orig 2015-05-05 00:16:41 UTC
+++ include/osquery/registry.h
@@ -41,11 +41,11 @@ namespace osquery {
* @param type A typename that derives from Plugin.
* @param name A string identifier for the registry.
*/
-#define CREATE_REGISTRY(type, name) \
- namespace registry { \
- __constructor__ static void type##Registry() { \
- Registry::create<type>(name); \
- } \
+#define CREATE_REGISTRY(type, name) \
+ namespace registry { \
+ __registry_constructor__ static void type##Registry() { \
+ Registry::create<type>(name); \
+ } \
}
/**
@@ -56,11 +56,11 @@ namespace osquery {
* @param type A typename that derives from Plugin.
* @param name A string identifier for the registry.
*/
-#define CREATE_LAZY_REGISTRY(type, name) \
- namespace registry { \
- __constructor__ static void type##Registry() { \
- Registry::create<type>(name, true); \
- } \
+#define CREATE_LAZY_REGISTRY(type, name) \
+ namespace registry { \
+ __registry_constructor__ static void type##Registry() { \
+ Registry::create<type>(name, true); \
+ } \
}
/**
@@ -75,15 +75,15 @@ namespace osquery {
* @param registry The string name for the registry.
* @param name A string identifier for this registry item.
*/
-#define REGISTER(type, registry, name) \
- __constructor__ static void type##RegistryItem() { \
- Registry::add<type>(registry, name); \
+#define REGISTER(type, registry, name) \
+ __plugin_constructor__ static void type##RegistryItem() { \
+ Registry::add<type>(registry, name); \
}
/// The same as REGISTER but prevents the plugin item from being broadcasted.
-#define REGISTER_INTERNAL(type, registry, name) \
- __constructor__ static void type##RegistryItem() { \
- Registry::add<type>(registry, name, true); \
+#define REGISTER_INTERNAL(type, registry, name) \
+ __plugin_constructor__ static void type##RegistryItem() { \
+ Registry::add<type>(registry, name, true); \
}
/**

9
sysutils/osquery/files/patch-kernel_linux_.gitignore Normal file
View File

@ -0,0 +1,9 @@
--- kernel/linux/.gitignore.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/.gitignore
@@ -1,6 +0,0 @@
-Module.symvers
-modules.order
-.tmp_versions*
-*.cmd
-*.mod.c
-*.ko

50
sysutils/osquery/files/patch-kernel_linux_Makefile Normal file
View File

@ -0,0 +1,50 @@
--- kernel/linux/Makefile.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/Makefile
@@ -1,47 +0,0 @@
-obj-m += camb.o
-camb-objs += main.o sysfs.o hash.o
-
-# We need headers to build against a specific kernel version
-ifndef KDIR
- KDIR = /lib/modules/$(shell uname -r)/build
-# @echo "Using default kernel directory: ${KDIR}"
-endif
-
-# If user specifies a System.map, get addresses from there
-ifdef SMAP
- OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')"
- OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')"
- OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')"
-
-# Otherwise, they must be present on the build line
-else
- OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}"
- OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}"
- OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}"
-endif
-
-ifdef HIDE_ME
- OPTS += -DHIDE_ME
- camb-objs += hide.o
-endif
-
-all:
-
-ifndef SMAP
- ifndef TEXT_SEGMENT_START
- @echo "Missing parameter: TEXT_SEGMENT_START"
- @exit 1
- endif
-
- ifndef TEXT_SEGMENT_END
- @echo "Missing parameter: TEXT_SEGMENT_END"
- @exit 1
- endif
-
- ifndef SYSCALL_BASE_ADDR
- @echo "Missing parameter: SYSCALL_BASE_ADDR"
- @exit 1
- endif
-endif
-
- $(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules

94
sysutils/osquery/files/patch-kernel_linux_hash.c Normal file
View File

@ -0,0 +1,94 @@
--- kernel/linux/hash.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hash.c
@@ -1,91 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-/* Crypto */
-#include <linux/crypto.h>
-#include <linux/err.h>
-#include <linux/scatterlist.h>
-#include <crypto/sha.h>
-
-#include "hash.h"
-
-unsigned char *kernel_text_hash(void) {
- return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START,
- TEXT_SEGMENT_END - TEXT_SEGMENT_START);
-}
-
-/**
- * @brief Generic function for performing a SHA-1 hash of a memory range
- *
- * @param data - Beginning memory address to perform hash
- * @param len - size in bytes of the address range to hash
- *
- * @return allocated buffer containing the hash string; or NULL upon error.
- */
-unsigned char *hash_data(const void *data, size_t len) {
- struct scatterlist sg;
- struct hash_desc desc;
- size_t out_len = SHA1_DIGEST_SIZE * 2 + 1;
- unsigned char hashtext[SHA1_DIGEST_SIZE];
- unsigned char *hashtext_out = kmalloc(out_len, GFP_KERNEL);
-
- if (!hashtext_out) {
- printk(KERN_INFO "Could not allocate space for hash\n");
- return NULL;
- }
-
- sg_init_one(&sg, data, len);
- desc.flags = 0;
- desc.tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC);
-
- crypto_hash_init(&desc);
- crypto_hash_update(&desc, &sg, sg.length);
- crypto_hash_final(&desc, hashtext);
-
- snprintf(hashtext_out,
- out_len,
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
- hashtext[0], hashtext[1], hashtext[2], hashtext[3],
- hashtext[4], hashtext[5], hashtext[6], hashtext[7],
- hashtext[8], hashtext[9], hashtext[10], hashtext[11],
- hashtext[12], hashtext[13], hashtext[14], hashtext[15],
- hashtext[16], hashtext[17], hashtext[18], hashtext[19]
- );
-
- if (desc.tfm) {
- crypto_free_hash(desc.tfm);
- }
-
- return hashtext_out;
-}
-
-/**
- * @brief Callback for the sysfs object read. This happens when a file is
- * read(2) (or equivalent) from within sysfs. E.g. cat /sys/foo/bar will
- * call bar's *_show callback method.
- *
- * @param obj - reference to a kernel object within the sysfs filesystem
- * @param attr - attribute of said kernel object
- * @param buf - buffer that will be allocated and filled with the hash
- *
- * @return size in bytes of the hash string; or -1 upon error.
- */
-ssize_t text_segment_hash_show(struct kobject *obj,
- struct attribute *attr,
- char *buf) {
- ssize_t ret;
- char *hash = kernel_text_hash();
-
- if (hash) {
- ret = scnprintf(buf, PAGE_SIZE, "%s\n", hash);
- kfree(hash);
- } else {
- ret = -1;
- }
-
- return ret;
-}

7
sysutils/osquery/files/patch-kernel_linux_hash.h Normal file
View File

@ -0,0 +1,7 @@
--- kernel/linux/hash.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hash.h
@@ -1,4 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-unsigned char *kernel_text_hash(void);
-unsigned char *hash_data(const void *, size_t);

29
sysutils/osquery/files/patch-kernel_linux_hide.c Normal file
View File

@ -0,0 +1,29 @@
--- kernel/linux/hide.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hide.c
@@ -1,26 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/module.h>
-
-#include "hide.h"
-
-extern char *module_str;
-
-void rm_mod_from_list(void) {
- THIS_MODULE->list.next->prev = THIS_MODULE->list.prev;
- THIS_MODULE->list.prev->next = THIS_MODULE->list.next;
-}
-
-void rm_mod_from_sysfs(void) {
- kobject_del(THIS_MODULE->holders_dir->parent);
-}
-
-void rm_mod_from_ddebug_tables(void) {
- ddebug_remove_module(module_str);
-}
-
-void hide_me(void) {
- rm_mod_from_list();
- rm_mod_from_sysfs();
- rm_mod_from_ddebug_tables();
-}

9
sysutils/osquery/files/patch-kernel_linux_hide.h Normal file
View File

@ -0,0 +1,9 @@
--- kernel/linux/hide.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/hide.h
@@ -1,6 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-void rm_mod_from_list(void);
-void rm_mod_from_sysfs(void);
-void rm_mod_from_ddebug_tables(void);
-void hide_me(void);

99
sysutils/osquery/files/patch-kernel_linux_main.c Normal file
View File

@ -0,0 +1,99 @@
--- kernel/linux/main.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/main.c
@@ -1,96 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/file.h>
-#include <linux/fdtable.h>
-#include <linux/dcache.h>
-#include <linux/syscalls.h>
-#include <linux/fs.h>
-#include <linux/fcntl.h>
-#include <linux/slab.h>
-#include <linux/mutex.h>
-#include <linux/kallsyms.h>
-#include <linux/sched.h>
-#include <linux/dirent.h>
-#include <linux/reboot.h>
-#include <linux/notifier.h>
-#include <linux/kobject.h>
-#include <asm/syscall.h>
-
-#include "sysfs.h"
-#include "hash.h"
-#ifdef HIDE_ME
- #include "hide.h"
-#endif
-
-extern struct kobject *camb_kobj;
-char *module_str = "camb";
-
-static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR;
-static unsigned long *syscall_table_copy[NR_syscalls];
-
-/* Allow writes to executable memory pages */
-void en_mem_wr(void) {
- write_cr0(read_cr0() & (~0x10000));
-}
-
-/* Disallow writes to executable memory pages */
-void dis_mem_wr(void) {
- write_cr0(read_cr0() | 0x10000);
-}
-
-int syscall_addr_modified_show(struct kobject *obj,
- struct attribute *attr,
- char *buf) {
- unsigned int i = -1, mod = 0, ret;
-
- while(++i < NR_syscalls)
- if (syscall_table[i] != syscall_table_copy[i])
- mod = 1;
- ret = scnprintf(buf, PAGE_SIZE, "%d\n", mod);
-
- return ret;
-}
-
-/* Copy the system call pointer table */
-void grab_syscall_table(void) {
- unsigned int i;
- for (i = 0; i < NR_syscalls; i++)
- syscall_table_copy[i] = syscall_table[i];
-}
-
-static int __init camb_init(void) {
- printk(KERN_INFO "[%s] init\n", module_str);
-
- if (expose_sysfs()) {
- printk(KERN_ERR "Cannot expose self to sysfs\n");
- return -1;
- }
-
- /* Hide the fact that we're monitoring the system for tampering */
-#ifdef HIDE_ME
- hide_me();
-#endif
-
- grab_syscall_table();
-
- return 0;
-}
-
-static void __exit camb_exit(void) {
- printk(KERN_INFO "[%s] exit\n", module_str);
-
- if (camb_kobj) {
- kobject_put(camb_kobj);
- }
-
-}
-
-module_init(camb_init);
-module_exit(camb_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("@unixist");
-MODULE_DESCRIPTION("Detect kernel tampering");

52
sysutils/osquery/files/patch-kernel_linux_sysfs.c Normal file
View File

@ -0,0 +1,52 @@
--- kernel/linux/sysfs.c.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/sysfs.c
@@ -1,49 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-#include <linux/sysfs.h>
-#include <linux/kobject.h>
-#include <linux/module.h>
-#include <linux/slab.h>
-
-#include "hash.h"
-#include "sysfs.h"
-
-struct kobject *camb_kobj;
-
-extern ssize_t syscall_addr_modified_show(struct kobject *obj,
- struct attribute *attr,
- char *buf);
-extern ssize_t text_segment_hash_show(struct kobject *obj,
- struct attribute *attr,
- char *buf);
-
-struct kobj_attribute attr_syscall_addr_modified =
- __ATTR(syscall_addr_modified, 0444, syscall_addr_modified_show, NULL);
-
-struct kobj_attribute attr_text_segment_hash =
- __ATTR(text_segment_hash, 0444, text_segment_hash_show, NULL);
-
-struct attribute *camb_attrs[] = {
- &attr_text_segment_hash.attr,
- &attr_syscall_addr_modified.attr,
- NULL,
-};
-
-struct attribute_group attr_group = {
- .attrs = camb_attrs
-};
-
-int expose_sysfs(void) {
- int err = 0;
- camb_kobj = kobject_create_and_add("camb", kernel_kobj);
- if (camb_kobj) {
- if ((err = sysfs_create_group(camb_kobj, &attr_group)) != 0) {
- kobject_put(camb_kobj);
- }
- }
- return err;
-}
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("@unixist");
-MODULE_DESCRIPTION("Detect kernel tampering");

6
sysutils/osquery/files/patch-kernel_linux_sysfs.h Normal file
View File

@ -0,0 +1,6 @@
--- kernel/linux/sysfs.h.orig 2015-05-05 00:16:41 UTC
+++ kernel/linux/sysfs.h
@@ -1,3 +0,0 @@
-// Copyright 2004-present Facebook. All Rights Reserved.
-
-int expose_sysfs(void);

40
sysutils/osquery/files/patch-osquery_CMakeLists.txt Normal file
View File

@ -0,0 +1,40 @@
--- osquery/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ osquery/CMakeLists.txt
@@ -22,11 +22,14 @@ set(OSQUERY_LIBS
readline
pthread
- dl
bz2
z
)
+if(NOT FREEBSD)
+ set(OSQUERY_LIBS ${OSQUERY_LIBS} dl)
+endif()
+
# Add default linking details (the first argument means SDK + core).
ADD_OSQUERY_LINK(TRUE "-rdynamic")
@@ -44,7 +47,7 @@ endif()
# The remaining boost libraries are discovered with find_library.
ADD_OSQUERY_LINK(TRUE "boost_system")
ADD_OSQUERY_LINK(TRUE "boost_filesystem")
-ADD_OSQUERY_LINK(TRUE "boost_regex")
+ADD_OSQUERY_LINK(TRUE "-lboost_regex")
ADD_OSQUERY_LINK(TRUE "yara")
if(DEFINED ENV{SANITIZE})
@@ -133,7 +136,11 @@ if(NOT OSQUERY_BUILD_SDK_ONLY)
# Include the public API includes if make devel.
install(TARGETS libosquery ARCHIVE DESTINATION lib COMPONENT devel OPTIONAL)
- install(DIRECTORY "${CMAKE_SOURCE_DIR}/include/" DESTINATION include COMPONENT devel OPTIONAL)
+ install(DIRECTORY "${CMAKE_SOURCE_DIR}/include"
+ DESTINATION include
+ COMPONENT devel OPTIONAL
+ PATTERN ".*" EXCLUDE
+ )
# make install (executables)
install(TARGETS shell RUNTIME DESTINATION bin COMPONENT main)

19
sysutils/osquery/files/patch-osquery_config_config.cpp Normal file
View File

@ -0,0 +1,19 @@
--- osquery/config/config.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/config.cpp
@@ -167,7 +167,15 @@ inline void mergeExtraKey(const std::str
if (node.second.count("") == 0 && conf.all_data.count(name) > 0) {
conf.all_data.get_child(name).erase(subitem.first);
}
- conf.all_data.add_child(name + "." + subitem.first, subitem.second);
+
+ if (subitem.first.size() == 0) {
+ if (conf.all_data.count(name) == 0) {
+ conf.all_data.add_child(name, subitem.second);
+ }
+ conf.all_data.get_child(name).push_back(subitem);
+ } else {
+ conf.all_data.add_child(name + "." + subitem.first, subitem.second);
+ }
}
}

106
sysutils/osquery/files/patch-osquery_config_plugins_http.cpp Normal file
View File

@ -0,0 +1,106 @@
--- osquery/config/plugins/http.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/plugins/http.cpp
@@ -14,10 +14,10 @@
#include <boost/property_tree/ptree.hpp>
#include <osquery/config.h>
+#include <osquery/enrollment.h>
#include <osquery/flags.h>
-#include <osquery/logger.h>
-#include <osquery/filesystem.h>
#include <osquery/registry.h>
+
#include "osquery/remote/requests.h"
#include "osquery/remote/transports/http.h"
#include "osquery/remote/serializers/json.h"
@@ -30,7 +30,7 @@ DECLARE_string(enrollment_app_id);
FLAG(string,
config_enrollment_uri,
- "Not Specified",
+ "",
"The endpoint for server side client enrollment");
class HTTPConfigPlugin : public ConfigPlugin {
@@ -40,49 +40,45 @@ class HTTPConfigPlugin : public ConfigPl
REGISTER(HTTPConfigPlugin, "config", "http");
-Status runEnrollment(const bool force = false) {
- PluginResponse resp;
- PluginRequest req;
- if (force) {
- req = {{"enroll", "1"}};
- } else {
- req = {{"enroll", "0"}};
+Status runEnrollment(bool force = false) {
+ PluginResponse response;
+ PluginRequest request = {{"enroll", (force) ? "1" : "0"}};
+ auto status = Registry::call("enrollment", "get_key", request, response);
+ if (!status.ok()) {
+ return status;
}
- Status stat = Registry::call("enrollment", "get_key", req, resp);
- if (!stat.ok()) {
- return stat;
- }
- if (resp.size() > 0 && resp[0]["key"].length() == 0) {
+ if (response.size() > 0 && response[0]["key"].size() == 0) {
return Status(1, "Enrollment Error: No Key");
}
return Status(0, "OK");
}
-Status getConfig(boost::property_tree::ptree& recv) {
- // Make request to endpoint with secrets
+Status getConfig(boost::property_tree::ptree& output) {
+ // Make request to endpoint with secrets.
auto r = Request<HTTPTransport, JSONSerializer>(FLAGS_config_enrollment_uri);
boost::property_tree::ptree params;
- PluginResponse resp;
- Status stat =
- Registry::call("enrollment", "get_key", {{"enroll", "0"}}, resp);
- params.put<std::string>("enrollment_key", resp[0]["key"]);
+ PluginResponse response;
+ Registry::call("enrollment", "get_key", {{"enroll", "0"}}, response);
+ params.put<std::string>("enrollment_key", response[0]["key"]);
params.put<std::string>("app_id", FLAGS_enrollment_app_id);
- stat = r.call(params);
- if (!stat.ok()) {
- return stat;
+ auto status = r.call(params);
+ if (!status.ok()) {
+ return status;
}
- // The call was ok, so store the enrolled key
- stat = r.getResponse(recv);
- if (!stat.ok()) {
- return stat;
+
+ // The call succeeded, store the enrolled key.
+ status = r.getResponse(output);
+ if (!status.ok()) {
+ return status;
}
+
// Receive config or key rejection
- if (recv.count("enrollment_invalid") > 0 &&
- recv.get<std::string>("enrollment_invalid", "") == "1") {
- return stat;
+ if (output.count("enrollment_invalid") > 0 &&
+ output.get<std::string>("enrollment_invalid", "") == "1") {
+ return status;
}
return Status(0, "OK");
}
@@ -97,6 +93,7 @@ Status HTTPConfigPlugin::genConfig(std::
break;
}
}
+
std::stringstream ss;
write_json(ss, recv);
config[FLAGS_enrollment_app_id] = ss.str();

123
sysutils/osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp Normal file
View File

@ -0,0 +1,123 @@
--- osquery/config/plugins/tests/http_config_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/config/plugins/tests/http_config_tests.cpp
@@ -1,120 +0,0 @@
-/*
- * Copyright (c) 2014, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed under the BSD-style license found in the
- * LICENSE file in the root directory of this source tree. An additional grant
- * of patent rights can be found in the PATENTS file in the same directory.
- *
- */
-
-#include <iostream>
-#include <random>
-#include <sstream>
-#include <thread>
-
-#include <boost/network/protocol/http/server.hpp>
-#include <boost/property_tree/ptree.hpp>
-
-#include <gtest/gtest.h>
-
-#include <osquery/config.h>
-#include <osquery/enrollment.h>
-
-#include "osquery/remote/requests.h"
-#include "osquery/remote/transports/http.h"
-#include "osquery/remote/serializers/json.h"
-
-namespace http = boost::network::http;
-
-namespace osquery {
-
-DECLARE_string(enrollment_uri);
-DECLARE_string(config_enrollment_uri);
-DECLARE_string(enrollment_app_id);
-
-struct EnrollHTTPHandler;
-struct ConfigHTTPHandler;
-typedef http::server<EnrollHTTPHandler> EnrollServer;
-typedef http::server<ConfigHTTPHandler> ConfigServer;
-
-struct EnrollHTTPHandler {
- void operator()(EnrollServer::request const &request,
- EnrollServer::response &response) {
- response = EnrollServer::response::stock_reply(
- EnrollServer::response::ok,
- std::string("{\"enrollment_key\":\"potatoes\"}"));
- }
- void log(...) {}
-};
-
-struct ConfigHTTPHandler {
- void operator()(ConfigServer::request const &request,
- ConfigServer::response &response) {
- response = ConfigServer::response::stock_reply(
- ConfigServer::response::ok,
- std::string(
- "{ \"schedule\": {\"config_server_launchd\": {\"query\": \"select "
- "* from launchd;\", \"interval\": 3600 }}}"));
- }
- void log(...) {}
-};
-
-class HttpConfigTests : public testing::Test {
- public:
- HttpConfigTests() {
- // Create an enrollment endpoint and configuration retrieval endpoint.
- auto enroll_port = rand() % 10000 + 10000;
- auto config_port = enroll_port + 1;
- // Set the URIs.
- FLAGS_enrollment_uri = "http://localhost:" + std::to_string(enroll_port);
- FLAGS_config_enrollment_uri =
- "http://localhost:" + std::to_string(config_port);
- FLAGS_enrollment_app_id = "just_a_test_id";
-
- // Create two servers + handlers with default options.
- EnrollHTTPHandler enrollment;
- ConfigHTTPHandler config;
- EnrollServer::options opt_enroll(enrollment);
- ConfigServer::options opt_config(config);
- enrollment_server_ = std::make_shared<EnrollServer>(
- opt_enroll.address("127.0.0.1").port(std::to_string(enroll_port)));
- config_server_ = std::make_shared<ConfigServer>(
- opt_config.address("127.0.0.1").port(std::to_string(config_port)));
-
- // Start each server in a separate service thread.
- config_thread_ = std::make_shared<boost::thread>(
- boost::bind(&ConfigServer::run, &*config_server_));
- enroll_thread_ = std::make_shared<boost::thread>(
- boost::bind(&EnrollServer::run, &*enrollment_server_));
- }
-
- ~HttpConfigTests() {
- enrollment_server_->stop();
- config_server_->stop();
- enroll_thread_->join();
- config_thread_->join();
- }
-
- protected:
- std::shared_ptr<EnrollServer> enrollment_server_;
- std::shared_ptr<ConfigServer> config_server_;
- std::shared_ptr<boost::thread> enroll_thread_;
- std::shared_ptr<boost::thread> config_thread_;
-};
-
-TEST_F(HttpConfigTests, test_enroll_config) {
- // Change the active config plugin.
- EXPECT_TRUE(Registry::setActive("config", "http").ok());
-
- // Request the config server to generate a config data.
- PluginResponse response;
- auto stat = Registry::call("config", {{"action", "genConfig"}}, response);
- EXPECT_TRUE(stat.ok());
-
- // Update the config instance with the content from the server.
- Config::update(response[0]);
- ConfigDataInstance config;
- EXPECT_EQ(config.schedule().count("config_server_launchd"), 1);
-}
-}

52
sysutils/osquery/files/patch-osquery_core_watcher.cpp Normal file
View File

@ -0,0 +1,52 @@
--- osquery/core/watcher.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/core/watcher.cpp
@@ -171,7 +171,7 @@ bool WatcherRunner::ok() {
return (Watcher::getWorker() >= 0 || Watcher::hasManagedExtensions());
}
-void WatcherRunner::enter() {
+void WatcherRunner::start() {
// Set worker performance counters to an initial state.
Watcher::resetWorkerCounters(0);
signal(SIGCHLD, childHandler);
@@ -327,6 +327,15 @@ void WatcherRunner::createWorker() {
setenv("OSQUERY_EXTENSIONS", "true", 1);
}
+ // Get the complete path of the osquery process binary.
+ auto exec_path = fs::system_complete(fs::path(qd[0]["path"]));
+ if (!safePermissions(
+ exec_path.parent_path().string(), exec_path.string(), true)) {
+ // osqueryd binary has become unsafe.
+ LOG(ERROR) << "osqueryd has unsafe permissions: " << exec_path.string();
+ ::exit(EXIT_FAILURE);
+ }
+
auto worker_pid = fork();
if (worker_pid < 0) {
// Unrecoverable error, cannot create a worker process.
@@ -335,8 +344,6 @@ void WatcherRunner::createWorker() {
} else if (worker_pid == 0) {
// This is the new worker process, no watching needed.
setenv("OSQUERY_WORKER", std::to_string(getpid()).c_str(), 1);
- // Get the complete path of the osquery process binary.
- auto exec_path = fs::system_complete(fs::path(qd[0]["path"]));
execve(exec_path.string().c_str(), argv_, environ);
// Code should never reach this point.
LOG(ERROR) << "osqueryd could not start worker process";
@@ -401,13 +408,13 @@ bool WatcherRunner::createExtension(cons
return true;
}
-void WatcherWatcherRunner::enter() {
+void WatcherWatcherRunner::start() {
while (true) {
if (getppid() != watcher_) {
// Watcher died, the worker must follow.
VLOG(1) << "osqueryd worker (" << getpid()
<< ") detected killed watcher (" << watcher_ << ")";
- Dispatcher::removeServices();
+ Dispatcher::stopServices();
Dispatcher::joinServices();
::exit(EXIT_SUCCESS);
}

20
sysutils/osquery/files/patch-osquery_core_watcher.h Normal file
View File

@ -0,0 +1,20 @@
--- osquery/core/watcher.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/core/watcher.h
@@ -210,7 +210,7 @@ class WatcherRunner : public InternalRun
private:
/// Dispatcher (this service thread's) entry point.
- void enter();
+ void start();
/// Boilerplate function to sleep for some configured latency
bool ok();
/// Begin the worker-watcher process.
@@ -239,7 +239,7 @@ class WatcherRunner : public InternalRun
class WatcherWatcherRunner : public InternalRunnable {
public:
explicit WatcherWatcherRunner(pid_t watcher) : watcher_(watcher) {}
- void enter();
+ void start();
private:
pid_t watcher_;

13
sysutils/osquery/files/patch-osquery_database_db__handle.cpp Normal file
View File

@ -0,0 +1,13 @@
--- osquery/database/db_handle.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/database/db_handle.cpp
@@ -50,6 +50,10 @@ FLAG_ALIAS(bool, use_in_memory_database,
DBHandle::DBHandle(const std::string& path, bool in_memory) {
options_.create_if_missing = true;
options_.create_missing_column_families = true;
+ options_.info_log_level = rocksdb::WARN_LEVEL;
+ options_.log_file_time_to_roll = 0;
+ options_.keep_log_file_num = 10;
+ options_.max_log_file_size = 1024 * 1024 * 1;
if (in_memory) {
// Remove when MemEnv is included in librocksdb

69
sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.cpp Normal file
View File

@ -0,0 +1,69 @@
--- osquery/dispatcher/dispatcher.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/dispatcher.cpp
@@ -30,13 +30,19 @@ void interruptableSleep(size_t milli) {
Dispatcher::Dispatcher() {
thread_manager_ = InternalThreadManager::newSimpleThreadManager(
(size_t)FLAGS_worker_threads, 0);
- auto threadFactory = ThriftThreadFactory(new PosixThreadFactory());
- thread_manager_->threadFactory(threadFactory);
+ auto thread_factory = ThriftThreadFactory(new PosixThreadFactory());
+ thread_manager_->threadFactory(thread_factory);
thread_manager_->start();
}
+Dispatcher::~Dispatcher() { join(); }
+
Status Dispatcher::add(ThriftInternalRunnableRef task) {
+ auto& self = instance();
try {
+ if (self.state() != InternalThreadManager::STARTED) {
+ self.thread_manager_->start();
+ }
instance().thread_manager_->add(task, 0, 0);
} catch (std::exception& e) {
return Status(1, e.what());
@@ -61,7 +67,12 @@ InternalThreadManagerRef Dispatcher::get
return instance().thread_manager_;
}
-void Dispatcher::join() { instance().thread_manager_->join(); }
+void Dispatcher::join() {
+ if (instance().thread_manager_ != nullptr) {
+ instance().thread_manager_->stop();
+ instance().thread_manager_->join();
+ }
+}
void Dispatcher::joinServices() {
for (auto& thread : instance().service_threads_) {
@@ -69,11 +80,11 @@ void Dispatcher::joinServices() {
}
}
-void Dispatcher::removeServices() {
+void Dispatcher::stopServices() {
auto& self = instance();
for (const auto& service : self.services_) {
while (true) {
- // Wait for each thread's entry point (enter) meaning the thread context
+ // Wait for each thread's entry point (start) meaning the thread context
// was allocated and (run) was called by boost::thread started.
if (service->hasRun()) {
break;
@@ -82,15 +93,12 @@ void Dispatcher::removeServices() {
// the boost::thread is created.
::usleep(200);
}
+ service->stop();
}
for (auto& thread : self.service_threads_) {
thread->interrupt();
}
-
- // Deallocate services.
- self.service_threads_.clear();
- self.services_.clear();
}
InternalThreadManager::STATE Dispatcher::state() const {

95
sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.h Normal file
View File

@ -0,0 +1,95 @@
--- osquery/dispatcher/dispatcher.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/dispatcher.h
@@ -31,8 +31,12 @@
namespace osquery {
+using namespace apache::thrift::concurrency;
+
+/// Create easier to reference typedefs for Thrift layer implementations.
+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr
typedef apache::thrift::concurrency::ThreadManager InternalThreadManager;
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<InternalThreadManager> InternalThreadManagerRef;
+typedef SHARED_PTR_IMPL<InternalThreadManager> InternalThreadManagerRef;
/**
* @brief Default number of threads in the thread pool.
@@ -42,7 +46,7 @@ typedef OSQUERY_THRIFT_POINTER::shared_p
*/
extern const int kDefaultThreadPoolSize;
-class InternalRunnable : public apache::thrift::concurrency::Runnable {
+class InternalRunnable : public Runnable {
public:
virtual ~InternalRunnable() {}
InternalRunnable() : run_(false) {}
@@ -51,16 +55,20 @@ class InternalRunnable : public apache::
/// The boost::thread entrypoint.
void run() {
run_ = true;
- enter();
+ start();
}
/// Check if the thread's entrypoint (run) executed, meaning thread context
/// was allocated.
bool hasRun() { return run_; }
+ /// The runnable may also tear down services before the thread context
+ /// is removed.
+ virtual void stop() {}
+
protected:
/// Require the runnable thread define an entrypoint.
- virtual void enter() = 0;
+ virtual void start() = 0;
private:
bool run_;
@@ -70,9 +78,8 @@ class InternalRunnable : public apache::
typedef std::shared_ptr<InternalRunnable> InternalRunnableRef;
typedef std::shared_ptr<boost::thread> InternalThreadRef;
/// A thrift internal runnable with variable pointer wrapping.
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<InternalRunnable> ThriftInternalRunnableRef;
-typedef OSQUERY_THRIFT_POINTER::shared_ptr<
- apache::thrift::concurrency::PosixThreadFactory> ThriftThreadFactory;
+typedef SHARED_PTR_IMPL<InternalRunnable> ThriftInternalRunnableRef;
+typedef SHARED_PTR_IMPL<PosixThreadFactory> ThriftThreadFactory;
/**
* @brief Singleton for queueing asynchronous tasks to be executed in parallel
@@ -160,7 +167,7 @@ class Dispatcher : private boost::noncop
static void joinServices();
/// Destroy and stop all osquery service threads and service objects.
- static void removeServices();
+ static void stopServices();
/**
* @brief Get the current state of the thread manager.
@@ -248,7 +255,7 @@ class Dispatcher : private boost::noncop
Dispatcher();
Dispatcher(Dispatcher const&);
void operator=(Dispatcher const&);
- virtual ~Dispatcher() {}
+ virtual ~Dispatcher();
private:
/**
@@ -262,10 +269,15 @@ class Dispatcher : private boost::noncop
* @see getThreadManager
*/
InternalThreadManagerRef thread_manager_;
+
/// The set of shared osquery service threads.
std::vector<InternalThreadRef> service_threads_;
- /// THe set of shared osquery services.
+
+ /// The set of shared osquery services.
std::vector<InternalRunnableRef> services_;
+
+ private:
+ friend class ExtensionsTest;
};
/// Allow a dispatched thread to wait while processing or to prevent thrashing.

11
sysutils/osquery/files/patch-osquery_dispatcher_scheduler.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/dispatcher/scheduler.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/scheduler.cpp
@@ -150,7 +150,7 @@ void launchQuery(const std::string& name
}
}
-void SchedulerRunner::enter() {
+void SchedulerRunner::start() {
time_t t = std::time(nullptr);
struct tm* local = std::localtime(&t);
unsigned long int i = local->tm_sec;

11
sysutils/osquery/files/patch-osquery_dispatcher_scheduler.h Normal file
View File

@ -0,0 +1,11 @@
--- osquery/dispatcher/scheduler.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/scheduler.h
@@ -23,7 +23,7 @@ class SchedulerRunner : public InternalR
public:
/// The Dispatcher thread entry point.
- void enter();
+ void start();
protected:
/// The UNIX domain socket path for the ExtensionManager.

11
sysutils/osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/dispatcher/tests/dispatcher_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/dispatcher/tests/dispatcher_tests.cpp
@@ -28,7 +28,7 @@ class TestRunnable : public InternalRunn
public:
int* i;
explicit TestRunnable(int* i) : i(i) {}
- virtual void enter() { ++*i; }
+ virtual void start() { ++*i; }
};
TEST_F(DispatcherTests, test_add_work) {

11
sysutils/osquery/files/patch-osquery_events_darwin_fsevents.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/events/darwin/fsevents.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/fsevents.cpp
@@ -137,6 +137,8 @@ Status FSEventsEventPublisher::run() {
return Status(0, "OK");
}
+void FSEventsEventPublisher::end() { stop(); }
+
void FSEventsEventPublisher::Callback(
ConstFSEventStreamRef stream,
void* callback_info,

11
sysutils/osquery/files/patch-osquery_events_darwin_fsevents.h Normal file
View File

@ -0,0 +1,11 @@
--- osquery/events/darwin/fsevents.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/fsevents.h
@@ -76,6 +76,8 @@ class FSEventsEventPublisher
// Entrypoint to the run loop
Status run();
+ // Callin for stopping the streams/run loop.
+ void end();
public:
/// FSEvents registers a client callback instead of using a select/poll loop.

132
sysutils/osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp Normal file
View File

@ -0,0 +1,132 @@
--- osquery/events/darwin/tests/fsevents_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/darwin/tests/fsevents_tests.cpp
@@ -25,27 +25,33 @@
namespace osquery {
-const std::string kRealTestPath = kTestWorkingDirectory + "fsevents_trigger";
int kMaxEventLatency = 3000;
class FSEventsTests : public testing::Test {
protected:
- void TearDown() { boost::filesystem::remove_all(kRealTestPath); }
+ void SetUp() {
+ trigger_path = kTestWorkingDirectory + "fsevents" +
+ std::to_string(rand() % 10000 + 10000);
+ }
+
+ void TearDown() { remove(trigger_path); }
void StartEventLoop() {
event_pub_ = std::make_shared<FSEventsEventPublisher>();
EventFactory::registerEventPublisher(event_pub_);
- FILE* fd = fopen(kRealTestPath.c_str(), "w");
+ FILE* fd = fopen(trigger_path.c_str(), "w");
fclose(fd);
temp_thread_ = boost::thread(EventFactory::run, "fsevents");
+ // Wait for the publisher thread and FSEvent run loop to start.
}
void EndEventLoop() {
while (!event_pub_->hasStarted()) {
::usleep(20);
}
- EventFactory::end();
+ EventFactory::end(false);
+ temp_thread_.join();
}
void WaitForStream(int max) {
@@ -76,7 +82,7 @@ class FSEventsTests : public testing::Te
void CreateEvents(int num = 1) {
WaitForStream(kMaxEventLatency);
for (int i = 0; i < num; ++i) {
- FILE* fd = fopen(kRealTestPath.c_str(), "w");
+ FILE* fd = fopen(trigger_path.c_str(), "a");
fputs("fsevents", fd);
fclose(fd);
}
@@ -84,8 +90,14 @@ class FSEventsTests : public testing::Te
std::shared_ptr<FSEventsEventPublisher> event_pub_;
boost::thread temp_thread_;
+
+ public:
+ /// Trigger path is the current test's eventing sink (accessed anywhere).
+ static std::string trigger_path;
};
+std::string FSEventsTests::trigger_path = kTestWorkingDirectory + "fsevents";
+
TEST_F(FSEventsTests, test_register_event_pub) {
auto pub = std::make_shared<FSEventsEventPublisher>();
auto status = EventFactory::registerEventPublisher(pub);
@@ -159,7 +171,7 @@ class TestFSEventsEventSubscriber
SCRef GetSubscription(uint32_t mask = 0) {
auto sc = createSubscriptionContext();
- sc->path = kRealTestPath;
+ sc->path = FSEventsTests::trigger_path;
sc->mask = mask;
return sc;
}
@@ -176,10 +188,10 @@ class TestFSEventsEventSubscriber
return Status(0, "OK");
}
- void WaitForEvents(int max) {
+ void WaitForEvents(int max, int initial = 0) {
int delay = 0;
while (delay < max * 1000) {
- if (callback_count_ > 0) {
+ if (callback_count_ > initial) {
return;
}
::usleep(50);
@@ -203,14 +215,17 @@ TEST_F(FSEventsTests, test_fsevents_run)
// Create a subscriptioning context
auto mc = std::make_shared<FSEventsSubscriptionContext>();
- mc->path = kRealTestPath;
+ mc->path = trigger_path;
EventFactory::addSubscription(
"fsevents", Subscription::create("TestFSEventsEventSubscriber", mc));
// Create an event loop thread (similar to main)
- boost::thread temp_thread(EventFactory::run, "fsevents");
+ temp_thread_ = boost::thread(EventFactory::run, "fsevents");
EXPECT_TRUE(event_pub_->numEvents() == 0);
+ // Wait for the thread to start and the FSEvents stream to turn on.
+ WaitForStream(kMaxEventLatency);
+
// Cause an fsevents event(s) by writing to the watched path.
CreateEvents();
@@ -218,7 +233,10 @@ TEST_F(FSEventsTests, test_fsevents_run)
WaitForEvents(kMaxEventLatency);
EXPECT_TRUE(event_pub_->numEvents() > 0);
- EventFactory::end();
+
+ // We are managing the thread ourselves, so no join needed.
+ EventFactory::end(false);
+ temp_thread_.join();
}
TEST_F(FSEventsTests, test_fsevents_fire_event) {
@@ -257,10 +275,9 @@ TEST_F(FSEventsTests, test_fsevents_even
sub->WaitForEvents(kMaxEventLatency);
// Make sure the fsevents action was expected.
- EXPECT_TRUE(sub->actions_.size() > 0);
- if (sub->actions_.size() > 1) {
- EXPECT_EQ(sub->actions_[0], "UPDATED");
- }
+ ASSERT_TRUE(sub->actions_.size() > 0);
+ EXPECT_EQ(sub->actions_[0], "CREATED");
+
EndEventLoop();
}
}

70
sysutils/osquery/files/patch-osquery_events_events.cpp Normal file
View File

@ -0,0 +1,70 @@
--- osquery/events/events.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/events/events.cpp
@@ -407,6 +407,8 @@ void EventFactory::delay() {
}
Status EventFactory::run(EventPublisherID& type_id) {
+ auto& ef = EventFactory::getInstance();
+
// An interesting take on an event dispatched entrypoint.
// There is little introspection into the event type.
// Assume it can either make use of an entrypoint poller/selector or
@@ -414,12 +416,17 @@ Status EventFactory::run(EventPublisherI
// only once and handle event queueing/firing in callbacks.
EventPublisherRef publisher;
try {
- publisher = EventFactory::getInstance().getEventPublisher(type_id);
+ publisher = ef.getEventPublisher(type_id);
} catch (std::out_of_range& e) {
return Status(1, "No event type found");
}
- VLOG(1) << "Starting event publisher runloop: " + type_id;
+ if (publisher == nullptr) {
+ return Status(1, "Event publisher is missing");
+ } else if (publisher->hasStarted()) {
+ return Status(1, "Cannot restart an event publisher");
+ }
+ VLOG(1) << "Starting event publisher run loop: " + type_id;
publisher->hasStarted(true);
auto status = Status(0, "OK");
@@ -428,11 +435,12 @@ Status EventFactory::run(EventPublisherI
status = publisher->run();
osquery::publisherSleep(EVENTS_COOLOFF);
}
-
// The runloop status is not reflective of the event type's.
- publisher->tearDown();
VLOG(1) << "Event publisher " << publisher->type()
- << " runloop terminated for reason: " << status.getMessage();
+ << " run loop terminated for reason: " << status.getMessage();
+ // Publishers auto tear down when their run loop stops.
+ publisher->tearDown();
+ ef.event_pubs_.erase(type_id);
return Status(0, "OK");
}
@@ -573,9 +581,12 @@ Status EventFactory::deregisterEventPubl
// If a publisher's run loop was not started, call tearDown since
// the setUp happened at publisher registration time.
publisher->tearDown();
+ // If the run loop did run the tear down and erase will happen in the event
+ // thread wrapper when isEnding is next checked.
+ ef.event_pubs_.erase(type_id);
+ } else {
+ publisher->end();
}
-
- ef.event_pubs_.erase(type_id);
return Status(0, "OK");
}
@@ -612,6 +623,7 @@ void EventFactory::end(bool join) {
}
}
+ // A small cool off helps OS API event publisher flushing.
::usleep(400);
ef.threads_.clear();
}

11
sysutils/osquery/files/patch-osquery_extensions_extensions.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/extensions/extensions.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/extensions.cpp
@@ -76,7 +76,7 @@ EXTENSION_FLAG_ALIAS(socket, extensions_
EXTENSION_FLAG_ALIAS(timeout, extensions_timeout);
EXTENSION_FLAG_ALIAS(interval, extensions_interval);
-void ExtensionWatcher::enter() {
+void ExtensionWatcher::start() {
// Watch the manager, if the socket is removed then the extension will die.
while (true) {
watch();

126
sysutils/osquery/files/patch-osquery_extensions_interface.cpp Normal file
View File

@ -0,0 +1,126 @@
--- osquery/extensions/interface.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/interface.cpp
@@ -173,89 +173,56 @@ bool ExtensionManagerHandler::exists(con
}
}
-ExtensionRunner::~ExtensionRunner() { remove(path_); }
+ExtensionRunnerCore::~ExtensionRunnerCore() { remove(path_); }
-void ExtensionRunner::enter() {
- // Set the socket information for the extension manager.
- auto socket_path = path_;
+void ExtensionRunnerCore::stop() {
+ if (server_ != nullptr) {
+ server_->stop();
+ }
+}
- // Create the thrift instances.
- OSQUERY_THRIFT_POINTER::shared_ptr<ExtensionHandler> handler(
- new ExtensionHandler(uuid_));
- OSQUERY_THRIFT_POINTER::shared_ptr<TProcessor> processor(
- new ExtensionProcessor(handler));
- OSQUERY_THRIFT_POINTER::shared_ptr<TServerTransport> serverTransport(
- new TServerSocket(socket_path));
- OSQUERY_THRIFT_POINTER::shared_ptr<TTransportFactory> transportFactory(
- new TBufferedTransportFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProtocolFactory> protocolFactory(
- new TBinaryProtocolFactory());
+void ExtensionRunnerCore::startServer(TProcessorRef processor) {
+ auto transport = TServerTransportRef(new TServerSocket(path_));
+ auto transport_fac = TTransportFactoryRef(new TBufferedTransportFactory());
+ auto protocol_fac = TProtocolFactoryRef(new TBinaryProtocolFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<ThreadManager> threadManager =
- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads);
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory> threadFactory =
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory>(
- new PosixThreadFactory());
- threadManager->threadFactory(threadFactory);
- threadManager->start();
+ auto thread_manager_ =
+ ThreadManager::newSimpleThreadManager((size_t)FLAGS_worker_threads, 0);
+ auto thread_fac = ThriftThreadFactory(new PosixThreadFactory());
+ thread_manager_->threadFactory(thread_fac);
+ thread_manager_->start();
// Start the Thrift server's run loop.
+ server_ = TThreadPoolServerRef(new TThreadPoolServer(
+ processor, transport, transport_fac, protocol_fac, thread_manager_));
+ server_->serve();
+}
+
+void ExtensionRunner::start() {
+ // Create the thrift instances.
+ auto handler = ExtensionHandlerRef(new ExtensionHandler(uuid_));
+ auto processor = TProcessorRef(new ExtensionProcessor(handler));
+
+ VLOG(1) << "Extension service starting: " << path_;
try {
- VLOG(1) << "Extension service starting: " << socket_path;
- TThreadPoolServer server(processor,
- serverTransport,
- transportFactory,
- protocolFactory,
- threadManager);
- server.serve();
+ startServer(processor);
} catch (const std::exception& e) {
- LOG(ERROR) << "Cannot start extension handler: " << socket_path << " ("
+ LOG(ERROR) << "Cannot start extension handler: " << path_ << " ("
<< e.what() << ")";
- return;
}
}
-ExtensionManagerRunner::~ExtensionManagerRunner() {
- // Remove the socket path.
- remove(path_);
-}
-
-void ExtensionManagerRunner::enter() {
- // Set the socket information for the extension manager.
- auto socket_path = path_;
-
+void ExtensionManagerRunner::start() {
// Create the thrift instances.
- OSQUERY_THRIFT_POINTER::shared_ptr<ExtensionManagerHandler> handler(
- new ExtensionManagerHandler());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProcessor> processor(
- new ExtensionManagerProcessor(handler));
- OSQUERY_THRIFT_POINTER::shared_ptr<TServerTransport> serverTransport(
- new TServerSocket(socket_path));
- OSQUERY_THRIFT_POINTER::shared_ptr<TTransportFactory> transportFactory(
- new TBufferedTransportFactory());
- OSQUERY_THRIFT_POINTER::shared_ptr<TProtocolFactory> protocolFactory(
- new TBinaryProtocolFactory());
-
- OSQUERY_THRIFT_POINTER::shared_ptr<ThreadManager> threadManager =
- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads);
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory> threadFactory =
- OSQUERY_THRIFT_POINTER::shared_ptr<PosixThreadFactory>(
- new PosixThreadFactory());
- threadManager->threadFactory(threadFactory);
- threadManager->start();
+ auto handler = ExtensionManagerHandlerRef(new ExtensionManagerHandler());
+ auto processor = TProcessorRef(new ExtensionManagerProcessor(handler));
- // Start the Thrift server's run loop.
+ VLOG(1) << "Extension manager service starting: " << path_;
try {
- VLOG(1) << "Extension manager service starting: " << socket_path;
- TThreadPoolServer server(processor,
- serverTransport,
- transportFactory,
- protocolFactory,
- threadManager);
- server.serve();
+ startServer(processor);
} catch (const std::exception& e) {
LOG(WARNING) << "Extensions disabled: cannot start extension manager ("
- << socket_path << ") (" << e.what() << ")";
+ << path_ << ") (" << e.what() << ")";
}
}
}

189
sysutils/osquery/files/patch-osquery_extensions_interface.h Normal file
View File

@ -0,0 +1,189 @@
--- osquery/extensions/interface.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/interface.h
@@ -30,7 +30,6 @@
// clang-format on
namespace osquery {
-namespace extensions {
using namespace apache::thrift;
using namespace apache::thrift::protocol;
@@ -38,6 +37,21 @@ using namespace apache::thrift::transpor
using namespace apache::thrift::server;
using namespace apache::thrift::concurrency;
+/// Create easier to reference typedefs for Thrift layer implementations.
+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr
+typedef SHARED_PTR_IMPL<TSocket> TSocketRef;
+typedef SHARED_PTR_IMPL<TTransport> TTransportRef;
+typedef SHARED_PTR_IMPL<TProtocol> TProtocolRef;
+
+typedef SHARED_PTR_IMPL<TProcessor> TProcessorRef;
+typedef SHARED_PTR_IMPL<TServerTransport> TServerTransportRef;
+typedef SHARED_PTR_IMPL<TTransportFactory> TTransportFactoryRef;
+typedef SHARED_PTR_IMPL<TProtocolFactory> TProtocolFactoryRef;
+typedef SHARED_PTR_IMPL<PosixThreadFactory> PosixThreadFactoryRef;
+typedef std::shared_ptr<TThreadPoolServer> TThreadPoolServerRef;
+
+namespace extensions {
+
/**
* @brief The Thrift API server used by an osquery Extension process.
*
@@ -68,6 +82,7 @@ class ExtensionHandler : virtual public
const ExtensionPluginRequest& request);
protected:
+ /// Transient UUID assigned to the extension after registering.
RouteUUID uuid_;
};
@@ -163,6 +178,7 @@ class ExtensionManagerHandler : virtual
private:
/// Check if an extension exists by the name it registered.
bool exists(const std::string& name);
+
/// Introspect into the registry, checking if any extension routes have been
/// removed.
void refresh();
@@ -170,6 +186,9 @@ class ExtensionManagerHandler : virtual
/// Maintain a map of extension UUID to metadata for tracking deregistration.
InternalExtensionList extensions_;
};
+
+typedef SHARED_PTR_IMPL<ExtensionHandler> ExtensionHandlerRef;
+typedef SHARED_PTR_IMPL<ExtensionManagerHandler> ExtensionManagerHandlerRef;
}
/// A Dispatcher service thread that watches an ExtensionManagerHandler.
@@ -183,7 +202,8 @@ class ExtensionWatcher : public Internal
public:
/// The Dispatcher thread entry point.
- void enter();
+ void start();
+
/// Perform health checks.
virtual void watch();
@@ -194,8 +214,10 @@ class ExtensionWatcher : public Internal
protected:
/// The UNIX domain socket path for the ExtensionManager.
std::string path_;
+
/// The internal in milliseconds to ping the ExtensionManager.
size_t interval_;
+
/// If the ExtensionManager socket is closed, should the extension exit.
bool fatal_;
};
@@ -205,60 +227,87 @@ class ExtensionManagerWatcher : public E
ExtensionManagerWatcher(const std::string& path, size_t interval)
: ExtensionWatcher(path, interval, false) {}
+ /// Start a specialized health check for an ExtensionManager.
void watch();
};
-/// A Dispatcher service thread that starts ExtensionHandler.
-class ExtensionRunner : public InternalRunnable {
+class ExtensionRunnerCore : public InternalRunnable {
+ public:
+ virtual ~ExtensionRunnerCore();
+ ExtensionRunnerCore(const std::string& path)
+ : path_(path), server_(nullptr) {}
+
+ public:
+ /// Given a handler transport and protocol start a thrift threaded server.
+ void startServer(TProcessorRef processor);
+
+ // The Dispatcher thread service stop point.
+ void stop();
+
+ protected:
+ /// The UNIX domain socket used for requests from the ExtensionManager.
+ std::string path_;
+
+ /// Server instance, will be stopped if thread service is removed.
+ TThreadPoolServerRef server_;
+};
+
+/**
+ * @brief A Dispatcher service thread that starts ExtensionHandler.
+ *
+ * This runner will start a Thrift Extension server, call serve, and wait
+ * until the extension exists or the ExtensionManager (core) terminates or
+ * deregisters the extension.
+ *
+ */
+class ExtensionRunner : public ExtensionRunnerCore {
public:
- virtual ~ExtensionRunner();
ExtensionRunner(const std::string& manager_path, RouteUUID uuid)
- : uuid_(uuid) {
+ : ExtensionRunnerCore(""), uuid_(uuid) {
path_ = getExtensionSocket(uuid, manager_path);
}
public:
- /// The Dispatcher thread entry point.
- void enter();
+ void start();
/// Access the UUID provided by the ExtensionManager.
RouteUUID getUUID() { return uuid_; }
private:
- /// The UNIX domain socket used for requests from the ExtensionManager.
- std::string path_;
/// The unique and transient Extension UUID assigned by the ExtensionManager.
RouteUUID uuid_;
};
-/// A Dispatcher service thread that starts ExtensionManagerHandler.
-class ExtensionManagerRunner : public InternalRunnable {
+/**
+ * @brief A Dispatcher service thread that starts ExtensionManagerHandler.
+ *
+ * This runner will start a Thrift ExtensionManager server, call serve, and wait
+ * until for extensions to register, or thrift API calls.
+ *
+ */
+class ExtensionManagerRunner : public ExtensionRunnerCore {
public:
- virtual ~ExtensionManagerRunner();
explicit ExtensionManagerRunner(const std::string& manager_path)
- : path_(manager_path) {}
+ : ExtensionRunnerCore(manager_path) {}
public:
- void enter();
-
- private:
- std::string path_;
+ void start();
};
/// Internal accessor for extension clients.
class EXInternal {
public:
explicit EXInternal(const std::string& path)
- : socket_(new extensions::TSocket(path)),
- transport_(new extensions::TBufferedTransport(socket_)),
- protocol_(new extensions::TBinaryProtocol(transport_)) {}
+ : socket_(new TSocket(path)),
+ transport_(new TBufferedTransport(socket_)),
+ protocol_(new TBinaryProtocol(transport_)) {}
virtual ~EXInternal() { transport_->close(); }
protected:
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TSocket> socket_;
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TTransport> transport_;
- OSQUERY_THRIFT_POINTER::shared_ptr<extensions::TProtocol> protocol_;
+ TSocketRef socket_;
+ TTransportRef transport_;
+ TProtocolRef protocol_;
};
/// Internal accessor for a client to an extension (from an extension manager).

136
sysutils/osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp Normal file
View File

@ -0,0 +1,136 @@
--- osquery/extensions/tests/extensions_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/extensions/tests/extensions_tests.cpp
@@ -30,16 +30,17 @@ const std::string kTestManagerSocket = k
class ExtensionsTest : public testing::Test {
protected:
void SetUp() {
- remove(kTestManagerSocket);
- if (pathExists(kTestManagerSocket).ok()) {
- throw std::domain_error("Cannot test sockets: " + kTestManagerSocket);
+ socket_path = kTestManagerSocket + std::to_string(rand());
+ remove(socket_path);
+ if (pathExists(socket_path).ok()) {
+ throw std::domain_error("Cannot test sockets: " + socket_path);
}
}
void TearDown() {
- Dispatcher::removeServices();
+ Dispatcher::stopServices();
Dispatcher::joinServices();
- remove(kTestManagerSocket);
+ remove(socket_path);
}
bool ping(int attempts = 3) {
@@ -47,7 +48,7 @@ class ExtensionsTest : public testing::T
ExtensionStatus status;
for (int i = 0; i < attempts; ++i) {
try {
- EXManagerClient client(kTestManagerSocket);
+ EXManagerClient client(socket_path);
client.get()->ping(status);
return (status.code == ExtensionCode::EXT_SUCCESS);
} catch (const std::exception& e) {
@@ -63,7 +64,7 @@ class ExtensionsTest : public testing::T
ExtensionResponse response;
for (int i = 0; i < attempts; ++i) {
try {
- EXManagerClient client(kTestManagerSocket);
+ EXManagerClient client(socket_path);
client.get()->query(response, sql);
} catch (const std::exception& e) {
::usleep(kDelayUS);
@@ -81,7 +82,7 @@ class ExtensionsTest : public testing::T
ExtensionList registeredExtensions(int attempts = 3) {
ExtensionList extensions;
for (int i = 0; i < attempts; ++i) {
- if (getExtensions(kTestManagerSocket, extensions).ok()) {
+ if (getExtensions(socket_path, extensions).ok()) {
break;
}
}
@@ -101,34 +102,37 @@ class ExtensionsTest : public testing::T
}
return false;
}
+
+ public:
+ std::string socket_path;
};
TEST_F(ExtensionsTest, test_manager_runnable) {
// Start a testing extension manager.
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
// Call success if the Unix socket was created.
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
}
TEST_F(ExtensionsTest, test_extension_runnable) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
// Wait for the extension manager to start.
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// Test the extension manager API 'ping' call.
EXPECT_TRUE(ping());
}
TEST_F(ExtensionsTest, test_extension_start) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// Now allow duplicates (for testing, since EM/E are the same).
Registry::allowDuplicates(true);
- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1");
+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1");
// This will not be false since we are allowing deplicate items.
// Otherwise, starting an extension and extensionManager would fatal.
ASSERT_TRUE(status.ok());
@@ -138,7 +142,7 @@ TEST_F(ExtensionsTest, test_extension_st
RouteUUID uuid = (RouteUUID)stoi(status.getMessage(), nullptr, 0);
// We can test-wait for the extensions's socket to open.
- EXPECT_TRUE(socketExists(kTestManagerSocket + "." + std::to_string(uuid)));
+ EXPECT_TRUE(socketExists(socket_path + "." + std::to_string(uuid)));
// Then clean up the registry modifications.
Registry::removeBroadcast(uuid);
@@ -160,9 +164,9 @@ class TestExtensionPlugin : public Exten
CREATE_REGISTRY(ExtensionPlugin, "extension_test");
TEST_F(ExtensionsTest, test_extension_broadcast) {
- auto status = startExtensionManager(kTestManagerSocket);
+ auto status = startExtensionManager(socket_path);
EXPECT_TRUE(status.ok());
- EXPECT_TRUE(socketExists(kTestManagerSocket));
+ EXPECT_TRUE(socketExists(socket_path));
// This time we're going to add a plugin to the extension_test registry.
Registry::add<TestExtensionPlugin>("extension_test", "test_item");
@@ -180,7 +184,7 @@ TEST_F(ExtensionsTest, test_extension_br
EXPECT_TRUE(Registry::exists("extension_test", "test_item"));
EXPECT_FALSE(Registry::exists("extension_test", "test_alias"));
- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1");
+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1");
EXPECT_TRUE(status.ok());
RouteUUID uuid;
@@ -191,7 +195,7 @@ TEST_F(ExtensionsTest, test_extension_br
return;
}
- auto ext_socket = kTestManagerSocket + "." + std::to_string(uuid);
+ auto ext_socket = socket_path + "." + std::to_string(uuid);
EXPECT_TRUE(socketExists(ext_socket));
// Make sure the EM registered the extension (called in start extension).

10
sysutils/osquery/files/patch-osquery_filesystem_CMakeLists.txt Normal file
View File

@ -0,0 +1,10 @@
--- osquery/filesystem/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ osquery/filesystem/CMakeLists.txt
@@ -4,6 +4,7 @@ if(APPLE)
)
ADD_OSQUERY_LINK(TRUE "-framework Foundation")
+elseif(FREEBSD)
elseif(LINUX)
ADD_OSQUERY_LIBRARY(TRUE osquery_filesystem_linux
linux/mem.cpp

23
sysutils/osquery/files/patch-osquery_main_run.cpp Normal file
View File

@ -0,0 +1,23 @@
--- osquery/main/run.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/main/run.cpp
@@ -10,10 +10,9 @@
#include <errno.h>
-#include <gflags/gflags.h>
-
#include <osquery/core.h>
#include <osquery/events.h>
+#include <osquery/flags.h>
#include <osquery/logger.h>
#include <osquery/sql.h>
@@ -27,7 +26,7 @@ int main(int argc, char* argv[]) {
// Let gflags parse the non-help options/flags.
GFLAGS_NAMESPACE::ParseCommandLineFlags(&argc, &argv, false);
- GFLAGS_NAMESPACE::InitGoogleLogging(argv[0]);
+ google::InitGoogleLogging(argv[0]);
if (FLAGS_query == "") {
fprintf(stderr, "Usage: %s --query=\"query\"\n", argv[0]);

112
sysutils/osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp Normal file
View File

@ -0,0 +1,112 @@
--- osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp
@@ -16,6 +16,8 @@
#include <gtest/gtest.h>
#include <osquery/enrollment.h>
+
+#include "osquery/dispatcher/dispatcher.h"
#include "osquery/remote/requests.h"
#include "osquery/remote/transports/http.h"
#include "osquery/remote/serializers/json.h"
@@ -35,48 +37,78 @@ struct TestHTTPEnrollmentHandler {
response = Server::response::stock_reply(
Server::response::ok, std::string("{\"enrollment_key\":\"potatoes\"}"));
}
- void log(...) {}
+
+ void log(Server::string_type const &info) {
+ VLOG(1) << "TestHTTPEnrollmentHandler logging";
+ }
+};
+
+class HTTPEnrollServerRunner : public InternalRunnable {
+ public:
+ explicit HTTPEnrollServerRunner(std::shared_ptr<Server> server)
+ : server_(server) {}
+
+ void start() {
+ // Using a dispatcher and runnable allows us to catch and pretty print
+ // any socket/service exceptions.
+ try {
+ server_->run();
+ } catch (const std::exception &e) {
+ LOG(ERROR) << "Testing HTTP server failed: " << e.what();
+ }
+ }
+
+ private:
+ std::shared_ptr<Server> server_;
};
class RemoteEnrollmentTests : public testing::Test {
public:
- RemoteEnrollmentTests() {
- auto enroll_port = std::to_string(rand() % 10000 + 10000);
- FLAGS_enrollment_uri = "http://localhost:" + enroll_port;
- FLAGS_enrollment_app_id = "just_a_test_id";
+ void SetUp() {
+ port_ = std::to_string(rand() % 10000 + 20000);
TestHTTPEnrollmentHandler handler;
- Server::options options(handler);
- server_ = std::make_shared<Server>(
- options.address("127.0.0.1").port(enroll_port));
- t_ =
- std::make_shared<boost::thread>(boost::bind(&Server::run, &(*server_)));
+ Server::options opts(handler);
+
+ // Create an HTTP server instance.
+ server_ = std::make_shared<Server>(opts.address("127.0.0.1").port(port_));
+
+ // Create a runnable and add it to the dispatcher.
+ Dispatcher::addService(std::make_shared<HTTPEnrollServerRunner>(server_));
}
~RemoteEnrollmentTests() {
server_->stop();
- t_->join();
+ Dispatcher::joinServices();
}
- private:
+ protected:
std::shared_ptr<Server> server_;
- std::shared_ptr<boost::thread> t_;
+ std::string port_;
};
-/*
TEST_F(RemoteEnrollmentTests, test_enroll) {
+ // Set the enrollment URI to the server we created.
+ FLAGS_enrollment_uri = "http://127.0.0.1:" + port_;
+ FLAGS_enrollment_app_id = "just_a_test_id";
+
// Call enroll
PluginRequest request = {
- {"enroll", "1"}, // 0 enroll if needed, 1 force re-enroll
+ {"enroll", "1"},
+ // 0 enroll if needed, 1 force re-enroll
};
PluginResponse resp;
Status stat = Registry::call("enrollment", "get_key", request, resp);
- EXPECT_TRUE(stat.ok());
- // Verify get key contains the string
- if (resp.size() == 1) {
- EXPECT_EQ(resp[0]["key"], "potatoes");
- } else {
- EXPECT_EQ(resp.size(), 1);
+
+ // The enrollment server test mostly stresses workflow and code coverage.
+ // Occasionally, like with the transports testing, the non-mocked netlib
+ // server failed to bind.
+ if (stat.ok()) {
+ // Verify get key contains the string
+ if (resp.size() == 1) {
+ EXPECT_EQ(resp[0]["key"], "potatoes");
+ } else {
+ EXPECT_EQ(resp.size(), 1);
+ }
}
}
-*/
}

11
sysutils/osquery/files/patch-osquery_remote_requests.h Normal file
View File

@ -0,0 +1,11 @@
--- osquery/remote/requests.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/requests.h
@@ -152,7 +152,7 @@ class Serializer {
std::string& serialized) = 0;
/**
- * @brief Deerialize a property tree into a property tree
+ * @brief Deserialize a property tree into a property tree
*
* @param params A string of serialized parameters
*

38
sysutils/osquery/files/patch-osquery_remote_transports_http.cpp Normal file
View File

@ -0,0 +1,38 @@
--- osquery/remote/transports/http.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/transports/http.cpp
@@ -25,9 +25,14 @@ Status HTTPTransport::sendRequest() {
http::client client;
http::client::request r(destination_);
decorateRequest(r);
- response_ = client.get(r);
- response_status_ =
- serializer_->deserialize(body(response_), response_params_);
+
+ try {
+ response_ = client.get(r);
+ response_status_ =
+ serializer_->deserialize(body(response_), response_params_);
+ } catch (const std::exception& e) {
+ return Status(1, std::string("Request error: ") + e.what());
+ }
return response_status_;
}
@@ -35,9 +40,14 @@ Status HTTPTransport::sendRequest(const
http::client client;
http::client::request r(destination_);
decorateRequest(r);
- response_ = client.post(r, params);
- response_status_ =
- serializer_->deserialize(body(response_), response_params_);
+
+ try {
+ response_ = client.post(r, params);
+ response_status_ =
+ serializer_->deserialize(body(response_), response_params_);
+ } catch (const std::exception& e) {
+ return Status(1, std::string("Request error: ") + e.what());
+ }
return response_status_;
}
}

116
sysutils/osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp Normal file
View File

@ -0,0 +1,116 @@
--- osquery/remote/transports/tests/http_transports_tests.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/remote/transports/tests/http_transports_tests.cpp
@@ -15,6 +15,7 @@
#include <gtest/gtest.h>
+#include "osquery/dispatcher/dispatcher.h"
#include "osquery/remote/requests.h"
#include "osquery/remote/serializers/json.h"
#include "osquery/remote/transports/http.h"
@@ -32,51 +33,83 @@ struct TestHTTPTransportHandler {
std::string("{\"foo\":\"bar\"}"));
}
- void log(...) {}
+ void log(Server::string_type const &info) {
+ VLOG(1) << "TestHTTPTransportHandler logging";
+ }
+};
+
+class HTTPServerRunner : public InternalRunnable {
+ public:
+ explicit HTTPServerRunner(std::shared_ptr<Server> server) : server_(server) {}
+
+ void start() {
+ // Using a dispatcher and runnable allows us to catch and pretty print
+ // any socket/service exceptions.
+ try {
+ server_->run();
+ } catch (const std::exception &e) {
+ LOG(ERROR) << "Testing HTTP server failed: " << e.what();
+ }
+ }
+
+ private:
+ std::shared_ptr<Server> server_;
};
class HTTPTransportsTests : public testing::Test {
public:
- HTTPTransportsTests() {
- port_ = std::to_string(rand() % 10000 + 10000);
+ void SetUp() {
+ port_ = std::to_string(rand() % 10000 + 20000);
TestHTTPTransportHandler handler;
- Server::options options(handler);
- server_ =
- std::make_shared<Server>(options.address("127.0.0.1").port(port_));
- t_ =
- std::make_shared<boost::thread>(boost::bind(&Server::run, &(*server_)));
+ Server::options opts(handler);
+
+ // Create an HTTP server instance.
+ server_ = std::make_shared<Server>(opts.address("127.0.0.1").port(port_));
+
+ // Create a runnable and add it to the dispatcher.
+ Dispatcher::addService(std::make_shared<HTTPServerRunner>(server_));
}
- ~HTTPTransportsTests() {
+ void TearDown() {
server_->stop();
- t_->join();
+ Dispatcher::joinServices();
}
protected:
std::shared_ptr<Server> server_;
- std::shared_ptr<boost::thread> t_;
std::string port_;
};
TEST_F(HTTPTransportsTests, test_call) {
auto r = Request<HTTPTransport, JSONSerializer>("http://127.0.0.1:" + port_);
- auto s1 = r.call();
- EXPECT_TRUE(s1.ok());
- boost::property_tree::ptree params;
- auto s2 = r.getResponse(params);
- EXPECT_TRUE(s2.ok());
+ Status status;
+ ASSERT_NO_THROW(status = r.call());
+
+ // Sometimes the best we can test is the call workflow.
+ if (status.ok()) {
+ boost::property_tree::ptree params;
+ status = r.getResponse(params);
+ EXPECT_TRUE(status.ok());
+ } else {
+ // The socket bind failed.
+ }
}
TEST_F(HTTPTransportsTests, test_call_with_params) {
auto r = Request<HTTPTransport, JSONSerializer>("http://127.0.0.1:" + port_);
boost::property_tree::ptree params;
params.put<std::string>("foo", "bar");
- auto s1 = r.call(params);
- EXPECT_TRUE(s1.ok());
- boost::property_tree::ptree recv;
- auto s2 = r.getResponse(recv);
- EXPECT_TRUE(s2.ok());
- EXPECT_EQ(params, recv);
+ Status status;
+ ASSERT_NO_THROW(status = r.call(params));
+
+ if (status.ok()) {
+ boost::property_tree::ptree recv;
+ auto s2 = r.getResponse(recv);
+ EXPECT_TRUE(s2.ok());
+ EXPECT_EQ(params, recv);
+ } else {
+ // The socket bind failed.
+ }
}
}

39
sysutils/osquery/files/patch-osquery_tables_CMakeLists.txt Normal file
View File

@ -0,0 +1,39 @@
--- osquery/tables/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/CMakeLists.txt
@@ -33,7 +33,7 @@ else()
file(GLOB OSQUERY_LINUX_TABLES_TESTS "*/linux/tests/*.cpp")
ADD_OSQUERY_TABLE_TEST(${OSQUERY_LINUX_TABLES_TESTS})
- if(CENTOS)
+ if(CENTOS OR RHEL)
# CentOS specific tables
file(GLOB OSQUERY_REDHAT_TABLES "*/centos/*.cpp")
ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat
@@ -59,7 +59,7 @@ else()
ADD_OSQUERY_LINK(FALSE "uuid")
endif()
-file(GLOB OSQUERY_CROSS_TABLES "[!u]*/*.cpp")
+file(GLOB OSQUERY_CROSS_TABLES "[!ue]*/*.cpp")
ADD_OSQUERY_LIBRARY(FALSE osquery_tables
${OSQUERY_CROSS_TABLES}
)
@@ -72,10 +72,12 @@ ADD_OSQUERY_LIBRARY(TRUE osquery_tables_
${OSQUERY_UTILITY_TABLES}
)
-file(GLOB OSQUERY_UTILS "utils/*.cpp")
-ADD_OSQUERY_LIBRARY(FALSE osquery_utils
- ${OSQUERY_UTILS}
-)
+if(NOT FREEBSD)
+ file(GLOB OSQUERY_UTILS "utils/*.cpp")
+ ADD_OSQUERY_LIBRARY(FALSE osquery_utils
+ ${OSQUERY_UTILS}
+ )
-file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")
-ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})
+ file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp")
+ ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS})
+endif()

12
sysutils/osquery/files/patch-osquery_tables_networking_interfaces.cpp Normal file
View File

@ -0,0 +1,12 @@
--- osquery/tables/networking/interfaces.cpp.orig 2015-05-08 22:48:42 UTC
+++ osquery/tables/networking/interfaces.cpp
@@ -11,8 +11,8 @@
#include <sstream>
#include <iomanip>
-#include <ifaddrs.h>
#include <net/if.h>
+#include <ifaddrs.h>
#include <sys/socket.h>
#ifdef __linux__

16
sysutils/osquery/files/patch-osquery_tables_networking_utils.h Normal file
View File

@ -0,0 +1,16 @@
--- osquery/tables/networking/utils.h.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/networking/utils.h
@@ -19,10 +19,10 @@ namespace osquery {
namespace tables {
// Define AF_INTERFACE as the alias for interface details.
-#ifdef __APPLE__
-#define AF_INTERFACE AF_LINK
-#else
+#ifdef __linux__
#define AF_INTERFACE AF_PACKET
+#else
+#define AF_INTERFACE AF_LINK
#endif
// Return a string representation for an IPv4/IPv6 struct.

40
sysutils/osquery/files/patch-osquery_tables_specs_blacklist Normal file
View File

@ -0,0 +1,40 @@
--- osquery/tables/specs/blacklist.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/specs/blacklist
@@ -1,4 +1,36 @@
# osquery/tables/specs/blacklist
# Usage: add table spec names to this list to prevent table generation
# Example: add tables that are not yet ready for release
-
+# Example: add a platform:table_name, which is not yet ready
+freebsd:acpi_tables
+freebsd:arp_cache
+freebsd:block_devices
+freebsd:chrome_extensions
+freebsd:disk_encryption
+freebsd:file_events
+freebsd:firefox_addons
+#freebsd:groups
+freebsd:hardware_events
+#freebsd:interface_addresses
+#freebsd:interface_details
+freebsd:kernel_info
+freebsd:last
+#freebsd:listening_ports
+freebsd:mounts
+freebsd:opera_extensions
+freebsd:os_version
+freebsd:passwd_changes
+freebsd:pci_devices
+freebsd:process_envs
+freebsd:process_memory_map
+freebsd:process_open_files
+freebsd:process_open_sockets
+freebsd:processes
+freebsd:routes
+freebsd:system_controls
+freebsd:usb_devices
+freebsd:users
+freebsd:yara_events
+freebsd:yara
+freebsd:system_controls
+freebsd:smbios_tables

11
sysutils/osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/tables/system/centos/rpm_packages.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/centos/rpm_packages.cpp
@@ -147,7 +147,7 @@ QueryData genRpmPackageFiles(QueryContex
r["mode"] = lsperms(rpmfiFMode(fi));
r["size"] = BIGINT(rpmfiFSize(fi));
-#ifdef CENTOS_CENTOS6
+#if defined(CENTOS_CENTOS6) || defined(RHEL_RHEL6)
// Older versions of rpmlib/rpmip use a hash algorithm enum.
pgpHashAlgo digest_algo;
#else

39
sysutils/osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp Normal file
View File

@ -0,0 +1,39 @@
--- osquery/tables/system/freebsd/sysctl_utils.cpp.orig 2015-05-08 22:20:24 UTC
+++ osquery/tables/system/freebsd/sysctl_utils.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2014, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ *
+ */
+
+//#include <sys/sysctl.h>
+
+#include <osquery/filesystem.h>
+#include <osquery/tables.h>
+
+#include "osquery/tables/system/sysctl_utils.h"
+
+namespace osquery {
+namespace tables {
+
+void genControlInfo(int* oid,
+ size_t oid_size,
+ QueryData& results,
+ const std::map<std::string, std::string>& config) {
+}
+
+void genControlInfoFromName(const std::string& name, QueryData& results,
+ const std::map<std::string, std::string>& config) {
+}
+
+void genAllControls(QueryData& results,
+ const std::map<std::string, std::string>& config,
+ const std::string& subsystem) {
+}
+}
+}

11
sysutils/osquery/files/patch-osquery_tables_system_linux_os__version.cpp Normal file
View File

@ -0,0 +1,11 @@
--- osquery/tables/system/linux/os_version.cpp.orig 2015-05-05 00:16:41 UTC
+++ osquery/tables/system/linux/os_version.cpp
@@ -22,7 +22,7 @@ namespace xp = boost::xpressive;
namespace osquery {
namespace tables {
-#ifdef CENTOS
+#if defined(CENTOS) || defined(RHEL)
const std::string kLinuxOSRelease = "/etc/redhat-release";
const std::string kLinuxOSRegex =
"(?P<name>\\w+) .* "

44
sysutils/osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt Normal file
View File

@ -0,0 +1,44 @@
--- third-party/cpp-netlib/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC
+++ third-party/cpp-netlib/CMakeLists.txt
@@ -101,41 +101,3 @@ if (MSVC)
endif()
enable_testing()
-
-install(DIRECTORY boost DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
-
-###
-## Export Targets
-# (so cpp-netlib can be easily used by other CMake projects)
-# [see http://www.cmake.org/Wiki/CMake/Tutorials/How_to_create_a_ProjectConfig.cmake_file]
-
-# Add all targets to the build-tree export set
-export(TARGETS cppnetlib-client-connections cppnetlib-server-parsers cppnetlib-uri
- FILE "${PROJECT_BINARY_DIR}/cppnetlibTargets.cmake")
-# Export the package for use from the build-tree
-# (this registers the build-tree with a global CMake-registry)
-export(PACKAGE cppnetlib)
-# Create the cppnetlibConfig.cmake and cppnetlibConfigVersion files
-file(RELATIVE_PATH REL_INCLUDE_DIR "${INSTALL_CMAKE_DIR}"
- "${CMAKE_INSTALL_FULL_INCLUDEDIR}")
-# ... for the build tree
-set(CONF_INCLUDE_DIRS "${PROJECT_SOURCE_DIR}")
-configure_file(cppnetlibConfig.cmake.in
- "${PROJECT_BINARY_DIR}/cppnetlibConfig.cmake" @ONLY)
-# ... for the install tree
-set(CONF_INCLUDE_DIRS "\${CPPNETLIB_CMAKE_DIR}/${REL_INCLUDE_DIR}")
-configure_file(cppnetlibConfig.cmake.in
- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake" @ONLY)
-# ... for both
-configure_file(cppnetlibConfigVersion.cmake.in
- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake" @ONLY)
-# Install the cppnetlibConfig.cmake and cppnetlibConfigVersion.cmake
-install(FILES
- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake"
- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake"
- DESTINATION "${INSTALL_CMAKE_DIR}"
- COMPONENT dev)
-# Install the export set for use with the install-tree
-install(EXPORT cppnetlibTargets
- DESTINATION "${INSTALL_CMAKE_DIR}"
- COMPONENT dev)

35
sysutils/osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt Normal file
View File

@ -0,0 +1,35 @@
--- third-party/cpp-netlib/libs/network/src/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC
+++ third-party/cpp-netlib/libs/network/src/CMakeLists.txt
@@ -17,11 +17,6 @@ set_target_properties(cppnetlib-uri
PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING}
SOVERSION ${CPPNETLIB_VERSION_MAJOR}
PUBLIC_HEADER "${CPP-NETLIB_HEADERS}")
-install(TARGETS cppnetlib-uri
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})
set(CPP-NETLIB_HTTP_SERVER_SRCS server_request_parsers_impl.cpp)
add_library(cppnetlib-server-parsers ${CPP-NETLIB_HTTP_SERVER_SRCS})
@@ -29,11 +24,6 @@ set_target_properties(cppnetlib-server-p
PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING}
SOVERSION ${CPPNETLIB_VERSION_MAJOR}
PUBLIC_HEADER "${CPP-NETLIB_HEADERS}")
-install(TARGETS cppnetlib-server-parsers
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})
set(CPP-NETLIB_HTTP_CLIENT_SRCS client.cpp)
add_library(cppnetlib-client-connections ${CPP-NETLIB_HTTP_CLIENT_SRCS})
@@ -47,8 +37,3 @@ endif ()
if (Boost_FOUND)
target_link_libraries(cppnetlib-client-connections ${Boost_System_LIBRARY})
endif ()
-install(TARGETS cppnetlib-client-connections
- EXPORT cppnetlibTargets
- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR}
- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}
- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR})

26
sysutils/osquery/files/patch-third-party_glog_src_glog_stl__logging.h.in Normal file
View File

@ -0,0 +1,26 @@
--- third-party/glog/src/glog/stl_logging.h.in.orig 2015-04-16 17:06:51 UTC
+++ third-party/glog/src/glog/stl_logging.h.in
@@ -76,6 +76,9 @@
#ifdef GLOG_STL_LOGGING_FOR_EXT_SLIST
# include <ext/slist>
#endif
+#ifdef GLOG_STL_LOGGING_FOR_FORWARD_LIST
+# include <forward_list>
+#endif
// Forward declare these two, and define them after all the container streams
// operators so that we can recurse from pair -> container -> container -> pair
@@ -101,9 +104,13 @@ inline std::ostream& operator<<(std::ost
OUTPUT_TWO_ARG_CONTAINER(std::vector)
OUTPUT_TWO_ARG_CONTAINER(std::deque)
OUTPUT_TWO_ARG_CONTAINER(std::list)
+
#ifdef GLOG_STL_LOGGING_FOR_EXT_SLIST
OUTPUT_TWO_ARG_CONTAINER(__gnu_cxx::slist)
#endif
+#ifdef GLOG_STL_LOGGING_FOR_FORWARD_LIST
+OUTPUT_TWO_ARG_CONTAINER(std::forward_list)
+#endif
#undef OUTPUT_TWO_ARG_CONTAINER

13
sysutils/osquery/files/patch-third-party_glog_src_googletest.h Normal file
View File

@ -0,0 +1,13 @@
--- third-party/glog/src/googletest.h.orig 2015-04-16 17:06:51 UTC
+++ third-party/glog/src/googletest.h
@@ -58,6 +58,10 @@
#include "base/commandlineflags.h"
+#ifdef HAVE_LIB_GFLAGS
+#include <gflags/gflags.h>
+using namespace gflags;
+#endif
using std::map;
using std::string;
using std::vector;

10
sysutils/osquery/files/patch-third-party_glog_src_logging__unittest.cc Normal file
View File

@ -0,0 +1,10 @@
--- third-party/glog/src/logging_unittest.cc.orig 2015-05-10 14:03:15 UTC
+++ third-party/glog/src/logging_unittest.cc
@@ -61,6 +61,7 @@ DECLARE_string(log_backtrace_at); // lo
#ifdef HAVE_LIB_GFLAGS
#include <gflags/gflags.h>
+using namespace gflags;
#endif
#ifdef HAVE_LIB_GMOCK

19
sysutils/osquery/files/patch-third-party_glog_src_stacktrace__unittest.cc Normal file
View File

@ -0,0 +1,19 @@
--- third-party/glog/src/stacktrace_unittest.cc.orig 2015-05-05 12:29:29 UTC
+++ third-party/glog/src/stacktrace_unittest.cc
@@ -125,16 +125,6 @@ void ATTRIBUTE_NOINLINE CheckStackTraceL
CHECK_GE(size, 1);
CHECK_LE(size, STACK_LEN);
- if (1) {
-#ifdef HAVE_EXECINFO_H
- char **strings = backtrace_symbols(stack, size);
- printf("Obtained %d stack frames.\n", size);
- for (int i = 0; i < size; i++)
- printf("%s %p\n", strings[i], stack[i]);
- printf("CheckStackTrace() addr: %p\n", &CheckStackTrace);
- free(strings);
-#endif
- }
for (int i = 0; i < BACKTRACE_STEPS; i++) {
printf("Backtrace %d: expected: %p..%p actual: %p ... ",
i, expected_range[i].start, expected_range[i].end, stack[i]);

10
sysutils/osquery/files/patch-third-party_glog_src_stl__logging__unittest.cc Normal file
View File

@ -0,0 +1,10 @@
--- third-party/glog/src/stl_logging_unittest.cc.orig 2015-04-16 17:06:51 UTC
+++ third-party/glog/src/stl_logging_unittest.cc
@@ -41,6 +41,7 @@
// C++0x isn't enabled by default in GCC and libc++ does not have
// non-standard ext/* and tr1/unordered_*.
# if defined(_LIBCPP_VERSION)
+# define GLOG_STL_LOGGING_FOR_FORWARD_LIST
# define GLOG_STL_LOGGING_FOR_UNORDERED
# else
# define GLOG_STL_LOGGING_FOR_EXT_HASH

57
sysutils/osquery/files/patch-third-party_glog_src_utilities.h Normal file
View File

@ -0,0 +1,57 @@
--- third-party/glog/src/utilities.h.orig 2015-04-16 17:06:51 UTC
+++ third-party/glog/src/utilities.h
@@ -81,54 +81,6 @@
#include "config.h"
#include "glog/logging.h"
-// There are three different ways we can try to get the stack trace:
-//
-// 1) The libunwind library. This is still in development, and as a
-// separate library adds a new dependency, but doesn't need a frame
-// pointer. It also doesn't call malloc.
-//
-// 2) Our hand-coded stack-unwinder. This depends on a certain stack
-// layout, which is used by gcc (and those systems using a
-// gcc-compatible ABI) on x86 systems, at least since gcc 2.95.
-// It uses the frame pointer to do its work.
-//
-// 3) The gdb unwinder -- also the one used by the c++ exception code.
-// It's obviously well-tested, but has a fatal flaw: it can call
-// malloc() from the unwinder. This is a problem because we're
-// trying to use the unwinder to instrument malloc().
-//
-// Note: if you add a new implementation here, make sure it works
-// correctly when GetStackTrace() is called with max_depth == 0.
-// Some code may do that.
-
-#if defined(HAVE_LIB_UNWIND)
-# define STACKTRACE_H "stacktrace_libunwind-inl.h"
-#elif !defined(NO_FRAME_POINTER)
-# if defined(__i386__) && __GNUC__ >= 2
-# define STACKTRACE_H "stacktrace_x86-inl.h"
-# elif defined(__x86_64__) && __GNUC__ >= 2 && HAVE_UNWIND_H
-# define STACKTRACE_H "stacktrace_x86_64-inl.h"
-# elif (defined(__ppc__) || defined(__PPC__)) && __GNUC__ >= 2
-# define STACKTRACE_H "stacktrace_powerpc-inl.h"
-# endif
-#endif
-
-#if !defined(STACKTRACE_H) && defined(HAVE_EXECINFO_H)
-# define STACKTRACE_H "stacktrace_generic-inl.h"
-#endif
-
-#if defined(STACKTRACE_H)
-# define HAVE_STACKTRACE
-#endif
-
-// defined by gcc
-#if defined(__ELF__) && defined(OS_LINUX)
-# define HAVE_SYMBOLIZE
-#elif defined(OS_MACOSX) && defined(HAVE_DLADDR)
-// Use dladdr to symbolize.
-# define HAVE_SYMBOLIZE
-#endif
-
#ifndef ARRAYSIZE
// There is a better way, but this is good enough for our purpose.
# define ARRAYSIZE(a) (sizeof(a) / sizeof(*(a)))

51
sysutils/osquery/files/patch-tools_codegen_gentable.py Normal file
View File

@ -0,0 +1,51 @@
--- tools/codegen/gentable.py.orig 2015-05-05 00:16:41 UTC
+++ tools/codegen/gentable.py
@@ -30,9 +30,15 @@ TEMPLATES = {}
# Temporary reserved column names
RESERVED = ["n", "index"]
-# Supported SQL types for spec
-
+# Set the platform in osquery-language
+if sys.platform.find("freebsd") == 0:
+ PLATFORM = "freebsd"
+elif sys.platform in ["linux", "linux2"]:
+ PLATFORM = "linux"
+else:
+ PLATFORM = sys.platform
+# Supported SQL types for spec
class DataType(object):
def __init__(self, affinity, cpp_type="std::string"):
@@ -79,6 +85,8 @@ def is_blacklisted(table_name, path=None
"""Allow blacklisting by tablename."""
if blacklist is None:
specs_path = os.path.dirname(os.path.dirname(path))
+ if os.path.basename(specs_path) == "tables":
+ specs_path += "/specs"
blacklist_path = os.path.join(specs_path, "blacklist")
if not os.path.exists(blacklist_path):
return False
@@ -91,9 +99,19 @@ def is_blacklisted(table_name, path=None
except:
# Blacklist is not readable.
return False
- # table_name based blacklisting!
- return table_name in blacklist if blacklist else False
+ if not blacklist:
+ return False
+ # table_name based blacklisting!
+ for item in blacklist:
+ item = item.split(":")
+ # If this item is restricted to a platform and the platform
+ # and table name match
+ if len(item) > 1 and PLATFORM == item[0] and table_name == item[1]:
+ return True
+ elif len(item) == 1 and table_name == item[0]:
+ return True
+ return False
def setup_templates(path):
tables_path = os.path.dirname(os.path.dirname(path))

28
sysutils/osquery/files/patch-tools_deployment_osquery.example.conf Normal file
View File

@ -0,0 +1,28 @@
--- tools/deployment/osquery.example.conf.orig 2015-05-09 02:10:08 UTC
+++ tools/deployment/osquery.example.conf
@@ -10,7 +10,7 @@
// The log directory stores info, warning, and errors.
// If the daemon uses the 'filesystem' logging retriever then the log_dir
// will also contain the query results.
- //"logger_path": "/var/log/osquery",
+ "logger_path": "/var/log/osquery",
// Set 'disable_logging' to true to prevent writing any info, warning, error
// logs. If a logging plugin is selected it will still write query results.
@@ -27,14 +27,14 @@
//"schedule_splay_percent": "10",
// Write the pid of the osqueryd process to a pidfile/mutex.
- //"pidfile": "/var/osquery/osquery.pidfile",
+ "pidfile": "/var/run/osqueryd.pid",
// Clear events from the osquery backing store after a number of seconds.
"event_pubsub_expiry": "86000",
// A filesystem path for disk-based backing storage used for events and
// and query results differentials. See also 'use_in_memory_database'.
- //"database_path": "/var/osquery/osquery.db",
+ "database_path": "/var/db/osquery/osquery.db",
// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.

12
sysutils/osquery/files/patch-tools_provision_freebsd.sh Normal file
View File

@ -0,0 +1,12 @@
--- tools/provision/freebsd.sh.orig 2015-05-05 00:16:41 UTC
+++ tools/provision/freebsd.sh
@@ -12,6 +12,9 @@ function main_freebsd() {
package git
package python
package py27-pip
+ package snappy
package rocksdb
+ package thrift
package thrift-cpp
+ package yara
}

61
sysutils/osquery/files/patch-tools_provision_lib.sh Normal file
View File

@ -0,0 +1,61 @@
--- tools/provision/lib.sh.orig 2015-05-05 00:16:41 UTC
+++ tools/provision/lib.sh
@@ -57,27 +57,31 @@ function install_thrift() {
function install_rocksdb() {
if [[ ! -f /usr/local/lib/librocksdb.a ]]; then
- if [[ ! -f rocksdb-3.5.tar.gz ]]; then
- wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.5.tar.gz
+ if [[ ! -f rocksdb-3.10.2.tar.gz ]]; then
+ wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.10.2.tar.gz
else
log "rocksdb source is already downloaded. skipping."
fi
- if [[ ! -d rocksdb-rocksdb-3.5 ]]; then
- tar -xf rocksdb-3.5.tar.gz
+ if [[ ! -d rocksdb-rocksdb-3.10.2 ]]; then
+ tar -xf rocksdb-3.10.2.tar.gz
fi
- if [[ ! -f rocksdb-rocksdb-3.5/librocksdb.a ]]; then
+ if [[ ! -f rocksdb-rocksdb-3.10.2/librocksdb.a ]]; then
if [[ $OS = "ubuntu" ]]; then
CLANG_INCLUDE="-I/usr/include/clang/3.4/include"
elif [ $OS = "centos" ] || [ $OS = "rhel" ]; then
CLANG_VERSION=`clang --version | grep version | cut -d" " -f3`
CLANG_INCLUDE="-I/usr/lib/clang/$CLANG_VERSION/include"
fi
- pushd rocksdb-rocksdb-3.5
- make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ pushd rocksdb-rocksdb-3.10.2
+ if [[ $OS = "freebsd" ]]; then
+ CC=cc CXX=c++ gmake static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ else
+ make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS"
+ fi
popd
fi
- sudo cp rocksdb-rocksdb-3.5/librocksdb.a /usr/local/lib
- sudo cp -R rocksdb-rocksdb-3.5/include/rocksdb /usr/local/include
+ sudo cp rocksdb-rocksdb-3.10.2/librocksdb.a /usr/local/lib
+ sudo cp -R rocksdb-rocksdb-3.10.2/include/rocksdb /usr/local/include
else
log "rocksdb already installed. skipping."
fi
@@ -253,7 +257,7 @@ function package() {
brew install --build-bottle $1 || brew upgrade $@
fi
elif [[ $OS = "freebsd" ]]; then
- if [[ -z "$(pkg info -q $1)" ]]; then
+ if pkg info -q $1; then
log "$1 is already installed. skipping."
else
log "installing $1"
@@ -285,7 +289,7 @@ function remove_package() {
log "Removing: $1 is not installed. skipping."
fi
elif [[ $OS = "freebsd" ]]; then
- if [[ -n "$(pkg info -q $1)" ]]; then
+ if ! pkg info -q $1; then
log "removing $1"
sudo pkg delete -y $1
else

15
sysutils/osquery/files/patch-tools_tests_test__extensions.py Normal file
View File

@ -0,0 +1,15 @@
--- tools/tests/test_extensions.py.orig 2015-05-05 00:16:41 UTC
+++ tools/tests/test_extensions.py
@@ -364,9 +364,11 @@ if __name__ == "__main__":
thrift_path = test_base.ARGS.build + "/generated/gen-py"
try:
sys.path.append(thrift_path)
+ sys.path.append(thrift_path + "/osquery")
from osquery import *
- except ImportError:
+ except ImportError as e:
print ("Cannot import osquery thrift API from %s" % (thrift_path))
+ print ("Exception: %s" % (str(e)))
print ("You must first run: make")
exit(1)

7
sysutils/osquery/pkg-descr Normal file
View File

@ -0,0 +1,7 @@
osquery exposes an operating system as a high-performance relational database.
This allows you to write SQL-based queries to explore operating system data.
With osquery, SQL tables represent abstract concepts such as running
processes, loaded kernel modules, open network connections, browser plugins,
hardware events or file hashes.
WWW: https://osquery.io/

11
sysutils/osquery/pkg-message Normal file
View File

@ -0,0 +1,11 @@
This is the initial release of the FreeBSD port for osquery.
We aren't anywhere near 100% feature parity when compared to
Linux, however, we are actively working to get there.
osqueryd does not yet have the required functionality to run,
however, osqueryi (the interactive CLI version) can perform
basic tasks.
Please submit patches as pull requests here:
https://github.com/facebook/osquery

23
sysutils/osquery/pkg-plist Normal file
View File

@ -0,0 +1,23 @@
bin/osqueryi
@dir /var/db/osquery
include/osquery/config.h
include/osquery/core.h
include/osquery/database.h
include/osquery/database/db_handle.h
include/osquery/database/query.h
include/osquery/database/results.h
include/osquery/enrollment.h
include/osquery/events.h
include/osquery/extensions.h
include/osquery/filesystem.h
include/osquery/flags.h
include/osquery/hash.h
include/osquery/logger.h
include/osquery/registry.h
include/osquery/sdk.h
include/osquery/sql.h
include/osquery/status.h
include/osquery/tables.h
lib/libosquery.a
sbin/osqueryd
@sample etc/osquery.conf.sample