QueryData EventSubscriberPlugin::get(EventTime start, EventTime stop) {
QueryData results;
// Get the records for this time range.
auto indexes = getIndexes(start, stop);
auto records = getRecords(indexes);
std::string events_key = "data." + dbNamespace();
std::vector<std::string> mapped_records;
for (const auto& record : records) {
if (record.second >= start && (record.second <= stop || stop == 0)) {
mapped_records.push_back(events_key + "." + record.first);
}
}
if (FLAGS_events_optimize && !records.empty()) {
// If records were returned save the ordered-last as the optimization EID.
unsigned long int eidr = 0;
if (safeStrtoul(records.back().first, 10, eidr)) {
optimize_eid_ = static_cast<size_t>(eidr);
auto index_key = "optimize_id." + dbNamespace();
setDatabaseValue(kEvents, index_key, records.back().first);
}
}
// Select mapped_records using event_ids as keys.
std::string data_value;
for (const auto& record : mapped_records) {
Row r;
auto status = getDatabaseValue(kEvents, record, data_value);
if (data_value.length() == 0) {
// There is no record here, interesting error case.
continue;
}
status = deserializeRowJSON(data_value, r);
data_value.clear();
if (status.ok()) {
results.push_back(std::move(r));
}
}
if (getEventsExpiry() > 0) {
// Set the expire time to NOW - "configured lifetime".
// Index retrieval will apply the constraints checking and auto-expire.
expire_time_ = getUnixTime() - getEventsExpiry();
}
return results;
}
Status Distributed::acceptWork(const std::string& work) {
try {
pt::ptree tree;
{
std::stringstream ss(work);
pt::read_json(ss, tree);
}
std::set<std::string> queries_to_run;
// Check for and run discovery queries first
if (tree.count("discovery") > 0) {
auto& queries = tree.get_child("discovery");
for (const auto& node : queries) {
auto query = queries.get<std::string>(node.first, "");
if (query.empty() || node.first.empty()) {
return Status(
1,
"Distributed discovery query does not have complete attributes");
}
SQL sql(query);
if (!sql.getStatus().ok()) {
return Status(1, "Distributed discovery query has an SQL error");
}
if (sql.rows().size() > 0) {
queries_to_run.insert(node.first);
}
}
}
auto& queries = tree.get_child("queries");
for (const auto& node : queries) {
auto query = queries.get<std::string>(node.first, "");
if (query.empty() || node.first.empty()) {
return Status(1, "Distributed query does not have complete attributes");
}
if (queries_to_run.empty() || queries_to_run.count(node.first)) {
setDatabaseValue(kQueries, kDistributedQueryPrefix + node.first, query);
}
}
if (tree.count("accelerate") > 0) {
auto new_time = tree.get<std::string>("accelerate", "");
unsigned long duration;
Status conversion = safeStrtoul(new_time, 10, duration);
if (conversion.ok()) {
LOG(INFO) << "Accelerating distributed query checkins for " << duration
<< " seconds";
setDatabaseValue(kPersistentSettings,
"distributed_accelerate_checkins_expire",
std::to_string(getUnixTime() + duration));
} else {
LOG(WARNING) << "Failed to Accelerate: Timeframe is not an integer";
}
}
} catch (const pt::ptree_error& e) {
return Status(1, "Error parsing JSON: " + std::string(e.what()));
}
return Status(0, "OK");
}
QueryData genSystemInfo(QueryContext& context) {
Row r;
r["hostname"] = osquery::getFqdn();
r["computer_name"] = osquery::getHostname();
r["local_hostname"] = r["computer_name"];
getHostUUID(r["uuid"]);
auto qd = SQL::selectAllFrom("cpuid");
for (const auto& row : qd) {
if (row.at("feature") == "product_name") {
r["cpu_brand"] = row.at("value");
boost::trim(r["cpu_brand"]);
}
}
WmiRequest wmiSystemReq("select * from Win32_ComputerSystem");
WmiRequest wmiSystemReqProc("select * from Win32_Processor");
std::vector<WmiResultItem>& wmiResults = wmiSystemReq.results();
std::vector<WmiResultItem>& wmiResultsProc = wmiSystemReqProc.results();
if (!wmiResults.empty() && !wmiResultsProc.empty()) {
long numProcs = 0;
wmiResults[0].GetLong("NumberOfLogicalProcessors", numProcs);
r["cpu_logical_cores"] = INTEGER(numProcs);
wmiResultsProc[0].GetLong("NumberOfCores", numProcs);
r["cpu_physical_cores"] = INTEGER(numProcs);
wmiResults[0].GetString("TotalPhysicalMemory", r["physical_memory"]);
wmiResults[0].GetString("Manufacturer", r["hardware_vendor"]);
wmiResults[0].GetString("Model", r["hardware_model"]);
} else {
r["cpu_logical_cores"] = "-1";
r["cpu_physical_cores"] = "-1";
r["physical_memory"] = "-1";
r["hardware_vendor"] = "-1";
r["hardware_model"] = "-1";
}
QueryData regResults;
queryKey(
"HKEY_LOCAL_MACHINE\\"
"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\",
regResults);
for (const auto& key : regResults) {
if (key.at("name") == "Update Revision") {
if (key.at("data").size() >= 16) {
unsigned long int revision = 0;
safeStrtoul(key.at("data").substr(8, 2), 16, revision);
r["cpu_microcode"] = std::to_string(revision);
}
break;
}
}
WmiRequest wmiBiosReq("select * from Win32_Bios");
std::vector<WmiResultItem>& wmiBiosResults = wmiBiosReq.results();
if (wmiBiosResults.size() != 0) {
wmiBiosResults[0].GetString("SerialNumber", r["hardware_serial"]);
} else {
r["hardware_serial"] = "-1";
}
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
switch (systemInfo.wProcessorArchitecture) {
case PROCESSOR_ARCHITECTURE_AMD64:
r["cpu_type"] = "x86_64";
break;
case PROCESSOR_ARCHITECTURE_ARM:
r["cpu_type"] = "ARM";
break;
case PROCESSOR_ARCHITECTURE_IA64:
r["cpu_type"] = "x64 Itanium";
break;
case PROCESSOR_ARCHITECTURE_INTEL:
r["cpu_type"] = "x86";
break;
case PROCESSOR_ARCHITECTURE_UNKNOWN:
r["cpu_type"] = "Unknown";
default:
break;
}
r["cpu_subtype"] = "-1";
r["hardware_version"] = "-1";
return {r};
}