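/**
 * @brief Parse one query pack and add its eligible queries to the schedule.
 *
 * The pack is skipped as a whole when it has no "queries" child or when its
 * pack-level "version"/"platform" requirements are not met by the running
 * SDK. Each query entry is then checked on its own (non-empty query text,
 * not already scheduled, per-query version/platform, positive interval) and
 * only entries passing every check are scheduled as "pack_<name>_<key>".
 *
 * Pack contents are configuration data. NOTE(review): depending on the config
 * plugin in use they may originate from a remote source — confirm; every field
 * is therefore treated as optional and validated before it affects the
 * schedule.
 *
 * @param name Pack name, used for logging and to namespace scheduled queries.
 * @param data Parsed pack as a property tree.
 * @return Status(0, ...) in every case: a pack that does not apply is not an
 *         error, it is simply not scheduled; the message says why.
 */
Status parsePack(const std::string& name, const pt::ptree& data) {
  if (data.count("queries") == 0) {
    return Status(0, "Pack contains no queries");
  }

  // Pack-global requirements: an unmet minimum SDK version or a platform
  // mismatch drops the whole pack. An empty value means "no requirement".
  const auto pack_version = data.get("version", "");
  if (!pack_version.empty() && !versionChecker(pack_version, kSDKVersion)) {
    return Status(0, "Minimum SDK version not met");
  }

  const auto pack_platform = data.get("platform", "");
  if (!pack_platform.empty() &&
      !platformChecker(pack_platform, kSDKPlatform)) {
    return Status(0, "Platform version mismatch");
  }

  // Per-query checks: a failure skips only that entry, never the pack.
  for (const auto& query : data.get_child("queries")) {
    const auto query_string = query.second.get("query", "");
    if (query_string.empty()) {
      // Without this guard an entry lacking a "query" key (or with an empty
      // one) would be handed to the scheduler as an empty statement whenever
      // it also carries a positive interval.
      VLOG(1) << "Query pack " << name << " entry " << query.first
              << " has no query string";
      continue;
    }

    // checkScheduledQuery() reporting true means this text is already
    // scheduled; do not add it twice.
    if (Config::checkScheduledQuery(query_string)) {
      VLOG(1) << "Query pack " << name
              << " contains a duplicated query: " << query.first;
      continue;
    }

    const auto query_version = query.second.get("version", "");
    if (!query_version.empty() &&
        !versionChecker(query_version, kSDKVersion)) {
      continue;
    }

    const auto query_platform = query.second.get("platform", "");
    if (!query_platform.empty() &&
        !platformChecker(query_platform, kSDKPlatform)) {
      continue;
    }

    // Only a supplied, positive interval schedules the query. ptree's
    // defaulted get() yields 0 when "interval" is absent or not an int, and
    // negative values are rejected by the comparison below.
    const auto query_interval = query.second.get("interval", 0);
    if (query_interval > 0) {
      // NOTE(review): if "queries" is a JSON array rather than an object,
      // every query.first is empty and all names collide on "pack_<name>_";
      // confirm the expected pack schema with the config source.
      const auto query_name = "pack_" + name + "_" + query.first;
      Config::addScheduledQuery(query_name, query_string, query_interval);
    }
  }

  return Status(0, "OK");
}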
// Pins the comparison contract of versionChecker(minimum, actual): it returns
// true when `actual` satisfies `minimum` (parsePack passes the pack's version
// as `minimum` and kSDKVersion as `actual`). The cases below establish that:
//  - equal versions pass;
//  - `actual` may carry more components than `minimum` ("1.0" vs "1.0.2");
//  - a "-r1" suffix on `actual` is tolerated ("1.0.2-r1"), and a "-r1" suffix
//    on `minimum` does not make it stricter than the bare version
//    ("1.0.0-r1" is satisfied by "1.0.0");
//  - a lower `actual` fails ("1.2" vs "1.0.2").
// NOTE(review): there is no case for malformed input ("", "abc", "1..0").
// Since minimums come from pack configuration, the expected (fail-closed)
// result for an unparsable minimum should be pinned here once confirmed.
TEST_F(QueryPacksConfigTests, version_comparisons) {
  EXPECT_TRUE(versionChecker("1.0.0", "1.0.0"));
  EXPECT_TRUE(versionChecker("1.0.0", "1.2.0"));
  EXPECT_TRUE(versionChecker("1.0", "1.2.0"));
  EXPECT_TRUE(versionChecker("1.0", "1.0.2"));
  EXPECT_TRUE(versionChecker("1.0.0", "1.0.2-r1"));
  EXPECT_FALSE(versionChecker("1.2", "1.0.2"));
  EXPECT_TRUE(versionChecker("1.0.0-r1", "1.0.0"));
}