コード例 #1
0
ファイル: process_events.cpp プロジェクト: 1514louluo/osquery 
Status ProcessEventSubscriber::Callback(
    const TypedKernelEventContextRef<osquery_process_event_t> &ec,
    const KernelSubscriptionContextRef &sc) {
  Row r;
  r["overflows"] = "";
  r["cmdline_size"] = BIGINT(ec->event.arg_length);
  if (ec->event.argc != ec->event.actual_argc) {
    r["overflows"] = "cmdline";
  }

  r["env_count"] = BIGINT(ec->event.actual_envc);
  r["env_size"] = BIGINT(ec->event.env_length);
  if (ec->event.envc != ec->event.actual_envc) {
    r["overflows"] +=
        std::string(((r["overflows"].size() > 0) ? ", " : "")) + "environment";
  }

  char *argv = &(ec->flexible_data.data()[ec->event.argv_offset]);
  std::string argv_accumulator("");
  while (ec->event.argc-- > 0) {
    argv_accumulator += argv;
    argv_accumulator += " ";
    argv += strlen(argv) + 1;
  }
  r["cmdline"] = std::move(argv_accumulator);

  {
    // A configuration can optionally restrict environment variable logging to
    // a whitelist. This is helpful for limiting logged data as well as
    // protecting against logging unsafe/private variables.
    bool use_whitelist = false;
    pt::ptree whitelist;

    auto plugin = Config::getInstance().getParser("events");
    if (plugin == nullptr || plugin.get() == nullptr) {
      LOG(ERROR) << "Could not load events config parser";
    } else {
      const auto &data = plugin->getData();
      if (data.get_child("events").count("environment_variables") > 0) {
        use_whitelist = true;
        whitelist = data.get_child("events.environment_variables");
      }
    }

    char *envv = &(ec->flexible_data.data()[ec->event.envv_offset]);
    std::string envv_accumulator("");
    while (ec->event.envc-- > 0) {
      auto envv_string = std::string(envv);
      if (use_whitelist) {
        for (const auto &item : whitelist) {
          if (envv_string.find(item.second.data()) == 0) {
            envv_accumulator += std::move(envv_string) + ' ';
            break;
          }
        }
      } else {
        envv_accumulator += std::move(envv_string) + ' ';
      }
      envv += strlen(envv) + 1;
    }
    r["env"] = std::move(envv_accumulator);
  }

  r["pid"] = BIGINT(ec->event.pid);
  r["parent"] = BIGINT(ec->event.ppid);
  r["uid"] = BIGINT(ec->event.uid);
  r["euid"] = BIGINT(ec->event.euid);
  r["gid"] = BIGINT(ec->event.gid);
  r["egid"] = BIGINT(ec->event.egid);
  r["owner_uid"] = BIGINT(ec->event.owner_uid);
  r["owner_gid"] = BIGINT(ec->event.owner_gid);
  r["btime"] = BIGINT(ec->event.create_time);
  r["atime"] = BIGINT(ec->event.access_time);
  r["mtime"] = BIGINT(ec->event.modify_time);
  r["ctime"] = BIGINT(ec->event.change_time);
  r["mode"] = BIGINT(ec->event.mode);
  r["path"] = ec->event.path;
  r["uptime"] = BIGINT(ec->uptime);

  add(r, ec->time);

  return Status(0, "OK");
}
コード例 #2
0
ファイル: process_events.cpp プロジェクト: 0xdabbad00/osquery 
Status ProcessEventSubscriber::Callback(
    const TypedKernelEventContextRef<osquery_process_event_t> &ec,
    const void *user_data) {
  Row r;
  r["overflows"] = "";
  r["cmdline_count"] = BIGINT(ec->event.actual_argc);
  r["cmdline_size"] = BIGINT(ec->event.arg_length);
  if (ec->event.argc != ec->event.actual_argc) {
    r["overflows"] = "cmdline";
  }

  r["envc"] = BIGINT(ec->event.envc);
  r["environment_count"] = BIGINT(ec->event.actual_envc);
  r["environment_size"] = BIGINT(ec->event.env_length);
  if (ec->event.envc != ec->event.actual_envc) {
    r["overflows"] +=
        std::string(((r["overflows"].size() > 0) ? ", " : "")) + "environment";
  }

  char *argv = &(ec->flexible_data.data()[ec->event.argv_offset]);
  std::string argv_accumulator("");
  while (ec->event.argc-- > 0) {
    argv_accumulator += argv;
    argv_accumulator += " ";
    argv += strlen(argv) + 1;
  }
  r["cmdline"] = std::move(argv_accumulator);

  {
    // A configuration can optionally restrict environment variable logging to
    // a whitelist. This is helpful for limiting logged data as well as
    // protecting against logging unsafe/private variables.
    bool use_whitelist = false;
    pt::ptree whitelist;

    // Check if an events whitelist exists.
    ConfigDataInstance config;
    if (config.data().count("events")) {
      // Only apply a whitelist search if the events and environment_variables
      // keys are included. Otherwise, optimize by adding all.
      if (config.data().get_child("events").count("environment_variables")) {
        use_whitelist = true;
        whitelist = config.data().get_child("events.environment_variables");
      }
    }

    char *envv = &(ec->flexible_data.data()[ec->event.envv_offset]);
    std::string envv_accumulator("");
    while (ec->event.envc-- > 0) {
      auto envv_string = std::string(envv);
      if (use_whitelist) {
        for (const auto &item : whitelist) {
          if (envv_string.find(item.second.data()) == 0) {
            envv_accumulator += std::move(envv_string) + ' ';
            break;
          }
        }
      } else {
        envv_accumulator += std::move(envv_string) + ' ';
      }
      envv += strlen(envv) + 1;
    }
    r["environment"] = std::move(envv_accumulator);
  }

  r["pid"] = BIGINT(ec->event.pid);
  r["parent"] = BIGINT(ec->event.ppid);
  r["uid"] = BIGINT(ec->event.uid);
  r["euid"] = BIGINT(ec->event.euid);
  r["gid"] = BIGINT(ec->event.gid);
  r["egid"] = BIGINT(ec->event.egid);
  r["owner_uid"] = BIGINT(ec->event.owner_uid);
  r["owner_gid"] = BIGINT(ec->event.owner_gid);
  r["create_time"] = BIGINT(ec->event.create_time);
  r["access_time"] = BIGINT(ec->event.access_time);
  r["modify_time"] = BIGINT(ec->event.modify_time);
  r["change_time"] = BIGINT(ec->event.change_time);
  r["mode"] = BIGINT(ec->event.mode);
  r["path"] = ec->event.path;
  r["uptime"] = BIGINT(ec->uptime);

  add(r, ec->time);

  return Status(0, "OK");
}