ファイル: query_packs.cpp プロジェクト: yffud/osquery
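Status parsePack(const std::string& name, const pt::ptree& data) {
  // Parse one query pack and schedule every query in it that is eligible on
  // this build (SDK version and platform) and is not already scheduled.
  //
  // `name` is the pack's configured name; a scheduled query is registered
  // under "pack_<name>_<query key>". `data` is the pack's parsed subtree.
  //
  // Every early return carries status code 0: an ineligible or empty pack is
  // skipped rather than reported as a configuration error. The only check
  // applied to the SQL text itself is the duplicate lookup below; the pack
  // contents are trusted as configuration.
  if (data.count("queries") == 0) {
    return Status(0, "Pack contains no queries");
  }

  // Pack-global gates: an empty "version"/"platform" means "no requirement".
  auto version = data.get("version", "");
  if (version.size() > 0 && !versionChecker(version, kSDKVersion)) {
    return Status(0, "Minimum SDK version not met");
  }

  auto platform = data.get("platform", "");
  if (platform.size() > 0 && !platformChecker(platform, kSDKPlatform)) {
    return Status(0, "Platform version mismatch");
  }

  // Per-query gates: duplicate, version, platform, then a positive interval.
  for (const auto& query : data.get_child("queries")) {
    auto query_string = query.second.get("query", "");
    if (query_string.empty()) {
      // A missing or empty "query" key would otherwise be scheduled as "".
      VLOG(1) << "Query pack " << name << " entry " << query.first
              << " has no query string";
      continue;
    }

    if (Config::checkScheduledQuery(query_string)) {
      VLOG(1) << "Query pack " << name
              << " contains a duplicated query: " << query.first;
      continue;
    }

    // The query may tighten the pack-level version requirement.
    version = query.second.get("version", "");
    if (version.size() > 0 && !versionChecker(version, kSDKVersion)) {
      continue;
    }

    // The query may tighten the pack-level platform requirement.
    platform = query.second.get("platform", "");
    if (platform.size() > 0 && !platformChecker(platform, kSDKPlatform)) {
      continue;
    }

    // Only a supplied, positive interval (seconds are assumed — TODO confirm
    // against Config::addScheduledQuery) puts the query on the schedule; a
    // missing, zero or negative interval silently skips it.
    auto query_interval = query.second.get("interval", 0);
    if (query_interval > 0) {
      auto query_name = "pack_" + name + "_" + query.first;
      Config::addScheduledQuery(query_name, query_string, query_interval);
    }
  }

  return Status(0, "OK");
}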
TEST_F(QueryPacksConfigTests, platform_comparisons) {
  // platformChecker(required, actual): `required` is the pack/query
  // "platform" string and `actual` is the build's platform. The checker does
  // plain matching on the required string — leading whitespace is tolerated
  // and "all"/"any" accept every platform — with no negation or boolean
  // syntax, so a "!darwin" requirement still matches a darwin build.
  struct Case {
    const char* required;
    const char* actual;
    bool expected;
  };

#ifdef __linux__
  // On a linux build, requiring "linux" matches whatever the actual string is.
  const Case linux_cases[] = {
      {"linux", "ubuntu", true},
      {"linux", "who_knows_what", true},
  };
  for (const auto& c : linux_cases) {
    EXPECT_EQ(c.expected, platformChecker(c.required, c.actual));
  }
#endif

  const Case cases[] = {
      {"linux,darwin", "darwin", true},
      {"darwin", "darwin", true},
      {"darwin", "linux", false},
      {" darwin", "darwin", true},
      {"!darwin", "darwin", true},
      {"all", "darwin", true},
      {"any", "darwin", true},
  };
  for (const auto& c : cases) {
    EXPECT_EQ(c.expected, platformChecker(c.required, c.actual));
  }
}