/// Validate a query pack and add its eligible queries to the schedule.
///
/// The pack as a whole is rejected when it has no "queries" child, or when
/// its optional "version" / "platform" values are present and fail
/// versionChecker(version, kSDKVersion) / platformChecker(platform,
/// kSDKPlatform). Each entry under "queries" is then gated the same way;
/// an entry is also skipped when its query string is already scheduled
/// (Config::checkScheduledQuery) or when its "interval" is absent or not
/// positive. Surviving queries are scheduled as "pack_<name>_<key>".
///
/// @param name  Pack name; used in log output and as the scheduled-name prefix.
/// @param data  Parsed pack configuration tree.
/// @return A Status whose message describes the outcome. NOTE(review): the
///         status code is 0 on every path, including the rejection paths, so
///         callers cannot tell "OK" from a rejected pack by the code alone.
Status parsePack(const std::string& name, const pt::ptree& data) {
  if (data.count("queries") == 0) {
    return Status(0, "Pack contains no queries");
  }

  // A requirement string that is absent (empty) always passes; otherwise the
  // matching checker decides against the running SDK's version/platform.
  const auto version_ok = [](const std::string& required) {
    return required.empty() || versionChecker(required, kSDKVersion);
  };
  const auto platform_ok = [](const std::string& required) {
    return required.empty() || platformChecker(required, kSDKPlatform);
  };

  // Pack-wide gates.
  if (!version_ok(data.get("version", ""))) {
    return Status(0, "Minimum SDK version not met");
  }
  if (!platform_ok(data.get("platform", ""))) {
    return Status(0, "Platform version mismatch");
  }

  // Per-query gates.
  for (const auto& entry : data.get_child("queries")) {
    const auto& query_key = entry.first;
    const auto& query_node = entry.second;
    auto query_string = query_node.get("query", "");

    // A query string already present in the schedule is not added twice.
    if (Config::checkScheduledQuery(query_string)) {
      VLOG(1) << "Query pack " << name
              << " contains a duplicated query: " << query_key;
      continue;
    }
    if (!version_ok(query_node.get("version", ""))) {
      continue;
    }
    if (!platform_ok(query_node.get("platform", ""))) {
      continue;
    }

    // Only queries with an explicit, positive interval are scheduled.
    auto query_interval = query_node.get("interval", 0);
    if (query_interval <= 0) {
      continue;
    }
    std::string query_name = "pack_";
    query_name += name;
    query_name += "_";
    query_name += query_key;
    Config::addScheduledQuery(query_name, query_string, query_interval);
  }

  return Status(0, "OK");
}
// Exercises platformChecker(required, current): the first argument is the
// "platform" string written in a query pack, the second is the platform the
// check is evaluated against.
TEST_F(QueryPacksConfigTests, platform_comparisons) {
#ifdef __linux__
  // If the platform is linux and the required platform is linux, match.
  // The second argument here is a distribution-like name rather than "linux",
  // so on a Linux build the checker evidently matches the requirement against
  // the build platform as well as the supplied string.
  EXPECT_TRUE(platformChecker("linux", "ubuntu"));
  EXPECT_TRUE(platformChecker("linux", "who_knows_what"));
#endif
  // A comma-separated list matches when any listed platform is the current one.
  EXPECT_TRUE(platformChecker("linux,darwin", "darwin"));
  EXPECT_TRUE(platformChecker("darwin", "darwin"));
  EXPECT_FALSE(platformChecker("darwin", "linux"));
  // Leading whitespace in the requirement is tolerated.
  EXPECT_TRUE(platformChecker(" darwin", "darwin"));
  // There are no logical operators, just matching: "!darwin" is NOT a
  // negation, it still matches darwin. A pack author cannot exclude a
  // platform with "!"; the only way to scope a query is to list the
  // platforms it should run on.
  EXPECT_TRUE(platformChecker("!darwin", "darwin"));
  // "all" and "any" act as wildcards (shown here for darwin).
  EXPECT_TRUE(platformChecker("all", "darwin"));
  EXPECT_TRUE(platformChecker("any", "darwin"));
}