示例#1
0
QueryData genProcessEnvs(QueryContext &context) {
  // Emit one (pid, key, value) row for every environment variable of each
  // process selected by the query. Processes excluded by a "pid" constraint
  // are skipped before their environment is read.
  //
  // NOTE(review): environment blocks routinely carry secrets (API tokens,
  // passwords, cloud credentials). Anything that logs, forwards or stores
  // these rows should treat "value" as sensitive data.
  QueryData rows;

  const auto pids = getProcList(context);
  const int argmax = genMaxArgs();

  for (const auto &pid : pids) {
    // Honour the pid constraint early so we never read an environment we
    // would not report anyway.
    if (!context.constraints["pid"].matches<int>(pid)) {
      continue;
    }

    const auto environment = getProcEnv(pid, argmax);
    for (const auto &entry : environment) {
      Row row;
      row["pid"] = INTEGER(pid);
      row["key"] = entry.first;
      row["value"] = entry.second;
      rows.push_back(row);
    }
  }

  return rows;
}
示例#2
0
QueryData genProcessEnvs(QueryContext &context) {
  // Emit one (pid, key, value) row for every environment variable of each
  // process returned by getProcList(context). The environment is taken from
  // the raw argument block of the process (getProcRawArgs(...).env).
  //
  // NOTE(review): environment values frequently contain credentials; treat
  // the "value" column as sensitive wherever these rows are persisted or
  // shipped off-host.
  QueryData rows;

  const auto pids = getProcList(context);
  const int argmax = genMaxArgs();

  for (const auto &pid : pids) {
    const auto raw = getProcRawArgs(pid, argmax);
    for (const auto &kv : raw.env) {
      Row row;
      row["pid"] = INTEGER(pid);
      row["key"] = kv.first;
      row["value"] = kv.second;
      rows.push_back(row);
    }
  }

  return rows;
}
示例#3
0
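QueryData genProcesses(QueryContext &context) {
  // One row per process returned by getProcList(context), restricted by any
  // "pid" constraint on the query. Fields that cannot be read for a process
  // are reported as "-1" rather than dropping the row.
  QueryData results;

  auto pidlist = getProcList(context);
  auto parent_pid = getParentMap(pidlist);
  int argmax = genMaxArgs();

  for (auto &pid : pidlist) {
    if (!context.constraints["pid"].matches<int>(pid)) {
      // Optimize by not searching when a pid is a constraint.
      continue;
    }

    Row r;
    r["pid"] = INTEGER(pid);
    r["path"] = getProcPath(pid);
    // OS X proc_name only returns 16 bytes, use the basename of the path.
    r["name"] = boost::filesystem::path(r["path"]).filename().string();

    // The command line invocation including arguments.
    std::string cmdline = boost::algorithm::join(getProcArgs(pid, argmax), " ");
    boost::algorithm::trim(cmdline);
    r["cmdline"] = cmdline;
    genProcRootAndCWD(pid, r);

    proc_cred cred;
    if (getProcCred(pid, cred)) {
      r["uid"] = BIGINT(cred.real.uid);
      r["gid"] = BIGINT(cred.real.gid);
      r["euid"] = BIGINT(cred.effective.uid);
      r["egid"] = BIGINT(cred.effective.gid);
    } else {
      // Credentials could not be read (process gone or not inspectable):
      // keep the row but mark every id as unknown.
      r["uid"] = "-1";
      r["gid"] = "-1";
      r["euid"] = "-1";
      r["egid"] = "-1";
    }

    // Find the parent process.
    const auto parent_it = parent_pid.find(pid);
    if (parent_it != parent_pid.end()) {
      r["parent"] = INTEGER(parent_it->second);
    } else {
      r["parent"] = "-1";
    }

    // on_disk is an explicit tri-state, computed here rather than taken from
    // the textual form of the Status returned by pathExists(), so the column
    // can only ever hold one of the documented values:
    //   1  the executable path is known and the file exists,
    //   0  the path is known but the file does NOT exist on disk (the binary
    //      was removed after launch -- a common indicator worth hunting for),
    //   -1 no path could be read for the process.
    if (r["path"].empty()) {
      r["on_disk"] = INTEGER(-1);
    } else if (osquery::pathExists(r["path"])) {
      r["on_disk"] = INTEGER(1);
    } else {
      r["on_disk"] = INTEGER(0);
    }

    // systems usage and time information
    struct rusage_info_v2 rusage_info_data {};
    int rusage_status = proc_pid_rusage(
        pid, RUSAGE_INFO_V2, reinterpret_cast<rusage_info_t *>(&rusage_info_data));
    // proc_pid_rusage returns -1 if it was unable to gather information
    if (rusage_status == 0) {
      // size/memory information
      r["wired_size"] = TEXT(rusage_info_data.ri_wired_size);
      r["resident_size"] = TEXT(rusage_info_data.ri_resident_size);
      r["phys_footprint"] = TEXT(rusage_info_data.ri_phys_footprint);

      // time information; the raw counters are scaled down by 1e6 here
      // (assumed nanosecond units -> milliseconds; confirm against the
      // rusage_info_v2 documentation for this platform).
      r["user_time"] = TEXT(rusage_info_data.ri_user_time / 1000000);
      r["system_time"] = TEXT(rusage_info_data.ri_system_time / 1000000);
      r["start_time"] = TEXT(rusage_info_data.ri_proc_start_abstime);
    } else {
      r["wired_size"] = "-1";
      r["resident_size"] = "-1";
      r["phys_footprint"] = "-1";
      r["user_time"] = "-1";
      r["system_time"] = "-1";
      r["start_time"] = "-1";
    }

    results.push_back(r);
  }

  return results;
}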
示例#4
0
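QueryData genProcesses(QueryContext& context) {
  // One row per process returned by getProcList(context). A process whose
  // credentials cannot be read is skipped entirely; any other field that
  // cannot be read is reported as "-1" so the row is still emitted.
  QueryData results;

  // Initialize time conversions (mach absolute time ticks -> nanoseconds).
  // The static is zero-initialized and filled lazily on the first call; a
  // non-zero denominator is the "initialized" marker. NOTE(review): this
  // lazy init is not synchronized -- two first callers may both invoke
  // mach_timebase_info, which writes identical values, so it is benign in
  // practice but formally a data race.
  static mach_timebase_info_data_t time_base;
  if (time_base.denom == 0) {
    mach_timebase_info(&time_base);
  }
  // If the timebase could not be read the denominator stays 0. Remember that
  // so start_time is reported as unknown instead of dividing by zero below.
  const bool have_time_base = (time_base.denom != 0);

  auto pidlist = getProcList(context);
  int argmax = genMaxArgs();

  for (auto& pid : pidlist) {
    Row r;
    r["pid"] = INTEGER(pid);

    {
      // The command line invocation including arguments.
      auto args = getProcRawArgs(pid, argmax);
      std::string cmdline = boost::algorithm::join(args.args, " ");
      r["cmdline"] = cmdline;
    }

    // The process relative root and current working directory.
    genProcRootAndCWD(pid, r);

    proc_cred cred;
    if (getProcCred(pid, cred)) {
      r["parent"] = BIGINT(cred.parent);
      r["pgroup"] = BIGINT(cred.group);
      // Only index the state table for the known status range 1..5; anything
      // else is reported as '?' rather than reading past the table.
      r["state"] = (1 <= cred.status && cred.status <= 5)
                       ? TEXT(kProcessStateMapping[cred.status])
                       : TEXT('?');
      r["nice"] = INTEGER(cred.nice);
      r["uid"] = BIGINT(cred.real.uid);
      r["gid"] = BIGINT(cred.real.gid);
      r["euid"] = BIGINT(cred.effective.uid);
      r["egid"] = BIGINT(cred.effective.gid);
      r["suid"] = BIGINT(cred.saved.uid);
      r["sgid"] = BIGINT(cred.saved.gid);
    } else {
      // No credentials means the process vanished or is not inspectable;
      // there is no row worth emitting without uid/gid information.
      continue;
    }

    // If the process is not a Zombie (status 5), try to find the path and name.
    if (cred.status != 5) {
      r["path"] = getProcPath(pid);
      // OS X proc_name only returns 16 bytes, use the basename of the path.
      r["name"] = fs::path(r["path"]).filename().string();
    } else {
      // A zombie has no executable path to resolve; fall back to proc_name.
      // The buffer is one byte longer than the 16 bytes requested and is
      // zero-filled, so the result is always NUL-terminated (also when
      // proc_name fails and writes nothing, yielding an empty name).
      r["path"] = "";
      std::vector<char> name(17);
      proc_name(pid, name.data(), 16);
      r["name"] = std::string(name.data());
    }

    // on_disk tri-state: 1 if the executable path is known and the file
    // exists, 0 if the path is known but the file does NOT exist on disk
    // (binary removed after launch -- a common indicator worth hunting for),
    // -1 if no path is available (e.g. zombies).
    if (r["path"].empty()) {
      r["on_disk"] = INTEGER(-1);
    } else if (pathExists(r["path"])) {
      r["on_disk"] = INTEGER(1);
    } else {
      r["on_disk"] = INTEGER(0);
    }

    // systems usage and time information
    struct rusage_info_v2 rusage_info_data {};
    int status = proc_pid_rusage(
        pid, RUSAGE_INFO_V2, reinterpret_cast<rusage_info_t*>(&rusage_info_data));
    // proc_pid_rusage returns -1 if it was unable to gather information
    if (status == 0) {
      // size/memory information
      r["wired_size"] = TEXT(rusage_info_data.ri_wired_size);
      r["resident_size"] = TEXT(rusage_info_data.ri_resident_size);
      r["total_size"] = TEXT(rusage_info_data.ri_phys_footprint);

      // time information
      r["user_time"] = TEXT(rusage_info_data.ri_user_time / CPU_TIME_RATIO);
      r["system_time"] = TEXT(rusage_info_data.ri_system_time / CPU_TIME_RATIO);
      // Convert the time in CPU ticks since boot to seconds.
      // This is relative to time not-sleeping since boot.
      if (have_time_base) {
        r["start_time"] =
            TEXT((rusage_info_data.ri_proc_start_abstime / START_TIME_RATIO) *
                 time_base.numer / time_base.denom);
      } else {
        // No usable timebase: report unknown rather than divide by zero.
        r["start_time"] = "-1";
      }
    } else {
      r["wired_size"] = "-1";
      r["resident_size"] = "-1";
      r["total_size"] = "-1";
      r["user_time"] = "-1";
      r["system_time"] = "-1";
      r["start_time"] = "-1";
    }

    // proc_pidinfo returns the number of bytes filled; anything other than a
    // full proc_taskinfo means the thread count could not be read.
    struct proc_taskinfo task_info {};
    status =
        proc_pidinfo(pid, PROC_PIDTASKINFO, 0, &task_info, sizeof(task_info));
    if (status == sizeof(task_info)) {
      r["threads"] = INTEGER(task_info.pti_threadnum);
    } else {
      r["threads"] = "-1";
    }

    results.push_back(r);
  }

  return results;
}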