+++ /dev/null
-/*
- * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-
-/**
- * @file groups.h
- * @brief The scheme of groups (sync with osquery/tables/spec/groups.table)
- */
-
-
-#pragma once
-
-#include <string>
-
-struct Groups {
- unsigned long long int gid; /// Unsigned int64 group ID
- long long int gid_signed; /// A signed int64 version of gid
- std::string groupname; /// Canonical local group name
-};
+++ /dev/null
-/*
- * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-
-/**
- * @file uses.h
- * @brief The scheme of uses (sync with osquery/tables/spec/users.table)
- */
-
-
-#pragma once
-
-#include <string>
-
-struct Users {
- unsigned long long int uid; /// User ID
- unsigned long long int gid; /// Group ID (unsigned)
- long long int uid_signed; /// User ID as int64 signed
- long long int gid_signed; /// Group ID as int64 signed
- std::string username; /// User name
- std::string description; /// Optional user description
- std::string directory; /// User's home directory
- std::string shell; /// User's configured default shell
-};
+++ /dev/null
-table_name("groups")\r
-description("Local system groups.")\r
-schema([\r
- Column("gid", BIGINT, "Unsigned int64 group ID", index=True),\r
- Column("gid_signed", BIGINT, "A signed int64 version of gid"),\r
- Column("groupname", TEXT, "Canonical local group name"),\r
-])\r
-extended_schema(WINDOWS, [\r
- Column("group_sid", TEXT, "Unique group ID", index=True),\r
- Column("comment", TEXT, "Remarks or comments associated with the group"),\r
-])\r
-\r
-extended_schema(DARWIN, [\r
- Column("is_hidden", INTEGER, "IsHidden attribute set in OpenDirectory"),\r
-])\r
-implementation("groups@genGroups")\r
-examples([\r
- "select * from groups where gid = 0",\r
- # Group/user_groups is not JOIN optimized\r
- #"select g.groupname, ug.uid from groups g, user_groups ug where g.gid = ug.gid",\r
- # The relative group ID, or RID, is used by osquery as the "gid"\r
- # For Windows, "gid" and "gid_signed" will always be the same.\r
-])\r
+++ /dev/null
-table_name("users")
-description("Local user accounts (including domain accounts that have logged on locally (Windows)).")
-schema([
- Column("uid", BIGINT, "User ID", index=True),
- Column("gid", BIGINT, "Group ID (unsigned)"),
- Column("uid_signed", BIGINT, "User ID as int64 signed (Apple)"),
- Column("gid_signed", BIGINT, "Default group ID as int64 signed (Apple)"),
- Column("username", TEXT, "Username", additional=True),
- Column("description", TEXT, "Optional user description"),
- Column("directory", TEXT, "User's home directory"),
- Column("shell", TEXT, "User's configured default shell"),
- Column("uuid", TEXT, "User's UUID (Apple) or SID (Windows)"),
-])
-extended_schema(WINDOWS, [
- Column("type", TEXT, "Whether the account is roaming (domain), local, or a system profile"),
-])
-
-extended_schema(DARWIN, [
- Column("is_hidden", INTEGER, "IsHidden attribute set in OpenDirectory")
-])
-implementation("users@genUsers")
-examples([
- "select * from users where uid = 1000",
- "select * from users where username = 'root'",
- "select count(*) from users u, user_groups ug where u.uid = ug.uid",
-])
#include <schema/time.h>
#include <schema/processes.h>
-#include <schema/users.h>
-#include <schema/groups.h>
#include <osquery/logger.h>
make_column("on_disk", &Processes::on_disk),
make_column("parent", &Processes::parent));
-auto users = make_table("users",
- make_column("uid", &Users::uid),
- make_column("gid", &Users::gid),
- make_column("uid_signed", &Users::uid_signed),
- make_column("gid_signed", &Users::gid_signed),
- make_column("username", &Users::username),
- make_column("description", &Users::description),
- make_column("directory", &Users::directory),
- make_column("shell", &Users::shell));
-
-auto groups = make_table("groups",
- make_column("gid", &Groups::gid),
- make_column("gid_signed", &Groups::gid_signed),
- make_column("groupname", &Groups::groupname));
-
-auto db = make_database("db", time, processes, users, groups);
+auto db = make_database("db", time, processes);
} // anonymous namespace
template std::string Property<Processes>::at(std::string Processes::*) const;
template std::string Property<Processes>::operator[](std::string Processes::*) const;
-template class Property<Users>;
-template class Properties<Users>;
-template long long int Property<Users>::at(long long int Users::*) const;
-template long long int Property<Users>::operator[](long long int Users::*) const;
-template unsigned long long int Property<Users>::at(unsigned long long int Users::*) const;
-template unsigned long long int Property<Users>::operator[](unsigned long long int Users::*) const;
-template std::string Property<Users>::at(std::string Users::*) const;
-template std::string Property<Users>::operator[](std::string Users::*) const;
-
-template class Property<Groups>;
-template class Properties<Groups>;
-template long long int Property<Groups>::at(long long int Groups::*) const;
-template long long int Property<Groups>::operator[](long long int Groups::*) const;
-template unsigned long long int Property<Groups>::at(unsigned long long int Groups::*) const;
-template unsigned long long int Property<Groups>::operator[](unsigned long long int Groups::*) const;
-template std::string Property<Groups>::at(std::string Groups::*) const;
-template std::string Property<Groups>::operator[](std::string Groups::*) const;
-
} // namespace osquery
#include <schema/time.h>
#include <schema/processes.h>
-#include <schema/users.h>
-#include <schema/groups.h>
using namespace osquery;
LOG(INFO) << "\t parent: " << result.parent;
}
}
-
-TEST_F(PropertyTests, propertiesUsers) {
- Properties<Users> users;
- EXPECT_TRUE(users.size() > 0);
-
- for(const auto& user : users) {
- EXPECT_TRUE(user.size() > 0);
- LOG(INFO) << "[Test] User table:";
- LOG(INFO) << "\t uid: " << user[&Users::uid];
- LOG(INFO) << "\t gid: " << user[&Users::gid];
- LOG(INFO) << "\t uid_signed: " << user[&Users::uid_signed];
- LOG(INFO) << "\t gid_signed: " << user[&Users::gid_signed];
- LOG(INFO) << "\t username: " << user[&Users::username];
- LOG(INFO) << "\t description: " << user[&Users::description];
- LOG(INFO) << "\t directory: " << user[&Users::directory];
- LOG(INFO) << "\t shell: " << user[&Users::shell];
- }
-}
-
-TEST_F(PropertyTests, propertiesGroups) {
- Properties<Groups> groups;
- EXPECT_TRUE(groups.size() > 0);
-
- for(const auto& group : groups) {
- EXPECT_TRUE(group.size() > 0);
- LOG(INFO) << "[Test] Group table:";
- LOG(INFO) << "\t gid: " << group[&Groups::gid];
- LOG(INFO) << "\t gid_signed: " << group[&Groups::gid_signed];
- LOG(INFO) << "\t groupname: " << group[&Groups::groupname];
- }
-}
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#include <set>
-
-#include <grp.h>
-
-#include <osquery/core.h>
-#include <osquery/tables.h>
-#include <osquery/utils/mutex.h>
-
-namespace osquery {
-namespace tables {
-
-Mutex grpEnumerationMutex;
-
-QueryData genGroups(QueryContext& context) {
- QueryData results;
- struct group* grp = nullptr;
-
- if (context.constraints["gid"].exists(EQUALS)) {
- auto gids = context.constraints["gid"].getAll<long long>(EQUALS);
- for (const auto& gid : gids) {
- Row r;
- grp = getgrgid(gid);
- r["gid"] = BIGINT(gid);
- if (grp != nullptr) {
- r["gid_signed"] = INTEGER((int32_t)grp->gr_gid);
- r["groupname"] = TEXT(grp->gr_name);
- }
- results.push_back(r);
- }
- } else {
- std::set<long> groups_in;
- WriteLock lock(grpEnumerationMutex);
- setgrent();
- while ((grp = getgrent()) != nullptr) {
- if (std::find(groups_in.begin(), groups_in.end(), grp->gr_gid) ==
- groups_in.end()) {
- Row r;
- r["gid"] = INTEGER(grp->gr_gid);
- r["gid_signed"] = INTEGER((int32_t)grp->gr_gid);
- r["groupname"] = TEXT(grp->gr_name);
- results.push_back(r);
- groups_in.insert(grp->gr_gid);
- }
- }
- endgrent();
- groups_in.clear();
- }
-
- return results;
-}
-}
-}
+++ /dev/null
-/**
- * Copyright (c) 2014-present, Facebook, Inc.
- * All rights reserved.
- *
- * This source code is licensed in accordance with the terms specified in
- * the LICENSE file found in the root directory of this source tree.
- */
-
-#include <pwd.h>
-
-#include <mutex>
-
-#include <osquery/core.h>
-#include <osquery/tables.h>
-#include <osquery/utils/mutex.h>
-#include <osquery/utils/conversions/tryto.h>
-
-namespace osquery {
-namespace tables {
-
-Mutex pwdEnumerationMutex;
-
-void genUser(const struct passwd* pwd, QueryData& results) {
- Row r;
- r["uid"] = BIGINT(pwd->pw_uid);
- r["gid"] = BIGINT(pwd->pw_gid);
- r["uid_signed"] = BIGINT((int32_t)pwd->pw_uid);
- r["gid_signed"] = BIGINT((int32_t)pwd->pw_gid);
-
- if (pwd->pw_name != nullptr) {
- r["username"] = TEXT(pwd->pw_name);
- }
-
- if (pwd->pw_gecos != nullptr) {
- r["description"] = TEXT(pwd->pw_gecos);
- }
-
- if (pwd->pw_dir != nullptr) {
- r["directory"] = TEXT(pwd->pw_dir);
- }
-
- if (pwd->pw_shell != nullptr) {
- r["shell"] = TEXT(pwd->pw_shell);
- }
- results.push_back(r);
-}
-
-QueryData genUsers(QueryContext& context) {
- QueryData results;
-
- struct passwd* pwd = nullptr;
- if (context.constraints["uid"].exists(EQUALS)) {
- auto uids = context.constraints["uid"].getAll(EQUALS);
- for (const auto& uid : uids) {
- auto const auid_exp = tryTo<long>(uid, 10);
- if (auid_exp.isValue()) {
- WriteLock lock(pwdEnumerationMutex);
- pwd = getpwuid(auid_exp.get());
- if (pwd != nullptr) {
- genUser(pwd, results);
- }
- }
- }
- } else if (context.constraints["username"].exists(EQUALS)) {
- auto usernames = context.constraints["username"].getAll(EQUALS);
- for (const auto& username : usernames) {
- WriteLock lock(pwdEnumerationMutex);
- pwd = getpwnam(username.c_str());
- if (pwd != nullptr) {
- genUser(pwd, results);
- }
- }
- } else {
- WriteLock lock(pwdEnumerationMutex);
- pwd = getpwent();
- while (pwd != nullptr) {
- genUser(pwd, results);
- pwd = getpwent();
- }
- endpwent();
- }
-
- return results;
-}
-}
-}