package types
import (
	"encoding/json"
	"fmt"
	"strconv"

	"github.com/jmpsec/osctrl/queries"
)
// Log types a node can send; the value is what appears in LogRequest.LogType.

// StatusLog is the log type for osquery status (daemon) logs.
const StatusLog string = "status"

// ResultLog is the log type for scheduled-query result logs.
const ResultLog string = "result"

// QueryLog is the log type for on-demand query logs.
const QueryLog string = "query"
// OSVersionTable provided on enrollment, table os_version
//
// Mirrors one row of osquery's os_version table as embedded in
// EnrollRequest.HostDetails. Every column is kept as a string; nothing
// here parses numeric-looking fields such as Major or Minor.
// NOTE(review): these values are supplied by the enrolling node and are
// not validated by this type — treat them as untrusted input downstream.
type OSVersionTable struct {
	ID           string `json:"_id"`
	Codename     string `json:"codename"`
	Major        string `json:"major"`
	Minor        string `json:"minor"`
	Name         string `json:"name"`
	Patch        string `json:"patch"`
	Platform     string `json:"platform"`
	PlatformLike string `json:"platform_like"`
	Version      string `json:"version"`
}

// OsqueryInfoTable provided on enrollment, table osquery_info
//
// Mirrors one row of osquery's osquery_info table. Note the JSON key for
// Extension is the plural "extensions" as emitted by osquery.
type OsqueryInfoTable struct {
	BuildDistro   string `json:"build_distro"`
	BuildPlatform string `json:"build_platform"`
	ConfigHash    string `json:"config_hash"`
	ConfigValid   string `json:"config_valid"`
	Extension     string `json:"extensions"`
	InstanceID    string `json:"instance_id"`
	PID           string `json:"pid"`
	StartTime     string `json:"start_time"`
	UUID          string `json:"uuid"`
	Version       string `json:"version"`
	Watcher       string `json:"watcher"`
}

// PlatformInfoTable provided on enrollment, table platform_info
//
// Mirrors one row of osquery's platform_info (firmware) table.
type PlatformInfoTable struct {
	Address    string `json:"address"`
	Date       string `json:"date"`
	Extra      string `json:"extra"`
	Revision   string `json:"revision"`
	Size       string `json:"size"`
	Vendor     string `json:"vendor"`
	Version    string `json:"version"`
	VolumeSize string `json:"volume_size"`
}

// SystemInfoTable provided on enrollment, table system_info
//
// Mirrors one row of osquery's system_info table. Hostname, UUID and
// HardwareSerial are the identifiers a server is most likely to key on;
// they arrive as plain node-supplied strings with no validation here.
type SystemInfoTable struct {
	ComputerName     string `json:"computer_name"`
	CPUBrand         string `json:"cpu_brand"`
	CPULogicalCores  string `json:"cpu_logical_cores"`
	CPUPhysicalCores string `json:"cpu_physical_cores"`
	CPUSubtype       string `json:"cpu_subtype"`
	CPUType          string `json:"cpu_type"`
	HardwareModel    string `json:"hardware_model"`
	HardwareSerial   string `json:"hardware_serial"`
	HardwareVendor   string `json:"hardware_vendor"`
	HardwareVersion  string `json:"hardware_version"`
	Hostname         string `json:"hostname"`
	LocalHostname    string `json:"local_hostname"`
	PhysicalMemory   string `json:"physical_memory"`
	UUID             string `json:"uuid"`
}
// GenericRequest to some endpoints
//
// The minimal body an already-enrolled node sends: only the node_key it
// received in EnrollResponse. Several request types below are aliases of
// this shape (ConfigRequest, QueryReadRequest).
type GenericRequest struct {
	NodeKey string `json:"node_key"`
}

// GenericResponse for osquery nodes
//
// The minimal reply: node_invalid set to true tells the agent its node_key
// was rejected. Several response types below are aliases of this shape.
type GenericResponse struct {
	NodeInvalid bool `json:"node_invalid"`
}
// EnrollRequest received when nodes enroll
//
// This is the one request that arrives before a node holds a node_key, so
// EnrollSecret is the only credential present; everything in HostDetails is
// self-reported by the node. NOTE(review): presumably the handler checks
// EnrollSecret before trusting HostDetails or issuing a key — verify there.
type EnrollRequest struct {
	EnrollSecret   string `json:"enroll_secret"`
	HostIdentifier string `json:"host_identifier"`
	PlatformType   string `json:"platform_type"`
	// HostDetails carries the enrollment tables osquery snapshots at enroll time.
	HostDetails struct {
		EnrollOSVersion    OSVersionTable    `json:"os_version"`
		EnrollOsqueryInfo  OsqueryInfoTable  `json:"osquery_info"`
		EnrollSystemInfo   SystemInfoTable   `json:"system_info"`
		EnrollPlatformInfo PlatformInfoTable `json:"platform_info"`
	} `json:"host_details"`
}

// EnrollResponse to be returned to agents
//
// NodeKey is the per-node credential the agent echoes in every later
// request (see GenericRequest); NodeInvalid true signals a rejected enrollment.
type EnrollResponse struct {
	NodeKey     string `json:"node_key"`
	NodeInvalid bool   `json:"node_invalid"`
}
// ConfigRequest received when nodes request configuration
//
// Same shape as GenericRequest: only the node_key. Being a defined type (not
// an alias), it does not inherit methods from GenericRequest.
type ConfigRequest GenericRequest

// ConfigResponse for configuration requests from nodes
//
// Same shape as GenericResponse; the configuration itself is not part of
// this type.
type ConfigResponse GenericResponse
// LogRequest received to process logs
//
// LogType selects how Data is interpreted; presumably one of StatusLog,
// ResultLog or QueryLog from this package. Data is kept as json.RawMessage
// so decoding into LogResultData / LogStatusData can be deferred until the
// type is known. NOTE(review): RawMessage imposes no size limit of its own;
// confirm the HTTP layer bounds the request body.
type LogRequest struct {
	NodeKey string          `json:"node_key"`
	LogType string          `json:"log_type"`
	Data    json.RawMessage `json:"data"`
}

// LogResponse for log requests from nodes
//
// Same shape as GenericResponse.
type LogResponse GenericResponse

// LogDecorations for decorations field in node logs requests
//
// Decorations are values osquery attaches to every log line from its
// configured decorator queries; they are node-reported, not server-derived.
type LogDecorations struct {
	Username       string `json:"username"`
	OsqueryUser    string `json:"osquery_user"`
	LocalHostname  string `json:"local_hostname"`
	Hostname       string `json:"hostname"`
	OsqueryVersion string `json:"osquery_version"`
	ConfigHash     string `json:"config_hash"`
	// DaemonHash is serialized under the historical key "osquery_md5".
	DaemonHash string `json:"osquery_md5"`
}
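// StringInt to parse numbers that could be strings
//
// osquery emits some numeric fields (unixTime, severity, line) either as a
// JSON number or as a quoted decimal string depending on version; this type
// accepts both when used as a struct field.
type StringInt int

// UnmarshalJSON implements the json.Unmarshaler interface, which
// allows us to ingest values of any json type as an int and run our custom conversion
//
// Accepted encodings are a JSON number (decoded as int by encoding/json) or a
// JSON string holding a base-10 integer (parsed with strconv.Atoi). A JSON
// null leaves the receiver unchanged, matching encoding/json's convention.
// Anything else — including an empty input — returns an error rather than
// silently yielding zero, so malformed node logs are rejected, not mis-stored.
func (si *StringInt) UnmarshalJSON(b []byte) error {
	// encoding/json never passes an empty slice to an Unmarshaler, but direct
	// callers can; indexing b[0] below would panic on it.
	if len(b) == 0 {
		return fmt.Errorf("parsing StringInt: empty input")
	}
	if b[0] != '"' {
		// Not quoted: let encoding/json validate and decode the number.
		return json.Unmarshal(b, (*int)(si))
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	i, err := strconv.Atoi(s)
	if err != nil {
		// %w keeps strconv's error reachable via errors.Is/As.
		return fmt.Errorf("parsing StringInt %q: %w", s, err)
	}
	*si = StringInt(i)
	return nil
}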
// LogResultData to be used processing result logs from nodes
//
// One entry of a ResultLog payload (LogRequest.Data). Columns stays raw
// because its keys depend on the scheduled query that produced the row.
// UnixTime uses StringInt since osquery may quote it.
type LogResultData struct {
	Name           string          `json:"name"`
	Epoch          int64           `json:"epoch"`
	Action         string          `json:"action"`
	Columns        json.RawMessage `json:"columns"`
	Counter        int             `json:"counter"`
	UnixTime       StringInt       `json:"unixTime"`
	Decorations    LogDecorations  `json:"decorations"`
	CalendarTime   string          `json:"calendarTime"`
	HostIdentifier string          `json:"hostIdentifier"`
}

// LogStatusData to be used processing status logs from nodes
//
// One entry of a StatusLog payload. Line, Severity and UnixTime use
// StringInt because osquery emits them quoted in some versions. Message and
// Filename are free-form text from the daemon; nothing here sanitizes them.
type LogStatusData struct {
	Line           StringInt      `json:"line"`
	Message        string         `json:"message"`
	Version        string         `json:"version"`
	Filename       string         `json:"filename"`
	Severity       StringInt      `json:"severity"`
	UnixTime       StringInt      `json:"unixTime"`
	Decorations    LogDecorations `json:"decorations"`
	CalendarTime   string         `json:"calendarTime"`
	HostIdentifier string         `json:"hostIdentifier"`
}

// LogGenericData to parse both status and result logs
//
// The subset of fields common to LogResultData and LogStatusData, useful
// for a first pass that only needs the host identity before the full decode.
type LogGenericData struct {
	HostIdentifier string         `json:"hostIdentifier"`
	Decorations    LogDecorations `json:"decorations"`
	Version        string         `json:"version"`
}
// QueryReadRequest received to get on-demand queries
//
// Same shape as GenericRequest: only the node_key.
type QueryReadRequest GenericRequest

// QueryReadResponse for on-demand queries from nodes
//
// Queries is the set of distributed queries the node should run, keyed and
// typed by the queries package.
type QueryReadResponse struct {
	Queries     queries.QueryReadQueries `json:"queries"`
	NodeInvalid bool                     `json:"node_invalid"`
}

// AcceleratedQueryReadResponse for accelerated on-demand queries from nodes
// https://github.com/osquery/osquery/blob/master/osquery/distributed/distributed.cpp#L219-L231
//
// Same as QueryReadResponse plus Accelerate, the number of seconds the agent
// should poll the distributed endpoint faster (per the linked osquery source).
type AcceleratedQueryReadResponse struct {
	Queries     queries.QueryReadQueries `json:"queries"`
	NodeInvalid bool                     `json:"node_invalid"`
	Accelerate  int                      `json:"accelerate"`
}
// QueryWriteQueries to hold the on-demand queries results
//
// Keyed by query name; the value is the raw result rows, left undecoded
// because their columns depend on the query.
type QueryWriteQueries map[string]json.RawMessage

// QueryWriteStatuses to hold the on-demand queries statuses
//
// Keyed by query name; the value is the node-reported status code for that
// query (0 presumably meaning success — verify against the handler).
type QueryWriteStatuses map[string]int

// QueryWriteMessages to hold the on-demand queries messages
//
// Keyed by query name; the value is the node-reported message (e.g. an
// error text) for that query.
type QueryWriteMessages map[string]string

// QueryWriteRequest to receive on-demand queries results
//
// The three maps are expected to share keys (query names); this type does
// not enforce that, so a handler should tolerate a name present in one map
// and absent from another.
type QueryWriteRequest struct {
	Queries  QueryWriteQueries  `json:"queries"`
	Statuses QueryWriteStatuses `json:"statuses"`
	Messages QueryWriteMessages `json:"messages"`
	NodeKey  string             `json:"node_key"`
}

// QueryCarveScheduled to receive confirmation for scheduled carved file
//
// All fields, including SHA256 and Size, are reported by the node; they
// describe what the node claims it carved and are not verified here.
type QueryCarveScheduled struct {
	Time      string `json:"time"`
	SHA256    string `json:"sha256"`
	Size      string `json:"size"`
	Path      string `json:"path"`
	Status    string `json:"status"`
	CarveGUID string `json:"carve_guid"`
	RequestID string `json:"request_id"`
	Carve     string `json:"carve"`
}

// QueryWriteResponse for on-demand queries results from nodes
//
// Same shape as GenericResponse.
type QueryWriteResponse GenericResponse

// QueryWriteData to store result of on-demand queries
//
// Flattened per-query view combining the entries of the three maps in
// QueryWriteRequest for a single query Name.
type QueryWriteData struct {
	Name    string          `json:"name"`
	Result  json.RawMessage `json:"result"`
	Status  int             `json:"status"`
	Message string          `json:"message"`
}
// CarveInitRequest received to begin a carve
//
// BlockCount, BlockSize and CarveSize are sizes declared by the node for the
// upload that follows. NOTE(review): this type carries no bounds; confirm the
// handler validates them (and that BlockCount*BlockSize is consistent with
// CarveSize) before they drive any allocation or storage decision.
type CarveInitRequest struct {
	BlockCount int    `json:"block_count"`
	BlockSize  int    `json:"block_size"`
	CarveSize  int    `json:"carve_size"`
	CarveID    string `json:"carve_id"`
	RequestID  string `json:"request_id"`
	NodeKey    string `json:"node_key"`
}

// CarveInitResponse for osquery nodes
//
// SessionID is the server-issued handle the node sends back with each
// CarveBlockRequest of this carve.
type CarveInitResponse struct {
	Success   bool   `json:"success"`
	SessionID string `json:"session_id"`
}

// CarveBlockRequest carries one block of an in-progress carve
//
// Sent once per block after CarveInitRequest; BlockID is the block's index
// and SessionID ties it to the carve. Data is the block payload as encoded by
// the node (presumably base64 — verify in the handler). Unlike the other
// node requests, there is no node_key here, so SessionID is the only thing
// linking a block to an enrolled node.
type CarveBlockRequest struct {
	BlockID   int    `json:"block_id"`
	SessionID string `json:"session_id"`
	RequestID string `json:"request_id"`
	Data      string `json:"data"`
}

// CarveBlockResponse for osquery nodes
//
// Success false tells the agent the block was not accepted.
type CarveBlockResponse struct {
	Success bool `json:"success"`
}