/src/osquery/osquery/tables/events/event_utils.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /** |
2 | | * Copyright (c) 2014-present, The osquery authors |
3 | | * |
4 | | * This source code is licensed as defined by the LICENSE file found in the |
5 | | * root directory of this source tree. |
6 | | * |
7 | | * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) |
8 | | */ |
9 | | |
10 | | #include <osquery/sql/sql.h> |
11 | | |
12 | | #include <osquery/hashing/hashing.h> |
13 | | #include <osquery/tables/events/event_utils.h> |
14 | | |
namespace osquery {

/// Column names that decorateFileEvent() copies from a `file` table row
/// into the event row it is decorating.
const std::set<std::string> kCommonFileColumns = {
    "inode",
    "uid",
    "gid",
    "mode",
    "size",
    "atime",
    "mtime",
    "ctime",
};

/**
 * @brief Enrich a file event row with file metadata and, optionally, hashes.
 *
 * Queries the `file` table for @p path and, only when exactly one row comes
 * back, copies every column named in kCommonFileColumns that the row
 * contains. Zero or multiple matches leave those columns untouched.
 *
 * The "hashed" column is always written:
 *   - "0"  hashing was not requested,
 *   - "1"  hashing was requested and the MD5 digest is non-empty,
 *   - "-1" hashing was requested and the MD5 digest is empty.
 *
 * @param path Path used for both the `file` table lookup and the hashing.
 * @param hash When true, MD5, SHA1 and SHA256 digests are added to @p r.
 * @param r Row that receives the metadata, digest and "hashed" columns.
 *
 * NOTE(review): the metadata lookup and the hashing are two separate
 * operations on `path`, both performed when this function runs. The values
 * therefore describe whatever the path resolves to at that moment and are
 * not guaranteed to describe the same file state as each other. If callers
 * invoke this after the triggering event (not visible here), the file may
 * have been modified or replaced in between; consumers should treat the
 * columns as point-in-time data. Confirm against the callers.
 */
void decorateFileEvent(const std::string& path, bool hash, Row& r) {
  auto file_rows = SQL::selectAllFrom("file", "path", EQUALS, path);
  if (file_rows.size() == 1) {
    auto& file_row = file_rows.at(0);
    for (const auto& column : kCommonFileColumns) {
      // Skip columns the lookup did not return instead of throwing on at().
      if (file_row.count(column) == 0) {
        continue;
      }
      r[column] = file_row.at(column);
    }
  }

  if (!hash) {
    // Hashing was not requested: record that explicitly and stop.
    r["hashed"] = "0";
    return;
  }

  auto digests = hashMultiFromFile(
      HASH_TYPE_MD5 | HASH_TYPE_SHA1 | HASH_TYPE_SHA256, path);
  r["md5"] = std::move(digests.md5);
  r["sha1"] = std::move(digests.sha1);
  r["sha256"] = std::move(digests.sha256);

  // The status is derived from the MD5 digest alone: empty means failure.
  // NOTE(review): if MD5 can be empty while SHA1/SHA256 are populated, this
  // would report "-1" next to valid digests; verify against
  // hashMultiFromFile.
  const bool md5_missing = r.at("md5").empty();
  r["hashed"] = md5_missing ? "-1" : "1";
}

} // namespace osquery