Merge pull request #53 from CESNET/osquery_plugin

Osquery plugin

Author: cejkato2

Makefile.am

@@ -80,8 +80,6 @@ ipfixprobe_output_src+=\
 			fields.h
 endif
 
-
-
 ipfixprobe_process_src=\
 		process/http.cpp \
 		process/http.hpp \
@@ -130,6 +128,7 @@ ipfixprobe_process_src+=\
 		process/quic.hpp \
 		process/quic.cpp
 endif
+
 if WITH_FLEXPROBE
 ipfixprobe_process_src+=\
 		process/flexprobe-data.h \
@@ -141,6 +140,12 @@ ipfixprobe_process_src+=\
 		process/flexprobe-encryption-processing.h
 endif
 
+if WITH_OSQUERY
+ipfixprobe_input_src+=\
+      process/osquery.cpp\
+      process/osquery.hpp
+endif
+
 if WITH_DPDK
 ipfixprobe_input_src+=\
         input/dpdk.cpp \

README.md

@@ -414,6 +414,23 @@ Note: the following fields are UniRec arrays.
 ipfixprobe -p pstats:includezeros -r sample.pcap -i "f:output.trapcap"
 ```
 
+### OSQUERY
+List of unirec fields exported together with basic flow fields on interface by OSQUERY plugin.
+
+| UniRec field               | Type     | Description                                         |
+|:--------------------------:|:--------:|:---------------------------------------------------:|
+| PROGRAM_NAME               | string   | The name of the program that handles the connection |
+| USERNAME                   | string   | The name of the user who starts the process         |
+| OS_NAME                    | string   | Distribution or product name                        |
+| OS_MAJOR                   | uint16   | Major release version                               |
+| OS_MINOR                   | uint16   | Minor release version                               |
+| OS_BUILD                   | string   | Optional build-specific or variant string           |
+| OS_PLATFORM                | string   | OS Platform or ID                                   |
+| OS_PLATFORM_LIKE           | string   | Closely related platforms                           |
+| OS_ARCH                    | string   | OS Architecture                                     |
+| KERNEL_VERSION             | string   | Kernel version                                      |
+| SYSTEM_HOSTNAME            | string   | Network hostname including domain                   |
+
 ### SSDP
 List of unirec fields exported together with basic flow fields on interface by SSDP plugin.
 

configure.ac

@@ -293,6 +293,25 @@ RPM_REQUIRES+=" libtrap"
 RPM_BUILDREQ+=" libtrap-devel unirec"
 fi
 
+AC_ARG_WITH([osquery],
+        AC_HELP_STRING([--with-osquery],[Compile with osquery framework (osquery.io).]),
+        [
+      if test "$withval" = "yes"; then
+        withosquery="yes"
+        AC_CHECK_PROG(OSQUERY, osqueryi, yes)
+        AS_IF([test x${OSQUERY} != xyes], [AC_MSG_ERROR([Please install osquery before configuring.])])
+      else
+        withosquery="no"
+      fi
+        ], [withosquery="no"]
+)
+
+AM_CONDITIONAL(WITH_OSQUERY, test x${withosquery} = xyes)
+
+if [[ -z "$WITH_OSQUERY_TRUE" ]]; then
+  AC_DEFINE([WITH_OSQUERY], [1], [Define to 1 if the osquery is available])
+fi
+
 
 AC_ARG_WITH([dpdk],
          AS_HELP_STRING([--with-dpdk],[Compile ipfixprobe with DPDK interface support.]),

include/ipfixprobe/ipfix-elements.hpp

@@ -231,7 +231,6 @@ namespace ipxp {
 #define STATS_PCKT_TCPFLGS(F)         F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id1015 (uint8*)
 #define STATS_PCKT_DIRECTIONS(F)      F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id1016 (int8*)
 
-
 #define SBI_BRST_PACKETS(F)           F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id1050 (uint16*)
 #define SBI_BRST_BYTES(F)             F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id1051 (uint16*)
 #define SBI_BRST_TIME_START(F)        F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id1052 (time*)
@@ -252,9 +251,21 @@ namespace ipxp {
 
 #define QUIC_SNI(F)                   F(8057,    890,   -1,  nullptr)
 
+#define OSQUERY_PROGRAM_NAME(F)       F(8057,    852,  -1,   nullptr)
+#define OSQUERY_USERNAME(F)           F(8057,    853,  -1,   nullptr)
+#define OSQUERY_OS_NAME(F)            F(8057,    854,  -1,   nullptr)
+#define OSQUERY_OS_MAJOR(F)           F(8057,    855,   2,   nullptr)
+#define OSQUERY_OS_MINOR(F)           F(8057,    856,   2,   nullptr)
+#define OSQUERY_OS_BUILD(F)           F(8057,    857,  -1,   nullptr)
+#define OSQUERY_OS_PLATFORM(F)        F(8057,    858,  -1,   nullptr)
+#define OSQUERY_OS_PLATFORM_LIKE(F)   F(8057,    859,  -1,   nullptr)
+#define OSQUERY_OS_ARCH(F)            F(8057,    860,  -1,   nullptr)
+#define OSQUERY_KERNEL_VERSION(F)     F(8057,    861,  -1,   nullptr)
+#define OSQUERY_SYSTEM_HOSTNAME(F)    F(8057,    862,  -1,   nullptr)
+
 #ifdef WITH_FLEXPROBE
-#define FX_FRAME_SIGNATURE(F)         F(5715,   1010,  18,   NULL)
-#define FX_TCP_TRACKING(F)            F(5715,   1020,   1,   NULL)
+#define FX_FRAME_SIGNATURE(F)         F(5715,   1010,  18,   nullptr)
+#define FX_TCP_TRACKING(F)            F(5715,   1020,   1,   nullptr)
 #endif
 
 /**
@@ -467,6 +478,19 @@ namespace ipxp {
 #define IPFIX_QUIC_TEMPLATE(F) \
   F(QUIC_SNI)
 
+#define IPFIX_OSQUERY_TEMPLATE(F) \
+   F(OSQUERY_PROGRAM_NAME) \
+   F(OSQUERY_USERNAME) \
+   F(OSQUERY_OS_NAME) \
+   F(OSQUERY_OS_MAJOR) \
+   F(OSQUERY_OS_MINOR) \
+   F(OSQUERY_OS_BUILD) \
+   F(OSQUERY_OS_PLATFORM) \
+   F(OSQUERY_OS_PLATFORM_LIKE) \
+   F(OSQUERY_OS_ARCH) \
+   F(OSQUERY_KERNEL_VERSION) \
+   F(OSQUERY_SYSTEM_HOSTNAME)
+
 #ifdef WITH_FLEXPROBE
 #define IPFIX_FLEXPROBE_DATA_TEMPLATE(F) F(FX_FRAME_SIGNATURE)
 #define IPFIX_FLEXPROBE_TCP_TEMPLATE(F) F(FX_TCP_TRACKING)
@@ -505,6 +529,7 @@ namespace ipxp {
    IPFIX_PHISTS_TEMPLATE(F) \
    IPFIX_WG_TEMPLATE(F) \
    IPFIX_QUIC_TEMPLATE(F) \
+   IPFIX_OSQUERY_TEMPLATE(F) \
    IPFIX_FLEXPROBE_DATA_TEMPLATE(F) \
    IPFIX_FLEXPROBE_TCP_TEMPLATE(F) \
    IPFIX_FLEXPROBE_ENCR_TEMPLATE(F)