Added security example

Author: murphybytes

README.md

@@ -28,7 +28,7 @@ ctx, err := context.New(data)
 if err != nil {
 	log.Fatal(err)
 }
-result, err := expression.Evaluate(ctx, `@len( @select( $resources.config_maps, "$elt.firstName == 'John'" ) ) > 0`)
+result, err := expression.EvaluateContext(ctx, `@len( @select( $resources.config_maps, "$elt.firstName == 'John'" ) ) > 0`)
 if result {
 	fmt.Println("found John!")
 }
@@ -43,6 +43,10 @@ func MyFunction(args  []interface{})(interface{}, error) {
 }
 
 ctx, _ := context.New(data, context.Func("@myfunc", MyFunction))
-result, _ := expression.Evaluate(ctx, `@myfunc($foo) == "hello"`)
+result, _ := expression.EvaluateContext(ctx, `@myfunc($foo) == "hello"`)
 
-```
+```
+
+## Examples
+Programs illustrating the usage of Analyze can be found in the examples directory. Also see the 
+unit tests in the analyzer/expression package for more examples of expressions and how they are used. 

context/builtin_functions.go

@@ -101,6 +101,7 @@ func _has(args []interface{})(interface{},error){
 	return nil, errors.New(errors.TypeMismatch, "expected object for first argument of has function")
 }
 
+// @match(string, regex-string) returns true if string matches regex-string of the form /regular expression/
 func _match(args []interface{})(interface{},error){
 	if len(args) != 2 {
 		return nil, errors.New(errors.SyntaxError, "match expects 2 arguments")

examples/security/README.md

@@ -0,0 +1,41 @@
+# Example Security Check
+
+Attackers will sometimes leave a malicious process running but delete the original binary 
+on disk.  This example will use OSQuery to run a query that returns processes in which the 
+original binary has been deleted from disk.  The example converts the OSQuery results  into something 
+analyzer can consume and then uses analyzer to interpret the results. 
+
+The check is defined in the config.json file included with the example.
+```json
+{
+  "collectors": [
+    {
+      "id": "process-check",
+      "expression": "SELECT name, path, pid FROM processes WHERE on_disk = 0;"
+    }
+  ],
+  "checks": [
+    {
+      "collector-id": "process-check",
+      "Description": "processes running without binary on disk",
+      "conditions": [
+        {
+          "type": "fail",
+          "predicate": "@len( $ ) > 2",
+          "message": "lots of possible malicious processes exist"
+        },
+        {
+          "type": "warning",
+          "predicate": "@len( $ ) > 0 && @len( $ ) <= 2",
+          "message": "possible malicious processes exist"
+        },
+        {
+          "type": "pass",
+          "predicate": "@len( $ ) == 0",
+          "message": "no suspect processes found"
+        }
+      ]
+    }
+  ]
+}
+```

examples/security/config.json

@@ -11,8 +11,13 @@
       "Description": "processes running without binary on disk",
       "conditions": [
         {
-          "type": "warn",
-          "predicate": "@len( $ ) > 0",
+          "type": "fail",
+          "predicate": "@len( $ ) > 2",
+          "message": "lots of possible malicious processes exist"
+        },
+        {
+          "type": "warning",
+          "predicate": "@len( $ ) > 0 && @len( $ ) <= 2",
           "message": "possible malicious processes exist"
         },
         {

examples/security/go.mod

@@ -2,4 +2,7 @@ module github.com/murphybytes/analyze/examples/security
 
 go 1.16
 
-require github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5
+require (
+	github.com/murphybytes/analyze v0.0.0-20211113025243-bd44bca5ce89
+	github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5
+)

examples/security/go.sum

@@ -1,16 +1,30 @@
 github.com/Microsoft/go-winio v0.4.9 h1:3RbgqgGVqmcpbOiwrjbVtDHLlJBGF6aE+yHmNtBNsFQ=
 github.com/Microsoft/go-winio v0.4.9/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/alecthomas/participle/v2 v2.0.0-alpha7 h1:cK4vjj0VSgb3lN1nuKA5F7dw+1s1pWBe5bx7nNCnN+c=
+github.com/alecthomas/participle/v2 v2.0.0-alpha7/go.mod h1:NumScqsC42o9x+dGj8/YqsIfhrIQjFEOFovxotbBirA=
+github.com/alecthomas/repr v0.0.0-20181024024818-d37bc2a10ba1 h1:GDQdwm/gAcJcLAKQQZGOJ4knlw+7rfEQQcmwTbt4p5E=
+github.com/alecthomas/repr v0.0.0-20181024024818-d37bc2a10ba1/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ=
 github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f h1:33BV5v3u8I6dA2dEoPuXWCsAaHHOJfPtdxZhAMQV4uo=
 github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/murphybytes/analyze v0.0.0-20211113025243-bd44bca5ce89 h1:x+rVyFOg9WtPtMGB3jfSFpvWkyHW4iaIEARqir44hQw=
+github.com/murphybytes/analyze v0.0.0-20211113025243-bd44bca5ce89/go.mod h1:CeNT1Yh03Z8CipVMl8OEbZ3QN2bAcBwwrEYpl0oNi+I=
 github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5 h1:E275nJIUAvIK/RSN8cq9MAcRLk23jaZq+s24B0I8bEw=
 github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5/go.mod h1:JKR5QhjsYdnIPY7hakgas5sxf8qlA/9wQnLqaMfWdcg=
 github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644 h1:CA1DEQ4NdKphKeL70tvsWNdT5oFh1lOjihRcEDROi0I=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

examples/security/main.go

@@ -16,75 +16,92 @@ func main() {
 	var osQuerySockPath, configPath string
 
 	flag.StringVar(&configPath, "config", "conf.json", "the path to the json configuration defining checks")
-	flag.StringVar(&osQuerySockPath, "osquery",  "/var/osquery/osquery.em", "the path to the osquery socket")
+	flag.StringVar(&osQuerySockPath, "osquery", "/var/osquery/osquery.em", "the path to the osquery socket")
 	flag.Parse()
 
 	client, err := osquery.NewClient(osQuerySockPath, 10*time.Second)
 	if err != nil {
-		log.Fatalf("could not create osquery client %q", err )
+		log.Fatalf("could not create osquery client %q", err)
 	}
 	defer client.Close()
 
 	buff, err := os.ReadFile(configPath)
 	if err != nil {
-		log.Fatalf("could not read config file %q", err )
+		log.Fatalf("could not read config file %q", err)
 	}
 	var config AnalysisConfig
 	if err := json.NewDecoder(bytes.NewBuffer(buff)).Decode(&config); err != nil {
-		log.Fatalf("could not decode config file %q", err )
+		log.Fatalf("could not decode config file %q", err)
 	}
 
 	datas, err := collect(client, config.Collectors)
 	if err != nil {
-		log.Fatalf("collection step failed %q", err )
+		log.Fatalf("collection step failed %q", err)
 	}
 
 	for _, check := range config.Checks {
+		log.Printf("check %s", check.Description)
 		data, ok := datas[check.CollectorID]
 		if !ok {
-			log.Fatalf("no collector %q for check %q", check.CollectorID, check.Description)
+			log.Fatalf("no collector %q", check.CollectorID)
+		}
+		for _, condition := range check.Conditions {
+			passed, err := expression.Evaluate(data, condition.Predicate)
+			if err != nil {
+				log.Fatalf("an error occured %q evaluating predicate %q", err, condition.Predicate)
+			}
+			if passed {
+				log.Printf("%s: %s", condition.Type, condition.Message)
+			}
 		}
 
 	}
-
 }
 
 type Collector struct {
 	ID string `json:"id"`
 	// Expression retrieve data from OSQuery
 	Expression string `json:"expression"`
-
 }
 
 type Condition struct {
-	Type string `json:"type"`
+	Type      string `json:"type"`
 	Predicate string `json:"predicate"`
-	Message string `json:"message"`
+	Message   string `json:"message"`
 }
 
 type Check struct {
-	CollectorID string `json:"collector-id"`
-	Description string `json:"description"`
-	Conditions []Condition `json:"conditions"`
-
+	CollectorID string      `json:"collector-id"`
+	Description string      `json:"description"`
+	Conditions  []Condition `json:"conditions"`
 }
 
 type AnalysisConfig struct {
 	Collectors []Collector `json:"collectors"`
-	Checks []Check `json:"checks"`
-
+	Checks     []Check     `json:"checks"`
 }
 
 type collectorMap map[string]interface{}
 
-func collect(client *osquery.ExtensionManagerClient, collectors []Collector)(collectorMap, error ) {
+// convert []map[string]string to something analyze can handle []interface{} where interface{} is map[string]interface{}
+func collect(client *osquery.ExtensionManagerClient, collectors []Collector) (collectorMap, error) {
 	results := make(collectorMap)
 	for _, coll := range collectors {
-		result, err := client.QueryRows(coll.Expression)
+		rows, err := client.QueryRows(coll.Expression)
 		if err != nil {
 			return nil, err
 		}
-		results[coll.ID] = result
+		var objects []interface{}
+		for _, row := range rows {
+			object := make(map[string]interface{})
+			for k, v := range row {
+				object[k] = v
+			}
+			objects = append(objects, object)
+
+		}
+		results[coll.ID] = objects
+
 	}
 	return results, nil
 }