def assemble_distributed_queries(node):
'''
Retrieve all distributed queries assigned to a particular node
in the NEW state. This function will change the state of the
distributed query to PENDING, however will not commit the change.
It is the responsibility of the caller to commit or rollback on the
current database session.
'''
now = dt.datetime.utcnow()
pending_query_count = 0
query_recon_count = db.session.query(db.func.count(DistributedQueryTask.id)) \
.filter(
DistributedQueryTask.node == node,
DistributedQueryTask.status == DistributedQueryTask.NEW,
DistributedQueryTask.priority == DistributedQueryTask.HIGH,
)
for r in query_recon_count:
pending_query_count = r[0]
if pending_query_count > 0:
query = db.session.query(DistributedQueryTask) \
.join(DistributedQuery) \
.filter(
DistributedQueryTask.node == node,
DistributedQueryTask.status == DistributedQueryTask.NEW,
DistributedQuery.not_before < now,
DistributedQueryTask.priority == DistributedQueryTask.HIGH,
).options(
db.lazyload('*'),
db.contains_eager(DistributedQueryTask.distributed_query)
)
else:
query = db.session.query(DistributedQueryTask) \
.join(DistributedQuery) \
.filter(
DistributedQueryTask.node == node,
DistributedQueryTask.status == DistributedQueryTask.NEW,
DistributedQuery.not_before < now,
DistributedQueryTask.priority == DistributedQueryTask.LOW,
).options(
db.lazyload('*'),
db.contains_eager(DistributedQueryTask.distributed_query)
).limit(1)
queries = {}
for task in query:
if task.sql:
queries[task.guid] = task.sql
else:
queries[task.guid] = task.distributed_query.sql
task.update(status=DistributedQueryTask.PENDING,
timestamp=now,
commit=False)
# add this query to the session, but don't commit until we're
# as sure as we possibly can be that it's been received by the
# osqueryd client. unfortunately, there are no guarantees though.
db.session.add(task)
return queries
def assemble_queries(node, config_json=None):
if config_json:
schedule = {}
for query in node.queries.options(db.lazyload('*')):
schedule[query.name] = query.to_dict()
if config_json:
schedule = merge_two_dicts(schedule, config_json.get('schedule'))
else:
schedule = []
for query in node.queries.options(db.lazyload('*')):
schedule.append(query.to_dict())
return schedule
def file_paths(self):
return db.session.object_session(self) \
.query(FilePath) \
.join(file_path_tags, file_path_tags.c['file_path.id'] == FilePath.id) \
.join(node_tags, node_tags.c['tag.id'] == file_path_tags.c['tag.id']) \
.filter(node_tags.c['node.id'] == self.id) \
.options(db.lazyload('*'))
def queries(self):
return db.session.object_session(self) \
.query(Query) \
.join(query_tags, query_tags.c['query.id'] == Query.id) \
.join(node_tags, node_tags.c['tag.id'] == query_tags.c['tag.id']) \
.filter(node_tags.c['node.id'] == self.id) \
.options(db.lazyload('*'))
def packs(self):
return db.session.object_session(self) \
.query(Pack) \
.join(pack_tags, pack_tags.c['pack.id'] == Pack.id) \
.join(node_tags, node_tags.c['tag.id'] == pack_tags.c['tag.id']) \
.filter(node_tags.c['node.id'] == self.id) \
.options(db.lazyload('*'))
def assemble_schedule(node):
schedule = {}
for query in node.queries.options(db.lazyload('*')):
schedule[query.name] = query.to_dict()
platform = node.platform
if platform not in DEFAULT_PLATFORMS:
platform = 'linux'
is_x86 = False
if node.node_info and 'cpu_type' in node.node_info and node.node_info[
'cpu_type'] == DefaultQuery.ARCH_x86:
is_x86 = True
query = DefaultQuery.query.filter(DefaultQuery.status == True).filter(
DefaultQuery.platform == platform)
if is_x86:
queries = query.filter(
DefaultQuery.arch == DefaultQuery.ARCH_x86).all()
else:
queries = query.filter(
or_(DefaultQuery.arch == None,
DefaultQuery.arch != DefaultQuery.ARCH_x86)).all()
for default_query in queries:
schedule[default_query.name] = default_query.to_dict()
return schedule
def assemble_schedule(node, config_json):
schedule = {}
for query in node.queries.options(db.lazyload('*')):
schedule[query.name] = query.to_dict()
if config_json:
schedule = merge_two_dicts(schedule, config_json.get('schedule'))
return schedule
def assemble_schedule(node):
schedule = {}
for query in node.queries.options(db.lazyload('*')):
schedule[query.name] = query.to_dict()
platform = node.platform
if platform not in DEFAULT_PLATFORMS:
platform = 'linux'
for default_query in DefaultQuery.query.filter(DefaultQuery.status == True).filter(
DefaultQuery.platform == platform).all():
schedule[default_query.name] = default_query.to_dict()
return schedule
def decorated_function(*args, **kwargs):
# in v1.7.4, the Content-Encoding header is set when
# --logger_tls_compress=true
remote_addr = get_ip()
if 'Content-Encoding' in request.headers and \
request.headers['Content-Encoding'] == 'gzip':
request._cached_data = gzip.GzipFile(
fileobj=BytesIO(request.get_data())).read()
request_json = request.get_json()
if not request_json or 'node_key' not in request_json:
current_app.logger.error(
"%s - Request did not contain valid JSON data. This could "
"be an attempt to gather information about this endpoint "
"or an automated scanner.", remote_addr)
# Return nothing
return ""
node_key = request_json.get('node_key')
node = Node.query.filter_by(node_key=node_key) \
.options(db.lazyload('*')).first()
if not node:
current_app.logger.error(
"%s - Could not find node with node_key %s", remote_addr,
node_key)
return jsonify(node_invalid=True)
if not node.node_is_active():
current_app.logger.info("%s - Node %s came back from the dead!",
request.remote_addr, node_key)
send_checkin_queries(node)
current_app.logger.info("[Checkin] Last checkin time for node :" +
str(node.id) + " is :: " +
str(node.last_checkin))
# return jsonify(node_invalid=False)
node.update(last_checkin=dt.datetime.utcnow(),
last_ip=remote_addr,
commit=False)
return f(node=node, *args, **kwargs)
def assemble_file_paths(node):
file_paths = {}
for file_path in node.file_paths.options(db.lazyload('*')):
file_paths.update(file_path.to_dict())
return file_paths
