/**
* Copyright (c) 2014-present, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed in accordance with the terms specified in
* the LICENSE file found in the root directory of this source tree.
*/
// Sanity-check integration test for the `processes` table: confirms the table
// returns rows and that every column holds a value of the expected type.
// Spec file: specs/processes.table
#include <osquery/tests/integration/tables/helper.h>
#include <osquery/utils/conversions/tryto.h>
#include <osquery/utils/info/platform_type.h>
#include <osquery/utils/system/uptime.h>
namespace osquery {
namespace table_tests {
// Fixture for the processes table: each test case begins from the shared
// integration-test environment prepared by setUpEnvironment().
class ProcessesTest : public testing::Test {
 protected:
  void SetUp() override { setUpEnvironment(); }
};
// Validates the shape of `select * from processes`: row count, per-column
// types, and (where the host clock can be trusted) that every reported
// start_time falls between boot and the moment the query returned.
TEST_F(ProcessesTest, test_sanity) {
  // Query first, then read the clock: every row's start_time is then bounded
  // above by a wall-clock reading taken after the table was populated.
  auto const rows = execute_query("select * from processes");

  // Refuse to validate an (almost) empty table; fewer than two rows means
  // enumeration failed rather than that the host is idle.
  ASSERT_GE(rows.size(), 2ul);

  auto const snapshot = std::time(nullptr);
  // Earliest plausible process start: the boot time, with one second of slack
  // (presumably to absorb the two clock reads happening in separate calls).
  auto const earliest_start = snapshot - getUptime() - 1;

  bool const on_windows = isPlatform(PlatformType::TYPE_WINDOWS);

  // getUptime() does not behave as expected on Windows, so the boot-time
  // bound is only asserted here, and only applied to start_time below, on
  // the other platforms.
  if (!on_windows) {
    EXPECT_GE(snapshot, earliest_start);
  }

  // Custom validator for start_time: the value must parse as a time_t and lie
  // within [earliest_start, snapshot]. A value of -1 is passed through as
  // acceptable: the table appears to use it when no start time is available;
  // confirm against the table implementation before tightening this.
  auto const start_time_is_plausible = [snapshot, earliest_start](auto raw) {
    auto parsed = tryTo<std::time_t>(raw);
    if (parsed.isError()) {
      return false;
    }
    auto const start = parsed.take();
    return start == -1 || (earliest_start <= start && start <= snapshot);
  };

  // Columns present on every platform and the type each is expected to hold.
  ValidationMap expected = {
      {"pid", IntType},
      {"name", NormalType},
      {"path", NormalType},
      {"cmdline", NormalType},
      {"state", NormalType},
      {"cwd", NormalType},
      {"root", NormalType},
      {"uid", IntType},
      {"gid", IntType},
      {"euid", IntType},
      {"egid", IntType},
      {"suid", IntType},
      {"sgid", IntType},
      {"on_disk", IntType},
      {"wired_size", IntType},
      {"resident_size", NormalType},
      {"total_size", NormalType},
      {"user_time", IntType},
      {"system_time", IntType},
      {"disk_bytes_read", NormalType},
      {"disk_bytes_written", NormalType},
      {"parent", IntType},
      {"pgroup", IntType},
      {"threads", IntType},
      {"nice", IntType},
  };

  if (on_windows) {
    // No trustworthy boot-time bound on Windows: only require an integer.
    expected.emplace("start_time", IntType);
    // Windows-only columns.
    expected.emplace("is_elevated_token", NormalType);
    expected.emplace("elapsed_time", IntType);
    expected.emplace("handle_count", IntType);
    expected.emplace("percent_processor_time", IntType);
  } else {
    expected.emplace("start_time", start_time_is_plausible);
  }

  // macOS-only columns.
  if (isPlatform(PlatformType::TYPE_OSX)) {
    expected.emplace("upid", IntType);
    expected.emplace("uppid", IntType);
    expected.emplace("cpu_type", IntType);
    expected.emplace("cpu_subtype", IntType);
  }

  validate_rows(rows, expected);
}
} // namespace table_tests
} // namespace osquery