Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

carver: Refactor carver to use the Scheduler #6671

Merged
merged 4 commits into from
Oct 14, 2020
Merged

carver: Refactor carver to use the Scheduler #6671

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
75a9fe9
carver: Refactor carver to use the Scheduler
theopolis Sep 21, 2020
0c97799
Update tests and use flag for carver_expiry
Sep 27, 2020
3860a4d
Finish changes from code review
Sep 27, 2020
415cec2
Add optimiztion
Sep 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Add optimiztion
  • Loading branch information
Ted Reed committed Sep 28, 2020
commit 415cec28549a5a40d79df1e031f0188af9b69a84
6 changes: 5 additions & 1 deletion osquery/carver/carver.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,9 @@ void CarverRunnable::start() {
auto requestId = Distributed::getCurrentRequestId();
doCarve(paths, guid, requestId);
}

// All pending carves have been started.
kCarverPendingCarves = false;
}

Carver::Carver(const std::set<std::string>& paths,
Expand Down Expand Up @@ -335,7 +338,8 @@ Status Carver::postCarve(const boost::filesystem::path& path) {
};

void scheduleCarves() {
if (!FLAGS_disable_carver && !CarverRunnable::running()) {
if (!FLAGS_disable_carver && kCarverPendingCarves &&
!CarverRunnable::running()) {
Dispatcher::addService(std::make_shared<CarverRunner<Carver>>());
}
}
Expand Down
3 changes: 3 additions & 0 deletions osquery/carver/carver_utils.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ CLI_FLAG(bool,
true,
"Disable the osquery file carver (default true)");

std::atomic<bool> kCarverPendingCarves{true};

/// Helper function to update values related to a carve
void updateCarveValue(const std::string& guid,
const std::string& key,
Expand Down Expand Up @@ -79,6 +81,7 @@ Status carvePaths(const std::set<std::string>& paths) {
return s;
}

kCarverPendingCarves = true;
return setDatabaseValue(kCarves, kCarverDBPrefix + guid, out);
}
} // namespace osquery
18 changes: 16 additions & 2 deletions osquery/carver/carver_utils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,12 @@

#pragma once

#include <osquery/utils/status/status.h>

#include <atomic>
#include <set>
#include <string>

#include <osquery/utils/status/status.h>

namespace osquery {

/// Prefix used for the temp FS where carved files are stored.
Expand All @@ -31,6 +32,19 @@ const std::string kCarverStatusSuccess = "SUCCESS";
/// Internal carver 'status' indicating a carve request scheduled.
const std::string kCarverStatusScheduled = "SCHEDULED";

/**
* @brief This flag is an optimization attempt used by the CarverRunner.
*
* When osquery starts, if the carver is enabled, the CarverRunner will scan
* for pending carves. After all are started, it will set this pending flag to
* false. Any carve requests will set it to true.
*
* CarverRunner threads start every 60 seconds. It is wasteful to start and stop
* the thread if there are no pending carves. This flag allows us to skip
* starting the thread.
*/
extern std::atomic<bool> kCarverPendingCarves;

/// Update an attribute for a given carve GUID.
void updateCarveValue(const std::string& guid,
const std::string& key,
Expand Down