Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

carver: Refactor carver to use the Scheduler #6671

Merged
merged 4 commits into from
Oct 14, 2020
Merged

carver: Refactor carver to use the Scheduler #6671

merged 4 commits into from
Oct 14, 2020

Conversation

theopolis
Copy link
Member

@theopolis theopolis commented Sep 24, 2020
edited
Loading

This change refactors the carver code and functionality.

From a functionality perspective, carving is now implemented using a request and handler model. Carving can be requested via the SQLite carve function or using the predicate WHERE carve=1 on the osquery_carves table. Previously when a carve was requested, the carving and posting to a remote endpoint would occur during query execution. Now carve requests are buffered and the scheduler thread periodically "wakes up" a carving thread that handles the requests. Additionally, carving is now unique to osqueryd and the metadata from successful carve requests will be removed from osquery's internal database after 24hours.

From a code point of view the implementation is split into a "carver utilities" set that can be widely used/included. This allows components within osquery to request paths to be carved, as well as a minor amount of inspection into carver statuses. The new "carver" set implements the actual carving and a new "runner" thread to handle carver requests serially. This code should NOT be widely used as it has extensive linkage requirements.

@theopolis theopolis added carving refactor Related to osquery code refactoring labels Sep 24, 2020
@theopolis theopolis marked this pull request as ready for review September 25, 2020 00:06
muffins
muffins reviewed Sep 27, 2020
View reviewed changes
Copy link
Contributor

@muffins muffins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First pass through, overall I love it. The re-arch is very clean and I love the re-arranging for testing. Thanks a ton for taking this on man, it looks great. I'll give it another look through to see if I spot anything else, but generally I think it looks pretty good.

osquery/carver/carver.cpp Show resolved Hide resolved
osquery/carver/carver.cpp Show resolved Hide resolved
osquery/carver/carver.cpp Outdated Show resolved Hide resolved
osquery/carver/carver_utils.cpp Outdated Show resolved Hide resolved
osquery/dispatcher/scheduler.cpp Outdated Show resolved Hide resolved
muffins
muffins approved these changes Oct 14, 2020
View reviewed changes
Copy link
Contributor

@muffins muffins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm overall! Thanks a ton for this re-arch dude!

@theopolis theopolis merged commit aa27b07 into osquery:master Oct 14, 2020
@directionless directionless mentioned this pull request Jan 30, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@muffins muffins muffins approved these changes

Assignees
No one assigned
Labels
carving refactor Related to osquery code refactoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@theopolis @muffins