Date: Saturday, May 16, 2020 @ 02:33:17 Author: anatolik Revision: 628147
archrelease: copy trunk to community-staging-x86_64 Added: osquery/repos/community-staging-x86_64/ osquery/repos/community-staging-x86_64/PKGBUILD (from rev 628146, osquery/trunk/PKGBUILD) osquery/repos/community-staging-x86_64/yara4.patch (from rev 628146, osquery/trunk/yara4.patch) -------------+ PKGBUILD | 46 +++++++++++++++++++++++++++++++++++++++++++++ yara4.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) Copied: osquery/repos/community-staging-x86_64/PKGBUILD (from rev 628146, osquery/trunk/PKGBUILD) =================================================================== --- community-staging-x86_64/PKGBUILD (rev 0) +++ community-staging-x86_64/PKGBUILD 2020-05-16 02:33:17 UTC (rev 628147) 
@@ -0,0 +1,46 @@
+# Maintainer: Anatol Pomozov
+
+pkgname=osquery
+pkgver=4.3.0
+pkgrel=2
+pkgdesc='SQL powered operating system instrumentation, monitoring, and analytics'
+arch=(x86_64)
+url='https://osquery.io'
+license=(Apache GPL2)
+depends=(augeas boost-libs gflags google-glog aws-sdk-cpp librdkafka rocksdb gtest device-mapper rpm-tools dpkg lvm2 libelfin lldpd rapidjson sleuthkit ssdeep thrift yara lmdb iptables)
+makedepends=(cmake ninja python boost linenoise-ng)
+# patched version of smartools that we need to build statically to avoid collision with the upstream version
+_smartmontools_commit=5f7669fba545f32a6d0c07e2be67df16f3eb354b
+source=(osquery-$pkgver.zip::https://github.com/osquery/osquery/archive/$pkgver.zip
+ third-party-smartmontools.zip::https://github.com/osquery/third-party-smartmontools/archive/$_smartmontools_commit.zip
+ devendorize.patch::https://github.com/anatol/osquery/compare/$pkgver...$pkgver-archlinux.patch
+ yara4.patch)
+sha256sums=('69b570a6e5b4d3a92a7f3812fc78137383aa564025d697cef6e8717e404e3b66'
+ '891f11acd804aa0d53dbec599e6a32ad9c1e5392a3eb4022714871f3a1ce95ee'
+ 'b916c36f7e0394baf627fb0991431f77d796b29014719b754e05a761576def05'
+ '201b3a9f5594214b3133492618b321f428fd2cfbdec63e88436a50c748710158')
+
+prepare() {
+ cd osquery-$pkgver
+ patch -p1 < ../devendorize.patch
+
+ rm -rf libraries/cmake/source/smartmontools/src
+ ln -sf `pwd`/../third-party-smartmontools-$_smartmontools_commit libraries/cmake/source/smartmontools/src
+
+ patch -p1 < ../yara4.patch
+}
+
+build() {
+ cd osquery-$pkgver
+
+ cmake -DCMAKE_BUILD_TYPE=Release -DOSQUERY_STATIC_BUILD=OFF -DCMAKE_INSTALL_PREFIX=/usr -DOSQUERY_VERSION=$pkgver -S . -B build
+ cmake --build build
+}
+
+package() {
+ cd osquery-$pkgver
+
+ cmake --build build --target install -- DESTDIR="$pkgdir"
+ install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+ rm -r "$pkgdir/etc/init.d/"
+}
Copied: osquery/repos/community-staging-x86_64/yara4.patch (from rev 628146, osquery/trunk/yara4.patch)
===================================================================
--- community-staging-x86_64/yara4.patch (rev 0)
+++ community-staging-x86_64/yara4.patch 2020-05-16 02:33:17 UTC (rev 628147)
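Review bot: `depends=(... yara ...)` carries no version constraint, yet yara4.patch rewrites the YARA callbacks to the YARA 4 signatures, so the package will no longer build against a YARA 3 library while the dependency still resolves; `yara>=4` in depends would state the real requirement. The `devendorize.patch` source is a GitHub compare URL whose right-hand side is a branch (`$pkgver-archlinux`), so the pinned sha256 will start failing as soon as that branch moves rather than giving a reproducible source; pinning it to a commit, as `_smartmontools_commit` already does for the smartmontools archive, avoids that. The symlink line in prepare() relies on an unquoted backtick `pwd` substitution; `ln -sf "$srcdir/third-party-smartmontools-$_smartmontools_commit" libraries/cmake/source/smartmontools/src` is the makepkg idiom and is safe against spaces in the build directory.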
@@ -0,0 +1,59 @@
+commit 01d01e39a87e339c88cab216b85ee14428c0f2ec
+Author: Anatol Pomozov <anatol.pomo...@gmail.com>
+Date: Fri May 15 19:04:57 2020 -0700
+
+ Adopt code for the YARA 4 API changes
+
+ https://github.com/VirusTotal/yara/wiki/Backward-incompatible-changes-in-YARA-4.0-API
+
+diff --git a/osquery/tables/yara/yara_utils.cpp b/osquery/tables/yara/yara_utils.cpp
+index 897c18c2..d08bf437 100644
+--- a/osquery/tables/yara/yara_utils.cpp
++++ b/osquery/tables/yara/yara_utils.cpp
+@@ -31,6 +31,7 @@ bool yaraShouldSkipFile(const std::string& path, mode_t st_mode) {
+ void YARACompilerCallback(int error_level,
+ const char* file_name,
+ int line_number,
++ const YR_RULE* rule,
+ const char* message,
+ void* user_data) {
+ if (error_level == YARA_ERROR_LEVEL_ERROR) {
+@@ -209,7 +210,7 @@ Status handleRuleFiles(const std::string& category,
+ * This is the YARA callback. Used to store matching rules in the row which is
+ * passed in as user_data.
+ */
+-int YARACallback(int message, void* message_data, void* user_data) {
++int YARACallback(YR_SCAN_CONTEXT* context, int message, void* message_data, void* user_data) {
+ if (message == CALLBACK_MSG_RULE_MATCHING) {
+ Row* r = (Row*)user_data;
+ YR_RULE* rule = (YR_RULE*)message_data;
+@@ -223,7 +224,7 @@ int YARACallback(int message, void* message_data, void* user_data) {
+ YR_STRING* string = nullptr;
+ yr_rule_strings_foreach(rule, string) {
+ YR_MATCH* match = nullptr;
+- yr_string_matches_foreach(string, match) {
++ yr_string_matches_foreach(context, string, match) {
+ if ((*r)["strings"].length() > 0) {
+ (*r)["strings"] += "," + std::string(string->identifier);
+ } else {
+diff --git a/osquery/tables/yara/yara_utils.h b/osquery/tables/yara/yara_utils.h
+index dd860041..bf984240 100644
+--- a/osquery/tables/yara/yara_utils.h
++++ b/osquery/tables/yara/yara_utils.h
+@@ -28,6 +28,7 @@ const std::string kYARAHome{OSQUERY_HOME "yara/"};
+ void YARACompilerCallback(int error_level,
+ const char* file_name,
+ int line_number,
++ const YR_RULE* rule,
+ const char* message,
+ void* user_data);
+
+@@ -42,7 +43,7 @@ Status handleRuleFiles(const std::string& category,
+ */
+ bool yaraShouldSkipFile(const std::string& path, mode_t st_mode);
+
+-int YARACallback(int message, void* message_data, void* user_data);
++int YARACallback(YR_SCAN_CONTEXT* context, int message, void* message_data, void* user_data);
+
+ /**
+ * @brief A simple ConfigParserPlugin for a "yara" dictionary key.
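Review bot: The new `YARACallback` signature, added in both yara_utils.cpp and yara_utils.h, runs well past 80 columns while the neighbouring `YARACompilerCallback` declaration wraps one parameter per line, so the two new lines should be wrapped the same way (clang-format would produce that) to stay consistent with the file. The `const YR_RULE* rule` parameter added to `YARACompilerCallback` is not referenced in the lines shown; the function body continues outside the hunk, and if it stays unused a comment such as `// rule is required by the YARA 4 compiler-callback signature; unused here` on the definition would explain the otherwise dead parameter. The `(Row*)user_data` and `(YR_RULE*)message_data` C-style casts predate this change but now sit inside the edited `YARACallback`; `static_cast` there would make the pointer reinterpretation greppable.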