Stefano Bonicatti
I've updated the PR with some logic changes as suggested by @directionless. Pid reuse is detected either by the cpu time of the process being lower than what was previously recorded,...
@JayantNayak I was able to verify the issue, it happens pretty often too.
I moved this to the next milestone, it wasn't my target to get it done this milestone, I don't think we should rush it, since there are several steps involved.
NOTE: I've split this from PR https://github.com/osquery/osquery/pull/7620, since it was a partially unrelated change to the fix in the other PR. Though this PR needs PR 7620 to pass and...
@AndrewRi thanks for the report! Although the report comes from a third-party vendor of osquery it seems, I've quickly tested this on the official osquery, and I can see this...
It also seems that's currently intended:
https://github.com/osquery/osquery/blob/365babdb188b5655fcdeb7ff142ba01f0f926bd3/osquery/dispatcher/scheduler.cpp#L154-L155
https://github.com/osquery/osquery/blob/365babdb188b5655fcdeb7ff142ba01f0f926bd3/osquery/sql/sqlite_util.cpp#L248
https://github.com/osquery/osquery/blob/365babdb188b5655fcdeb7ff142ba01f0f926bd3/osquery/sql/sqlite_util.cpp#L213
https://github.com/osquery/osquery/blob/365babdb188b5655fcdeb7ff142ba01f0f926bd3/osquery/sql/sql.cpp#L63
Though I question if it's really needed that also the text log has to be escaped when using valid UTF8.
> There is one more note: if you perform a snapshot using the same code, then in this case the Cyrillic alphabet will be displayed correctly in the file `osquery.snapshots.log`...
> I think we have some prior art around https://github.com/osquery/osquery/tree/3.3.2/tools/tests starting from there might work

I'm in the process of restoring those.
I've opened a PR here https://github.com/osquery/osquery/pull/5836 It's still a work in progress because there have been many changes since the old master and those scripts don't work properly as they are,...