Diffstat (limited to 'sysutils/osquery')
-rw-r--r--sysutils/osquery/Makefile91
-rw-r--r--sysutils/osquery/distinfo5
-rw-r--r--sysutils/osquery/files/osqueryd.in41
-rw-r--r--sysutils/osquery/files/patch-boost-1.6913
-rw-r--r--sysutils/osquery/pkg-descr7
-rw-r--r--sysutils/osquery/pkg-message10
-rw-r--r--sysutils/osquery/pkg-plist36
7 files changed, 203 insertions, 0 deletions
diff --git a/sysutils/osquery/Makefile b/sysutils/osquery/Makefile
new file mode 100644
index 000000000000..7b82a74dd390
--- /dev/null
+++ b/sysutils/osquery/Makefile
@@ -0,0 +1,91 @@
+# Created by: Ryan Steinmetz <zi@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= osquery
+PORTVERSION= 3.3.2
+PORTREVISION= 10
+CATEGORIES= sysutils
+
+MAINTAINER= zi@FreeBSD.org
+COMMENT= SQL powered OS instrumentation, monitoring, and analytics
+
+LICENSE= BSD3CLAUSE
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+BROKEN_aarch64= fails to compile: the clang compiler does not support '-march=x86-64'
+
+BUILD_DEPENDS= thrift>=0.11.0:devel/thrift \
+ bash>0:shells/bash \
+ linenoise-ng>0:devel/linenoise-ng \
+ rapidjson>0:devel/rapidjson \
+ ${PYTHON_PKGNAMEPREFIX}Jinja2>0:devel/py-Jinja2@${PY_FLAVOR}
+LIB_DEPENDS= libaugeas.so:textproc/augeas \
+ libboost_regex.so:devel/boost-libs \
+ libfuzzy.so:security/ssdeep \
+ libgflags.so:devel/gflags \
+ libglog.so:devel/glog \
+ libicuuc.so:devel/icu \
+ librocksdb-lite.so:databases/rocksdb-lite \
+ libthrift.so:devel/thrift-cpp \
+ libzstd.so:archivers/zstd
+RUN_DEPENDS= ca_root_nss>0:security/ca_root_nss
+
+USES= cmake compiler:c++11-lib gnome libarchive libtool \
+ python:2.7,build ssl
+USE_GNOME= libxml2
+CONFIGURE_ENV+= OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" \
+ SKIP_TESTS="yes" CC="${CC}" CXX="${CXX}" \
+ SKIP_SMART=1
+CMAKE_ARGS+= -DFREEBSD=awesome -DCMAKE_SYSTEM_NAME="FreeBSD"
+BLDDIR= ${WRKDIR}/.build/${PORTNAME}
+TPVERSION= 3.0.0
+USE_RC_SUBR= ${PORTNAME}d
+USE_GITHUB= yes
+GH_ACCOUNT= facebook ${PORTNAME}:tp
+GH_PROJECT= third-party:tp
+GH_SUBDIR= third-party:tp
+GH_TAGNAME= ${TPVERSION}:tp
+
+# Some options for things that bring in many dependencies
+OPTIONS_DEFINE= TSK AWS YARA LLDPD
+
+TSK_DESC= Build with sleuthkit support
+TSK_LIB_DEPENDS= libtsk.so:sysutils/sleuthkit
+TSK_CONFIGURE_ENV_OFF= SKIP_TSK=1
+
+AWS_DESC= Support logging to AWS Kinesis
+AWS_LIB_DEPENDS= libaws-cpp-sdk-core.so:devel/aws-sdk-cpp
+AWS_CONFIGURE_ENV_OFF= SKIP_AWS=1
+
+YARA_DESC= Build with YARA malware identification support
+YARA_LIB_DEPENDS= libyara.so:security/yara
+YARA_CONFIGURE_ENV_OFF= SKIP_YARA=1
+
+LLDPD_DESC= Support Link Layer Discovery Protocol
+LLDPD_LIB_DEPENDS= liblldpctl.so:net-mgmt/lldpd
+LLDPD_CONFIGURE_ENV_OFF=SKIP_LLDPD=1
+
+.include <bsd.port.pre.mk>
+
+post-patch:
+ ${REINPLACE_CMD} -e 's|/var/osquery/|/var/db/osquery/|g' \
+ ${WRKSRC}/tools/deployment/osquery.example.conf
+ ${REINPLACE_CMD} -e 's|python|${PYTHON_CMD}|g' \
+ ${WRKSRC}/CMakeLists.txt \
+ ${WRKSRC}/tools/get_platform.py
+
+do-install:
+ ${INSTALL_PROGRAM} ${BLDDIR}/osqueryi ${STAGEDIR}${PREFIX}/bin
+ ${INSTALL_PROGRAM} ${BLDDIR}/osqueryd ${STAGEDIR}${PREFIX}/sbin
+ ${INSTALL_DATA} ${BLDDIR}/libosquery.a ${STAGEDIR}${PREFIX}/lib
+ (cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include)
+ ${INSTALL_DATA} ${WRKSRC}/tools/deployment/osquery.example.conf \
+ ${STAGEDIR}${PREFIX}/etc/osquery.conf.sample
+
+ ${MKDIR} ${STAGEDIR}/var/db/osquery ${STAGEDIR}/var/log/osquery
+ # The flags file must exist, even if empty. Using @sample
+ # prevents a populated flags file from being nuked on upgrade.
+ ${TOUCH} ${STAGEDIR}${PREFIX}/etc/osquery.flags.sample \
+ ${STAGEDIR}${PREFIX}/etc/osquery.flags
+
+.include <bsd.port.post.mk>
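Review bot: The last `${TOUCH}` line of `do-install` stages `${STAGEDIR}${PREFIX}/etc/osquery.flags` as well as the `.sample`, but the pkg-plist hunk in this commit declares only `@sample etc/osquery.flags.sample`; `@sample` already creates `etc/osquery.flags` from the sample at install time when it is absent, so the staged non-sample file is redundant and will likely be reported as an orphan by `make check-plist`. Dropping the second argument, `${TOUCH} ${STAGEDIR}${PREFIX}/etc/osquery.flags.sample`, preserves what the comment above that line asks for (an existing, possibly empty, flags file that survives upgrades). Separately, the `post-patch` substitution `s|python|${PYTHON_CMD}|g` rewrites every occurrence of the substring `python` in `CMakeLists.txt` and `tools/get_platform.py`, including any that are part of longer identifiers, strings or comments; if the intent is only the interpreter invocation, anchoring the pattern to the surrounding text or using a word-boundary form such as `s|[[:<:]]python[[:>:]]|${PYTHON_CMD}|g` narrows it to that.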
diff --git a/sysutils/osquery/distinfo b/sysutils/osquery/distinfo
new file mode 100644
index 000000000000..81e7d0d3ee3f
--- /dev/null
+++ b/sysutils/osquery/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1547602087
+SHA256 (facebook-osquery-3.3.2_GH0.tar.gz) = 74280181f45046209053a3e15114d93adc80929a91570cc4497931cfb87679e4
+SIZE (facebook-osquery-3.3.2_GH0.tar.gz) = 2060717
+SHA256 (osquery-third-party-3.0.0_GH0.tar.gz) = 98731b92147f6c43f679a4a9f63cbb22f2a4d400d94a45e308702dee66a8de9d
+SIZE (osquery-third-party-3.0.0_GH0.tar.gz) = 3535573
diff --git a/sysutils/osquery/files/osqueryd.in b/sysutils/osquery/files/osqueryd.in
new file mode 100644
index 000000000000..e9e6a12cdd58
--- /dev/null
+++ b/sysutils/osquery/files/osqueryd.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: osqueryd
+# REQUIRE: %%REQUIRE%%
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable osqueryd:
+#
+# osqueryd_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=osqueryd
+rcvar=osqueryd_enable
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/osqueryd
+
+osqueryd_enable=${osqueryd_enable-"NO"}
+osqueryd_flags=${osqueryd_flags-""}
+osqueryd_config=${osqueryd_config-"%%PREFIX%%/etc/osquery.conf"}
+required_files=${osqueryd_config}
+command_args="--pidfile /var/run/osqueryd.pid --daemonize=true --database_path /var/db/osquery/osqueryd --tls_server_certs /etc/ssl/cert.pem --flagfile %%PREFIX%%/etc/osquery.flags --config_path=${osqueryd_config}"
+extra_commands="configtest"
+configtest_cmd="configtest"
+pidfile="/var/run/osqueryd.pid"
+
+start_precmd=prestart
+
+configtest() {
+ ${command} ${osqueryd_flags} --config_check --config_path=${osqueryd_config} --verbose
+}
+
+prestart() {
+ install -d /var/db/osquery
+}
+
+run_rc_command "$1"
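Review bot: The `configtest` function runs `${command} ${osqueryd_flags} --config_check --config_path=${osqueryd_config} --verbose` without the `--flagfile %%PREFIX%%/etc/osquery.flags` that `command_args` passes to the daemon, so a check can succeed under a different flag set than the service actually starts with (for instance if the flags file changes where the configuration is read from). Passing the same file, `${command} ${osqueryd_flags} --flagfile %%PREFIX%%/etc/osquery.flags --config_check --config_path=${osqueryd_config} --verbose`, makes the check exercise the real startup flags. The pid file path is also spelled twice, in `command_args` and in `pidfile=`; moving `pidfile="/var/run/osqueryd.pid"` above `command_args` and writing `--pidfile ${pidfile}` keeps the two from drifting. `required_files=${osqueryd_config}` is unquoted and would split on a path containing whitespace; `required_files="${osqueryd_config}"` is the conventional form.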
diff --git a/sysutils/osquery/files/patch-boost-1.69 b/sysutils/osquery/files/patch-boost-1.69
new file mode 100644
index 000000000000..ce2f9b0259a6
--- /dev/null
+++ b/sysutils/osquery/files/patch-boost-1.69
@@ -0,0 +1,13 @@
+https://github.com/facebook/osquery/issues/5266
+
+--- include/osquery/system.h.orig 2018-09-19 05:51:29 UTC
++++ include/osquery/system.h
+@@ -14,6 +14,8 @@
+ #include <mutex>
+ #include <string>
+
++#include <boost/noncopyable.hpp>
++
+ #include <osquery/core.h>
+ #include <osquery/mutex.h>
+
diff --git a/sysutils/osquery/pkg-descr b/sysutils/osquery/pkg-descr
new file mode 100644
index 000000000000..52151430a249
--- /dev/null
+++ b/sysutils/osquery/pkg-descr
@@ -0,0 +1,7 @@
+osquery exposes an operating system as a high-performance relational database.
+This allows you to write SQL-based queries to explore operating system data.
+With osquery, SQL tables represent abstract concepts such as running
+processes, loaded kernel modules, open network connections, browser plugins,
+hardware events or file hashes.
+
+WWW: https://osquery.io/
diff --git a/sysutils/osquery/pkg-message b/sysutils/osquery/pkg-message
new file mode 100644
index 000000000000..36e02fc756f4
--- /dev/null
+++ b/sysutils/osquery/pkg-message
@@ -0,0 +1,10 @@
+[
+{ type: install
+ message: <<EOM
+Note that some osquery tables are currently unsupported on FreeBSD. A list of
+disabled tables can be found at:
+
+https://github.com/facebook/osquery/blob/master/specs/blacklist
+EOM
+}
+]
diff --git a/sysutils/osquery/pkg-plist b/sysutils/osquery/pkg-plist
new file mode 100644
index 000000000000..2c7f51f96a16
--- /dev/null
+++ b/sysutils/osquery/pkg-plist
@@ -0,0 +1,36 @@
+bin/osqueryi
+@dir /var/db/osquery
+@dir /var/log/osquery
+include/osquery/config.h
+include/osquery/core.h
+include/osquery/database.h
+include/osquery/dispatcher.h
+include/osquery/distributed.h
+include/osquery/enroll.h
+include/osquery/error.h
+include/osquery/events.h
+include/osquery/expected.h
+include/osquery/extensions.h
+include/osquery/filesystem.h
+include/osquery/flags.h
+include/osquery/killswitch.h
+include/osquery/logger.h
+include/osquery/numeric_monitoring.h
+include/osquery/mutex.h
+include/osquery/packs.h
+include/osquery/plugin.h
+include/osquery/posix/system.h
+include/osquery/registry.h
+include/osquery/registry_factory.h
+include/osquery/registry_interface.h
+include/osquery/sdk.h
+include/osquery/sql.h
+include/osquery/status.h
+include/osquery/system.h
+include/osquery/tables.h
+include/osquery/query.h
+include/osquery/windows/system.h
+lib/libosquery.a
+sbin/osqueryd
+@sample etc/osquery.conf.sample
+@sample etc/osquery.flags.sample