Merge pull request #58 from korylprince/alt_system_info

Add alt_system_info table

Author: grahamgilbert

BUILD.bazel

@@ -37,6 +37,7 @@ go_library(
     importpath = "github.com/macadmins/osquery-extension",
     visibility = ["//visibility:private"],
     deps = [
+        "//tables/alt_system_info",
         "//tables/authdb",
         "//tables/chromeuserprofiles",
         "//tables/fileline",

MODULE.bazel.lock

@@ -16,6 +16,7 @@ For production deployment, you should refer to the [osquery documentation](https
 
 | Table                    | Description                                                                                   | Platforms               | Notes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | ------------------------ | --------------------------------------------------------------------------------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alt_system_info` | Alternative system_info table | macOS | This table is an alternative to the built-in system_info table in osquery, which triggers an `Allow "osquery" to find devices on local networks?` prompt on macOS 15.0. On versions other than 15.0, this table falls back to the built-in system_info table. Note: this table returns an empty `cpu_subtype` field. See [#58](https://github.com/macadmins/osquery-extension/pull/58) for more details. |
 | `authdb` | macOS Authorization database | macOS | Use the constraint `name` to specify a right name to query, otherwise all rights will be returned. |
 | `file_lines`             | Read an arbitrary file                                                                        | Linux / macOS / Windows | Use the constraint `path` and `last` to specify the file to read lines from                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `filevault_users`        | Information on the users able to unlock the current boot volume when encrypted with Filevault | macOS                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

README.md

@@ -8,6 +8,7 @@ require (
 	github.com/osquery/osquery-go v0.0.0-20231130195733-61ac79279aaa
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.9.0
+	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.mod

@@ -40,6 +40,8 @@ go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26
 go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4=
 go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs=
 go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

go.sum

@@ -7,6 +7,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/macadmins/osquery-extension/tables/alt_system_info"
 	"github.com/macadmins/osquery-extension/tables/chromeuserprofiles"
 	"github.com/macadmins/osquery-extension/tables/fileline"
 	"github.com/macadmins/osquery-extension/tables/filevaultusers"
@@ -100,6 +101,11 @@ func main() {
 					return wifi_network.WifiNetworkGenerate(ctx, queryContext, *flSocketPath)
 				},
 			),
+			table.NewPlugin("alt_system_info", alt_system_info.AltSystemInfoColumns(),
+				func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
+					return alt_system_info.AltSystemInfoGenerate(ctx, queryContext, *flSocketPath)
+				},
+			),
 		}
 		plugins = append(plugins, darwinPlugins...)
 	}

main.go

@@ -5,18 +5,24 @@ go_library(
     srcs = [
         "exec.go",
         "exec_mocks.go",
+        "osquery.go",
         "utils.go",
     ],
     importpath = "github.com/macadmins/osquery-extension/pkg/utils",
     visibility = ["//visibility:public"],
+    deps = ["@com_github_osquery_osquery_go//:osquery-go"],
 )
 
 go_test(
     name = "utils_test",
     srcs = [
         "exec_test.go",
+        "osquery_test.go",
         "utils_test.go",
     ],
     embed = [":utils"],
-    deps = ["@com_github_stretchr_testify//assert"],
+    deps = [
+        "@com_github_stretchr_testify//assert",
+        "@com_github_stretchr_testify//require",
+    ],
 )

pkg/utils/BUILD.bazel

@@ -1,5 +1,7 @@
 package utils
 
+import "strings"
+
 type MockCmdRunner struct {
 	Output string
 	Err    error
@@ -12,3 +14,17 @@ func (m MockCmdRunner) RunCmd(name string, arg ...string) ([]byte, error) {
 func (m MockCmdRunner) RunCmdWithStdin(name string, stdin string, arg ...string) ([]byte, error) {
 	return []byte(m.Output), m.Err
 }
+
+type MultiMockCmdRunner struct {
+	Commands map[string]MockCmdRunner
+}
+
+func (m MultiMockCmdRunner) RunCmd(name string, arg ...string) ([]byte, error) {
+	key := append([]string{name}, arg...)
+	return m.Commands[strings.Join(key, " ")].RunCmd(name, arg...)
+}
+
+func (m MultiMockCmdRunner) RunCmdWithStdin(name string, stdin string, arg ...string) ([]byte, error) {
+	key := append([]string{name}, arg...)
+	return m.Commands[strings.Join(key, " ")].RunCmdWithStdin(name, stdin, arg...)
+}

pkg/utils/exec_mocks.go

@@ -5,33 +5,41 @@ import (
 )
 
 func TestRunCmd(t *testing.T) {
-	runner := MockCmdRunner{
-		Output: "test output",
-		Err:    nil,
+	runner := MultiMockCmdRunner{
+		Commands: map[string]MockCmdRunner{
+			"echo test": {
+				Output: "test output",
+				Err:    nil,
+			},
+		},
 	}
 	output, err := runner.RunCmd("echo", "test")
 	if err != nil {
 		t.Fatalf("RunCmd() error = %v, wantErr nil", err)
 		return
 	}
 	got := string(output)
-	if got != runner.Output {
-		t.Errorf("RunCmd() = %q, want %q", got, runner.Output)
+	if got != runner.Commands["echo test"].Output {
+		t.Errorf("RunCmd() = %q, want %q", got, runner.Commands["echo test"].Output)
 	}
 }
 
 func TestRunCmdWithStdin(t *testing.T) {
-	runner := MockCmdRunner{
-		Output: "test output",
-		Err:    nil,
+	runner := MultiMockCmdRunner{
+		Commands: map[string]MockCmdRunner{
+			"echo": {
+				Output: "test output",
+				Err:    nil,
+			},
+		},
 	}
 	output, err := runner.RunCmdWithStdin("echo", "test")
 	if err != nil {
 		t.Fatalf("RunCmdWithStdin() error = %v, wantErr nil", err)
 		return
 	}
 	got := string(output)
-	if got != runner.Output {
-		t.Errorf("RunCmdWithStdin() = %q, want %q", got, runner.Output)
+	if got != runner.Commands["echo"].Output {
+		t.Errorf("RunCmdWithStdin() = %q, want %q", got, runner.Commands["echo"].Output)
 	}
 }

pkg/utils/exec_test.go

@@ -0,0 +1,53 @@
+package utils
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/osquery/osquery-go"
+)
+
+type OsqueryClienter interface {
+	NewOsqueryClient() (OsqueryClient, error)
+}
+
+type OsqueryClient interface {
+	QueryRows(query string) ([]map[string]string, error)
+	QueryRow(query string) (map[string]string, error)
+	Close()
+}
+
+type SocketOsqueryClienter struct {
+	SocketPath string
+	Timeout    time.Duration
+}
+
+func (s *SocketOsqueryClienter) NewOsqueryClient() (OsqueryClient, error) {
+	osqueryClient, err := osquery.NewClient(s.SocketPath, s.Timeout)
+	if err != nil {
+		return nil, fmt.Errorf("could not create osquery client: %w", err)
+	}
+	return osqueryClient, nil
+}
+
+type MockOsqueryClienter struct {
+	Data map[string][]map[string]string
+}
+
+func (m *MockOsqueryClienter) NewOsqueryClient() (OsqueryClient, error) {
+	return &MockOsqueryClient{Data: m.Data}, nil
+}
+
+type MockOsqueryClient struct {
+	Data map[string][]map[string]string
+}
+
+func (m *MockOsqueryClient) QueryRows(query string) ([]map[string]string, error) {
+	return m.Data[query], nil
+}
+
+func (m *MockOsqueryClient) QueryRow(query string) (map[string]string, error) {
+	return m.Data[query][0], nil
+}
+
+func (m *MockOsqueryClient) Close() {}

pkg/utils/osquery.go

@@ -0,0 +1,40 @@
+package utils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestQueryRows(t *testing.T) {
+	query := "SELECT * FROM table"
+	clienter := &MockOsqueryClienter{
+		Data: map[string][]map[string]string{
+			query: {{"column1": "value1", "column2": "value2"}},
+		},
+	}
+
+	mock, err := clienter.NewOsqueryClient()
+	require.NoError(t, err)
+
+	data, err := mock.QueryRows(query)
+	require.NoError(t, err)
+	assert.Equal(t, clienter.Data[query], data)
+}
+
+func TestQueryRow(t *testing.T) {
+	query := "SELECT * FROM table"
+	clienter := &MockOsqueryClienter{
+		Data: map[string][]map[string]string{
+			query: {{"column1": "value1", "column2": "value2"}},
+		},
+	}
+
+	mock, err := clienter.NewOsqueryClient()
+	require.NoError(t, err)
+
+	data, err := mock.QueryRow("SELECT * FROM table")
+	require.NoError(t, err)
+	assert.Equal(t, clienter.Data[query][0], data)
+}

pkg/utils/osquery_test.go

@@ -0,0 +1,25 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "alt_system_info",
+    srcs = ["alt_system_info.go"],
+    importpath = "github.com/macadmins/osquery-extension/tables/alt_system_info",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/utils",
+        "@com_github_groob_plist//:plist",
+        "@com_github_osquery_osquery_go//plugin/table",
+        "@org_golang_x_sync//errgroup:go_default_library",
+    ],
+)
+
+go_test(
+    name = "alt_system_info_test",
+    srcs = ["alt_system_info_test.go"],
+    deps = [
+        ":alt_system_info",
+        "//pkg/utils",
+        "@com_github_stretchr_testify//assert",
+        "@com_github_stretchr_testify//require",
+    ],
+)