macadmins / osquery-extension

An osquery extension for endpoint engineers
Apache License 2.0

Add alt_system_info table #58

Closed korylprince closed 1 month ago

korylprince commented 1 month ago

This PR adds the alt_system_info table, which mimics the built-in system_info table.

The table avoids the ‘Allow "osquery" to find devices on local networks?’ prompt that the built-in system_info table triggers on macOS 15.0.

On versions other than 15.0, this table queries and returns the output of the system_info table.

The cpu_subtype field always returns empty with this table, because it requires the use of C APIs (e.g. CGo) to fetch.

The following code will allow someone to get the cpu_subtype field, if they want to deal with CGo:

package main

/*
#include <mach/mach.h>

struct cpu_type_info_t {
    char *cpu_type;
    char *cpu_subtype;
};

struct cpu_type_info_t getCpuTypeInfo() {
  // Zero-initialise so both pointers are NULL if host_info fails.
  struct cpu_type_info_t cpu_info = {NULL, NULL};
  mach_port_t host = mach_host_self();

  host_basic_info_data_t host_data;
  mach_msg_type_number_t count = HOST_BASIC_INFO_COUNT;
  kern_return_t kr = host_info(host, HOST_BASIC_INFO, (host_info_t)&host_data, &count);
  // mach_host_self() hands back a send right that must be released.
  mach_port_deallocate(mach_task_self(), host);
  if (kr != KERN_SUCCESS) {
    return cpu_info;
  }

  // Get human readable strings (static storage, nothing to free)
  slot_name(host_data.cpu_type, host_data.cpu_subtype, &cpu_info.cpu_type, &cpu_info.cpu_subtype);

  return cpu_info;
}
*/
import "C"

// GetCPUInfo returns the CPU type and subtype strings, e.g. "arm64e" / "ARM64E".
// Both are empty when the Mach call failed; C.GoString maps a NULL pointer to "".
func GetCPUInfo() (cpuType, cpuSubtype string) {
	info := C.getCpuTypeInfo()
	return C.GoString(info.cpu_type), C.GoString(info.cpu_subtype)
}

Example from macOS 15.0:

osquery> select * from system_info;
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| hostname           | uuid                                 | cpu_type | cpu_subtype | cpu_brand    | cpu_physical_cores | cpu_logical_cores | cpu_sockets | cpu_microcode | physical_memory | hardware_vendor | hardware_model | hardware_version | hardware_serial | board_vendor | board_model | board_version | board_serial | computer_name      | local_hostname |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| Kory-MacBook.local | DC0DF01C-75C6-495D-9AFB-53D60BD482FA | arm64e   | ARM64E      | Apple M2 Max | 12                 | 12                |             |               | 34359738368     | Apple Inc.      | Mac14,5        |                  | ABCDEFGHIJ      |              |             |               |              | Kory’s MacBook Pro | Kory-MacBook   |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
osquery> select * from alt_system_info;
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| hostname           | uuid                                 | cpu_type | cpu_subtype | cpu_brand    | cpu_physical_cores | cpu_logical_cores | cpu_sockets | cpu_microcode | physical_memory | hardware_vendor | hardware_model | hardware_version | hardware_serial | board_vendor | board_model | board_version | board_serial | computer_name      | local_hostname |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| Kory-MacBook.local | DC0DF01C-75C6-495D-9AFB-53D60BD482FA | arm64e   |             | Apple M2 Max | 12                 | 12                |             |               | 34359738368     | Apple Inc.      | Mac14,5        |                  | ABCDEFGHIJ      |              |             |               |              | Kory’s MacBook Pro | Kory-MacBook   |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+

Example from a macOS version other than 15.0:

osquery> select * from system_info;
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| hostname           | uuid                                 | cpu_type | cpu_subtype | cpu_brand    | cpu_physical_cores | cpu_logical_cores | cpu_sockets | cpu_microcode | physical_memory | hardware_vendor | hardware_model | hardware_version | hardware_serial | board_vendor | board_model | board_version | board_serial | computer_name      | local_hostname |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| Kory-MacBook.local | DC0DF01C-75C6-495D-9AFB-53D60BD482FA | arm64e   | ARM64E      | Apple M2 Max | 12                 | 12                |             |               | 34359738368     | Apple Inc.      | Mac14,5        |                  | ABCDEFGHIJ      |              |             |               |              | Kory’s MacBook Pro | Kory-MacBook   |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
osquery> select * from alt_system_info;
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| hostname           | uuid                                 | cpu_type | cpu_subtype | cpu_brand    | cpu_physical_cores | cpu_logical_cores | cpu_sockets | cpu_microcode | physical_memory | hardware_vendor | hardware_model | hardware_version | hardware_serial | board_vendor | board_model | board_version | board_serial | computer_name      | local_hostname |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
| Kory-MacBook.local | DC0DF01C-75C6-495D-9AFB-53D60BD482FA | arm64e   | ARM64E      | Apple M2 Max | 12                 | 12                |             |               | 34359738368     | Apple Inc.      | Mac14,5        |                  | ABCDEFGHIJ      |              |             |               |              | Kory’s MacBook Pro | Kory-MacBook   |
+--------------------+--------------------------------------+----------+-------------+--------------+--------------------+-------------------+-------------+---------------+-----------------+-----------------+----------------+------------------+-----------------+--------------+-------------+---------------+--------------+--------------------+----------------+
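The version gate and fallback described in the PR, as an added example rather than the extension's own code: on the affected macOS release the row is assembled from sysctl keys so the built-in system_info table is never queried (and cpu_subtype stays empty, as the PR notes), while every other release simply returns the system_info row. The column-to-sysctl mapping, the decision to treat 15.0.x patch releases like 15.0, and the injected `systemInfoQuery` function (which in a real extension would be the osquery-go client's Query call) are all assumptions of this example; the `sw_vers`/`sysctl -n` shell-outs in `main` exist only so it runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Column names of osquery's built-in system_info table, in table order.
var systemInfoColumns = []string{
	"hostname", "uuid", "cpu_type", "cpu_subtype", "cpu_brand",
	"cpu_physical_cores", "cpu_logical_cores", "cpu_sockets", "cpu_microcode",
	"physical_memory", "hardware_vendor", "hardware_model", "hardware_version",
	"hardware_serial", "board_vendor", "board_model", "board_version",
	"board_serial", "computer_name", "local_hostname",
}

// triggersLocalNetworkPrompt reports whether a macOS ProductVersion is one where
// querying system_info raises the local-network prompt. The PR states this for
// 15.0; treating patch releases 15.0.x the same way is this example's assumption.
func triggersLocalNetworkPrompt(productVersion string) bool {
	parts := strings.Split(strings.TrimSpace(productVersion), ".")
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return false
	}
	minor := 0
	if len(parts) > 1 {
		if minor, err = strconv.Atoi(parts[1]); err != nil {
			return false
		}
	}
	return major == 15 && minor == 0
}

// sysctlLookup returns one sysctl key as a decimal or text string.
type sysctlLookup func(key string) (string, error)

// systemInfoQuery runs "select * from system_info" through osquery. In a real
// extension this is the osquery-go client's Query call (hypothetical wiring);
// it is injected so the gate can be exercised without an osquery socket.
type systemInfoQuery func() (map[string]string, error)

// Assumed mapping from table columns to the sysctl keys that back them.
// Columns not listed (including cpu_subtype) stay empty on the fallback path.
var sysctlColumns = map[string]string{
	"hostname":           "kern.hostname",
	"cpu_brand":          "machdep.cpu.brand_string",
	"cpu_physical_cores": "hw.physicalcpu",
	"cpu_logical_cores":  "hw.logicalcpu",
	"physical_memory":    "hw.memsize",
	"hardware_model":     "hw.model",
}

// altSystemInfoRow produces the single alt_system_info row: sysctl-backed on
// affected versions (system_info is never touched), delegated otherwise.
func altSystemInfoRow(productVersion string, sysctl sysctlLookup, query systemInfoQuery) (map[string]string, error) {
	if !triggersLocalNetworkPrompt(productVersion) {
		return query()
	}
	row := make(map[string]string, len(systemInfoColumns))
	for _, col := range systemInfoColumns {
		row[col] = "" // keep every column so the schema matches system_info
	}
	for col, key := range sysctlColumns {
		val, err := sysctl(key)
		if err != nil {
			return nil, fmt.Errorf("sysctl %s: %w", key, err)
		}
		row[col] = strings.TrimSpace(val)
	}
	return row, nil
}

func main() {
	ver, err := exec.Command("sw_vers", "-productVersion").Output()
	if err != nil {
		fmt.Println("sw_vers not available; this demo needs macOS:", err)
		return
	}
	shellSysctl := func(key string) (string, error) {
		out, err := exec.Command("sysctl", "-n", key).Output()
		return string(out), err
	}
	// No osqueryd socket in a stand-alone run, so delegation is reported instead.
	noOsquery := func() (map[string]string, error) {
		return nil, errors.New("this version would delegate to system_info")
	}
	row, err := altSystemInfoRow(strings.TrimSpace(string(ver)), shellSysctl, noOsquery)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, col := range systemInfoColumns {
		fmt.Printf("%-20s %s\n", col, row[col])
	}
}
```

Keeping the two data sources behind function types is what makes the gate cheap to test: the fallback path can be driven with a constructed sysctl map, and the test can assert that system_info was not queried at all on the affected version.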
grahamgilbert commented 1 month ago

Thank you for this - have you considered moving the osquery client in the sofa table to your new generic one as well?