osquery / osquery

SQL powered operating system instrumentation, monitoring, and analytics.
https://osquery.io

`cpu_info` table returns no results on Google Compute Engine #7976

Open Rylon opened 1 year ago

Rylon commented 1 year ago

Bug report

What operating system and version are you using?

Ubuntu 18.04

What version of osquery are you using?

5.8.1

What steps did you take to reproduce the issue?

Try to fetch CPU info using the following query.

osqueryi --line "SELECT * from cpu_info;"

What did you expect to see?

I expected to see CPU information from the VM.

What did you see instead?

No results, no errors.

When I try the exact same query on osquery 5.8.1 running on Ubuntu 18.04 on the OpenStack or VMware virtualisation platforms, the query works as expected. When running on Google Compute Engine, I get no results back. I compared the output from /proc/cpuinfo on all three hosts and it looks normal, so I'm not sure why this is happening.

Rylon commented 1 year ago

Further debugging based on a Slack chat:

$ osqueryi --verbose
osquery> select * from cpu_info;
I0403 08:35:27.250139 27557 smbios_tables.cpp:106] Reading SMBIOS from sysfs DMI node

Debug from dmidecode:

$ sudo dmidecode -t processor
# dmidecode 3.1
Getting SMBIOS data from sysfs.
SMBIOS 2.4 present.

Handle 0x1001, DMI type 4, 32 bytes
Processor Information
    Socket Designation: CPU 1
    Type: Central Processor
    Family: Other
    Manufacturer: Google
    ID: 57 06 05 00 FF FB 8B 1F
    Version: Not Specified
    Voltage: Unknown
    External Clock: Unknown
    Max Speed: 2000 MHz
    Current Speed: 2000 MHz
    Status: Populated, Enabled
    Upgrade: Other
    L1 Cache Handle: Not Provided
    L2 Cache Handle: Not Provided
    L3 Cache Handle: Not Provided

Handle 0x1002, DMI type 4, 32 bytes
Processor Information
    Socket Designation: CPU 2
    Type: Central Processor
    Family: Other
    Manufacturer: Google
    ID: 57 06 05 00 FF FB 8B 1F
    Version: Not Specified
    Voltage: Unknown
    External Clock: Unknown
    Max Speed: 2000 MHz
    Current Speed: 2000 MHz
    Status: Populated, Enabled
    Upgrade: Other
    L1 Cache Handle: Not Provided
    L2 Cache Handle: Not Provided
    L3 Cache Handle: Not Provided

Handle 0x1003, DMI type 4, 32 bytes
Processor Information
    Socket Designation: CPU 3
    Type: Central Processor
    Family: Other
    Manufacturer: Google
    ID: 57 06 05 00 FF FB 8B 1F
    Version: Not Specified
    Voltage: Unknown
    External Clock: Unknown
    Max Speed: 2000 MHz
    Current Speed: 2000 MHz
    Status: Populated, Enabled
    Upgrade: Other
    L1 Cache Handle: Not Provided
    L2 Cache Handle: Not Provided
    L3 Cache Handle: Not Provided

Handle 0x1004, DMI type 4, 32 bytes
Processor Information
    Socket Designation: CPU 4
    Type: Central Processor
    Family: Other
    Manufacturer: Google
    ID: 57 06 05 00 FF FB 8B 1F
    Version: Not Specified
    Voltage: Unknown
    External Clock: Unknown
    Max Speed: 2000 MHz
    Current Speed: 2000 MHz
    Status: Populated, Enabled
    Upgrade: Other
    L1 Cache Handle: Not Provided
    L2 Cache Handle: Not Provided
    L3 Cache Handle: Not Provided

Smjert commented 10 months ago

@Rylon I think a detail I did not notice is that osquery is not being run as root, while dmidecode is. You need root access to read the SMBIOS.
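
A pre-flight check for the situation in this thread, where an SMBIOS read fails without an error and the table just comes back empty. This is an added example, not code from the thread or from the osquery project; the sysfs path `/sys/firmware/dmi/tables/DMI` and the function names `smbios_access` and `smbios_report` are assumptions (the log line above only says "sysfs DMI node").

```shell
#!/bin/sh
# Added example: tell "SMBIOS unreadable by this user" apart from
# "SMBIOS absent" before trusting an empty SMBIOS-backed table.
# Assumption: the DMI table is exposed at the usual Linux sysfs path.
DMI_TABLE_DEFAULT="/sys/firmware/dmi/tables/DMI"

# smbios_access [path]
# Prints: readable | permission_denied | missing | empty
# Returns 0 only when the table can actually be read.
smbios_access() {
    path="${1:-$DMI_TABLE_DEFAULT}"
    if [ ! -e "$path" ]; then
        echo "missing"; return 2
    fi
    # Attempt a real read rather than trusting the mode bits.
    if ! head -c 1 "$path" >/dev/null 2>&1; then
        echo "permission_denied"; return 1
    fi
    if [ "$(wc -c < "$path" | tr -d ' ')" -eq 0 ]; then
        echo "empty"; return 3
    fi
    echo "readable"; return 0
}

# smbios_report [path]
# Human-readable verdict for the current user; same exit code as above.
smbios_report() {
    rc=0
    state=$(smbios_access "$@") || rc=$?
    uid=$(id -u)
    case "$state" in
        readable)
            echo "uid $uid can read the DMI table: an empty result is not a permissions problem" ;;
        permission_denied)
            echo "uid $uid cannot read the DMI table: rerun the query as root" ;;
        missing)
            echo "no sysfs DMI table on this host" ;;
        empty)
            echo "DMI table exists but contains no data" ;;
    esac
    return "$rc"
}

# Check the current user against the default path.
smbios_report || true
```
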