Add socketfilterfw apps list table, add apps list test data, update p…

…arsers handling of rows
kolide · Jul 31, 2024 · 6ddfff6 · 6ddfff6
1 parent 1581303
commit 6ddfff6
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 21 deletions.
diff --git a/ee/tables/execparsers/socketfilterfw/parser.go b/ee/tables/execparsers/socketfilterfw/parser.go
@@ -7,22 +7,46 @@ import (
 	"strings"
 )
 
+var appRegex = regexp.MustCompile("(.*)(?:\\s\\(state:\\s)([0-9]+)")
 var lineRegex = regexp.MustCompile("(state|block|built-in|downloaded|stealth|log mode|log option)(?:.*\\s)([0-9a-z]+)")
 
 // socketfilterfw returns lines for each `get` argument supplied.
 // The output data is in the same order as the supplied arguments.
 //
-// Each line describes a part of the feature and what state it's in.
+// This supports parsing the list of apps and their allow state, or
+// each line describes a part of the feature and what state it's in.
+//
 // These are not very well-formed, so I'm doing some regex magic to
 // know which option the current line is, and then sanitize the state.
 func socketfilterfwParse(reader io.Reader) (any, error) {
 	results := make([]map[string]string, 0)
 	row := make(map[string]string)
+	parse_app_data := false
 
 	scanner := bufio.NewScanner(reader)
 	for scanner.Scan() {
-		line := strings.ToLower(scanner.Text())
-		matches := lineRegex.FindStringSubmatch(line)
+		line := scanner.Text()
+
+		// When parsing the app list, the first line of output is a total
+		// count of apps. We can break on this line to start parsing apps.
+		if strings.Contains(line, "Total number of apps") {
+			parse_app_data = true
+
+			if len(row) > 0 {
+				results = append(results, row)
+				row = make(map[string]string)
+			}
+
+			continue
+		}
+
+		matches := make([]string, 0)
+		if parse_app_data {
+			matches = appRegex.FindStringSubmatch(line)
+		} else {
+			matches = lineRegex.FindStringSubmatch(strings.ToLower(line))
+		}
+
 		if len(matches) != 3 {
 			continue
 		}
@@ -44,18 +68,19 @@ func socketfilterfwParse(reader io.Reader) (any, error) {
 		case "log option":
 			key = "logging_option"
 		default:
+			if parse_app_data {
+				row["name"] = matches[1]
+				row["allow_incoming_connections"] = sanitizeState(matches[2])
+				results = append(results, row)
+				row = make(map[string]string)
+			}
+
 			continue
 		}
 
-		// Don't allow overwrites.
-		_, ok := row[key]
-		if !ok {
-			row[key] = sanitizeState(matches[2])
-		}
+		row[key] = sanitizeState(matches[2])
 	}
 
-	// There should only be one row of data for application firewall,
-	// so this append is slightly awkward but should be fine.
 	if len(row) > 0 {
 		results = append(results, row)
 	}
@@ -67,7 +92,9 @@ func socketfilterfwParse(reader io.Reader) (any, error) {
 // the correct boolean to create a consistent state value.
 func sanitizeState(state string) string {
 	switch state {
-	case "0", "off", "disabled":
+	// The app list state for when an app is blocking incoming connections
+	// is output as `4`, while `1` is the state to allow those connections.
+	case "0", "off", "disabled", "4":
 		return "0"
 	// When the "block all" firewall option is enabled, it doesn't
 	// include a state like string, which is why we match on

diff --git a/ee/tables/execparsers/socketfilterfw/parser_test.go b/ee/tables/execparsers/socketfilterfw/parser_test.go
@@ -8,6 +8,9 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+//go:embed test-data/apps.txt
+var apps []byte
+
 //go:embed test-data/data.txt
 var data []byte
 
@@ -26,8 +29,34 @@ func TestParse(t *testing.T) {
 		expected []map[string]string
 	}{
 		{
-			name:  "empty input",
-			input: empty,
+			name: "apps",
+			input: apps,
+			expected: []map[string]string{
+				{
+					"name": "replicatord",
+					"allow_incoming_connections": "1",
+				},
+				{
+					"name": "Pop Helper.app",
+					"allow_incoming_connections": "0",
+				},
+				{
+					"name": "Google Chrome",
+					"allow_incoming_connections": "0",
+				},
+				{
+					"name": "rtadvd",
+					"allow_incoming_connections": "1",
+				},
+				{
+					"name": "com.docker.backend",
+					"allow_incoming_connections": "1",
+				},
+				{
+					"name": "sshd-keygen-wrapper",
+					"allow_incoming_connections": "1",
+				},
+			},
 		},
 		{
 			name:  "data",
@@ -44,6 +73,10 @@ func TestParse(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:  "empty input",
+			input: empty,
+		},
 		{
 			name:  "malformed",
 			input: malformed,

diff --git a/ee/tables/execparsers/socketfilterfw/test-data/apps.txt b/ee/tables/execparsers/socketfilterfw/test-data/apps.txt
@@ -0,0 +1,7 @@
+Total number of apps = 6
+replicatord (state: 1)
+Pop Helper.app (state: 4)
+Google Chrome (state: 4)
+rtadvd (state: 1)
+com.docker.backend (state: 1)
+sshd-keygen-wrapper (state: 1)
diff --git a/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt b/ee/tables/execparsers/socketfilterfw/test-data/malformed.txt
@@ -3,14 +3,6 @@ Firewall is blocking all non-essential incoming connections.x^CFS.
 %#UO
 Automatically allow built-in signed software DISABLED.
 
-Total number of apps = 6
-replicatord (state: 1)
-Pop Helper.app (state: 1)
-Google Chrome (state: 1)
-rtadvd (state: 1)
-com.docker.backend (state: 1)
-sshd-keygen-wrapper (state: 1)
-
 Automatically allow downloaded signed software DISABLEDENABLED.
 Firewall stealth mode is off
 Log mode is onr\r\n\r\n

diff --git a/pkg/osquery/table/platform_tables_darwin.go b/pkg/osquery/table/platform_tables_darwin.go
@@ -125,6 +125,7 @@ func platformSpecificTables(slogger *slog.Logger, currentOsquerydBinaryPath stri
 		dataflattentable.TablePluginExec(slogger, "kolide_nix_upgradeable", dataflattentable.XmlType, allowedcmd.NixEnv, []string{"--query", "--installed", "-c", "--xml"}),
 		dataflattentable.NewExecAndParseTable(slogger, "kolide_remotectl", remotectl.Parser, allowedcmd.Remotectl, []string{`dumpstate`}),
 		dataflattentable.NewExecAndParseTable(slogger, "kolide_socketfilterfw", socketfilterfw.Parser, allowedcmd.Socketfilterfw, []string{"--getglobalstate", "--getblockall", "--getallowsigned", "--getstealthmode", "--getloggingmode", "--getloggingopt"}, dataflattentable.WithIncludeStderr()),
+		dataflattentable.NewExecAndParseTable(slogger, "kolide_socketfilterfw_apps", socketfilterfw.Parser, allowedcmd.Socketfilterfw, []string{"--listapps"}, dataflattentable.WithIncludeStderr()),
 		dataflattentable.NewExecAndParseTable(slogger, "kolide_softwareupdate", softwareupdate.Parser, allowedcmd.Softwareupdate, []string{`--list`, `--no-scan`}, dataflattentable.WithIncludeStderr()),
 		dataflattentable.NewExecAndParseTable(slogger, "kolide_softwareupdate_scan", softwareupdate.Parser, allowedcmd.Softwareupdate, []string{`--list`}, dataflattentable.WithIncludeStderr()),
 		dataflattentable.NewExecAndParseTable(slogger, "kolide_carbonblack_repcli_status", repcli.Parser, allowedcmd.Repcli, []string{"status"}, dataflattentable.WithIncludeStderr()),