From c866ddc3490ab81e53bbd3977354e08b196e6d34 Mon Sep 17 00:00:00 2001
From: Rebecca Mahany-Horton
Date: Thu, 9 Nov 2023 10:24:39 -0500
Subject: [PATCH] Some more platform fixups

---
 pkg/allowedpaths/cmd_windows.go | 2 +-
 .../{launchd.go => launchd_darwin.go} | 8 +-
 pkg/debug/checkups/launchd_other.go | 36 ++++++
 pkg/log/log.go | 110 ------------------
 pkg/log/log_posix.go | 106 +++++++++++++++++
 pkg/log/log_windows.go | 16 +++
 pkg/osquery/table/mdm.go | 3 +
 .../tables/crowdstrike/falconctl/parser.go | 3 +
 .../crowdstrike/falconctl/parser_test.go | 3 +
 .../tables/crowdstrike/falconctl/table.go | 3 +
 .../crowdstrike/falconctl/table_test.go | 3 +
 .../tables/firmwarepasswd/firmwarepasswd.go | 3 +
 .../firmwarepasswd/firmwarepasswd_test.go | 3 +
 pkg/osquery/tables/firmwarepasswd/parser.go | 3 +
 pkg/osquery/tables/mdmclient/mdmclient.go | 6 +-
 .../tables/mdmclient/mdmclient_test.go | 6 +-
 .../tablehelpers/exec_osquery_launchctl.go | 3 +-
 17 files changed, 192 insertions(+), 125 deletions(-)
 rename pkg/debug/checkups/{launchd.go => launchd_darwin.go} (97%)
 create mode 100644 pkg/debug/checkups/launchd_other.go
 create mode 100644 pkg/log/log_posix.go
 create mode 100644 pkg/log/log_windows.go

diff --git a/pkg/allowedpaths/cmd_windows.go b/pkg/allowedpaths/cmd_windows.go
index 393be9091a..efa0a58910 100644
--- a/pkg/allowedpaths/cmd_windows.go
+++ b/pkg/allowedpaths/cmd_windows.go
@@ -54,5 +54,5 @@ func Taskkill(ctx context.Context, arg ...string) (*exec.Cmd, error) {
 
 func Zerotiercli(ctx context.Context, arg ...string) (*exec.Cmd, error) {
 // For windows, "-q" should be prepended before all other args
- return validatedCommand(ctx, path.Join(os.Getenv("SYSTEMROOT"), "ProgramData", "ZeroTier", "One", "zerotier-one_x64.exe"), []string{"-q"}, arg...)
+ return validatedCommand(ctx, path.Join(os.Getenv("SYSTEMROOT"), "ProgramData", "ZeroTier", "One", "zerotier-one_x64.exe"), append([]string{"-q"}, arg...))
 }
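Review bot: The `append([]string{"-q"}, arg...)` on the new line fixes the argument list, but the executable path on the same line is still built with `path.Join`, which joins with `/` regardless of OS; in a `_windows.go` file `filepath.Join` is the right call, so the result uses the platform separator that validatedCommand presumably compares against the filesystem. The base directory also looks off: `%SYSTEMROOT%` is normally `C:\Windows`, so this yields `C:\Windows/ProgramData/ZeroTier/...`, whereas I believe ZeroTier One installs under `%ProgramData%` (typically `C:\ProgramData\ZeroTier\One`); if so, `filepath.Join(os.Getenv("ProgramData"), "ZeroTier", "One", "zerotier-one_x64.exe")` is the intended path. Worth confirming on a Windows host, since a wrong path here only surfaces as an error return from validatedCommand rather than failing loudly.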
diff --git a/pkg/debug/checkups/launchd.go b/pkg/debug/checkups/launchd_darwin.go
similarity index 97%
rename from pkg/debug/checkups/launchd.go
rename to pkg/debug/checkups/launchd_darwin.go
index 3dd4deff90..8673314983 100644
--- a/pkg/debug/checkups/launchd.go
+++ b/pkg/debug/checkups/launchd_darwin.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package checkups
 
 import (
@@ -8,7 +11,6 @@ import (
 "io"
 "os"
 "path/filepath"
- "runtime"
 "strings"
 
 "github.com/kolide/launcher/pkg/allowedpaths"
@@ -25,10 +27,6 @@ type launchdCheckup struct {
 }
 
 func (c *launchdCheckup) Name() string {
- if runtime.GOOS != "darwin" {
- return ""
- }
-
 return "Launchd"
 }
 
diff --git a/pkg/debug/checkups/launchd_other.go b/pkg/debug/checkups/launchd_other.go
new file mode 100644
index 0000000000..59af86cab1
--- /dev/null
+++ b/pkg/debug/checkups/launchd_other.go
@@ -0,0 +1,36 @@
+//go:build !darwin
+// +build !darwin
+
+package checkups
+
+import (
+ "context"
+ "io"
+)
+
+type launchdCheckup struct {
+}
+
+func (c *launchdCheckup) Name() string {
+ return ""
+}
+
+func (c *launchdCheckup) Run(_ context.Context, _ io.Writer) error {
+ return nil
+}
+
+func (c *launchdCheckup) ExtraFileName() string {
+ return ""
+}
+
+func (c *launchdCheckup) Status() Status {
+ return Informational
+}
+
+func (c *launchdCheckup) Summary() string {
+ return ""
+}
+
+func (c *launchdCheckup) Data() any {
+ return nil
+}
diff --git a/pkg/log/log.go b/pkg/log/log.go
index 1f03dcbc20..b728f8f5e1 100644
--- a/pkg/log/log.go
+++ b/pkg/log/log.go
@@ -2,19 +2,14 @@ package log
 
 import (
 "bytes"
- "context"
 "fmt"
 "os"
- "path/filepath"
 "regexp"
- "runtime"
 "strconv"
 "strings"
- "time"
 
 kitlog "github.com/go-kit/kit/log"
 "github.com/go-kit/kit/log/level"
- "github.com/kolide/launcher/pkg/allowedpaths"
 "github.com/shirou/gopsutil/v3/host"
 "github.com/shirou/gopsutil/v3/process"
 )
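Review bot: The new `launchdCheckup` stub in launchd_other.go carries no doc comment, so a reader of the shared checkup list cannot tell that an empty `Name()` is deliberate or how the runner treats it; the darwin file lost its `runtime.GOOS` guard in the same commit, so this stub is now the only place that encodes the non-darwin behavior. A type comment such as `// launchdCheckup is a no-op on non-darwin platforms; it exists so the checkup list compiles everywhere, and its empty Name presumably tells the runner to skip it — confirm against the caller.` would record that. `Status()` returning `Informational` for a checkup that never ran is fine only if the empty name really does exclude it from output; if it does not, the summary should state that the checkup does not apply on this platform rather than report an informational result.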
@@ -160,111 +155,6 @@ func (l *OsqueryLogAdapter) logInfoAboutUnrecognizedProcessLockingPidfile(p []by
 level.Debug(l.logger).Log(append(processInfo, "msg", "detected non-osqueryd process using pidfile")...)
 }
 
-// runAndLogPs runs ps filtering on the given PID, and logs the output.
-func (l *OsqueryLogAdapter) runAndLogPs(pidStr string) {
- if runtime.GOOS == "windows" {
- return
- }
-
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
- defer cancel()
-
- cmd, err := allowedpaths.Ps(ctx, "-p", pidStr, "-o", "user,pid,ppid,pgid,stat,time,command")
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error creating command to run ps on osqueryd pidfile",
- "err", err,
- )
- return
- }
- out, err := cmd.CombinedOutput()
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error running ps on non-osqueryd process using pidfile",
- "pid", pidStr,
- "err", err,
- )
- return
- }
-
- level.Debug(l.logger).Log(
- "msg", "ran ps on non-osqueryd process using pidfile",
- "pid", pidStr,
- "output", string(out),
- )
-}
-
-// runAndLogLsofByPID runs lsof filtering on the given PID, and logs the output.
-func (l *OsqueryLogAdapter) runAndLogLsofByPID(pidStr string) {
- if runtime.GOOS == "windows" {
- return
- }
-
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
- defer cancel()
-
- cmd, err := allowedpaths.Lsof(ctx, "-R", "-n", "-p", pidStr)
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error creating command to run lsof on osqueryd pidfile",
- "err", err,
- )
- return
- }
- out, err := cmd.CombinedOutput()
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error running lsof on non-osqueryd process using pidfile",
- "pid", pidStr,
- "err", err,
- )
- return
- }
-
- level.Debug(l.logger).Log(
- "msg", "ran lsof on non-osqueryd process using pidfile",
- "pid", pidStr,
- "output", string(out),
- )
-}
-
-// runAndLogLsofOnPidfile runs lsof filtering by the osquery pidfile, and logs
-// the output.
-func (l *OsqueryLogAdapter) runAndLogLsofOnPidfile() {
- if runtime.GOOS == "windows" {
- return
- }
-
- fullPidfile := filepath.Join(l.rootDirectory, "osquery.pid")
-
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
- defer cancel()
-
- cmd, err := allowedpaths.Lsof(ctx, "-R", "-n", fullPidfile)
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error creating command to run lsof on osqueryd pidfile",
- "err", err,
- )
- return
- }
- out, err := cmd.CombinedOutput()
- if err != nil {
- level.Debug(l.logger).Log(
- "msg", "error running lsof on osqueryd pidfile",
- "pidfile", fullPidfile,
- "err", err,
- )
- return
- }
-
- level.Debug(l.logger).Log(
- "msg", "ran lsof on osqueryd pidfile",
- "pidfile", fullPidfile,
- "output", string(out),
- )
-}
-
 // getStringStat is a small wrapper around gopsutil/process functions
 // to return the stat if available, or an error message if not, so
 // that either way the info will be captured in the log.
diff --git a/pkg/log/log_posix.go b/pkg/log/log_posix.go
new file mode 100644
index 0000000000..ef47867802
--- /dev/null
+++ b/pkg/log/log_posix.go
@@ -0,0 +1,106 @@
+//go:build !windows
+// +build !windows
+
+package log
+
+import (
+ "context"
+ "path/filepath"
+ "time"
+
+ "github.com/go-kit/kit/log/level"
+ "github.com/kolide/launcher/pkg/allowedpaths"
+)
+
+// runAndLogPs runs ps filtering on the given PID, and logs the output.
+func (l *OsqueryLogAdapter) runAndLogPs(pidStr string) {
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ cmd, err := allowedpaths.Ps(ctx, "-p", pidStr, "-o", "user,pid,ppid,pgid,stat,time,command")
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error creating command to run ps on osqueryd pidfile",
+ "err", err,
+ )
+ return
+ }
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error running ps on non-osqueryd process using pidfile",
+ "pid", pidStr,
+ "err", err,
+ )
+ return
+ }
+
+ level.Debug(l.logger).Log(
+ "msg", "ran ps on non-osqueryd process using pidfile",
+ "pid", pidStr,
+ "output", string(out),
+ )
+}
+
+// runAndLogLsofByPID runs lsof filtering on the given PID, and logs the output.
+func (l *OsqueryLogAdapter) runAndLogLsofByPID(pidStr string) {
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ cmd, err := allowedpaths.Lsof(ctx, "-R", "-n", "-p", pidStr)
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error creating command to run lsof on osqueryd pidfile",
+ "err", err,
+ )
+ return
+ }
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error running lsof on non-osqueryd process using pidfile",
+ "pid", pidStr,
+ "err", err,
+ )
+ return
+ }
+
+ level.Debug(l.logger).Log(
+ "msg", "ran lsof on non-osqueryd process using pidfile",
+ "pid", pidStr,
+ "output", string(out),
+ )
+}
+
+// runAndLogLsofOnPidfile runs lsof filtering by the osquery pidfile, and logs
+// the output.
+func (l *OsqueryLogAdapter) runAndLogLsofOnPidfile() {
+ fullPidfile := filepath.Join(l.rootDirectory, "osquery.pid")
+
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ cmd, err := allowedpaths.Lsof(ctx, "-R", "-n", fullPidfile)
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error creating command to run lsof on osqueryd pidfile",
+ "err", err,
+ )
+ return
+ }
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ level.Debug(l.logger).Log(
+ "msg", "error running lsof on osqueryd pidfile",
+ "pidfile", fullPidfile,
+ "err", err,
+ )
+ return
+ }
+
+ level.Debug(l.logger).Log(
+ "msg", "ran lsof on osqueryd pidfile",
+ "pidfile", fullPidfile,
+ "output", string(out),
+ )
+}
diff --git a/pkg/log/log_windows.go b/pkg/log/log_windows.go
new file mode 100644
index 0000000000..7d0dee2650
--- /dev/null
+++ b/pkg/log/log_windows.go
@@ -0,0 +1,16 @@
+//go:build windows
+// +build windows
+
+package log
+
+func (l *OsqueryLogAdapter) runAndLogPs(_ string) {
+ return
+}
+
+func (l *OsqueryLogAdapter) runAndLogLsofByPID(_ string) {
+ return
+}
+
+func (l *OsqueryLogAdapter) runAndLogLsofOnPidfile() {
+ return
+}
diff --git a/pkg/osquery/table/mdm.go b/pkg/osquery/table/mdm.go
index d117332991..a94f0881b3 100644
--- a/pkg/osquery/table/mdm.go
+++ b/pkg/osquery/table/mdm.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package table
 
 import (
diff --git a/pkg/osquery/tables/crowdstrike/falconctl/parser.go b/pkg/osquery/tables/crowdstrike/falconctl/parser.go
index b5313758dc..5b1bc115e0 100644
--- a/pkg/osquery/tables/crowdstrike/falconctl/parser.go
+++ b/pkg/osquery/tables/crowdstrike/falconctl/parser.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 package falconctl
 
 import (
diff --git a/pkg/osquery/tables/crowdstrike/falconctl/parser_test.go b/pkg/osquery/tables/crowdstrike/falconctl/parser_test.go
index 22df1f9153..1f17681753 100644
--- a/pkg/osquery/tables/crowdstrike/falconctl/parser_test.go
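Review bot: In `runAndLogLsofByPID` the message logged when the command cannot be built, `"msg", "error creating command to run lsof on osqueryd pidfile",`, describes the pidfile variant; this function runs lsof on a PID, and the other two messages in it say "non-osqueryd process using pidfile", so the same failure in the two lsof functions is indistinguishable in logs. `"msg", "error creating command to run lsof on non-osqueryd process using pidfile",` would match its siblings; the wording is carried over from the deleted code in log.go rather than introduced here. The three functions are otherwise identical apart from how the *exec.Cmd is built and which key identifies the target, so a helper that takes the constructed command plus the identifying key/value pairs and performs the CombinedOutput call and the three log statements would remove most of the duplication. Since `pidStr` becomes an argv element for ps and lsof, I would also confirm at the caller in log.go that it is the string form of a parsed integer rather than the raw pidfile bytes; that caller is outside this hunk.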
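Review bot: Each of the three Windows stubs in log_windows.go ends in a bare `return` that is redundant in a function with no results, and none has a doc comment, so a reader of the call sites in log.go has to locate this file to learn the calls are intentional no-ops. Dropping the `return` lines (staticcheck reports them as S1023) and adding a one-line comment per function, e.g. `// runAndLogPs is a no-op on Windows; the implementation for other platforms is in log_posix.go.`, would make the intent explicit at the definition.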
+++ b/pkg/osquery/tables/crowdstrike/falconctl/parser_test.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 package falconctl
 
 import (
diff --git a/pkg/osquery/tables/crowdstrike/falconctl/table.go b/pkg/osquery/tables/crowdstrike/falconctl/table.go
index 54a7a253fc..adab701a1a 100644
--- a/pkg/osquery/tables/crowdstrike/falconctl/table.go
+++ b/pkg/osquery/tables/crowdstrike/falconctl/table.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 package falconctl
 
 import (
diff --git a/pkg/osquery/tables/crowdstrike/falconctl/table_test.go b/pkg/osquery/tables/crowdstrike/falconctl/table_test.go
index 979c1f6241..ce5abcc604 100644
--- a/pkg/osquery/tables/crowdstrike/falconctl/table_test.go
+++ b/pkg/osquery/tables/crowdstrike/falconctl/table_test.go
@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 package falconctl
 
 import (
diff --git a/pkg/osquery/tables/firmwarepasswd/firmwarepasswd.go b/pkg/osquery/tables/firmwarepasswd/firmwarepasswd.go
index 53fcdca02f..10619c8c4d 100644
--- a/pkg/osquery/tables/firmwarepasswd/firmwarepasswd.go
+++ b/pkg/osquery/tables/firmwarepasswd/firmwarepasswd.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 // firmwarepasswd is a simple wrapper around the
 // `/usr/sbin/firmwarepasswd` tool. This should be considered beta at
 // best. It serves a bit as a pattern for future exec work.
diff --git a/pkg/osquery/tables/firmwarepasswd/firmwarepasswd_test.go b/pkg/osquery/tables/firmwarepasswd/firmwarepasswd_test.go
index 5f8311a6c4..fd6cdef280 100644
--- a/pkg/osquery/tables/firmwarepasswd/firmwarepasswd_test.go
+++ b/pkg/osquery/tables/firmwarepasswd/firmwarepasswd_test.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package firmwarepasswd
 
 import (
diff --git a/pkg/osquery/tables/firmwarepasswd/parser.go b/pkg/osquery/tables/firmwarepasswd/parser.go
index f3f46c64d4..34a5a85ac8 100644
--- a/pkg/osquery/tables/firmwarepasswd/parser.go
+++ b/pkg/osquery/tables/firmwarepasswd/parser.go
@@ -1,3 +1,6 @@
+//go:build darwin
+// +build darwin
+
 package firmwarepasswd
 
 import (
diff --git a/pkg/osquery/tables/mdmclient/mdmclient.go b/pkg/osquery/tables/mdmclient/mdmclient.go
index 1327d24f30..b230397382 100644
--- a/pkg/osquery/tables/mdmclient/mdmclient.go
+++ b/pkg/osquery/tables/mdmclient/mdmclient.go
@@ -1,7 +1,5 @@
-//go:build !windows
-// +build !windows
-
-// (skip building windows, since the newline replacement doesn't work there)
+//go:build darwin
+// +build darwin
 
 // Package mdmclient provides a table that parses the mdmclient
 // output. Empirically, this seems to be an almost gnustep
diff --git a/pkg/osquery/tables/mdmclient/mdmclient_test.go b/pkg/osquery/tables/mdmclient/mdmclient_test.go
index 0b89fd4555..65628451e8 100644
--- a/pkg/osquery/tables/mdmclient/mdmclient_test.go
+++ b/pkg/osquery/tables/mdmclient/mdmclient_test.go
@@ -1,7 +1,5 @@
-//go:build !windows
-// +build !windows
-
-// (skip building windows, since the newline replacement doesn't work there)
+//go:build darwin
+// +build darwin
 
 package mdmclient
 
diff --git a/pkg/osquery/tables/tablehelpers/exec_osquery_launchctl.go b/pkg/osquery/tables/tablehelpers/exec_osquery_launchctl.go
index 5971a90354..a9779c73f0 100644
--- a/pkg/osquery/tables/tablehelpers/exec_osquery_launchctl.go
+++ b/pkg/osquery/tables/tablehelpers/exec_osquery_launchctl.go
@@ -1,4 +1,5 @@
-// build +darwin
+//go:build darwin
+// +build darwin
 
 package tablehelpers