fleet/orbit/pkg/table/extension_linux.go

//go:build linux

package table

import (
	"context"

	"github.com/fleetdm/fleet/v4/orbit/pkg/table/containerd"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/crowdstrike/falcon_kernel_check"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/crowdstrike/falconctl"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/cryptsetup"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/cryptsetup_luks_salt"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/dataflattentable"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/dconf_read"
	"github.com/fleetdm/fleet/v4/orbit/pkg/table/fleetd_pacman_packages"
	"github.com/macadmins/osquery-extension/tables/crowdstrike_falcon"
	"github.com/osquery/osquery-go"
	"github.com/osquery/osquery-go/plugin/table"
	"github.com/rs/zerolog/log"
)

func PlatformTables(opts PluginOpts) ([]osquery.OsqueryPlugin, error) {
	return []osquery.OsqueryPlugin{
		cryptsetup.TablePlugin(log.Logger),            // table name is "cryptsetup_status"
		falconctl.NewFalconctlOptionTable(log.Logger), // table name is "falconctl_option"
		falcon_kernel_check.TablePlugin(log.Logger),   // table name is "falcon_kernel_check"
		dataflattentable.TablePluginExec(log.Logger, "nftables", dataflattentable.JsonType, []string{"nft", "-jat", "list", "ruleset"}, dataflattentable.WithBinDirs("/usr/bin", "/usr/sbin")), // -j (json) -a (show object handles) -t (terse, omit set contents)
		table.NewPlugin("dconf_read", dconf_read.Columns(), dconf_read.Generate),
		table.NewPlugin("containerd_containers", containerd.ContainersColumns(), containerd.GenerateContainers),
		table.NewPlugin("containerd_mounts", containerd.MountsColumns(), containerd.GenerateMounts),
		table.NewPlugin(fleetd_pacman_packages.TableName, fleetd_pacman_packages.Columns(), fleetd_pacman_packages.Generate),
		table.NewPlugin("crowdstrike_falcon", crowdstrike_falcon.CrowdstrikeFalconColumns(),
			func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
				return crowdstrike_falcon.CrowdstrikeFalconGenerate(ctx, queryContext, opts.Socket)
			},
		),

		dataflattentable.TablePluginExec(
			log.Logger,
			"lsblk",
			dataflattentable.JsonType,
			[]string{"lsblk", "-n", "-O", "--json"}, // -n (no header) -O (all vars) --json (output in json)
			dataflattentable.WithBinDirs("/usr/bin", "/usr/sbin"),
		),

		table.NewPlugin(
			cryptsetup_luks_salt.TblName,
			cryptsetup_luks_salt.Columns(),
			cryptsetup_luks_salt.Generate,
		),
	}, nil
}
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`//go:build linux`

			`package table`

			`import (`
Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553) Fixes #33967, #33193, #35149. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [ ] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux (skipped WIndows due to runtime.GOOS gating) - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) 2025-11-04 19:53:10 +00:00			`"context"`

Add `containerd_mounts` table for fleetd (#39276) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38393 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows (Linux only) --------- Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> 2026-02-10 16:57:13 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/containerd"`
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/crowdstrike/falcon_kernel_check"`
			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/crowdstrike/falconctl"`
			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/cryptsetup"`
Re-verify Linux disk encryption #26693 (#29034) Fixes #26693 Added functionality to verify that the escrowed LUKS disk encryption key is valid. To achieve this, two new fleetd tables were added: lsblk and cryptsetup_luks_salt/table to compare the stored encryption key with the ones present on the host. 2025-05-22 20:15:26 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/cryptsetup_luks_salt"`
Add nftables table (#23941) Following the discussion in #15651, this adds the `nftables` table by parsing the binary output. --------- Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2024-12-04 17:10:09 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/dataflattentable"`
Added `dconf_read` table and documentation to enable fleet desktop on Fedora and Debian (#27684) For #20675 and #25977. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2025-04-01 21:54:22 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/dconf_read"`
Add `fleetd_pacman_packages` table for arch linux (#33139) #32860 2025-09-19 14:26:23 +00:00			`"github.com/fleetdm/fleet/v4/orbit/pkg/table/fleetd_pacman_packages"`
Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553) Fixes #33967, #33193, #35149. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [ ] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux (skipped WIndows due to runtime.GOOS gating) - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) 2025-11-04 19:53:10 +00:00			`"github.com/macadmins/osquery-extension/tables/crowdstrike_falcon"`
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`"github.com/osquery/osquery-go"`
Added `dconf_read` table and documentation to enable fleet desktop on Fedora and Debian (#27684) For #20675 and #25977. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2025-04-01 21:54:22 +00:00			`"github.com/osquery/osquery-go/plugin/table"`
			`"github.com/rs/zerolog/log"`
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`)`

Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553) Fixes #33967, #33193, #35149. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [ ] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux (skipped WIndows due to runtime.GOOS gating) - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) 2025-11-04 19:53:10 +00:00			`func PlatformTables(opts PluginOpts) ([]osquery.OsqueryPlugin, error) {`
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`return []osquery.OsqueryPlugin{`
fix: use zerolog for orbit osquery table logging (#20028) > Related issue: #19886 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2024-06-27 17:26:20 +00:00			`cryptsetup.TablePlugin(log.Logger), // table name is "cryptsetup_status"`
			`falconctl.NewFalconctlOptionTable(log.Logger), // table name is "falconctl_option"`
			`falcon_kernel_check.TablePlugin(log.Logger), // table name is "falcon_kernel_check"`
Add nftables table (#23941) Following the discussion in #15651, this adds the `nftables` table by parsing the binary output. --------- Co-authored-by: Zach Wasserman <zach@fleetdm.com> 2024-12-04 17:10:09 +00:00			`dataflattentable.TablePluginExec(log.Logger, "nftables", dataflattentable.JsonType, []string{"nft", "-jat", "list", "ruleset"}, dataflattentable.WithBinDirs("/usr/bin", "/usr/sbin")), // -j (json) -a (show object handles) -t (terse, omit set contents)`
Added `dconf_read` table and documentation to enable fleet desktop on Fedora and Debian (#27684) For #20675 and #25977. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2025-04-01 21:54:22 +00:00			`table.NewPlugin("dconf_read", dconf_read.Columns(), dconf_read.Generate),`
Add `containerd_mounts` table for fleetd (#39276) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #38393 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux and Windows (Linux only) --------- Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> 2026-02-10 16:57:13 +00:00			`table.NewPlugin("containerd_containers", containerd.ContainersColumns(), containerd.GenerateContainers),`
			`table.NewPlugin("containerd_mounts", containerd.MountsColumns(), containerd.GenerateMounts),`
Add `fleetd_pacman_packages` table for arch linux (#33139) #32860 2025-09-19 14:26:23 +00:00			`table.NewPlugin(fleetd_pacman_packages.TableName, fleetd_pacman_packages.Columns(), fleetd_pacman_packages.Generate),`
Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553) Fixes #33967, #33193, #35149. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [ ] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [x] Verified that fleetd runs on macOS, Linux (skipped WIndows due to runtime.GOOS gating) - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) 2025-11-04 19:53:10 +00:00			`table.NewPlugin("crowdstrike_falcon", crowdstrike_falcon.CrowdstrikeFalconColumns(),`
			`func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {`
			`return crowdstrike_falcon.CrowdstrikeFalconGenerate(ctx, queryContext, opts.Socket)`
			`},`
			`),`
Re-verify Linux disk encryption #26693 (#29034) Fixes #26693 Added functionality to verify that the escrowed LUKS disk encryption key is valid. To achieve this, two new fleetd tables were added: lsblk and cryptsetup_luks_salt/table to compare the stored encryption key with the ones present on the host. 2025-05-22 20:15:26 +00:00
			`dataflattentable.TablePluginExec(`
			`log.Logger,`
			`"lsblk",`
			`dataflattentable.JsonType,`
			`[]string{"lsblk", "-n", "-O", "--json"}, // -n (no header) -O (all vars) --json (output in json)`
			`dataflattentable.WithBinDirs("/usr/bin", "/usr/sbin"),`
			`),`

			`table.NewPlugin(`
			`cryptsetup_luks_salt.TblName,`
			`cryptsetup_luks_salt.Columns(),`
			`cryptsetup_luks_salt.Generate,`
			`),`
Disable `mdm_bridge` table on Windows Server (#19709) #19239 2024-06-14 20:56:58 +00:00			`}, nil`
Add Kolide osquery tables 2023-11-02 02:11:35 +00:00			`}`