Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143
fleet/orbit/pkg/table/extension_darwin.go

110 lines
5.9 KiB
Go
Raw Normal View History

Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
//go:build darwin
package table
import (
Updated macadmins and added new tables. (#18819) #18808 Added the new `sofa_security_release_info` and `sofa_unpatched_cves` tables from `macadmins/osquery-extension` 1.0.1 These tables do not have detailed documentation in macadmins repo, so not adding documentation at this point. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-05-08 13:57:16 +00:00
"context"
Add fleetd SOFA user agent (#19359)
2024-06-06 18:24:43 +00:00
Add `app_sso_platform` table to orbit and use table in Entra ID query ingestion (#30140) #28621 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Added/updated automated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2025-06-20 20:01:38 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/app_sso_platform"
Add CIS check for 5.7 (#9748) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-08 15:30:55 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/authdb"
Add `team_identifier` to macOS software (#23766) Changes to add `team_identifier` signing information to macOS applications on the `/api/latest/fleet/hosts/:id/software` API endpoint. Docs: https://github.com/fleetdm/fleet/pull/23743 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [X] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ X Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Tim Lee <timlee@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-15 17:17:04 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/codesign"
CIS 5.1.3+5.1.4 (#9642)
2023-02-07 18:26:05 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/csrutil_info"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/dataflattentable"
Add macOS CIS 5.3.1 (#10397) This adds a new check about whether all APFS volumes are encrypted. I needed to add a new table, and I took that opportunity to add another so that osquery has all information from `diskutil apfs list -plist`. Note that it is somewhat unclear whether to use the `encryption` or `filevault` field in the query. FileVault is about whether the volume is encrypted with a password and Encryption is about whether it is encrypted at all, since all modern macs have hardware-backed disk encryption.
2023-03-10 17:29:14 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/diskutil/apfs"
Add macOS CIS 5.3.2 (#10726) Add 2 new tables: corestorage_logical_volumes and corestorage_logical_volume_families. Add a query that uses these tables
2023-03-28 15:57:38 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/diskutil/corestorage"
Add check for CIS 5.6 (#9756) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-09 17:27:40 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/dscl"
Create new Fleet osquery extension table to read escrowed FileVault key (#12198)
2023-06-15 15:23:59 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/filevault_prk"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/filevault_status"
macOS CIS: Use `find` command (exposed as fleetd table) instead of relying on the osquery core `file` table (#12560) #10292, #12554 When scanning tens of thousands of files for permissions, using the `find` command exposed as a fleetd table is more performant than trying to use the `file` table. This change caused the watchdog to *stop* killing osquery because of exceeding memory or CPU limit. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-29 19:22:41 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/find_cmd"
Add check for CIS 5.6 (#9756) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-09 17:27:40 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/firmware_eficheck_integrity_check"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/firmwarepasswd"
"github.com/fleetdm/fleet/v4/orbit/pkg/table/ioreg"
DCLK: add mechanism to verify user-scoped profiles (#30110)
2025-06-25 13:51:43 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/macos_user_profiles"
CIS 5.1.3+5.1.4 (#9642)
2023-02-07 18:26:05 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/nvram_info"
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2023-02-08 16:08:17 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/pmset"
Add `icloud_private_relay` table (#8655)
2022-11-21 18:56:15 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/privaterelay"
Cis 5.2.x (#9489)
2023-01-25 20:53:24 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/pwd_policy"
CIS MAC 1.1 fix (#10619)
2023-03-29 13:24:33 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/software_update"
Add CIS checks for 5.4 and 5.5 (#9747) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-09 15:35:43 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/sudo_info"
Add macOS `tcc_access` table to `fleetd` (#19355) ## Addresses #18222 Table results: <img width="2991" alt="Screenshot 2024-05-29 at 6 15 21 PM" src="https://github.com/fleetdm/fleet/assets/61553566/eb87e744-658a-4937-92a4-30b6038a4625"> Optimized querying of host `TCC.db`s as constrained by query `WHERE` clauses on `uid`: <img width="1419" alt="Screenshot 2024-06-03 at 6 20 50 PM" src="https://github.com/fleetdm/fleet/assets/61553566/62475537-61c5-4d75-8b8e-10fe7d21462d"> <img width="1419" alt="Screenshot 2024-06-03 at 6 19 31 PM" src="https://github.com/fleetdm/fleet/assets/61553566/9901095f-5a61-4671-b45e-5935837f2f0c"> <img width="1419" alt="Screenshot 2024-06-03 at 6 15 01 PM" src="https://github.com/fleetdm/fleet/assets/61553566/6c6891cc-6baf-4b00-b446-a967d80cacfd"> <img width="1419" alt="Screenshot 2024-06-03 at 6 17 54 PM" src="https://github.com/fleetdm/fleet/assets/61553566/cadbb76d-abab-405f-8b65-683885e9e164"> - [x] Changes file added for user-visible changes in `orbit/changes/`. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality on macOS (only supported OS) --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2024-06-06 20:52:06 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/tcc_access"
CIS 2.11.1 Add Table for 2.11.1 (Ensure Users' Accounts Do Not Have a Password Hint) (#9439) fleetdm/fleet#9255
2023-01-23 20:23:59 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/table/user_login_settings"
fix: use zerolog for orbit osquery table logging (#20028) > Related issue: #19886 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-06-27 17:26:20 +00:00
"github.com/rs/zerolog/log"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
Add additional tables and Windows support in Orbit extension (#2947) More tables from https://github.com/macadmins/osquery-extension
2021-11-18 00:34:31 +00:00
"github.com/macadmins/osquery-extension/tables/filevaultusers"
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
"github.com/macadmins/osquery-extension/tables/macos_profiles"
Add macos_rsr table from macadmins extension (#11537) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2023-05-05 14:02:28 +00:00
"github.com/macadmins/osquery-extension/tables/macosrsr"
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
"github.com/macadmins/osquery-extension/tables/mdm"
"github.com/macadmins/osquery-extension/tables/munki"
Updated macadmins and added new tables. (#18819) #18808 Added the new `sofa_security_release_info` and `sofa_unpatched_cves` tables from `macadmins/osquery-extension` 1.0.1 These tables do not have detailed documentation in macadmins repo, so not adding documentation at this point. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-05-08 13:57:16 +00:00
"github.com/macadmins/osquery-extension/tables/sofa"
Add additional tables and Windows support in Orbit extension (#2947) More tables from https://github.com/macadmins/osquery-extension
2021-11-18 00:34:31 +00:00
"github.com/macadmins/osquery-extension/tables/unifiedlog"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
Add CIS check for 5.7 (#9748) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-08 15:30:55 +00:00
"github.com/osquery/osquery-go"
"github.com/osquery/osquery-go/plugin/table"
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
)
Disable `mdm_bridge` table on Windows Server (#19709) #19239
2024-06-14 20:56:58 +00:00
func PlatformTables(opts PluginOpts) ([]osquery.OsqueryPlugin, error) {
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
plugins := []osquery.OsqueryPlugin{
Add `icloud_private_relay` table (#8655)
2022-11-21 18:56:15 +00:00
// Fleet tables
table.NewPlugin("icloud_private_relay", privaterelay.Columns(), privaterelay.Generate),
CIS 2.11.1 Add Table for 2.11.1 (Ensure Users' Accounts Do Not Have a Password Hint) (#9439) fleetdm/fleet#9255
2023-01-23 20:23:59 +00:00
table.NewPlugin("user_login_settings", user_login_settings.Columns(), user_login_settings.Generate),
Cis 5.2.x (#9489)
2023-01-25 20:53:24 +00:00
table.NewPlugin("pwd_policy", pwd_policy.Columns(), pwd_policy.Generate),
CIS 5.1.3+5.1.4 (#9642)
2023-02-07 18:26:05 +00:00
table.NewPlugin("csrutil_info", csrutil_info.Columns(), csrutil_info.Generate),
table.NewPlugin("nvram_info", nvram_info.Columns(), nvram_info.Generate),
Add macOS `tcc_access` table to `fleetd` (#19355) ## Addresses #18222 Table results: <img width="2991" alt="Screenshot 2024-05-29 at 6 15 21 PM" src="https://github.com/fleetdm/fleet/assets/61553566/eb87e744-658a-4937-92a4-30b6038a4625"> Optimized querying of host `TCC.db`s as constrained by query `WHERE` clauses on `uid`: <img width="1419" alt="Screenshot 2024-06-03 at 6 20 50 PM" src="https://github.com/fleetdm/fleet/assets/61553566/62475537-61c5-4d75-8b8e-10fe7d21462d"> <img width="1419" alt="Screenshot 2024-06-03 at 6 19 31 PM" src="https://github.com/fleetdm/fleet/assets/61553566/9901095f-5a61-4671-b45e-5935837f2f0c"> <img width="1419" alt="Screenshot 2024-06-03 at 6 15 01 PM" src="https://github.com/fleetdm/fleet/assets/61553566/6c6891cc-6baf-4b00-b446-a967d80cacfd"> <img width="1419" alt="Screenshot 2024-06-03 at 6 17 54 PM" src="https://github.com/fleetdm/fleet/assets/61553566/cadbb76d-abab-405f-8b65-683885e9e164"> - [x] Changes file added for user-visible changes in `orbit/changes/`. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality on macOS (only supported OS) --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2024-06-06 20:52:06 +00:00
table.NewPlugin("tcc_access", tcc_access.Columns(), tcc_access.Generate),
Add CIS check for 5.7 (#9748) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-08 15:30:55 +00:00
table.NewPlugin("authdb", authdb.Columns(), authdb.Generate),
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2023-02-08 16:08:17 +00:00
table.NewPlugin("pmset", pmset.Columns(), pmset.Generate),
Add CIS checks for 5.4 and 5.5 (#9747) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-09 15:35:43 +00:00
table.NewPlugin("sudo_info", sudo_info.Columns(), sudo_info.Generate),
CIS MAC 1.1 fix (#10619)
2023-03-29 13:24:33 +00:00
table.NewPlugin("software_update", software_update.Columns(), software_update.Generate),
Add check for CIS 5.6 (#9756) #9260 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-02-09 17:27:40 +00:00
table.NewPlugin("firmware_eficheck_integrity_check", firmware_eficheck_integrity_check.Columns(), firmware_eficheck_integrity_check.Generate),
table.NewPlugin("dscl", dscl.Columns(), dscl.Generate),
Add macOS CIS 5.3.1 (#10397) This adds a new check about whether all APFS volumes are encrypted. I needed to add a new table, and I took that opportunity to add another so that osquery has all information from `diskutil apfs list -plist`. Note that it is somewhat unclear whether to use the `encryption` or `filevault` field in the query. FileVault is about whether the volume is encrypted with a password and Encryption is about whether it is encrypted at all, since all modern macs have hardware-backed disk encryption.
2023-03-10 17:29:14 +00:00
table.NewPlugin("apfs_volumes", apfs.VolumesColumns(), apfs.VolumesGenerate),
table.NewPlugin("apfs_physical_stores", apfs.PhysicalStoresColumns(), apfs.PhysicalStoresGenerate),
Add macOS CIS 5.3.2 (#10726) Add 2 new tables: corestorage_logical_volumes and corestorage_logical_volume_families. Add a query that uses these tables
2023-03-28 15:57:38 +00:00
table.NewPlugin("corestorage_logical_volumes", corestorage.LogicalVolumesColumns(), corestorage.LogicalVolumesGenerate),
table.NewPlugin("corestorage_logical_volume_families", corestorage.LogicalVolumeFamiliesColumns(), corestorage.LogicalVolumeFamiliesGenerate),
Create new Fleet osquery extension table to read escrowed FileVault key (#12198)
2023-06-15 15:23:59 +00:00
table.NewPlugin("filevault_prk", filevault_prk.Columns(), filevault_prk.Generate),
macOS CIS: Use `find` command (exposed as fleetd table) instead of relying on the osquery core `file` table (#12560) #10292, #12554 When scanning tens of thousands of files for permissions, using the `find` command exposed as a fleetd table is more performant than trying to use the `file` table. This change caused the watchdog to *stop* killing osquery because of exceeding memory or CPU limit. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-29 19:22:41 +00:00
table.NewPlugin("find_cmd", find_cmd.Columns(), find_cmd.Generate),
DCLK: add mechanism to verify user-scoped profiles (#30110)
2025-06-25 13:51:43 +00:00
table.NewPlugin("macos_user_profiles", macos_user_profiles.Columns(), macos_user_profiles.Generate),
Add `icloud_private_relay` table (#8655)
2022-11-21 18:56:15 +00:00
// Macadmins extension tables
Add additional tables and Windows support in Orbit extension (#2947) More tables from https://github.com/macadmins/osquery-extension
2021-11-18 00:34:31 +00:00
table.NewPlugin("filevault_users", filevaultusers.FileVaultUsersColumns(), filevaultusers.FileVaultUsersGenerate),
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
table.NewPlugin("macos_profiles", macos_profiles.MacOSProfilesColumns(), macos_profiles.MacOSProfilesGenerate),
Add additional tables and Windows support in Orbit extension (#2947) More tables from https://github.com/macadmins/osquery-extension
2021-11-18 00:34:31 +00:00
table.NewPlugin("mdm", mdm.MDMInfoColumns(), mdm.MDMInfoGenerate),
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
table.NewPlugin("munki_info", munki.MunkiInfoColumns(), munki.MunkiInfoGenerate),
table.NewPlugin("munki_installs", munki.MunkiInstallsColumns(), munki.MunkiInstallsGenerate),
Add macos_rsr table from macadmins extension (#11537) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2023-05-05 14:02:28 +00:00
table.NewPlugin("macos_rsr", macosrsr.MacOSRsrColumns(), macosrsr.MacOSRsrGenerate),
orbit: rename `unified_log` table from extension to `macadmins_unified_log` (#7295)
2022-08-19 01:59:14 +00:00
// osquery version 5.5.0 and up ships a unified_log table in core
// we are renaming the one from the macadmins extension to avoid collision
table.NewPlugin("macadmins_unified_log", unifiedlog.UnifiedLogColumns(), unifiedlog.UnifiedLogGenerate),
Updated macadmins and added new tables. (#18819) #18808 Added the new `sofa_security_release_info` and `sofa_unpatched_cves` tables from `macadmins/osquery-extension` 1.0.1 These tables do not have detailed documentation in macadmins repo, so not adding documentation at this point. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-05-08 13:57:16 +00:00
table.NewPlugin(
"sofa_security_release_info", sofa.SofaSecurityReleaseInfoColumns(),
func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
Add fleetd SOFA user agent (#19359)
2024-06-06 18:24:43 +00:00
return sofa.SofaSecurityReleaseInfoGenerate(ctx, queryContext, opts.Socket, sofa.WithUserAgent("fleetd"))
Updated macadmins and added new tables. (#18819) #18808 Added the new `sofa_security_release_info` and `sofa_unpatched_cves` tables from `macadmins/osquery-extension` 1.0.1 These tables do not have detailed documentation in macadmins repo, so not adding documentation at this point. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-05-08 13:57:16 +00:00
},
),
table.NewPlugin(
"sofa_unpatched_cves", sofa.SofaUnpatchedCVEsColumns(),
func(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
Add fleetd SOFA user agent (#19359)
2024-06-06 18:24:43 +00:00
return sofa.SofaUnpatchedCVEsGenerate(ctx, queryContext, opts.Socket, sofa.WithUserAgent("fleetd"))
Updated macadmins and added new tables. (#18819) #18808 Added the new `sofa_security_release_info` and `sofa_unpatched_cves` tables from `macadmins/osquery-extension` 1.0.1 These tables do not have detailed documentation in macadmins repo, so not adding documentation at this point. # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-05-08 13:57:16 +00:00
},
),
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
fix: use zerolog for orbit osquery table logging (#20028) > Related issue: #19886 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-06-27 17:26:20 +00:00
filevault_status.TablePlugin(log.Logger), // table name is "filevault_status"
ioreg.TablePlugin(log.Logger), // table name is "ioreg"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
// firmwarepasswd table. Only returns valid data on a Mac with an Intel processor. Background: https://support.apple.com/en-us/HT204455
fix: use zerolog for orbit osquery table logging (#20028) > Related issue: #19886 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-06-27 17:26:20 +00:00
firmwarepasswd.TablePlugin(log.Logger), // table name is "firmwarepasswd"
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
// Table for parsing Apple Property List files, which are typically stored in ~/Library/Preferences/
fix: use zerolog for orbit osquery table logging (#20028) > Related issue: #19886 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-06-27 17:26:20 +00:00
dataflattentable.TablePlugin(log.Logger, dataflattentable.PlistType), // table name is "parse_plist"
Add `team_identifier` to macOS software (#23766) Changes to add `team_identifier` signing information to macOS applications on the `/api/latest/fleet/hosts/:id/software` API endpoint. Docs: https://github.com/fleetdm/fleet/pull/23743 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [X] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ X Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Tim Lee <timlee@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-15 17:17:04 +00:00
table.NewPlugin("codesign", codesign.Columns(), codesign.Generate),
Add `app_sso_platform` table to orbit and use table in Entra ID query ingestion (#30140) #28621 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Added/updated automated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2025-06-20 20:01:38 +00:00
table.NewPlugin("app_sso_platform", app_sso_platform.Columns(), app_sso_platform.Generate),
Add additional tables and Windows support in Orbit extension (#2947) More tables from https://github.com/macadmins/osquery-extension
2021-11-18 00:34:31 +00:00
}
Add Kolide osquery tables
2023-11-02 02:11:35 +00:00
// append platform specific tables
plugins = appendTables(plugins)
Disable `mdm_bridge` table on Windows Server (#19709) #19239
2024-06-14 20:56:58 +00:00
return plugins, nil
Add MacAdmins tables in Orbit extension (#2140) Uses the extension tables from https://github.com/macadmins/osquery-extension. Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-11-16 02:40:53 +00:00
}
Reference in a new issue Copy permalink