Fix platform detection for CentOS6 (#1415)

On CentOS6 there is a bug in which osquery incorrectly reports an empty string for platform. This PR fixes our detection of centos in this case. Fixes #1339
2026-04-21 13:37:30 +00:00 · 2017-03-15 15:40:18 -07:00 · 2017-03-15 15:40:18 -07:00 · da096d7b50
commit da096d7b50
parent 715d908613
4 changed files with 60 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,7 @@
+* Add a workaround for CentOS6 detection.
+
+  osquery 2.3.2 incorrectly reports an empty value for `platform` on CentOS6 hosts. We added a workaround to properly detect platform in Kolide, and also [submitted a fix](https://github.com/facebook/osquery/pull/3071) to upstream osquery.
+
 ## Kolide 1.0.2 (March 14, 2017)

 * Fix an issue adding additional targets when querying a host
--- a/server/datastore/mysql/migrations/data/20170314151620_FixCentosLabel.go
+++ b/server/datastore/mysql/migrations/data/20170314151620_FixCentosLabel.go
@ -0,0 +1,33 @@
+package data
+
+import (
+	"database/sql"
+
+	"github.com/kolide/kolide/server/kolide"
+)
+
+func init() {
+	MigrationClient.AddMigration(Up_20170314151620, Down_20170314151620)
+}
+
+func Up_20170314151620(tx *sql.Tx) error {
+	// Fix for osquery not correctly reporting platform for CentOS6
+	label_query := `select 1 from os_version where platform = 'centos' or name like '%centos%'`
+	sql := `
+                UPDATE labels
+                SET query = ?, platform = ''
+                WHERE name = 'CentOS Linux' AND label_type = ?
+`
+
+	_, err := tx.Exec(sql, label_query, kolide.LabelTypeBuiltIn)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func Down_20170314151620(tx *sql.Tx) error {
+	// Not reversible
+	return nil
+}
--- a/server/service/service_osquery.go
+++ b/server/service/service_osquery.go
@ -266,6 +266,14 @@ var detailQueries = map[string]struct {
 			host.Platform = rows[0]["platform"]
 			host.PlatformLike = rows[0]["platform_like"]
 			host.CodeName = rows[0]["code_name"]
+
+			// On centos6 there is an osquery bug that leaves
+			// platform empty. Here we workaround.
+			if host.Platform == "" &&
+				strings.Contains(strings.ToLower(rows[0]["name"]), "centos") {
+				host.Platform = "centos"
+			}
+
 			return nil
 		},
 	},
--- a/tools/osquery/docker-compose.yml
+++ b/tools/osquery/docker-compose.yml
@ -46,3 +46,18 @@ services:
      core:
        hard:  1000000000
        soft:  1000000000
+
+  centos6-osquery:
+    image: "kolide/centos6-osquery:${KOLIDE_OSQUERY_VERSION}"
+    volumes:
+      - ./kolide.crt:/etc/osquery/kolide.crt
+      - ./example_osquery.flags:/etc/osquery/osquery.flags
+    extra_hosts:
+      - "dockerhost:${LOCALHOST}"
+    environment:
+      ENROLL_SECRET: "${ENROLL_SECRET}"
+    command: osqueryd --flagfile=/etc/osquery/osquery.flags
+    ulimits:
+      core:
+        hard:  1000000000
+        soft:  1000000000