Add `kolide_brew_upgradeable` table #1634

Micah-Kolide · 2024-03-01T19:52:47Z

Add a Kolide table on both Linux and macOS for homebrew outdated packages. My initial concerns of being unable to run as sudo were correct as homebrew panics if an attempt is made to run it as sudo. This is by design in homebrew.

$ sudo brew --help
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.

osquery> SELECT * FROM kolide_brew_upgradeable WHERE uid = 501;
+---------------------------------+-------------------------------+-----------------+------------+-------+-----+
| fullkey                         | parent                        | key             | value      | query | uid |
+---------------------------------+-------------------------------+-----------------+------------+-------+-----+
| formulae/0/name                 | formulae/0                    | name            | cfitsio    | *     | 501 |
| formulae/0/installed_versions/0 | formulae/0/installed_versions | 0               | 4.3.1      | *     | 501 |
| formulae/0/current_version      | formulae/0                    | current_version | 4.4.0      | *     | 501 |
| formulae/0/pinned               | formulae/0                    | pinned          | false      | *     | 501 |
| formulae/1/name                 | formulae/1                    | name            | libnghttp2 | *     | 501 |
| formulae/1/installed_versions/0 | formulae/1/installed_versions | 0               | 1.59.0     | *     | 501 |
| formulae/1/current_version      | formulae/1                    | current_version | 1.60.0     | *     | 501 |
| formulae/1/pinned               | formulae/1                    | pinned          | false      | *     | 501 |
| formulae/2/name                 | formulae/2                    | name            | libpng     | *     | 501 |
| formulae/2/installed_versions/0 | formulae/2/installed_versions | 0               | 1.6.42     | *     | 501 |
| formulae/2/current_version      | formulae/2                    | current_version | 1.6.43     | *     | 501 |
| formulae/2/pinned               | formulae/2                    | pinned          | false      | *     | 501 |
| formulae/3/name                 | formulae/3                    | name            | openjpeg   | *     | 501 |
| formulae/3/installed_versions/0 | formulae/3/installed_versions | 0               | 2.5.0_1    | *     | 501 |
| formulae/3/current_version      | formulae/3                    | current_version | 2.5.1      | *     | 501 |
| formulae/3/pinned               | formulae/3                    | pinned          | false      | *     | 501 |
| formulae/4/name                 | formulae/4                    | name            | orc        | *     | 501 |
| formulae/4/installed_versions/0 | formulae/4/installed_versions | 0               | 0.4.37     | *     | 501 |
| formulae/4/current_version      | formulae/4                    | current_version | 0.4.38     | *     | 501 |
| formulae/4/pinned               | formulae/4                    | pinned          | false      | *     | 501 |
| formulae/5/name                 | formulae/5                    | name            | xz         | *     | 501 |
| formulae/5/installed_versions/0 | formulae/5/installed_versions | 0               | 5.4.5      | *     | 501 |
| formulae/5/current_version      | formulae/5                    | current_version | 5.6.0      | *     | 501 |
| formulae/5/pinned               | formulae/5                    | pinned          | false      | *     | 501 |
+---------------------------------+-------------------------------+-----------------+------------+-------+-----+

RebeccaMahany · 2024-03-01T20:44:50Z

ee/tables/homebrew/upgradeable.go

+	return data, nil
+}
+
+func runAsUser(ctx context.Context, uid string, cmd *exec.Cmd) error {


We use this in enough places now that we should probably just make this available/reusable somewhere. I don't think it's necessary to address in this PR, but wanted to flag in case you (or James/Zack/seph) have a good suggestion for where we should move this in the future.

Agreed. I feel fried this week, so I too didn't want to address it in this PR, but I might take a look at that next week if I can.

Agree it feels like we should put it into a helper. We have some exec helpers. Which reminds me, this isn't using them. So whether we expand the exec helper, or make another 🤷

RebeccaMahany

LGTM!

directionless · 2024-03-01T21:53:34Z

ee/allowedcmd/cmd_darwin.go

@@ -20,6 +20,10 @@ func Bputil(ctx context.Context, arg ...string) (*exec.Cmd, error) {
 	return validatedCommand(ctx, "/usr/bin/bputil", arg...)
 }

+func Brew(ctx context.Context, arg ...string) (*exec.Cmd, error) {
+	return validatedCommand(ctx, "/opt/homebrew/bin/brew", arg...)


This is only correct for m1 machines, not for the intel x86 ones

directionless · 2024-03-01T21:55:37Z

ee/tables/homebrew/upgradeable.go

+
+type Table struct {
+	slogger *slog.Logger
+	execCC  allowedcmd.AllowedCommand


You don't need the execCC thing. It should only get used when we want to override commands in the test suite. Otherwise, just skip it

directionless · 2024-03-01T21:57:45Z

ee/tables/homebrew/upgradeable.go

+	return data, nil
+}
+
+func runAsUser(ctx context.Context, uid string, cmd *exec.Cmd) error {


Agree it feels like we should put it into a helper. We have some exec helpers. Which reminds me, this isn't using them. So whether we expand the exec helper, or make another 🤷

Micah-Kolide added 2 commits March 1, 2024 12:05

Add homebrew upgradeable kolide table

7908bfb

Format code

9cf35d9

Micah-Kolide force-pushed the micah/add_homebrew_upgradeable_table branch from b10e044 to 9cf35d9 Compare March 1, 2024 20:07

Micah-Kolide changed the title ~~Add homebrew upgradeable kolide table~~ Addkolide_brew_upgradeable table Mar 1, 2024

Micah-Kolide changed the title ~~Addkolide_brew_upgradeable table~~ Add kolide_brew_upgradeable table Mar 1, 2024

Micah-Kolide marked this pull request as ready for review March 1, 2024 20:26

RebeccaMahany reviewed Mar 1, 2024

View reviewed changes

RebeccaMahany approved these changes Mar 1, 2024

View reviewed changes

Micah-Kolide added this pull request to the merge queue Mar 1, 2024

Merged via the queue into main with commit 136c75a Mar 1, 2024
29 checks passed

Micah-Kolide deleted the micah/add_homebrew_upgradeable_table branch March 1, 2024 21:44

directionless reviewed Mar 1, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add `kolide_brew_upgradeable` table #1634

Add `kolide_brew_upgradeable` table #1634

Micah-Kolide commented Mar 1, 2024 •

edited

Loading

RebeccaMahany Mar 1, 2024

Micah-Kolide Mar 1, 2024

directionless Mar 1, 2024

RebeccaMahany left a comment

directionless Mar 1, 2024

directionless Mar 1, 2024

directionless Mar 1, 2024

Add kolide_brew_upgradeable table #1634

Add kolide_brew_upgradeable table #1634

Conversation

Micah-Kolide commented Mar 1, 2024 • edited Loading

RebeccaMahany Mar 1, 2024

Choose a reason for hiding this comment

Micah-Kolide Mar 1, 2024

Choose a reason for hiding this comment

directionless Mar 1, 2024

Choose a reason for hiding this comment

RebeccaMahany left a comment

Choose a reason for hiding this comment

directionless Mar 1, 2024

Choose a reason for hiding this comment

directionless Mar 1, 2024

Choose a reason for hiding this comment

directionless Mar 1, 2024

Choose a reason for hiding this comment

Add `kolide_brew_upgradeable` table #1634

Add `kolide_brew_upgradeable` table #1634

Micah-Kolide commented Mar 1, 2024 •

edited

Loading