diff --git a/changes/bug-direct-ingest-os-windows b/changes/bug-direct-ingest-os-windows
new file mode 100644
index 000000000..4bf4497a6
--- /dev/null
+++ b/changes/bug-direct-ingest-os-windows
@@ -0,0 +1,2 @@
+- Fixed bug introduced in 4.21.0 where Windows-specific query was being sent to non-Windows hosts
+ causing an error in query ingestion for `directIngestOSWindows`.
diff --git a/server/service/osquery_test.go b/server/service/osquery_test.go
index f644fdb0e..f46563adc 100644
--- a/server/service/osquery_test.go
+++ b/server/service/osquery_test.go
@@ -560,10 +560,10 @@ func TestHostDetailQueries(t *testing.T) {
 queries, discovery, err = svc.detailQueriesForHost(context.Background(), &host)
 require.NoError(t, err)
- // 2 additional queries, but -2 expected queries due to removed disk space query (only 1 of 2
- // active for a given platform) and removed the Windows-specific operating system queries,
- // so the result is +0.
- require.Equal(t, len(expectedDetailQueries)+0, len(queries), distQueriesMapKeys(queries))
+ // 2 additional queries, but -3 expected queries due to removed disk space query (only 1 of 2
+ // active for a given platform) and removed two Windows-specific operating system queries,
+ // so the result is -1.
+ require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 for name := range queries {
 assert.True(t,
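Review bot: The rewritten assertion `require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))` still pins the platform-gated query count as a hand-maintained offset, and every later hunk in this file does the same with a different number, which is why a one-line Platforms fix in queries.go has to touch fifteen assertions. If expectedDetailQueries carries the same Platforms information the service consults (not visible in this hunk), a small test helper that counts the entries applicable to the host's platform would let each of these sites assert against a derived value instead of a literal offset, and the next platform-gated query would not require this sweep again. The new comment text is consistent with the new value. TestHostDetailQueries continues outside the hunk.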
@@ -743,9 +743,9 @@ func TestLabelQueries(t *testing.T) {
 // should be turned on so that we can quickly fill labels)
 queries, discovery, acc, err := svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // -2 expected queries due to removed disk space query (only 1 of 2 active for a given platform)
- // and removed the Windows-specific operating system queries
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // -3 expected queries due to removed disk space query (only 1 of 2 active for a given platform)
+ // and removed two Windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 assert.NotZero(t, acc)
@@ -835,9 +835,9 @@ func TestLabelQueries(t *testing.T) {
 ctx = hostctx.NewContext(ctx, host)
 queries, discovery, acc, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // +3 for label queries, but -2 expected queries due to removed disk space query (only 1 of 2
- // active for a given platform) and removed the Windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)+1, len(queries), distQueriesMapKeys(queries))
+ // +3 for label queries, but -3 expected queries due to removed disk space query (only 1 of 2
+ // active for a given platform) and removed two Windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries), len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 assert.Zero(t, acc)
@@ -1067,8 +1067,8 @@ func TestDetailQueriesWithEmptyStrings(t *testing.T) {
 require.NoError(t, err)
 // somehow confusingly, the query response above changed the host's platform
 // from windows to darwin, so now it has all expected queries except the
- // extra disk space one and the windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // extra disk space one and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 assert.Zero(t, acc)
 }
@@ -1127,9 +1127,9 @@ func TestDetailQueries(t *testing.T) {
 // queries)
 queries, discovery, acc, err := svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // -5 due to linux platform, so battery, mdm, and munki are missing, and the extra disk space
- // query, and the windows-specific operating system queries, then +1 due to software inventory being enabled.
- if !assert.Equal(t, len(expectedDetailQueries)-4, len(queries)) {
+ // -6 due to linux platform, so battery, mdm, and munki are missing, and the extra disk space
+ // query, and two windows-specific operating system queries, then +1 due to software inventory being enabled.
+ if !assert.Equal(t, len(expectedDetailQueries)-5, len(queries)) {
 // this is just to print the diff between the expected and actual query
 // keys when the count assertion fails, to help debugging - they are not
 // expected to match.
@@ -1388,10 +1388,10 @@ func TestDetailQueries(t *testing.T) {
 queries, discovery, acc, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // host platform changed to darwin, so -2 for the
- // extra disk space query and the windows-specific operating system query,
+ // host platform changed to darwin, so -3 for the
+ // extra disk space query and two windows-specific operating system queries,
 // +1 for the software inventory enabled.
- require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))
+ require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 assert.Zero(t, acc)
 }
@@ -2355,9 +2355,9 @@ func TestPolicyQueries(t *testing.T) {
 queries, discovery, _, err := svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all queries -2 for the extra disk space one and the windows-specific operating system query,
+ // all queries -3 for the extra disk space one and two windows-specific operating system queries,
 // and +2 for the policy queries
- require.Equal(t, len(expectedDetailQueries)-0, len(queries), distQueriesMapKeys(queries))
+ require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 checkPolicyResults := func(queries map[string]string) {
@@ -2413,8 +2413,8 @@ func TestPolicyQueries(t *testing.T) {
 ctx = hostctx.NewContext(context.Background(), host)
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries minus the extra disk space and the windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // all standard queries minus the extra disk space and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 noPolicyResults(queries)
@@ -2423,9 +2423,9 @@ func TestPolicyQueries(t *testing.T) {
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries -2 (the extra disk space and a windows-specific operating system
- // query) and +2 policy queries
- require.Equal(t, len(expectedDetailQueries)+0, len(queries), distQueriesMapKeys(queries))
+ // all standard queries -3 (the extra disk space and two windows-specific operating system
+ // queries) and +2 policy queries
+ require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 checkPolicyResults(queries)
@@ -2453,8 +2453,8 @@ func TestPolicyQueries(t *testing.T) {
 ctx = hostctx.NewContext(context.Background(), host)
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries minus the extra disk space and windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // all standard queries minus the extra disk space and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 noPolicyResults(queries)
@@ -2463,9 +2463,9 @@ func TestPolicyQueries(t *testing.T) {
 ctx = hostctx.NewContext(context.Background(), host)
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries -2 (the extra disk space and the windows-specific operating system
+ // all standard queries3-2 (the extra disk space and two windows-specific operating system
 // query) and +2 policy queries
- require.Equal(t, len(expectedDetailQueries)+0, len(queries), distQueriesMapKeys(queries))
+ require.Equal(t, len(expectedDetailQueries)-1, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 checkPolicyResults(queries)
@@ -2495,8 +2495,8 @@ func TestPolicyQueries(t *testing.T) {
 ctx = hostctx.NewContext(context.Background(), host)
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries minus the extra disk space and the windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // all standard queries minus the extra disk space and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 noPolicyResults(queries)
 }
@@ -2561,8 +2561,8 @@ func TestPolicyWebhooks(t *testing.T) {
 queries, discovery, _, err := svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all queries -2 for extra disk space and the windows-specific operating system query, +3 for policies
- require.Equal(t, len(expectedDetailQueries)+1, len(queries), distQueriesMapKeys(queries))
+ // all queries -3 for extra disk space and two windows-specific operating system queries, +3 for policies
+ require.Equal(t, len(expectedDetailQueries), len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 checkPolicyResults := func(queries map[string]string) {
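Review bot: The added comment in the hunk at -2463 reads `// all standard queries3-2 (the extra disk space and two windows-specific operating system`, which looks like a typo for `-3`, and its continuation line `// query) and +2 policy queries` was left as context here although the equivalent hunk at -2423 updated that line to `// queries) and +2 policy queries`. Suggest `// all standard queries -3 (the extra disk space and two windows-specific operating system` with the following line changed to match, so the two sibling sites read the same. TestPolicyQueries continues outside the hunk.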
@@ -2675,8 +2675,8 @@ func TestPolicyWebhooks(t *testing.T) {
 ctx = hostctx.NewContext(context.Background(), host)
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries minus the extra disk space and the windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // all standard queries minus the extra disk space and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 noPolicyResults(queries)
@@ -2685,8 +2685,8 @@ func TestPolicyWebhooks(t *testing.T) {
 queries, discovery, _, err = svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all queries -2 for extra disk space and windows-specific operating system query, +3 for policies
- require.Equal(t, len(expectedDetailQueries)+1, len(queries), distQueriesMapKeys(queries))
+ // all queries -3 for extra disk space and two windows-specific operating system queries, +3 for policies
+ require.Equal(t, len(expectedDetailQueries)-0, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 checkPolicyResults(queries)
@@ -2809,8 +2809,8 @@ func TestLiveQueriesFailing(t *testing.T) {
 queries, discovery, _, err := svc.GetDistributedQueries(ctx)
 require.NoError(t, err)
- // all standard queries minus the extra disk space and the windows-specific operating system query
- require.Equal(t, len(expectedDetailQueries)-2, len(queries), distQueriesMapKeys(queries))
+ // all standard queries minus the extra disk space and two windows-specific operating system queries
+ require.Equal(t, len(expectedDetailQueries)-3, len(queries), distQueriesMapKeys(queries))
 verifyDiscovery(t, queries, discovery)
 logs, err := io.ReadAll(buf)
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 6cd15d3bf..c0c6f2d10 100644
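Review bot: In the hunk at -2685 the new assertion is written as `require.Equal(t, len(expectedDetailQueries)-0, len(queries), distQueriesMapKeys(queries))`; the `-0` is a no-op left over from editing the offset, while the sibling hunks at -2561 and -835 write the same case as a bare `len(expectedDetailQueries)`. Suggest `require.Equal(t, len(expectedDetailQueries), len(queries), distQueriesMapKeys(queries))` so the three sites agree. TestPolicyWebhooks continues outside the hunk.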
--- a/server/service/osquery_utils/queries.go +++ b/server/service/osquery_utils/queries.go @@ -494,6 +494,7 @@ SELECT FROM os_version os, kernel_info k`, + Platforms: []string{"windows"}, DirectIngestFunc: directIngestOSWindows, }, "os_unix_like": {