linux usb_devices: add the class, subclass and protocol information (#3542)

osquery/tables/system/linux/usb_devices.cpp

@@ -12,6 +12,7 @@
 #include <osquery/logger.h>
 #include <osquery/tables.h>
 
+#include "osquery/core/conversions.h"
 #include "osquery/events/linux/udev.h"
 
 namespace osquery {
@@ -26,6 +27,7 @@ const std::string kUSBKeySubsystem = "SUBSYSTEM";
 const std::string kUSBKeySerial = "ID_SERIAL_SHORT";
 const std::string kUSBKeyAddress = "BUSNUM";
 const std::string kUSBKeyPort = "DEVNUM";
+const std::string kUSBKeyType = "TYPE";
 
 QueryData genUSBDevices(QueryContext &context) {
   QueryData results;
@@ -59,6 +61,19 @@ QueryData genUSBDevices(QueryContext &context) {
     r["vendor_id"] = UdevEventPublisher::getValue(device, kUSBKeyVendorID);
     r["serial"] = UdevEventPublisher::getValue(device, kUSBKeySerial);
 
+    // This will be of the form class/subclass/protocol and has to be parsed
+    auto devType = UdevEventPublisher::getValue(device, kUSBKeyType);
+    auto classInfo = osquery::split(devType, "/");
+    if (classInfo.size() == 3) {
+      r["class"] = classInfo[0];
+      r["subclass"] = classInfo[1];
+      r["protocol"] = classInfo[2];
+    } else {
+      r["class"] = "";
+      r["subclass"] = "";
+      r["protocol"] = "";
+    }
+
     // Address/port accessors.
     r["usb_address"] = UdevEventPublisher::getValue(device, kUSBKeyAddress);
     r["usb_port"] = UdevEventPublisher::getValue(device, kUSBKeyPort);

specs/posix/usb_devices.table

@@ -8,6 +8,9 @@ schema([
     Column("model", TEXT, "USB Device model string"),
     Column("model_id", TEXT, "Hex encoded USB Device model identifier"),
     Column("serial", TEXT, "USB Device serial connection"),
+    Column("class", TEXT, "USB Device class"),
+    Column("subclass", TEXT, "USB Device subclass"),
+    Column("protocol", TEXT, "USB Device protocol"),
     Column("removable", INTEGER, "1 If USB device is removable else 0"),
 ])
 implementation("usb_devices@genUSBDevices")