Add NTDomain Table for Windows (#5152)

osquery/tables/system/windows/ntdomains.cpp

@@ -0,0 +1,50 @@
+/**
+ *  Copyright (c) 2014-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under both the Apache 2.0 license (found in the
+ *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
+ *  in the COPYING file in the root directory of this source tree).
+ *  You may select, at your option, one of the above-listed licenses.
+ */
+
+#include <osquery/logger.h>
+#include <osquery/sql.h>
+#include <osquery/system.h>
+#include <osquery/tables.h>
+
+#include "osquery/core/windows/wmi.h"
+
+namespace osquery {
+namespace tables {
+
+QueryData genNtdomains(QueryContext& context) {
+  QueryData results;
+
+  WmiRequest wmiSystemReq("select * from Win32_NtDomain");
+  const auto& wmiResults = wmiSystemReq.results();
+  if (wmiSystemReq.getStatus().ok()) {
+    if (!wmiResults.empty()) {
+      for (const auto& data : wmiResults) {
+        Row r;
+        data.GetString("Name", r["name"]);
+        data.GetString("ClientSiteName", r["client_site_name"]);
+        data.GetString("DcSiteName", r["dc_site_name"]);
+        data.GetString("DnsForestName", r["dns_forest_name"]);
+        data.GetString("DomainControllerAddress",
+                       r["domain_controller_address"]);
+        data.GetString("DomainControllerName", r["domain_controller_name"]);
+        data.GetString("DomainName", r["domain_name"]);
+        data.GetString("Status", r["status"]);
+        results.push_back(std::move(r));
+      }
+    } else {
+      LOG(WARNING) << "WMI resultset empty.";
+    }
+  } else {
+    VLOG(1) << wmiSystemReq.getStatus().getMessage();
+  }
+  return results;
+}
+} // namespace tables
+} // namespace osquery

osquery/tests/integration/tables/ntdomains.cpp

@@ -0,0 +1,38 @@
+/**
+ *  Copyright (c) 2014-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed under both the Apache 2.0 license (found in the
+ *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
+ *  in the COPYING file in the root directory of this source tree).
+ *  You may select, at your option, one of the above-listed licenses.
+ */
+
+// Sanity check integration test for nt_info
+// Spec file: specs/windows/nt_info.table
+
+#include <osquery/tests/integration/tables/helper.h>
+
+namespace osquery {
+
+class nt_info : public IntegrationTableTest {};
+
+TEST_F(NTdomains, test_sanity) {
+  QueryData data = execute_query("select * from nt_info");
+
+  ASSERT_EQ(data.size(), 1ul);
+
+  ValidatatioMap row_map = {
+      {"name", NonEmptyString},
+      {"client_site_name", NonEmptyString},
+      {"dc_site_name", NonEmptyString},
+      {"dns_forest_name", NonEmptyString},
+      {"domain_controller_address", NonEmptyString},
+      {"domain_controller_name", NonEmptyString},
+      {"domain_name", NonEmptyString},
+      {"status", NonEmptyString},
+  };
+  validate_rows(data, row_map);
+}
+
+} // namespace osquery

specs/windows/ntdomains.table

@@ -0,0 +1,16 @@
+table_name("ntdomains")
+description("Display basic NT domain information of a Windows machine.")
+schema([
+    Column("name", TEXT, "The label by which the object is known."),
+    Column("client_site_name", TEXT, "The name of the site where the domain controller is configured."),
+    Column("dc_site_name", TEXT, "The name of the site where the domain controller is located."),
+    Column("dns_forest_name", TEXT, "The name of the root of the DNS tree."),
+    Column("domain_controller_address", TEXT, "The IP Address of the discovered domain controller.."),
+    Column("domain_controller_name", TEXT, "The name of the discovered domain controller."),
+    Column("domain_name", TEXT, "The name of the domain."),
+    Column("status", TEXT, "The current status of the domain object."),
+])
+implementation("system/windows/ntdomains@genNtdomains")
+examples([
+  "select * from ntdomains",
+])