Add Table for Win32_Tpm class #7107
Conversation
Welcome! The comment is showing an idea of what it can be tested. Normally these kind of tests aim to verify that the table is able to retrieve some data, that the format of the columns and the general type/category of data is the one expected. When possible we always welcome tests that validate the actual data; though I believe in this specific case it might be a bit difficult to verify if every column reports a very specific information, given that it might vary depending on where it's run. |
Oh cool. Thanks for clarifying that for me :) |
|
@skepth There was a simple merge conflict against master which I fixed, though there's more work to do (currently, formatting the code). |
…into table/wmi-tpm-info
Thanks for fixing the merge conflict. I re-formatted the code & it should pass the code style check. |
|
Powershell Get-Tpm is another way to pull TPM information status from an endpoint, but it depends on whether TPM Module is available or not. WMI is and remains the best way to query TPM details, so please add them in a new "tpm_info" table in the schema. |
I'm not sure what to make of this request? This PR seems reasonable to me. The underlying WMI is a good API. osquery is not going to exec out to powershell. |
I was not suggesting to use PS. It was just to suggest another alternative to query the same information, I actually believe even PS wraps around WMI eventually. I am not requesting anything, but to have this tpm_info. I don't really care eventually how TPM is pulled into it, but it's needed. |
|
|
||
| QueryData genTpmInfo(QueryContext& context) { | ||
| QueryData resultsdata; | ||
| std::string wmiclass{"SELECT * FROM Win32_Tpm"}; |
There was a problem hiding this comment.
can/should this be a constant?
| QueryData resultsdata; | ||
| std::string wmiclass{"SELECT * FROM Win32_Tpm"}; | ||
|
|
||
| BSTR wminamespace = ::SysAllocString(L"root\\cimv2\\Security\\MicrosoftTpm"); |
There was a problem hiding this comment.
ca/should the namespace string be a constant?
There was a problem hiding this comment.
BSTRs are a special system type, unfortunately although they're typedef'd to wchar_t *. They should always be allocated with SysAllocString and freed with SysFreeString. BSTRs use a different memory allocator, even (https://docs.microsoft.com/en-us/previous-versions/windows/desktop/automat/bstr).
This PR adds support for Win32_Tpm WMI class that would help identify TPM related information on windows machines.
Win32_Tpm class is available on all versions of Windows after Vista on clients and Server 2008 on servers, so we should get good coverage here.
Sample output:
Reference: Microsoft's doc
Note: I've noticed that the integration tests for all wmi tables are commented out for the most part and I stuck to the same pattern. Please let me know if its sufficient or not.
Fixes: #7187