New docker_container_envs table (#7313)

osquery · Oct 6, 2021 · a18ffee · a18ffee
1 parent 7e2ccc2
commit a18ffee
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 0 deletions.
diff --git a/osquery/tables/applications/posix/docker.cpp b/osquery/tables/applications/posix/docker.cpp
@@ -469,6 +469,42 @@ QueryData genContainers(QueryContext& context) {
   return results;
 }
 
+/**
+ * @brief Entry point for docker_container_envs table.
+ */
+QueryData genContainerEnvs(QueryContext& context) {
+  QueryData results;
+  std::set<std::string> ids;
+  pt::ptree containers;
+  auto s = getContainers(context, ids, containers);
+  if (!s.ok()) {
+    return results;
+  }
+
+  for (const auto& entry : containers) {
+    const pt::ptree& container = entry.second;
+    auto id = getValue(container, ids, "Id");
+
+    pt::ptree container_details;
+    s = dockerApi("/containers/" + id + "/json?stream=false",
+                  container_details);
+    if (s.ok()) {
+      for (const auto& env_var : container_details.get_child("Config.Env")) {
+        Row r;
+        r["id"] = id;
+        auto buf = std::string(env_var.second.data());
+        size_t idx = buf.find_first_of("=");
+        r["key"] = buf.substr(0, idx);
+        r["value"] = buf.substr(idx + 1);
+        results.push_back(r);
+      }
+    } else {
+      VLOG(1) << "Failed to retrieve the inspect data for container " << id;
+    }
+  }
+  return results;
+}
+
 /**
  * @brief Entry point for docker_container_labels table.
  */

diff --git a/specs/CMakeLists.txt b/specs/CMakeLists.txt
@@ -195,6 +195,7 @@ function(generateNativeTables)
     "posix/disk_encryption.table:linux,macos"
     "posix/dns_resolvers.table:linux,macos,freebsd"
     "posix/docker_container_labels.table:linux,macos,freebsd"
+    "posix/docker_container_envs.table:linux,macos,freebsd"
     "posix/docker_container_mounts.table:linux,macos,freebsd"
     "posix/docker_container_networks.table:linux,macos,freebsd"
     "posix/docker_container_ports.table:linux,macos,freebsd"

diff --git a/specs/posix/docker_container_envs.table b/specs/posix/docker_container_envs.table
@@ -0,0 +1,13 @@
+table_name("docker_container_envs")
+description("Docker container environment variables.")
+schema([
+    Column("id", TEXT, "Container ID", index=True),
+    Column("key", TEXT, "Environment variable name"),
+    Column("value", TEXT, "Environment variable value")
+])
+implementation("applications/docker@genContainerEnvs")
+examples([
+  "select * from docker_container_envs",
+  "select * from docker_container_envs where id = '1234567890abcdef'",
+  "select * from docker_container_envs where id = '11b2399e1426d906e62a0c657650e363426d6c56dbe2f35cbaa9b452250e3355'"
+])
diff --git a/tests/integration/tables/docker_container_envs.cpp b/tests/integration/tables/docker_container_envs.cpp
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2014-present, The osquery authors
+ *
+ * This source code is licensed as defined by the LICENSE file found in the
+ * root directory of this source tree.
+ *
+ * SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
+ */
+
+// Sanity check integration test for docker_container_envs
+// Spec file: specs/posix/docker_container_envs.table
+
+#include <osquery/tests/integration/tables/helper.h>
+
+namespace osquery {
+namespace table_tests {
+
+class dockerContainerEnvs : public testing::Test {
+ protected:
+  void SetUp() override {
+    setUpEnvironment();
+  }
+};
+
+TEST_F(dockerContainerEnvs, test_sanity) {
+  // 1. Query data
+  auto const data = execute_query("select * from docker_container_envs");
+  // 2. Check size before validation
+  // ASSERT_GE(data.size(), 0ul);
+  // ASSERT_EQ(data.size(), 1ul);
+  // ASSERT_EQ(data.size(), 0ul);
+  // 3. Build validation map
+  // See helper.h for available flags
+  // Or use custom DataCheck object
+  // ValidationMap row_map = {
+  //      {"id", NormalType}
+  //      {"key", NormalType}
+  //      {"value", NormalType}
+  //}
+  // 4. Perform validation
+  // validate_rows(data, row_map);
+}
+
+} // namespace table_tests
+} // namespace osquery