adding bios vendor and version to device Inventory via osquery


Chris Herrmann

Apr 27, 2022, 9:17:36 PM
to Wazuh mailing list
Hi all, I'm currently trying to work out how to use Wazuh to collect data on BIOS version for agents. The idea is that this data can then be used for vulnerability monitoring (for example the recent Lenovo BIOS issue).

Osquery does appear to support the data collection:
hardware_version
hardware_vendor
...

AFAICT currently the BIOS serial is retrieved using smbios, which does not support returning BIOS version number or hardware_vendor.

I've modified /opt/osquery/share/osquery/packs/hardware-monitoring.conf to add a system_info block:

    "system_info": {
      "query": "select hostname,hardware_vendor,hardware_model,hardware_version,hardware_serial from system_info ;",
      "interval": "7200",
      "version": "1.4.0",
      "description": "capture additional vendor hardware information"
    },

But... what I'm not clear on is how the information defined in these .conf files makes its way into the SQLite DBs for each agent. The logical place to store this appears to be sys_hwinfo:

sqlite> .schema sys_hwinfo
CREATE TABLE sys_hwinfo (
    scan_id INTEGER,
    scan_time TEXT,
    board_serial TEXT,
    cpu_name TEXT,
    cpu_cores INTEGER CHECK (cpu_cores > 0),
    cpu_mhz REAL CHECK (cpu_mhz > 0),
    ram_total INTEGER CHECK (ram_total > 0),
    ram_free INTEGER CHECK (ram_free > 0),
    ram_usage INTEGER CHECK (ram_usage >= 0 AND ram_usage <= 100),
    checksum TEXT DEFAULT '' NOT NULL CHECK(checksum <> ''),
    PRIMARY KEY (scan_id, board_serial)
);

(note - no hardware_vendor / version / etc)

Are there any guides / etc. around that walk through how to extend the queries that syscollector is executing, and then make sure that it actually records (and then reports on) this data?

Thanks!

Chris

Federico Gustavo Galland

Apr 28, 2022, 6:14:00 PM
to Wazuh mailing list
Hi Chris,

Wazuh's configuration of OSquery Integration [1][2][3] lets you set up custom SQL queries as you can see in the example here: https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html#configuration

Have you already tried running a custom query from there?

Let me know so I can make my answer more accurate.

Regards,
Fede

Chris Herrmann

Apr 28, 2022, 7:23:56 PM
to Wazuh mailing list
Yes, I edited this block: (/etc/osquery/osquery.conf)

    "schedule": {
        "system_info": {
            "query": "SELECT hostname, cpu_brand, hardware_vendor, hardware_model, hardware_serial, physical_memory FROM system_info;",
            "interval": 3600
        }
    },

=========

but I'm not certain that it's using this file, because it was referring to packs in a location that doesn't exist:

  "/usr/share/osquery/packs/hardware-monitoring.conf"

I've updated to point at the actual location:

    "packs": {
        "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
        "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
        ...

I've just symlinked /opt/osquery/share/osquery/packs/osquery.conf --> /etc/osquery/osquery.conf and reloaded osqueryd. If that fixes it... how long before I'd be able to see any impact / results / etc?

Let me know anything else I should be checking?

Thanks!

Chris
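The two problems in the post above (a "packs" entry pointing at a file that does not exist, and not being sure which schedule osqueryd is actually running) are both visible by reading the configuration the same way osqueryd does. The following is an added example, not code from this thread, from osquery or from Wazuh: it loads an osquery.conf, reports every pack whose file is missing, and lists every scheduled query with its interval. The config and pack it writes into a temporary directory are constructed to mirror the thread (one good hardware-monitoring pack, one stale pack path); the file names and the `demo()` helper are assumptions of this example.

```python
"""Check an osquery.conf the way osqueryd reads it: strict JSON, pack paths, schedule.

Added example, not part of the thread or of Wazuh/osquery. The config written
by build_demo_config() is constructed for illustration.
"""
import json
import os
import tempfile


def load_osquery_config(path):
    """Parse the top-level osquery.conf (strict JSON, which is what osqueryd expects)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_pack_paths(config):
    """Return (pack name, path) for every pack whose file does not exist."""
    missing = []
    for name, pack_path in config.get("packs", {}).items():
        if not os.path.isfile(pack_path):
            missing.append((name, pack_path))
    return missing


def scheduled_queries(config):
    """Collect scheduled queries from the main "schedule" block and every readable pack.

    Returns {"schedule/<name>" | "<pack>/<name>": (sql, interval_seconds)}.
    osquery accepts the interval as a string ("7200") or a number (7200).
    """
    found = {}
    for name, entry in config.get("schedule", {}).items():
        found[f"schedule/{name}"] = (entry["query"], int(entry["interval"]))
    for pack_name, pack_path in config.get("packs", {}).items():
        if not os.path.isfile(pack_path):
            continue  # already reported by check_pack_paths(); nothing gets scheduled
        with open(pack_path, encoding="utf-8") as fh:
            pack = json.load(fh)
        for name, entry in pack.get("queries", {}).items():
            found[f"{pack_name}/{name}"] = (entry["query"], int(entry["interval"]))
    return found


def build_demo_config(root):
    """Write a constructed osquery.conf plus one pack under `root`; return the conf path."""
    pack_dir = os.path.join(root, "packs")
    os.makedirs(pack_dir)
    good_pack = os.path.join(pack_dir, "hardware-monitoring.conf")
    with open(good_pack, "w", encoding="utf-8") as fh:
        json.dump({"queries": {"system_info": {
            "query": "select hostname,hardware_vendor,hardware_model,hardware_version,"
                     "hardware_serial from system_info;",
            "interval": "7200",
            "description": "capture additional vendor hardware information"}}}, fh)
    conf = {
        "schedule": {"system_info": {
            "query": "SELECT hostname, cpu_brand, hardware_vendor, hardware_model, "
                     "hardware_serial, physical_memory FROM system_info;",
            "interval": 3600}},
        "packs": {
            "hardware-monitoring": good_pack,
            # constructed: a pack path that does not exist, like the stale one in the thread
            "osquery-monitoring": os.path.join(root, "does-not-exist", "osquery-monitoring.conf"),
        },
    }
    conf_path = os.path.join(root, "osquery.conf")
    with open(conf_path, "w", encoding="utf-8") as fh:
        json.dump(conf, fh)
    return conf_path


def demo():
    """Run both checks against the constructed config; return (missing_packs, queries)."""
    with tempfile.TemporaryDirectory() as root:
        config = load_osquery_config(build_demo_config(root))
        return check_pack_paths(config), scheduled_queries(config)


if __name__ == "__main__":
    missing, queries = demo()
    for name, path in missing:
        print(f"pack {name!r} points at a missing file: {path}")
    for qname, (sql, interval) in queries.items():
        print(f"{qname}: every {interval}s -> {sql}")
```

Pointed at a real /etc/osquery/osquery.conf, `check_pack_paths()` answers the "is it even loading that pack?" question before waiting an interval for results; a query that never appears in `scheduled_queries()` will never produce a log line, whatever the agent side is doing.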

Chris Herrmann

Apr 28, 2022, 7:32:46 PM
to Wazuh mailing list

If I run that query using osqueryi on my Wazuh host it does return expected results... but that's talking to the "virtual database", and not showing me what an agent is capturing / reporting etc. (or what happens to the data after that point).
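What an agent actually captures is in osqueryd's results log: each scheduled-query run appends one JSON object per line (in the default differential mode one line per changed row with `"action": "added"` or `"removed"`; with `"snapshot": true` the whole result set under `"snapshot"`). That log file is what Wazuh's osquery module reads and forwards to the manager as events; the rows do not land in the syscollector tables such as sys_hwinfo. (For firmware specifically, osquery also exposes vendor and version through its platform_info table; that is a property of osquery, not something the thread states.) The parser below is an added example, not code from the thread, from osquery or from Wazuh: it folds results-log lines for the `system_info` query into a per-host hardware inventory and flags hosts from one vendor whose reported hardware_version is below a minimum. The log lines, host names, vendor and version strings are all constructed.

```python
"""Fold osqueryd results-log lines into a per-host hardware inventory.

Added example, not part of the thread, osquery or Wazuh. SAMPLE_LOG is
constructed: two hosts, one snapshot-mode result, one unrelated query,
one corrupt line, and a differential removed/added pair for a version change.
"""
import json

SAMPLE_LOG = """\
{"name":"system_info","hostIdentifier":"agent01","calendarTime":"Thu Apr 28 08:00:00 2022 UTC","unixTime":1651132800,"epoch":0,"counter":0,"numerics":false,"decorations":{},"columns":{"hostname":"agent01","hardware_vendor":"ExampleVendor","hardware_model":"Model-A","hardware_version":"1.0","hardware_serial":"SN-0001"},"action":"added"}
{"name":"system_info","hostIdentifier":"agent02","calendarTime":"Thu Apr 28 08:00:00 2022 UTC","unixTime":1651132800,"epoch":0,"counter":0,"numerics":false,"decorations":{},"snapshot":[{"hostname":"agent02","hardware_vendor":"ExampleVendor","hardware_model":"Model-B","hardware_version":"2.3","hardware_serial":"SN-0002"}],"action":"snapshot"}
{"name":"process_events","hostIdentifier":"agent01","unixTime":1651132900,"columns":{"pid":"42"},"action":"added"}
this line is not JSON (constructed to mimic a truncated write)
{"name":"system_info","hostIdentifier":"agent01","calendarTime":"Thu Apr 28 10:00:00 2022 UTC","unixTime":1651140000,"epoch":0,"counter":1,"numerics":false,"decorations":{},"columns":{"hostname":"agent01","hardware_vendor":"ExampleVendor","hardware_model":"Model-A","hardware_version":"1.0","hardware_serial":"SN-0001"},"action":"removed"}
{"name":"system_info","hostIdentifier":"agent01","calendarTime":"Thu Apr 28 10:00:00 2022 UTC","unixTime":1651140000,"epoch":0,"counter":1,"numerics":false,"decorations":{},"columns":{"hostname":"agent01","hardware_vendor":"ExampleVendor","hardware_model":"Model-A","hardware_version":"1.1","hardware_serial":"SN-0001"},"action":"added"}
"""

FIELDS = ("hardware_vendor", "hardware_model", "hardware_version", "hardware_serial")


def iter_results(lines, query_name="system_info"):
    """Yield (host, unixTime, action, row) for every row of the named query.

    Lines that are not valid JSON are skipped (osqueryd can be stopped mid-write),
    as are results of other scheduled queries.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("name") != query_name:
            continue
        host = rec.get("hostIdentifier", "")
        when = int(rec.get("unixTime", 0))
        if "snapshot" in rec:                      # snapshot-mode query: full result set
            for row in rec["snapshot"]:
                yield host, when, "added", row
        elif "columns" in rec:                     # differential mode: one changed row
            yield host, when, rec.get("action", "added"), rec["columns"]


def build_inventory(lines):
    """Return {host: {field: value, "as_of": unixTime}}; the newest record wins.

    A "removed" row matching the current values clears them, so a host whose
    row was removed and never re-added shows up with no hardware fields.
    """
    inventory = {}
    for host, when, action, row in iter_results(lines):
        current = inventory.setdefault(host, {})
        if when < current.get("as_of", 0):
            continue                               # older record, e.g. a replayed log
        if action == "removed":
            if all(current.get(f) == row.get(f) for f in FIELDS):
                for f in FIELDS:
                    current.pop(f, None)
            current["as_of"] = when
            continue
        for f in FIELDS:
            if f in row:
                current[f] = row[f]
        current["as_of"] = when
    return inventory


def hosts_below(inventory, vendor, min_version):
    """Hosts from `vendor` whose hardware_version is older than `min_version`.

    Versions compare as dotted integer tuples; a non-numeric component sorts
    first so odd strings are always surfaced for review rather than ignored.
    """
    def key(version):
        return tuple(int(p) if p.isdigit() else -1 for p in str(version).split("."))
    return sorted(host for host, data in inventory.items()
                  if data.get("hardware_vendor") == vendor
                  and "hardware_version" in data
                  and key(data["hardware_version"]) < key(min_version))


def demo():
    """Build the inventory from the constructed log."""
    return build_inventory(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    inv = demo()
    for host, data in sorted(inv.items()):
        print(host, {f: data.get(f) for f in FIELDS})
    print("below 2.0:", hosts_below(inv, "ExampleVendor", "2.0"))
```

On a live agent the same function can be fed the results log that the Wazuh osquery module is configured to read; if a host never appears in the inventory, the query is not running on that agent, and the problem is on the osquery side rather than in Wazuh's forwarding.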

Chris Herrmann

May 3, 2022, 11:30:12 PM
to Wazuh mailing list
Any more cluebats? Things I should check or test?