Merge pull request #83 from macadmins/gg/thermal-power-tables

Add macos_thermal_pressure and macos_soc_power tables

Author: grahamgilbert

BUILD.bazel

@@ -52,7 +52,9 @@ go_library(
         "//tables/networkquality",
         "//tables/pendingappleupdates",
         "//tables/puppet",
+        "//tables/socpower",
         "//tables/sofa",
+        "//tables/thermalthrottling",
         "//tables/unifiedlog",
         "//tables/wifi_network",
         "@com_github_osquery_osquery_go//:osquery-go",

README.md

@@ -19,12 +19,14 @@ For production deployment, you should refer to the [osquery documentation](https
 | `alt_system_info`            | Alternative system_info table | macOS                   | This table is an alternative to the built-in system_info table in osquery, which triggers an `Allow "osquery" to find devices on local networks?` prompt on macOS 15.0. On versions other than 15.0, this table falls back to the built-in system_info table. Note: this table returns an empty `cpu_subtype` field. See [#58](https://github.com/macadmins/osquery-extension/pull/58) for more details. |
 | `authdb`                     | macOS Authorization database | macOS                   | Use the constraint `name` to specify a right name to query, otherwise all rights will be returned. |
 | `crowdstrike_falcon`         | Provides basic information about the currently installed Falcon sensor. | Linux / macOS           | Requires Falcon to be installed. |
-| `energy_impact`              | Process energy impact data from `powermetrics`                                                | macOS                   | Use the `interval` constraint to specify sampling duration in milliseconds (default: 1000ms). |
+| `energy_impact`              | Process energy impact data from `powermetrics`                                                | macOS                   | Use the `interval` constraint to specify sampling duration in milliseconds (default: 1000). |
 | `file_lines`                 | Read an arbitrary file                                                                        | Linux / macOS / Windows | Use the constraint `path` and `last` to specify the file to read lines from                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `filevault_users`            | Information on the users able to unlock the current boot volume when encrypted with Filevault | macOS                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | `google_chrome_profiles`     | Profiles configured in Google Chrome.                                                         | Linux / macOS / Windows |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | `local_network_permissions`  | Local network permission state for applications | macOS                   | Shows apps that have responded to the "Allow [app] to find devices on local networks?" prompt. Reads from `/Library/Preferences/com.apple.networkextension.plist`. State values: 0 = denied, 1 = allowed. |
 | `macos_profiles`             | High level information on installed profiles enrollment                                       | macOS                   |
+| `macos_soc_power`            | Power draw in milliwatts for the CPU, GPU, Apple Neural Engine (ANE), and total System on a Chip (SoC), plus GPU active ratio, sampled via `powermetrics` | macOS | Use the `interval` constraint to specify sampling duration in milliseconds (default: 3000). Longer intervals produce more accurate averages. Requires root. |
+| `macos_thermal_pressure`     | Reports whether macOS is [thermally throttling](https://developer.apple.com/documentation/foundation/processinfo/thermalstate) the device, via `powermetrics`. Returns `thermal_pressure` (Nominal/Light/Moderate/Heavy/Sleeping) and a derived `is_throttling` integer (1 if not Nominal). | macOS | Use the `interval` constraint to specify sampling duration in milliseconds (default: 1000). Requires root. |
 | `mdm`                        | Information on the device's MDM enrollment                                                    | macOS                   | Code based on work by [Kolide](https://github.com/kolide/launcher). Due to changes in macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If you are running this command with another tool, you should set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path you are caching this. The cache file should be `json` with the keys `dep_capable` and `rate_limited` present, both booleans representing whether the device is capable of DEP enrollment and whether the response from `profiles show -type enrollment` is being rate limited or not. |
 | `munki_info`                 | Information from the last [Munki](https://github.com/munki/munki) run                         | macOS                   | Code based on work by [Kolide](https://github.com/kolide/launcher)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 | `munki_installs`             | Items [Munki](https://github.com/munki/munki) is managing                                     | macOS                   | Code based on work by [Kolide](https://github.com/kolide/launcher)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

VERSION

@@ -1 +1 @@
-1.3.2
+1.4.0

main.go

@@ -21,7 +21,9 @@ import (
 	"github.com/macadmins/osquery-extension/tables/networkquality"
 	"github.com/macadmins/osquery-extension/tables/pendingappleupdates"
 	"github.com/macadmins/osquery-extension/tables/puppet"
+	"github.com/macadmins/osquery-extension/tables/socpower"
 	"github.com/macadmins/osquery-extension/tables/sofa"
+	"github.com/macadmins/osquery-extension/tables/thermalthrottling"
 	"github.com/macadmins/osquery-extension/tables/unifiedlog"
 	"github.com/macadmins/osquery-extension/tables/wifi_network"
 
@@ -123,6 +125,8 @@ func main() {
 					return alt_system_info.AltSystemInfoGenerate(ctx, queryContext, *flSocketPath)
 				},
 			),
+			table.NewPlugin("macos_thermal_pressure", thermalthrottling.ThermalPressureColumns(), thermalthrottling.ThermalPressureGenerate),
+			table.NewPlugin("macos_soc_power", socpower.SocPowerColumns(), socpower.SocPowerGenerate),
 		}
 		plugins = append(plugins, darwinPlugins...)
 	}

tables/socpower/BUILD.bazel

@@ -0,0 +1,25 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "socpower",
+    srcs = ["soc_power.go"],
+    importpath = "github.com/macadmins/osquery-extension/tables/socpower",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/utils",
+        "@com_github_micromdm_plist//:plist",
+        "@com_github_osquery_osquery_go//plugin/table",
+        "@com_github_pkg_errors//:errors",
+    ],
+)
+
+go_test(
+    name = "socpower_test",
+    srcs = ["soc_power_test.go"],
+    embed = [":socpower"],
+    embedsrcs = ["test_powermetrics_output.plist"],
+    deps = [
+        "//pkg/utils",
+        "@com_github_stretchr_testify//assert",
+    ],
+)

tables/socpower/soc_power.go

@@ -0,0 +1,101 @@
+package socpower
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/macadmins/osquery-extension/pkg/utils"
+	"github.com/micromdm/plist"
+	"github.com/osquery/osquery-go/plugin/table"
+	"github.com/pkg/errors"
+)
+
+const defaultInterval = 3000
+
+type powermetricsOutput struct {
+	Processor struct {
+		CPUPower      float64 `plist:"cpu_power"`
+		GPUPower      float64 `plist:"gpu_power"`
+		ANEPower      float64 `plist:"ane_power"`
+		CombinedPower float64 `plist:"combined_power"`
+	} `plist:"processor"`
+	GPU struct {
+		IdleRatio float64 `plist:"idle_ratio"`
+	} `plist:"gpu"`
+}
+
+func SocPowerColumns() []table.ColumnDefinition {
+	return []table.ColumnDefinition{
+		table.TextColumn("cpu_power_mw"),
+		table.TextColumn("gpu_power_mw"),
+		table.TextColumn("ane_power_mw"),
+		table.TextColumn("combined_power_mw"),
+		table.TextColumn("gpu_active_ratio"),
+		table.IntegerColumn("interval"),
+	}
+}
+
+func SocPowerGenerate(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) {
+	interval := defaultInterval
+	if constraintList, present := queryContext.Constraints["interval"]; present {
+		for _, constraint := range constraintList.Constraints {
+			if constraint.Operator == table.OperatorEquals {
+				if parsed, err := strconv.Atoi(constraint.Expression); err == nil {
+					interval = parsed
+				}
+			}
+		}
+	}
+
+	r := utils.NewRunner()
+	fs := utils.OSFileSystem{}
+	result, err := runPowermetrics(r, fs, interval)
+	if err != nil {
+		fmt.Println(err)
+		return nil, err
+	}
+	if result == nil {
+		return nil, nil
+	}
+
+	gpuActiveRatio := 1.0 - result.GPU.IdleRatio
+
+	return []map[string]string{{
+		"cpu_power_mw":      fmt.Sprintf("%.2f", result.Processor.CPUPower),
+		"gpu_power_mw":      fmt.Sprintf("%.2f", result.Processor.GPUPower),
+		"ane_power_mw":      fmt.Sprintf("%.2f", result.Processor.ANEPower),
+		"combined_power_mw": fmt.Sprintf("%.2f", result.Processor.CombinedPower),
+		"gpu_active_ratio":  fmt.Sprintf("%.4f", gpuActiveRatio),
+		"interval":          strconv.Itoa(interval),
+	}}, nil
+}
+
+func runPowermetrics(r utils.Runner, fs utils.FileSystem, interval int) (*powermetricsOutput, error) {
+	_, err := fs.Stat("/usr/bin/powermetrics")
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	out, err := r.Runner.RunCmd(
+		"/usr/bin/powermetrics",
+		"-f", "plist",
+		"-n", "1",
+		"-i", strconv.Itoa(interval),
+		"--samplers", "cpu_power,gpu_power,ane_power",
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "running powermetrics")
+	}
+
+	var output powermetricsOutput
+	if err := plist.Unmarshal(out, &output); err != nil {
+		return nil, errors.Wrap(err, "unmarshalling powermetrics output")
+	}
+
+	return &output, nil
+}

tables/socpower/soc_power_test.go

@@ -0,0 +1,117 @@
+package socpower
+
+import (
+	_ "embed"
+	"errors"
+	"testing"
+
+	"github.com/macadmins/osquery-extension/pkg/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+//go:embed test_powermetrics_output.plist
+var testPlist string
+
+func TestSocPowerColumns(t *testing.T) {
+	columns := SocPowerColumns()
+
+	assert.Len(t, columns, 6)
+
+	columnNames := make(map[string]bool)
+	for _, col := range columns {
+		columnNames[col.Name] = true
+	}
+
+	for _, name := range []string{"cpu_power_mw", "gpu_power_mw", "ane_power_mw", "combined_power_mw", "gpu_active_ratio", "interval"} {
+		assert.True(t, columnNames[name], "expected column %s not found", name)
+	}
+}
+
+func TestRunPowermetrics(t *testing.T) {
+	tests := []struct {
+		name         string
+		mockCmd      utils.MockCmdRunner
+		fileExists   bool
+		interval     int
+		wantErr      bool
+		wantNil      bool
+		checkResult  func(t *testing.T, result *powermetricsOutput)
+	}{
+		{
+			name:       "Binary not present",
+			fileExists: false,
+			interval:   3000,
+			wantNil:    true,
+		},
+		{
+			name: "Successful execution",
+			mockCmd: utils.MockCmdRunner{
+				Output: testPlist,
+			},
+			fileExists: true,
+			interval:   3000,
+			checkResult: func(t *testing.T, result *powermetricsOutput) {
+				assert.InDelta(t, 9924.35, result.Processor.CPUPower, 0.01)
+				assert.InDelta(t, 169.958, result.Processor.GPUPower, 0.01)
+				assert.InDelta(t, 0.0, result.Processor.ANEPower, 0.01)
+				assert.InDelta(t, 10094.3, result.Processor.CombinedPower, 0.01)
+				assert.InDelta(t, 0.901357, result.GPU.IdleRatio, 0.0001)
+			},
+		},
+		{
+			name: "Command execution error",
+			mockCmd: utils.MockCmdRunner{
+				Err: errors.New("command error"),
+			},
+			fileExists: true,
+			interval:   3000,
+			wantErr:    true,
+		},
+		{
+			name: "Invalid plist output",
+			mockCmd: utils.MockCmdRunner{
+				Output: "invalid plist data",
+			},
+			fileExists: true,
+			interval:   3000,
+			wantErr:    true,
+		},
+		{
+			name: "Custom interval",
+			mockCmd: utils.MockCmdRunner{
+				Output: testPlist,
+			},
+			fileExists: true,
+			interval:   5000,
+			checkResult: func(t *testing.T, result *powermetricsOutput) {
+				assert.InDelta(t, 9924.35, result.Processor.CPUPower, 0.01)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			runner := utils.Runner{Runner: tt.mockCmd}
+			fs := utils.MockFileSystem{FileExists: tt.fileExists}
+
+			result, err := runPowermetrics(runner, fs, tt.interval)
+
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Nil(t, result)
+				return
+			}
+
+			assert.NoError(t, err)
+
+			if tt.wantNil {
+				assert.Nil(t, result)
+				return
+			}
+
+			if tt.checkResult != nil {
+				tt.checkResult(t, result)
+			}
+		})
+	}
+}

tables/socpower/test_powermetrics_output.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>is_delta</key>
+	<true/>
+	<key>elapsed_ns</key>
+	<integer>3017304750</integer>
+	<key>processor</key>
+	<dict>
+		<key>cpu_power</key>
+		<real>9924.35</real>
+		<key>gpu_power</key>
+		<real>169.958</real>
+		<key>ane_power</key>
+		<real>0.0</real>
+		<key>combined_power</key>
+		<real>10094.3</real>
+	</dict>
+	<key>gpu</key>
+	<dict>
+		<key>idle_ratio</key>
+		<real>0.901357</real>
+	</dict>
+</dict>
+</plist>

tables/thermalthrottling/BUILD.bazel

@@ -0,0 +1,26 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "thermalthrottling",
+    srcs = ["thermal_throttling.go"],
+    importpath = "github.com/macadmins/osquery-extension/tables/thermalthrottling",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/utils",
+        "@com_github_micromdm_plist//:plist",
+        "@com_github_osquery_osquery_go//plugin/table",
+        "@com_github_pkg_errors//:errors",
+    ],
+)
+
+go_test(
+    name = "thermalthrottling_test",
+    srcs = ["thermal_throttling_test.go"],
+    embed = [":thermalthrottling"],
+    embedsrcs = ["test_powermetrics_output.plist"],
+    deps = [
+        "//pkg/utils",
+        "@com_github_osquery_osquery_go//plugin/table",
+        "@com_github_stretchr_testify//assert",
+    ],
+)

tables/thermalthrottling/test_powermetrics_output.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>is_delta</key>
+	<true/>
+	<key>elapsed_ns</key>
+	<integer>1017304750</integer>
+	<key>hw_model</key>
+	<string>Mac16,6</string>
+	<key>thermal_pressure</key>
+	<string>Nominal</string>
+</dict>
+</plist>