packages query for NixOS

[06kellyjac]

Feature request

What new feature do you want?

osqueryd works well on nixos for general linux parts but it'd be nice to have more integration for the nixos specific parts.

There are many parts of NixOS that would be cool to query but to start with some kind of list of packages on the machine would be good.

The easiest option first might be to provide every package within the /nix/store

Future work could be query nixos generations separately, query just environment.systemPackages or users.users.<name>.packages for that generation, etc

How is this new feature useful?

I could query the packages on my nixos machine and work towards being able to review the packages for vulnerabilities

How can this be implemented?

A similar approach to syft that processes entries to the /nix/store might be good

https://github.com/anchore/syft/pull/1696/files#diff-586ef9e8ef1bb7af74c55ba184b0f77cf7c519bb02a97e93a362ebbc984d7276R1

Or hooking into nix-store directly to get info may be best

[06kellyjac]

• osquery packaged in nixpkgs
• osquery nixos module

cc some people interested in nixos and osquery: @nlewo @znewman01 @necrophcodr @jdbaldry @RaitoBezarius

[jdbaldry]

Sorry for the late reply.

This is a great idea. If I was still running NixOS, I would have loved to have some of the store information exposed to osquery.

I hope you can find some momentum on this idea but unfortunately I don't think I'll be much help :)

[06kellyjac]

Thanks @jdbaldry
I think the first phase here is drumming up some interest on this issue/ticket/FR so your reply is very useful :)

[james-callahan]

I'd love to see a nix_packages table.

[tomfitzhenry]

A similar approach to syft that processes entries to the /nix/store might be good

https://github.com/anchore/syft/pull/1696/files#diff-586ef9e8ef1bb7af74c55ba184b0f77cf7c519bb02a97e93a362ebbc984d7276R1

AFAICT, this reads all directories in /nix/store, which would have false positives for which packages were used on a machine, since it would include older generations, and derivations built for remote systems.

Perhaps osquery can use nix-store(1)? Other scanning tools might not be able to do. If osquery can't, then re-implementing the relevant parts of nix-store in osquery (and others) sounds like too much work.

But maybe there's a middle ground:

• introduce a NixOS option that creates /run/current-system/closure.txt that contains a list of all store paths used in that generation. (Or dependencies.json, to output the dependency tree: richer, but harder for tools to use)
• Add support in osquery (or other tooling) to read /run/current-system/closure.txt

[james-callahan]

AFAICT, this reads all directories in /nix/store, which would have false positives for which packages were used on a machine, since it would include older generations, and derivations built for remote systems.

As an auditor, I'd still want to know about older generations; the checkbox to tick is "vulnerable software is not present on the system".

[dacevedo12]

should include support for non-nixos machines running nix as a package manager? nix-env -q type stuff

[caraar12345]

should include support for non-nixos machines running nix as a package manager? nix-env -q type stuff

💯 - nix is sometimes used as an alternative to Homebrew et al on macOS so visibility over that would be really useful!

[jficz]

Turns out enumerating "packages" in Nix(OS) is not trivial: https://discourse.nixos.org/t/list-all-installed-packages-version-for-audit-purposes/67280

If anyone has any idea how to tackle this, please share them!

[RaitoBezarius]

Provided my answer in https://discourse.nixos.org/t/list-all-installed-packages-version-for-audit-purposes/67280/4.

I do not work with osquery anymore these days, unfortunately.