Windows careful bitlocker selection #18189
Conversation
Fixes an issue in windows server where selecting from `bitlocker_info` will cause the query to abort. Bitlocker is not available by default on some version of windows server, so we first check if the optional component is enabled before making our query
dantecatalfamo
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
dantecatalfamo
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
dantecatalfamo
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
| -- Bitlocker is not optional, and should be on the device | ||
| SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1 | ||
| ) END | ||
| ) SELECT enabled FROM encrypted WHERE enabled IS NOT NULL;`, |
There was a problem hiding this comment.
awesome query! have you tried using a discovery query?
A distributed discovery query controls whether or not a distributed query will be executed on a host.
- If a distributed query has no corresponding discovery query, then it is always executed on the host.
- If a discovery query returns one or more results, then its corresponding distributed query will be executed on the host.
- If a discovery query returns no results, then its corresponding distributed query will not be executed on the host.
In our system, you can define a DiscoveryQuery as part of the struct:
fleet/server/service/osquery_utils/queries.go
Lines 36 to 38 in a24f2e3
sorry if you already tried this! if it didn't work, could you add a comment or comment here why for future reference?
There was a problem hiding this comment.
I can rewrite it to use two discovery queries if you think it makes more sense!
There was a problem hiding this comment.
not necessary! I'm just curious if you considered it and the rationale for not using it (as that was my expectation based on the other queries we have)
I don't think you can do two discovery queries, but I was thinking a single query that does all the conditional logic
There was a problem hiding this comment.
I would need two queries then, each with their own discovery queries, one for systems where bitlocker is optional and one for systems where bitlocker is built-in. I actually hadn't considered using a discovery query when I was writing this 😅. I'll try doing a quick rewrite and see if it looks any cleaner!
There was a problem hiding this comment.
@dantecatalfamo two queries would be super confusing, so if we can't do it in a single query please don't bother. This is fine as-is.
Just for fun, I was thinking something on the lines of (quick and dirty, haven't tested) for the discovery query
SELECT 1
WHERE NOT EXISTS (SELECT 1 FROM windows_optional_features WHERE name = 'BitLocker')
AND EXISTS (SELECT 1 FROM windows_optional_features WHERE state = 1);
dantecatalfamo
had a problem deploying
to
Docker Hub
GitHub Actions
Error
dantecatalfamo
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
dantecatalfamo
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
#17796 Fixes an issue in windows server where selecting from `bitlocker_info` will cause the query to abort. Bitlocker is not available by default on some version of windows server, so we first check if the optional component is enabled before making our query
#17796 Fixes an issue in windows server where selecting from `bitlocker_info` will cause the query to abort. Bitlocker is not available by default on some version of windows server, so we first check if the optional component is enabled before making our query
#17796
Checklist for submitter
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements)Added/updated testsNo updates needed