
windows/certificates: Improve table completeness for Personal certificates for system accounts #5696

Conversation

@mossberg (Contributor) commented Aug 7, 2019

Small follow up to #5640.

When proactively searching disk for personal certificates, there is no
need to filter system accounts (SYSTEM, Local Service, etc.) anymore
because findUserPersonalCertsOnDisk is now capable of handling those
accounts by dynamically finding a user's home dir (rather than by
constructing a hard-coded path).

This now makes the table even more complete; any certificates found in
the system accounts directories will always be found. Previously they
could be found but only if there was a store location other than the
Users store location that had a system store string that looked like
S-1-5-18\My or .DEFAULT\My.

This is what it looked like previously. This is on a system where there are no store locations other than Users that have a system store string like the above two. However, there is a certificate installed into the Local System certificate directory.
[screenshot]

This is with the PR.
[screenshot]

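The disk walk the description refers to, written out as an added PowerShell example (this is not osquery's code and not what findUserPersonalCertsOnDisk does line for line): instead of building C:\Users\<name>\... by hand, it reads each profile's home directory from the ProfileList registry key, which is how the built-in service accounts (S-1-5-18 under %systemroot%\system32\config\systemprofile, S-1-5-19 and S-1-5-20 under %systemroot%\ServiceProfiles) get found without a special case, and then lists the file-backed Personal ("My") store under each profile. It does not depend on the system store enumeration returning a `S-1-5-18\My` or `.DEFAULT\My` entry. It assumes the X509Certificate2 file constructor accepts the serialized certificate blobs Windows writes into that directory; a file that fails to parse is reported and skipped.

```powershell
# Added example, not osquery code: enumerate the on-disk Personal ("My")
# certificate store of every profile on the machine, including the built-in
# service accounts, by resolving each profile's home directory from the
# ProfileList registry key instead of hard-coding C:\Users\<name>.
# Run from an elevated session; reading the systemprofile tree requires it.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Location of the file-backed Personal store, relative to a profile directory.
$myStoreRel  = 'AppData\Roaming\Microsoft\SystemCertificates\My\Certificates'

function Get-ProfilePersonalCerts {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid        = $_.PSChildName
        $profileDir = $_.GetValue('ProfileImagePath')
        if (-not $profileDir) { return }

        # Service accounts are registered with an unexpanded variable, e.g.
        #   S-1-5-18  %systemroot%\system32\config\systemprofile
        #   S-1-5-19  %systemroot%\ServiceProfiles\LocalService
        #   S-1-5-20  %systemroot%\ServiceProfiles\NetworkService
        # so expand it before touching the filesystem.
        $profileDir = [Environment]::ExpandEnvironmentVariables($profileDir)
        $certDir    = Join-Path -Path $profileDir -ChildPath $myStoreRel
        if (-not (Test-Path -LiteralPath $certDir)) { return }

        # SID -> account name. Orphaned profiles do not translate; keep the SID then.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        Get-ChildItem -LiteralPath $certDir -File | ForEach-Object {
            $file = $_
            # Each file is named by SHA-1 thumbprint and holds a Windows serialized
            # certificate blob (assumption: X509Certificate2 parses that format).
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
            } catch {
                Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
                return
            }
            [pscustomobject]@{
                Username = $account
                Sid      = $sid
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                Sha1     = $cert.Thumbprint
                Path     = $file.FullName
            }
        }
    }
}

Get-ProfilePersonalCerts | Sort-Object Username, Subject | Format-Table -AutoSize
```

A quick way to reproduce the "before" screenshot's gap is to compare this output against the osquery certificates table on the same host: any row whose Username is NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE is exactly what the old filter dropped when no `S-1-5-18\My`-style store location existed.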
@communitybridge-easycla commented Aug 7, 2019

CLA Check: The committers are authorized under a signed CLA.

@alessandrogario merged commit 59a68ad into osquery:master Aug 8, 2019

13 checks passed:
Mark Mossberg: Thank you for signing the CLA.
osquery Build #20190807.5 succeeded
osquery (Linux) succeeded
osquery (LinuxBuck Release) succeeded
osquery (LinuxCMake Debug) succeeded
osquery (LinuxCMake Release) succeeded
osquery (Windows) succeeded
osquery (WindowsBuck Release) succeeded
osquery (WindowsCMake Release) succeeded
osquery (macOS) succeeded
osquery (macOSBuck Release) succeeded
osquery (macOSCMake Debug) succeeded
osquery (macOSCMake Release) succeeded
@mossberg mossberg deleted the trailofbits:mark/feature/win-certs-system-acc branch Aug 8, 2019