https://github.com/osquery/osquery logo
Join Slack
Powered by
is there a way to run a policy only when a softwar...
# fleet
a
is there a way to run a policy only when a software is installed?
my use case if the following: I check for the existence of a preference in firefox, but I need to do it only when firefox is installed. I've tried: 
AND EXISTS (SELECT 1 FROM deb_packages WHERE name = 'firefox')
, but this makes the policy fails when firefox isn't present
z
@Andrea Scarpino not that i can think of! policies are kind of like scheduled queries in that it's continuously checking for that pass/fail status. maybe @Dherder or @Kathy Satterlee would have an idea on this ^ if you don't need an automatic check, you could live query for it but that's the manual way
f
maybe a case statement? the else could be the failsafe for when the package is not installed
d
@Andrea Scarpino you could do this in a post install script on the app installer itself. Perhaps the post install script could write a value to a file and then you could read that value with the 
file
table when you build your policy.
f
or a label query, so that you have a set of hosts that dynamically updates "firefox_installed_hosts" and only target the policy to that label
a
@Dherder I'm not sure that works for people that remove FF just after the installation or install it later
f
@Andrea Scarpino can you share your actual policy query with us? i may have time later to test out
a
sure:
Copy code
SELECT 1 FROM firefox_preferences WHERE path IN (SELECT path FROM file WHERE path LIKE '/home/%/.mozilla/firefox/%/prefs.js') AND fullkey = 'network.dns.disablePrefetch' and value = 'true';
problem is the file exists, but firefox has been uninstalled. The policy should just skip the check
f
i don't have a linux host i can check readily but maybe something like this? either way the policy is going to be either pass or fail, so there isn't too much leeway with the logic. I think the best solution (if is is technically possible in fleet), is to target the policy query based on a label query so that it only runs if firefox is actually installed on a host.
Copy code
SELECT 
    CASE 
        WHEN EXISTS (
            SELECT 1 
            FROM deb_packages 
            WHERE name = 'Firefox'
        ) THEN (
            SELECT COUNT(1)
            FROM firefox_preferences
            WHERE path IN (
                SELECT path 
                FROM file 
                WHERE path LIKE '/home/%/.mozilla/firefox/%/prefs.js'
            )
            AND fullkey = 'network.dns.disablePrefetch' 
            AND value = 'true'
        )
        ELSE 0
    END AS policy_result;
any other combination of logic within the query is either going to generate a false positive or a false negative because you only have 2 states to choose from but are trying to account for 3 possible states if I understand your problem correctly.
a
mmm, the policy should return Yes when firefox is not installed or when it's installed and that preference is enabled. It should be a 2 state
f
problem is the file exists, but firefox has been uninstalled. The policy should just skip the check
if the file is there, the policy runs no matter what, you need a better way of determining that the app is installed
maybe a JOIN against the deb_packages instead, and if there is no rows returned work that way? vs a left join that would pass more forgivingly?
a
ah I see, you are right
f
i think the example I provided would, return 1 when Firefox is reported installed by deb_packages, then it would stay at 1 if the prefs file is present, and the key. is set to the value you want, otherwise it will fail (0)
a
I've tried it and it returned 0 on all the 3 hosts that cover my tests - which is wrong
same result with:
Copy code
JOIN deb_packages ON deb_packages.name = 'firefox'
🤔
oh wait, I didn't know labels can be dynamic as well
indeed that looks like the right path to have this 🙏
I still need help please. I've created a dynamic label on:
Copy code
SELECT 1 FROM ( SELECT 1 FROM deb_packages WHERE name = 'firefox' UNION SELECT 1 FROM apps WHERE name = '<http://Firefox.app|Firefox.app>' UNION SELECT 1 FROM programs WHERE name LIKE 'Mozilla Firefox %')
but I don't get how to restrict my policy to match only the hosts with that label
d
@Andrea Scarpino I think this approach will only work once we have https://github.com/fleetdm/fleet/issues/24091 completed.
a
oh, I see
thanks!
5 Views
Open in Slack
PreviousNext
Powered by