The new Policies feature looks really promising tada Somethi osquery #fleet

The new "Policies" feature looks really promising ...

Martin Pöhlmann

09/27/2021, 1:10 PM

The new "Policies" feature looks really promising 🎉 Something I found, I formulated a simple query that checks whether at least one drive is bitlocker encrypted. While the UI looks great, on my Linux machines I get now warnings that the bitlocker tables are missing. Is it planned to tie checks to labels as it is for packs? Or is there another SQL-workaround that tries to see if the table present / os = win and only then performs the second part of the query (think of the logical

&&

operator that omits evaluating the second part if the 1st fails).

🎉 1

Noah Talerman

09/27/2021, 2:01 PM

I get now warnings that the bitlocker tables are missing.

Ah, yes. This is because the

bitlocker_info

table is only available on Windows machines. Are these “warnings” something you see in the Fleet UI or somewhere else?

Is it planned to tie checks to labels as it is for packs?

I can see how it would be useful to have more control over which polices are run against which devices (maybe especially if your Fleet has devices with different OS’s) Can you please file a feature request issue that describes your use case here on GitHub? https://github.com/fleetdm/fleet

Noah Talerman

09/27/2021, 2:04 PM

I formulated a simple query that checks whether at least one drive is bitlocker encrypted.

It would be awesome if you were interested in contributing this policy to Fleet’s standard query library so that other members of the Fleet/osquery community can utilize/adapt your policy. Instructions on contributing are here: https://github.com/fleetdm/fleet/tree/main/docs/01-Using-Fleet/standard-query-library#contributors If it’s easier, please feel free to include the policy in this thread!

Martin Pöhlmann

09/27/2021, 3:12 PM

RE where is it shown: systemd logs

Copy code

Sep 27 12:37:26 xps13 osqueryd[563898]: I0927 12:37:26.099275 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 12:37:26 xps13 osqueryd[563898]: E0927 12:37:26.099321 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info

RE standard library: it's basically the inverse of @zwass's query here, so I wouldn't duplicate:

Copy code

apiVersion: v1
kind: query
spec:
  name: Get Windows machines with unencrypted hard disks
  platforms: Windows
  description:
  query: SELECT * FROM bitlocker_info WHERE protection_status = 0;
  purpose: Informational
  contributors: zwass

But this raises another general question, whether the std-library and policies should be better linked? RE feature request: will do

Martin Pöhlmann

09/27/2021, 3:24 PM

https://github.com/fleetdm/fleet/issues/2238

👍🏽 1

Martin Pöhlmann

09/27/2021, 3:43 PM

Looking more in the details, it seems like the policy query is executed not every hour, but every few secs. This yields that the machine showed as offline (probably as no other queries were executed).

Copy code

Sep 27 17:38:43 xps13 osqueryd[563898]: I0927 17:38:43.131816 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 17:38:43 xps13 osqueryd[563898]: E0927 17:38:43.132011 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info
Sep 27 17:38:54 xps13 osqueryd[563898]: I0927 17:38:54.045698 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 17:38:54 xps13 osqueryd[563898]: E0927 17:38:54.045900 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info
Sep 27 17:39:04 xps13 osqueryd[563898]: I0927 17:39:04.956792 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 17:39:04 xps13 osqueryd[563898]: E0927 17:39:04.957000 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info
Sep 27 17:39:15 xps13 osqueryd[563898]: I0927 17:39:15.884637 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 17:39:15 xps13 osqueryd[563898]: E0927 17:39:15.884968 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info
Sep 27 17:39:26 xps13 osqueryd[563898]: I0927 17:39:26.809438 564007 distributed.cpp:121] Executing distributed query: fleet_policy_query_2: SELECT * FROM bitlocker_info where protection_status = 1;
Sep 27 17:39:26 xps13 osqueryd[563898]: E0927 17:39:26.809629 564007 distributed.cpp:131] Error executing distributed query: fleet_policy_query_2: no such table: bitlocker_info

Martin Pöhlmann

09/27/2021, 4:10 PM

https://github.com/fleetdm/fleet/issues/2240

👍🏽 1

5 Views

Open in Slack

Previous Next