https://github.com/osquery/osquery logo
#fleet
Title
# fleet
m

Matthew Warren

12/15/2022, 4:12 PM
To confirm my understanding of policies – and specifically writing custom ones – Fleet uses a null set vs
1
to determine failure/pass respectively?
m

Michal Nicpon

12/15/2022, 4:14 PM
no rows is failure, anything else is a pass You will see a lot of
select 1 …
in policy queries because we don’t care about the actual columns being returned
m

Matthew Warren

12/15/2022, 4:30 PM
Thanks, that's very helpful. I'm more familiar with writing checks using a synthetic table, e.g.
Copy code
WITH expected_policies(DOMAIN, name, value) AS (
                                                VALUES ('com.apple.applicationaccess',
                                                        'allowCloudDocumentSync',
                                                        '0'))
SELECT expected_policies.*,
       CASE
           WHEN managed_policies.domain IS NOT NULL THEN 'OK'
           ELSE NULL
       END complaince_check
FROM expected_policies
LEFT JOIN managed_policies ON (managed_policies.domain = expected_policies.domain
                               AND managed_policies.name = expected_policies.name
                               AND managed_policies.value = expected_policies.value)
ORDER BY expected_policies.domain,
         expected_policies.name;
Changing this query to an
INNER JOIN
forces a null result as expected here. Does that look like the correct solution @Michal Nicpon or @Lucas Rodriguez?
m

Michal Nicpon

12/16/2022, 1:12 PM
Yes, you should change it to use an
INNER JOIN
, otherwise you will always return at least 1 row from the
expected_policies
CTE. However, I think you could simplify the query to the following
Copy code
SELECT
	1
FROM
	managed_policies
WHERE
	domain = 'com.apple.applicationaccess'
	AND name = 'allowCloudDocumentSync'
	AND value = '0';