https://github.com/osquery/osquery logo
Powered by
Title
m

Matthew Warren

12/15/2022, 4:12 PM
To confirm my understanding of policies – and specifically writing custom ones – Fleet uses a null set vs 
1
to determine failure/pass respectively?
m

Michal Nicpon

12/15/2022, 4:14 PM
no rows is failure, anything else is a pass You will see a lot of 
select 1 …
in policy queries because we don’t care about the actual columns being returned
m

Matthew Warren

12/15/2022, 4:30 PM
Thanks, that's very helpful. I'm more familiar with writing checks using a synthetic table, e.g. 
WITH expected_policies(DOMAIN, name, value) AS (
                                                VALUES ('com.apple.applicationaccess',
                                                        'allowCloudDocumentSync',
                                                        '0'))
SELECT expected_policies.*,
       CASE
           WHEN managed_policies.domain IS NOT NULL THEN 'OK'
           ELSE NULL
       END complaince_check
FROM expected_policies
LEFT JOIN managed_policies ON (managed_policies.domain = expected_policies.domain
                               AND managed_policies.name = expected_policies.name
                               AND managed_policies.value = expected_policies.value)
ORDER BY expected_policies.domain,
         expected_policies.name;
Changing this query to an 
INNER JOIN
forces a null result as expected here. Does that look like the correct solution @Michal Nicpon or @Lucas Rodriguez?
m

Michal Nicpon

12/16/2022, 1:12 PM
Yes, you should change it to use an 
INNER JOIN
, otherwise you will always return at least 1 row from the 
expected_policies
CTE. However, I think you could simplify the query to the following 
SELECT
	1
FROM
	managed_policies
WHERE
	domain = 'com.apple.applicationaccess'
	AND name = 'allowCloudDocumentSync'
	AND value = '0';
#fleetJoin Slack
Powered by