
See if disk encryption is enabled

Open edwardsb opened this issue 2 years ago • 5 comments

Goal

As a user on the Host details page, I want to see the host's disk encryption status.

Figma

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=8869%3A291427

Queries

macOS: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;

Windows: SELECT 1 FROM bitlocker_info where protection_status = 1;

Linux: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';

edwardsb avatar Jan 27 '22 23:01 edwardsb

cc @luciusbono

mikermcneil avatar Jan 27 '22 23:01 mikermcneil

Currently, in the standard query library, there’s…

  • A “Get Windows machines with unencrypted hard disks” query: https://fleetdm.com/queries/get-windows-machines-with-unencrypted-hard-disks
  • A “Is disk encryption enabled on Windows devices?” policy: https://fleetdm.com/queries/is-disk-encryption-enabled-on-windows-devices This policy has some loose instructions to interpret a failing result (screenshot below) but can be improved.

noahtalerman avatar Jan 28 '22 14:01 noahtalerman

@GuillaumeRoss heads up, this is the issue I'm using to track the addition of disk encryption status to the Host details page.

noahtalerman avatar Aug 05 '22 15:08 noahtalerman

The following is from the Base Resource Spec Proposal: LinuxUserComputer: FleetDM (internal) shared by the prospective customer:


In this pass, I'd like to only surface the encrypted true/false in the Fleet UI. This will add a lot of value to all Fleet users and we can ship it quickly.

@GuillaumeRoss do you think Fleet will still look like a legitimate partner for this prospective customer if we come back to the isBootVolume and lastBootTimestamp pieces?

noahtalerman avatar Aug 10 '22 17:08 noahtalerman

@GuillaumeRoss to determine the encrypted true/false, do you think Fleet can use (with slight modifications if needed) the queries for the Full disk encryption enabled policies?

macOS: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;

Windows: SELECT 1 FROM bitlocker_info where protection_status = 1;

Linux: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';

To my understanding, these check if disk encryption is turned on, which is different from the disk being encrypted.

Is your comment, from Base Resource Spec, about how we could say "disk is encrypted" instead of "disk encryption is turned on" ? I think this would be valuable.

noahtalerman avatar Aug 10 '22 17:08 noahtalerman

Guillaume: On macOS, if one partition has FileVault enabled then disk encryption is enabled. We can tell users, "The FileVault feature is enabled on at least one partition."

Guillaume: Maybe filter on C drive (system drive) for Windows. Would this still pass if they use an unencrypted? Guillaume will update query to do this. What does protection status mean? If percent_encrypted is 100? The BitLocker Protection status is on. https://docs.microsoft.com/en-us/windows/win32/secprov/getprotectionstatus-win32-encryptablevolume

We can tell users, "The volume is fully encrypted and the encryption key for the volume isn't available in clear on the hard disk."

Can we tell users the same on macOS and Linux?

Guillaume: If you installed the latest version of Ubuntu and the root file system is on /dev/dm-1.

noahtalerman avatar Aug 16 '22 16:08 noahtalerman

@GuillaumeRoss when you get the chance, can you please help verify that the latest queries and messages we'd like to add to the Host details page in Fleet UI are accurate?

You can find the queries and messages in this issue's description.

I assigned this issue to you so that I remember to keep checking in.

noahtalerman avatar Aug 16 '22 19:08 noahtalerman

@noahtalerman just checking - I think we talked about this at the same time you originally assigned it to me - you have what you need?

GuillaumeRoss avatar Aug 26 '22 20:08 GuillaumeRoss

@GuillaumeRoss can you please review the queries and messages we'd like to add in the Fleet UI for accuracy?

I'm pasting the queries and messages below:

macOS

SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1;

disk_encryption_enabled set to true:

"The disk is fully encrypted and the user must enter their password when they start their computer. If recently turned on, encryption could take a while depending on how much information the user has stored."

disk_encryption_enabled set to false:

"The disk is unencrypted."

Windows

SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;

disk_encryption_enabled set to true:

"The disk is fully encrypted and the user must enter their password when they start their computer. If recently turned on, encryption could take a while depending on how much information the user has stored."

disk_encryption_enabled set to false:

"The disk is unencrypted."

Ubuntu

SELECT 1 FROM disk_encryption WHERE encrypted = 1 AND name LIKE '/dev/dm-1';

disk_encryption_enabled set to true:

"Disk encryption is enabled."

I want to get your eyes on these in case the info returned by the query doesn't match what you'd expect to see in the UI.

noahtalerman avatar Aug 29 '22 21:08 noahtalerman

@mna I am assigning you this issue to review and finalize the specs. Please read through the issue and update the specs as necessary to reflect the implementation details. Once it's ready, please bring it into the "Specified" column on the roadmap so we know it's ready for estimation.

If you have any ideas, questions, or concerns, please tag the appropriate people and update the issue as necessary to prepare for estimation. Thanks!

lukeheath avatar Aug 29 '22 21:08 lukeheath

@noahtalerman

I am assuming the strings like disk_encryption_enabled set to true are for my understanding and will not show up in the product. Let me know if this is not a good assumption.

Mac

disk_encryption_enabled set to true:

I would completely scratch the second sentence. Unless you have a very old Mac, it's instant (few seconds), so I don't think we should tell people it might take a while.

"The disk is fully encrypted and the user must enter their password when they start their computer."

disk_encryption_enabled set to false:

I would steer away from saying the drive is not encrypted, because it might be, but the value people look for is filevault encryption that prevents it from booting without a password.

"The disk is not protected with FileVault encryption."

Windows

disk_encryption_enabled set to true:

We don't know for sure the user has to enter a password. The keys might be in a TPM, on a USB stick, on the network - BitLocker has a LOT of different scenarios it can support.

"The disk is protected by encryption. If recently turned on, encryption could take a while depending on how much information the user has stored."

disk_encryption_enabled set to false: no comment, it's great like that.

Linux

You seem to be missing one for Linux on the unencrypted case. Since it's Linux, can we be more nerdy with the error? There are too many ways people might actually configure encryption.

"The drive (/dev/dm-1) is unencrypted."

That way someone might realize that the way their machine is configured, they should be looking for /dev/dm-2 and tune the query?

GuillaumeRoss avatar Aug 30 '22 13:08 GuillaumeRoss

I would completely scratch the second sentence. Unless you have a very old Mac, it's instant (few seconds), so I don't think we should tell people it might take a while.

Makes sense 👍

I would steer away from saying the drive is not encrypted, because it might be, but the value people look for is filevault encryption that prevents it from booting without a password.

Got it. This is a great explanation. I'm going to update the text to include your explanation:

"The disk might be encrypted; however, FileVault encryption is off. This means that the disk can be accessed without entering a password."

We don't know for sure the user has to enter a password.

Makes sense. I'd like to continue using "the disk is encrypted" language:

"The disk is encrypted. If recently turned on, encryption could take a while depending on how much information the user has stored."

You seem to be missing one for Linux on the unencrypted case.

Not presenting the Linux unencrypted case was intentional. I think the reasoning was that a device either installs an encrypted or unencrypted image for Ubuntu. This value doesn't change.

That being said, this reasoning doesn't support not showing the user when the disk is unencrypted. I like your suggestion.

I'd like to continue using "the disk is encrypted" language. Please let me know if there's a strong reason not to be consistent and use the word "disk."

"The drive (/dev/dm-1) is unencrypted."

Thanks @GuillaumeRoss !

noahtalerman avatar Aug 31 '22 17:08 noahtalerman

Hey @mna heads up, I assigned myself.

Before you add specs to this issue, I'd like to review some changes during tomorrow's product design review.

noahtalerman avatar Aug 31 '22 17:08 noahtalerman

UPDATE: Noah: Made updates to the disk encryption copy. API/UI need to handle case when there’s no /dev/dm-1 or cut it. Goal is to be accurate.

(2022-09-02)

noahtalerman avatar Sep 02 '22 14:09 noahtalerman

UPDATE:

API/UI need to handle case when there’s no /dev/dm-1 for Linux or cut it. Goal is to be accurate.

Decision made to cut Linux unencrypted case. (noahtalerman 2022-09-06).

noahtalerman avatar Sep 06 '22 14:09 noahtalerman

@mna I assigned this issue to you. Can you please complete specs for this issue?

Updates since you were last assigned:

  • For Linux hosts, the "Off" (unencrypted) state is not included in the API. This is because we're only detecting whether the /dev/dm-1 drive is encrypted. For now we won't be able to determine if there's another drive that's encrypted.

noahtalerman avatar Sep 06 '22 14:09 noahtalerman
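The three queries pasted earlier in this thread (macOS, Windows with the `drive_letter = 'C:'` filter, and the Ubuntu `/dev/dm-1` check) together with the decision above to cut the Linux "Off" state can be exercised end to end without real hosts. The example below is added here and is not Fleet's code: it loads constructed sample rows (not real osquery output, and only the columns the queries read) into an in-memory sqlite3 database, runs the queries as written, and maps each result to the value the host payload would carry: True or False for macOS and Windows, and for Linux either True or no field at all. The host names, the sample rows and the payload shape are assumptions made for the example; the `protection_status` meanings come from the Microsoft `GetProtectionStatus` documentation linked earlier in the thread (0 = off, 1 = on, 2 = unknown).

```python
"""Added example (not Fleet's code): runs the three osquery queries from this
issue against constructed sample rows in sqlite3 and maps each result to the
tri-state the thread settles on for the host payload."""
import sqlite3

# Only the columns the queries touch are modelled; osquery's real tables have more.
SCHEMAS = {
    "disk_encryption": "(name TEXT, encrypted INTEGER, filevault_status TEXT, user_uuid TEXT)",
    "bitlocker_info": "(drive_letter TEXT, protection_status INTEGER, percentage_encrypted INTEGER)",
}

# Queries as pasted in the issue. The macOS empty string is written '' rather
# than "" so the statement runs on any SQLite build (osquery accepts both).
QUERIES = {
    "darwin": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;",
    "windows": "SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;",
    "linux": "SELECT 1 FROM disk_encryption WHERE encrypted = 1 AND name LIKE '/dev/dm-1';",
}


def query_hit(platform, table_rows):
    """Load the constructed rows into an in-memory database and report whether
    the platform's query returns at least one row."""
    conn = sqlite3.connect(":memory:")
    for table, rows in table_rows.items():
        conn.execute(f"CREATE TABLE {table} {SCHEMAS[table]}")
        if rows:
            marks = ",".join("?" * len(rows[0]))
            conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn.execute(QUERIES[platform]).fetchone() is not None


def disk_encryption_enabled(platform, table_rows):
    """Value for the host's disk_encryption_enabled field: True or False for
    macOS and Windows; for Linux only True is reported, because the query can
    only see /dev/dm-1 and the issue cut the Linux 'Off' state (None = omit)."""
    hit = query_hit(platform, table_rows)
    if platform == "linux":
        return True if hit else None
    return hit


# Constructed hosts (not real osquery output). Row order follows SCHEMAS.
# bitlocker_info.protection_status: 0 = off, 1 = on, 2 = unknown, per the
# Win32_EncryptableVolume GetProtectionStatus docs linked in the issue.
SAMPLE_HOSTS = {
    "mac-filevault-on": ("darwin", {"disk_encryption": [("/dev/disk1s1", 1, "on", "11111111-AAAA")]}),
    "mac-encrypted-no-filevault": ("darwin", {"disk_encryption": [("/dev/disk1s1", 1, "off", "")]}),
    "win-c-protected-d-not": ("windows", {"bitlocker_info": [("C:", 1, 100), ("D:", 0, 0)]}),
    "win-only-d-protected": ("windows", {"bitlocker_info": [("C:", 0, 0), ("D:", 1, 100)]}),
    "win-protection-unknown": ("windows", {"bitlocker_info": [("C:", 2, 100)]}),
    "ubuntu-luks-root-on-dm-1": ("linux", {"disk_encryption": [("/dev/dm-1", 1, "", "")]}),
    "ubuntu-no-dm-1": ("linux", {"disk_encryption": [("/dev/sda1", 0, "", "")]}),
}


def host_payload(host_name):
    """Fragment of a GET /hosts/{id} style response (assumed shape): the field
    is present for True/False and left out entirely when the state is not reported."""
    platform, rows = SAMPLE_HOSTS[host_name]
    payload = {"hostname": host_name, "platform": platform}
    state = disk_encryption_enabled(platform, rows)
    if state is not None:
        payload["disk_encryption_enabled"] = state
    return payload


def evaluate_all():
    """Map every sample host to its disk_encryption_enabled value."""
    return {name: disk_encryption_enabled(p, rows) for name, (p, rows) in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for name, state in evaluate_all().items():
        print(f"{name:28} -> {state}")
```

Two of the sample hosts show why the wording discussed above matters: `win-protection-unknown` is fully encrypted (`percentage_encrypted = 100`) yet reports False, because the query keys on protection status rather than on conversion progress, and `mac-encrypted-no-filevault` reports False even though the volume is encrypted, which is exactly the case the "not protected with FileVault encryption" copy is meant to cover.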

We'll need a new table to store the host's disk status. I'd recommend making it a bit flexible so we're not stuck with today's requirement - today we only store the encryption status of a single drive, but it's not unthinkable that we'll want the status for all available drives in the future, and perhaps other properties than the encryption state for each drive. I'd suggest going with a JSON column to hold drive information, and just store the encryption state key for now. Two reasons for that: we're unlikely to want to query on this information (right @noahtalerman ? and even if we did, encryption status is on-off so an index would probably not make a huge difference), and it's relatively easy to migrate if in the future we want to store an array of drives with their properties. Plus if we really do need to index some information, we can promote a JSON key to a column and index that column.

mna avatar Sep 07 '22 13:09 mna

we'll want the status for all available drives in the future, and perhaps other properties than the encryption state for each drive

@mna yes, it's likely that we'll want more properties for the encryption state for each drive.

For example, on macOS, in the future we'll likely want something like name, encrypted, filevaultEnabled, and isBootVolume properties.

we're unlikely to want to query on this information

I'm not sure if this affects the above assumption but, it's likely we'll want to add the ability to see the number of hosts (count) with "on" or "off" encryption state.

noahtalerman avatar Sep 07 '22 14:09 noahtalerman

Removing from roadmap board until we commit to doing Vanta integration for Q4. @noahtalerman

zhumo avatar Oct 18 '22 20:10 zhumo

@lukeheath heads up, Mo and I went through the Roadmap board and removed several issues from the estimated column (deprioritized):

  • This issue
  • #7440
  • #2002
  • #6257
  • #6781

This way, the interface team prioritizes bugs, query automations (#7765), and MDM issues.

I left the assignments and estimation tags on the above issues so that we can bring them back in to fill capacity if needed.

noahtalerman avatar Oct 19 '22 13:10 noahtalerman

@noahtalerman Just want to confirm that the linux query should really only run on platforms reported as "ubuntu" (and not any ubuntu-like distros, such as "pop", or on all "linux")?

Not urgent/blocker, that's a tiny change if needed and I'll make it target only "ubuntu" for now.

mna avatar Nov 01 '22 13:11 mna

@mna the goal is to show the "On" state for as many Linux distros as possible. Up to you on how to accomplish this.

I'm not sure which Linux distros will return true for the query.

That being said, I think it makes sense to run the query on all Linux distros. This way, the UI displays "On" for as many Linux distros as possible.

noahtalerman avatar Nov 01 '22 14:11 noahtalerman

@noahtalerman Thanks, looks like osquery might not understand specific distros anyway (see "The platform key can be" section here: https://osquery.readthedocs.io/en/stable/deployment/configuration/#schedule), so I'll go with "linux".

mna avatar Nov 01 '22 14:11 mna

Yeah...osquery won't understand it. The problem is different Linux distros implement disk encryption differently so it's hard to come up with a single query that'll work for all.

GuillaumeRoss avatar Nov 01 '22 14:11 GuillaumeRoss

@lukeheath @RachelElysia I added the disk_encryption_enabled field to the response payload of GET /hosts/{id} (and GET /device/{token} as they share a common implementation). As per the spec and the figma, I believe this is the only place where we need this new information for now, so I did not add it to e.g. the list hosts endpoint to avoid bloating the response payloads unnecessarily. Let me know if somehow we end up needing it in more endpoints.

mna avatar Nov 01 '22 20:11 mna

@mna Got it. Thanks for the update!

lukeheath avatar Nov 02 '22 18:11 lukeheath