ingest empty disk encryption keys (#10671)

this covers the edge cases when `/var/db/FileVaultPRK.dat` is not
present but the disk is still encrypted, so we're not able to get
the encryption key.


https://github.com/fleetdm/fleet/issues/10672
This commit is contained in:
Roberto Dip 2023-03-22 10:06:36 -03:00 committed by GitHub
parent c1aa0f04b6
commit 5391091dbb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 12 deletions


@ -1316,16 +1316,8 @@ func directIngestDiskEncryptionKeyDarwin(
)
}
if strings.TrimSpace(rows[0]["filevault_key"]) == "" {
level.Debug(logger).Log(
"component", "service",
"method", "directIngestDiskEncryptionKeyDarwin",
"msg", "host reported empty /var/db/FileVaultPRK.dat contents",
"host", host.Hostname,
)
return nil
}
// it's okay if the key comes empty, this can happen and if the disk is
// encrypted it means we need to reset the encryption key
return ds.SetOrUpdateHostDiskEncryptionKey(ctx, host.ID, rows[0]["filevault_key"])
}
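Review bot: Removing the empty-key branch also removes the only log line that recorded a host reporting empty `/var/db/FileVaultPRK.dat` contents, so an empty key now presumably replaces whatever `SetOrUpdateHostDiskEncryptionKey` had stored for the host with no trace in the logs. Since the new comment states this case is expected and means the key has to be reset, it is worth keeping the `level.Debug(logger).Log(...)` call (minus the `return nil`) ahead of the `ds.SetOrUpdateHostDiskEncryptionKey` call, so an operator can correlate a blank escrowed key with the host's report. The removed check also compared `strings.TrimSpace(rows[0]["filevault_key"])`, while the value passed on is the raw `rows[0]["filevault_key"]`; whether a whitespace-only value should be normalised before it is stored is worth confirming. directIngestDiskEncryptionKeyDarwin begins outside the hunk.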


@ -875,8 +875,9 @@ func TestDirectIngestDiskEncryptionKeyDarwin(t *testing.T) {
logger := log.NewNopLogger()
wantKey := "OTM5ODRDQTYtOUY1Mi00NERELTkxOUEtMDlBN0ZBOUUzNUY5Cg=="
host := &fleet.Host{ID: 1}
ds.SetOrUpdateHostDiskEncryptionKeyFunc = func(ctx context.Context, hostID uint, encryptedBase64Key string) error {
require.Equal(t, wantKey, encryptedBase64Key)
require.Empty(t, encryptedBase64Key)
require.Equal(t, host.ID, hostID)
return nil
}
@ -887,7 +888,14 @@ func TestDirectIngestDiskEncryptionKeyDarwin(t *testing.T) {
err = directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{{"filevault_key": ""}})
require.NoError(t, err)
require.False(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)
require.True(t, ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked)
ds.SetOrUpdateHostDiskEncryptionKeyFuncInvoked = false
ds.SetOrUpdateHostDiskEncryptionKeyFunc = func(ctx context.Context, hostID uint, encryptedBase64Key string) error {
require.Equal(t, wantKey, encryptedBase64Key)
require.Equal(t, host.ID, hostID)
return nil
}
err = directIngestDiskEncryptionKeyDarwin(ctx, logger, host, ds, []map[string]string{{"filevault_key": wantKey}})
require.NoError(t, err)