From b3acc96c4f8e3d7149ed76c483f371504590543e Mon Sep 17 00:00:00 2001 From: Brock Walters <153771548+nonpunctual@users.noreply.github.com> Date: Tue, 6 Feb 2024 16:27:21 -0500 Subject: [PATCH] Update standard-query-library.yml (#16271) It is very easy for data collection like this to veer into double / triple negative mulitverse of madness stuff... That said, I may have a lack of understanding about how the product works, i.e., that a query literally must return a 0 value & not null in order to "pass" in a policy. If so, then this works as expected. However, if a query just needs to return empty (null) & 0 is implied in the logic that sets a policy flag to green or red, then, as a rule, queries like this should be always be simplified & should default to using "positive" as opposed to "negative" logic, i.e., check if something exists, never check if a thing does NOT exist. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests: Tested by adding dummy Emergency Kit.pdf files to Desktop & Downloads, running query, then, removing files & running query. --- .../standard-query-library/standard-query-library.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml index 2fd0022006..213a9d05a2 100644 --- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml +++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml @@ -880,7 +880,7 @@ apiVersion: v1 kind: policy spec: name: No 1Password emergency kit stored on desktop or in downloads (macOS) - query: SELECT EXISTS(SELECT 1 FROM file WHERE filename like '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/%%/Desktop/%%')) as does_1p_ek_exist; + query: SELECT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/%%/Desktop/%%')); description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits." resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location." platform: darwin