From dcee7a15ea0c98288dd06aa25f2048a79714673f Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Thu, 18 Aug 2022 13:45:17 -0400
Subject: [PATCH] Making Bitlocker policy stricter (#7253)

Adding a filter to check that this is happening on the C drive and not some random other drive.
---
 .../standard-query-library/standard-query-library.yml | 2 +-
 frontend/utilities/constants.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 21b5f3c6c0..519353e785 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -489,7 +489,7 @@ apiVersion: v1
 kind: policy
 spec:
 name: Full disk encryption enabled (Windows)
- query: SELECT 1 FROM bitlocker_info where protection_status = 1;
+ query: SELECT 1 FROM bitlocker_info WHERE drive_letter='C:' AND protection_status=1;
 description: Checks to make sure that full disk encryption is enabled on Windows devices.
 resolution: "To get additional information, run the following osquery query on the failing device: SELECT * FROM bitlocker_info. In the
diff --git a/frontend/utilities/constants.ts b/frontend/utilities/constants.ts
index f959fbf3c9..55accce13b 100644
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
@@ -81,7 +81,8 @@ export const DEFAULT_POLICIES = [
 },
 {
 key: 7,
- query: "SELECT 1 FROM bitlocker_info WHERE protection_status = 1;",
+ query:
+ "SELECT 1 FROM bitlocker_info WHERE drive_letter='C:' AND protection_status=1;",
 name: "Full disk encryption enabled (Windows)",
 description:
 "Checks to make sure that full disk encryption is enabled on Windows devices.",
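Review bot: The new `query` literal hard-codes `drive_letter='C:'`, which assumes the OS volume is always C:; a host whose Windows volume uses another letter will fail this policy no matter what its encryption state is, and the policy still says nothing about other fixed volumes despite being named "Full disk encryption enabled". Failing closed is the safer direction, so this is acceptable, but the `description` string (or a comment above the entry) should say so, e.g. `// Only the C: volume is checked; a host whose OS volume is not C: fails this policy even when encrypted.` so operators can tell a false failure from an unencrypted disk. If the osquery build in use exposes `logical_drives.boot_partition`, joining on it would remove the hard-coded letter, e.g. `"SELECT 1 FROM bitlocker_info b JOIN logical_drives l ON l.device_id = b.drive_letter WHERE l.boot_partition = 1 AND b.protection_status = 1;"` — confirm the column names against the deployed schema before adopting it. The same literal is duplicated in the standard-query-library YAML in this patch and the two copies must stay in sync. The `DEFAULT_POLICIES` array begins before and continues past this hunk.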