fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add Kolide launcher table to Fleetd for the 'screen lock' attribute to be integrated into Vanta. #9733

Closed zayhanlon closed 1 year ago

zayhanlon commented 1 year ago

User story

As a user who enables the Fleet-Vanta integration, I want to get this information (screen lock attribute) all in one place for compliance rather than getting information from Vanta and a separate set of data from Fleet.

What we would need to get screen lock data from osquery:
https://developer.vanta.com/reference/put-macosusercomputer

Requirements

UI

TODO?

CLI usage

TODO?

Compatibility

REST API changes

TODO?

Database schema migrations

TODO?

Technical sub-tasks (if any)

N/A

zayhanlon commented 1 year ago

Zay to scope with @marcosd4h

zayhanlon commented 1 year ago

@eashaw to investigate for estimation

zayhanlon commented 1 year ago

@eashaw to investigate for estimation next week

sharon-fdm commented 1 year ago

Need to investigate possible backend work needed. Website side - 1pt

eashaw commented 1 year ago

To send the host screen lock status to Vanta, we need to send an object with two attributes:

- requiresPassword - A boolean - "After the screenlock takes effect, does the user have to enter a password to access their device."
- screenSleepTimeoutMs - A number - "The timeout in milliseconds for screenlock to trigger."

We need this data to be returned in the response from the /api/v1/fleet/hosts or /api/v1/fleet/hosts/{id} API endpoint.

There is a screenlock table in osquery we can use to get the requiresPassword (via the enabled column), but that table only works on macOS (and with the caveat that it only returns results for the current logged-in user, and that user must have recently logged in).

To get the screenSleepTimeoutMs value, it looks like we would need to query the plist table on macOS, and the registry table on Windows hosts.

I was able to get the data we need for screenSleepTimeoutMs with these queries:

For macOS hosts:

```sql
SELECT value AS screenSleepTimeoutInSeconds, path
FROM plist
WHERE path LIKE '/Users/%/Library/Preferences/ByHost/com.apple.screensaver.%'
  AND key = 'idleTime';
```

For Windows hosts:

```sql
SELECT data AS screenSleepTimeoutInSeconds
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Control Panel\Desktop'
  AND name = 'ScreenSaveTimeOut';
```

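
An added example (not from this thread or from Fleet's code base) that turns rows from the two timeout queries and the `screenlock` table mentioned in the comment above into the two-attribute object Vanta expects. `BuildScreenLock`, `Row` and `ScreenLock` are hypothetical names; reporting the longest timeout across users and requiring every `screenlock` row to have `enabled = 1` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ScreenLock mirrors the two attributes the comment above lists for Vanta.
type ScreenLock struct {
	RequiresPassword     bool  `json:"requiresPassword"`
	ScreenSleepTimeoutMs int64 `json:"screenSleepTimeoutMs"`
}

// Row is one osquery result row: column name -> string value.
type Row map[string]string

// BuildScreenLock merges timeout rows (plist or registry query) with screenlock
// rows. ok is false when no row has a usable timeout, so nothing is made up.
func BuildScreenLock(timeoutRows, screenlockRows []Row) (ScreenLock, bool) {
	var worst int64 = -1
	for _, r := range timeoutRows {
		secs, err := strconv.ParseInt(strings.TrimSpace(r["screenSleepTimeoutInSeconds"]), 10, 64)
		if err != nil || secs <= 0 {
			continue // unparseable or non-positive: not a usable timeout
		}
		if secs > worst {
			worst = secs // several users: keep the longest (least strict) value
		}
	}
	if worst < 0 {
		return ScreenLock{}, false
	}
	// Assumption: password is required only if every screenlock row says so.
	requires := len(screenlockRows) > 0
	for _, r := range screenlockRows {
		if r["enabled"] != "1" {
			requires = false
		}
	}
	return ScreenLock{RequiresPassword: requires, ScreenSleepTimeoutMs: worst * 1000}, true
}

func main() {
	// Constructed sample rows, not output from a real host.
	timeouts := []Row{{"screenSleepTimeoutInSeconds": "300"}, {"screenSleepTimeoutInSeconds": "900"}}
	lock := []Row{{"enabled": "1"}}
	fmt.Println(BuildScreenLock(timeouts, lock))
}
```
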
zhumo commented 1 year ago

Last I heard, this work required either a new table or maybe a table from Kolide. Let's confirm this before moving forward.

zayhanlon commented 1 year ago

@artemist-work would be able to pull in some Kolide tables to assist with this ask. @zhumo do you know which ones we need?

zayhanlon commented 1 year ago

@zhumo ping back on this for estimation - do you know which Kolide table we would need? Artemis can estimate the work then.

zhumo commented 1 year ago

Hey @zayhanlon sorry for delayed response here. I am not sure whether a Kolide table will solve the problem. Part of the scoping here is to determine whether we need to build a new table for this or piggyback on pre-existing work.

zhumo commented 1 year ago

@zwass was there a table that had the screenlock data already existing?

zwass commented 1 year ago

There is a Kolide Launcher table that claims to do it, but we tested it and found the results unreliable. This has been a perennial issue on macOS.

We can detect with certainty whether it's enforced via MDM profile, but the problem is detecting it outside of that.

sharon-fdm commented 1 year ago

Estimation:

- Artemis - add table - 2 days
- Eric - send info to Vanta - 1 day

sharon-fdm commented 1 year ago

@marcosd4h has found a new way to deal with the Kolide tables. I am closing all former issues in order to put all new info in the main Story.

Will keep all closed items here for tracking history if needed.

fleet-release commented 1 year ago

Screen lock joins Fleet, Compliance made seamless now, Vanta unites all.