From 0f52cb5998cfa4a11a4d231db71e08cffc5e31f6 Mon Sep 17 00:00:00 2001
From: John-Michael Mulesa
Date: Fri, 18 Oct 2024 11:24:05 +1100
Subject: [PATCH] Add additional WMI data to `deviceguard_status` table (#8440)
---
 .../system/windows/deviceguard_status.cpp | 31 +++++++++++++++++++
 specs/windows/deviceguard_status.table | 2 ++
 .../integration/tables/deviceguard_status.cpp | 2 ++
 3 files changed, 35 insertions(+)
diff --git a/osquery/tables/system/windows/deviceguard_status.cpp b/osquery/tables/system/windows/deviceguard_status.cpp
index 77afd145b9c..f268dc4fcc2 100644
--- a/osquery/tables/system/windows/deviceguard_status.cpp
+++ b/osquery/tables/system/windows/deviceguard_status.cpp
@@ -23,6 +23,12 @@ QueryData genDeviceGuardStatus(QueryContext& context) {
 "VBS_ENABLED_AND_NOT_RUNNING",
 "VBS_ENABLED_AND_RUNNING"};
+ std::vector security_services = {"NONE",
+ "CREDENTIAL_GUARD",
+ "MEMORY_INTEGRITY",
+ "SYSTEM_GUARD_SECURE_LAUNCH",
+ "SMM_FIRMWARE_MEASUREMENT"};
+
 std::vector enforcement_methods = {
 "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
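Review bot: `security_services` is indexed positionally by the raw integers WMI returns (the `security_services[...]` lookups in the next hunk), so the order of its entries is a contract rather than a list, and an inserted or alphabetised entry would silently relabel every service after it; a comment above the vector should say so, e.g. `// Index == raw SecurityServicesRunning/Configured value from WMI; order is significant.`. Values above 4, should newer Windows builds report any, fall through to UNKNOWN via the bounds check in the next hunk, which is the safe direction. genDeviceGuardStatus starts before this hunk.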
@@ -57,6 +63,31 @@ QueryData genDeviceGuardStatus(QueryContext& context) {
 ? enforcement_methods[umci_status]
 : "UNKNOWN";
+ std::vector running_security_services;
+ data.GetVectorOfLongs("SecurityServicesRunning", running_security_services);
+ for (int i = 0; i < running_security_services.size(); i++) {
+ r["running_security_services"].append(
+ security_services.size() > running_security_services[i]
+ ? security_services[running_security_services[i]]
+ : "UNKNOWN");
+ if (i < (running_security_services.size() - 1)) {
+ r["running_security_services"].append(",");
+ }
+ }
+
+ std::vector configured_security_services;
+ data.GetVectorOfLongs("SecurityServicesConfigured",
+ configured_security_services);
+ for (int i = 0; i < configured_security_services.size(); i++) {
+ r["configured_security_services"].append(
+ security_services.size() > configured_security_services[i]
+ ? security_services[configured_security_services[i]]
+ : "UNKNOWN");
+ if (i < (configured_security_services.size() - 1)) {
+ r["configured_security_services"].append(",");
+ }
+ }
+
 results.push_back(r);
 }
 return results;
diff --git a/specs/windows/deviceguard_status.table b/specs/windows/deviceguard_status.table
index d6ef97d0260..45bd9df9a27 100644
--- a/specs/windows/deviceguard_status.table
+++ b/specs/windows/deviceguard_status.table
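Review bot: The result of both `data.GetVectorOfLongs(...)` calls is discarded, so a missing property or failed WMI read leaves the vector empty, the loop runs zero times, and the column is left blank instead of the UNKNOWN the table spec promises — a detection query such as `running_security_services NOT LIKE '%CREDENTIAL_GUARD%'` then cannot tell "not running" from "could not read", which is the wrong silent default for a security-posture table. The two loops are also copy-paste duplicates differing only in the property and column names, and the bounds check `security_services.size() > running_security_services[i]` only rejects negative values by way of signed-to-unsigned conversion. Suggest folding both into one local lambda that checks the returned status (assuming GetVectorOfLongs returns a `Status` like the other WMI getters used in this file), makes the non-negative check explicit, and builds the comma-separated string without the `size() - 1` index arithmetic. genDeviceGuardStatus starts before this hunk; `results.push_back(r)` and the return are unchanged.
```cpp
  // Render the WMI value array for `property` as a comma-separated list of
  // service names. An unreadable property is reported as UNKNOWN rather than
  // an empty cell so consumers can tell "nothing running" from "query failed".
  auto setServices = [&](const std::string& property,
                         const std::string& column) {
    std::vector<long> values;
    auto status = data.GetVectorOfLongs(property, values);
    if (!status.ok()) {
      r[column] = "UNKNOWN";
      return;
    }
    std::string joined;
    for (auto value : values) {
      if (!joined.empty()) {
        joined += ",";
      }
      // Explicit range check: values are signed longs from WMI, so reject
      // negatives before indexing rather than relying on unsigned wraparound.
      joined += (value >= 0 &&
                 static_cast<size_t>(value) < security_services.size())
                    ? security_services[value]
                    : "UNKNOWN";
    }
    r[column] = joined;
  };
  setServices("SecurityServicesRunning", "running_security_services");
  setServices("SecurityServicesConfigured", "configured_security_services");
  // … unchanged: results.push_back(r); return results; …
```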
@@ -5,6 +5,8 @@ schema([
 Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
 Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered."),
 Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered."),
+ Column("configured_security_services", TEXT, "The list of configured Device Guard services. Returns UNKNOWN if an error is encountered."),
+ Column("running_security_services", TEXT, "The list of running Device Guard services. Returns UNKNOWN if an error is encountered."),
 Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered."),
 ])
 implementation("system/windows/deviceguard_status@genDeviceGuardStatus")
diff --git a/tests/integration/tables/deviceguard_status.cpp b/tests/integration/tables/deviceguard_status.cpp
index 90982ad0ea4..3786d49f991 100644
--- a/tests/integration/tables/deviceguard_status.cpp
+++ b/tests/integration/tables/deviceguard_status.cpp
@@ -33,6 +33,8 @@ TEST_F(DeviceGuardStatus, test_sanity) {
 {"vbs_status", NonEmptyString},
 {"code_integrity_policy_enforcement_status", NonEmptyString},
 {"umci_policy_status", NonEmptyString},
+ {"configured_security_services", NonEmptyString},
+ {"running_security_services", NonEmptyString},
 };
 validate_rows(data, row_map);
 }
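Review bot: The two new column descriptions don't say what the cell looks like — the implementation in deviceguard_status.cpp writes a comma-separated list drawn from a fixed vocabulary (NONE, CREDENTIAL_GUARD, MEMORY_INTEGRITY, SYSTEM_GUARD_SECURE_LAUNCH, SMM_FIRMWARE_MEASUREMENT), and anyone writing a compliance or detection query against these columns will be filtering with LIKE on those tokens, so the format and vocabulary belong in the spec. Suggest `Column("configured_security_services", TEXT, "Comma-separated list of configured Device Guard services (NONE, CREDENTIAL_GUARD, MEMORY_INTEGRITY, SYSTEM_GUARD_SECURE_LAUNCH, SMM_FIRMWARE_MEASUREMENT). Returns UNKNOWN if an error is encountered."),` and the same wording for `running_security_services`. Note also that "Returns UNKNOWN if an error is encountered" only describes the per-value fallback as the code stands; a failed WMI read currently leaves the cell empty, so either the implementation or this sentence should change.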