Collect Institutional Recovery Key Hash for OSX Encrypted Volume

[tannevaled]

Your idea

GLPI is able to report the encryption state of every OSX volumes collected using the Agent.

Sample result using a request on the REST API

Query

"/apirest.php/search/Computer?range=0-1000&forcedisplay[0]=174&forcedisplay[1]=175&forcedisplay[2]=176&forcedisplay[3]=177&forcedisplay[4]=153&forcedisplay[5]=154&forcedisplay[6]=155&forcedisplay[7]=156&criteria[0][field]=80&criteria[0][value]=LABO&criteria[0][searchtype]=contains"

Response

{"totalcount"=>16,
 "count"=>16,
 "sort"=>["1"],
 "order"=>["ASC"],
 "data"=>
  [...
   {"1"=>"mba-10817780",
    "80"=>"Entit\u00E9 racine > LABO",
    "174"=>["0", "1", "0", "0", "0"],
    "175"=>[nil, "FileVault 2", nil, nil, nil],
    "176"=>[nil, "XTS_AES_128", nil, nil, nil],
    "177"=>[nil, nil, nil, nil, nil],
    "153"=>["/System/Volumes/VM", "/", "/System/Volumes/Update", "/System/Volumes/Data", "/System/Volumes/Preboot"],
    "154"=>["/dev/disk1s4", "/dev/disk1s5s1", "/dev/disk1s6", "/dev/disk1s1", "/dev/disk1s2"],
    "155"=>["41504653-0000-11AA-AA11-00306543ECAC", "apfs"],
    "156"=>["VM", "/", "/System/Volumes/Update", "Macintosh HD - Data", "Preboot"]},
  ...
  ]
}

RFE

For synthetic dashboards it would be necessary to have the state of FileVault

$ fdesetup status --verbose
fdesetup: device path = /
FileVault is On.
FileVault master keychain appears to be installed.
$ sudo fdesetup hasinstitutionalrecoverykey
true

and to be sure the IRK is the one we expect (ie have the expected SHA-256)

$ security find-certificate -p -Z -c "FileVault Recovery Key" /Library/Keychains/FileVaultMaster.keychain
SHA-256 hash: 675D8CECB561821B6547A26062402E6C3BB6385409CB9D36F7D85467F1B0AA5D
SHA-1 hash: E1A86E53B7C3D51BC44331408C46DE5F150538B0
-----BEGIN CERTIFICATE-----
MIICKjCCAZOgAwIBAgIFAMvhvcIwCwYJKoZIhvcNAQEFMEkxHzAdBgNVBAMMFkZp
...
-----END CERTIFICATE-----

Could we have this information collected by the Agent?

[g-bougard]

Hi @tannevaled

thank you for your idea submission.

What do you really need ? Just the key hash or the key itself ? And for what purpose exactly ? For example, do you just need to identify computers which don't have the right recovery key ? In that case, just the key hash is probably sufficient as it can be understood as a key identifier.

[tannevaled]

i need a proof that the certificate in use is the one the IT staff have the corresponding private key to recover in emergency case. i think the SHA-256 is suffisient.

[g-bougard]

Actually, the inventory format doesn't permit to add such information easily.

But you have the Collect task solution. On MacOSX, the only data you can gather this way is a filename checking few conditions. And in the possible conditions, you have a sha512 or a sha2 checksum:

If you can't check directly a file proving the certificate in use is the right one, you should be able to run a script from crontab or even from a Deploy task which would generate a file you'll have to look for with Collect task. Than later, in GLPI, you'll just be able to filter out the computer list with the expected (or not) criteria.

In the FAQ link on Deploy task, the purpose is to deploy a software, but you can use it to only run a script without installing anything. If the agent tasks configuration is set to somethink like inventory,deploy,collect,... this will guaranty the deploy script is always run just before the collect task. So the script result can be integrated in glpi with collect task quickly.

For example, you can just run a script to output the result of security find-certificate -p -Z -c "FileVault Recovery Key" /Library/Keychains/FileVaultMaster.keychain into a file. Running manually sha512sum on that file will provide you the criteria for the sha512 field for the file search collect data (not sure this is the right command on MacOSX, but I let you find the right). Or more simply, your Deploy script can just make the check and create or remove a file and the Collect task can just check for the existence of that file.