New Table: Windows Firewall Rules #7403
Conversation
Co-authored-by: seph <seph@kolide.co>
|
Are these specific to Defender, or does it apply to Windows network firewall rules in-general? |
This is windows firewall in general, using API defined in: https://en.wikipedia.org/wiki/Windows_Firewall |
|
Maybe |
…d addresses and ports columns.
Renamed table
|
|
LGTM |
|
@zwass Thanks! Looks like still blocked on CLA verification. Will check with our team. |
|
Thought that might help! I don't seem to have admin access to our EasyCLA account so not sure if there's anything else I can do at the moment. |
|
/easycla |
There was a problem hiding this comment.
Hello @aleksmaus,
thanks for the PR! I have left some comments
Thanks for the feedback! Most of the patterns borrowed from the existing code to make it consistent. Will update for suggested changes. |
|
@alessandrogario I've made the changes that you requested. Could you take a look if this matches what you meant? |
|
It looks like the CLA resolved itself. Closing and reopening is the simple way to get it to check. FWIW a common issue is having commits that aren't tied to your github username in the PR. But for more complex stuff I usually dig up the easyCLA support email address. |
17d8d3e
to
88f2b1d
Compare
88f2b1d
to
3f8f133
Compare
There was a problem hiding this comment.
This is really good code @aleksmaus! I have left some additional comments, I think we can merge this soon
9a59731
to
9ae981d
Compare
There was a problem hiding this comment.
This is excellent work, thank you for this cool table @aleksmaus!
Thank you for the code reviews @alessandrogario! |
| description("Provides the list of Windows firewall rules.") | ||
| schema([ | ||
| Column("name", TEXT, "Friendly name of the rule"), | ||
| Column("app_name", TEXT, "Friendly name of the application to which the rule applies"), |
There was a problem hiding this comment.
Is there a non-friendly, but authoritative, way to link this rule to an app? (I haven't looked at the underlying API yet)
There was a problem hiding this comment.
Digging through https://docs.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwrule
I think get_ServiceName is worth adding, since that's documented as an optional parameter that may take the place of app name.
get_grouping might also be interesting
There was a problem hiding this comment.
basically exposed this API: (https://docs.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwrule)
and got the description from https://docs.microsoft.com/en-us/windows/win32/api/netfw/nf-netfw-inetfwrule-get_applicationname
|
Added |
|
Closing and reopening so that it aligns with the latest master. |
|
Gentle bump, Is there anything else needed to get the pr merged? |
…2 to master * commit 'c97a1b416492585e049010deea36d2992b680556': (52 commits) Fix user_time and system_time unit in processes table on M1 (osquery#7473) Add BOOST_USE_ASAN define when enabling Asan (osquery#7469) Removing unnecessary macOS version check (osquery#7451) Add `utc` flag back for compatibility(osquery#7460) Add osquery version to macOS app bundle Info.plist (osquery#7452) Fix submodule cache for macOS CI runner (osquery#7456) New Table: Windows Firewall Rules (osquery#7403) Remove utc flag from example config file (osquery#7437) Update the ATC table `path` column check to be case insensitive (osquery#7442) Fix typos in documentation (osquery#7443) Fix a crash when Yara uses its own strutils functions (osquery#7439) Update `time` table to reflect UTC values (osquery#7276) Update sqlite to version 3.37.0 (osquery#7426) Fix linking of thirdparty_sleuthkit (osquery#7425) Apple Silicon support (osquery#7330) Fix how we disable tables in the fuzzer init method (osquery#7419) Prevent running discovery queries when fuzzing (osquery#7418) Hide the deprecate `antispyware` column in `windows_security_center` (osquery#7411) Fix typo in docs (osquery#7412) CHANGELOG 5.1.0 (osquery#7406) ...
This change adds the new table
windows_firewall_rulesas requested in the issue: #7335There are couple of deviations from the original requirement:
versioncolumn, since it's not available through the API.enabledcolumn name instead ofactive, more consistent with the API naming.enabledcolumn instead of TRUE/FALSE TEXT value.rule_actionintoactionfield, more consistent with the API naming.profileintoprofilescolumn that contains decoded comma separated text values likePrivate,Public. Could create individual rows for each if needed. Let me know.Screenshot:
I was not sure if we can use ATL CComPtr wrappers for example, it's cleaner this way.
Can rewrite without them if needed. Let me know.
Looking for a feedback if there is anything needs to be changed/added/removed.
Fixes: #7335