[ale] How would you ....
DJ-Pfulio
DJPfulio at jdpfu.com
Fri Apr 30 22:39:36 EDT 2021
Thanks everyone for the ideas.
For Linux, ansible seemed the easiest answer:
$ ansible -a "lsblk -e 7 -o name,size,type,fstype,mountpoint" cur |egrep '=|crypt'
This provides not only the systems with LUKS containers, but also a list of all the systems, so the ones without encryption can be hunted down. Some sample output:
nextcloud | CHANGED | rc=0 >>
posc | CHANGED | rc=0 >>
└─sda3 464.6G part crypto_LUKS
└─sda3_crypt 464.6G crypt LVM2_member
osmc | CHANGED | rc=0 >>
vpn | UNREACHABLE! => {
pi3 | UNREACHABLE! => {
I need to check out the Windows answers, but I've heard ansible works on Windows, though I've never gotten it working. Something about signed PowerShell scripts. I didn't think to ask which method of encryption is being used. It might not be BitLocker. Could be VeraCrypt or something else.
Thought about using the
$ ansible -m setup cur | egrep '=>|crypt'
nextcloud | SUCCESS => {
posc | SUCCESS => {
"dm-name-sda3_crypt",
"dm-uuid-CRYPT-LUKS1-f67e63db81114836aff8f2dcb9bb32fc-sda3_crypt",
"dm-name-sda3_crypt",
"dm-uuid-CRYPT-LUKS1-f67e63db81114836aff8f2dcb9bb32fc-sda3_crypt",
"sda3_crypt"
vpn | UNREACHABLE! => {
pi3 | UNREACHABLE! => {
osmc | SUCCESS => {
Not nearly as nice, but with ansible-cmdb output, managers will feel like they can check the work of the admins doing the scripting.
On 4/30/21 8:02 AM, Jim Kinney via Ale wrote:
> https://devblogs.microsoft.com/scripting/using-winrm-on-linux/
>
> Not the tool I used but very similar. Basically use python on Linux to scrape windows using powershell.
>
> On April 30, 2021 7:34:43 AM EDT, Jim Kinney <jim.kinney at gmail.com> wrote:
>
> Nice.
>
> I was going to suggest a linux-based pxe boot that auto runs dd if=/dev/random of=/dev/sd[[:alpha:]] to ensure the drives are encrypted. Windows admins don't let me get near their systems any more.
>
> Fuzzy memory. There's a tool I used many years ago for pulling data like this from windows systems in a large corp environment using a shared AD password. Network tool on Linux that connected to a port.... auth happens.... request variable values... something. I used it to pull names and versions of all install software but it could pull anything known by the windows box. Dang. Can't remember the tool name. I'll look.
>
> On April 30, 2021 7:11:37 AM EDT, Raj Wurttemberg via Ale <ale at ale.org> wrote:
>
> I would probably use Ansible to report on hundreds of systems, it is cross
> platform and agentless.
>
> For Windows, you just need to run the command (Administrator level account),
> "manage-bde -status". It comes back with a nice report like this:
>
> '''
> Volume C: [OS]
> [OS Volume]
>
> Size: 243.58 GB
> BitLocker Version: None
> Conversion Status: Fully Decrypted
> Percentage Encrypted: 0.0%
> Encryption Method: None
> Protection Status: Protection Off
> Lock Status: Unlocked
> Identification Field: None
> Key Protectors: None Found
> '''
>
> Or with PowerShell... (output can be JSON if needed with "
> Get-BitLockerVolume | convertto-json")
>
> '''
> PS C:\WINDOWS\system32> Get-BitLockerVolume
>
>
> ComputerName: XXXXXXX
>
> VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector AutoUnlock Protection
>                 Point                           Percentage              Enabled    Status
> ----------      ----- ---------- ------------   ---------- ------------ ---------- ----------
> Data            E:      2,048.00 FullyDecrypted          0 {}                      Off
> Data            F:      2,560.00 FullyDecrypted          0 {}                      Off
> Data            G:        979.37 FullyDecrypted          0 {}                      Off
> OperatingSystem C:        243.58 FullyDecrypted          0 {}                      Off
> Data            D:        232.80 FullyDecrypted          0 {}                      Off
> '''
>
> /Raj
>
> -----Original Message-----
> From: Ale <ale-bounces at ale.org> On Behalf Of DJ-Pfulio via Ale
> Sent: Thursday, April 29, 2021 11:10 PM
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Cc: DJ-Pfulio <DJPfulio at jdpfu.com>
> Subject: [ale] How would you ....
>
> run a report against thousands of workstations to ensure they all use
> encrypted storage. Call it a HIPAA requirement and reporting is just as
> important as actually having the encryption deployed.
>
> Assume Windows and Linux workstations - but linux-only is fine too.
> F/LOSS preferred for the solution.
>
>
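As an added example that is not part of this thread: the grep in the first reply only shows that a host has some LUKS container somewhere, so a workstation with an encrypted data disk but a cleartext root filesystem would pass. The script below parses the raw (un-grepped) output of the same `ansible -a "lsblk -e 7 -o name,size,type,fstype,mountpoint"` run, walks the lsblk tree, and reports for every host which mountpoints are not backed by a dm-crypt device, alongside hosts that were unreachable. Host names and lsblk trees in SAMPLE are constructed, and the run is assumed to be uncoloured (ANSIBLE_NOCOLOR=1).

```python
import re

HOST_RE = re.compile(r"^(\S+) \| (CHANGED|SUCCESS|FAILED|UNREACHABLE!)")  # ad-hoc ansible host header
TREE_GLYPHS = " \u2502\u251c\u2514\u2500|`-"      # lsblk tree prefix, unicode or ascii mode
CLEARTEXT_OK = {"/boot", "/boot/efi"}             # normally cleartext even on a LUKS system

def encryption_report(ansible_output):
    """Map host -> {'state', 'plain'}; 'plain' lists mountpoints with no dm-crypt ancestor.
    Assumes columns name,size,type,fstype,mountpoint (a mounted device always has an FSTYPE)."""
    report, host, stack = {}, None, []     # stack: (tree depth, encrypted?) of the ancestors
    for line in ansible_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, state = m.groups()
            state = {"UNREACHABLE!": "unreachable", "FAILED": "failed"}.get(state, "reachable")
            report[host], stack = {"state": state, "plain": []}, []
            continue
        if host is None or report[host]["state"] != "reachable":
            continue                       # skips the JSON error blob of an unreachable host
        body = line.lstrip(TREE_GLYPHS)
        depth, fields = (len(line) - len(body)) // 2, body.split()
        if len(fields) < 3 or fields[0] == "NAME":
            continue                       # blank line or the lsblk column header
        while stack and stack[-1][0] >= depth:
            stack.pop()                    # climb back up to this device's parent
        encrypted = (stack[-1][1] if stack else False) or fields[2] == "crypt"
        stack.append((depth, encrypted))
        if len(fields) == 5 and not encrypted and fields[4] not in CLEARTEXT_OK:
            report[host]["plain"].append(fields[4])
    return report

def noncompliant(report):
    """Hosts needing attention: unreachable, failed, or mounting cleartext storage."""
    return sorted(h for h, r in report.items() if r["state"] != "reachable" or r["plain"])

# Constructed sample of the ad-hoc run's output (hypothetical hosts, not real systems)
SAMPLE = """\
posc | CHANGED | rc=0 >>
NAME             SIZE TYPE  FSTYPE      MOUNTPOINT
sda            465.8G disk
├─sda1           512M part  vfat        /boot/efi
└─sda3         464.6G part  crypto_LUKS
  └─sda3_crypt 464.6G crypt LVM2_member
    └─vg-root     50G lvm   ext4        /
nextcloud | CHANGED | rc=0 >>
sda     32G disk
└─sda1  32G part ext4   /
vpn | UNREACHABLE! => {
}
"""
```

Running `noncompliant(encryption_report(SAMPLE))` on the sample returns `['nextcloud', 'vpn']`: the host whose root is on a plain partition and the one that could not be checked.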