Added inventory-fde to inventory full disk encryption

nickanderson · nickanderson · commit 8fa7626bfcc1 · 2026-02-12T15:47:13.000-06:00
diff --git a/cfbs.json b/cfbs.json
@@ -137,13 +137,23 @@
     },
     "inventory-windows-services": {
       "description": "Inventory running Windows services.",
-      "subdirectory": "inventory",
+      "subdirectory": "inventory/inventory-windows-services",
       "steps": [
         "copy inventory-windows-services.cf services/cfbs/inventory-windows-services/",
         "policy_files services/cfbs/inventory-windows-services/",
         "bundles inventory_windows_services_running"
       ]
     },
+    "inventory-fde": {
+      "description": "Inventory full disk encryption status (LUKS, FileVault, BitLocker).",
+      "tags": ["inventory", "security"],
+      "subdirectory": "inventory/inventory-fde",
+      "steps": [
+        "copy inventory-fde.cf services/cfbs/inventory-fde/",
+        "policy_files services/cfbs/inventory-fde/",
+        "bundles inventory_fde:main"
+      ]
+    },
     "library-for-promise-types-in-bash": {
       "description": "Library enabling promise types implemented in bash.",
       "subdirectory": "libraries/bash",
diff --git a/inventory/inventory-fde/README.md b/inventory/inventory-fde/README.md
@@ -0,0 +1,31 @@
+Full disk encryption (FDE) protects data at rest by encrypting entire block devices.
+This module detects mounted volumes backed by dm-crypt (LUKS1, LUKS2, or plain dm-crypt) on Linux systems.
+
+Detection is performed entirely through virtual filesystem reads (`/sys/block/` and `/proc/mounts`), with no dependency on external commands like `dmsetup` or `findmnt`.
+
+## How it works
+
+1. Enumerates device-mapper block devices from `/sys/block/dm-*`
+2. Reads each device's DM subsystem UUID from `/sys/block/dm-N/dm/uuid`
+3. Identifies crypt devices by the `CRYPT-` prefix in the UUID
+4. Checks `/proc/mounts` for any mounted filesystem referencing a crypt device (via `/dev/mapper/<name>` or `/dev/dm-N`)
+
+## Inventory
+
+- **Full disk encryption enabled** -- `yes` if any mounted volume is on a dm-crypt device, `no` otherwise.
+- **Full disk encryption method** -- The encryption type(s) detected, e.g. `LUKS2`, `LUKS1`, `PLAIN`, or `none`. Multiple types are comma-separated if different methods are in use.
+- **Full disk encryption volumes** -- List of device-mapper names for mounted encrypted volumes.
+
+## Example
+
+```
+$ sudo cf-agent -Kf ./inventory-fde.cf --show-evaluated-vars=inventory_fde
+Variable name                            Variable value                                               Meta tags                                Comment
+inventory_fde:main.fde_enabled           yes                                                          source=promise,inventory,attribute_name=Full disk encryption enabled
+inventory_fde:main.fde_method            LUKS2                                                        source=promise,inventory,attribute_name=Full disk encryption method
+inventory_fde:main.fde_volumes            {"luks-4c56337e-878a-48c7-bca3-ed6fa50cf017"}               source=promise,inventory,attribute_name=Full disk encryption volumes
+```
+
+## Platform
+
+- Linux only (requires `/sys/block/` and `/proc/mounts`)
diff --git a/inventory/inventory-fde/inventory-fde.cf b/inventory/inventory-fde/inventory-fde.cf
@@ -0,0 +1,82 @@
+body file control
+{
+      namespace => "inventory_fde";
+}
+
+bundle agent main
+# @brief Inventory full disk encryption status
+# @inventory Full disk encryption enabled Whether any mounted volume uses dm-crypt encryption (yes/no).
+# @inventory Full disk encryption method The encryption type(s) in use, e.g. LUKS2, LUKS1, PLAIN, or none.
+# @inventory Full disk encryption volumes List of device-mapper names for mounted encrypted volumes, e.g. luks-4c56337e-878a-48c7-bca3-ed6fa50cf017.
+{
+  vars:
+    linux::
+      # Enumerate all device-mapper block devices
+      "_dm_devices" slist => lsdir("/sys/block", "dm-\d+", false);
+
+      # Read the DM subsystem uuid and name for each dm device
+      "_dm_uuid[${_dm_devices}]"
+        string => readfile("/sys/block/${_dm_devices}/dm/uuid"),
+        if => fileexists("/sys/block/${_dm_devices}/dm/uuid");
+      "_dm_name[${_dm_devices}]"
+        string => readfile("/sys/block/${_dm_devices}/dm/name"),
+        if => fileexists("/sys/block/${_dm_devices}/dm/name");
+
+      # Extract the encryption type (e.g. LUKS1, LUKS2, PLAIN) from the uuid
+      # UUID format: CRYPT-<TYPE>-<uuid>-<name>
+      "_dm_crypt_type[${_dm_devices}]"
+        string => regex_replace("${_dm_uuid[${_dm_devices}]}", "^CRYPT-([^-]+)-.*", "\1", ""),
+        if => canonify("_mnt_on_crypt_${_dm_devices}");
+
+      # Collect mapper name and method for each mounted crypt volume
+      "_mounted_crypt_name[${_dm_devices}]"
+        string => "${_dm_name[${_dm_devices}]}",
+        if => canonify("_mnt_on_crypt_${_dm_devices}");
+      "_mounted_crypt_method[${_dm_devices}]"
+        string => "${_dm_crypt_type[${_dm_devices}]}",
+        if => canonify("_mnt_on_crypt_${_dm_devices}");
+
+    _fde_detected::
+      "fde_enabled"
+        string => "yes",
+        meta => { "inventory", "attribute_name=Full disk encryption enabled" };
+      "fde_method"
+        string => join(", ", unique(getvalues(_mounted_crypt_method))),
+        meta => { "inventory", "attribute_name=Full disk encryption method" };
+      "fde_volumes"
+        slist => getvalues(_mounted_crypt_name),
+        meta => { "inventory", "attribute_name=Full disk encryption volumes" };
+
+    linux.!_fde_detected::
+      "fde_enabled"
+        string => "no",
+        meta => { "inventory", "attribute_name=Full disk encryption enabled" };
+      "fde_method"
+        string => "none",
+        meta => { "inventory", "attribute_name=Full disk encryption method" };
+
+  classes:
+    linux::
+      # Flag each dm device that has a CRYPT uuid
+      "_dm_is_crypt_${_dm_devices}"
+        expression => regcmp("CRYPT-.*", "${_dm_uuid[${_dm_devices}]}");
+
+      # Check if any mounted volume references a crypt dm device
+      "_mnt_on_crypt_${_dm_devices}"
+        expression => regline("/dev/(mapper/${_dm_name[${_dm_devices}]}|${_dm_devices})\s.*",
+                              "/proc/mounts"),
+        if => canonify("_dm_is_crypt_${_dm_devices}");
+
+      "_fde_detected" expression => classmatch("_mnt_on_crypt_.*");
+}
+
+body file control
+{
+      namespace => "default";
+}
+
+bundle agent __main__
+{
+  methods:
+    "inventory_fde:main";
+}
diff --git a/inventory/inventory-windows-services/inventory-windows-services.cf b/inventory/inventory-windows-services/inventory-windows-services.cf
