Update standard-query-library.yml (#17782)

- Policy's fail when they return no results
2024-11-06 00:45:19 +00:00 · 2024-03-21 18:48:56 -04:00 · 2024-03-21 18:48:56 -04:00 · 3c33e83085
commit 3c33e83085
parent 7ae21d2fda
1 changed files with 1 additions and 1 deletions
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@ -880,7 +880,7 @@ apiVersion: v1
 kind: policy
 spec:
  name: No 1Password emergency kit stored on desktop or in downloads (macOS)
-  query: SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared');
+  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared'));
  description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits."
  resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."
  platform: darwin