chore: add ro-dc default selector

mistahj67 · mistahj67 · commit 2d7ce4729eec · 2025-06-26T14:56:02.000-10:00
diff --git a/cmd/api/src/database/migration/migrations/v7.6.0.sql b/cmd/api/src/database/migration/migrations/v7.6.0.sql
@@ -25,3 +25,48 @@ INSERT INTO parameters (key, name, description, value, created_at, updated_at) V
 
 -- Add Auth Session TTL Hours
 INSERT INTO parameters (key, name, description, value, created_at, updated_at) VALUES ('auth.session_ttl_hours', 'Auth Session TTL Hours', 'This configuration parameter determines the length of time in hours a logged in session stays active before expiration.', '{"hours": 8}', current_timestamp, current_timestamp) ON CONFLICT DO NOTHING;
+
+-- Add RO-DC default selector to Tier Zero
+WITH src_data AS (
+  SELECT * FROM (VALUES
+-- START
+('Read-Only DCs', false, true, E'MATCH (n:Computer)\nWHERE n.isReadOnlyDC = true\nRETURN n;', E'An attacker with control over a RODC computer object can compromise Tier Zero principals. The attacker can modify the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes of the RODC computer object such that the RODC can retrieve the credentials of a targeted Tier Zero principal. The attacker can obtain admin access to the OS of the RODC through the managedBy attribute, from where they can obtain the credentials of the RODC krbtgt account. With that, the attacker can create a RODC golden ticket for the target principal. This ticket can be converted to a real golden ticket as the target has been added to the msDS-RevealOnDemandGroup attribute and is not protected by the msDS-NeverRevealGroup attribute. Therefore, the RODC computer object is Tier Zero.')
+-- END
+  ) AS s (name, enabled, allow_disable, cypher, description)
+), inserted_selectors AS (
+INSERT INTO asset_group_tag_selectors (
+  asset_group_tag_id,
+  created_at,
+  created_by,
+  updated_at,
+  updated_by,
+  disabled_at,
+  disabled_by,
+  name,
+  description,
+  is_default,
+  allow_disable,
+  auto_certify
+)
+SELECT
+  (SELECT id FROM asset_group_tags WHERE type = 1 and position = 1),
+  current_timestamp,
+  'SYSTEM',
+  current_timestamp,
+  'SYSTEM',
+  CASE WHEN NOT d.enabled THEN current_timestamp ELSE NULL END,
+  CASE WHEN NOT d.enabled THEN 'SYSTEM' ELSE NULL END,
+  d.name,
+  d.description,
+  true,
+  d.allow_disable,
+  false
+FROM src_data d WHERE NOT EXISTS(SELECT 1 FROM asset_group_tag_selectors WHERE name = d.name)
+  RETURNING id, name
+)
+INSERT INTO asset_group_tag_selector_seeds (selector_id, type, value)
+SELECT
+  s.id,
+  2,
+  d.cypher
+FROM inserted_selectors s JOIN src_data d ON d.name = s.name;
