From 88d8bf3b90ec13379343fa3f24a8f114e0234076 Mon Sep 17 00:00:00 2001 From: Rachael Shaw Date: Wed, 24 Jan 2024 08:57:19 -0600 Subject: [PATCH] Update docs for CIS benchmark support (#16211) --- docs/Using Fleet/CIS-Benchmarks.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/Using Fleet/CIS-Benchmarks.md b/docs/Using Fleet/CIS-Benchmarks.md index 39f7091604..bf12e3ba44 100644 --- a/docs/Using Fleet/CIS-Benchmarks.md +++ b/docs/Using Fleet/CIS-Benchmarks.md @@ -9,6 +9,7 @@ For more information about CIS Benchmarks check out [Center for Internet Securit Fleet has implemented native support for CIS Benchmarks for the following platforms: - macOS 13.0 Ventura (96 checks) - Windows 10 Enterprise (496 checks) +- Windows 11 Enterprise (521 checks) [Where possible](#limitations), each CIS Benchmark is implemented with a [policy query](./REST-API.md#policies) in Fleet. @@ -72,9 +73,13 @@ wget https://raw.githubusercontent.com/fleetdm/fleet/main/ee/cis/macos-13/cis-po # Windows 10 (note the same file name. Rename as needed.) wget https://raw.githubusercontent.com/fleetdm/fleet/main/ee/cis/win-10/cis-policy-queries.yml -# Apply the downloaded policies to Fleet for both files. +# Windows 11 (note the same file name. Rename as needed.) +wget https://raw.githubusercontent.com/fleetdm/fleet/main/ee/cis/win-11/cis-policy-queries.yml + +# Apply the downloaded policies to Fleet for all files. fleetctl apply --context -f --policies-team fleetctl apply --context -f --policies-team +fleetctl apply --context -f --policies-team ``` To apply the policies on a specific team use the `--policies-team` flag: 
@@ -87,7 +92,8 @@ Fleet's current set of benchmarks only implements benchmark *auditing* steps tha In practice, Fleet is able to cover a large majority of benchmarks: * macOS 13 Ventura - 96 of 104 -* Windows 10 Enterprise - All CIS items (496) +* Windows 10 Enterprise - All CIS items (496) +* Windows 11 Enterprise - All CIS items (521) For a list of specific checks which are not covered by Fleet, please visit the section devoted to each benchmark. @@ -109,7 +115,8 @@ For both the audit and remediation elements of a CIS Benchmark, there are two ty Fleet only implements automated audit checks. Manual checks require administrators to implement other processes to conduct the check. * macOS 13 Ventura - 96 of 104 are automated -* Windows 10 Enterprise - All CIS items (496) are automated +* Windows 10 Enterprise - All CIS items (496) are automated +* Windows 11 Enterprise - All CIS items (521) are automated ## Levels 1 and 2 @@ -166,9 +173,9 @@ The following CIS benchmark checks cannot be automated and must be addressed man - 3.7 Audit Software Inventory - 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled -## Windows 10 Enterprise benchmark +## Windows 10 & 11 Enterprise benchmarks -Fleet's policies have been written against v2.0.0 of the benchmark. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. +Fleet's policies have been written against v2.0.0 of the benchmarks. You can refer to the [CIS website](https://www.cisecurity.org/cis-benchmarks) for full details about this version. ### Checks that require a Group Policy template @@ -182,5 +189,5 @@ Detailed results are [here](https://docs.google.com/document/d/1OSpyzMkHjVhG_-EI - +
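Review bot: In the `@@ -72,9 +73,13 @@` hunk the three `fleetctl apply --context -f --policies-team` lines are identical as shown, with nothing after `-f` or `--policies-team`, so the reader cannot tell which downloaded file is applied for which platform or team. The three `wget` lines also all save to `cis-policy-queries.yml`, so run back to back each download overwrites the previous one, and the comment `Rename as needed` leaves that fix to the reader. Suggest giving each download a distinct output name, e.g. `wget -O cis-policy-queries-win-11.yml https://raw.githubusercontent.com/fleetdm/fleet/main/ee/cis/win-11/cis-policy-queries.yml`, and passing those file names after `-f` in the three `fleetctl apply` lines so the snippet runs as written.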
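Review bot: In the `@@ -87,7 +92,8 @@` hunk the removed and added Windows 10 lines read the same (`* Windows 10 Enterprise - All CIS items (496)`), which indicates a whitespace or line-ending change that is invisible in the diff; either drop that pair to keep the change focused on the Windows 11 addition, or mention the whitespace cleanup in the commit message. The same removed/added pair appears in the `@@ -109,7 +115,8 @@` hunk.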
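Review bot: In the `@@ -166,9 +173,9 @@` hunk the sentence now reads `written against v2.0.0 of the benchmarks` but still ends with `full details about this version`; CIS versions each benchmark independently, so please confirm that the Windows 11 Enterprise benchmark these policies target is also v2.0.0 and, if the two versions differ, state each one. Renaming the heading from `## Windows 10 Enterprise benchmark` to `## Windows 10 & 11 Enterprise benchmarks` also changes its generated anchor, so any in-page links of the kind this file already uses (`#limitations`) or external links that pointed at the old heading will break; check for references to the old anchor before merging.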