diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 4f0f916db8..4749f2bafb 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -750,3 +750,51 @@ spec:
 tags: compliance, hardening, built-in
 platform: darwin
 contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Operating system up to date (macOS)
+ query: SELECT 1 FROM os_version WHERE version >= '12.5.1';
+ description: "Checks that the operating system is up to date."
+ resolution: "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
+ platforms: macOS
+ tags: compliance, CIS, template, CIS1.1
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic updates enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.2
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic update downloads enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.3
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic installation of application updates is enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to App Store applications."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.4
+ platform: darwin
+ contributors: GuillaumeRoss
\ No newline at end of file
diff --git a/frontend/utilities/constants.ts b/frontend/utilities/constants.ts
index 55accce13b..de6ca5592a 100644
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
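Review bot: The `version >= '12.5.1'` test in the "Operating system up to date (macOS)" query compares strings, so SQLite orders the values character by character rather than by version component; a threshold such as `12.10` would sort below `12.9`, and the check is only right by accident for today's value. Comparing the numeric columns of `os_version` avoids that: `SELECT 1 FROM os_version WHERE major > 12 OR (major = 12 AND (minor > 5 OR (minor = 5 AND patch >= 1)));`. Because the release is hard-coded, the policy will keep reporting hosts as up to date after Apple ships a newer update, so the description should state "12.5.1 or later" and the value needs to be bumped with each release. The same query is duplicated in `frontend/utilities/constants.ts` (key 17) and should change with it.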
@@ -182,6 +182,48 @@ export const DEFAULT_POLICIES = [
 "Contact your IT administrator to confirm that your Mac is receiving configuration profiles for password length.",
 platform: "darwin",
 },
+ {
+ key: 17,
+ query: "SELECT 1 FROM os_version WHERE version >= '12.5.1';",
+ name: "Operating system up to date (macOS) [CIS 1.1]",
+ description: "Checks that the operating system is up to date.",
+ resolution:
+ "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password.",
+ platform: "darwin",
+ },
+ {
+ key: 19,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;",
+ name: "Automatic updates enabled (macOS) [CIS 1.2]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates.",
+ platform: "darwin",
+ },
+ {
+ key: 20,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;",
+ name: "Automatic update downloads enabled (macOS) [CIS 1.3]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads.",
+ platform: "darwin",
+ },
+ {
+ key: 21,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;",
+ name: "Installation of application updates is enabled (macOS) [CIS 1.4]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to Apple applications.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables installation of application updates.",
+ platform: "darwin",
+ },
 ] as IPolicyNew[];
 
 export const FREQUENCY_DROPDOWN_OPTIONS = [
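Review bot: The entry with `key: 21` has drifted from its YAML copy in the same commit. Here it is named `Installation of application updates is enabled (macOS) [CIS 1.4]` and describes "Apple applications", while the library entry is named "Automatic installation of application updates is enabled (macOS)" and describes "App Store applications"; the resolution text differs the same way. The two copies should carry the same name, description and resolution so an operator sees the same control whichever source the policy came from. The keys also jump from 17 to 19; the array begins above the hunk, so whether 18 is used elsewhere is not visible, but if it is unused a comment such as `// key 18 intentionally unused` would explain the gap.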