From c4ccf20bd6fb888459a55da39e17a96ac07889e2 Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Mon, 22 Aug 2022 15:23:09 -0400
Subject: [PATCH] Adding first set of CIS benchmark policies for macOS (#7296)

* Adding CIS 1.1 for macOS
* Adding CIS 1.2
* Fix linting
* Adding CIS 1.3
* Adding CIS 1.4
* Apply suggestions from code review
Committing Noah's suggestions
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
* Fixed copy pasta errors + changed formatting
Fixed some auto update queries that were accidentally the same, and put [CIS X.X] between brackets in `constants.ts`
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
---
 .../standard-query-library.yml | 48 +++++++++++++++++++
 frontend/utilities/constants.ts | 42 ++++++++++++++++
 2 files changed, 90 insertions(+)

diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 4f0f916db8..4749f2bafb 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -750,3 +750,51 @@ spec:
 tags: compliance, hardening, built-in
 platform: darwin
 contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Operating system up to date (macOS)
+ query: SELECT 1 FROM os_version WHERE version >= '12.5.1';
+ description: "Checks that the operating system is up to date."
+ resolution: "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password."
+ platforms: macOS
+ tags: compliance, CIS, template, CIS1.1
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic updates enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.2
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic update downloads enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.3
+ platform: darwin
+ contributors: GuillaumeRoss
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: Automatic installation of application updates is enabled (macOS)
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;
+ description: "Checks that a mobile device management (MDM) solution configures the operating system to automatically install updates to App Store applications."
+ resolution: "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic installation of application updates."
+ platforms: macOS
+ tags: compliance, CIS, CIS1.4
+ platform: darwin
+ contributors: GuillaumeRoss
\ No newline at end of file
diff --git a/frontend/utilities/constants.ts b/frontend/utilities/constants.ts
index 55accce13b..de6ca5592a 100644
--- a/frontend/utilities/constants.ts
+++ b/frontend/utilities/constants.ts
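Review bot: The `version >= '12.5.1'` test in the CIS 1.1 policy compares osquery's `os_version.version` column as text, so the ordering is lexicographic rather than numeric — `'12.10'` sorts below `'12.5.1'` as a string — and the fixed floor also goes stale silently with every macOS release. Comparing the integer columns avoids the ordering problem, e.g. `query: SELECT 1 FROM os_version WHERE major > 12 OR (major = 12 AND (minor > 5 OR (minor = 5 AND patch >= 1)));`, and a comment beside the floor saying it must be bumped with each CIS revision would help whoever maintains it. The same string comparison is used for the key 17 entry in the frontend/utilities/constants.ts hunk. The CIS 1.1 entry also carries a `template` tag that the 1.2–1.4 entries do not; if that is deliberate a short comment on why would help, otherwise it looks unintended.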
@@ -182,6 +182,48 @@ export const DEFAULT_POLICIES = [
 "Contact your IT administrator to confirm that your Mac is receiving configuration profiles for password length.",
 platform: "darwin",
 },
+ {
+ key: 17,
+ query: "SELECT 1 FROM os_version WHERE version >= '12.5.1';",
+ name: "Operating system up to date (macOS) [CIS 1.1]",
+ description: "Checks that the operating system is up to date.",
+ resolution:
+ "From the Apple menu () in the corner of your screen choose System Preferences. Then select Software Update and select Upgrade Now. You might be asked to restart or enter your password.",
+ platform: "darwin",
+ },
+ {
+ key: 19,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticCheckEnabled' AND value=1 LIMIT 1;",
+ name: "Automatic updates enabled (macOS) [CIS 1.2]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically check for updates.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic updates.",
+ platform: "darwin",
+ },
+ {
+ key: 20,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticDownload' AND value=1 LIMIT 1;",
+ name: "Automatic update downloads enabled (macOS) [CIS 1.3]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to automatically download updates.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables automatic update downloads.",
+ platform: "darwin",
+ },
+ {
+ key: 21,
+ query:
+ "SELECT 1 FROM managed_policies WHERE domain='com.apple.SoftwareUpdate' AND name='AutomaticallyInstallAppUpdates' AND value=1 LIMIT 1;",
+ name: "Installation of application updates is enabled (macOS) [CIS 1.4]",
+ description:
+ "Checks that a mobile device management (MDM) solution configures the operating system to 
automatically install updates to Apple applications.",
+ resolution:
+ "Contact your IT administrator to ensure your Mac is receiving a profile that enables installation of application updates.",
+ platform: "darwin",
+ },
 ] as IPolicyNew[];
 export const FREQUENCY_DROPDOWN_OPTIONS = [
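Review bot: The new entries are keyed 17, 19, 20 and 21, so key 18 is skipped; unless 18 is already taken earlier in `DEFAULT_POLICIES` (the array opens before this hunk, so that cannot be confirmed here), this looks like a numbering slip from editing the list, and the block should either be renumbered to be contiguous or carry a comment stating why 18 is reserved. The CIS 1.4 wording also drifts from the YAML copy added in the same commit: here the name is `Installation of application updates is enabled (macOS) [CIS 1.4]`, the description ends `updates to Apple applications.` and the resolution says `enables installation`, while the YAML entry says `Automatic installation …`, `App Store applications` and `enables automatic installation`; both files describe the same policy and should use the same text. The parentheses after `From the Apple menu` in the key 17 resolution appear to hold either the Apple-logo private-use glyph or nothing at all, which renders as empty parentheses on most non-Apple fonts, so dropping them is safer.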